diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b21c39d899..b1f82c63f5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,7 +20,6 @@ jobs: os: - ubuntu-latest python: - - "3.7" - "3.8" - "3.9" - "3.10" diff --git a/DEVELOPMENT_GUIDE.md b/DEVELOPMENT_GUIDE.md index 6d3ecac386..2a89debf6e 100644 --- a/DEVELOPMENT_GUIDE.md +++ b/DEVELOPMENT_GUIDE.md @@ -26,7 +26,7 @@ Environment setup ----------------- ### 1. Install Python versions -Our officially supported Python versions are 3.7, 3.8, 3.9 and 3.10. +Our officially supported Python versions are 3.8, 3.9 and 3.10. Our CI/CD pipeline is setup to run unit tests against Python 3 versions. Make sure you test it before sending a Pull Request. See [Unit testing with multiple Python versions](#unit-testing-with-multiple-python-versions). @@ -40,12 +40,11 @@ easily setup multiple Python versions. For 1. Install PyEnv - `curl -L https://github.com/pyenv/pyenv-installer/raw/master/bin/pyenv-installer | bash` 1. Restart shell so the path changes take effect - `exec $SHELL` -1. `pyenv install 3.7.16` 1. `pyenv install 3.8.16` 1. `pyenv install 3.9.16` 1. `pyenv install 3.10.9` 3. Make Python versions available in the project: - `pyenv local 3.7.16 3.8.16 3.9.16 3.10.9` + `pyenv local 3.8.16 3.9.16 3.10.9` Note: also make sure the following lines were written into your `.bashrc` (or `.zshrc`, depending on which shell you are using): ``` @@ -66,7 +65,7 @@ can be found [here](https://black.readthedocs.io/en/stable/editor_integration.ht Since black is installed in virtualenv, when you follow [this instruction](https://black.readthedocs.io/en/stable/editor_integration.html), `which black` might give you this ```bash -(sam37) $ where black +(sam38) $ where black /Users//.pyenv/shims/black ``` 
@@ -77,11 +76,11 @@ and this will happen: pyenv: black: command not found The `black' command exists in these Python versions: - 3.7.9/envs/sam37 - sam37 + 3.8.16/envs/sam38 + sam38 ``` -A simple workaround is to use `/Users//.pyenv/versions/sam37/bin/black` +A simple workaround is to use `/Users//.pyenv/versions/sam38/bin/black` instead of `/Users//.pyenv/shims/black`. #### Pre-commit @@ -99,15 +98,15 @@ handy plugin that can create virtualenv. Depending on the python version, the following commands would change to be the appropriate python version. -1. Create Virtualenv `sam37` for Python3.7: `pyenv virtualenv 3.7.9 sam37` -1. Activate Virtualenv: `pyenv activate sam37` +1. Create Virtualenv `sam38` for Python3.8: `pyenv virtualenv 3.8.16 sam38` +1. Activate Virtualenv: `pyenv activate sam38` ### 4. Install dev version of SAM transform We will install a development version of SAM transform from source into the virtualenv. -1. Activate Virtualenv: `pyenv activate sam37` +1. Activate Virtualenv: `pyenv activate sam38` 1. Install dev version of SAM transform: `make init` Running tests @@ -121,8 +120,8 @@ Run `make test` or `make test-fast`. Once all tests pass make sure to run ### Unit testing with multiple Python versions -Currently, our officially supported Python versions are 3.7, 3.8, 3.9 and 3.10. For the most -part, code that works in Python3.7 will work in Pythons 3.8, 3.9 and 3.10. You only run into problems if you are +Currently, our officially supported Python versions are 3.8, 3.9 and 3.10. For the most +part, code that works in Python3.8 will work in Pythons 3.9 and 3.10. You only run into problems if you are trying to use features released in a higher version (for example features introduced into Python3.10 will not work in Python3.9). If you want to test in many versions, you can create a virtualenv for each version and flip between them (sourcing the activate script). Typically, we run all tests in 
diff --git a/HOWTO.md b/HOWTO.md index 44bc1c32bd..f4162e905e 100644 --- a/HOWTO.md +++ b/HOWTO.md @@ -21,7 +21,7 @@ Check out the [latest specification](versions/2016-10-31.md) for details on how You could also use the [aws-sam-cli](https://github.com/awslabs/aws-sam-cli) to get started ```shell -$ sam init --runtime python3.7 +$ sam init --runtime python3.8 ``` ## Packing Artifacts Before you can deploy a SAM template, you should first upload your Lambda diff --git a/Makefile b/Makefile index 34d1319c50..1f9df9a624 100755 --- a/Makefile +++ b/Makefile @@ -65,7 +65,8 @@ prepare-companion-stack: fetch-schema-data: mkdir -p .tmp - curl -o .tmp/cfn-docs.json https://raw.githubusercontent.com/aws/aws-cdk/main/packages/%40aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json + # aws-cdk updated where they store the cfn doc json files. See https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/cfnspec/README.md + bin/git_lfs_download.sh "https://raw.githubusercontent.com/cdklabs/awscdk-service-spec/main/sources/CloudFormationDocumentation/CloudFormationDocumentation.json" curl -o .tmp/cloudformation.schema.json https://raw.githubusercontent.com/awslabs/goformation/master/schema/cloudformation.schema.json diff --git a/README.md b/README.md index 26cc8f8f8f..d2372075a1 100644 --- a/README.md +++ b/README.md @@ -85,7 +85,7 @@ For a more thorough introduction, see the [this tutorial](https://docs.aws.amazo ### Setting up development environment -You'll need to have Python 3.7+ installed. +You'll need to have Python 3.8+ installed. Create a [virtual environment](https://docs.python.org/3/library/venv.html): diff --git a/bin/git_lfs_download.sh b/bin/git_lfs_download.sh new file mode 100755 index 0000000000..47680e11cc --- /dev/null +++ b/bin/git_lfs_download.sh 
@@ -0,0 +1,38 @@ +#!/bin/bash +set -eux + +# Here is the reference I found on how to download Git LFS file +# https://gist.github.com/fkraeutli/66fa741d9a8c2a6a238a01d17ed0edc5#retrieving-lfs-files + +# Check if a URL parameter is provided +if [ $# -eq 0 ]; then + echo "Script Usage: $0 " + exit 1 +fi + +# Get the URL from the first command-line parameter +url="$1" + +# Fetch the metadata from the URL +response=$(curl -s "$url") + +# Extract oid and size from the metadata +oid=$(echo "$response" | grep '^oid' | cut -d: -f2) +size=$(echo "$response" | grep 'size' | cut -d ' ' -f 2) + +# String interpolation to create the request JSON content +request_json=$(jq -nc --arg oid "$oid" --argjson size "$size" '{"operation":"download","objects":[{"oid":$oid,"size":$size}],"transfers":["basic"]}') + +# Send a POST request to Git LFS with the retrieved metadata JSON content +response=$(curl \ + -X POST \ + -H "Accept: application/vnd.git-lfs+json" \ + -H "Content-type: application/json" \ + -d "$request_json" \ + https://github.com/cdklabs/awscdk-service-spec.git/info/lfs/objects/batch) + +# The above command should return a JSON object that tells you where the file is stored +href=$(echo "$response" | jq -r '.objects[0].actions.download.href') + +# Download the file and store it in .tmp/cfn-docs.json +curl -o .tmp/cfn-docs.json $href \ No newline at end of file diff --git a/bin/run_cfn_lint.sh b/bin/run_cfn_lint.sh index 33b783e185..4157af06e8 100755 --- a/bin/run_cfn_lint.sh +++ b/bin/run_cfn_lint.sh @@ -10,4 +10,6 @@ if [ ! -d "${VENV}" ]; then fi "${VENV}/bin/python" -m pip install cfn-lint==0.75.0 --upgrade --quiet +# update cfn schema +"${VENV}/bin/cfn-lint" -u "${VENV}/bin/cfn-lint" --format parseable diff --git a/bin/transform-test-error-json-format.py b/bin/transform-test-error-json-format.py index 6eb9335b03..998fa2bf64 100755 --- a/bin/transform-test-error-json-format.py +++ b/bin/transform-test-error-json-format.py 
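Review bot: The final `curl -o .tmp/cfn-docs.json $href` in bin/git_lfs_download.sh writes whatever the batch API's `href` points to without checking it against the `oid` parsed earlier, even though that oid is the SHA-256 of the expected object. `$href` is also unquoted and comes from a remote JSON response, none of the curl calls use `--fail` so an HTTP error page is accepted as a pointer or payload, and `set -x` prints the download URL (which may carry a short-lived signed token) into CI logs. I would drop `-x`, add `pipefail`, make jq fail on a missing href, quote the URL, and verify the digest after download, as sketched below. `sha256sum` is the GNU coreutils tool, so macOS developers would need `shasum -a 256 -c` instead.

```shell
set -euo pipefail
# … unchanged: usage check, pointer fetch, oid/size parsing, batch request …
href=$(echo "$response" | jq -er '.objects[0].actions.download.href')

# Download the file and store it in .tmp/cfn-docs.json
curl --fail --proto '=https' -o .tmp/cfn-docs.json "$href"

# The pointer's oid is the SHA-256 of the object: reject a payload that does not match
echo "${oid}  .tmp/cfn-docs.json" | sha256sum --check --status
```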
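Review bot: The added `"${VENV}/bin/cfn-lint" -u` in bin/run_cfn_lint.sh refreshes the resource specs from the network on every run, so the linter stays pinned at `cfn-lint==0.75.0` while the data it checks against floats. A lint result then depends on the day it ran and on upstream availability, and a failed update aborts the lint if the script runs under `set -e` (its header is outside the hunk). If the refresh is needed to cover newer resource types, a comment saying so would help, e.g. `# specs bundled with 0.75.0 predate <resource type>; refresh until the pin is raised`, with the placeholder filled in.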
@@ -8,13 +8,11 @@ import sys from pathlib import Path -from typing_extensions import Final - # To allow this script to be executed from other directories sys.path.insert(0, str(Path(__file__).absolute().parent.parent)) import json -from typing import Type +from typing import Final, Type from bin._file_formatter import FileFormatter diff --git a/integration/combination/test_function_with_cwe_dlq_generated.py b/integration/combination/test_function_with_cwe_dlq_generated.py index 52975df025..34296e205f 100644 --- a/integration/combination/test_function_with_cwe_dlq_generated.py +++ b/integration/combination/test_function_with_cwe_dlq_generated.py @@ -36,7 +36,7 @@ def test_function_with_cwe(self): # checking policy action actions = dlq_policy_statement["Action"] - action_list = actions if type(actions) == list else [actions] + action_list = actions if isinstance(actions, list) == list else [actions] self.assertEqual(len(action_list), 1, "Only one action must be in dead-letter queue policy") self.assertEqual( action_list[0], "sqs:SendMessage", "Action referenced in dead-letter queue policy must be 'sqs:SendMessage'" diff --git a/integration/combination/test_function_with_msk.py b/integration/combination/test_function_with_msk.py index c5be2d72a2..5a9f7b0d5c 100644 --- a/integration/combination/test_function_with_msk.py +++ b/integration/combination/test_function_with_msk.py @@ -7,6 +7,10 @@ from integration.helpers.resource import current_region_does_not_support, generate_suffix +# Mark this test suite as nonblocking tests since MSK Cluster creation can take +# up to 30 minutes according to https://docs.aws.amazon.com/msk/latest/developerguide/troubleshooting.html#troubleshooting-cluster-stuck +# This would cause the test to fail due to MSK Cluster did not stablize. +# We should investigate any other cause of failures. @skipIf(current_region_does_not_support([MSK]), "MSK is not supported in this testing region") @nonblocking class TestFunctionWithMsk(BaseTest): 
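Review bot: `isinstance(actions, list) == list` in test_function_with_cwe compares a bool with the `list` type, so the condition is always false and `action_list` becomes `[actions]` even when `actions` already is a list. The old `type(actions) == list` handled both shapes. With the new line a list-valued `Action` is wrapped again, the length check still passes, and the `action_list[0]` comparison with `"sqs:SendMessage"` then fails on a correct policy. The line should read `action_list = actions if isinstance(actions, list) else [actions]`. The test method starts and ends outside the hunk.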
diff --git a/integration/combination/test_function_with_policy_templates.py b/integration/combination/test_function_with_policy_templates.py index a73c384d5a..e5746ec395 100644 --- a/integration/combination/test_function_with_policy_templates.py +++ b/integration/combination/test_function_with_policy_templates.py @@ -14,7 +14,7 @@ def test_with_policy_templates(self): self.assertEqual(len(sqs_poller_policy), 1, "Only one statement must be in SQS Poller policy") sqs_policy_statement = sqs_poller_policy[0] - self.assertTrue(type(sqs_policy_statement["Resource"]) != list) + self.assertFalse(isinstance(sqs_policy_statement["Resource"], list)) queue_url = self.get_physical_id_by_type("AWS::SQS::Queue") parts = queue_url.split("/") @@ -32,7 +32,7 @@ def test_with_policy_templates(self): self.assertEqual(len(lambda_invoke_policy), 1, "One policies statements should be present") lambda_policy_statement = lambda_invoke_policy[0] - self.assertTrue(type(lambda_policy_statement["Resource"]) != list) + self.assertFalse(isinstance(lambda_policy_statement["Resource"], list)) # NOTE: The resource ARN has "*" suffix to allow for any Lambda function version as well expected_function_suffix = "function:somename*" diff --git a/integration/combination/test_state_machine_with_api.py b/integration/combination/test_state_machine_with_api.py index c75cf56463..19b7cfa4c0 100644 --- a/integration/combination/test_state_machine_with_api.py +++ b/integration/combination/test_state_machine_with_api.py @@ -75,7 +75,7 @@ def _test_api_integration_with_state_machine( start_execution_policy_statement = start_execution_policy[0] - self.assertTrue(type(start_execution_policy_statement["Action"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Action"], list)) policy_action = start_execution_policy_statement["Action"] self.assertEqual( policy_action, 
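Review bot: `self.assertFalse(isinstance(sqs_policy_statement["Resource"], list))` reports only "True is not false" when it trips, which hides what the policy statement actually contained. `unittest` has a dedicated assertion for this, `self.assertNotIsInstance(sqs_policy_statement["Resource"], list)`, which prints the offending value. The same applies to the second hunk in this file and to the matching `Action`/`Resource` checks in test_state_machine_with_api.py, test_state_machine_with_cwe.py, test_state_machine_with_cwe_dlq_generated.py, test_state_machine_with_policy_templates.py, test_state_machine_with_schedule.py and test_state_machine_with_schedule_dlq_and_retry_policy.py. Since these checks guard that a generated statement names a single resource or action, a message argument stating that would also help.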
@@ -83,7 +83,7 @@ def _test_api_integration_with_state_machine( "Action referenced in event role policy must be 'states:StartExecution'", ) - self.assertTrue(type(start_execution_policy_statement["Resource"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Resource"], list)) referenced_state_machine_arn = start_execution_policy_statement["Resource"] self.assertEqual( referenced_state_machine_arn, diff --git a/integration/combination/test_state_machine_with_cwe.py b/integration/combination/test_state_machine_with_cwe.py index 84e1663818..29ab63b6ae 100644 --- a/integration/combination/test_state_machine_with_cwe.py +++ b/integration/combination/test_state_machine_with_cwe.py @@ -34,7 +34,7 @@ def test_state_machine_with_cwe(self): start_execution_policy_statement = start_execution_policy[0] - self.assertTrue(type(start_execution_policy_statement["Action"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Action"], list)) policy_action = start_execution_policy_statement["Action"] self.assertEqual( policy_action, @@ -42,7 +42,7 @@ def test_state_machine_with_cwe(self): "Action referenced in event role policy must be 'states:StartExecution'", ) - self.assertTrue(type(start_execution_policy_statement["Resource"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Resource"], list)) referenced_state_machine_arn = start_execution_policy_statement["Resource"] self.assertEqual( referenced_state_machine_arn, diff --git a/integration/combination/test_state_machine_with_cwe_dlq_generated.py b/integration/combination/test_state_machine_with_cwe_dlq_generated.py index a45638dc09..5ee69ad27a 100644 --- a/integration/combination/test_state_machine_with_cwe_dlq_generated.py +++ b/integration/combination/test_state_machine_with_cwe_dlq_generated.py 
@@ -37,7 +37,7 @@ def test_state_machine_with_cwe(self): start_execution_policy_statement = start_execution_policy[0] - self.assertTrue(type(start_execution_policy_statement["Action"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Action"], list)) policy_action = start_execution_policy_statement["Action"] self.assertEqual( policy_action, @@ -45,7 +45,7 @@ def test_state_machine_with_cwe(self): "Action referenced in event role policy must be 'states:StartExecution'", ) - self.assertTrue(type(start_execution_policy_statement["Resource"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Resource"], list)) referenced_state_machine_arn = start_execution_policy_statement["Resource"] self.assertEqual( referenced_state_machine_arn, diff --git a/integration/combination/test_state_machine_with_policy_templates.py b/integration/combination/test_state_machine_with_policy_templates.py index 7864f6d7f5..b63c69493e 100644 --- a/integration/combination/test_state_machine_with_policy_templates.py +++ b/integration/combination/test_state_machine_with_policy_templates.py @@ -22,7 +22,7 @@ def test_with_policy_templates(self): self.assertEqual(len(sqs_poller_policy), 1, "Only one statement must be in SQS Poller policy") sqs_policy_statement = sqs_poller_policy[0] - self.assertTrue(type(sqs_policy_statement["Resource"]) != list) + self.assertFalse(isinstance(sqs_policy_statement["Resource"], list)) queue_url = self.get_physical_id_by_type("AWS::SQS::Queue") parts = queue_url.split("/") 
@@ -40,7 +40,7 @@ def test_with_policy_templates(self): self.assertEqual(len(lambda_invoke_policy), 1, "One policies statements should be present") lambda_policy_statement = lambda_invoke_policy[0] - self.assertTrue(type(lambda_policy_statement["Resource"]) != list) + self.assertFalse(isinstance(lambda_policy_statement["Resource"], list)) function_name = self.get_physical_id_by_type("AWS::Lambda::Function") # NOTE: The resource ARN has "*" suffix to allow for any Lambda function version as well diff --git a/integration/combination/test_state_machine_with_schedule.py b/integration/combination/test_state_machine_with_schedule.py index 7ca85933ab..01fb0612d8 100644 --- a/integration/combination/test_state_machine_with_schedule.py +++ b/integration/combination/test_state_machine_with_schedule.py @@ -45,7 +45,7 @@ def test_state_machine_with_schedule(self, template_file_path): start_execution_policy_statement = start_execution_policy[0] - self.assertTrue(type(start_execution_policy_statement["Action"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Action"], list)) policy_action = start_execution_policy_statement["Action"] self.assertEqual( policy_action, @@ -53,7 +53,7 @@ def test_state_machine_with_schedule(self, template_file_path): "Action referenced in event role policy must be 'states:StartExecution'", ) - self.assertTrue(type(start_execution_policy_statement["Resource"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Resource"], list)) referenced_state_machine_arn = start_execution_policy_statement["Resource"] self.assertEqual( referenced_state_machine_arn, diff --git a/integration/combination/test_state_machine_with_schedule_dlq_and_retry_policy.py b/integration/combination/test_state_machine_with_schedule_dlq_and_retry_policy.py index 5cc1a190c7..5ea7309c1f 100644 --- a/integration/combination/test_state_machine_with_schedule_dlq_and_retry_policy.py 
+++ b/integration/combination/test_state_machine_with_schedule_dlq_and_retry_policy.py @@ -46,7 +46,7 @@ def test_state_machine_with_schedule(self): start_execution_policy_statement = start_execution_policy[0] - self.assertTrue(type(start_execution_policy_statement["Action"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Action"], list)) policy_action = start_execution_policy_statement["Action"] self.assertEqual( policy_action, @@ -54,7 +54,7 @@ def test_state_machine_with_schedule(self): "Action referenced in event role policy must be 'states:StartExecution'", ) - self.assertTrue(type(start_execution_policy_statement["Resource"]) != list) + self.assertFalse(isinstance(start_execution_policy_statement["Resource"], list)) referenced_state_machine_arn = start_execution_policy_statement["Resource"] self.assertEqual( referenced_state_machine_arn, diff --git a/integration/helpers/deployer/utils/colors.py b/integration/helpers/deployer/utils/colors.py index 792cb49966..3e1f90d0e4 100644 --- a/integration/helpers/deployer/utils/colors.py +++ b/integration/helpers/deployer/utils/colors.py @@ -2,9 +2,7 @@ Wrapper to generated colored messages for printing in Terminal This was ported over from the sam-cli repo """ -from typing import Dict - -from typing_extensions import Literal +from typing import Dict, Literal SupportedColor = Literal["red", "green", "yellow"] diff --git a/integration/helpers/resource.py b/integration/helpers/resource.py index e8ecb6ae9e..604f317663 100644 --- a/integration/helpers/resource.py +++ b/integration/helpers/resource.py 
@@ -206,8 +206,7 @@ def _resource_using_s3_events(resource: Dict[str, Any]) -> bool: def _get_all_event_sources(template_dict: Dict[str, Any]) -> Iterator[Dict[str, Any]]: resources = template_dict.get("Resources", {}).values() for resource in resources: - for event in resource.get("Properties", {}).get("Events", {}).values(): - yield event + yield from resource.get("Properties", {}).get("Events", {}).values() def _event_using_sns_filter_policy_scope(event: Dict[str, Any]) -> bool: diff --git a/integration/resources/templates/combination/function_with_alias_intrinsics.yaml b/integration/resources/templates/combination/function_with_alias_intrinsics.yaml index cbf9eb4dae..8f4b794682 100644 --- a/integration/resources/templates/combination/function_with_alias_intrinsics.yaml +++ b/integration/resources/templates/combination/function_with_alias_intrinsics.yaml @@ -19,7 +19,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: # Just trying to create a complex intrinsic function where only a part of it can be resolved Bucket: diff --git a/integration/resources/templates/combination/function_with_mq.yaml b/integration/resources/templates/combination/function_with_mq.yaml index 7788797929..fdff7942ef 100644 --- a/integration/resources/templates/combination/function_with_mq.yaml +++ b/integration/resources/templates/combination/function_with_mq.yaml @@ -111,7 +111,7 @@ Resources: Ref: MQBrokerName DeploymentMode: SINGLE_INSTANCE EngineType: ACTIVEMQ - EngineVersion: 5.15.12 + EngineVersion: 5.17.6 HostInstanceType: mq.t3.micro Logs: Audit: true diff --git a/integration/resources/templates/combination/function_with_mq_using_autogen_role.yaml b/integration/resources/templates/combination/function_with_mq_using_autogen_role.yaml index 2238f14099..332a2943fe 100644 --- a/integration/resources/templates/combination/function_with_mq_using_autogen_role.yaml 
+++ b/integration/resources/templates/combination/function_with_mq_using_autogen_role.yaml @@ -84,7 +84,7 @@ Resources: Ref: MQBrokerName2 DeploymentMode: SINGLE_INSTANCE EngineType: ACTIVEMQ - EngineVersion: 5.15.12 + EngineVersion: 5.17.6 HostInstanceType: mq.t3.micro Logs: Audit: true diff --git a/integration/resources/templates/combination/function_with_msk_trigger_and_s3_onfailure_events_destinations.yaml b/integration/resources/templates/combination/function_with_msk_trigger_and_s3_onfailure_events_destinations.yaml index 98f2178ae4..6089c08c02 100644 --- a/integration/resources/templates/combination/function_with_msk_trigger_and_s3_onfailure_events_destinations.yaml +++ b/integration/resources/templates/combination/function_with_msk_trigger_and_s3_onfailure_events_destinations.yaml @@ -24,7 +24,7 @@ Resources: - Action: [kafka:DescribeCluster, kafka:GetBootstrapBrokers, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeVpcs, ec2:DeleteNetworkInterface, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, logs:CreateLogGroup, - logs:CreateLogStream, logs:PutLogEvents] + logs:CreateLogStream, logs:PutLogEvents, s3:ListBucket] Effect: Allow Resource: '*' ManagedPolicyArns: [arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole] diff --git a/integration/resources/templates/single/basic_function.yaml b/integration/resources/templates/single/basic_function.yaml index 72e8bec777..89255a46eb 100644 --- a/integration/resources/templates/single/basic_function.yaml +++ b/integration/resources/templates/single/basic_function.yaml @@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 Policies: diff --git a/integration/resources/templates/single/basic_function_event_destinations.yaml b/integration/resources/templates/single/basic_function_event_destinations.yaml index 00a23c2d07..80d7a10146 100644 
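Review bot: `s3:ListBucket` is appended to a statement whose `Resource` is `'*'` in function_with_msk_trigger_and_s3_onfailure_events_destinations.yaml, so the role can list objects in any bucket in the account rather than only the one this test needs. The file name suggests the permission is for the S3 on-failure destination. If so, it belongs in its own statement scoped to that bucket, for example `- {Action: s3:ListBucket, Effect: Allow, Resource: !GetAtt <DestinationBucketLogicalId>.Arn}` with the placeholder replaced by the bucket's logical ID from this template. Integration templates tend to be copied as examples, so the narrower scope is worth having here too. The role definition starts and ends outside the hunk.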
--- a/integration/resources/templates/single/basic_function_event_destinations.yaml +++ b/integration/resources/templates/single/basic_function_event_destinations.yaml @@ -42,7 +42,7 @@ Resources: } }; Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x MemorySize: 1024 MyTestFunction2: Type: AWS::Serverless::Function @@ -74,7 +74,7 @@ Resources: } }; Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x MemorySize: 1024 DestinationLambda: Type: AWS::Serverless::Function @@ -88,7 +88,7 @@ Resources: return response; }; Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x MemorySize: 1024 DestinationSQS: Condition: QueueCreationDisabled diff --git a/integration/resources/templates/single/basic_function_no_envvar.yaml b/integration/resources/templates/single/basic_function_no_envvar.yaml index 9ce67f39c1..ff67150d2d 100644 --- a/integration/resources/templates/single/basic_function_no_envvar.yaml +++ b/integration/resources/templates/single/basic_function_no_envvar.yaml @@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 Policies: diff --git a/integration/resources/templates/single/basic_function_openapi.yaml b/integration/resources/templates/single/basic_function_openapi.yaml index 5f21091d0e..fac4426a4c 100644 --- a/integration/resources/templates/single/basic_function_openapi.yaml +++ b/integration/resources/templates/single/basic_function_openapi.yaml @@ -6,7 +6,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 Policies: diff --git a/integration/resources/templates/single/basic_function_with_arm_architecture.yaml b/integration/resources/templates/single/basic_function_with_arm_architecture.yaml index c018679a37..607d8e6e5a 100644 
--- a/integration/resources/templates/single/basic_function_with_arm_architecture.yaml +++ b/integration/resources/templates/single/basic_function_with_arm_architecture.yaml @@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 Architectures: [arm64] diff --git a/integration/resources/templates/single/basic_function_with_function_url_config.yaml b/integration/resources/templates/single/basic_function_with_function_url_config.yaml index 39f38eb048..656d0e039c 100644 --- a/integration/resources/templates/single/basic_function_with_function_url_config.yaml +++ b/integration/resources/templates/single/basic_function_with_function_url_config.yaml @@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 FunctionUrlConfig: diff --git a/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias.yaml b/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias.yaml index faea46a858..2994d4f764 100644 --- a/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias.yaml +++ b/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias.yaml @@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 AutoPublishAlias: live diff --git a/integration/resources/templates/single/basic_function_with_kmskeyarn.yaml b/integration/resources/templates/single/basic_function_with_kmskeyarn.yaml index bf96634656..8e4c770ed2 100644 --- a/integration/resources/templates/single/basic_function_with_kmskeyarn.yaml +++ b/integration/resources/templates/single/basic_function_with_kmskeyarn.yaml 
@@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 Environment: diff --git a/integration/resources/templates/single/basic_function_with_sns_dlq.yaml b/integration/resources/templates/single/basic_function_with_sns_dlq.yaml index 6d6fe6bad8..1627aaed13 100644 --- a/integration/resources/templates/single/basic_function_with_sns_dlq.yaml +++ b/integration/resources/templates/single/basic_function_with_sns_dlq.yaml @@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} DeadLetterQueue: Type: SNS diff --git a/integration/resources/templates/single/basic_function_with_sqs_dlq.yaml b/integration/resources/templates/single/basic_function_with_sqs_dlq.yaml index 2db4a1cf0a..712ee83113 100644 --- a/integration/resources/templates/single/basic_function_with_sqs_dlq.yaml +++ b/integration/resources/templates/single/basic_function_with_sqs_dlq.yaml @@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} DeadLetterQueue: Type: SQS diff --git a/integration/resources/templates/single/basic_function_with_tags.yaml b/integration/resources/templates/single/basic_function_with_tags.yaml index e9e5ee1e78..0dd0ba4e90 100644 --- a/integration/resources/templates/single/basic_function_with_tags.yaml +++ b/integration/resources/templates/single/basic_function_with_tags.yaml @@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 Policies: diff --git a/integration/resources/templates/single/basic_function_with_tracing.yaml b/integration/resources/templates/single/basic_function_with_tracing.yaml index e29ab38190..7f73308660 100644 
--- a/integration/resources/templates/single/basic_function_with_tracing.yaml +++ b/integration/resources/templates/single/basic_function_with_tracing.yaml @@ -14,7 +14,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 Policies: @@ -26,7 +26,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 Policies: diff --git a/integration/resources/templates/single/basic_function_with_x86_architecture.yaml b/integration/resources/templates/single/basic_function_with_x86_architecture.yaml index fa941488e8..1bdfce7138 100644 --- a/integration/resources/templates/single/basic_function_with_x86_architecture.yaml +++ b/integration/resources/templates/single/basic_function_with_x86_architecture.yaml @@ -3,7 +3,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} MemorySize: 128 Architectures: diff --git a/integration/resources/templates/single/basic_layer_with_compatible_architecture.yaml b/integration/resources/templates/single/basic_layer_with_compatible_architecture.yaml index 056b958cee..1c8846b22b 100644 --- a/integration/resources/templates/single/basic_layer_with_compatible_architecture.yaml +++ b/integration/resources/templates/single/basic_layer_with_compatible_architecture.yaml @@ -1,7 +1,7 @@ Parameters: Runtimes: Type: CommaDelimitedList - Default: nodejs16.x + Default: nodejs18.x LayerName: Type: String Default: MyNamedLayerVersion diff --git a/integration/resources/templates/single/basic_layer_with_parameters.yaml b/integration/resources/templates/single/basic_layer_with_parameters.yaml index 93eb7f0679..5651aaae87 100644 --- a/integration/resources/templates/single/basic_layer_with_parameters.yaml 
+++ b/integration/resources/templates/single/basic_layer_with_parameters.yaml @@ -7,7 +7,7 @@ Parameters: Default: MIT-0 Runtimes: Type: CommaDelimitedList - Default: nodejs16.x + Default: nodejs18.x LayerName: Type: String Default: MyNamedLayerVersion diff --git a/integration/resources/templates/single/function_alias_with_http_api_events.yaml b/integration/resources/templates/single/function_alias_with_http_api_events.yaml index bc5917f9fc..6c5fb449d1 100644 --- a/integration/resources/templates/single/function_alias_with_http_api_events.yaml +++ b/integration/resources/templates/single/function_alias_with_http_api_events.yaml @@ -6,7 +6,7 @@ Resources: Properties: AutoPublishAlias: live Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} Events: FooEvent: diff --git a/integration/resources/templates/single/function_with_http_api_events.yaml b/integration/resources/templates/single/function_with_http_api_events.yaml index 1d672a6a86..fa44fd3336 100644 --- a/integration/resources/templates/single/function_with_http_api_events.yaml +++ b/integration/resources/templates/single/function_with_http_api_events.yaml @@ -5,7 +5,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} Events: FooEvent: diff --git a/integration/resources/templates/single/function_with_http_api_events_and_auth.yaml b/integration/resources/templates/single/function_with_http_api_events_and_auth.yaml index 25b12a6ae3..4858cd60ae 100644 --- a/integration/resources/templates/single/function_with_http_api_events_and_auth.yaml +++ b/integration/resources/templates/single/function_with_http_api_events_and_auth.yaml @@ -11,7 +11,7 @@ Resources: Type: AWS::Serverless::Function Properties: Handler: index.handler - Runtime: nodejs16.x + Runtime: nodejs18.x CodeUri: ${codeuri} Events: # The following events use the implicit AWS::Serverless::HttpApi called "ServerlessHttpApi". 
diff --git a/integration/ruff.toml b/integration/ruff.toml index 620f9a8a95..f295c2fe8f 100644 --- a/integration/ruff.toml +++ b/integration/ruff.toml @@ -15,8 +15,8 @@ select = [ "UP", # pyupgrade ] -# Mininal python version we support is 3.7 -target-version = "py37" +# Mininal python version we support is 3.8 +target-version = "py38" [per-file-ignores] diff --git a/pyproject.toml b/pyproject.toml index 327062a140..bb5eabbf7e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.black] line-length = 120 -target_version = ['py37', 'py38', 'py39', 'py310'] +target_version = ['py38', 'py39', 'py310'] exclude = ''' ( diff --git a/pytest.ini b/pytest.ini index c130f7c2a5..cd1ec10a7f 100644 --- a/pytest.ini +++ b/pytest.ini @@ -14,8 +14,6 @@ filterwarnings = # From our own tests ignore:__init__ is deprecated and will be removed in a future release:DeprecationWarning ignore:deprecated_function is deprecated and will be removed in a future release, please use replacement_function:DeprecationWarning - # Python 3.7 deprecation - ignore::boto3.exceptions.PythonDeprecationWarning # https://github.com/pytest-dev/pytest-xdist/issues/825#issuecomment-1292450429 ignore:The --rsyncdir command line argument and rsyncdirs config variable are deprecated.:DeprecationWarning # Pytest warnings diff --git a/requirements/base.txt b/requirements/base.txt index 92cc18dbaa..44387bcb1d 100755 --- a/requirements/base.txt +++ b/requirements/base.txt @@ -1,6 +1,6 @@ boto3>=1.19.5,==1.* jsonschema<5,>=3.2 # TODO: evaluate risk of removing jsonschema 3.x support -typing_extensions>=4.4,<5 # 3.7 doesn't have Literal +typing_extensions>=4.4 # 3.8 doesn't have Required, TypeGuard and ParamSpec # resource validation & schema generation pydantic>=1.8,<3 diff --git a/requirements/dev.txt b/requirements/dev.txt index 08e09c7464..de81b0cf73 100644 --- a/requirements/dev.txt +++ b/requirements/dev.txt 
@@ -4,7 +4,7 @@ pytest-xdist>=2.5,<4 pytest-env>=0.6,<1 pytest-rerunfailures>=9.1,<12 pyyaml~=6.0 -ruff==0.0.284 # loose the requirement once it is more stable +ruff~=0.1.0 # Test requirements pytest>=6.2,<8 @@ -19,7 +19,7 @@ tenacity~=8.0 requests~=2.28 # formatter -black==23.3.0 # 23.3.0 is the last version supporting python 3.7 +black==23.10.1 ruamel.yaml==0.17.21 # It can parse yaml while perserving comments # type check @@ -29,7 +29,3 @@ mypy~=1.3.0 boto3-stubs[appconfig,serverlessrepo]>=1.19.5,==1.* types-PyYAML~=6.0 types-jsonschema~=3.2 - -# Check package version (backport importlib.metadata for python 3.7) -# https://docs.python.org/3/library/importlib.metadata.html -importlib_metadata; python_version < '3.8' diff --git a/ruff.toml b/ruff.toml index 65497d23e7..48bf5e4eb7 100644 --- a/ruff.toml +++ b/ruff.toml @@ -37,8 +37,8 @@ ignore = [ "G004", ] -# Mininal python version we support is 3.7 -target-version = "py37" +# Mininal python version we support is 3.8 +target-version = "py38" [per-file-ignores] # python scripts in bin/ needs some python path configurations before import diff --git a/samtranslator/__init__.py b/samtranslator/__init__.py index fa29c9b5ff..9e18d77e23 100644 --- a/samtranslator/__init__.py +++ b/samtranslator/__init__.py @@ -1 +1 @@ -__version__ = "1.82.0" +__version__ = "1.83.0" diff --git a/samtranslator/internal/model/appsync.py b/samtranslator/internal/model/appsync.py index afd3a8eb26..de81660c5b 100644 --- a/samtranslator/internal/model/appsync.py +++ b/samtranslator/internal/model/appsync.py @@ -1,6 +1,6 @@ -from typing import Any, Dict, List, Optional, Union +from typing import Any, Dict, List, Optional, TypedDict, Union -from typing_extensions import Required, TypedDict +from typing_extensions import Required from samtranslator.model import GeneratedProperty, Resource from samtranslator.model.intrinsics import fnGetAtt, ref 
@@ -113,6 +113,8 @@ class GraphQLApi(Resource): "OpenIDConnectConfig": GeneratedProperty(), "UserPoolConfig": GeneratedProperty(), "AdditionalAuthenticationProviders": GeneratedProperty(), + "Visibility": GeneratedProperty(), + "OwnerContact": GeneratedProperty(), } Name: str @@ -124,6 +126,8 @@ class GraphQLApi(Resource): Tags: Optional[List[Dict[str, Any]]] XrayEnabled: Optional[bool] LogConfig: Optional[LogConfigType] + Visibility: Optional[str] + OwnerContact: Optional[str] runtime_attrs = {"api_id": lambda self: fnGetAtt(self.logical_id, "ApiId")} diff --git a/samtranslator/internal/schema_source/aws_serverless_api.py b/samtranslator/internal/schema_source/aws_serverless_api.py index 0baaca700a..f94cc0b083 100644 --- a/samtranslator/internal/schema_source/aws_serverless_api.py +++ b/samtranslator/internal/schema_source/aws_serverless_api.py @@ -1,8 +1,6 @@ from __future__ import annotations -from typing import Dict, List, Optional, Union - -from typing_extensions import Literal +from typing import Dict, List, Literal, Optional, Union from samtranslator.internal.schema_source.aws_serverless_connector import EmbeddedConnector from samtranslator.internal.schema_source.common import ( diff --git a/samtranslator/internal/schema_source/aws_serverless_application.py b/samtranslator/internal/schema_source/aws_serverless_application.py index 0c6e486ca4..7079ca17ca 100644 --- a/samtranslator/internal/schema_source/aws_serverless_application.py +++ b/samtranslator/internal/schema_source/aws_serverless_application.py @@ -1,8 +1,6 @@ from __future__ import annotations -from typing import Any, Dict, Optional, Union - -from typing_extensions import Literal +from typing import Any, Dict, Literal, Optional, Union from samtranslator.internal.schema_source.common import ( BaseModel, diff --git a/samtranslator/internal/schema_source/aws_serverless_connector.py b/samtranslator/internal/schema_source/aws_serverless_connector.py index 4142378a68..76b596cb9e 100644 
--- a/samtranslator/internal/schema_source/aws_serverless_connector.py +++ b/samtranslator/internal/schema_source/aws_serverless_connector.py @@ -1,6 +1,4 @@ -from typing import List, Optional, Union - -from typing_extensions import Literal +from typing import List, Literal, Optional, Union from samtranslator.internal.schema_source.common import ( BaseModel, diff --git a/samtranslator/internal/schema_source/aws_serverless_function.py b/samtranslator/internal/schema_source/aws_serverless_function.py index af97a1cbfd..77efe20d9f 100644 --- a/samtranslator/internal/schema_source/aws_serverless_function.py +++ b/samtranslator/internal/schema_source/aws_serverless_function.py @@ -1,8 +1,6 @@ from __future__ import annotations -from typing import Dict, List, Optional, Union - -from typing_extensions import Literal +from typing import Dict, List, Literal, Optional, Union from samtranslator.internal.schema_source.aws_serverless_connector import EmbeddedConnector from samtranslator.internal.schema_source.common import ( diff --git a/samtranslator/internal/schema_source/aws_serverless_graphqlapi.py b/samtranslator/internal/schema_source/aws_serverless_graphqlapi.py index 03da4e187a..b731abee73 100644 --- a/samtranslator/internal/schema_source/aws_serverless_graphqlapi.py +++ b/samtranslator/internal/schema_source/aws_serverless_graphqlapi.py @@ -1,6 +1,4 @@ -from typing import Dict, List, Optional, Union - -from typing_extensions import Literal +from typing import Dict, List, Literal, Optional, Union from samtranslator.internal.schema_source.common import ( BaseModel, @@ -164,6 +162,8 @@ class Properties(BaseModel): ApiKeys: Optional[Dict[str, ApiKey]] DomainName: Optional[DomainName] Cache: Optional[Cache] + Visibility: Optional[PassThroughProp] + OwnerContact: Optional[PassThroughProp] class Resource(BaseModel): 
diff --git a/samtranslator/internal/schema_source/aws_serverless_httpapi.py b/samtranslator/internal/schema_source/aws_serverless_httpapi.py index 57605eba10..c658527eb9 100644 --- a/samtranslator/internal/schema_source/aws_serverless_httpapi.py +++ b/samtranslator/internal/schema_source/aws_serverless_httpapi.py @@ -1,8 +1,6 @@ from __future__ import annotations -from typing import Dict, List, Optional, Union - -from typing_extensions import Literal +from typing import Dict, List, Literal, Optional, Union from samtranslator.internal.schema_source.aws_serverless_connector import EmbeddedConnector from samtranslator.internal.schema_source.common import ( diff --git a/samtranslator/internal/schema_source/aws_serverless_layerversion.py b/samtranslator/internal/schema_source/aws_serverless_layerversion.py index 162a6f562a..96523fd569 100644 --- a/samtranslator/internal/schema_source/aws_serverless_layerversion.py +++ b/samtranslator/internal/schema_source/aws_serverless_layerversion.py @@ -1,8 +1,6 @@ from __future__ import annotations -from typing import Optional, Union - -from typing_extensions import Literal +from typing import Literal, Optional, Union from samtranslator.internal.schema_source.common import ( BaseModel, diff --git a/samtranslator/internal/schema_source/aws_serverless_simpletable.py b/samtranslator/internal/schema_source/aws_serverless_simpletable.py index f046199de0..c21f9b9d79 100644 --- a/samtranslator/internal/schema_source/aws_serverless_simpletable.py +++ b/samtranslator/internal/schema_source/aws_serverless_simpletable.py @@ -1,8 +1,6 @@ from __future__ import annotations -from typing import Any, Dict, Optional - -from typing_extensions import Literal +from typing import Any, Dict, Literal, Optional from samtranslator.internal.schema_source.aws_serverless_connector import EmbeddedConnector from samtranslator.internal.schema_source.common import ( 
diff --git a/samtranslator/internal/schema_source/aws_serverless_statemachine.py b/samtranslator/internal/schema_source/aws_serverless_statemachine.py index 041392b934..9e6a549e9c 100644 --- a/samtranslator/internal/schema_source/aws_serverless_statemachine.py +++ b/samtranslator/internal/schema_source/aws_serverless_statemachine.py @@ -1,8 +1,6 @@ from __future__ import annotations -from typing import Dict, List, Optional, Union - -from typing_extensions import Literal +from typing import Dict, List, Literal, Optional, Union from samtranslator.internal.schema_source.aws_serverless_connector import EmbeddedConnector from samtranslator.internal.schema_source.common import ( diff --git a/samtranslator/internal/schema_source/common.py b/samtranslator/internal/schema_source/common.py index b74e3877c2..617f8f414b 100644 --- a/samtranslator/internal/schema_source/common.py +++ b/samtranslator/internal/schema_source/common.py @@ -1,9 +1,7 @@ import json from functools import partial from pathlib import Path -from typing import Any, Dict, List, Optional, TypeVar, Union - -from typing_extensions import Literal +from typing import Any, Dict, List, Literal, Optional, TypeVar, Union from samtranslator.compat import pydantic from samtranslator.model.types import PassThrough diff --git a/samtranslator/metrics/metrics.py b/samtranslator/metrics/metrics.py index cb9600f45c..d026e9c135 100644 --- a/samtranslator/metrics/metrics.py +++ b/samtranslator/metrics/metrics.py @@ -4,9 +4,7 @@ import logging from abc import ABC, abstractmethod from datetime import datetime -from typing import Any, Dict, List, Optional, Union - -from typing_extensions import TypedDict +from typing import Any, Dict, List, Optional, TypedDict, Union from samtranslator.internal.deprecation_control import deprecated diff --git a/samtranslator/model/api/api_generator.py b/samtranslator/model/api/api_generator.py index 4d93269722..a04352243e 100644 --- a/samtranslator/model/api/api_generator.py 
+++ b/samtranslator/model/api/api_generator.py @@ -604,9 +604,7 @@ def _construct_single_record_set_group( hostedZoneId = route53.get("HostedZoneId") hostedZoneName = route53.get("HostedZoneName") domainName = domain.get("DomainName") - logical_id = logical_id = LogicalIdGenerator( - "RecordSetGroup", [hostedZoneId or hostedZoneName, domainName] - ).gen() + logical_id = LogicalIdGenerator("RecordSetGroup", [hostedZoneId or hostedZoneName, domainName]).gen() record_set_group = Route53RecordSetGroup(logical_id, attributes=self.passthrough_resource_attributes) if hostedZoneId: diff --git a/samtranslator/model/s3_utils/uri_parser.py b/samtranslator/model/s3_utils/uri_parser.py index 9d9ebd5cb5..8a399abdf3 100644 --- a/samtranslator/model/s3_utils/uri_parser.py +++ b/samtranslator/model/s3_utils/uri_parser.py @@ -1,3 +1,4 @@ +from re import search from typing import Any, Dict, Optional, Union from urllib.parse import parse_qs, urlparse @@ -85,6 +86,16 @@ def construct_s3_location_object( s3_pointer = location_uri else: + # SSM Pattern found here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html + ssm_pattern = r"{{resolve:(ssm|ssm-secure|secretsmanager):[a-zA-Z0-9_.\-/]+(:\d+)?}}" + match = search(ssm_pattern, location_uri) + if match and match.group(0) and "/" in match.group(0): + raise InvalidResourceException( + logical_id, + f"Unsupported dynamic reference detected in '{property_name}'. Please " + "consider using alternative 'FunctionCode' object format.", + ) + # location_uri is NOT a dictionary. Parse it as a string _s3_pointer = parse_s3_uri(location_uri) diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py index f1382ea250..4aeed875c8 100644 --- a/samtranslator/model/sam_resources.py +++ b/samtranslator/model/sam_resources.py 
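Review bot: In the second uri_parser.py hunk, `search(ssm_pattern, location_uri)` runs on a value that the surrounding `else:` branch only establishes is not a dictionary, so a template supplying a list or a number here would raise `TypeError` instead of the `InvalidResourceException` used for other bad input. Guarding the call, for example `match = search(ssm_pattern, location_uri) if isinstance(location_uri, str) else None`, keeps malformed templates on the normal validation path. The character class `[a-zA-Z0-9_.\-/]+` also excludes `:`, so `secretsmanager` references written with an ARN or with further colon-separated segments do not match and still reach `parse_s3_uri`; if those should be rejected as well, the pattern needs widening. `match.group(0)` is always non-empty once `match` is set, so the middle condition can be dropped. The body of `construct_s3_location_object` starts and ends outside the hunk.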
@@ -1,9 +1,7 @@ """ SAM macro definitions """ import copy from contextlib import suppress -from typing import Any, Callable, Dict, List, Optional, Tuple, Union, cast - -from typing_extensions import Literal +from typing import Any, Callable, Dict, List, Literal, Optional, Tuple, Union, cast import samtranslator.model.eventsources import samtranslator.model.eventsources.cloudwatchlogs @@ -2217,6 +2215,8 @@ class SamGraphQLApi(SamResourceMacro): "ApiKeys": Property(False, IS_DICT), "DomainName": Property(False, IS_DICT), "Cache": Property(False, IS_DICT), + "Visibility": PassThroughProperty(False), + "OwnerContact": PassThroughProperty(False), } Auth: List[Dict[str, Any]] @@ -2232,6 +2232,8 @@ class SamGraphQLApi(SamResourceMacro): ApiKeys: Optional[Dict[str, Dict[str, Any]]] DomainName: Optional[Dict[str, Any]] Cache: Optional[Dict[str, Any]] + Visibility: Optional[PassThrough] + OwnerContact: Optional[PassThrough] # stop validation so we can use class variables for tracking state validate_setattr = False @@ -2302,6 +2304,13 @@ def _construct_appsync_api_resources( api = GraphQLApi(logical_id=self.logical_id, depends_on=self.depends_on, attributes=self.resource_attributes) api.Name = passthrough_value(model.Name) or self.logical_id + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-graphqlapi.html#cfn-appsync-graphqlapi-visibility + # WARNING: If Visibility has not been defined, explicitly setting it to GLOBAL in a template/stack update will result in an API replacement and new DNS values. + # we don't want to force client's API re-creation + if model.Visibility: + api.Visibility = passthrough_value(model.Visibility) + if model.OwnerContact: + api.OwnerContact = passthrough_value(model.OwnerContact) api.XrayEnabled = model.XrayEnabled lambda_auth_arns = self._parse_and_set_auth_properties(api, model.Auth) 
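Review bot: The guards `if model.Visibility:` and `if model.OwnerContact:` in `_construct_appsync_api_resources` test truthiness, so an explicitly supplied empty value is dropped during translation rather than passed through for CloudFormation to reject. Both are pass-through properties and the comment's stated goal is only to avoid emitting `Visibility` when it was not defined, so `if model.Visibility is not None:` and `if model.OwnerContact is not None:` would express that more precisely, assuming the model yields `None` for an omitted property. The resource_tagging.py hunk in this same commit makes the equivalent truthiness-to-`None` change for tag values. The method continues outside the hunk.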
diff --git a/samtranslator/model/tags/resource_tagging.py b/samtranslator/model/tags/resource_tagging.py index 8a216d5932..788bfc46d3 100644 --- a/samtranslator/model/tags/resource_tagging.py +++ b/samtranslator/model/tags/resource_tagging.py @@ -30,7 +30,7 @@ def get_tag_list(resource_tag_dict: Optional[Dict[str, Any]]) -> List[Dict[str, return tag_list for tag_key, tag_value in resource_tag_dict.items(): - tag = {_KEY: tag_key, _VALUE: tag_value if tag_value else ""} + tag = {_KEY: tag_key, _VALUE: tag_value if (tag_value is not None) else ""} tag_list.append(tag) return tag_list diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json index b8f6eaa334..58bbbbee47 100644 --- a/samtranslator/schema/schema.json +++ b/samtranslator/schema/schema.json 
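Review bot: With `tag_value if (tag_value is not None) else ""` in `get_tag_list`, falsy non-string values such as `0`, `False` or an empty list are now emitted as the tag value unchanged, where they previously became `""`. If the intent is to preserve `0` and `False`, it is worth recording, since consumers of the tag list may expect string values. A comment above the line such as `# only None maps to ""; other falsy values (0, False) are kept as given` would document the decision. The function starts before the hunk.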
@@ -1340,6 +1340,140 @@ }, "type": "object" }, + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "PracticeRunConfiguration": { + "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration.PracticeRunConfiguration", + "markdownDescription": "A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. When a resource has a practice run configuration, Route 53 ARC shifts traffic for the resource weekly for practice runs.\n\nPractice runs are required for zonal autoshift. The zonal shifts that Route 53 ARC starts for practice runs help you to ensure that shifting away traffic from an Availability Zone during an autoshift is safe for your application.\n\nYou can update or delete a practice run configuration. Before you delete a practice run configuration, you must disable zonal autoshift for the resource. A practice run configuration is required when zonal autoshift is enabled.", + "title": "PracticeRunConfiguration" + }, + "ResourceIdentifier": { + "markdownDescription": "The identifier for the resource that AWS shifts traffic for. 
The identifier is the Amazon Resource Name (ARN) for the resource.\n\nAt this time, supported resources are Network Load Balancers and Application Load Balancers with cross-zone load balancing turned off.", + "title": "ResourceIdentifier", + "type": "string" + }, + "ZonalAutoshiftStatus": { + "markdownDescription": "When zonal autoshift is `ENABLED` , you authorize AWS to shift away resource traffic for an application from an Availability Zone during events, on your behalf, to help reduce time to recovery. Traffic is also shifted away for the required weekly practice runs.", + "title": "ZonalAutoshiftStatus", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration.ControlCondition": { + "additionalProperties": false, + "properties": { + "AlarmIdentifier": { + "markdownDescription": "The Amazon Resource Name (ARN) for an Amazon CloudWatch alarm that you specify as a control condition for a practice run.", + "title": "AlarmIdentifier", + "type": "string" + }, + "Type": { + "markdownDescription": "The type of alarm specified for a practice run. You can only specify Amazon CloudWatch alarms for practice runs, so the only valid value is `CLOUDWATCH` .", + "title": "Type", + "type": "string" + } + }, + "required": [ + "AlarmIdentifier", + "Type" + ], + "type": "object" + }, + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration.PracticeRunConfiguration": { + "additionalProperties": false, + "properties": { + "BlockedDates": { + "items": { + "type": "string" + }, + "markdownDescription": "An array of one or more dates that you can specify when AWS does not start practice runs for a resource. 
Dates are in UTC.\n\nSpecify blocked dates in the format `YYYY-MM-DD` , separated by spaces.", + "title": "BlockedDates", + "type": "array" + }, + "BlockedWindows": { + "items": { + "type": "string" + }, + "markdownDescription": "An array of one or more days and times that you can specify when Route 53 ARC does not start practice runs for a resource. Days and times are in UTC.\n\nSpecify blocked windows in the format `DAY:HH:MM-DAY:HH:MM` , separated by spaces. For example, `MON:18:30-MON:19:30 TUE:18:30-TUE:19:30` .", + "title": "BlockedWindows", + "type": "array" + }, + "BlockingAlarms": { + "items": { + "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration.ControlCondition" + }, + "markdownDescription": "An optional alarm that you can specify that blocks practice runs when the alarm is in an `ALARM` state. When a blocking alarm goes into an `ALARM` state, it prevents practice runs from being started, and ends practice runs that are in progress.", + "title": "BlockingAlarms", + "type": "array" + }, + "OutcomeAlarms": { + "items": { + "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration.ControlCondition" + }, + "markdownDescription": "The alarm that you specify to monitor the health of your application during practice runs. When the outcome alarm goes into an `ALARM` state, the practice run is ended and the outcome is set to `FAILED` .", + "title": "OutcomeAlarms", + "type": "array" + } + }, + "required": [ + "OutcomeAlarms" + ], + "type": "object" + }, "AWS::AccessAnalyzer::Analyzer": { "additionalProperties": false, "properties": { 
@@ -1375,6 +1509,11 @@ "Properties": { "additionalProperties": false, "properties": { + "AnalyzerConfiguration": { + "$ref": "#/definitions/AWS::AccessAnalyzer::Analyzer.AnalyzerConfiguration", + "markdownDescription": "Contains information about the configuration of an unused access analyzer for an AWS organization or account.", + "title": "AnalyzerConfiguration" + }, "AnalyzerName": { "markdownDescription": "The name of the analyzer.", "title": "AnalyzerName", @@ -1384,7 +1523,7 @@ "items": { "$ref": "#/definitions/AWS::AccessAnalyzer::Analyzer.ArchiveRule" }, - "markdownDescription": "Specifies the archive rules to add for the analyzer.", + "markdownDescription": "Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.", "title": "ArchiveRules", "type": "array" }, @@ -1392,12 +1531,12 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags to apply to the analyzer.", + "markdownDescription": "An array of key-value pairs to apply to the analyzer.", "title": "Tags", "type": "array" }, "Type": { - "markdownDescription": "The type represents the zone of trust for the analyzer.\n\n*Allowed Values* : ACCOUNT | ORGANIZATION", + "markdownDescription": "The type represents the zone of trust for the analyzer.\n\n*Allowed Values* : ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ORGANIZATION_UNUSED_ACCESS", "title": "Type", "type": "string" } 
@@ -1428,6 +1567,17 @@ ], "type": "object" }, + "AWS::AccessAnalyzer::Analyzer.AnalyzerConfiguration": { + "additionalProperties": false, + "properties": { + "UnusedAccessConfiguration": { + "$ref": "#/definitions/AWS::AccessAnalyzer::Analyzer.UnusedAccessConfiguration", + "markdownDescription": "Specifies the configuration of an unused access analyzer for an AWS organization or account. External access analyzers do not support any configuration.", + "title": "UnusedAccessConfiguration" + } + }, + "type": "object" + }, "AWS::AccessAnalyzer::Analyzer.ArchiveRule": { "additionalProperties": false, "properties": { @@ -1440,7 +1590,7 @@ "type": "array" }, "RuleName": { - "markdownDescription": "The name of the archive rule.", + "markdownDescription": "The name of the rule to create.", "title": "RuleName", "type": "string" } @@ -1494,6 +1644,17 @@ ], "type": "object" }, + "AWS::AccessAnalyzer::Analyzer.UnusedAccessConfiguration": { + "additionalProperties": false, + "properties": { + "UnusedAccessAge": { + "markdownDescription": "The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days.", + "title": "UnusedAccessAge", + "type": "number" + } + }, + "type": "object" + }, "AWS::AmazonMQ::Broker": { "additionalProperties": false, "properties": { 
@@ -1550,9 +1711,13 @@ "title": "Configuration" }, "DataReplicationMode": { + "markdownDescription": "Defines whether this broker is a part of a data replication pair.", + "title": "DataReplicationMode", "type": "string" }, "DataReplicationPrimaryBrokerArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the primary broker that is used to replicate data from in a data replication pair, and is applied to the replica broker. Must be set when dataReplicationMode is set to CRDR.", + "title": "DataReplicationPrimaryBrokerArn", "type": "string" }, "DeploymentMode": { @@ -2414,12 +2579,14 @@ "additionalProperties": false, "properties": { "AppId": { - "markdownDescription": "The unique ID for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 20.\n\n*Pattern:* d[a-z0-9]+", + "markdownDescription": "The unique ID for an Amplify app.", "title": "AppId", "type": "string" }, "Backend": { - "$ref": "#/definitions/AWS::Amplify::Branch.Backend" + "$ref": "#/definitions/AWS::Amplify::Branch.Backend", + "markdownDescription": "The backend environment for an Amplify app.", + "title": "Backend" }, "BasicAuthConfig": { "$ref": "#/definitions/AWS::Amplify::Branch.BasicAuthConfig", @@ -2519,6 +2686,8 @@ "additionalProperties": false, "properties": { "StackArn": { + "markdownDescription": "The Amazon Resource Name (ARN) for the AWS CloudFormation stack.", + "title": "StackArn", "type": "string" } }, @@ -4405,8 +4574,6 @@ "type": "string" }, "Id": { - "markdownDescription": "", - "title": "Id", "type": "string" }, "RestApiId": { 
@@ -4693,7 +4860,7 @@ "type": "boolean" }, "DataTraceEnabled": { - "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "title": "DataTraceEnabled", "type": "boolean" }, @@ -5359,7 +5526,7 @@ "markdownDescription": "A key-value map defining required or optional method request parameters that can be accepted by API Gateway. A key is a method request parameter name matching the pattern of `method.request.{location}.{name}` , where `location` is `querystring` , `path` , or `header` and `name` is a valid and unique parameter name. The value associated with the key is a Boolean flag indicating whether the parameter is required ( `true` ) or optional ( `false` ). The method request parameter names defined here are available in Integration to be mapped to integration request parameters or templates.", "patternProperties": { "^[a-zA-Z0-9]+$": { - "type": "boolean" + "type": "string" } }, "title": "RequestParameters", @@ -5501,6 +5668,9 @@ "type": "string" } }, + "required": [ + "Type" + ], "type": "object" }, "AWS::ApiGateway::Method.IntegrationResponse": { 
@@ -5568,7 +5738,7 @@ "markdownDescription": "A key-value map specifying required or optional response parameters that API Gateway can send back to the caller. A key defines a method response header and the value specifies whether the associated method response header is required or not. The expression of the key must match the pattern `method.response.header.{name}` , where `name` is a valid and unique header name. API Gateway passes certain integration response data to the method response headers specified here according to the mapping you prescribe in the API's IntegrationResponse. The integration response data that can be mapped include an integration response header expressed in `integration.response.header.{name}` , a static value enclosed within a pair of single quotes (e.g., `'application/json'` ), or a JSON expression from the back-end response payload in the form of `integration.response.body.{JSON-expression}` , where `JSON-expression` is a valid JSON expression without the `$` prefix.)", "patternProperties": { "^[a-zA-Z0-9]+$": { - "type": "boolean" + "type": "string" } }, "title": "ResponseParameters", @@ -6244,7 +6414,7 @@ "type": "boolean" }, "DataTraceEnabled": { - "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "title": "DataTraceEnabled", "type": "boolean" }, @@ -7098,7 +7268,7 @@ "additionalProperties": false, "properties": { "ApiId": { - "markdownDescription": "The identifier of the API.", + "markdownDescription": "The API identifier.", "title": "ApiId", "type": "string" }, 
@@ -7659,13 +7829,9 @@ "additionalProperties": false, "properties": { "Destination": { - "markdownDescription": "Specifies the location of the response to modify, and how to modify it. To learn more, see [Transforming API requests and responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html) .", - "title": "Destination", "type": "string" }, "Source": { - "markdownDescription": "Specifies the data to update the parameter with. To learn more, see [Transforming API requests and responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html) .", - "title": "Source", "type": "string" } }, @@ -7682,8 +7848,6 @@ "items": { "$ref": "#/definitions/AWS::ApiGatewayV2::Integration.ResponseParameter" }, - "markdownDescription": "Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients. Specify a key-value map from a selection key to response parameters. The selection key must be a valid HTTP status code within the range of 200-599. Response parameters are a key-value map. The key must match the pattern `:
.` or `overwrite.statuscode` . The action can be `append` , `overwrite` or `remove` . The value can be a static value, or map to response data, stage variables, or context variables that are evaluated at runtime. To learn more, see [Transforming API requests and responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html) .", - "title": "ResponseParameters", "type": "array" } }, @@ -8539,6 +8703,8 @@ "type": "string" }, "KmsKeyIdentifier": { + "markdownDescription": "", + "title": "KmsKeyIdentifier", "type": "string" }, "LocationUri": { @@ -8704,7 +8870,7 @@ "type": "string" }, "KmsKeyIdentifier": { - "markdownDescription": "The AWS KMS key identifier (key ID, key alias, or key ARN). AWS AppConfig uses this ID to encrypt the configuration data using a customer managed key.", + "markdownDescription": "The AWS Key Management Service key identifier (key ID, key alias, or key ARN) provided when the resource was created or updated.", "title": "KmsKeyIdentifier", "type": "string" }, @@ -9659,7 +9825,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.PardotConnectorProfileCredentials", - "markdownDescription": "", + "markdownDescription": "The connector-specific credentials required when using Salesforce Pardot.", "title": "Pardot" }, "Redshift": { @@ -9745,7 +9911,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.PardotConnectorProfileProperties", - "markdownDescription": "", + "markdownDescription": "The connector-specific properties required by Salesforce Pardot.", "title": "Pardot" }, "Redshift": { 
@@ -10176,12 +10342,12 @@ "additionalProperties": false, "properties": { "AccessToken": { - "markdownDescription": "", + "markdownDescription": "The credentials used to access protected Salesforce Pardot resources.", "title": "AccessToken", "type": "string" }, "ClientCredentialsArn": { - "markdownDescription": "", + "markdownDescription": "The secret manager ARN, which contains the client ID and client secret of the connected app.", "title": "ClientCredentialsArn", "type": "string" }, @@ -10191,7 +10357,7 @@ "title": "ConnectorOAuthRequest" }, "RefreshToken": { - "markdownDescription": "", + "markdownDescription": "The credentials used to acquire new access tokens.", "title": "RefreshToken", "type": "string" } @@ -10202,17 +10368,17 @@ "additionalProperties": false, "properties": { "BusinessUnitId": { - "markdownDescription": "", + "markdownDescription": "The business unit id of Salesforce Pardot instance.", "title": "BusinessUnitId", "type": "string" }, "InstanceUrl": { - "markdownDescription": "", + "markdownDescription": "The location of the Salesforce Pardot resource.", "title": "InstanceUrl", "type": "string" }, "IsSandboxEnvironment": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the connector profile applies to a sandbox or production environment.", "title": "IsSandboxEnvironment", "type": "boolean" } 
@@ -10252,17 +10418,17 @@ "type": "string" }, "ClusterIdentifier": { - "markdownDescription": "", + "markdownDescription": "The unique ID that's assigned to an Amazon Redshift cluster.", "title": "ClusterIdentifier", "type": "string" }, "DataApiRoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that permits Amazon AppFlow to access your Amazon Redshift database through the Data API. For more information, and for the polices that you attach to this role, see [Allow Amazon AppFlow to access Amazon Redshift databases with the Data API](https://docs.aws.amazon.com/appflow/latest/userguide/security_iam_service-role-policies.html#access-redshift) .", "title": "DataApiRoleArn", "type": "string" }, "DatabaseName": { - "markdownDescription": "", + "markdownDescription": "The name of an Amazon Redshift database.", "title": "DatabaseName", "type": "string" }, @@ -10272,7 +10438,7 @@ "type": "string" }, "IsRedshiftServerless": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the connector profile defines a connection to an Amazon Redshift Serverless data warehouse.", "title": "IsRedshiftServerless", "type": "boolean" }, @@ -10282,7 +10448,7 @@ "type": "string" }, "WorkgroupName": { - "markdownDescription": "", + "markdownDescription": "The name of an Amazon Redshift workgroup.", "title": "WorkgroupName", "type": "string" } 
@@ -10374,12 +10540,12 @@ "title": "ConnectorOAuthRequest" }, "JwtToken": { - "markdownDescription": "", + "markdownDescription": "A JSON web token (JWT) that authorizes Amazon AppFlow to access your Salesforce records.", "title": "JwtToken", "type": "string" }, "OAuth2GrantType": { - "markdownDescription": "", + "markdownDescription": "Specifies the OAuth 2.0 grant type that Amazon AppFlow uses when it requests an access token from Salesforce. Amazon AppFlow requires an access token each time it attempts to access your Salesforce records.\n\nYou can specify one of the following values:\n\n- **AUTHORIZATION_CODE** - Amazon AppFlow passes an authorization code when it requests the access token from Salesforce. Amazon AppFlow receives the authorization code from Salesforce after you log in to your Salesforce account and authorize Amazon AppFlow to access your records.\n- **CLIENT_CREDENTIALS** - Amazon AppFlow passes client credentials (a client ID and client secret) when it requests the access token from Salesforce. You provide these credentials to Amazon AppFlow when you define the connection to your Salesforce account.\n- **JWT_BEARER** - Amazon AppFlow passes a JSON web token (JWT) when it requests the access token from Salesforce. You provide the JWT to Amazon AppFlow when you define the connection to your Salesforce account. When you use this grant type, you don't need to log in to your Salesforce account to authorize Amazon AppFlow to access your records.", "title": "OAuth2GrantType", "type": "string" }, 
@@ -10405,7 +10571,7 @@ "type": "boolean" }, "usePrivateLinkForMetadataAndAuthorization": { - "markdownDescription": "", + "markdownDescription": "If the connection mode for the connector profile is private, this parameter sets whether Amazon AppFlow uses the private network to send metadata and authorization calls to Salesforce. Amazon AppFlow sends private calls through AWS PrivateLink . These calls travel through AWS infrastructure without being exposed to the public internet.\n\nSet either of the following values:\n\n- **true** - Amazon AppFlow sends all calls to Salesforce over the private network.\n\nThese private calls are:\n\n- Calls to get metadata about your Salesforce records. This metadata describes your Salesforce objects and their fields.\n- Calls to get or refresh access tokens that allow Amazon AppFlow to access your Salesforce records.\n- Calls to transfer your Salesforce records as part of a flow run.\n- **false** - The default value. Amazon AppFlow sends some calls to Salesforce privately and other calls over the public internet.\n\nThe public calls are:\n\n- Calls to get metadata about your Salesforce records.\n- Calls to get or refresh access tokens.\n\nThe private calls are:\n\n- Calls to transfer your Salesforce records as part of a flow run.", "title": "usePrivateLinkForMetadataAndAuthorization", "type": "boolean" } @@ -10416,7 +10582,9 @@ "additionalProperties": false, "properties": { "OAuth2Credentials": { - "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.OAuth2Credentials" + "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.OAuth2Credentials", + "markdownDescription": "", + "title": "OAuth2Credentials" }, "Password": { "markdownDescription": "The password that corresponds to the user name.", 
@@ -10726,7 +10894,7 @@ }, "MetadataCatalogConfig": { "$ref": "#/definitions/AWS::AppFlow::Flow.MetadataCatalogConfig", - "markdownDescription": "", + "markdownDescription": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data. When Amazon AppFlow catalogs your data, it stores metadata in a data catalog.", "title": "MetadataCatalogConfig" }, "SourceFlowConfig": { @@ -10795,7 +10963,7 @@ "type": "string" }, "TargetFileSize": { - "markdownDescription": "", + "markdownDescription": "The desired file size, in MB, for each output file that Amazon AppFlow writes to the flow destination. For each file, Amazon AppFlow attempts to achieve the size that you specify. The actual file sizes might differ from this target based on the number and size of the records that each file contains.", "title": "TargetFileSize", "type": "number" } @@ -10855,7 +11023,7 @@ "type": "string" }, "Pardot": { - "markdownDescription": "", + "markdownDescription": "The operation to be performed on the provided Salesforce Pardot source fields.", "title": "Pardot", "type": "string" }, @@ -10966,7 +11134,7 @@ }, "DataTransferApi": { "$ref": "#/definitions/AWS::AppFlow::Flow.DataTransferApi", - "markdownDescription": "", + "markdownDescription": "The API of the connector application that Amazon AppFlow uses to transfer your data.", "title": "DataTransferApi" }, "EntityName": { 
@@ -10984,12 +11152,12 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the connector application API.", "title": "Name", "type": "string" }, "Type": { - "markdownDescription": "", + "markdownDescription": "You can specify one of the following types:\n\n- **AUTOMATIC** - The default. Optimizes a flow for datasets that fluctuate in size from small to large. For each flow run, Amazon AppFlow chooses to use the SYNC or ASYNC API type based on the amount of data that the run transfers.\n- **SYNC** - A synchronous API. This type of API optimizes a flow for small to medium-sized datasets.\n- **ASYNC** - An asynchronous API. This type of API optimizes a flow for large datasets.", "title": "Type", "type": "string" } @@ -11089,7 +11257,7 @@ "type": "string" }, "ConnectorType": { - "markdownDescription": "The type of destination connector, such as Sales force, Amazon S3, and so on.\n\n*Allowed Values* : `EventBridge | Redshift | S3 | Salesforce | Snowflake`", + "markdownDescription": "The type of destination connector, such as Sales force, Amazon S3, and so on.", "title": "ConnectorType", "type": "string" }, @@ -11273,7 +11441,7 @@ "properties": { "GlueDataCatalog": { "$ref": "#/definitions/AWS::AppFlow::Flow.GlueDataCatalog", - "markdownDescription": "", + "markdownDescription": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data with the AWS Glue Data Catalog .", "title": "GlueDataCatalog" } }, @@ -11283,7 +11451,7 @@ "additionalProperties": false, "properties": { "Object": { - "markdownDescription": "", + "markdownDescription": "The object specified in the Salesforce Pardot flow source.", "title": "Object", "type": "string" } 
@@ -11300,7 +11468,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Specifies whether the destination file path includes either or both of the following elements:\n\n- **EXECUTION_ID** - The ID that Amazon AppFlow assigns to the flow run.\n- **SCHEMA_VERSION** - The version number of your data schema. Amazon AppFlow assigns this version number. The version number increases by one when you change any of the following settings in your flow configuration:\n\n- Source-to-destination field mappings\n- Field data types\n- Partition keys", "title": "PathPrefixHierarchy", "type": "array" }, @@ -11401,7 +11569,7 @@ "title": "PrefixConfig" }, "PreserveSourceDataTyping": { - "markdownDescription": "", + "markdownDescription": "If your file output format is Parquet, use this parameter to set whether Amazon AppFlow preserves the data types in your source data when it writes the output to Amazon S3.\n\n- `true` : Amazon AppFlow preserves the data types when it writes to Amazon S3. For example, an integer or `1` in your source data is still an integer in your output.\n- `false` : Amazon AppFlow converts all of the source data into strings when it writes to Amazon S3. For example, an integer of `1` in your source data becomes the string `\"1\"` in the output.", "title": "PreserveSourceDataTyping", "type": "boolean" } @@ -11474,6 +11642,8 @@ "additionalProperties": false, "properties": { "maxPageSize": { + "markdownDescription": "", + "title": "maxPageSize", "type": "number" } }, @@ -11486,6 +11656,8 @@ "additionalProperties": false, "properties": { "maxParallelism": { + "markdownDescription": "", + "title": "maxParallelism", "type": "number" } }, 
@@ -11503,10 +11675,14 @@ "type": "string" }, "paginationConfig": { - "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataPaginationConfig" + "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataPaginationConfig", + "markdownDescription": "", + "title": "paginationConfig" }, "parallelismConfig": { - "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataParallelismConfig" + "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataParallelismConfig", + "markdownDescription": "", + "title": "parallelismConfig" } }, "required": [ @@ -11594,7 +11770,7 @@ "type": "number" }, "FlowErrorDeactivationThreshold": { - "markdownDescription": "", + "markdownDescription": "Defines how many times a scheduled flow fails consecutively before Amazon AppFlow deactivates it.", "title": "FlowErrorDeactivationThreshold", "type": "number" }, @@ -11741,7 +11917,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::Flow.PardotSourceProperties", - "markdownDescription": "", + "markdownDescription": "Specifies the information that is required for querying Salesforce Pardot.", "title": "Pardot" }, "S3": { @@ -11888,7 +12064,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The task property key.\n\n*Allowed Values* : `VALUE | VALUES | DATA_TYPE | UPPER_BOUND | LOWER_BOUND | SOURCE_DATA_TYPE | DESTINATION_DATA_TYPE | VALIDATION_ACTION | MASK_VALUE | MASK_LENGTH | TRUNCATE_LENGTH | MATH_OPERATION_FIELDS_ORDER | CONCAT_FORMAT | SUBFIELD_CATEGORY_MAP` | `EXCLUDE_SOURCE_FIELDS_LIST`", + "markdownDescription": "The task property key.", "title": "Key", "type": "string" }, @@ -16015,6 +16191,8 @@ "title": "SourceCodeVersion" }, "SourceDirectory": { + "markdownDescription": "The path of the directory that stores source code and configuration files. The build and start commands also execute from here. The path is absolute from root and, if not specified, defaults to the repository root.", + "title": "SourceDirectory", "type": "string" } }, 
@@ -16213,6 +16391,11 @@ "$ref": "#/definitions/AWS::AppRunner::Service.IngressConfiguration", "markdownDescription": "Network configuration settings for inbound message traffic.", "title": "IngressConfiguration" + }, + "IpAddressType": { + "markdownDescription": "App Runner provides you with the option to choose between *Internet Protocol version 4 (IPv4)* and *dual stack* (IPv4 and IPv6) for your incoming public network configuration. This is an optional parameter. If you do not specify an `IpAddressType` , it defaults to select IPv4.\n\n> Currently, App Runner supports dual stack for only Public endpoint. Only IPv4 is supported for Private endpoint. If you update a service that's using dual-stack Public endpoint to a Private endpoint, your App Runner service will default to support only IPv4 for Private endpoint and fail to receive traffic originating from IPv6 endpoint.", + "title": "IpAddressType", + "type": "string" } }, "type": "object" @@ -16536,7 +16719,7 @@ }, "PostSetupScriptDetails": { "$ref": "#/definitions/AWS::AppStream::AppBlock.ScriptDetails", - "markdownDescription": "The post setup script details of the app block.\n\nThis only applies to app blocks with PackagingType `APPSTREAM2` .", + "markdownDescription": "The post setup script details of the app block.", "title": "PostSetupScriptDetails" }, "SetupScriptDetails": { @@ -16674,7 +16857,7 @@ "items": { "$ref": "#/definitions/AWS::AppStream::AppBlockBuilder.AccessEndpoint" }, - "markdownDescription": "", + "markdownDescription": "The access endpoints of the app block builder.", "title": "AccessEndpoints", "type": "array" }, @@ -16682,7 +16865,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The ARN of the app block.\n\n*Maximum* : `1`", "title": "AppBlockArns", "type": "array" }, 
@@ -16717,7 +16900,7 @@ "type": "string" }, "Platform": { - "markdownDescription": "The platform of the app block builder.\n\n`WINDOWS_SERVER_2019` is the only valid value.", + "markdownDescription": "The platform of the app block builder.\n\n*Allowed values* : `WINDOWS_SERVER_2019`", "title": "Platform", "type": "string" }, @@ -16725,7 +16908,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The tags of the app block builder.", "title": "Tags", "type": "array" }, @@ -17454,10 +17637,12 @@ "type": "number" }, "MaxSessionsPerInstance": { + "markdownDescription": "The maximum number of user sessions on an instance. This only applies to multi-session fleets.", + "title": "MaxSessionsPerInstance", "type": "number" }, "MaxUserDurationInSeconds": { - "markdownDescription": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 360000.", + "markdownDescription": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 432000.", "title": "MaxUserDurationInSeconds", "type": "number" }, 
@@ -17467,7 +17652,7 @@ "type": "string" }, "Platform": { - "markdownDescription": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.\n\n*Allowed Values* : `WINDOWS_SERVER_2019` | `AMAZON_LINUX2`", + "markdownDescription": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.", "title": "Platform", "type": "string" }, @@ -17539,6 +17724,8 @@ "type": "number" }, "DesiredSessions": { + "markdownDescription": "The desired number of user sessions for a multi-session fleet. This is not allowed for single-session fleets.\n\nWhen you create a fleet, you must set either the DesiredSessions or DesiredInstances attribute, based on the type of fleet you create. You can\u2019t define both attributes or leave both attributes blank.", + "title": "DesiredSessions", "type": "number" } }, @@ -18025,6 +18212,11 @@ "title": "Action", "type": "string" }, + "MaximumLength": { + "markdownDescription": "", + "title": "MaximumLength", + "type": "number" + }, "Permission": { "markdownDescription": "Indicates whether the action is enabled or disabled.", "title": "Permission", @@ -18418,8 +18610,6 @@ "type": "string" }, "ApiKeyId": { - "markdownDescription": "The API key ID.", - "title": "ApiKeyId", "type": "string" }, "Description": { @@ -19076,7 +19266,7 @@ }, "Runtime": { "$ref": "#/definitions/AWS::AppSync::FunctionConfiguration.AppSyncRuntime", - "markdownDescription": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "markdownDescription": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "title": "Runtime" }, "SyncConfig": { 
@@ -19632,7 +19822,7 @@ }, "Runtime": { "$ref": "#/definitions/AWS::AppSync::Resolver.AppSyncRuntime", - "markdownDescription": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "markdownDescription": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "title": "Runtime" }, "SyncConfig": { 
@@ -19900,7 +20090,7 @@ "type": "number" }, "ResourceId": { - "markdownDescription": "The identifier of the resource associated with the scalable target. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. 
Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker Serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .", + "markdownDescription": "The identifier of the resource associated with the scalable target. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. 
Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . 
Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- SageMaker inference component - The resource type is `inference-component` and the unique identifier is the resource ID. Example: `inference-component/my-inference-component` .", "title": "ResourceId", "type": "string" }, 
@@ -19910,7 +20100,7 @@ "type": "string" }, "ScalableDimension": { - "markdownDescription": "The scalable dimension associated with the scalable target. This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. 
Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- `elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker Serverless endpoint.", + "markdownDescription": "The scalable dimension associated with the scalable target. 
This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- 
`elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker serverless endpoint.\n- `sagemaker:inference-component:DesiredCopyCount` - The number of copies across an endpoint for a SageMaker inference component.", "title": "ScalableDimension", "type": "string" }, 
@@ -20086,12 +20276,12 @@ "type": "string" }, "ResourceId": { - "markdownDescription": "The identifier of the resource associated with the scaling policy. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. 
Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker Serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .", + "markdownDescription": "The identifier of the resource associated with the scaling policy. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. 
Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . 
Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- SageMaker inference component - The resource type is `inference-component` and the unique identifier is the resource ID. Example: `inference-component/my-inference-component` .", "title": "ResourceId", "type": "string" }, "ScalableDimension": { - "markdownDescription": "The scalable dimension. 
This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- 
`elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker Serverless endpoint.", + "markdownDescription": "The scalable dimension. This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. 
Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- `elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker serverless endpoint.\n- `sagemaker:inference-component:DesiredCopyCount` - The number of copies across an endpoint for a SageMaker inference component.", "title": "ScalableDimension", "type": "string" }, 
@@ -20159,6 +20349,14 @@ "title": "MetricName", "type": "string" }, + "Metrics": { + "items": { + "$ref": "#/definitions/AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricDataQuery" + }, + "markdownDescription": "The metrics to include in the target tracking scaling policy, as a metric data query. This can include both raw metric and metric math expressions.", + "title": "Metrics", + "type": "array" + }, "Namespace": { "markdownDescription": "The namespace of the metric.", "title": "Namespace", @@ -20175,11 +20373,6 @@ "type": "string" } }, - "required": [ - "MetricName", - "Namespace", - "Statistic" - ], "type": "object" }, "AWS::ApplicationAutoScaling::ScalingPolicy.MetricDimension": { @@ -20254,7 +20447,7 @@ "type": "string" }, "Cooldown": { - "markdownDescription": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/step-scaling-policy-overview.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", "title": "Cooldown", "type": "number" }, 
@@ -20279,6 +20472,98 @@ }, "type": "object" }, + "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetric": { + "additionalProperties": false, + "properties": { + "Dimensions": { + "items": { + "$ref": "#/definitions/AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricDimension" + }, + "markdownDescription": "The dimensions for the metric. For the list of available dimensions, see the AWS documentation available from the table in [AWS services that publish CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html) in the *Amazon CloudWatch User Guide* .\n\nConditional: If you published your metric with dimensions, you must specify the same dimensions in your scaling policy.", + "title": "Dimensions", + "type": "array" + }, + "MetricName": { + "markdownDescription": "The name of the metric.", + "title": "MetricName", + "type": "string" + }, + "Namespace": { + "markdownDescription": "The namespace of the metric. For more information, see the table in [AWS services that publish CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html) in the *Amazon CloudWatch User Guide* .", + "title": "Namespace", + "type": "string" + } + }, + "type": "object" + }, + "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricDataQuery": { + "additionalProperties": false, + "properties": { + "Expression": { + "markdownDescription": "The math expression to perform on the returned data, if this object is performing a math expression. 
This expression can use the `Id` of the other metrics to refer to those metrics, and can also use the `Id` of other expressions to use the result of those expressions.\n\nConditional: Within each `TargetTrackingMetricDataQuery` object, you must specify either `Expression` or `MetricStat` , but not both.", + "title": "Expression", + "type": "string" + }, + "Id": { + "markdownDescription": "A short name that identifies the object's results in the response. This name must be unique among all `MetricDataQuery` objects specified for a single scaling policy. If you are performing math expressions on this set of data, this name represents that data and can serve as a variable in the mathematical expression. The valid characters are letters, numbers, and underscores. The first character must be a lowercase letter.", + "title": "Id", + "type": "string" + }, + "Label": { + "markdownDescription": "A human-readable label for this metric or expression. This is especially useful if this is a math expression, so that you know what the value represents.", + "title": "Label", + "type": "string" + }, + "MetricStat": { + "$ref": "#/definitions/AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricStat", + "markdownDescription": "Information about the metric data to return.\n\nConditional: Within each `MetricDataQuery` object, you must specify either `Expression` or `MetricStat` , but not both.", + "title": "MetricStat" + }, + "ReturnData": { + "markdownDescription": "Indicates whether to return the timestamps and raw data values of this metric.\n\nIf you use any math expressions, specify `true` for this value for only the final math expression that the metric specification is based on. You must specify `false` for `ReturnData` for all the other metrics and expressions used in the metric specification.\n\nIf you are only retrieving metrics and not performing any math expressions, do not specify anything for `ReturnData` . 
This sets it to its default ( `true` ).", + "title": "ReturnData", + "type": "boolean" + } + }, + "type": "object" + }, + "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricDimension": { + "additionalProperties": false, + "properties": { + "Name": { + "markdownDescription": "The name of the dimension.", + "title": "Name", + "type": "string" + }, + "Value": { + "markdownDescription": "The value of the dimension.", + "title": "Value", + "type": "string" + } + }, + "type": "object" + }, + "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricStat": { + "additionalProperties": false, + "properties": { + "Metric": { + "$ref": "#/definitions/AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetric", + "markdownDescription": "The CloudWatch metric to return, including the metric name, namespace, and dimensions. To get the exact metric name, namespace, and dimensions, inspect the [Metric](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_Metric.html) object that is returned by a call to [ListMetrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html) .", + "title": "Metric" + }, + "Stat": { + "markdownDescription": "The statistic to return. It can include any CloudWatch statistic or extended statistic. For a list of valid values, see the table in [Statistics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Statistic) in the *Amazon CloudWatch User Guide* .\n\nThe most commonly used metric for scaling is `Average` .", + "title": "Stat", + "type": "string" + }, + "Unit": { + "markdownDescription": "The unit to use for the returned data points. 
For a complete list of the units that CloudWatch supports, see the [MetricDatum](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_MetricDatum.html) data type in the *Amazon CloudWatch API Reference* .", + "title": "Unit", + "type": "string" + } + }, + "type": "object" + }, "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingScalingPolicyConfiguration": { "additionalProperties": false, "properties": { 
@@ -20298,12 +20583,12 @@ "title": "PredefinedMetricSpecification" }, "ScaleInCooldown": { - "markdownDescription": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "title": "ScaleInCooldown", "type": "number" }, "ScaleOutCooldown": { - "markdownDescription": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "title": "ScaleOutCooldown", "type": "number" }, 
@@ -21013,7 +21298,7 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.\n- Queries that specify a GLUE data catalog other than the default `AwsDataCatalog` must be run on Athena engine version 2.\n- In Regions where Athena engine version 2 is not available, creating new GLUE data catalogs results in an `INVALID_INPUT` error.", + "markdownDescription": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. 
`The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -21348,7 +21633,7 @@ "additionalProperties": false, "properties": { "KmsKey": { - "markdownDescription": "The KMS key that is used to encrypt the user's data stores in Athena.", + "markdownDescription": "The customer managed KMS key that is used to encrypt the user's data stores in Athena.", "title": "KmsKey", "type": "string" } 
@@ -21830,6 +22115,11 @@ "title": "InstanceId", "type": "string" }, + "InstanceMaintenancePolicy": { + "$ref": "#/definitions/AWS::AutoScaling::AutoScalingGroup.InstanceMaintenancePolicy", + "markdownDescription": "An instance maintenance policy. For more information, see [Set instance maintenance policy](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-instance-maintenance-policy.html) in the *Amazon EC2 Auto Scaling User Guide* .", + "title": "InstanceMaintenancePolicy" + }, "LaunchConfigurationName": { "markdownDescription": "The name of the launch configuration to use to launch instances.\n\nRequired only if you don't specify `LaunchTemplate` , `MixedInstancesPolicy` , or `InstanceId` .", "title": "LaunchConfigurationName", 
@@ -22018,6 +22308,22 @@ }, "type": "object" }, + "AWS::AutoScaling::AutoScalingGroup.InstanceMaintenancePolicy": { + "additionalProperties": false, + "properties": { + "MaxHealthyPercentage": { + "markdownDescription": "Specifies the upper threshold as a percentage of the desired capacity of the Auto Scaling group. It represents the maximum percentage of the group that can be in service and healthy, or pending, to support your workload when replacing instances. Value range is 100 to 200. After it's set, a value of `-1` will clear the previously set value.\n\nBoth `MinHealthyPercentage` and `MaxHealthyPercentage` must be specified, and the difference between them cannot be greater than 100. A large range increases the number of instances that can be replaced at the same time.", + "title": "MaxHealthyPercentage", + "type": "number" + }, + "MinHealthyPercentage": { + "markdownDescription": "Specifies the lower threshold as a percentage of the desired capacity of the Auto Scaling group. It represents the minimum percentage of the group to keep in service, healthy, and ready to use to support your workload when replacing instances. Value range is 0 to 100. After it's set, a value of `-1` will clear the previously set value.", + "title": "MinHealthyPercentage", + "type": "number" + } + }, + "type": "object" + }, "AWS::AutoScaling::AutoScalingGroup.InstanceRequirements": { "additionalProperties": false, "properties": { @@ -22161,6 +22467,10 @@ "title": "VCpuCount" } }, + "required": [ + "MemoryMiB", + "VCpuCount" + ], "type": "object" }, "AWS::AutoScaling::AutoScalingGroup.InstancesDistribution": { 
@@ -22261,7 +22571,7 @@ "type": "string" }, "Version": { - "markdownDescription": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html#aws-properties-as-group--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource.", + "markdownDescription": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-autoscaling-autoscalinggroup.html#aws-resource-autoscaling-autoscalinggroup--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource.", "title": "Version", "type": "string" } 
@@ -23832,7 +24142,7 @@ "title": "CustomizedLoadMetricSpecification" }, "DisableDynamicScaling": { - "markdownDescription": "Controls whether dynamic scaling by AWS Auto Scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", + "markdownDescription": "Controls whether dynamic scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", "title": "DisableDynamicScaling", "type": "boolean" }, @@ -23877,7 +24187,7 @@ "type": "string" }, "ScalingPolicyUpdateBehavior": { - "markdownDescription": "Controls whether your scaling policies that are external to AWS Auto Scaling are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", + "markdownDescription": "Controls whether a resource's externally created scaling policies are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", "title": "ScalingPolicyUpdateBehavior", "type": "string" }, 
@@ -23976,6 +24286,243 @@ ], "type": "object" }, + "AWS::B2BI::Profile": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "BusinessName": { + "markdownDescription": "Returns the name for the business associated with this profile.", + "title": "BusinessName", + "type": "string" + }, + "Email": { + "markdownDescription": "", + "title": "Email", + "type": "string" + }, + "Logging": { + "markdownDescription": "Specifies whether or not logging is enabled for this profile.", + "title": "Logging", + "type": "string" + }, + "Name": { + "markdownDescription": "Returns the display name for profile.", + "title": "Name", + "type": "string" + }, + "Phone": { + "markdownDescription": "", + "title": "Phone", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "A key-value pair for a specific profile. 
Tags are metadata that you can use to search for and group capabilities for various purposes.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "BusinessName", + "Logging", + "Name", + "Phone" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::B2BI::Profile" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::B2BI::Transformer": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "EdiType": { + "$ref": "#/definitions/AWS::B2BI::Transformer.EdiType", + "markdownDescription": "Returns the details for the EDI standard that is being used for the transformer. Currently, only X12 is supported. 
X12 is a set of standards and corresponding messages that define specific business documents.", + "title": "EdiType" + }, + "FileFormat": { + "markdownDescription": "Returns that the currently supported file formats for EDI transformations are `JSON` and `XML` .", + "title": "FileFormat", + "type": "string" + }, + "MappingTemplate": { + "markdownDescription": "Returns a sample EDI document that is used by a transformer as a guide for processing the EDI data.", + "title": "MappingTemplate", + "type": "string" + }, + "ModifiedAt": { + "markdownDescription": "Returns a timestamp representing the date and time for the most recent change for the transformer object.", + "title": "ModifiedAt", + "type": "string" + }, + "Name": { + "markdownDescription": "Returns the descriptive name for the transformer.", + "title": "Name", + "type": "string" + }, + "SampleDocument": { + "markdownDescription": "Returns a sample EDI document that is used by a transformer as a guide for processing the EDI data.", + "title": "SampleDocument", + "type": "string" + }, + "Status": { + "markdownDescription": "Returns the state of the newly created transformer. The transformer can be either `active` or `inactive` . For the transformer to be used in a capability, its status must `active` .", + "title": "Status", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "A key-value pair for a specific transformer. 
Tags are metadata that you can use to search for and group capabilities for various purposes.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "EdiType", + "FileFormat", + "MappingTemplate", + "Name", + "Status" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::B2BI::Transformer" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::B2BI::Transformer.EdiType": { + "additionalProperties": false, + "properties": { + "X12Details": { + "$ref": "#/definitions/AWS::B2BI::Transformer.X12Details", + "markdownDescription": "Returns the details for the EDI standard that is being used for the transformer. Currently, only X12 is supported. X12 is a set of standards and corresponding messages that define specific business documents.", + "title": "X12Details" + } + }, + "required": [ + "X12Details" + ], + "type": "object" + }, + "AWS::B2BI::Transformer.X12Details": { + "additionalProperties": false, + "properties": { + "TransactionSet": { + "markdownDescription": "Returns an enumerated type where each value identifies an X12 transaction set. Transaction sets are maintained by the X12 Accredited Standards Committee.", + "title": "TransactionSet", + "type": "string" + }, + "Version": { + "markdownDescription": "Returns the version to use for the specified X12 transaction set. Supported versions are `4010` , `4030` , and `5010` .", + "title": "Version", + "type": "string" + } + }, + "type": "object" + }, "AWS::Backup::BackupPlan": { "additionalProperties": false, "properties": { @@ -24153,6 +24700,8 @@ "type": "string" }, "ScheduleExpressionTimezone": { + "markdownDescription": "", + "title": "ScheduleExpressionTimezone", "type": "string" }, "StartWindowMinutes": { 
@@ -24710,7 +25259,7 @@ }, "ControlScope": { "$ref": "#/definitions/AWS::Backup::Framework.ControlScope", - "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans. For more information, see [`ControlScope` .](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_ControlScope.html)", + "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans.", "title": "ControlScope" } }, @@ -24883,7 +25432,7 @@ ], "type": "object" }, - "AWS::BackupGateway::Hypervisor": { + "AWS::Backup::RestoreTestingPlan": { "additionalProperties": false, "properties": { "Condition": { 
@@ -24918,50 +25467,50 @@ "Properties": { "additionalProperties": false, "properties": { - "Host": { - "markdownDescription": "The server host of the hypervisor. This can be either an IP address or a fully-qualified domain name (FQDN).", - "title": "Host", - "type": "string" + "RecoveryPointSelection": { + "$ref": "#/definitions/AWS::Backup::RestoreTestingPlan.RestoreTestingRecoveryPointSelection", + "markdownDescription": "The specified criteria to assign a set of resources, such as recovery point types or backup vaults.", + "title": "RecoveryPointSelection" }, - "KmsKeyArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Key Management Service used to encrypt the hypervisor.", - "title": "KmsKeyArn", + "RestoreTestingPlanName": { + "markdownDescription": "This is the restore testing plan name.", + "title": "RestoreTestingPlanName", "type": "string" }, - "LogGroupArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the group of gateways within the requested log.", - "title": "LogGroupArn", + "ScheduleExpression": { + "markdownDescription": "A CRON expression in specified timezone when a restore testing plan is executed.", + "title": "ScheduleExpression", "type": "string" }, - "Name": { - "markdownDescription": "The name of the hypervisor.", - "title": "Name", + "ScheduleExpressionTimezone": { + "markdownDescription": "Optional. This is the timezone in which the schedule expression is set. By default, ScheduleExpressions are in UTC. You can modify this to a specified timezone.", + "title": "ScheduleExpressionTimezone", "type": "string" }, - "Password": { - "markdownDescription": "The password for the hypervisor.", - "title": "Password", - "type": "string" + "StartWindowHours": { + "markdownDescription": "Defaults to 24 hours.\n\nA value in hours after a restore test is scheduled before a job will be canceled if it doesn't start successfully. This value is optional. 
If this value is included, this parameter has a maximum value of 168 hours (one week).", + "title": "StartWindowHours", + "type": "number" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags of the hypervisor configuration to import.", + "markdownDescription": "", "title": "Tags", "type": "array" - }, - "Username": { - "markdownDescription": "The username for the hypervisor.", - "title": "Username", - "type": "string" } }, + "required": [ + "RecoveryPointSelection", + "RestoreTestingPlanName", + "ScheduleExpression" + ], "type": "object" }, "Type": { "enum": [ - "AWS::BackupGateway::Hypervisor" + "AWS::Backup::RestoreTestingPlan" ], "type": "string" }, 
@@ -24975,11 +25524,309 @@ } }, "required": [ - "Type" + "Type", + "Properties" ], "type": "object" }, - "AWS::Batch::ComputeEnvironment": { + "AWS::Backup::RestoreTestingPlan.RestoreTestingRecoveryPointSelection": { + "additionalProperties": false, + "properties": { + "Algorithm": { + "markdownDescription": "Acceptable values include \"LATEST_WITHIN_WINDOW\" or \"RANDOM_WITHIN_WINDOW\"", + "title": "Algorithm", + "type": "string" + }, + "ExcludeVaults": { + "items": { + "type": "string" + }, + "markdownDescription": "Accepted values include specific ARNs or list of selectors. Defaults to empty list if not listed.", + "title": "ExcludeVaults", + "type": "array" + }, + "IncludeVaults": { + "items": { + "type": "string" + }, + "markdownDescription": "Accepted values include wildcard [\"*\"] or by specific ARNs or ARN wilcard replacement [\"arn:aws:backup:us-west-2:123456789012:backup-vault:asdf\", ...] [\"arn:aws:backup:*:*:backup-vault:asdf-*\", ...]", + "title": "IncludeVaults", + "type": "array" + }, + "RecoveryPointTypes": { + "items": { + "type": "string" + }, + "markdownDescription": "These are the types of recovery points.", + "title": "RecoveryPointTypes", + "type": "array" + }, + "SelectionWindowDays": { + "markdownDescription": "Accepted values are integers from 1 to 365.", + "title": "SelectionWindowDays", + "type": "number" + } + }, + "required": [ + "Algorithm", + "IncludeVaults", + "RecoveryPointTypes" + ], + "type": "object" + }, + "AWS::Backup::RestoreTestingSelection": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + 
"properties": { + "IamRoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role that AWS Backup uses to create the target resource; for example: `arn:aws:iam::123456789012:role/S3Access` .", + "title": "IamRoleArn", + "type": "string" + }, + "ProtectedResourceArns": { + "items": { + "type": "string" + }, + "markdownDescription": "You can include specific ARNs, such as `ProtectedResourceArns: [\"arn:aws:...\", \"arn:aws:...\"]` or you can include a wildcard: `ProtectedResourceArns: [\"*\"]` , but not both.", + "title": "ProtectedResourceArns", + "type": "array" + }, + "ProtectedResourceConditions": { + "$ref": "#/definitions/AWS::Backup::RestoreTestingSelection.ProtectedResourceConditions", + "markdownDescription": "In a resource testing selection, this parameter filters by specific conditions such as `StringEquals` or `StringNotEquals` .", + "title": "ProtectedResourceConditions" + }, + "ProtectedResourceType": { + "markdownDescription": "The type of AWS resource included in a resource testing selection; for example, an Amazon EBS volume or an Amazon RDS database.", + "title": "ProtectedResourceType", + "type": "string" + }, + "RestoreMetadataOverrides": { + "additionalProperties": true, + "markdownDescription": "You can override certain restore metadata keys by including the parameter `RestoreMetadataOverrides` in the body of `RestoreTestingSelection` . 
Key values are not case sensitive.\n\nSee the complete list of [restore testing inferred metadata](https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing-inferred-metadata.html) .", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "RestoreMetadataOverrides", + "type": "object" + }, + "RestoreTestingPlanName": { + "markdownDescription": "The RestoreTestingPlanName is a unique string that is the name of the restore testing plan.", + "title": "RestoreTestingPlanName", + "type": "string" + }, + "RestoreTestingSelectionName": { + "markdownDescription": "This is the unique name of the restore testing selection that belongs to the related restore testing plan.", + "title": "RestoreTestingSelectionName", + "type": "string" + }, + "ValidationWindowHours": { + "markdownDescription": "This is amount of hours (1 to 168) available to run a validation script on the data. The data will be deleted upon the completion of the validation script or the end of the specified retention period, whichever comes first.", + "title": "ValidationWindowHours", + "type": "number" + } + }, + "required": [ + "IamRoleArn", + "ProtectedResourceType", + "RestoreTestingPlanName", + "RestoreTestingSelectionName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Backup::RestoreTestingSelection" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::Backup::RestoreTestingSelection.KeyValue": { + "additionalProperties": false, + "properties": { + "Key": { + "markdownDescription": "The tag key (String). The key can't start with `aws:` .\n\nLength Constraints: Minimum length of 1. 
Maximum length of 128.\n\nPattern: `^(?![aA]{1}[wW]{1}[sS]{1}:)([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]+)$`", + "title": "Key", + "type": "string" + }, + "Value": { + "markdownDescription": "The value of the key.\n\nLength Constraints: Maximum length of 256.\n\nPattern: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$`", + "title": "Value", + "type": "string" + } + }, + "required": [ + "Key", + "Value" + ], + "type": "object" + }, + "AWS::Backup::RestoreTestingSelection.ProtectedResourceConditions": { + "additionalProperties": false, + "properties": { + "StringEquals": { + "items": { + "$ref": "#/definitions/AWS::Backup::RestoreTestingSelection.KeyValue" + }, + "markdownDescription": "Filters the values of your tagged resources for only those resources that you tagged with the same value. Also called \"exact matching.\"", + "title": "StringEquals", + "type": "array" + }, + "StringNotEquals": { + "items": { + "$ref": "#/definitions/AWS::Backup::RestoreTestingSelection.KeyValue" + }, + "markdownDescription": "Filters the values of your tagged resources for only those resources that you tagged that do not have the same value. Also called \"negated matching.\"", + "title": "StringNotEquals", + "type": "array" + } + }, + "type": "object" + }, + "AWS::BackupGateway::Hypervisor": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Host": { + "markdownDescription": "The server host of the hypervisor. 
This can be either an IP address or a fully-qualified domain name (FQDN).", + "title": "Host", + "type": "string" + }, + "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Key Management Service used to encrypt the hypervisor.", + "title": "KmsKeyArn", + "type": "string" + }, + "LogGroupArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the group of gateways within the requested log.", + "title": "LogGroupArn", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of the hypervisor.", + "title": "Name", + "type": "string" + }, + "Password": { + "markdownDescription": "The password for the hypervisor.", + "title": "Password", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags of the hypervisor configuration to import.", + "title": "Tags", + "type": "array" + }, + "Username": { + "markdownDescription": "The username for the hypervisor.", + "title": "Username", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::BackupGateway::Hypervisor" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::Batch::ComputeEnvironment": { "additionalProperties": false, "properties": { "Condition": { 
@@ -25101,7 +25948,7 @@ "additionalProperties": false, "properties": { "AllocationStrategy": { - "markdownDescription": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . `BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. 
If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n\nWith both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", + "markdownDescription": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . 
`BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n- **SPOT_PRICE_CAPACITY_OPTIMIZED** - The price and capacity optimized allocation strategy looks at both price and capacity to select the Spot Instance pools that are the least likely to be interrupted and have the lowest possible price. 
This allocation strategy is only available for Spot Instance compute resources.\n\n> We recommend that you use `SPOT_PRICE_CAPACITY_OPTIMIZED` rather than `SPOT_CAPACITY_OPTIMIZED` in most instances.\n\nWith `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` , and `SPOT_PRICE_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "title": "AllocationStrategy", "type": "string" }, 
@@ -25134,7 +25981,7 @@ "type": "string" }, "InstanceRole": { - "markdownDescription": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", + "markdownDescription": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. Required for Amazon EC2 instances. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "title": "InstanceRole", "type": "string" }, 
@@ -25152,7 +25999,7 @@ "title": "LaunchTemplate" }, "MaxvCpus": { - "markdownDescription": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance. That is, no more than a single instance from among those specified in your compute environment.", + "markdownDescription": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` and `SPOT_PRICE_CAPACITY_OPTIMIZED` (recommended) strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "title": "MaxvCpus", "type": "number" }, 
@@ -25230,7 +26077,7 @@ "type": "string" }, "ImageType": { - "markdownDescription": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. 
If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.", + "markdownDescription": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. 
If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL2023** - [Amazon Linux 2023](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) : AWS Batch supports Amazon Linux 2023.\n\n> Amazon Linux 2023 does not support `A1` instances.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. 
If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.", "title": "ImageType", "type": "string" } 
@@ -25473,7 +26320,7 @@ "title": "FargatePlatformConfiguration" }, "Image": { - "markdownDescription": "The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", + "markdownDescription": "Required. The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. 
Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", "title": "Image", "type": "string" }, @@ -25534,7 +26381,9 @@ "type": "array" }, "RuntimePlatform": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.RuntimePlatform" + "$ref": "#/definitions/AWS::Batch::JobDefinition.RuntimePlatform", + "markdownDescription": "An object that represents the compute environment architecture for AWS Batch jobs on Fargate.", + "title": "RuntimePlatform" }, "Secrets": { "items": { 
@@ -25683,7 +26532,7 @@ }, "SecurityContext": { "$ref": "#/definitions/AWS::Batch::JobDefinition.EksContainerSecurityContext", - "markdownDescription": "", + "markdownDescription": "The security context for a job. For more information, see [Configure a security context for a pod or container](https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) in the *Kubernetes documentation* .", "title": "SecurityContext" }, "VolumeMounts": { 
@@ -26184,9 +27033,13 @@ "additionalProperties": false, "properties": { "CpuArchitecture": { + "markdownDescription": "The vCPU architecture. The default value is `X86_64` . Valid values are `X86_64` and `ARM64` .\n\n> This parameter must be set to `X86_64` for Windows containers. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "title": "CpuArchitecture", "type": "string" }, "OperatingSystemFamily": { + "markdownDescription": "The operating system for the compute environment. Valid values are: `LINUX` (default), `WINDOWS_SERVER_2019_CORE` , `WINDOWS_SERVER_2019_FULL` , `WINDOWS_SERVER_2022_CORE` , and `WINDOWS_SERVER_2022_FULL` .\n\n> The following parameters can\u2019t be set for Windows containers: `linuxParameters` , `privileged` , `user` , `ulimits` , `readonlyRootFilesystem` , and `efsVolumeConfiguration` . > The AWS Batch Scheduler checks the compute environments that are attached to the job queue before registering a task definition with Fargate. In this scenario, the job queue is where the job is submitted. If the job requires a Windows container and the first compute environment is `LINUX` , the compute environment is skipped and the next compute environment is checked until a Windows-based compute environment is found. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "title": "OperatingSystemFamily", "type": "string" } }, 
@@ -26260,7 +27113,7 @@ "type": "number" }, "Name": { - "markdownDescription": "The `type` of the `ulimit` .", + "markdownDescription": "The `type` of the `ulimit` . Valid values are: `core` | `cpu` | `data` | `fsize` | `locks` | `memlock` | `msgqueue` | `nice` | `nofile` | `nproc` | `rss` | `rtprio` | `rttime` | `sigpending` | `stack` .", "title": "Name", "type": "string" }, @@ -26587,7 +27440,7 @@ "properties": { "AccountGrouping": { "$ref": "#/definitions/AWS::BillingConductor::BillingGroup.AccountGrouping", - "markdownDescription": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated family.", + "markdownDescription": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated billing family.", "title": "AccountGrouping" }, "ComputationPreference": { @@ -26614,7 +27467,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "A map that contains tag keys and tag values that are attached to a billing group.", "title": "Tags", "type": "array" } @@ -26652,6 +27505,8 @@ "additionalProperties": false, "properties": { "AutoAssociate": { + "markdownDescription": "Specifies if this billing group will automatically associate newly added AWS accounts that join your consolidated billing family.", + "title": "AutoAssociate", "type": "boolean" }, "LinkedAccountIds": { @@ -26717,6 +27572,11 @@ "Properties": { "additionalProperties": false, "properties": { + "AccountId": { + "markdownDescription": "The AWS account in which this custom line item will be applied to.", + "title": "AccountId", + "type": "string" + }, "BillingGroupArn": { "markdownDescription": "The Amazon Resource Name (ARN) that references the billing group where the custom line item applies to.", "title": "BillingGroupArn", 
@@ -26806,6 +27666,8 @@ "items": { "$ref": "#/definitions/AWS::BillingConductor::CustomLineItem.LineItemFilter" }, + "markdownDescription": "A representation of the line item filter.", + "title": "LineItemFilters", "type": "array" }, "Percentage": { @@ -26864,15 +27726,21 @@ "additionalProperties": false, "properties": { "Attribute": { + "markdownDescription": "The attribute of the line item filter. This specifies what attribute that you can filter on.", + "title": "Attribute", "type": "string" }, "MatchOption": { + "markdownDescription": "The match criteria of the line item filter. This parameter specifies whether not to include the resource value from the billing group total cost.", + "title": "MatchOption", "type": "string" }, "Values": { "items": { "type": "string" }, + "markdownDescription": "The values of the line item filter. This specifies the values to filter on. Currently, you can only exclude Savings Plan discounts.", + "title": "Values", "type": "array" } }, @@ -27112,7 +27980,7 @@ "properties": { "FreeTier": { "$ref": "#/definitions/AWS::BillingConductor::PricingRule.FreeTier", - "markdownDescription": "", + "markdownDescription": "The possible AWS Free Tier configurations.", "title": "FreeTier" } }, 
@@ -27236,7 +28104,7 @@ "type": "string" }, "CostFilters": { - "markdownDescription": "The cost filters, such as `Region` , `Service` , `member account` , `Tag` , or `Cost Category` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", + "markdownDescription": "The cost filters, such as `Region` , `Service` , `LinkedAccount` , `Tag` , or `CostCategory` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", "title": "CostFilters", "type": "object" }, @@ -27405,7 +28273,7 @@ "type": "number" }, "Unit": { - "markdownDescription": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as USD or GBP.", + "markdownDescription": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold.", "title": "Unit", "type": "string" } 
@@ -28663,6 +29531,8 @@ "type": "array" }, "KeyAlgorithm": { + "markdownDescription": "Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see [Key algorithms](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms) .\n\n> Algorithms supported for an ACM certificate request include:\n> \n> - `RSA_2048`\n> - `EC_prime256v1`\n> - `EC_secp384r1`\n> \n> Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. \n\nDefault: RSA_2048", + "title": "KeyAlgorithm", "type": "string" }, "SubjectAlternativeNames": { @@ -28809,7 +29679,7 @@ "type": "string" }, "TeamsChannelId": { - "markdownDescription": "The ID of the Microsoft Teams channel.\n\nTo get the channel ID, open Microsoft Teams, right click on the channel name in the left pane, then choose Copy. An example of the channel ID syntax is: `19%3ab6ef35dc342d56ba5654e6fc6d25a071%40thread.tacv2` .", + "markdownDescription": "", "title": "TeamsChannelId", "type": "string" }, 
@@ -29004,27 +29874,41 @@ "items": { "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisParameter" }, + "markdownDescription": "The parameters of the analysis template.", + "title": "AnalysisParameters", "type": "array" }, "Description": { + "markdownDescription": "The description of the analysis template.", + "title": "Description", "type": "string" }, "Format": { + "markdownDescription": "The format of the analysis template.", + "title": "Format", "type": "string" }, "MembershipIdentifier": { + "markdownDescription": "The identifier for a membership resource.", + "title": "MembershipIdentifier", "type": "string" }, "Name": { + "markdownDescription": "The name of the analysis template.", + "title": "Name", "type": "string" }, "Source": { - "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisSource" + "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisSource", + "markdownDescription": "The source of the analysis template.", + "title": "Source" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource.", + "title": "Tags", "type": "array" } }, 
@@ -29061,12 +29945,18 @@ "additionalProperties": false, "properties": { "DefaultValue": { + "markdownDescription": "Optional. The default value that is applied in the analysis template. The member who can query can override this value in the query editor.", + "title": "DefaultValue", "type": "string" }, "Name": { + "markdownDescription": "The name of the parameter. The name must use only alphanumeric, underscore (_), or hyphen (-) characters but cannot start or end with a hyphen.", + "title": "Name", "type": "string" }, "Type": { + "markdownDescription": "The type of parameter.", + "title": "Type", "type": "string" } }, @@ -29083,6 +29973,8 @@ "items": { "type": "string" }, + "markdownDescription": "The tables referenced in the analysis schema.", + "title": "ReferencedTables", "type": "array" } }, @@ -29095,6 +29987,8 @@ "additionalProperties": false, "properties": { "Text": { + "markdownDescription": "The query text.", + "title": "Text", "type": "string" } }, @@ -29147,10 +30041,15 @@ "items": { "type": "string" }, - "markdownDescription": "The abilities granted to the collaboration creator.", + "markdownDescription": "The abilities granted to the collaboration creator.\n\n*Allowed values* `CAN_QUERY` | `CAN_RECEIVE_RESULTS`", "title": "CreatorMemberAbilities", "type": "array" }, + "CreatorPaymentConfiguration": { + "$ref": "#/definitions/AWS::CleanRooms::Collaboration.PaymentConfiguration", + "markdownDescription": "An object representing the collaboration member's payment responsibilities set by the collaboration creator.", + "title": "CreatorPaymentConfiguration" + }, "DataEncryptionMetadata": { "$ref": "#/definitions/AWS::CleanRooms::Collaboration.DataEncryptionMetadata", "markdownDescription": "The settings for client-side encryption for cryptographic computing.", 
@@ -29223,22 +30122,22 @@ "additionalProperties": false, "properties": { "AllowCleartext": { - "markdownDescription": "Indicates whether encrypted tables can contain cleartext data (true) or are to cryptographically process every column (false).", + "markdownDescription": "Indicates whether encrypted tables can contain cleartext data ( `TRUE` ) or are to cryptographically process every column ( `FALSE` ).", "title": "AllowCleartext", "type": "boolean" }, "AllowDuplicates": { - "markdownDescription": "Indicates whether Fingerprint columns can contain duplicate entries (true) or are to contain only non-repeated values (false).", + "markdownDescription": "Indicates whether Fingerprint columns can contain duplicate entries ( `TRUE` ) or are to contain only non-repeated values ( `FALSE` ).", "title": "AllowDuplicates", "type": "boolean" }, "AllowJoinsOnColumnsWithDifferentNames": { - "markdownDescription": "Indicates whether Fingerprint columns can be joined on any other Fingerprint column with a different name (true) or can only be joined on Fingerprint columns of the same name (false).", + "markdownDescription": "Indicates whether Fingerprint columns can be joined on any other Fingerprint column with a different name ( `TRUE` ) or can only be joined on Fingerprint columns of the same name ( `FALSE` ).", "title": "AllowJoinsOnColumnsWithDifferentNames", "type": "boolean" }, "PreserveNulls": { - "markdownDescription": "Indicates whether NULL values are to be copied as NULL to encrypted tables (true) or cryptographically processed (false).", + "markdownDescription": "Indicates whether NULL values are to be copied as NULL to encrypted tables ( `TRUE` ) or cryptographically processed ( `FALSE` ).", "title": "PreserveNulls", "type": "boolean" } 
@@ -29271,6 +30170,11 @@ "markdownDescription": "The abilities granted to the collaboration member.\n\n*Allowed Values* : `CAN_QUERY` | `CAN_RECEIVE_RESULTS`", "title": "MemberAbilities", "type": "array" + }, + "PaymentConfiguration": { + "$ref": "#/definitions/AWS::CleanRooms::Collaboration.PaymentConfiguration", + "markdownDescription": "The collaboration member's payment responsibilities set by the collaboration creator.\n\nIf the collaboration creator hasn't speci\ufb01ed anyone as the member paying for query compute costs, then the member who can query is the default payer.", + "title": "PaymentConfiguration" } }, "required": [ 
@@ -29280,6 +30184,34 @@ ], "type": "object" }, + "AWS::CleanRooms::Collaboration.PaymentConfiguration": { + "additionalProperties": false, + "properties": { + "QueryCompute": { + "$ref": "#/definitions/AWS::CleanRooms::Collaboration.QueryComputePaymentConfig", + "markdownDescription": "The collaboration member's payment responsibilities set by the collaboration creator for query compute costs.", + "title": "QueryCompute" + } + }, + "required": [ + "QueryCompute" + ], + "type": "object" + }, + "AWS::CleanRooms::Collaboration.QueryComputePaymentConfig": { + "additionalProperties": false, + "properties": { + "IsResponsible": { + "markdownDescription": "Indicates whether the collaboration creator has configured the collaboration member to pay for query compute costs ( `TRUE` ) or has not configured the collaboration member to pay for query compute costs ( `FALSE` ).\n\nExactly one member can be configured to pay for query compute costs. An error is returned if the collaboration creator sets a `TRUE` value for more than one member in the collaboration.\n\nIf the collaboration creator hasn't specified anyone as the member paying for query compute costs, then the member who can query is the default payer. An error is returned if the collaboration creator sets a `FALSE` value for the member who can query.", + "title": "IsResponsible", + "type": "boolean" + } + }, + "required": [ + "IsResponsible" + ], + "type": "object" + }, "AWS::CleanRooms::ConfiguredTable": { "additionalProperties": false, "properties": { @@ -29447,7 +30379,7 @@ "title": "Policy" }, "Type": { - "markdownDescription": "The type of analysis rule. Valid values are `AGGREGATION` and `LIST`.", + "markdownDescription": "The type of analysis rule.", "title": "Type", "type": "string" } 
@@ -29531,12 +30463,16 @@ "items": { "type": "string" }, + "markdownDescription": "The analysis templates that are allowed by the custom analysis rule.", + "title": "AllowedAnalyses", "type": "array" }, "AllowedAnalysisProviders": { "items": { "type": "string" }, + "markdownDescription": "The AWS accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` .", + "title": "AllowedAnalysisProviders", "type": "array" } }, @@ -29552,7 +30488,7 @@ "items": { "type": "string" }, - "markdownDescription": "Which logical operators (if any) are to be used in an INNER JOIN match condition. Default is `AND` .", + "markdownDescription": "The logical operators (if any) that are to be used in an INNER JOIN match condition. Default is `AND` .", "title": "AllowedJoinOperators", "type": "array" }, @@ -29602,7 +30538,9 @@ "title": "Aggregation" }, "Custom": { - "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleCustom" + "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleCustom", + "markdownDescription": "Analysis rule type that enables custom SQL queries on a configured table.", + "title": "Custom" }, "List": { "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleList", 
@@ -29785,10 +30723,17 @@ "type": "string" }, "DefaultResultConfiguration": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryResultConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryResultConfiguration", + "markdownDescription": "The default protected query result configuration as specified by the member who can receive results.", + "title": "DefaultResultConfiguration" + }, + "PaymentConfiguration": { + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipPaymentConfiguration", + "markdownDescription": "The payment responsibilities accepted by the collaboration member.", + "title": "PaymentConfiguration" }, "QueryLogStatus": { - "markdownDescription": "An indicator as to whether query logging has been enabled or disabled for the collaboration.", + "markdownDescription": "An indicator as to whether query logging has been enabled or disabled for the membership.", "title": "QueryLogStatus", "type": "string" }, @@ -29828,11 +30773,27 @@ ], "type": "object" }, + "AWS::CleanRooms::Membership.MembershipPaymentConfiguration": { + "additionalProperties": false, + "properties": { + "QueryCompute": { + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipQueryComputePaymentConfig", + "markdownDescription": "The payment responsibilities accepted by the collaboration member for query compute costs.", + "title": "QueryCompute" + } + }, + "required": [ + "QueryCompute" + ], + "type": "object" + }, "AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration": { "additionalProperties": false, "properties": { "S3": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration", + "markdownDescription": "Required configuration for a protected query with an `S3` output type.", + "title": "S3" } }, "required": [ 
@@ -29844,9 +30805,13 @@ "additionalProperties": false, "properties": { "OutputConfiguration": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration", + "markdownDescription": "Configuration for protected query results.", + "title": "OutputConfiguration" }, "RoleArn": { + "markdownDescription": "The unique ARN for an IAM role that is used by AWS Clean Rooms to write protected query results to the result location, given by the member who can receive results.", + "title": "RoleArn", "type": "string" } }, 
@@ -29855,16 +30820,36 @@ ], "type": "object" }, + "AWS::CleanRooms::Membership.MembershipQueryComputePaymentConfig": { + "additionalProperties": false, + "properties": { + "IsResponsible": { + "markdownDescription": "Indicates whether the collaboration member has accepted to pay for query compute costs ( `TRUE` ) or has not accepted to pay for query compute costs ( `FALSE` ).\n\nIf the collaboration creator has not specified anyone to pay for query compute costs, then the member who can query is the default payer.\n\nAn error message is returned for the following reasons:\n\n- If you set the value to `FALSE` but you are responsible to pay for query compute costs.\n- If you set the value to `TRUE` but you are not responsible to pay for query compute costs.", + "title": "IsResponsible", + "type": "boolean" + } + }, + "required": [ + "IsResponsible" + ], + "type": "object" + }, "AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration": { "additionalProperties": false, "properties": { "Bucket": { + "markdownDescription": "The S3 bucket to unload the protected query results.", + "title": "Bucket", "type": "string" }, "KeyPrefix": { + "markdownDescription": "The S3 prefix to unload the protected query results.", + "title": "KeyPrefix", "type": "string" }, "ResultFormat": { + "markdownDescription": "Intended file format of the result.", + "title": "ResultFormat", "type": "string" } }, 
@@ -29925,7 +30910,7 @@ "type": "string" }, "ImageId": { - "markdownDescription": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nThe default AMI is used if the parameter isn't explicitly assigned a value in the request.\n\n*AMI aliases*\n\n- *Amazon Linux (default): `amazonlinux-1-x86_64`*\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n\n*SSM paths*\n\n- *Amazon Linux (default): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`*\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`", + "markdownDescription": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nFrom December 04, 2023, you will be required to include the `imageId` parameter for the `CreateEnvironmentEC2` action. This change will be reflected across all direct methods of communicating with the API, such as AWS SDK, AWS CLI and AWS CloudFormation. This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nFrom January 22, 2024, Amazon Linux (AL1) will be removed from the list of available image IDs for Cloud9. This is necessary as AL1 will reach the end of maintenance support in December 2023, and as a result will no longer receive security updates. We recommend using Amazon Linux 2023 as the new AMI to create your environment as it is fully supported. 
This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nSince Ubuntu 18.04 has ended standard support as of May 31, 2023, we recommend you choose Ubuntu 22.04.\n\n*AMI aliases*\n\n- Amazon Linux (end of maintenance support December 2023): `amazonlinux-1-x86_64`\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Amazon Linux 2023 (recommended): `amazonlinux-2023-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `ubuntu-22.04-x86_64`\n\n*SSM paths*\n\n- Amazon Linux (end of maintenance support December 2023): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Amazon Linux 2023 (recommended): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2023-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64`", "title": "ImageId", "type": "string" }, @@ -29967,6 +30952,7 @@ } }, "required": [ + "ImageId", "InstanceType" ], "type": "object" @@ -31093,7 +32079,7 @@ "type": "array" }, "StackSetName": { - "markdownDescription": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n*Maximum* : `128`\n\n*Pattern* : `^[a-zA-Z][a-zA-Z0-9-]{0,127}$`\n\n> The `StackSetName` property is required.", + "markdownDescription": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n> The `StackSetName` property is required.", "title": "StackSetName", "type": "string" }, 
@@ -31101,17 +32087,17 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The key-value pairs to associate with this stack set and the stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the stacks. A maximum number of 50 tags can be specified.", + "markdownDescription": "Key-value pairs to associate with this stack. AWS CloudFormation also propagates these tags to supported resources in the stack. You can specify a maximum number of 50 tags.\n\nIf you don't specify this parameter, AWS CloudFormation doesn't modify the stack's tags. If you specify an empty value, AWS CloudFormation removes all associated tags.", "title": "Tags", "type": "array" }, "TemplateBody": { - "markdownDescription": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.\n\n*Minimum* : `1`\n\n*Maximum* : `51200`", + "markdownDescription": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.", "title": "TemplateBody", "type": "string" }, "TemplateURL": { - "markdownDescription": "Location of file containing the template body. 
The URL must point to a template (max size: 460,800 bytes) that's located in an Amazon S3 bucket.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both.\n\n*Minimum* : `1`\n\n*Maximum* : `1024`", + "markdownDescription": "Location of file containing the template body. The URL must point to a template that's located in an Amazon S3 bucket or a Systems Manager document. For more information, go to [Template Anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) in the AWS CloudFormation User Guide.\n\nConditional: You must specify only one of the following parameters: `TemplateBody` , `TemplateURL` .", "title": "TemplateURL", "type": "string" } @@ -31176,6 +32162,8 @@ "type": "array" }, "AccountsUrl": { + "markdownDescription": "Returns the value of the `AccountsUrl` property.", + "title": "AccountsUrl", "type": "string" }, "OrganizationalUnitIds": { @@ -31232,7 +32220,7 @@ "items": { "type": "string" }, - "markdownDescription": "The order of the Regions where you want to perform the stack operation.", + "markdownDescription": "The order of the Regions where you want to perform the stack operation.\n\n> `RegionOrder` isn't followed if `AutoDeployment` is enabled.", "title": "RegionOrder", "type": "array" } 
@@ -31917,10 +32905,14 @@ "type": "boolean" }, "SingleHeaderPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleHeaderPolicyConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleHeaderPolicyConfig", + "markdownDescription": "This configuration determines which HTTP requests are sent to the staging distribution. If the HTTP request contains a header and value that matches what you specify here, the request is sent to the staging distribution. Otherwise the request is sent to the primary distribution.", + "title": "SingleHeaderPolicyConfig" }, "SingleWeightPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleWeightPolicyConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleWeightPolicyConfig", + "markdownDescription": "This configuration determines the percentage of HTTP requests that are sent to the staging distribution.", + "title": "SingleWeightPolicyConfig" }, "StagingDistributionDnsNames": { "items": { @@ -31936,6 +32928,8 @@ "title": "TrafficConfig" }, "Type": { + "markdownDescription": "The type of traffic configuration.", + "title": "Type", "type": "string" } }, @@ -31989,9 +32983,13 @@ "additionalProperties": false, "properties": { "Header": { + "markdownDescription": "", + "title": "Header", "type": "string" }, "Value": { + "markdownDescription": "", + "title": "Value", "type": "string" } }, @@ -32024,9 +33022,13 @@ "additionalProperties": false, "properties": { "SessionStickinessConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SessionStickinessConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SessionStickinessConfig", + "markdownDescription": "", + "title": "SessionStickinessConfig" }, "Weight": { + "markdownDescription": "", + "title": "Weight", "type": "number" } }, 
@@ -33040,7 +34042,7 @@ "type": "string" }, "CloudFrontDefaultCertificate": { - "markdownDescription": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), set this field to `false` and specify values for the following fields:\n\n- `ACMCertificateArn` or `IAMCertificateId` (specify a value for one, not both)\n\nIn CloudFormation, these field names are `AcmCertificateArn` and `IamCertificateId` . Note the different capitalization.\n- `MinimumProtocolVersion`\n- `SSLSupportMethod` (In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization.)", + "markdownDescription": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), omit this field and specify values for the following fields:\n\n- `AcmCertificateArn` or `IamCertificateId` (specify a value for one, not both)\n- `MinimumProtocolVersion`\n- `SslSupportMethod`", "title": "CloudFrontDefaultCertificate", "type": "boolean" }, @@ -33160,7 +34162,7 @@ "type": "string" }, "Runtime": { - "markdownDescription": "The function's runtime environment. The only valid value is `cloudfront-js-1.0` .", + "markdownDescription": "The function's runtime environment version.", "title": "Runtime", "type": "string" } @@ -33277,7 +34279,7 @@ ], "type": "object" }, - "AWS::CloudFront::MonitoringSubscription": { + "AWS::CloudFront::KeyValueStore": { "additionalProperties": false, "properties": { "Condition": { 
@@ -33312,26 +34314,30 @@ "Properties": { "additionalProperties": false, "properties": { - "DistributionId": { - "markdownDescription": "The ID of the distribution that you are enabling metrics for.", - "title": "DistributionId", + "Comment": { + "markdownDescription": "A comment for the Key Value Store.", + "title": "Comment", "type": "string" }, - "MonitoringSubscription": { - "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription.MonitoringSubscription", - "markdownDescription": "A subscription configuration for additional CloudWatch metrics.", - "title": "MonitoringSubscription" + "ImportSource": { + "$ref": "#/definitions/AWS::CloudFront::KeyValueStore.ImportSource", + "markdownDescription": "The import source for the Key Value Store.", + "title": "ImportSource" + }, + "Name": { + "markdownDescription": "The name of the Key Value Store.", + "title": "Name", + "type": "string" } }, "required": [ - "DistributionId", - "MonitoringSubscription" + "Name" ], "type": "object" }, "Type": { "enum": [ - "AWS::CloudFront::MonitoringSubscription" + "AWS::CloudFront::KeyValueStore" ], "type": "string" }, 
@@ -33350,32 +34356,27 @@ ], "type": "object" }, - "AWS::CloudFront::MonitoringSubscription.MonitoringSubscription": { - "additionalProperties": false, - "properties": { - "RealtimeMetricsSubscriptionConfig": { - "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription.RealtimeMetricsSubscriptionConfig", - "markdownDescription": "A subscription configuration for additional CloudWatch metrics.", - "title": "RealtimeMetricsSubscriptionConfig" - } - }, - "type": "object" - }, - "AWS::CloudFront::MonitoringSubscription.RealtimeMetricsSubscriptionConfig": { + "AWS::CloudFront::KeyValueStore.ImportSource": { "additionalProperties": false, "properties": { - "RealtimeMetricsSubscriptionStatus": { - "markdownDescription": "A flag that indicates whether additional CloudWatch metrics are enabled for a given CloudFront distribution.", - "title": "RealtimeMetricsSubscriptionStatus", + "SourceArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the import source for the Key Value Store.", + "title": "SourceArn", + "type": "string" + }, + "SourceType": { + "markdownDescription": "The source type of the import source for the Key Value Store.", + "title": "SourceType", "type": "string" } }, "required": [ - "RealtimeMetricsSubscriptionStatus" + "SourceArn", + "SourceType" ], "type": "object" }, - "AWS::CloudFront::OriginAccessControl": { + "AWS::CloudFront::MonitoringSubscription": { "additionalProperties": false, "properties": { "Condition": { 
@@ -33410,20 +34411,26 @@ "Properties": { "additionalProperties": false, "properties": { - "OriginAccessControlConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginAccessControl.OriginAccessControlConfig", - "markdownDescription": "The origin access control.", - "title": "OriginAccessControlConfig" + "DistributionId": { + "markdownDescription": "The ID of the distribution that you are enabling metrics for.", + "title": "DistributionId", + "type": "string" + }, + "MonitoringSubscription": { + "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription.MonitoringSubscription", + "markdownDescription": "A subscription configuration for additional CloudWatch metrics.", + "title": "MonitoringSubscription" } }, "required": [ - "OriginAccessControlConfig" + "DistributionId", + "MonitoringSubscription" ], "type": "object" }, "Type": { "enum": [ - "AWS::CloudFront::OriginAccessControl" + "AWS::CloudFront::MonitoringSubscription" ], "type": "string" }, 
@@ -33442,44 +34449,32 @@ ], "type": "object" }, - "AWS::CloudFront::OriginAccessControl.OriginAccessControlConfig": { + "AWS::CloudFront::MonitoringSubscription.MonitoringSubscription": { "additionalProperties": false, "properties": { - "Description": { - "markdownDescription": "A description of the origin access control.", - "title": "Description", - "type": "string" - }, - "Name": { - "markdownDescription": "A name to identify the origin access control.", - "title": "Name", - "type": "string" - }, - "OriginAccessControlOriginType": { - "markdownDescription": "The type of origin that this origin access control is for.", - "title": "OriginAccessControlOriginType", - "type": "string" - }, - "SigningBehavior": { - "markdownDescription": "Specifies which requests CloudFront signs (adds authentication information to). Specify `always` for the most common use case. For more information, see [origin access control advanced settings](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#oac-advanced-settings) in the *Amazon CloudFront Developer Guide* .\n\nThis field can have one of the following values:\n\n- `always` \u2013 CloudFront signs all origin requests, overwriting the `Authorization` header from the viewer request if one exists.\n- `never` \u2013 CloudFront doesn't sign any origin requests. This value turns off origin access control for all origins in all distributions that use this origin access control.\n- `no-override` \u2013 If the viewer request doesn't contain the `Authorization` header, then CloudFront signs the origin request. If the viewer request contains the `Authorization` header, then CloudFront doesn't sign the origin request and instead passes along the `Authorization` header from the viewer request. 
*WARNING: To pass along the `Authorization` header from the viewer request, you *must* add the `Authorization` header to a [cache policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html) for all cache behaviors that use origins associated with this origin access control.*", - "title": "SigningBehavior", - "type": "string" - }, - "SigningProtocol": { - "markdownDescription": "The signing protocol of the origin access control, which determines how CloudFront signs (authenticates) requests. The only valid value is `sigv4` .", - "title": "SigningProtocol", + "RealtimeMetricsSubscriptionConfig": { + "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription.RealtimeMetricsSubscriptionConfig", + "markdownDescription": "A subscription configuration for additional CloudWatch metrics.", + "title": "RealtimeMetricsSubscriptionConfig" + } + }, + "type": "object" + }, + "AWS::CloudFront::MonitoringSubscription.RealtimeMetricsSubscriptionConfig": { + "additionalProperties": false, + "properties": { + "RealtimeMetricsSubscriptionStatus": { + "markdownDescription": "A flag that indicates whether additional CloudWatch metrics are enabled for a given CloudFront distribution.", + "title": "RealtimeMetricsSubscriptionStatus", "type": "string" } }, "required": [ - "Name", - "OriginAccessControlOriginType", - "SigningBehavior", - "SigningProtocol" + "RealtimeMetricsSubscriptionStatus" ], "type": "object" }, - "AWS::CloudFront::OriginRequestPolicy": { + "AWS::CloudFront::OriginAccessControl": { "additionalProperties": false, "properties": { "Condition": { 
@@ -33514,20 +34509,20 @@ "Properties": { "additionalProperties": false, "properties": { - "OriginRequestPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.OriginRequestPolicyConfig", - "markdownDescription": "The origin request policy configuration.", - "title": "OriginRequestPolicyConfig" + "OriginAccessControlConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginAccessControl.OriginAccessControlConfig", + "markdownDescription": "The origin access control.", + "title": "OriginAccessControlConfig" } }, "required": [ - "OriginRequestPolicyConfig" + "OriginAccessControlConfig" ], "type": "object" }, "Type": { "enum": [ - "AWS::CloudFront::OriginRequestPolicy" + "AWS::CloudFront::OriginAccessControl" ], "type": "string" }, 
@@ -33546,110 +34541,214 @@ ], "type": "object" }, - "AWS::CloudFront::OriginRequestPolicy.CookiesConfig": { + "AWS::CloudFront::OriginAccessControl.OriginAccessControlConfig": { "additionalProperties": false, "properties": { - "CookieBehavior": { - "markdownDescription": "Determines whether cookies in viewer requests are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No cookies in viewer requests are included in requests that CloudFront sends to the origin. Even when this field is set to `none` , any cookies that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the cookies in viewer requests that are listed in the `CookieNames` type are included in requests that CloudFront sends to the origin.\n- `all` \u2013 All cookies in viewer requests are included in requests that CloudFront sends to the origin.\n- `allExcept` \u2013 All cookies in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `CookieNames` type, which are not included.", - "title": "CookieBehavior", + "Description": { + "markdownDescription": "A description of the origin access control.", + "title": "Description", "type": "string" }, - "Cookies": { - "items": { - "type": "string" - }, - "markdownDescription": "Contains a list of cookie names.", - "title": "Cookies", - "type": "array" - } - }, - "required": [ - "CookieBehavior" - ], - "type": "object" - }, - "AWS::CloudFront::OriginRequestPolicy.HeadersConfig": { - "additionalProperties": false, - "properties": { - "HeaderBehavior": { - "markdownDescription": "Determines whether any HTTP headers are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No HTTP headers in viewer requests are included in requests that CloudFront sends to the origin. 
Even when this field is set to `none` , any headers that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the HTTP headers that are listed in the `Headers` type are included in requests that CloudFront sends to the origin.\n- `allViewer` \u2013 All HTTP headers in viewer requests are included in requests that CloudFront sends to the origin.\n- `allViewerAndWhitelistCloudFront` \u2013 All HTTP headers in viewer requests and the additional CloudFront headers that are listed in the `Headers` type are included in requests that CloudFront sends to the origin. The additional headers are added by CloudFront.\n- `allExcept` \u2013 All HTTP headers in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `Headers` type, which are not included.", - "title": "HeaderBehavior", + "Name": { + "markdownDescription": "A name to identify the origin access control.", + "title": "Name", "type": "string" }, - "Headers": { - "items": { - "type": "string" - }, - "markdownDescription": "Contains a list of HTTP header names.", - "title": "Headers", - "type": "array" - } - }, - "required": [ - "HeaderBehavior" - ], - "type": "object" - }, - "AWS::CloudFront::OriginRequestPolicy.OriginRequestPolicyConfig": { - "additionalProperties": false, - "properties": { - "Comment": { - "markdownDescription": "A comment to describe the origin request policy. 
The comment cannot be longer than 128 characters.", - "title": "Comment", + "OriginAccessControlOriginType": { + "markdownDescription": "The type of origin that this origin access control is for.", + "title": "OriginAccessControlOriginType", "type": "string" }, - "CookiesConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.CookiesConfig", - "markdownDescription": "The cookies from viewer requests to include in origin requests.", - "title": "CookiesConfig" - }, - "HeadersConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.HeadersConfig", - "markdownDescription": "The HTTP headers to include in origin requests. These can include headers from viewer requests and additional headers added by CloudFront.", - "title": "HeadersConfig" - }, - "Name": { - "markdownDescription": "A unique name to identify the origin request policy.", - "title": "Name", + "SigningBehavior": { + "markdownDescription": "Specifies which requests CloudFront signs (adds authentication information to). Specify `always` for the most common use case. For more information, see [origin access control advanced settings](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#oac-advanced-settings) in the *Amazon CloudFront Developer Guide* .\n\nThis field can have one of the following values:\n\n- `always` \u2013 CloudFront signs all origin requests, overwriting the `Authorization` header from the viewer request if one exists.\n- `never` \u2013 CloudFront doesn't sign any origin requests. This value turns off origin access control for all origins in all distributions that use this origin access control.\n- `no-override` \u2013 If the viewer request doesn't contain the `Authorization` header, then CloudFront signs the origin request. 
If the viewer request contains the `Authorization` header, then CloudFront doesn't sign the origin request and instead passes along the `Authorization` header from the viewer request. *WARNING: To pass along the `Authorization` header from the viewer request, you *must* add the `Authorization` header to a [cache policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html) for all cache behaviors that use origins associated with this origin access control.*", + "title": "SigningBehavior", "type": "string" }, - "QueryStringsConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.QueryStringsConfig", - "markdownDescription": "The URL query strings from viewer requests to include in origin requests.", - "title": "QueryStringsConfig" - } - }, - "required": [ - "CookiesConfig", - "HeadersConfig", - "Name", - "QueryStringsConfig" - ], - "type": "object" - }, - "AWS::CloudFront::OriginRequestPolicy.QueryStringsConfig": { - "additionalProperties": false, - "properties": { - "QueryStringBehavior": { - "markdownDescription": "Determines whether any URL query strings in viewer requests are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No query strings in viewer requests are included in requests that CloudFront sends to the origin. 
Even when this field is set to `none` , any query strings that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the query strings in viewer requests that are listed in the `QueryStringNames` type are included in requests that CloudFront sends to the origin.\n- `all` \u2013 All query strings in viewer requests are included in requests that CloudFront sends to the origin.\n- `allExcept` \u2013 All query strings in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `QueryStringNames` type, which are not included.", - "title": "QueryStringBehavior", + "SigningProtocol": { + "markdownDescription": "The signing protocol of the origin access control, which determines how CloudFront signs (authenticates) requests. The only valid value is `sigv4` .", + "title": "SigningProtocol", "type": "string" - }, - "QueryStrings": { - "items": { - "type": "string" - }, - "markdownDescription": "Contains a list of query string names.", - "title": "QueryStrings", - "type": "array" } }, "required": [ - "QueryStringBehavior" + "Name", + "OriginAccessControlOriginType", + "SigningBehavior", + "SigningProtocol" ], "type": "object" }, - "AWS::CloudFront::PublicKey": { + "AWS::CloudFront::OriginRequestPolicy": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "OriginRequestPolicyConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.OriginRequestPolicyConfig", + "markdownDescription": "The origin request policy configuration.", + 
"title": "OriginRequestPolicyConfig" + } + }, + "required": [ + "OriginRequestPolicyConfig" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::CloudFront::OriginRequestPolicy" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::CloudFront::OriginRequestPolicy.CookiesConfig": { + "additionalProperties": false, + "properties": { + "CookieBehavior": { + "markdownDescription": "Determines whether cookies in viewer requests are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No cookies in viewer requests are included in requests that CloudFront sends to the origin. Even when this field is set to `none` , any cookies that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the cookies in viewer requests that are listed in the `CookieNames` type are included in requests that CloudFront sends to the origin.\n- `all` \u2013 All cookies in viewer requests are included in requests that CloudFront sends to the origin.\n- `allExcept` \u2013 All cookies in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `CookieNames` type, which are not included.", + "title": "CookieBehavior", + "type": "string" + }, + "Cookies": { + "items": { + "type": "string" + }, + "markdownDescription": "Contains a list of cookie names.", + "title": "Cookies", + "type": "array" + } + }, + "required": [ + "CookieBehavior" + ], + "type": "object" + }, + "AWS::CloudFront::OriginRequestPolicy.HeadersConfig": { + "additionalProperties": false, + "properties": { + "HeaderBehavior": { + "markdownDescription": "Determines whether any HTTP headers are included in requests that CloudFront sends to the origin. 
Valid values are:\n\n- `none` \u2013 No HTTP headers in viewer requests are included in requests that CloudFront sends to the origin. Even when this field is set to `none` , any headers that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the HTTP headers that are listed in the `Headers` type are included in requests that CloudFront sends to the origin.\n- `allViewer` \u2013 All HTTP headers in viewer requests are included in requests that CloudFront sends to the origin.\n- `allViewerAndWhitelistCloudFront` \u2013 All HTTP headers in viewer requests and the additional CloudFront headers that are listed in the `Headers` type are included in requests that CloudFront sends to the origin. The additional headers are added by CloudFront.\n- `allExcept` \u2013 All HTTP headers in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `Headers` type, which are not included.", + "title": "HeaderBehavior", + "type": "string" + }, + "Headers": { + "items": { + "type": "string" + }, + "markdownDescription": "Contains a list of HTTP header names.", + "title": "Headers", + "type": "array" + } + }, + "required": [ + "HeaderBehavior" + ], + "type": "object" + }, + "AWS::CloudFront::OriginRequestPolicy.OriginRequestPolicyConfig": { + "additionalProperties": false, + "properties": { + "Comment": { + "markdownDescription": "A comment to describe the origin request policy. The comment cannot be longer than 128 characters.", + "title": "Comment", + "type": "string" + }, + "CookiesConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.CookiesConfig", + "markdownDescription": "The cookies from viewer requests to include in origin requests.", + "title": "CookiesConfig" + }, + "HeadersConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.HeadersConfig", + "markdownDescription": "The HTTP headers to include in origin requests. 
These can include headers from viewer requests and additional headers added by CloudFront.", + "title": "HeadersConfig" + }, + "Name": { + "markdownDescription": "A unique name to identify the origin request policy.", + "title": "Name", + "type": "string" + }, + "QueryStringsConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.QueryStringsConfig", + "markdownDescription": "The URL query strings from viewer requests to include in origin requests.", + "title": "QueryStringsConfig" + } + }, + "required": [ + "CookiesConfig", + "HeadersConfig", + "Name", + "QueryStringsConfig" + ], + "type": "object" + }, + "AWS::CloudFront::OriginRequestPolicy.QueryStringsConfig": { + "additionalProperties": false, + "properties": { + "QueryStringBehavior": { + "markdownDescription": "Determines whether any URL query strings in viewer requests are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No query strings in viewer requests are included in requests that CloudFront sends to the origin. 
Even when this field is set to `none` , any query strings that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the query strings in viewer requests that are listed in the `QueryStringNames` type are included in requests that CloudFront sends to the origin.\n- `all` \u2013 All query strings in viewer requests are included in requests that CloudFront sends to the origin.\n- `allExcept` \u2013 All query strings in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `QueryStringNames` type, which are not included.", + "title": "QueryStringBehavior", + "type": "string" + }, + "QueryStrings": { + "items": { + "type": "string" + }, + "markdownDescription": "Contains a list of query string names.", + "title": "QueryStrings", + "type": "array" + } + }, + "required": [ + "QueryStringBehavior" + ], + "type": "object" + }, + "AWS::CloudFront::PublicKey": { "additionalProperties": false, "properties": { "Condition": { @@ -34655,7 +35754,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of destination for events arriving from a channel. For channels used for a CloudTrail Lake integration, the value is `EventDataStore` . For service-linked channels, the value is `AWS_SERVICE` .", + "markdownDescription": "The type of destination for events arriving from a channel. For channels used for a CloudTrail Lake integration, the value is `EVENT_DATA_STORE` . For service-linked channels, the value is `AWS_SERVICE` .", "title": "Type", "type": "string" } 
@@ -34709,11 +35808,39 @@ "title": "AdvancedEventSelectors", "type": "array" }, + "BillingMode": { + "markdownDescription": "The billing mode for the event data store determines the cost for ingesting events and the default and maximum retention period for the event data store.\n\nThe following are the possible values:\n\n- `EXTENDABLE_RETENTION_PRICING` - This billing mode is generally recommended if you want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days.\n- `FIXED_RETENTION_PRICING` - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). The default retention period for this billing mode is 2557 days.\n\nThe default value is `EXTENDABLE_RETENTION_PRICING` .\n\nFor more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://docs.aws.amazon.com/cloudtrail/pricing/) and [Managing CloudTrail Lake costs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html) .", + "title": "BillingMode", + "type": "string" + }, + "FederationEnabled": { + "markdownDescription": "Indicates if [Lake query federation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html) is enabled. By default, Lake query federation is disabled. 
You cannot delete an event data store if Lake query federation is enabled.", + "title": "FederationEnabled", + "type": "boolean" + }, + "FederationRoleArn": { + "markdownDescription": "If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store.\n\nThe federation role must exist in your account and provide the [required minimum permissions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html#query-federation-permissions-role) .", + "title": "FederationRoleArn", + "type": "string" + }, "IngestionEnabled": { "markdownDescription": "Specifies whether the event data store should start ingesting live events. The default is true.", "title": "IngestionEnabled", "type": "boolean" }, + "InsightSelectors": { + "items": { + "$ref": "#/definitions/AWS::CloudTrail::EventDataStore.InsightSelector" + }, + "markdownDescription": "A JSON string that contains the Insights types you want to log on an event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", + "title": "InsightSelectors", + "type": "array" + }, + "InsightsDestination": { + "markdownDescription": "The ARN (or ID suffix of the ARN) of the destination event data store that logs Insights events. For more information, see [Create an event data store for CloudTrail Insights events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-insights.html) .", + "title": "InsightsDestination", + "type": "string" + }, "KmsKeyId": { "markdownDescription": "Specifies the AWS KMS key ID to use to encrypt the events delivered by CloudTrail. 
The value can be an alias name prefixed by `alias/` , a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\n> Disabling or deleting the KMS key, or removing CloudTrail permissions on the key, prevents CloudTrail from logging events to the event data store, and prevents users from querying the data in the event data store that was encrypted with the key. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. Before you disable or delete a KMS key that you are using with an event data store, delete or back up your event data store. \n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- `alias/MyAliasName`\n- `arn:aws:kms:us-east-2:123456789012:alias/MyAliasName`\n- `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`\n- `12345678-1234-1234-1234-123456789012`", "title": "KmsKeyId", 
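Review bot: The description added for `InsightSelectors` opens with "A JSON string that contains the Insights types", but the same entry declares `"type": "array"` with `items` pointing at an `InsightSelector` definition. An author who follows the text and supplies a string would fail validation against this schema. The wording should match the declared type, for example `"markdownDescription": "A list of the Insights types you want to log on an event data store. ..."`. If the text is copied verbatim from upstream documentation, the mismatch is better corrected or flagged where it is imported.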
@@ -34735,7 +35862,7 @@ "type": "boolean" }, "RetentionPeriod": { - "markdownDescription": "The retention period of the event data store, in days. You can set a retention period of up to 2557 days, the equivalent of seven years.", + "markdownDescription": "The retention period of the event data store, in days. If `BillingMode` is set to `EXTENDABLE_RETENTION_PRICING` , you can set a retention period of up to 3653 days, the equivalent of 10 years. If `BillingMode` is set to `FIXED_RETENTION_PRICING` , you can set a retention period of up to 2557 days, the equivalent of seven years.\n\nCloudTrail Lake determines whether to retain an event by checking if the `eventTime` of the event is within the specified retention period. For example, if you set a retention period of 90 days, CloudTrail will remove events when the `eventTime` is older than 90 days.\n\n> If you plan to copy trail events to this event data store, we recommend that you consider both the age of the events that you want to copy as well as how long you want to keep the copied events in your event data store. For example, if you copy trail events that are 5 years old and specify a retention period of 7 years, the event data store will retain those events for two years.", "title": "RetentionPeriod", "type": "number" }, 
@@ -34817,7 +35944,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. 
Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- 
`arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `readOnly` , `eventCategory` , and `eventSource` .\n\nFor CloudTrail data events, supported fields include `readOnly` , `eventCategory` , `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. 
A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::B2BI::Transformer`\n- `AWS::Bedrock::AgentAlias`\n- `AWS::Bedrock::KnowledgeBase`\n- `AWS::CloudFront:KeyValueStore`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::NeptuneGraph::Graph`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::QBusiness::Application`\n- `AWS::QBusiness::DataSource`\n- `AWS::QBusiness::Index`\n- `AWS::QBusiness::WebExperience`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::ServiceDiscovery::Namespace`\n- `AWS::ServiceDiscovery::Service`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::SQS::Queue`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::ThinClient::Device`\n- `AWS::ThinClient::Environment`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. 
For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::B2BI::Transformer` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::b2bi:::transformer/`\n\nWhen resources.type equals `AWS::Bedrock::AgentAlias` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::agent-alias//`\n\nWhen resources.type equals `AWS::Bedrock::KnowledgeBase` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::knowledge-base/`\n\nWhen resources.type equals `AWS::CloudFront:KeyValueStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudfront:::key-value-store/`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals 
`AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , 
the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::NeptuneGraph::Graph` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::neptune-graph:::graph/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::QBusiness::Application` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application/`\n\nWhen `resources.type` equals `AWS::QBusiness::DataSource` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index//data-source/`\n\nWhen `resources.type` equals `AWS::QBusiness::Index` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index/`\n\nWhen `resources.type` equals `AWS::QBusiness::WebExperience` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//web-experience/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or 
`NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Namespace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::namespace/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Service` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::service/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::SQS::Queue` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sqs:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::ThinClient::Device` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::device/`\n\nWhen `resources.type` equals `AWS::ThinClient::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::environment/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "title": "Field", "type": "string" }, 
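Review bot: The added `Field` description writes one resource type as `AWS::CloudFront:KeyValueStore`, with a single colon before `KeyValueStore`, both in the `resources.type` value list and in the sentence introducing its ARN format. Every other entry follows the `AWS::Service::Resource` pattern, so it should read `AWS::CloudFront::KeyValueStore`. Because `resources.type` accepts only the `Equals` operator, a value copied from this text would presumably be rejected or match nothing, leaving data events for that resource type unlogged. The file looks generated from the AWS documentation, so the correction probably belongs in the upstream text or the generator rather than a hand edit here. The `Field` hunk for `AWS::CloudTrail::Trail` that starts further down runs past the visible lines and may carry the same text.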
@@ -34859,6 +35986,17 @@ ], "type": "object" }, + "AWS::CloudTrail::EventDataStore.InsightSelector": { + "additionalProperties": false, + "properties": { + "InsightType": { + "markdownDescription": "The type of Insights events to log on an event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", + "title": "InsightType", + "type": "string" + } + }, + "type": "object" + }, "AWS::CloudTrail::ResourcePolicy": { "additionalProperties": false, "properties": { 
@@ -34994,7 +36132,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.EventSelector" }, - "markdownDescription": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nFor more information about how to configure event selectors, see [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#aws-resource-cloudtrail-trail--examples) and [Configuring event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-additional-cli-commands.html#configuring-event-selector-examples) in the *AWS CloudTrail User Guide* .", + "markdownDescription": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nYou cannot apply both event selectors and advanced event selectors to a trail.", "title": "EventSelectors", "type": "array" }, 
@@ -35007,7 +36145,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.InsightSelector" }, - "markdownDescription": "A JSON string that contains the insight types you want to log on a trail. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", + "markdownDescription": "A JSON string that contains the Insights types you want to log on a trail. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", "title": "InsightSelectors", "type": "array" }, 
@@ -35022,7 +36160,7 @@ "type": "boolean" }, "IsOrganizationTrail": { - "markdownDescription": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account or delegated administrator account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.", + "markdownDescription": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.\n\n> Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.", "title": "IsOrganizationTrail", "type": "boolean" }, 
@@ -35129,7 +36267,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. 
Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- 
`arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `readOnly` , `eventCategory` , and `eventSource` .\n\nFor CloudTrail data events, supported fields include `readOnly` , `eventCategory` , `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. 
A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::B2BI::Transformer`\n- `AWS::Bedrock::AgentAlias`\n- `AWS::Bedrock::KnowledgeBase`\n- `AWS::CloudFront:KeyValueStore`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::NeptuneGraph::Graph`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::QBusiness::Application`\n- `AWS::QBusiness::DataSource`\n- `AWS::QBusiness::Index`\n- `AWS::QBusiness::WebExperience`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::ServiceDiscovery::Namespace`\n- `AWS::ServiceDiscovery::Service`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::SQS::Queue`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::ThinClient::Device`\n- `AWS::ThinClient::Environment`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. 
For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::B2BI::Transformer` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::b2bi:::transformer/`\n\nWhen resources.type equals `AWS::Bedrock::AgentAlias` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::agent-alias//`\n\nWhen resources.type equals `AWS::Bedrock::KnowledgeBase` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::knowledge-base/`\n\nWhen resources.type equals `AWS::CloudFront:KeyValueStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudfront:::key-value-store/`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals 
`AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , 
the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::NeptuneGraph::Graph` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::neptune-graph:::graph/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::QBusiness::Application` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application/`\n\nWhen `resources.type` equals `AWS::QBusiness::DataSource` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index//data-source/`\n\nWhen `resources.type` equals `AWS::QBusiness::Index` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index/`\n\nWhen `resources.type` equals `AWS::QBusiness::WebExperience` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//web-experience/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or 
`NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Namespace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::namespace/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Service` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::service/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::SQS::Queue` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sqs:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::ThinClient::Device` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::device/`\n\nWhen `resources.type` equals `AWS::ThinClient::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::environment/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "title": "Field", "type": "string" }, 
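Review bot: The ARN templates in the new `Field` description have lost their placeholder segments: the text tells the reader to replace what sits between `<` and `>`, yet the patterns read `arn::s3:::/`, `arn::dynamodb:::table/` and so on, which cannot be filled in as written. The removed side shows the same damage, so it presumably comes from whatever produces these strings (angle-bracket text being stripped as markup); fixing it there would restore forms such as `arn:<partition>:s3:::<bucket_name>/` (placeholder names illustrative). The added lists here and in the `Type` hunk at -35175 also spell one entry `AWS::CloudFront:KeyValueStore` with a single colon where every other entry uses `::`; it should read `AWS::CloudFront::KeyValueStore`. Both matter because these values get copied into selectors that decide which data events a trail records, and a malformed value may be rejected or may leave the intended events unlogged.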
@@ -35175,7 +36313,7 @@ "additionalProperties": false, "properties": { "Type": { - "markdownDescription": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::S3::Object`\n- `AWS::Lambda::Function`\n- `AWS::DynamoDB::Table`", + "markdownDescription": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n\nThe following resource types are only available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) .\n\n- `AWS::B2BI::Transformer`\n- `AWS::Bedrock::AgentAlias`\n- `AWS::Bedrock::KnowledgeBase`\n- `AWS::CloudFront:KeyValueStore`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::NeptuneGraph::Graph`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::QBusiness::Application`\n- `AWS::QBusiness::DataSource`\n- `AWS::QBusiness::Index`\n- `AWS::QBusiness::WebExperience`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::ServiceDiscovery::Namespace`\n- `AWS::ServiceDiscovery::Service`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::SQS::Queue`\n- 
`AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::ThinClient::Device`\n- `AWS::ThinClient::Environment`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`", "title": "Type", "type": "string" }, 
@@ -35200,7 +36338,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.DataResource" }, - "markdownDescription": "In AWS CloudFormation , CloudTrail supports data event logging for Amazon S3 objects, Amazon DynamoDB tables, and AWS Lambda functions. Currently, advanced event selectors for data events are not supported in AWS CloudFormation templates. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", + "markdownDescription": "CloudTrail supports data event logging for Amazon S3 objects, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Data Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", "title": "DataResources", "type": "array" }, 
@@ -36193,7 +37331,7 @@ "type": "string" }, "OutputFormat": { - "markdownDescription": "The output format for the stream. Valid values are `json` and `opentelemetry0.7` For more information about metric stream output formats, see [Metric streams output formats](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html) .\n\nThis parameter is required.", + "markdownDescription": "The output format for the stream. Valid values are `json` , `opentelemetry1.0` and `opentelemetry0.7` For more information about metric stream output formats, see [Metric streams output formats](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html) .\n\nThis parameter is required.", "title": "OutputFormat", "type": "string" }, 
@@ -36206,7 +37344,7 @@ "items": { "$ref": "#/definitions/AWS::CloudWatch::MetricStream.MetricStreamStatisticsConfiguration" }, - "markdownDescription": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html.html) . If the `OutputFormat` is `opentelemetry0` .7, you can stream percentile statistics *(p??)* .", + "markdownDescription": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html) . If the `OutputFormat` is OpenTelemetry, you can stream percentile statistics.", "title": "StatisticsConfigurations", "type": "array" }, 
@@ -36356,8 +37494,6 @@ "type": "string" }, "EncryptionKey": { - "markdownDescription": "The key used to encrypt the domain.", - "title": "EncryptionKey", "type": "string" }, "PermissionsPolicyDocument": { @@ -36446,8 +37582,6 @@ "type": "string" }, "DomainOwner": { - "markdownDescription": "The 12-digit account number of the AWS account that owns the domain that contains the repository. It does not include dashes or spaces.", - "title": "DomainOwner", "type": "string" }, "ExternalConnections": { 
@@ -36867,15 +38001,13 @@ "title": "RegistryCredential" }, "Type": { - "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", + "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. 
California), US West (Oregon), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Hyderabad), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), and Europe (London).\n\n- The environment types `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. 
Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", "title": "Type", "type": "string" } }, "required": [ - "ComputeType", - "Image", - "Type" + "Image" ], "type": "object" }, @@ -36893,7 +38025,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs and secret access keys. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` .", + "markdownDescription": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` .", "title": "Value", "type": "string" } @@ -37034,6 +38166,15 @@ ], "type": "object" }, + "AWS::CodeBuild::Project.ProjectFleet": { + "additionalProperties": false, + "properties": { + "FleetArn": { + "type": "string" + } + }, + "type": "object" + }, "AWS::CodeBuild::Project.ProjectSourceVersion": { "additionalProperties": false, "properties": { 
@@ -37793,6 +38934,11 @@ "$ref": "#/definitions/AWS::CodeDeploy::DeploymentConfig.TrafficRoutingConfig", "markdownDescription": "The configuration that specifies how the deployment traffic is routed.", "title": "TrafficRoutingConfig" + }, + "ZonalConfig": { + "$ref": "#/definitions/AWS::CodeDeploy::DeploymentConfig.ZonalConfig", + "markdownDescription": "Configure the `ZonalConfig` object if you want AWS CodeDeploy to deploy your application to one [Availability Zone](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones) at a time, within an AWS Region.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "title": "ZonalConfig" } }, "type": "object" @@ -37837,6 +38983,26 @@ ], "type": "object" }, + "AWS::CodeDeploy::DeploymentConfig.MinimumHealthyHostsPerZone": { + "additionalProperties": false, + "properties": { + "Type": { + "markdownDescription": "The `type` associated with the `MinimumHealthyHostsPerZone` option.", + "title": "Type", + "type": "string" + }, + "Value": { + "markdownDescription": "The `value` associated with the `MinimumHealthyHostsPerZone` option.", + "title": "Value", + "type": "number" + } + }, + "required": [ + "Type", + "Value" + ], + "type": "object" + }, "AWS::CodeDeploy::DeploymentConfig.TimeBasedCanary": { "additionalProperties": false, "properties": { 
@@ -37901,6 +39067,27 @@ ], "type": "object" }, + "AWS::CodeDeploy::DeploymentConfig.ZonalConfig": { + "additionalProperties": false, + "properties": { + "FirstZoneMonitorDurationInSeconds": { + "markdownDescription": "The period of time, in seconds, that CodeDeploy must wait after completing a deployment to the *first* Availability Zone. CodeDeploy will wait this amount of time before starting a deployment to the second Availability Zone. You might set this option if you want to allow extra bake time for the first Availability Zone. If you don't specify a value for `firstZoneMonitorDurationInSeconds` , then CodeDeploy uses the `monitorDurationInSeconds` value for the first Availability Zone.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "title": "FirstZoneMonitorDurationInSeconds", + "type": "number" + }, + "MinimumHealthyHostsPerZone": { + "$ref": "#/definitions/AWS::CodeDeploy::DeploymentConfig.MinimumHealthyHostsPerZone", + "markdownDescription": "The number or percentage of instances that must remain available per Availability Zone during a deployment. This option works in conjunction with the `MinimumHealthyHosts` option. 
For more information, see [About the minimum number of healthy hosts per Availability Zone](https://docs.aws.amazon.com//codedeploy/latest/userguide/instances-health.html#minimum-healthy-hosts-az) in the *CodeDeploy User Guide* .\n\nIf you don't specify the `minimumHealthyHostsPerZone` option, then CodeDeploy uses a default value of `0` percent.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "title": "MinimumHealthyHostsPerZone" + }, + "MonitorDurationInSeconds": { + "markdownDescription": "The period of time, in seconds, that CodeDeploy must wait after completing a deployment to an Availability Zone. CodeDeploy will wait this amount of time before starting a deployment to the next Availability Zone. Consider adding a monitor duration to give the deployment some time to prove itself (or 'bake') in one Availability Zone before it is released in the next zone. If you don't specify a `monitorDurationInSeconds` , CodeDeploy starts deploying to the next Availability Zone immediately.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "title": "MonitorDurationInSeconds", + "type": "number" + } + }, + "type": "object" + }, "AWS::CodeDeploy::DeploymentGroup": { "additionalProperties": false, "properties": { 
@@ -38024,7 +39211,7 @@ "title": "OnPremisesTagSet" }, "OutdatedInstancesStrategy": { - "markdownDescription": "", + "markdownDescription": "Indicates what happens when new Amazon EC2 instances are launched mid-deployment and do not receive the deployed application revision.\n\nIf this option is set to `UPDATE` or is unspecified, CodeDeploy initiates one or more 'auto-update outdated instances' deployments to apply the deployed application revision to the new Amazon EC2 instances.\n\nIf this option is set to `IGNORE` , CodeDeploy does not initiate a deployment to update the new Amazon EC2 instances. This may result in instances having different revisions.", "title": "OutdatedInstancesStrategy", "type": "string" }, @@ -38037,10 +39224,13 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The metadata that you apply to CodeDeploy deployment groups to help you organize and categorize them. Each tag consists of a key and an optional value, both of which you define.", "title": "Tags", "type": "array" }, + "TerminationHookEnabled": { + "type": "boolean" + }, "TriggerConfigurations": { "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TriggerConfig" 
@@ -38342,7 +39532,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.ELBInfo" }, - "markdownDescription": "An array that contains information about the load balancer to use for load balancing in a deployment. In Elastic Load Balancing, load balancers are used with Classic Load Balancers.\n\n> Adding more than one load balancer to the array is not supported.", + "markdownDescription": "An array that contains information about the load balancers to use for load balancing in a deployment. If you're using Classic Load Balancers, specify those load balancers in this array.\n\n> You can add up to 10 load balancers to the array. > If you're using Application Load Balancers or Network Load Balancers, use the `targetGroupInfoList` array instead of this one.", "title": "ElbInfoList", "type": "array" }, @@ -38350,7 +39540,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupInfo" }, - "markdownDescription": "An array that contains information about the target group to use for load balancing in a deployment. In Elastic Load Balancing , target groups are used with Application Load Balancers .\n\n> Adding more than one target group to the array is not supported.", + "markdownDescription": "An array that contains information about the target groups to use for load balancing in a deployment. If you're using Application Load Balancers and Network Load Balancers, specify their associated target groups in this array.\n\n> You can add up to 10 target groups to the array. > If you're using Classic Load Balancers, use the `elbInfoList` array instead of this one.", "title": "TargetGroupInfoList", "type": "array" }, 
@@ -38358,7 +39548,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupPairInfo" }, - "markdownDescription": "", + "markdownDescription": "The target group pair information. This is an array of `TargeGroupPairInfo` objects with a maximum size of one.", "title": "TargetGroupPairInfoList", "type": "array" } @@ -38486,20 +39676,20 @@ "properties": { "ProdTrafficRoute": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TrafficRoute", - "markdownDescription": "", + "markdownDescription": "The path used by a load balancer to route production traffic when an Amazon ECS deployment is complete.", "title": "ProdTrafficRoute" }, "TargetGroups": { "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupInfo" }, - "markdownDescription": "", + "markdownDescription": "One pair of target groups. One is associated with the original task set. The second is associated with the task set that serves traffic after the deployment is complete.", "title": "TargetGroups", "type": "array" }, "TestTrafficRoute": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TrafficRoute", - "markdownDescription": "", + "markdownDescription": "An optional path used by a load balancer to route test traffic after an Amazon ECS deployment. Validation can occur while test traffic is served during a deployment.", "title": "TestTrafficRoute" } }, @@ -38512,7 +39702,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of one listener. The listener identifies the route between a target group and a load balancer. This is an array of strings with a maximum size of one.", "title": "ListenerArns", "type": "array" } 
@@ -39034,6 +40224,11 @@ "title": "Name", "type": "string" }, + "PipelineType": { + "markdownDescription": "CodePipeline provides the following pipeline types, which differ in characteristics and price, so that you can tailor your pipeline features and cost to the needs of your applications.\n\n- V1 type pipelines have a JSON structure that contains standard pipeline, stage, and action-level parameters.\n- V2 type pipelines have the same structure as a V1 type, along with additional parameters for release safety and trigger configuration.\n\n> Including V2 parameters, such as triggers on Git tags, in the pipeline JSON when creating or updating a pipeline will result in the pipeline having the V2 type of pipeline and the associated costs. \n\nFor information about pricing for CodePipeline, see [Pricing](https://docs.aws.amazon.com/https://aws.amazon.com/codepipeline/pricing/) .\n\nFor information about which type of pipeline to choose, see [What type of pipeline is right for me?](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipeline-types-planning.html) .", + "title": "PipelineType", + "type": "string" + }, "RestartExecutionOnUpdate": { "markdownDescription": "Indicates whether to rerun the CodePipeline pipeline after you update it.", "title": "RestartExecutionOnUpdate", 
@@ -39059,6 +40254,22 @@ "markdownDescription": "Specifies the tags applied to the pipeline.", "title": "Tags", "type": "array" + }, + "Triggers": { + "items": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.PipelineTriggerDeclaration" + }, + "markdownDescription": "The trigger configuration specifying a type of event, such as Git tags, that starts the pipeline.\n\n> When a trigger configuration is specified, default change detection for repository and branch commits is disabled.", + "title": "Triggers", + "type": "array" + }, + "Variables": { + "items": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.VariableDeclaration" + }, + "markdownDescription": "A list that defines the pipeline variables for a pipeline resource. Variable names can have alphanumeric and underscore characters, and the values must match `[A-Za-z0-9@\\-_]+` .", + "title": "Variables", + "type": "array" } }, "required": [ 
@@ -39266,6 +40477,61 @@ ], "type": "object" }, + "AWS::CodePipeline::Pipeline.GitConfiguration": { + "additionalProperties": false, + "properties": { + "Push": { + "items": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.GitPushFilter" + }, + "markdownDescription": "The field where the repository event that will start the pipeline, such as pushing Git tags, is specified with details.\n\n> Git tags is the only supported event type.", + "title": "Push", + "type": "array" + }, + "SourceActionName": { + "markdownDescription": "The name of the pipeline source action where the trigger configuration, such as Git tags, is specified. The trigger configuration will start the pipeline upon the specified change only.\n\n> You can only specify one trigger configuration per source action.", + "title": "SourceActionName", + "type": "string" + } + }, + "required": [ + "SourceActionName" + ], + "type": "object" + }, + "AWS::CodePipeline::Pipeline.GitPushFilter": { + "additionalProperties": false, + "properties": { + "Tags": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.GitTagFilterCriteria", + "markdownDescription": "The field that contains the details for the Git tags trigger configuration.", + "title": "Tags" + } + }, + "type": "object" + }, + "AWS::CodePipeline::Pipeline.GitTagFilterCriteria": { + "additionalProperties": false, + "properties": { + "Excludes": { + "items": { + "type": "string" + }, + "markdownDescription": "The list of patterns of Git tags that, when pushed, are to be excluded from starting the pipeline.", + "title": "Excludes", + "type": "array" + }, + "Includes": { + "items": { + "type": "string" + }, + "markdownDescription": "The list of patterns of Git tags that, when pushed, are to be included as criteria that starts the pipeline.", + "title": "Includes", + "type": "array" + } + }, + "type": "object" + }, "AWS::CodePipeline::Pipeline.InputArtifact": { "additionalProperties": false, "properties": { 
@@ -39294,6 +40560,25 @@ ], "type": "object" }, + "AWS::CodePipeline::Pipeline.PipelineTriggerDeclaration": { + "additionalProperties": false, + "properties": { + "GitConfiguration": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.GitConfiguration", + "markdownDescription": "Provides the filter criteria and the source stage for the repository event that starts the pipeline, such as Git tags.", + "title": "GitConfiguration" + }, + "ProviderType": { + "markdownDescription": "The source provider for the event, such as connections configured for a repository with Git tags, for the specified trigger configuration.", + "title": "ProviderType", + "type": "string" + } + }, + "required": [ + "ProviderType" + ], + "type": "object" + }, "AWS::CodePipeline::Pipeline.StageDeclaration": { "additionalProperties": false, "properties": { @@ -39345,6 +40630,30 @@ ], "type": "object" }, + "AWS::CodePipeline::Pipeline.VariableDeclaration": { + "additionalProperties": false, + "properties": { + "DefaultValue": { + "markdownDescription": "The value of a pipeline-level variable.", + "title": "DefaultValue", + "type": "string" + }, + "Description": { + "markdownDescription": "The description of a pipeline-level variable. It's used to add additional context about the variable, and not being used at time when pipeline executes.", + "title": "Description", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of a pipeline-level variable.", + "title": "Name", + "type": "string" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, "AWS::CodePipeline::Webhook": { "additionalProperties": false, "properties": { @@ -39668,7 +40977,7 @@ "additionalProperties": false, "properties": { "ConnectionName": { - "markdownDescription": "The name of the connection. Connection names must be unique in an AWS user account.", + "markdownDescription": "The name of the connection. Connection names must be unique in an AWS account .", "title": "ConnectionName", "type": "string" }, 
@@ -39717,6 +41026,195 @@ ], "type": "object" }, + "AWS::CodeStarConnections::RepositoryLink": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ConnectionArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the connection associated with the repository link.", + "title": "ConnectionArn", + "type": "string" + }, + "EncryptionKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the encryption key for the repository associated with the repository link.", + "title": "EncryptionKeyArn", + "type": "string" + }, + "OwnerId": { + "markdownDescription": "The owner ID for the repository associated with the repository link, such as the owner ID in GitHub.", + "title": "OwnerId", + "type": "string" + }, + "RepositoryName": { + "markdownDescription": "The name of the repository associated with the repository link.", + "title": "RepositoryName", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags for the repository to be associated with the repository link.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "ConnectionArn", + "OwnerId", + "RepositoryName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::CodeStarConnections::RepositoryLink" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::CodeStarConnections::SyncConfiguration": { + 
"additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Branch": { + "markdownDescription": "The branch associated with a specific sync configuration.", + "title": "Branch", + "type": "string" + }, + "ConfigFile": { + "markdownDescription": "The file path to the configuration file associated with a specific sync configuration. The path should point to an actual file in the sync configurations linked repository.", + "title": "ConfigFile", + "type": "string" + }, + "RepositoryLinkId": { + "markdownDescription": "The ID of the repository link associated with a specific sync configuration.", + "title": "RepositoryLinkId", + "type": "string" + }, + "ResourceName": { + "markdownDescription": "The name of the connection resource associated with a specific sync configuration.", + "title": "ResourceName", + "type": "string" + }, + "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role associated with a specific sync configuration.", + "title": "RoleArn", + "type": "string" + }, + "SyncType": { + "markdownDescription": "The type of sync for a specific sync configuration.", + "title": "SyncType", + "type": "string" + } + }, + "required": [ + "Branch", + "ConfigFile", + "RepositoryLinkId", + "ResourceName", + "RoleArn", + "SyncType" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::CodeStarConnections::SyncConfiguration" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + 
"type": "object" + }, "AWS::CodeStarNotifications::NotificationRule": { "additionalProperties": false, "properties": { @@ -40329,9 +41827,13 @@ "items": { "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.LogConfiguration" }, + "markdownDescription": "The detailed activity logging destination of a user pool.", + "title": "LogConfigurations", "type": "array" }, "UserPoolId": { + "markdownDescription": "The ID of the user pool where you configured detailed activity logging.", + "title": "UserPoolId", "type": "string" } }, @@ -40365,6 +41867,8 @@ "additionalProperties": false, "properties": { "LogGroupArn": { + "markdownDescription": "The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs. The log group must not be encrypted with AWS Key Management Service and must be in the same AWS account as your user pool.\n\nTo send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with `/aws/vendedlogs` . For more information, see [Enabling logging from certain AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) .", + "title": "LogGroupArn", "type": "string" } }, 
@@ -40374,12 +41878,18 @@ "additionalProperties": false, "properties": { "CloudWatchLogsConfiguration": { - "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.CloudWatchLogsConfiguration" + "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.CloudWatchLogsConfiguration", + "markdownDescription": "The CloudWatch logging destination of a user pool detailed activity logging configuration.", + "title": "CloudWatchLogsConfiguration" }, "EventSource": { + "markdownDescription": "The source of events that your user pool sends for detailed activity logging.", + "title": "EventSource", "type": "string" }, "LogLevel": { + "markdownDescription": "The `errorlevel` selection of logs that a user pool sends for detailed activity logging.", + "title": "LogLevel", "type": "string" } }, @@ -40524,7 +42034,7 @@ }, "UserPoolAddOns": { "$ref": "#/definitions/AWS::Cognito::UserPool.UserPoolAddOns", - "markdownDescription": "Enables advanced security risk detection. Set the key `AdvancedSecurityMode` to the value \"AUDIT\".", + "markdownDescription": "User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` .\n\nFor more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) .", "title": "UserPoolAddOns" }, "UserPoolName": { 
@@ -40691,7 +42201,7 @@ "type": "string" }, "SourceArn": { - "markdownDescription": "The ARN of a verified email address in Amazon SES. Amazon Cognito uses this email address in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) .", + "markdownDescription": "The ARN of a verified email address or an address from a verified domain in Amazon SES. You can set a `SourceArn` email from a verified domain only with an API request. You can set a verified email address, but not an address in a verified domain, in the Amazon Cognito console. Amazon Cognito uses the email address that you provide in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. 
Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) .", "title": "SourceArn", "type": "string" } @@ -40835,7 +42345,7 @@ "type": "boolean" }, "TemporaryPasswordValidityDays": { - "markdownDescription": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.", + "markdownDescription": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. Defaults to `7` . If you submit a value of `0` , Amazon Cognito treats it as a null value and sets `TemporaryPasswordValidityDays` to its default value.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.", "title": "TemporaryPasswordValidityDays", "type": "number" } @@ -40873,7 +42383,7 @@ "additionalProperties": false, "properties": { "AttributeDataType": { - "markdownDescription": "The attribute data type.", + "markdownDescription": "The data format of the values for your attribute. When you choose an `AttributeDataType` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example `\"custom:isMember\" : \"true\"` or `\"custom:YearsAsMember\" : \"12\"` .", "title": "AttributeDataType", "type": "string" }, 
@@ -40883,12 +42393,12 @@ "type": "boolean" }, "Mutable": { - "markdownDescription": "Specifies whether the value of the attribute can be changed.\n\nFor any user pool attribute that is mapped to an IdP attribute, you must set this parameter to `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "markdownDescription": "Specifies whether the value of the attribute can be changed.\n\nAny user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", "title": "Mutable", "type": "boolean" }, "Name": { - "markdownDescription": "A schema attribute of the name type.", + "markdownDescription": "The name of your user pool attribute. When you create or update a user pool, adding a schema attribute creates a custom or developer-only attribute. When you add an attribute with a `Name` value of `MyAttribute` , Amazon Cognito creates the custom attribute `custom:MyAttribute` . When `DeveloperOnlyAttribute` is `true` , Amazon Cognito creates your attribute as `dev:MyAttribute` . 
In an operation that describes a user pool, Amazon Cognito returns this value as `value` for standard attributes, `custom:value` for custom attributes, and `dev:value` for developer-only attributes..", "title": "Name", "type": "string" }, @@ -40968,7 +42478,7 @@ "additionalProperties": false, "properties": { "AdvancedSecurityMode": { - "markdownDescription": "The advanced security mode.", + "markdownDescription": "The operating mode of advanced security features in your user pool.", "title": "AdvancedSecurityMode", "type": "string" } 
@@ -41066,12 +42576,12 @@ "items": { "type": "string" }, - "markdownDescription": "The allowed OAuth flows.\n\n- **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.\n- **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.\n- **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.", + "markdownDescription": "The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add `client_credentials` as the only allowed OAuth flow.\n\n- **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.\n- **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.\n- **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.", "title": "AllowedOAuthFlows", "type": "array" }, "AllowedOAuthFlowsUserPoolClient": { - "markdownDescription": "Set to true if the client is allowed to follow the OAuth protocol when interacting with Amazon Cognito user pools.", + "markdownDescription": "Set to `true` to use OAuth 2.0 features in your user pool app client.\n\n`AllowedOAuthFlowsUserPoolClient` must be `true` before you can configure the following features in your app client.\n\n- `CallBackURLs` : Callback URLs.\n- `LogoutURLs` : Sign-out redirect URLs.\n- `AllowedOAuthScopes` : OAuth 2.0 scopes.\n- `AllowedOAuthFlows` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants.\n\nTo use OAuth 2.0 features, configure one of these features in the Amazon 
Cognito console or set `AllowedOAuthFlowsUserPoolClient` to `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API request. If you don't set a value for `AllowedOAuthFlowsUserPoolClient` in a request with the AWS CLI or SDKs, it defaults to `false` .", "title": "AllowedOAuthFlowsUserPoolClient", "type": "boolean" }, @@ -41156,7 +42666,7 @@ "items": { "type": "string" }, - "markdownDescription": "The read attributes.", + "markdownDescription": "The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a [GetUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html) API request to retrieve and display your user's profile data.\n\nWhen you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified` , `phone_number_verified` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.", "title": "ReadAttributes", "type": "array" }, 
@@ -41187,7 +42697,7 @@ "items": { "type": "string" }, - "markdownDescription": "The user pool attributes that the app client can write to.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "markdownDescription": "The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) API request and sets `family_name` to the new value.\n\nWhen you don't specify the `WriteAttributes` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, `WriteAttributes` doesn't return any information. Amazon Cognito only populates `WriteAttributes` in the API response if you have specified your own custom set of write attributes.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. 
If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", "title": "WriteAttributes", "type": "array" } 
@@ -42065,7 +43575,7 @@ "items": { "$ref": "#/definitions/AWS::Cognito::UserPoolUser.AttributeType" }, - "markdownDescription": "The user attributes and attribute values to be set for the user to be created. These are name-value pairs You can create a user without specifying any attributes other than `Username` . However, any attributes that you specify as required (in [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) or in the *Attributes* tab of the console) must be supplied either by you (in your call to `AdminCreateUser` ) or by the user (when they sign up in response to your welcome message).\n\nFor custom attributes, you must prepend the `custom:` prefix to the attribute name.\n\nTo send a message inviting the user to sign up, you must specify the user's email address or phone number. This can be done in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.\n\nIn your call to `AdminCreateUser` , you can set the `email_verified` attribute to `True` , and you can set the `phone_number_verified` attribute to `True` . (You can also do this by calling [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) .)\n\n- *email* : The email address of the user to whom the message that contains the code and user name will be sent. Required if the `email_verified` attribute is set to `True` , or if `\"EMAIL\"` is specified in the `DesiredDeliveryMediums` parameter.\n- *phone_number* : The phone number of the user to whom the message that contains the code and user name will be sent. Required if the `phone_number_verified` attribute is set to `True` , or if `\"SMS\"` is specified in the `DesiredDeliveryMediums` parameter.", + "markdownDescription": "An array of name-value pairs that contain user attributes and attribute values.", "title": "UserAttributes", "type": "array" }, 
@@ -42075,7 +43585,7 @@ "type": "string" }, "Username": { - "markdownDescription": "The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username can't be changed.", + "markdownDescription": "The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter.\n\n- The username can't be a duplicate of another username in the same user pool.\n- You can't change the value of a username after you create it.\n- You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases) .", "title": "Username", "type": "string" }, 
@@ -42083,7 +43593,7 @@ "items": { "$ref": "#/definitions/AWS::Cognito::UserPoolUser.AttributeType" }, - "markdownDescription": "The user's validation data. This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.\n\nTo configure custom validation, you must create a Pre Sign-up AWS Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.\n\nThe user's validation data isn't persisted.", + "markdownDescription": "Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.\n\nYour Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.\n\nFor more information about the pre sign-up Lambda trigger, see [Pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html) .", "title": "ValidationData", "type": "array" } @@ -42166,7 +43676,7 @@ "additionalProperties": false, "properties": { "GroupName": { - "markdownDescription": "The group name.", + "markdownDescription": "The name of the group that you want to add your user to.", "title": "GroupName", "type": "string" }, 
@@ -42176,7 +43686,7 @@ "type": "string" }, "Username": { - "markdownDescription": "The username for the user.", + "markdownDescription": "", "title": "Username", "type": "string" } @@ -42265,7 +43775,7 @@ "type": "string" }, "Mode": { - "markdownDescription": "Indicates the mode in which the classifier will be trained. The classifier can be trained in multi-class mode, which identifies one and only one class for each document, or multi-label mode, which identifies one or more labels for each document. In multi-label mode, multiple labels for an individual document are separated by a delimiter. The default delimiter between labels is a pipe (|).", + "markdownDescription": "Indicates the mode in which the classifier will be trained. The classifier can be trained in multi-class (single-label) mode or multi-label mode. Multi-class mode identifies a single class label for each document and multi-label mode identifies one or more class labels for each document. Multiple labels for an individual document are separated by a delimiter. The default delimiter between labels is a pipe (|).", "title": "Mode", "type": "string" }, 
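Review bot: The `Username` property in the hunk at `@@ -42176,7 +43686,7 @@` now carries `"markdownDescription": ""`, which drops the previous text "The username for the user." and leaves schema consumers with a blank description. Every other property touched in this part of the change keeps or gains a description, so this looks like an upstream entry with no text rather than an intended edit. If this file is generated, as its content suggests, the generator could omit the `markdownDescription` key when the source text is empty, or keep the previous value, instead of writing an empty string.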
@@ -42466,7 +43976,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the type of Amazon Textract features to apply. If you chose `TEXTRACT_ANALYZE_DOCUMENT` as the read action, you must specify one or both of the following values:\n\n- `TABLES` - Returns information about any tables that are detected in the input document.\n- `FORMS` - Returns information and the data from any forms that are detected in the input document.", + "markdownDescription": "Specifies the type of Amazon Textract features to apply. If you chose `TEXTRACT_ANALYZE_DOCUMENT` as the read action, you must specify one or both of the following values:\n\n- `TABLES` - Returns additional information about any tables that are detected in the input document.\n- `FORMS` - Returns additional information about any forms that are detected in the input document.", "title": "FeatureTypes", "type": "array" } @@ -42675,7 +44185,7 @@ "additionalProperties": false, "properties": { "Type": { - "markdownDescription": "An entity type within a labeled training dataset that Amazon Comprehend uses to train a custom entity recognizer.\n\nEntity types must not contain the following invalid characters: \\n (line break), \\\\n (escaped line break, \\r (carriage return), \\\\r (escaped carriage return), \\t (tab), \\\\t (escaped tab), space, and , (comma).", + "markdownDescription": "An entity type within a labeled training dataset that Amazon Comprehend uses to train a custom entity recognizer.\n\nEntity types must not contain the following invalid characters: \\n (line break), \\\\n (escaped line break, \\r (carriage return), \\\\r (escaped carriage return), \\t (tab), \\\\t (escaped tab), and , (comma).", "title": "Type", "type": "string" } 
@@ -42852,7 +44362,9 @@ "additionalProperties": false, "properties": { "Compliance": { - "$ref": "#/definitions/AWS::Config::ConfigRule.Compliance" + "$ref": "#/definitions/AWS::Config::ConfigRule.Compliance", + "markdownDescription": "Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.", + "title": "Compliance" }, "ConfigRuleName": { "markdownDescription": "A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .", @@ -42868,6 +44380,8 @@ "items": { "$ref": "#/definitions/AWS::Config::ConfigRule.EvaluationModeConfiguration" }, + "markdownDescription": "The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.", + "title": "EvaluationModes", "type": "array" }, "InputParameters": { @@ -42921,6 +44435,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Indicates whether an AWS resource or AWS Config rule is compliant.\n\nA resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.\n\nA rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.\n\nAWS Config returns the `INSUFFICIENT_DATA` value when no evaluation results are available for the AWS resource or AWS Config rule.\n\nFor the `Compliance` data type, AWS Config supports only `COMPLIANT` , `NON_COMPLIANT` , and `INSUFFICIENT_DATA` values. AWS Config does not support the `NOT_APPLICABLE` value for the `Compliance` data type.", + "title": "Type", "type": "string" } }, 
@@ -42951,6 +44467,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of an evaluation. The valid values are Detective or Proactive.", + "title": "Mode", "type": "string" } }, 
@@ -43219,17 +44737,22 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "A name for the configuration recorder. If you don't specify a name, AWS CloudFormation CloudFormation generates a unique physical ID and uses that ID for the configuration recorder name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> After you create a configuration recorder, you cannot rename it. If you don't want a name that AWS CloudFormation generates, specify a value for this property. \n\nUpdates are not supported.", + "markdownDescription": "The name of the configuration recorder. AWS Config automatically assigns the name of \"default\" when creating the configuration recorder.\n\nYou cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.", "title": "Name", "type": "string" }, "RecordingGroup": { "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingGroup", - "markdownDescription": "Indicates whether to record configurations for all supported resources or for a list of resource types. The resource types that you list must be supported by AWS Config .", + "markdownDescription": "Specifies which resource types AWS Config records for configuration changes.\n\n> *High Number of AWS Config Evaluations*\n> \n> You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.\n> \n> If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. 
An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud ( Amazon EC2 ) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling . If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.", "title": "RecordingGroup" }, + "RecordingMode": { + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingMode", + "markdownDescription": "Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports *Continuous recording* and *Daily recording* .\n\n- Continuous recording allows you to record configuration changes continuously whenever a change occurs.\n- Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it\u2019s different from the previous CI recorded.\n\n> AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous. \n\nYou can also override the recording frequency for specific resource types.", + "title": "RecordingMode" + }, "RoleARN": { - "markdownDescription": "The Amazon Resource Name (ARN) of the IAM (IAM) role that is used to make read or write requests to the delivery channel that you specify and to get configuration details for supported AWS resources. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.", + "markdownDescription": "Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder. 
For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.\n\n> *Pre-existing AWS Config role*\n> \n> If you have used an AWS service that uses AWS Config , such as AWS Security Hub or AWS Control Tower , and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected.\n> \n> For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service ( Amazon S3 ) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config . Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config , see [*Identity and Access Management for AWS Config*](https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html) in the *AWS Config Developer Guide* .", "title": "RoleARN", "type": "string" } @@ -43267,6 +44790,8 @@ "items": { "type": "string" }, + "markdownDescription": "A comma-separated list of resource types to exclude from recording by the configuration recorder.", + "title": "ResourceTypes", "type": "array" } }, 
@@ -43279,36 +44804,92 @@ "additionalProperties": false, "properties": { "AllSupported": { - "markdownDescription": "Specifies whether AWS Config records configuration changes for all supported regional resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new type of regional resource, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .", + "markdownDescription": "Specifies whether AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new resource type, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Region availability*\n> \n> Check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if a resource type is supported in the AWS Region where you set up AWS Config .", "title": "AllSupported", "type": "boolean" }, "ExclusionByResourceTypes": { - "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.ExclusionByResourceTypes" + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.ExclusionByResourceTypes", 
+ "markdownDescription": "An object that specifies how AWS Config excludes resource types from being recorded by the configuration recorder.\n\nTo use this option, you must set the `useOnly` field of [AWS::Config::ConfigurationRecorder RecordingStrategy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .", + "title": "ExclusionByResourceTypes" }, "IncludeGlobalResourceTypes": { - "markdownDescription": "Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.\n\nBefore you can set this option to `true` , you must set the `AllSupported` option to `true` .\n\nIf you set this option to `true` , when AWS Config adds support for a new type of global resource, it starts recording resources of that type automatically.\n\nThe configuration details for any global resource are the same in all regions. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.", + "markdownDescription": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. 
This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `includeGlobalResourceTypes` is not set to `true` . The `includeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > Before you set this field to `true` , set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . 
> *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `includeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `resourceTypes` field in addition to setting the `includeGlobalResourceTypes` field to false.", "title": "IncludeGlobalResourceTypes", "type": "boolean" }, "RecordingStrategy": { - "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy" + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy", + "markdownDescription": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . 
When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . 
> *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. 
This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "title": "RecordingStrategy" }, "ResourceTypes": { "items": { "type": "string" }, - "markdownDescription": "A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail` ).\n\nTo record all configuration changes, you must set the `AllSupported` option to `false` .\n\nIf you set the `AllSupported` option to false and populate the `ResourceTypes` option with values, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.\n\nFor a list of valid `resourceTypes` values, see the *resourceType Value* column in [Supported AWS Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) .", + "markdownDescription": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `resourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. 
If you set the `allSupported` field to `false` and specify values for `resourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config .", "title": "ResourceTypes", "type": "array" } }, "type": "object" }, + "AWS::Config::ConfigurationRecorder.RecordingMode": { + "additionalProperties": false, + "properties": { + "RecordingFrequency": { + "markdownDescription": "The default recording frequency that AWS Config uses to record configuration changes.\n\n> Daily recording is not supported for the following resource types:\n> \n> - `AWS::Config::ResourceCompliance`\n> - `AWS::Config::ConformancePackCompliance`\n> - `AWS::Config::ConfigurationRecorder`\n> \n> For the *allSupported* ( `ALL_SUPPORTED_RESOURCE_TYPES` ) recording strategy, these resource types will be set to Continuous recording.", + "title": "RecordingFrequency", + "type": "string" + }, + "RecordingModeOverrides": { + "items": { + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingModeOverride" + }, + "markdownDescription": "An array of `recordingModeOverride` objects for you to specify your overrides for the recording mode. 
The `recordingModeOverride` object in the `recordingModeOverrides` array consists of three fields: a `description` , the new `recordingFrequency` , and an array of `resourceTypes` to override.", + "title": "RecordingModeOverrides", + "type": "array" + } + }, + "required": [ + "RecordingFrequency" + ], + "type": "object" + }, + "AWS::Config::ConfigurationRecorder.RecordingModeOverride": { + "additionalProperties": false, + "properties": { + "Description": { + "markdownDescription": "A description that you provide for the override.", + "title": "Description", + "type": "string" + }, + "RecordingFrequency": { + "markdownDescription": "The recording frequency that will be applied to all the resource types specified in the override.\n\n- Continuous recording allows you to record configuration changes continuously whenever a change occurs.\n- Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it\u2019s different from the previous CI recorded.\n\n> AWS Firewall Manager depends on continuous recording to monitor your resources. 
If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.", + "title": "RecordingFrequency", + "type": "string" + }, + "ResourceTypes": { + "items": { + "type": "string" + }, + "markdownDescription": "A comma-separated list that specifies which resource types AWS Config includes in the override.\n\n> Daily recording is not supported for the following resource types:\n> \n> - `AWS::Config::ResourceCompliance`\n> - `AWS::Config::ConformancePackCompliance`\n> - `AWS::Config::ConfigurationRecorder`", + "title": "ResourceTypes", + "type": "array" + } + }, + "required": [ + "RecordingFrequency", + "ResourceTypes" + ], + "type": "object" + }, "AWS::Config::ConfigurationRecorder.RecordingStrategy": { "additionalProperties": false, "properties": { "UseOnly": { + "markdownDescription": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. 
For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . 
> *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "title": "UseOnly", "type": "string" } }, 
@@ -43387,7 +44968,7 @@ }, "TemplateSSMDocumentDetails": { "$ref": "#/definitions/AWS::Config::ConformancePack.TemplateSSMDocumentDetails", - "markdownDescription": "", + "markdownDescription": "An object that contains the name or Amazon Resource Name (ARN) of the AWS Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack.", "title": "TemplateSSMDocumentDetails" } }, @@ -43606,7 +45187,7 @@ }, "OrganizationCustomPolicyRuleMetadata": { "$ref": "#/definitions/AWS::Config::OrganizationConfigRule.OrganizationCustomPolicyRuleMetadata", - "markdownDescription": "", + "markdownDescription": "An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.", "title": "OrganizationCustomPolicyRuleMetadata" }, "OrganizationCustomRuleMetadata": { 
@@ -43653,22 +45234,22 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of accounts that you can enable debug logging for your organization AWS Config Custom Policy rule. List is null when debug logging is enabled for all accounts.", "title": "DebugLogDeliveryAccounts", "type": "array" }, "Description": { - "markdownDescription": "", + "markdownDescription": "The description that you provide for your organization AWS Config Custom Policy rule.", "title": "Description", "type": "string" }, "InputParameters": { - "markdownDescription": "", + "markdownDescription": "A string, in JSON format, that is passed to your organization AWS Config Custom Policy rule.", "title": "InputParameters", "type": "string" }, "MaximumExecutionFrequency": { - "markdownDescription": "", + "markdownDescription": "The maximum frequency with which AWS Config runs evaluations for a rule. Your AWS Config Custom Policy rule is triggered when AWS Config delivers the configuration snapshot. For more information, see `ConfigSnapshotDeliveryProperties` .", "title": "MaximumExecutionFrequency", "type": "string" }, 
@@ -43676,17 +45257,17 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The type of notification that initiates AWS Config to run an evaluation for a rule. For AWS Config Custom Policy rules, AWS Config supports change-initiated notification types:\n\n- `ConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers a configuration item as a result of a resource change.\n- `OversizedConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.", "title": "OrganizationConfigRuleTriggerTypes", "type": "array" }, "PolicyText": { - "markdownDescription": "", + "markdownDescription": "The policy definition containing the logic for your organization AWS Config Custom Policy rule.", "title": "PolicyText", "type": "string" }, "ResourceIdScope": { - "markdownDescription": "", + "markdownDescription": "The ID of the AWS resource that was evaluated.", "title": "ResourceIdScope", "type": "string" }, 
@@ -43694,22 +45275,22 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The type of the AWS resource that was evaluated.", "title": "ResourceTypesScope", "type": "array" }, "Runtime": { - "markdownDescription": "", + "markdownDescription": "The runtime system for your organization AWS Config Custom Policy rules. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard) .", "title": "Runtime", "type": "string" }, "TagKeyScope": { - "markdownDescription": "", + "markdownDescription": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", "title": "TagKeyScope", "type": "string" }, "TagValueScope": { - "markdownDescription": "", + "markdownDescription": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).", "title": "TagValueScope", "type": "string" } 
@@ -44022,7 +45603,7 @@ "type": "string" }, "RetryAttemptSeconds": { - "markdownDescription": "Maximum time in seconds that AWS Config runs auto-remediation. If you do not select a number, the default is 60 seconds.\n\nFor example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, AWS Config will run auto-remediations 5 times within 50 seconds before throwing an exception.", + "markdownDescription": "Time window to determine whether or not to add a remediation exception to prevent infinite remediation attempts. If `MaximumAutomaticAttempts` remediation attempts have been made under `RetryAttemptSeconds` , a remediation exception will be added to the resource. If you do not select a number, the default is 60 seconds.\n\nFor example, if you specify `RetryAttemptSeconds` as 50 seconds and `MaximumAutomaticAttempts` as 5, AWS Config will run auto-remediations 5 times within 50 seconds before adding a remediation exception to the resource.", "title": "RetryAttemptSeconds", "type": "number" }, @@ -44101,8 +45682,6 @@ "additionalProperties": false, "properties": { "Value": { - "markdownDescription": "The value is a resource ID.", - "title": "Value", "type": "string" } }, @@ -44131,8 +45710,6 @@ "items": { "type": "string" }, - "markdownDescription": "A list of values. For example, the ARN of the assumed role.", - "title": "Values", "type": "array" } }, @@ -44907,7 +46484,7 @@ "additionalProperties": false, "properties": { "Label": { - "markdownDescription": "The property label of the automation.\n\n*Allowed values* : `OVERALL_CUSTOMER_SENTIMENT_SCORE` , `OVERALL_AGENT_SENTIMENT_SCORE` | `NON_TALK_TIME` | `NON_TALK_TIME_PERCENTAGE` | `NUMBER_OF_INTERRUPTIONS` | `CONTACT_DURATION` | `AGENT_INTERACTION_DURATION` | `CUSTOMER_HOLD_TIME`", + "markdownDescription": "The property label of the automation.", "title": "Label", "type": "string" } 
@@ -45025,7 +46602,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", "title": "Tags", "type": "array" }, @@ -45164,6 +46741,14 @@ "markdownDescription": "The alias of instance. `InstanceAlias` is only required when `IdentityManagementType` is `CONNECT_MANAGED` or `SAML` . `InstanceAlias` is not required when `IdentityManagementType` is `EXISTING_DIRECTORY` .", "title": "InstanceAlias", "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags of an instance.", + "title": "Tags", + "type": "array" } }, "required": [ @@ -45405,6 +46990,7 @@ } }, "required": [ + "EncryptionConfig", "Prefix", "RetentionPeriodHours" ], @@ -45573,7 +47159,7 @@ "type": "array" }, "TargetArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", + "markdownDescription": "The Amazon Resource Name (ARN) for Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", "title": "TargetArn", "type": "string" }, 
@@ -45738,36 +47324,54 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the queue.", + "title": "Description", "type": "string" }, "HoursOfOperationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the hours of operation.", + "title": "HoursOfOperationArn", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "MaxContacts": { + "markdownDescription": "The maximum number of contacts that can be in the queue before it is considered full.", + "title": "MaxContacts", "type": "number" }, "Name": { + "markdownDescription": "The name of the queue.", + "title": "Name", "type": "string" }, "OutboundCallerConfig": { - "$ref": "#/definitions/AWS::Connect::Queue.OutboundCallerConfig" + "$ref": "#/definitions/AWS::Connect::Queue.OutboundCallerConfig", + "markdownDescription": "The outbound caller ID name, number, and outbound whisper flow.", + "title": "OutboundCallerConfig" }, "QuickConnectArns": { "items": { "type": "string" }, + "markdownDescription": "The Amazon Resource Names (ARN) of the of the quick connects available to agents who are working the queue.", + "title": "QuickConnectArns", "type": "array" }, "Status": { + "markdownDescription": "The status of the queue.", + "title": "Status", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, 
@@ -45803,12 +47407,18 @@ "additionalProperties": false, "properties": { "OutboundCallerIdName": { + "markdownDescription": "The caller ID name.", + "title": "OutboundCallerIdName", "type": "string" }, "OutboundCallerIdNumberArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the outbound caller ID number.\n\n> Only use the phone number ARN format that doesn't contain `instance` in the path, for example, `arn:aws:connect:us-east-1:1234567890:phone-number/uuid` . This is the same ARN format that is returned when you create a phone number using CloudFormation , or when you call the [ListPhoneNumbersV2](https://docs.aws.amazon.com/connect/latest/APIReference/API_ListPhoneNumbersV2.html) API.", + "title": "OutboundCallerIdNumberArn", "type": "string" }, "OutboundFlowArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the outbound flow.", + "title": "OutboundFlowArn", "type": "string" } }, @@ -45873,7 +47483,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", "title": "Tags", "type": "array" } 
@@ -46025,36 +47635,52 @@ "additionalProperties": false, "properties": { "AgentAvailabilityTimer": { + "markdownDescription": "Whether agents with this routing profile will have their routing order calculated based on *time since their last inbound contact* or *longest idle time* .", + "title": "AgentAvailabilityTimer", "type": "string" }, "DefaultOutboundQueueArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the default outbound queue for the routing profile.", + "title": "DefaultOutboundQueueArn", "type": "string" }, "Description": { + "markdownDescription": "The description of the routing profile.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "MediaConcurrencies": { "items": { "$ref": "#/definitions/AWS::Connect::RoutingProfile.MediaConcurrency" }, + "markdownDescription": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "title": "MediaConcurrencies", "type": "array" }, "Name": { + "markdownDescription": "The name of the routing profile.", + "title": "Name", "type": "string" }, "QueueConfigs": { "items": { "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueConfig" }, + "markdownDescription": "The inbound queues associated with the routing profile. If no queue is added, the agent can make only outbound calls.", + "title": "QueueConfigs", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, 
@@ -46092,6 +47718,8 @@ "additionalProperties": false, "properties": { "BehaviorType": { + "markdownDescription": "Specifies the other channels that can be routed to an agent handling their current channel.", + "title": "BehaviorType", "type": "string" } }, @@ -46104,13 +47732,19 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The channels that agents can handle in the Contact Control Panel (CCP).", + "title": "Channel", "type": "string" }, "Concurrency": { + "markdownDescription": "The number of contacts an agent can have on a channel simultaneously.\n\nValid Range for `VOICE` : Minimum value of 1. Maximum value of 1.\n\nValid Range for `CHAT` : Minimum value of 1. Maximum value of 10.\n\nValid Range for `TASK` : Minimum value of 1. Maximum value of 10.", + "title": "Concurrency", "type": "number" }, "CrossChannelBehavior": { - "$ref": "#/definitions/AWS::Connect::RoutingProfile.CrossChannelBehavior" + "$ref": "#/definitions/AWS::Connect::RoutingProfile.CrossChannelBehavior", + "markdownDescription": "Defines the cross-channel routing behavior for each channel that is enabled for this Routing Profile. For example, this allows you to offer an agent a different contact from another channel when they are currently working with a contact from a Voice channel.", + "title": "CrossChannelBehavior" } }, "required": [ 
@@ -46123,13 +47757,19 @@ "additionalProperties": false, "properties": { "Delay": { + "markdownDescription": "The delay, in seconds, a contact should be in the queue before they are routed to an available agent. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) in the *Amazon Connect Administrator Guide* .", + "title": "Delay", "type": "number" }, "Priority": { + "markdownDescription": "The order in which contacts are to be handled for the queue. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) .", + "title": "Priority", "type": "number" }, "QueueReference": { - "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueReference" + "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueReference", + "markdownDescription": "Contains information about a queue resource.", + "title": "QueueReference" } }, "required": [ @@ -46143,9 +47783,13 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "title": "Channel", "type": "string" }, "QueueArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the queue.", + "title": "QueueArn", "type": "string" } }, @@ -46361,7 +48005,7 @@ "additionalProperties": false, "properties": { "EventSourceName": { - "markdownDescription": "The name of the event source.\n\n*Allowed values* : `OnPostCallAnalysisAvailable` | `OnRealTimeCallAnalysisAvailable` | `OnPostChatAnalysisAvailable` | `OnZendeskTicketCreate` | `OnZendeskTicketStatusUpdate` | `OnSalesforceCaseCreate`", + "markdownDescription": "The name of the event source.", "title": "EventSourceName", "type": "string" }, 
@@ -46561,33 +48205,47 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The list of tags that a security profile uses to restrict access to resources in Amazon Connect.", + "title": "AllowedAccessControlTags", "type": "array" }, "Description": { + "markdownDescription": "The description of the security profile.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "Permissions": { "items": { "type": "string" }, + "markdownDescription": "Permissions assigned to the security profile. For a list of valid permissions, see [List of security profile permissions](https://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) .", + "title": "Permissions", "type": "array" }, "SecurityProfileName": { + "markdownDescription": "The name for the security profile.", + "title": "SecurityProfileName", "type": "string" }, "TagRestrictedResources": { "items": { "type": "string" }, + "markdownDescription": "The list of resources that a security profile applies tag restrictions to in Amazon Connect.", + "title": "TagRestrictedResources", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, 
@@ -46914,18 +48572,26 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the traffic distribution group.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The Amazon Resource Name (ARN).", + "title": "InstanceArn", "type": "string" }, "Name": { + "markdownDescription": "The name of the traffic distribution group.", + "title": "Name", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, {\"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -47192,6 +48858,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -47261,24 +48929,36 @@ "items": { "type": "string" }, + "markdownDescription": "A list of actions possible from the view.", + "title": "Actions", "type": "array" }, "Description": { + "markdownDescription": "The description of the view.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the instance.", + "title": "InstanceArn", "type": "string" }, "Name": { + "markdownDescription": "The name of the view.", + "title": "Name", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the view resource (not specific to view version).", + "title": "Tags", "type": "array" }, "Template": { + "markdownDescription": "The view template representing the structure of the view.", + "title": "Template", "type": "object" } }, 
@@ -47347,12 +49027,18 @@ "additionalProperties": false, "properties": { "VersionDescription": { + "markdownDescription": "The description of the view version.", + "title": "VersionDescription", "type": "string" }, "ViewArn": { + "markdownDescription": "The unqualified Amazon Resource Name (ARN) of the view.\n\nFor example:\n\n`arn::connect:::instance/00000000-0000-0000-0000-000000000000/view/00000000-0000-0000-0000-000000000000`", + "title": "ViewArn", "type": "string" }, "ViewContentSha256": { + "markdownDescription": "Indicates the checksum value of the latest published view content.", + "title": "ViewContentSha256", "type": "string" } }, @@ -47479,6 +49165,8 @@ "additionalProperties": false, "properties": { "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47488,7 +49176,7 @@ "additionalProperties": false, "properties": { "EnableAnswerMachineDetection": { - "markdownDescription": "", + "markdownDescription": "Whether answering machine detection is enabled.", "title": "EnableAnswerMachineDetection", "type": "boolean" } @@ -47502,7 +49190,9 @@ "additionalProperties": false, "properties": { "AgentlessDialerConfig": { - "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AgentlessDialerConfig" + "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AgentlessDialerConfig", + "markdownDescription": "The configuration of the agentless dialer.", + "title": "AgentlessDialerConfig" }, "PredictiveDialerConfig": { "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.PredictiveDialerConfig", @@ -47522,7 +49212,7 @@ "properties": { "AnswerMachineDetectionConfig": { "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AnswerMachineDetectionConfig", - "markdownDescription": "", + "markdownDescription": "Whether answering machine detection has been enabled.", "title": "AnswerMachineDetectionConfig" }, "ConnectContactFlowArn": { 
@@ -47555,6 +49245,8 @@ "type": "number" }, "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47572,6 +49264,8 @@ "type": "number" }, "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47616,12 +49310,20 @@ "additionalProperties": false, "properties": { "ControlIdentifier": { - "markdownDescription": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *Region deny* guardrail.", + "markdownDescription": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *landing zone Region deny* control. For information on how to find the `controlIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", "title": "ControlIdentifier", "type": "string" }, + "Parameters": { + "items": { + "$ref": "#/definitions/AWS::ControlTower::EnabledControl.EnabledControlParameter" + }, + "markdownDescription": "Array of `EnabledControlParameter` objects.", + "title": "Parameters", + "type": "array" + }, "TargetIdentifier": { - "markdownDescription": "The ARN of the organizational unit.", + "markdownDescription": "The ARN of the organizational unit. For information on how to find the `targetIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", "title": "TargetIdentifier", "type": "string" } 
@@ -47653,213 +49355,314 @@ ], "type": "object" }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition": { - "additionalProperties": false, - "properties": { - "Condition": { - "type": "string" - }, - "DeletionPolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - }, - "DependsOn": { - "anyOf": [ - { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - { - "items": { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - "type": "array" - } - ] - }, - "Metadata": { - "type": "object" - }, - "Properties": { - "additionalProperties": false, - "properties": { - "AttributeDetails": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeDetails", - "markdownDescription": "Mathematical expression and a list of attribute items specified in that expression.", - "title": "AttributeDetails" - }, - "CalculatedAttributeName": { - "markdownDescription": "The name of an attribute defined in a profile object type.", - "title": "CalculatedAttributeName", - "type": "string" - }, - "Conditions": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Conditions", - "markdownDescription": "The conditions including range, object count, and threshold for the calculated attribute.", - "title": "Conditions" - }, - "Description": { - "markdownDescription": "The description of the calculated attribute.", - "title": "Description", - "type": "string" - }, - "DisplayName": { - "markdownDescription": "The display name of the calculated attribute.", - "title": "DisplayName", - "type": "string" - }, - "DomainName": { - "markdownDescription": "The unique name of the domain.", - "title": "DomainName", - "type": "string" - }, - "Statistic": { - "markdownDescription": "The aggregation operation to perform for the calculated attribute.", - "title": "Statistic", - "type": "string" - }, - "Tags": { - "items": { - "$ref": "#/definitions/Tag" - }, - "markdownDescription": "An array of key-value pairs to 
apply to this resource.", - "title": "Tags", - "type": "array" - } - }, - "required": [ - "AttributeDetails", - "CalculatedAttributeName", - "DomainName", - "Statistic" - ], - "type": "object" - }, - "Type": { - "enum": [ - "AWS::CustomerProfiles::CalculatedAttributeDefinition" - ], - "type": "string" - }, - "UpdateReplacePolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - } - }, - "required": [ - "Type", - "Properties" - ], - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeDetails": { - "additionalProperties": false, - "properties": { - "Attributes": { - "items": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeItem" - }, - "markdownDescription": "Mathematical expression and a list of attribute items specified in that expression.", - "title": "Attributes", - "type": "array" - }, - "Expression": { - "markdownDescription": "Mathematical expression that is performed on attribute items provided in the attribute list. 
Each element in the expression should follow the structure of \\\"{ObjectTypeName.AttributeName}\\\".", - "title": "Expression", - "type": "string" - } - }, - "required": [ - "Attributes", - "Expression" - ], - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeItem": { + "AWS::ControlTower::EnabledControl.EnabledControlParameter": { "additionalProperties": false, "properties": { - "Name": { - "markdownDescription": "The unique name of the calculated attribute.", - "title": "Name", - "type": "string" - } - }, - "required": [ - "Name" - ], - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.Conditions": { - "additionalProperties": false, - "properties": { - "ObjectCount": { - "markdownDescription": "The number of profile objects used for the calculated attribute.", - "title": "ObjectCount", - "type": "number" - }, - "Range": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Range", - "markdownDescription": "The relative time period over which data is included in the aggregation.", - "title": "Range" - }, - "Threshold": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Threshold", - "markdownDescription": "The threshold for the calculated attribute.", - "title": "Threshold" - } - }, - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.Range": { - "additionalProperties": false, - "properties": { - "Unit": { - "markdownDescription": "The unit of time.", - "title": "Unit", - "type": "string" - }, - "Value": { - "markdownDescription": "The amount of time of the specified unit.", - "title": "Value", - "type": "number" - } - }, - "required": [ - "Unit", - "Value" - ], - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.Threshold": { - "additionalProperties": false, - "properties": { - "Operator": { - "markdownDescription": "The operator of the threshold.", - "title": "Operator", + "Key": { + 
"markdownDescription": "The key of a key/value pair. It is of type `string` .", + "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "The value of the threshold.", + "markdownDescription": "The value of a key/value pair. It can be of type `array` , `string` , `number` , `object` , or `boolean` . [Note: The *Type* field that follows may show a single type such as Number, which is only one possible type.]", "title": "Value", - "type": "string" + "type": "object" } }, "required": [ - "Operator", + "Key", "Value" ], "type": "object" }, - "AWS::CustomerProfiles::Domain": { + "AWS::ControlTower::LandingZone": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Manifest": { + "markdownDescription": "The landing zone manifest JSON text file that specifies the landing zone configurations.", + "title": "Manifest", + "type": "object" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "Tags to be applied to the landing zone.", + "title": "Tags", + "type": "array" + }, + "Version": { + "markdownDescription": "The landing zone's current deployed version.", + "title": "Version", + "type": "string" + } + }, + "required": [ + "Manifest", + "Version" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ControlTower::LandingZone" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + 
"AWS::CustomerProfiles::CalculatedAttributeDefinition": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "AttributeDetails": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeDetails", + "markdownDescription": "Mathematical expression and a list of attribute items specified in that expression.", + "title": "AttributeDetails" + }, + "CalculatedAttributeName": { + "markdownDescription": "The name of an attribute defined in a profile object type.", + "title": "CalculatedAttributeName", + "type": "string" + }, + "Conditions": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Conditions", + "markdownDescription": "The conditions including range, object count, and threshold for the calculated attribute.", + "title": "Conditions" + }, + "Description": { + "markdownDescription": "The description of the calculated attribute.", + "title": "Description", + "type": "string" + }, + "DisplayName": { + "markdownDescription": "The display name of the calculated attribute.", + "title": "DisplayName", + "type": "string" + }, + "DomainName": { + "markdownDescription": "The unique name of the domain.", + "title": "DomainName", + "type": "string" + }, + "Statistic": { + "markdownDescription": "The aggregation operation to perform for the calculated attribute.", + "title": "Statistic", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "An array of key-value pairs to apply to this resource.", + "title": "Tags", + "type": 
"array" + } + }, + "required": [ + "AttributeDetails", + "CalculatedAttributeName", + "DomainName", + "Statistic" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::CustomerProfiles::CalculatedAttributeDefinition" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeDetails": { + "additionalProperties": false, + "properties": { + "Attributes": { + "items": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeItem" + }, + "markdownDescription": "Mathematical expression and a list of attribute items specified in that expression.", + "title": "Attributes", + "type": "array" + }, + "Expression": { + "markdownDescription": "Mathematical expression that is performed on attribute items provided in the attribute list. Each element in the expression should follow the structure of \\\"{ObjectTypeName.AttributeName}\\\".", + "title": "Expression", + "type": "string" + } + }, + "required": [ + "Attributes", + "Expression" + ], + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeItem": { + "additionalProperties": false, + "properties": { + "Name": { + "markdownDescription": "The unique name of the calculated attribute.", + "title": "Name", + "type": "string" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.Conditions": { + "additionalProperties": false, + "properties": { + "ObjectCount": { + "markdownDescription": "The number of profile objects used for the calculated attribute.", + "title": "ObjectCount", + "type": "number" + }, + "Range": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Range", + "markdownDescription": "The relative time period over which data is included in the 
aggregation.", + "title": "Range" + }, + "Threshold": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Threshold", + "markdownDescription": "The threshold for the calculated attribute.", + "title": "Threshold" + } + }, + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.Range": { + "additionalProperties": false, + "properties": { + "Unit": { + "markdownDescription": "The unit of time.", + "title": "Unit", + "type": "string" + }, + "Value": { + "markdownDescription": "The amount of time of the specified unit.", + "title": "Value", + "type": "number" + } + }, + "required": [ + "Unit", + "Value" + ], + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.Threshold": { + "additionalProperties": false, + "properties": { + "Operator": { + "markdownDescription": "The operator of the threshold.", + "title": "Operator", + "type": "string" + }, + "Value": { + "markdownDescription": "The value of the threshold.", + "title": "Value", + "type": "string" + } + }, + "required": [ + "Operator", + "Value" + ], + "type": "object" + }, + "AWS::CustomerProfiles::Domain": { "additionalProperties": false, "properties": { "Condition": { 
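Review bot: In the new `AWS::ControlTower::EnabledControl.EnabledControlParameter` definition, `Value` is declared `"type": "object"`, but its own description says the value can be an array, string, number, object or boolean. As written, a template that passes a string or number parameter value would presumably fail validation against this schema even though the description allows it. I would either drop the `type` keyword from `Value` or widen it to `"type": ["array", "boolean", "number", "object", "string"]`, whichever the schema's consumers accept. If this file is generated, the override belongs in the generator rather than in a hand edit here.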
@@ -47895,7 +49698,7 @@ "additionalProperties": false, "properties": { "DeadLetterQueueUrl": { - "markdownDescription": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the DeadLetterQueue for the SendMessage operation to enable Amazon Connect Customer Profiles to send messages to the DeadLetterQueue.", + "markdownDescription": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the `DeadLetterQueue` for the `SendMessage` operation to enable Amazon Connect Customer Profiles to send messages to the `DeadLetterQueue` .", "title": "DeadLetterQueueUrl", "type": "string" }, @@ -47915,10 +49718,14 @@ "type": "string" }, "Matching": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Matching" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Matching", + "markdownDescription": "The process of matching duplicate profiles.", + "title": "Matching" }, "RuleBasedMatching": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.RuleBasedMatching" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.RuleBasedMatching", + "markdownDescription": "The process of matching duplicate profiles using Rule-Based matching.", + "title": "RuleBasedMatching" }, "Tags": { "items": { 
@@ -47962,21 +49769,29 @@ "items": { "type": "string" }, + "markdownDescription": "The `Address` type. You can choose from `Address` , `BusinessAddress` , `MaillingAddress` , and `ShippingAddress` . You only can use the `Address` type in the `MatchingRule` . For example, if you want to match a profile based on `BusinessAddress.City` or `MaillingAddress.City` , you can choose the `BusinessAddress` and the `MaillingAddress` to represent the `Address` type and specify the `Address.City` on the matching rule.", + "title": "Address", "type": "array" }, "AttributeMatchingModel": { + "markdownDescription": "Configures the `AttributeMatchingModel` , you can either choose `ONE_TO_ONE` or `MANY_TO_MANY` .", + "title": "AttributeMatchingModel", "type": "string" }, "EmailAddress": { "items": { "type": "string" }, + "markdownDescription": "The Email type. You can choose from `EmailAddress` , `BusinessEmailAddress` and `PersonalEmailAddress` . You only can use the `EmailAddress` type in the `MatchingRule` . For example, if you want to match profile based on `PersonalEmailAddress` or `BusinessEmailAddress` , you can choose the `PersonalEmailAddress` and the `BusinessEmailAddress` to represent the `EmailAddress` type and only specify the `EmailAddress` on the matching rule.", + "title": "EmailAddress", "type": "array" }, "PhoneNumber": { "items": { "type": "string" }, + "markdownDescription": "The `PhoneNumber` type. You can choose from `PhoneNumber` , `HomePhoneNumber` , and `MobilePhoneNumber` . You only can use the `PhoneNumber` type in the `MatchingRule` . For example, if you want to match a profile based on `Phone` or `HomePhone` , you can choose the `Phone` and the `HomePhone` to represent the `PhoneNumber` type and only specify the `PhoneNumber` on the matching rule.", + "title": "PhoneNumber", "type": "array" } }, 
@@ -47989,15 +49804,23 @@ "additionalProperties": false, "properties": { "ConflictResolution": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution", + "markdownDescription": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "title": "ConflictResolution" }, "Consolidation": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Consolidation" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Consolidation", + "markdownDescription": "A list of matching attributes that represent matching criteria. If two profiles meet at least one of the requirements in the matching attributes list, they will be merged.", + "title": "Consolidation" }, "Enabled": { + "markdownDescription": "The flag that enables the auto-merging of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "MinAllowedConfidenceScoreForMerging": { + "markdownDescription": "A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. A higher score means that a higher similarity is required to merge profiles.", + "title": "MinAllowedConfidenceScoreForMerging", "type": "number" } }, @@ -48010,9 +49833,13 @@ "additionalProperties": false, "properties": { "ConflictResolvingModel": { + "markdownDescription": "How the auto-merging process should resolve conflicts between different profiles.", + "title": "ConflictResolvingModel", "type": "string" }, "SourceName": { + "markdownDescription": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel` .", + "title": "SourceName", "type": "string" } }, 
@@ -48025,6 +49852,8 @@ "additionalProperties": false, "properties": { "MatchingAttributesList": { + "markdownDescription": "A list of matching criteria.", + "title": "MatchingAttributesList", "type": "object" } }, @@ -48037,15 +49866,23 @@ "additionalProperties": false, "properties": { "MeteringProfileCount": { + "markdownDescription": "The number of profiles that you are currently paying for in the domain. If you have more than 100 objects associated with a single profile, that profile counts as two profiles. If you have more than 200 objects, that profile counts as three, and so on.", + "title": "MeteringProfileCount", "type": "number" }, "ObjectCount": { + "markdownDescription": "The total number of objects in domain.", + "title": "ObjectCount", "type": "number" }, "ProfileCount": { + "markdownDescription": "The total number of profiles currently in the domain.", + "title": "ProfileCount", "type": "number" }, "TotalSize": { + "markdownDescription": "The total size, in bytes, of all objects in the domain.", + "title": "TotalSize", "type": "number" } }, @@ -48055,7 +49892,9 @@ "additionalProperties": false, "properties": { "S3Exporting": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.S3ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.S3ExportingConfig", + "markdownDescription": "", + "title": "S3Exporting" } }, "type": "object" @@ -48064,9 +49903,13 @@ "additionalProperties": false, "properties": { "DayOfTheWeek": { + "markdownDescription": "The day when the Identity Resolution Job should run every week.", + "title": "DayOfTheWeek", "type": "string" }, "Time": { + "markdownDescription": "The time when the Identity Resolution Job should run every week.", + "title": "Time", "type": "string" } }, 
@@ -48080,16 +49923,24 @@ "additionalProperties": false, "properties": { "AutoMerging": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AutoMerging" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AutoMerging", + "markdownDescription": "Configuration information about the auto-merging process.", + "title": "AutoMerging" }, "Enabled": { + "markdownDescription": "The flag that enables the matching process of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "ExportingConfig": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig", + "markdownDescription": "The S3 location where Identity Resolution Jobs write result files.", + "title": "ExportingConfig" }, "JobSchedule": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.JobSchedule" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.JobSchedule", + "markdownDescription": "The day and time when do you want to start the Identity Resolution Job every week.", + "title": "JobSchedule" } }, "required": [ @@ -48104,6 +49955,8 @@ "items": { "type": "string" }, + "markdownDescription": "A single rule level of the `MatchRules` . Configures how the rule-based matching process should match profiles.", + "title": "Rule", "type": "array" } }, 
@@ -48116,30 +49969,46 @@ "additionalProperties": false, "properties": { "AttributeTypesSelector": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AttributeTypesSelector" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AttributeTypesSelector", + "markdownDescription": "Configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles.", + "title": "AttributeTypesSelector" }, "ConflictResolution": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution", + "markdownDescription": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "title": "ConflictResolution" }, "Enabled": { + "markdownDescription": "The flag that enables the matching process of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "ExportingConfig": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig", + "markdownDescription": "The S3 location where Identity Resolution Jobs write result files.", + "title": "ExportingConfig" }, "MatchingRules": { "items": { "$ref": "#/definitions/AWS::CustomerProfiles::Domain.MatchingRule" }, + "markdownDescription": "Configures how the rule-based matching process should match profiles. 
You can have up to 15 `MatchingRule` in the `MatchingRules` .", + "title": "MatchingRules", "type": "array" }, "MaxAllowedRuleLevelForMatching": { + "markdownDescription": "Indicates the maximum allowed rule level for matching.", + "title": "MaxAllowedRuleLevelForMatching", "type": "number" }, "MaxAllowedRuleLevelForMerging": { + "markdownDescription": "Indicates the maximum allowed rule level for merging.", + "title": "MaxAllowedRuleLevelForMerging", "type": "number" }, "Status": { + "markdownDescription": "The status of rule-based matching rule.", + "title": "Status", "type": "string" } }, @@ -48152,9 +50021,13 @@ "additionalProperties": false, "properties": { "S3BucketName": { + "markdownDescription": "The name of the S3 bucket where Identity Resolution Jobs write result files.", + "title": "S3BucketName", "type": "string" }, "S3KeyName": { + "markdownDescription": "The S3 key name of the location where Identity Resolution Jobs write result files.", + "title": "S3KeyName", "type": "string" } }, @@ -48839,6 +50712,8 @@ "type": "string" }, "SourceLastUpdatedTimestampFormat": { + "markdownDescription": "The format of your sourceLastUpdatedTimestamp that was previously set up.", + "title": "SourceLastUpdatedTimestampFormat", "type": "string" }, "Tags": { 
@@ -49298,21 +51173,56 @@ "Properties": { "additionalProperties": false, "properties": { + "CopyTags": { + "markdownDescription": "*[Default policies only]* Indicates whether the policy should copy tags from the source resource to the snapshot or AMI. If you do not specify a value, the default is `false` .\n\nDefault: false", + "title": "CopyTags", + "type": "boolean" + }, + "CreateInterval": { + "markdownDescription": "*[Default policies only]* Specifies how often the policy should run and create snapshots or AMIs. The creation frequency can range from 1 to 7 days. If you do not specify a value, the default is 1.\n\nDefault: 1", + "title": "CreateInterval", + "type": "number" + }, + "CrossRegionCopyTargets": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.CrossRegionCopyTargets", + "markdownDescription": "*[Default policies only]* Specifies destination Regions for snapshot or AMI copies. You can specify up to 3 destination Regions. If you do not want to create cross-Region copies, omit this parameter.", + "title": "CrossRegionCopyTargets" + }, + "DefaultPolicy": { + "markdownDescription": "Indicates whether the policy is a default lifecycle policy or a custom lifecycle policy.\n\n- `true` - the policy is a default policy.\n- `false` - the policy is a custom policy.", + "title": "DefaultPolicy", + "type": "string" + }, "Description": { "markdownDescription": "A description of the lifecycle policy. The characters ^[0-9A-Za-z _-]+$ are supported.", "title": "Description", "type": "string" }, + "Exclusions": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Exclusions", + "markdownDescription": "*[Default policies only]* Specifies exclusion parameters for volumes or instances for which you do not want to create snapshots or AMIs. 
The policy will not create snapshots or AMIs for target resources that match any of the specified exclusion parameters.", + "title": "Exclusions" + }, "ExecutionRoleArn": { "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role used to run the operations specified by the lifecycle policy.", "title": "ExecutionRoleArn", "type": "string" }, + "ExtendDeletion": { + "markdownDescription": "*[Default policies only]* Defines the snapshot or AMI retention behavior for the policy if the source volume or instance is deleted, or if the policy enters the error, disabled, or deleted state.\n\nBy default ( *ExtendDeletion=false* ):\n\n- If a source resource is deleted, Amazon Data Lifecycle Manager will continue to delete previously created snapshots or AMIs, up to but not including the last one, based on the specified retention period. If you want Amazon Data Lifecycle Manager to delete all snapshots or AMIs, including the last one, specify `true` .\n- If a policy enters the error, disabled, or deleted state, Amazon Data Lifecycle Manager stops deleting snapshots and AMIs. 
If you want Amazon Data Lifecycle Manager to continue deleting snapshots or AMIs, including the last one, if the policy enters one of these states, specify `true` .\n\nIf you enable extended deletion ( *ExtendDeletion=true* ), you override both default behaviors simultaneously.\n\nIf you do not specify a value, the default is `false` .\n\nDefault: false", + "title": "ExtendDeletion", + "type": "boolean" + }, "PolicyDetails": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.PolicyDetails", - "markdownDescription": "The configuration details of the lifecycle policy.", + "markdownDescription": "The configuration details of the lifecycle policy.\n\n> If you create a default policy, you can specify the request parameters either in the request body, or in the PolicyDetails request structure, but not both.", "title": "PolicyDetails" }, + "RetainInterval": { + "markdownDescription": "*[Default policies only]* Specifies how long the policy should retain snapshots or AMIs before deleting them. The retention period can range from 2 to 14 days, but it must be greater than the creation frequency to ensure that the policy retains at least 1 snapshot or AMI at any given time. If you do not specify a value, the default is 7.\n\nDefault: 7", + "title": "RetainInterval", + "type": "number" + }, "State": { "markdownDescription": "The activation state of the lifecycle policy.", "title": "State", @@ -49377,7 +51287,7 @@ "properties": { "RetentionArchiveTier": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.RetentionArchiveTier", - "markdownDescription": "", + "markdownDescription": "Information about retention period in the Amazon EBS Snapshots Archive. For more information, see [Archive Amazon EBS snapshots](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/snapshot-archive.html) .", "title": "RetentionArchiveTier" } }, 
@@ -49391,7 +51301,7 @@ "properties": { "RetainRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ArchiveRetainRule", - "markdownDescription": "", + "markdownDescription": "Information about the retention period for the snapshot archiving rule.", "title": "RetainRule" } }, 
@@ -49419,10 +51329,18 @@ "type": "string" }, "Location": { - "markdownDescription": "*[Snapshot policies only]* Specifies the destination for snapshots created by the policy. To create snapshots in the same Region as the source resource, specify `CLOUD` . To create snapshots on the same Outpost as the source resource, specify `OUTPOST_LOCAL` . If you omit this parameter, `CLOUD` is used by default.\n\nIf the policy targets resources in an AWS Region , then you must create snapshots in the same Region as the source resource. If the policy targets resources on an Outpost, then you can create snapshots on the same Outpost as the source resource, or in the Region of that Outpost.", + "markdownDescription": "*[Custom snapshot policies only]* Specifies the destination for snapshots created by the policy. To create snapshots in the same Region as the source resource, specify `CLOUD` . To create snapshots on the same Outpost as the source resource, specify `OUTPOST_LOCAL` . If you omit this parameter, `CLOUD` is used by default.\n\nIf the policy targets resources in an AWS Region , then you must create snapshots in the same Region as the source resource. If the policy targets resources on an Outpost, then you can create snapshots on the same Outpost as the source resource, or in the Region of that Outpost.", "title": "Location", "type": "string" }, + "Scripts": { + "items": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Script" + }, + "markdownDescription": "*[Custom snapshot policies that target instances only]* Specifies pre and/or post scripts for a snapshot lifecycle policy that targets instances. 
This is useful for creating application-consistent snapshots, or for performing specific administrative tasks before or after Amazon Data Lifecycle Manager initiates snapshot creation.\n\nFor more information, see [Automating application-consistent snapshots with pre and post scripts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/automate-app-consistent-backups.html) .", + "title": "Scripts", + "type": "array" + }, "Times": { "items": { "type": "string" @@ -49463,12 +51381,12 @@ "additionalProperties": false, "properties": { "Interval": { - "markdownDescription": "", + "markdownDescription": "The period after which to deprecate the cross-Region AMI copies. The period must be less than or equal to the cross-Region AMI copy retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* . For example, to deprecate a cross-Region AMI copy after 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` .", "title": "IntervalUnit", "type": "string" } @@ -49514,7 +51432,7 @@ }, "DeprecateRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.CrossRegionCopyDeprecateRule", - "markdownDescription": "", + "markdownDescription": "*[Custom AMI policies only]* The AMI deprecation rule for cross-Region AMI copies created by the rule.", "title": "DeprecateRule" }, "Encrypted": { 
@@ -49528,12 +51446,12 @@ "title": "RetainRule" }, "Target": { - "markdownDescription": "The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.\n\nUse this parameter instead of *TargetRegion* . Do not specify both.", + "markdownDescription": "> Use this parameter for snapshot policies only. For AMI policies, use *TargetRegion* instead. \n\n*[Custom snapshot policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", "title": "Target", "type": "string" }, "TargetRegion": { - "markdownDescription": "> Avoid using this parameter when creating new policies. Instead, use *Target* to specify a target Region or a target Outpost for snapshot copies.\n> \n> For policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies.", + "markdownDescription": "> Use this parameter for AMI policies only. For snapshot policies, use *Target* instead. For snapshot policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies. \n\n*[Custom AMI policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", "title": "TargetRegion", "type": "string" } 
@@ -49543,21 +51461,35 @@ ], "type": "object" }, + "AWS::DLM::LifecyclePolicy.CrossRegionCopyTarget": { + "additionalProperties": false, + "properties": { + "TargetRegion": { + "type": "string" + } + }, + "type": "object" + }, + "AWS::DLM::LifecyclePolicy.CrossRegionCopyTargets": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, "AWS::DLM::LifecyclePolicy.DeprecateRule": { "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "", + "markdownDescription": "If the schedule has a count-based retention rule, this parameter specifies the number of oldest AMIs to deprecate. The count must be less than or equal to the schedule's retention count, and it can't be greater than 1000.", "title": "Count", "type": "number" }, "Interval": { - "markdownDescription": "", + "markdownDescription": "If the schedule has an age-based retention rule, this parameter specifies the period after which to deprecate AMIs created by the schedule. The period must be less than or equal to the schedule's retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* .", "title": "IntervalUnit", "type": "string" } 
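Review bot: The added `AWS::DLM::LifecyclePolicy.CrossRegionCopyTargets` definition is an object with `"additionalProperties": false` and an empty `"properties": {}`, so the only value it accepts is `{}`. The `CrossRegionCopyTargets` property added further down describes it as up to 3 destination Regions, and the new `CrossRegionCopyTarget` definition (with `TargetRegion`) is not referenced anywhere in the visible lines. If a list is the intended shape, the definition would read `"AWS::DLM::LifecyclePolicy.CrossRegionCopyTargets": { "items": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.CrossRegionCopyTarget" }, "type": "array" }`. The same empty-object pattern appears in the later hunks for `ExcludeTags`, `ExcludeVolumeTypesList` and `VolumeTypeValues`. This file looks generated, so the correction probably belongs in the generator or its upstream spec rather than in a hand edit here.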
@@ -49630,6 +51562,37 @@ ], "type": "object" }, + "AWS::DLM::LifecyclePolicy.ExcludeTags": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, + "AWS::DLM::LifecyclePolicy.ExcludeVolumeTypesList": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, + "AWS::DLM::LifecyclePolicy.Exclusions": { + "additionalProperties": false, + "properties": { + "ExcludeBootVolumes": { + "markdownDescription": "*[Default policies for EBS snapshots only]* Indicates whether to exclude volumes that are attached to instances as the boot volume. If you exclude boot volumes, only volumes attached as data (non-boot) volumes will be backed up by the policy. To exclude boot volumes, specify `true` .", + "title": "ExcludeBootVolumes", + "type": "boolean" + }, + "ExcludeTags": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ExcludeTags", + "markdownDescription": "*[Default policies for EBS-backed AMIs only]* Specifies whether to exclude volumes that have specific tags.", + "title": "ExcludeTags" + }, + "ExcludeVolumeTypes": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ExcludeVolumeTypesList", + "markdownDescription": "*[Default policies for EBS snapshots only]* Specifies the volume types to exclude. Volumes of the specified types will not be targeted by the policy.", + "title": "ExcludeVolumeTypes" + } + }, + "type": "object" + }, "AWS::DLM::LifecyclePolicy.FastRestoreRule": { "additionalProperties": false, "properties": { 
@@ -49663,7 +51626,7 @@ "additionalProperties": false, "properties": { "ExcludeBootVolume": { - "markdownDescription": "*[Snapshot policies that target instances only]* Indicates whether to exclude the root volume from multi-volume snapshot sets. The default is `false` . If you specify `true` , then the root volumes attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", + "markdownDescription": "*[Custom snapshot policies that target instances only]* Indicates whether to exclude the root volume from multi-volume snapshot sets. The default is `false` . If you specify `true` , then the root volumes attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", "title": "ExcludeBootVolume", "type": "boolean" }, 
@@ -49671,12 +51634,12 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "*[Custom snapshot policies that target instances only]* The tags used to identify data (non-root) volumes to exclude from multi-volume snapshot sets.\n\nIf you create a snapshot lifecycle policy that targets instances and you specify tags for this parameter, then data volumes with the specified tags that are attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", "title": "ExcludeDataVolumeTags", "type": "array" }, "NoReboot": { - "markdownDescription": "*[AMI policies only]* Indicates whether targeted instances are rebooted when the lifecycle policy runs. `true` indicates that targeted instances are not rebooted when the policy runs. `false` indicates that target instances are rebooted when the policy runs. The default is `true` (instances are not rebooted).", + "markdownDescription": "*[Custom AMI policies only]* Indicates whether targeted instances are rebooted when the lifecycle policy runs. `true` indicates that targeted instances are not rebooted when the policy runs. `false` indicates that target instances are rebooted when the policy runs. The default is `true` (instances are not rebooted).", "title": "NoReboot", "type": "boolean" } 
@@ -49694,18 +51657,48 @@ "title": "Actions", "type": "array" }, + "CopyTags": { + "markdownDescription": "*[Default policies only]* Indicates whether the policy should copy tags from the source resource to the snapshot or AMI. If you do not specify a value, the default is `false` .\n\nDefault: false", + "title": "CopyTags", + "type": "boolean" + }, + "CreateInterval": { + "markdownDescription": "*[Default policies only]* Specifies how often the policy should run and create snapshots or AMIs. The creation frequency can range from 1 to 7 days. If you do not specify a value, the default is 1.\n\nDefault: 1", + "title": "CreateInterval", + "type": "number" + }, + "CrossRegionCopyTargets": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.CrossRegionCopyTargets", + "markdownDescription": "*[Default policies only]* Specifies destination Regions for snapshot or AMI copies. You can specify up to 3 destination Regions. If you do not want to create cross-Region copies, omit this parameter.", + "title": "CrossRegionCopyTargets" + }, "EventSource": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.EventSource", "markdownDescription": "*[Event-based policies only]* The event that activates the event-based policy.", "title": "EventSource" }, + "Exclusions": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Exclusions", + "markdownDescription": "*[Default policies only]* Specifies exclusion parameters for volumes or instances for which you do not want to create snapshots or AMIs. 
The policy will not create snapshots or AMIs for target resources that match any of the specified exclusion parameters.", + "title": "Exclusions" + }, + "ExtendDeletion": { + "markdownDescription": "*[Default policies only]* Defines the snapshot or AMI retention behavior for the policy if the source volume or instance is deleted, or if the policy enters the error, disabled, or deleted state.\n\nBy default ( *ExtendDeletion=false* ):\n\n- If a source resource is deleted, Amazon Data Lifecycle Manager will continue to delete previously created snapshots or AMIs, up to but not including the last one, based on the specified retention period. If you want Amazon Data Lifecycle Manager to delete all snapshots or AMIs, including the last one, specify `true` .\n- If a policy enters the error, disabled, or deleted state, Amazon Data Lifecycle Manager stops deleting snapshots and AMIs. If you want Amazon Data Lifecycle Manager to continue deleting snapshots or AMIs, including the last one, if the policy enters one of these states, specify `true` .\n\nIf you enable extended deletion ( *ExtendDeletion=true* ), you override both default behaviors simultaneously.\n\nIf you do not specify a value, the default is `false` .\n\nDefault: false", + "title": "ExtendDeletion", + "type": "boolean" + }, "Parameters": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Parameters", - "markdownDescription": "*[Snapshot and AMI policies only]* A set of optional parameters for snapshot and AMI lifecycle policies.\n\n> If you are modifying a policy that was created or previously modified using the Amazon Data Lifecycle Manager console, then you must include this parameter and specify either the default values or the new values that you require. 
You can't omit this parameter or set its values to null.", + "markdownDescription": "*[Custom snapshot and AMI policies only]* A set of optional parameters for snapshot and AMI lifecycle policies.\n\n> If you are modifying a policy that was created or previously modified using the Amazon Data Lifecycle Manager console, then you must include this parameter and specify either the default values or the new values that you require. You can't omit this parameter or set its values to null.", "title": "Parameters" }, + "PolicyLanguage": { + "markdownDescription": "The type of policy to create. Specify one of the following:\n\n- `SIMPLIFIED` To create a default policy.\n- `STANDARD` To create a custom policy.", + "title": "PolicyLanguage", + "type": "string" + }, "PolicyType": { - "markdownDescription": "*[All policy types]* The valid target resource types and actions a policy can manage. Specify `EBS_SNAPSHOT_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify `IMAGE_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. Specify `EVENT_BASED_POLICY` to create an event-based policy that performs specific actions when a defined event occurs in your AWS account .\n\nThe default is `EBS_SNAPSHOT_MANAGEMENT` .", + "markdownDescription": "The type of policy. Specify `EBS_SNAPSHOT_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify `IMAGE_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. Specify `EVENT_BASED_POLICY` to create an event-based policy that performs specific actions when a defined event occurs in your AWS account .\n\nThe default is `EBS_SNAPSHOT_MANAGEMENT` .", "title": "PolicyType", "type": "string" }, 
@@ -49713,23 +51706,33 @@ "items": { "type": "string" }, - "markdownDescription": "*[Snapshot and AMI policies only]* The location of the resources to backup. If the source resources are located in an AWS Region , specify `CLOUD` . If the source resources are located on an Outpost in your account, specify `OUTPOST` .\n\nIf you specify `OUTPOST` , Amazon Data Lifecycle Manager backs up all resources of the specified type with matching target tags across all of the Outposts in your account.", + "markdownDescription": "*[Custom snapshot and AMI policies only]* The location of the resources to backup. If the source resources are located in an AWS Region , specify `CLOUD` . If the source resources are located on an Outpost in your account, specify `OUTPOST` .\n\nIf you specify `OUTPOST` , Amazon Data Lifecycle Manager backs up all resources of the specified type with matching target tags across all of the Outposts in your account.", "title": "ResourceLocations", "type": "array" }, + "ResourceType": { + "markdownDescription": "*[Default policies only]* Specify the type of default policy to create.\n\n- To create a default policy for EBS snapshots, that creates snapshots of all volumes in the Region that do not have recent backups, specify `VOLUME` .\n- To create a default policy for EBS-backed AMIs, that creates EBS-backed AMIs from all instances in the Region that do not have recent backups, specify `INSTANCE` .", + "title": "ResourceType", + "type": "string" + }, "ResourceTypes": { "items": { "type": "string" }, - "markdownDescription": "*[Snapshot policies only]* The target resource type for snapshot and AMI lifecycle policies. Use `VOLUME` to create snapshots of individual volumes or use `INSTANCE` to create multi-volume snapshots from the volumes for an instance.", + "markdownDescription": "*[Custom snapshot policies only]* The target resource type for snapshot and AMI lifecycle policies. 
Use `VOLUME` to create snapshots of individual volumes or use `INSTANCE` to create multi-volume snapshots from the volumes for an instance.", "title": "ResourceTypes", "type": "array" }, + "RetainInterval": { + "markdownDescription": "*[Default policies only]* Specifies how long the policy should retain snapshots or AMIs before deleting them. The retention period can range from 2 to 14 days, but it must be greater than the creation frequency to ensure that the policy retains at least 1 snapshot or AMI at any given time. If you do not specify a value, the default is 7.\n\nDefault: 7", + "title": "RetainInterval", + "type": "number" + }, "Schedules": { "items": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Schedule" }, - "markdownDescription": "*[Snapshot and AMI policies only]* The schedules of policy-defined actions for snapshot and AMI lifecycle policies. A policy can have up to four schedules\u2014one mandatory schedule and up to three optional schedules.", + "markdownDescription": "*[Custom snapshot and AMI policies only]* The schedules of policy-defined actions for snapshot and AMI lifecycle policies. A policy can have up to four schedules\u2014one mandatory schedule and up to three optional schedules.", "title": "Schedules", "type": "array" }, @@ -49737,7 +51740,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "*[Snapshot and AMI policies only]* The single tag that identifies targeted resources for this policy.", + "markdownDescription": "*[Custom snapshot and AMI policies only]* The single tag that identifies targeted resources for this policy.", "title": "TargetTags", "type": "array" } 
@@ -49748,7 +51751,7 @@ "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "The number of snapshots to retain for each volume, up to a maximum of 1000. For example if you want to retain a maximum of three snapshots, specify `3` . When the fourth snapshot is created, the oldest retained snapshot is deleted, or it is moved to the archive tier if you have specified an `ArchiveRule` .", + "markdownDescription": "The number of snapshots to retain for each volume, up to a maximum of 1000. For example if you want to retain a maximum of three snapshots, specify `3` . When the fourth snapshot is created, the oldest retained snapshot is deleted, or it is moved to the archive tier if you have specified an [ArchiveRule](https://docs.aws.amazon.com/dlm/latest/APIReference/API_ArchiveRule.html) .", "title": "Count", "type": "number" }, @@ -49758,7 +51761,7 @@ "type": "number" }, "IntervalUnit": { - "markdownDescription": "The unit of time for time-based retention. For example, to retain snapshots for 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` . Once the snapshot has been retained for 3 months, it is deleted, or it is moved to the archive tier if you have specified an `ArchiveRule` .", + "markdownDescription": "The unit of time for time-based retention. For example, to retain snapshots for 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` . Once the snapshot has been retained for 3 months, it is deleted, or it is moved to the archive tier if you have specified an [ArchiveRule](https://docs.aws.amazon.com/dlm/latest/APIReference/API_ArchiveRule.html) .", "title": "IntervalUnit", "type": "string" } 
@@ -49769,17 +51772,17 @@ "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "", + "markdownDescription": "The maximum number of snapshots to retain in the archive storage tier for each volume. The count must ensure that each snapshot remains in the archive tier for at least 90 days. For example, if the schedule creates snapshots every 30 days, you must specify a count of 3 or more to ensure that each snapshot is archived for at least 90 days.", "title": "Count", "type": "number" }, "Interval": { - "markdownDescription": "", + "markdownDescription": "Specifies the period of time to retain snapshots in the archive tier. After this period expires, the snapshot is permanently deleted.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* . For example, to retain a snapshots in the archive tier for 6 months, specify `Interval=6` and `IntervalUnit=MONTHS` .", "title": "IntervalUnit", "type": "string" } @@ -49791,7 +51794,7 @@ "properties": { "ArchiveRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ArchiveRule", - "markdownDescription": "", + "markdownDescription": "*[Custom snapshot policies that target volumes only]* The snapshot archiving rule for the schedule. When you specify an archiving rule, snapshots are automatically moved from the standard tier to the archive tier once the schedule's retention threshold is met. Snapshots are then retained in the archive tier for the archive retention period that you specify.\n\nFor more information about using snapshot archiving, see [Considerations for snapshot lifecycle policies](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-ami-policy.html#dlm-archive) .", "title": "ArchiveRule" }, "CopyTags": { 
@@ -49814,12 +51817,12 @@ }, "DeprecateRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.DeprecateRule", - "markdownDescription": "", + "markdownDescription": "*[Custom AMI policies only]* The AMI deprecation rule for the schedule.", "title": "DeprecateRule" }, "FastRestoreRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.FastRestoreRule", - "markdownDescription": "*[Snapshot policies only]* The rule for enabling fast snapshot restore.", + "markdownDescription": "*[Custom snapshot policies only]* The rule for enabling fast snapshot restore.", "title": "FastRestoreRule" }, "Name": { @@ -49836,7 +51839,7 @@ "items": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ShareRule" }, - "markdownDescription": "*[Snapshot policies only]* The rule for sharing snapshots with other AWS accounts .", + "markdownDescription": "*[Custom snapshot policies only]* The rule for sharing snapshots with other AWS accounts .", "title": "ShareRules", "type": "array" }, 
@@ -49859,6 +51862,45 @@ }, "type": "object" }, + "AWS::DLM::LifecyclePolicy.Script": { + "additionalProperties": false, + "properties": { + "ExecuteOperationOnScriptFailure": { + "markdownDescription": "Indicates whether Amazon Data Lifecycle Manager should default to crash-consistent snapshots if the pre script fails.\n\n- To default to crash consistent snapshot if the pre script fails, specify `true` .\n- To skip the instance for snapshot creation if the pre script fails, specify `false` .\n\nThis parameter is supported only if you run a pre script. If you run a post script only, omit this parameter.\n\nDefault: true", + "title": "ExecuteOperationOnScriptFailure", + "type": "boolean" + }, + "ExecutionHandler": { + "markdownDescription": "The SSM document that includes the pre and/or post scripts to run.\n\n- If you are automating VSS backups, specify `AWS_VSS_BACKUP` . In this case, Amazon Data Lifecycle Manager automatically uses the `AWSEC2-CreateVssSnapshot` SSM document.\n- If you are automating application-consistent snapshots for SAP HANA workloads, specify `AWSSystemsManagerSAP-CreateDLMSnapshotForSAPHANA` .\n- If you are using a custom SSM document that you own, specify either the name or ARN of the SSM document. 
If you are using a custom SSM document that is shared with you, specify the ARN of the SSM document.", + "title": "ExecutionHandler", + "type": "string" + }, + "ExecutionHandlerService": { + "markdownDescription": "Indicates the service used to execute the pre and/or post scripts.\n\n- If you are using custom SSM documents or automating application-consistent snapshots of SAP HANA workloads, specify `AWS_SYSTEMS_MANAGER` .\n- If you are automating VSS Backups, omit this parameter.\n\nDefault: AWS_SYSTEMS_MANAGER", + "title": "ExecutionHandlerService", + "type": "string" + }, + "ExecutionTimeout": { + "markdownDescription": "Specifies a timeout period, in seconds, after which Amazon Data Lifecycle Manager fails the script run attempt if it has not completed. If a script does not complete within its timeout period, Amazon Data Lifecycle Manager fails the attempt. The timeout period applies to the pre and post scripts individually.\n\nIf you are automating VSS Backups, omit this parameter.\n\nDefault: 10", + "title": "ExecutionTimeout", + "type": "number" + }, + "MaximumRetryCount": { + "markdownDescription": "Specifies the number of times Amazon Data Lifecycle Manager should retry scripts that fail.\n\n- If the pre script fails, Amazon Data Lifecycle Manager retries the entire snapshot creation process, including running the pre and post scripts.\n- If the post script fails, Amazon Data Lifecycle Manager retries the post script only; in this case, the pre script will have completed and the snapshot might have been created.\n\nIf you do not want Amazon Data Lifecycle Manager to retry failed scripts, specify `0` .\n\nDefault: 0", + "title": "MaximumRetryCount", + "type": "number" + }, + "Stages": { + "items": { + "type": "string" + }, + "markdownDescription": "Indicate which scripts Amazon Data Lifecycle Manager should run on target instances. Pre scripts run before Amazon Data Lifecycle Manager initiates snapshot creation. 
Post scripts run after Amazon Data Lifecycle Manager initiates snapshot creation.\n\n- To run a pre script only, specify `PRE` . In this case, Amazon Data Lifecycle Manager calls the SSM document with the `pre-script` parameter before initiating snapshot creation.\n- To run a post script only, specify `POST` . In this case, Amazon Data Lifecycle Manager calls the SSM document with the `post-script` parameter after initiating snapshot creation.\n- To run both pre and post scripts, specify both `PRE` and `POST` . In this case, Amazon Data Lifecycle Manager calls the SSM document with the `pre-script` parameter before initiating snapshot creation, and then it calls the SSM document again with the `post-script` parameter after initiating snapshot creation.\n\nIf you are automating VSS Backups, omit this parameter.\n\nDefault: PRE and POST", + "title": "Stages", + "type": "array" + } + }, + "type": "object" + }, "AWS::DLM::LifecyclePolicy.ShareRule": { "additionalProperties": false, "properties": { @@ -49883,6 +51925,11 @@ }, "type": "object" }, + "AWS::DLM::LifecyclePolicy.VolumeTypeValues": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, "AWS::DMS::Certificate": { "additionalProperties": false, "properties": { 
@@ -49956,6 +52003,276 @@ ], "type": "object" }, + "AWS::DMS::DataProvider": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "DataProviderIdentifier": { + "markdownDescription": "The identifier of the data provider. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen, or contain two consecutive hyphens.", + "title": "DataProviderIdentifier", + "type": "string" + }, + "DataProviderName": { + "markdownDescription": "The name of the data provider.", + "title": "DataProviderName", + "type": "string" + }, + "Description": { + "markdownDescription": "A description of the data provider. Descriptions can have up to 31 characters. A description can contain only ASCII letters, digits, and hyphens ('-'). Also, it can't end with a hyphen or contain two consecutive hyphens, and can only begin with a letter.", + "title": "Description", + "type": "string" + }, + "Engine": { + "markdownDescription": "The type of database engine for the data provider. Valid values include `\"aurora\"` , `\"aurora-postgresql\"` , `\"mysql\"` , `\"oracle\"` , `\"postgres\"` , `\"sqlserver\"` , `redshift` , `mariadb` , `mongodb` , and `docdb` . 
A value of `\"aurora\"` represents Amazon Aurora MySQL-Compatible Edition.", + "title": "Engine", + "type": "string" + }, + "ExactSettings": { + "markdownDescription": "", + "title": "ExactSettings", + "type": "boolean" + }, + "Settings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.Settings", + "markdownDescription": "The settings in JSON format for a data provider.", + "title": "Settings" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Engine" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::DMS::DataProvider" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::DMS::DataProvider.MicrosoftSqlServerSettings": { + "additionalProperties": false, + "properties": { + "CertificateArn": { + "markdownDescription": "", + "title": "CertificateArn", + "type": "string" + }, + "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", + "type": "string" + }, + "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", + "type": "number" + }, + "ServerName": { + "markdownDescription": "Fully qualified domain name of the endpoint. 
For an Amazon RDS SQL Server instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "title": "ServerName", + "type": "string" + }, + "SslMode": { + "markdownDescription": "", + "title": "SslMode", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::DataProvider.MySqlSettings": { + "additionalProperties": false, + "properties": { + "CertificateArn": { + "markdownDescription": "", + "title": "CertificateArn", + "type": "string" + }, + "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", + "type": "number" + }, + "ServerName": { + "markdownDescription": "The host name of the endpoint database.\n\nFor an Amazon RDS MySQL instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.\n\nFor an Aurora MySQL instance, this is the output of [DescribeDBClusters](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html) , in the `Endpoint` field.", + "title": "ServerName", + "type": "string" + }, + "SslMode": { + "markdownDescription": "", + "title": "SslMode", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::DataProvider.OracleSettings": { + "additionalProperties": false, + "properties": { + "AsmServer": { + "markdownDescription": "For an Oracle source endpoint, your ASM server address. You can set this value from the `asm_server` value. You set `asm_server` as part of the extra connection attribute string to access an Oracle server with Binary Reader that uses ASM. 
For more information, see [Configuration for change data capture (CDC) on an Oracle source database](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.CDC.Configuration) .", + "title": "AsmServer", + "type": "string" + }, + "CertificateArn": { + "markdownDescription": "", + "title": "CertificateArn", + "type": "string" + }, + "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", + "type": "string" + }, + "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", + "type": "number" + }, + "SecretsManagerOracleAsmAccessRoleArn": { + "markdownDescription": "Required only if your Oracle endpoint uses Automatic Storage Management (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUser` , `AsmPassword` , and `AsmServerName` . You can't specify both. For more information on creating this `SecretsManagerOracleAsmSecret` and the `SecretsManagerOracleAsmAccessRoleArn` and `SecretsManagerOracleAsmSecretId` required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", + "title": "SecretsManagerOracleAsmAccessRoleArn", + "type": "string" + }, + "SecretsManagerOracleAsmSecretId": { + "markdownDescription": "Required only if your Oracle endpoint uses Automatic Storage Management (ASM). 
The full ARN, partial ARN, or friendly name of the `SecretsManagerOracleAsmSecret` that contains the Oracle ASM connection details for the Oracle endpoint.", + "title": "SecretsManagerOracleAsmSecretId", + "type": "string" + }, + "SecretsManagerSecurityDbEncryptionAccessRoleArn": { + "markdownDescription": "", + "title": "SecretsManagerSecurityDbEncryptionAccessRoleArn", + "type": "string" + }, + "SecretsManagerSecurityDbEncryptionSecretId": { + "markdownDescription": "", + "title": "SecretsManagerSecurityDbEncryptionSecretId", + "type": "string" + }, + "ServerName": { + "markdownDescription": "Fully qualified domain name of the endpoint.\n\nFor an Amazon RDS Oracle instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "title": "ServerName", + "type": "string" + }, + "SslMode": { + "markdownDescription": "", + "title": "SslMode", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::DataProvider.PostgreSqlSettings": { + "additionalProperties": false, + "properties": { + "CertificateArn": { + "markdownDescription": "", + "title": "CertificateArn", + "type": "string" + }, + "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", + "type": "string" + }, + "Port": { + "markdownDescription": "Endpoint TCP port. 
The default is 5432.", + "title": "Port", + "type": "number" + }, + "ServerName": { + "markdownDescription": "The host name of the endpoint database.\n\nFor an Amazon RDS PostgreSQL instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.\n\nFor an Aurora PostgreSQL instance, this is the output of [DescribeDBClusters](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html) , in the `Endpoint` field.", + "title": "ServerName", + "type": "string" + }, + "SslMode": { + "markdownDescription": "", + "title": "SslMode", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::DataProvider.Settings": { + "additionalProperties": false, + "properties": { + "MicrosoftSqlServerSettings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.MicrosoftSqlServerSettings", + "markdownDescription": "", + "title": "MicrosoftSqlServerSettings" + }, + "MySqlSettings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.MySqlSettings", + "markdownDescription": "", + "title": "MySqlSettings" + }, + "OracleSettings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.OracleSettings", + "markdownDescription": "", + "title": "OracleSettings" + }, + "PostgreSqlSettings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.PostgreSqlSettings", + "markdownDescription": "", + "title": "PostgreSqlSettings" + } + }, + "type": "object" + }, "AWS::DMS::Endpoint": { "additionalProperties": false, "properties": { 
@@ -50027,7 +52344,7 @@ "type": "string" }, "EngineName": { - "markdownDescription": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", + "markdownDescription": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `redshift-serverless` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", "title": "EngineName", "type": "string" }, @@ -50299,7 +52616,7 @@ "type": "string" }, "ServerName": { - "markdownDescription": "Endpoint TCP port.", + "markdownDescription": "The MySQL host name.", "title": "ServerName", "type": "string" }, @@ -50324,6 +52641,21 @@ "title": "CurrentLsn", "type": "string" }, + "KeepCsvFiles": { + "markdownDescription": "If true, AWS DMS saves any .csv files to the Db2 LUW target that were used to replicate data. DMS uses these files for analysis and troubleshooting.\n\nThe default value is false.", + "title": "KeepCsvFiles", + "type": "boolean" + }, + "LoadTimeout": { + "markdownDescription": "The amount of time (in milliseconds) before AWS DMS times out operations performed by DMS on the Db2 target. The default value is 1200 (20 minutes).", + "title": "LoadTimeout", + "type": "number" + }, + "MaxFileSize": { + "markdownDescription": "Specifies the maximum size (in KB) of .csv files used to transfer data to Db2 LUW.", + "title": "MaxFileSize", + "type": "number" + }, "MaxKBytesPerRead": { "markdownDescription": "Maximum number of bytes per read, as a NUMBER value. The default is 64 KB.", "title": "MaxKBytesPerRead", 
@@ -50343,6 +52675,11 @@ "markdownDescription": "Enables ongoing replication (CDC) as a BOOLEAN value. The default is true.", "title": "SetDataCaptureChanges", "type": "boolean" + }, + "WriteBufferSize": { + "markdownDescription": "The size (in KB) of the in-memory file write buffer used when generating .csv files on the local disk on the DMS replication instance. The default value is 1024 (1 MB).", + "title": "WriteBufferSize", + "type": "number" } }, "type": "object" @@ -50513,15 +52850,23 @@ "type": "string" }, "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", "type": "string" }, "ForceLobLookup": { + "markdownDescription": "Forces LOB lookup on inline LOB.", + "title": "ForceLobLookup", "type": "boolean" }, "Password": { + "markdownDescription": "Endpoint connection password.", + "title": "Password", "type": "string" }, "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", "type": "number" }, "QuerySingleAlwaysOnNode": { @@ -50550,12 +52895,18 @@ "type": "string" }, "ServerName": { + "markdownDescription": "Fully qualified domain name of the endpoint. For an Amazon RDS SQL Server instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "title": "ServerName", "type": "string" }, "TlogAccessMode": { + "markdownDescription": "Indicates the mode used to fetch CDC data.", + "title": "TlogAccessMode", "type": "string" }, "TrimSpaceInChar": { + "markdownDescription": "Use the `TrimSpaceInChar` source endpoint setting to right-trim data on CHAR and NCHAR data types during migration. Setting `TrimSpaceInChar` does not left-trim data. The default value is `true` .", + "title": "TrimSpaceInChar", "type": "boolean" }, "UseBcpFullLoad": { 
@@ -50569,6 +52920,8 @@ "type": "boolean" }, "Username": { + "markdownDescription": "Endpoint connection user name.", + "title": "Username", "type": "string" } }, 
@@ -50859,7 +53212,7 @@ "type": "string" }, "SecretsManagerOracleAsmAccessRoleArn": { - "markdownDescription": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUserName` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", + "markdownDescription": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUser` , `AsmPassword` , and `AsmServerName` . 
You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "title": "SecretsManagerOracleAsmAccessRoleArn", "type": "string" }, @@ -50930,6 +53283,8 @@ "type": "string" }, "BabelfishDatabaseName": { + "markdownDescription": "The Babelfish for Aurora PostgreSQL database name for the endpoint.", + "title": "BabelfishDatabaseName", "type": "string" }, "CaptureDdls": { @@ -50938,6 +53293,8 @@ "type": "boolean" }, "DatabaseMode": { + "markdownDescription": "Specifies the default behavior of the replication's handling of PostgreSQL- compatible endpoints that require some additional configuration, such as Babelfish endpoints.", + "title": "DatabaseMode", "type": "string" }, "DdlArtifactsSchema": { @@ -50971,7 +53328,7 @@ "type": "string" }, "MapBooleanAsBoolean": { - "markdownDescription": "", + "markdownDescription": "When true, lets PostgreSQL migrate the boolean type as boolean. By default, PostgreSQL migrates booleans as `varchar(5)` . You must set this setting on both the source and target endpoints for it to take effect.", "title": "MapBooleanAsBoolean", "type": "boolean" }, @@ -51113,7 +53470,7 @@ "type": "number" }, "MapBooleanAsBoolean": { - "markdownDescription": "", + "markdownDescription": "When true, lets Redshift migrate the boolean type as boolean. By default, Redshift migrates booleans as `varchar(1)` . You must set this setting on both the source and target endpoints for it to take effect.", "title": "MapBooleanAsBoolean", "type": "boolean" }, 
@@ -51188,6 +53545,11 @@ "title": "AddColumnName", "type": "boolean" }, + "AddTrailingPaddingCharacter": { + "markdownDescription": "Use the S3 target endpoint setting `AddTrailingPaddingCharacter` to add padding on string data. The default value is `false` .", + "title": "AddTrailingPaddingCharacter", + "type": "boolean" + }, "BucketFolder": { "markdownDescription": "An optional parameter to set a folder name in the S3 bucket. If provided, tables are created in the path `*bucketFolder* / *schema_name* / *table_name* /` . If this parameter isn't specified, the path used is `*schema_name* / *table_name* /` .", "title": "BucketFolder", @@ -51303,11 +53665,21 @@ "title": "EncryptionMode", "type": "string" }, + "ExpectedBucketOwner": { + "markdownDescription": "To specify a bucket owner and prevent sniping, you can use the `ExpectedBucketOwner` endpoint setting.\n\nExample: `--s3-settings='{\"ExpectedBucketOwner\": \" *AWS_Account_ID* \"}'`\n\nWhen you make a request to test a connection or perform a migration, S3 checks the account ID of the bucket owner against the specified parameter.", + "title": "ExpectedBucketOwner", + "type": "string" + }, "ExternalTableDefinition": { "markdownDescription": "The external table definition.\n\nConditional: If `S3` is used as a source then `ExternalTableDefinition` is required.", "title": "ExternalTableDefinition", "type": "string" }, + "GlueCatalogGeneration": { + "markdownDescription": "When true, allows AWS Glue to catalog your S3 bucket. Creating an AWS Glue catalog lets you use Athena to query your data.", + "title": "GlueCatalogGeneration", + "type": "boolean" + }, "IgnoreHeaderRows": { "markdownDescription": "When this value is set to 1, AWS DMS ignores the first row header in a .csv file. A value of 1 turns on the feature; a value of 0 turns off the feature.\n\nThe default is 0.", "title": "IgnoreHeaderRows", 
@@ -51498,6 +53870,289 @@ ], "type": "object" }, + "AWS::DMS::InstanceProfile": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "AvailabilityZone": { + "markdownDescription": "The Availability Zone where the instance profile runs.", + "title": "AvailabilityZone", + "type": "string" + }, + "Description": { + "markdownDescription": "A description of the instance profile. Descriptions can have up to 31 characters. A description can contain only ASCII letters, digits, and hyphens ('-'). Also, it can't end with a hyphen or contain two consecutive hyphens, and can only begin with a letter.", + "title": "Description", + "type": "string" + }, + "InstanceProfileIdentifier": { + "markdownDescription": "The identifier of the instance profile. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen, or contain two consecutive hyphens.", + "title": "InstanceProfileIdentifier", + "type": "string" + }, + "InstanceProfileName": { + "markdownDescription": "The user-friendly name for the instance profile.", + "title": "InstanceProfileName", + "type": "string" + }, + "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the connection parameters for the instance profile.\n\nIf you don't specify a value for the `KmsKeyArn` parameter, then AWS DMS uses your default encryption key.\n\nAWS KMS creates the default encryption key for your AWS account . 
Your AWS account has a different default encryption key for each AWS Region .", + "title": "KmsKeyArn", + "type": "string" + }, + "NetworkType": { + "markdownDescription": "Specifies the network type for the instance profile. A value of `IPV4` represents an instance profile with IPv4 network type and only supports IPv4 addressing. A value of `IPV6` represents an instance profile with IPv6 network type and only supports IPv6 addressing. A value of `DUAL` represents an instance profile with dual network type that supports IPv4 and IPv6 addressing.", + "title": "NetworkType", + "type": "string" + }, + "PubliclyAccessible": { + "markdownDescription": "Specifies the accessibility options for the instance profile. A value of `true` represents an instance profile with a public IP address. A value of `false` represents an instance profile with a private IP address. The default value is `true` .", + "title": "PubliclyAccessible", + "type": "boolean" + }, + "SubnetGroupIdentifier": { + "markdownDescription": "The identifier of the subnet group that is associated with the instance profile.", + "title": "SubnetGroupIdentifier", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "", + "title": "Tags", + "type": "array" + }, + "VpcSecurityGroups": { + "items": { + "type": "string" + }, + "markdownDescription": "The VPC security groups that are used with the instance profile. 
The VPC security group must work with the VPC containing the instance profile.", + "title": "VpcSecurityGroups", + "type": "array" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::DMS::InstanceProfile" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::DMS::MigrationProject": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Description": { + "markdownDescription": "A user-friendly description of the migration project.", + "title": "Description", + "type": "string" + }, + "InstanceProfileArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the instance profile for your migration project.", + "title": "InstanceProfileArn", + "type": "string" + }, + "InstanceProfileIdentifier": { + "markdownDescription": "The identifier of the instance profile for your migration project.", + "title": "InstanceProfileIdentifier", + "type": "string" + }, + "InstanceProfileName": { + "markdownDescription": "The name of the associated instance profile.", + "title": "InstanceProfileName", + "type": "string" + }, + "MigrationProjectIdentifier": { + "markdownDescription": "The identifier of the migration project. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. 
They can't end with a hyphen, or contain two consecutive hyphens.", + "title": "MigrationProjectIdentifier", + "type": "string" + }, + "MigrationProjectName": { + "markdownDescription": "The name of the migration project.", + "title": "MigrationProjectName", + "type": "string" + }, + "SchemaConversionApplicationAttributes": { + "$ref": "#/definitions/AWS::DMS::MigrationProject.SchemaConversionApplicationAttributes", + "markdownDescription": "The schema conversion application attributes, including the Amazon S3 bucket name and Amazon S3 role ARN.", + "title": "SchemaConversionApplicationAttributes" + }, + "SourceDataProviderDescriptors": { + "items": { + "$ref": "#/definitions/AWS::DMS::MigrationProject.DataProviderDescriptor" + }, + "markdownDescription": "Information about the source data provider, including the name or ARN, and AWS Secrets Manager parameters.", + "title": "SourceDataProviderDescriptors", + "type": "array" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "", + "title": "Tags", + "type": "array" + }, + "TargetDataProviderDescriptors": { + "items": { + "$ref": "#/definitions/AWS::DMS::MigrationProject.DataProviderDescriptor" + }, + "markdownDescription": "Information about the target data provider, including the name or ARN, and AWS Secrets Manager parameters.", + "title": "TargetDataProviderDescriptors", + "type": "array" + }, + "TransformationRules": { + "markdownDescription": "The settings in JSON format for migration rules. Migration rules make it possible for you to change the object names according to the rules that you specify. 
For example, you can change an object name to lowercase or uppercase, add or remove a prefix or suffix, or rename objects.", + "title": "TransformationRules", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::DMS::MigrationProject" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::DMS::MigrationProject.DataProviderDescriptor": { + "additionalProperties": false, + "properties": { + "DataProviderArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the data provider.", + "title": "DataProviderArn", + "type": "string" + }, + "DataProviderIdentifier": { + "markdownDescription": "", + "title": "DataProviderIdentifier", + "type": "string" + }, + "DataProviderName": { + "markdownDescription": "The user-friendly name of the data provider.", + "title": "DataProviderName", + "type": "string" + }, + "SecretsManagerAccessRoleArn": { + "markdownDescription": "The ARN of the role used to access AWS Secrets Manager.", + "title": "SecretsManagerAccessRoleArn", + "type": "string" + }, + "SecretsManagerSecretId": { + "markdownDescription": "The identifier of the AWS Secrets Manager Secret used to store access credentials for the data provider.", + "title": "SecretsManagerSecretId", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::MigrationProject.SchemaConversionApplicationAttributes": { + "additionalProperties": false, + "properties": { + "S3BucketPath": { + "markdownDescription": "", + "title": "S3BucketPath", + "type": "string" + }, + "S3BucketRoleArn": { + "markdownDescription": "", + "title": "S3BucketRoleArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::DMS::ReplicationConfig": { "additionalProperties": false, "properties": { 
@@ -51534,39 +54189,61 @@ "additionalProperties": false, "properties": { "ComputeConfig": { - "$ref": "#/definitions/AWS::DMS::ReplicationConfig.ComputeConfig" + "$ref": "#/definitions/AWS::DMS::ReplicationConfig.ComputeConfig", + "markdownDescription": "Configuration parameters for provisioning an AWS DMS Serverless replication.", + "title": "ComputeConfig" }, "ReplicationConfigArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of this AWS DMS Serverless replication configuration.", + "title": "ReplicationConfigArn", "type": "string" }, "ReplicationConfigIdentifier": { + "markdownDescription": "A unique identifier that you want to use to create a `ReplicationConfigArn` that is returned as part of the output from this action. You can then pass this output `ReplicationConfigArn` as the value of the `ReplicationConfigArn` option for other actions to identify both AWS DMS Serverless replications and replication configurations that you want those actions to operate on. For some actions, you can also use either this unique identifier or a corresponding ARN in action filters to identify the specific replication and replication configuration to operate on.", + "title": "ReplicationConfigIdentifier", "type": "string" }, "ReplicationSettings": { + "markdownDescription": "Optional JSON settings for AWS DMS Serverless replications that are provisioned using this replication configuration. 
For example, see [Change processing tuning settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TaskSettings.ChangeProcessingTuning.html) .", + "title": "ReplicationSettings", "type": "object" }, "ReplicationType": { + "markdownDescription": "The type of AWS DMS Serverless replication to provision using this replication configuration.\n\nPossible values:\n\n- `\"full-load\"`\n- `\"cdc\"`\n- `\"full-load-and-cdc\"`", + "title": "ReplicationType", "type": "string" }, "ResourceIdentifier": { + "markdownDescription": "Optional unique value or name that you set for a given resource that can be used to construct an Amazon Resource Name (ARN) for that resource. For more information, see [Fine-grained access control using resource names and tags](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#CHAP_Security.FineGrainedAccess) .", + "title": "ResourceIdentifier", "type": "string" }, "SourceEndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the source endpoint for this AWS DMS Serverless replication configuration.", + "title": "SourceEndpointArn", "type": "string" }, "SupplementalSettings": { + "markdownDescription": "Optional JSON settings for specifying supplemental data. For more information, see [Specifying supplemental data for task settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) .", + "title": "SupplementalSettings", "type": "object" }, "TableMappings": { + "markdownDescription": "JSON table mappings for AWS DMS Serverless replications that are provisioned using this replication configuration. 
For more information, see [Specifying table selection and transformations rules using JSON](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TableMapping.SelectionTransformation.html) .", + "title": "TableMappings", "type": "object" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "One or more optional tags associated with resources used by the AWS DMS Serverless replication. For more information, see [Tagging resources in AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tagging.html) .", + "title": "Tags", "type": "array" }, "TargetEndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the target endpoint for this AWS DMS serverless replication configuration.", + "title": "TargetEndpointArn", "type": "string" } }, 
@@ -51596,33 +54273,51 @@ "additionalProperties": false, "properties": { "AvailabilityZone": { + "markdownDescription": "The Availability Zone where the AWS DMS Serverless replication using this configuration will run. The default value is a random, system-chosen Availability Zone in the configuration's AWS Region , for example, `\"us-west-2\"` . You can't set this parameter if the `MultiAZ` parameter is set to `true` .", + "title": "AvailabilityZone", "type": "string" }, "DnsNameServers": { + "markdownDescription": "A list of custom DNS name servers supported for the AWS DMS Serverless replication to access your source or target database. This list overrides the default name servers supported by the AWS DMS Serverless replication. You can specify a comma-separated list of internet addresses for up to four DNS name servers. For example: `\"1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4\"`", + "title": "DnsNameServers", "type": "string" }, "KmsKeyId": { + "markdownDescription": "An AWS Key Management Service ( AWS KMS ) key Amazon Resource Name (ARN) that is used to encrypt the data during AWS DMS Serverless replication.\n\nIf you don't specify a value for the `KmsKeyId` parameter, AWS DMS uses your default encryption key.\n\nAWS KMS creates the default encryption key for your Amazon Web Services account. Your AWS account has a different default encryption key for each AWS Region .", + "title": "KmsKeyId", "type": "string" }, "MaxCapacityUnits": { + "markdownDescription": "Specifies the maximum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the maximum value that you can specify for AWS DMS Serverless is 384. 
The `MaxCapacityUnits` parameter is the only DCU parameter you are required to specify.", + "title": "MaxCapacityUnits", "type": "number" }, "MinCapacityUnits": { + "markdownDescription": "Specifies the minimum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the minimum DCU value that you can specify for AWS DMS Serverless is 1. If you don't set this value, AWS DMS sets this parameter to the minimum DCU value allowed, 1. If there is no current source activity, AWS DMS scales down your replication until it reaches the value specified in `MinCapacityUnits` .", + "title": "MinCapacityUnits", "type": "number" }, "MultiAZ": { + "markdownDescription": "Specifies whether the AWS DMS Serverless replication is a Multi-AZ deployment. You can't set the `AvailabilityZone` parameter if the `MultiAZ` parameter is set to `true` .", + "title": "MultiAZ", "type": "boolean" }, "PreferredMaintenanceWindow": { + "markdownDescription": "The weekly time range during which system maintenance can occur for the AWS DMS Serverless replication, in Universal Coordinated Time (UTC). The format is `ddd:hh24:mi-ddd:hh24:mi` .\n\nThe default is a 30-minute window selected at random from an 8-hour block of time per AWS Region . This maintenance occurs on a random day of the week. 
Valid values for days of the week include `Mon` , `Tue` , `Wed` , `Thu` , `Fri` , `Sat` , and `Sun` .\n\nConstraints include a minimum 30-minute window.", + "title": "PreferredMaintenanceWindow", "type": "string" }, "ReplicationSubnetGroupId": { + "markdownDescription": "Specifies a subnet group identifier to associate with the AWS DMS Serverless replication.", + "title": "ReplicationSubnetGroupId", "type": "string" }, "VpcSecurityGroupIds": { "items": { "type": "string" }, + "markdownDescription": "Specifies the virtual private cloud (VPC) security group to use with the AWS DMS Serverless replication. The VPC security group must work with the VPC containing the replication.", + "title": "VpcSecurityGroupIds", "type": "array" } }, @@ -51962,7 +54657,7 @@ "type": "string" }, "TaskData": { - "markdownDescription": "", + "markdownDescription": "Supplemental information that the task requires to migrate the data for certain source and target endpoints. For more information, see [Specifying Supplemental Data for Task Settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) in the *AWS Database Migration Service User Guide.*", "title": "TaskData", "type": "string" } @@ -52542,7 +55237,7 @@ }, "OutputLocation": { "$ref": "#/definitions/AWS::DataBrew::Job.OutputLocation", - "markdownDescription": "", + "markdownDescription": "The location in Amazon S3 where the job writes its output.", "title": "OutputLocation" }, "Outputs": { @@ -53335,12 +56030,12 @@ "properties": { "DataCatalogInputDefinition": { "$ref": "#/definitions/AWS::DataBrew::Recipe.DataCatalogInputDefinition", - "markdownDescription": "", + "markdownDescription": "The AWS Glue Data Catalog parameters for the data.", "title": "DataCatalogInputDefinition" }, "S3InputDefinition": { "$ref": "#/definitions/AWS::DataBrew::Recipe.S3Location", - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location where the data is stored.", "title": "S3InputDefinition" } }, 
@@ -54594,30 +57289,46 @@ "items": { "type": "string" }, + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "title": "AgentArns", "type": "array" }, "AzureAccessTier": { + "markdownDescription": "Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see [Access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) .", + "title": "AzureAccessTier", "type": "string" }, "AzureBlobAuthenticationType": { + "markdownDescription": "Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS).", + "title": "AzureBlobAuthenticationType", "type": "string" }, "AzureBlobContainerUrl": { + "markdownDescription": "Specifies the URL of the Azure Blob Storage container involved in your transfer.", + "title": "AzureBlobContainerUrl", "type": "string" }, "AzureBlobSasConfiguration": { - "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration" + "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration", + "markdownDescription": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.", + "title": "AzureBlobSasConfiguration" }, "AzureBlobType": { + "markdownDescription": "Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. 
For more information on blob types, see the [Azure Blob Storage documentation](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) .", + "title": "AzureBlobType", "type": "string" }, "Subdirectory": { + "markdownDescription": "Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, `/my/images` ).", + "title": "Subdirectory", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location.", + "title": "Tags", "type": "array" } }, @@ -54652,6 +57363,8 @@ "additionalProperties": false, "properties": { "AzureBlobSasToken": { + "markdownDescription": "Specifies a SAS token that provides permissions to access your Azure Blob Storage.\n\nThe token is part of the SAS URI string that comes after the storage resource URI and a question mark. A token looks something like this:\n\n`sp=r&st=2023-12-20T14:54:52Z&se=2023-12-20T22:54:52Z&spr=https&sv=2021-06-08&sr=c&sig=aBBKDWQvyuVcTPH9EBp%2FXTI9E%2F%2Fmq171%2BZU178wcwqU%3D`", + "title": "AzureBlobSasToken", "type": "string" } }, @@ -55010,7 +57723,7 @@ "additionalProperties": false, "properties": { "Domain": { - "markdownDescription": "Specifies the fully qualified domain name (FQDN) of the Microsoft Active Directory that your storage virtual machine (SVM) belongs to.", + "markdownDescription": "Specifies the fully qualified domain name (FQDN) of the Microsoft Active Directory that your storage virtual machine (SVM) belongs to.\n\nIf you have multiple domains in your environment, configuring this setting makes sure that DataSync connects to the right SVM.", "title": "Domain", "type": "string" }, 
@@ -55214,7 +57927,7 @@ "additionalProperties": false, "properties": { "Domain": { - "markdownDescription": "Specifies the name of the Windows domain that the FSx for Windows File Server belongs to.", + "markdownDescription": "Specifies the name of the Microsoft Active Directory domain that the FSx for Windows File Server file system belongs to.\n\nIf you have multiple Active Directory domains in your environment, configuring this parameter makes sure that DataSync connects to the right file system.", "title": "Domain", "type": "string" }, @@ -55224,7 +57937,7 @@ "type": "string" }, "Password": { - "markdownDescription": "Specifies the password of the user who has the permissions to access files and folders in the file system.", + "markdownDescription": "Specifies the password of the user with the permissions to mount and access the files, folders, and file metadata in your FSx for Windows File Server file system.", "title": "Password", "type": "string" }, 
@@ -55493,21 +58206,21 @@ "properties": { "MountOptions": { "$ref": "#/definitions/AWS::DataSync::LocationNFS.MountOptions", - "markdownDescription": "Specifies the mount options that DataSync can use to mount your NFS share.", + "markdownDescription": "Specifies the options that DataSync can use to mount your NFS file server.", "title": "MountOptions" }, "OnPremConfig": { "$ref": "#/definitions/AWS::DataSync::LocationNFS.OnPremConfig", - "markdownDescription": "Specifies the Amazon Resource Names (ARNs) of agents that DataSync uses to connect to your NFS file server.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that want to connect to your NFS file server.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for transfers](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", "title": "OnPremConfig" }, "ServerHostname": { - "markdownDescription": "Specifies the IP address or domain name of your NFS file server. An agent that is installed on-premises uses this hostname to mount the NFS server in a network.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.\n\n> You must specify be an IP version 4 address or Domain Name System (DNS)-compliant name.", + "markdownDescription": "Specifies the Domain Name System (DNS) name or IP version 4 address of the NFS file server that your DataSync agent connects to.", "title": "ServerHostname", "type": "string" }, "Subdirectory": { - "markdownDescription": "Specifies the subdirectory in the NFS file server that DataSync transfers to or from. 
The NFS path should be a path that's exported by the NFS server, or a subdirectory of that path. The path should be such that it can be mounted by other NFS clients in your network.\n\nTo see all the paths exported by your NFS server, run \" `showmount -e nfs-server-name` \" from an NFS client that has access to your server. You can specify any directory that appears in the results, and any subdirectory of that directory. Ensure that the NFS export is accessible without Kerberos authentication.\n\nTo transfer all the data in the folder you specified, DataSync needs to have permissions to read all the data. To ensure this, either configure the NFS export with `no_root_squash,` or ensure that the permissions for all of the files that you want DataSync allow read access for all users. Doing either enables the agent to read the files. For the agent to access directories, you must additionally enable all execute access.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "markdownDescription": "Specifies the export path in your NFS file server that you want DataSync to mount.\n\nThis path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see [Accessing NFS file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs) .", "title": "Subdirectory", "type": "string" }, @@ -55564,7 +58277,7 @@ "items": { "type": "string" }, - "markdownDescription": "ARNs of the agents to use for an NFS location.", + "markdownDescription": "The Amazon Resource Names (ARNs) of the agents connecting to a transfer location.", "title": "AgentArns", "type": "array" } 
@@ -55840,7 +58553,7 @@ "type": "array" }, "Domain": { - "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) for SMB locations.", + "markdownDescription": "Specifies the name of the Active Directory domain that your SMB file server belongs to.\n\nIf you have multiple Active Directory domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.", "title": "Domain", "type": "string" }, @@ -56150,7 +58863,9 @@ "type": "array" }, "TaskReportConfig": { - "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig" + "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig", + "markdownDescription": "Specifies how you want to configure a task report, which provides detailed information about for your DataSync transfer.", + "title": "TaskReportConfig" } }, "required": [ @@ -56184,6 +58899,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to delete.", + "title": "ReportLevel", "type": "string" } }, @@ -56193,7 +58910,9 @@ "additionalProperties": false, "properties": { "S3": { - "$ref": "#/definitions/AWS::DataSync::Task.S3" + "$ref": "#/definitions/AWS::DataSync::Task.S3", + "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report.", + "title": "S3" } }, "type": "object" 
@@ -56233,7 +58952,7 @@ "type": "string" }, "LogLevel": { - "markdownDescription": "Specifies the type of logs that DataSync publishes to a Amazon CloudWatch Logs log group. To specify the log group, see [CloudWatchLogGroupArn](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateTask.html#DataSync-CreateTask-request-CloudWatchLogGroupArn) .\n\nIf you set `LogLevel` to `OFF` , no logs are published. `BASIC` publishes logs on errors for individual files transferred. `TRANSFER` publishes logs for every file or object that is transferred and integrity checked.", + "markdownDescription": "Specifies the type of logs that DataSync publishes to a Amazon CloudWatch Logs log group. To specify the log group, see [CloudWatchLogGroupArn](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateTask.html#DataSync-CreateTask-request-CloudWatchLogGroupArn) .\n\n- `BASIC` - Publishes logs with only basic information (such as transfer errors).\n- `TRANSFER` - Publishes logs for all files or objects that your DataSync task transfers and performs data-integrity checks on.\n- `OFF` - No logs are published.", "title": "LogLevel", "type": "string" }, 
@@ -56243,12 +58962,12 @@ "type": "string" }, "ObjectTags": { - "markdownDescription": "Specifies whether object tags are preserved when transferring between object storage systems. If you want your DataSync task to ignore object tags, specify the `NONE` value.\n\nDefault Value: `PRESERVE`", + "markdownDescription": "Specifies whether you want DataSync to `PRESERVE` object tags (default behavior) when transferring between object storage systems. If you want your DataSync task to ignore object tags, specify the `NONE` value.", "title": "ObjectTags", "type": "string" }, "OverwriteMode": { - "markdownDescription": "Specifies whether data at the destination location should be overwritten or preserved. If set to `NEVER` , a destination file for example will not be replaced by a source file (even if the destination file differs from the source file). If you modify files in the destination and you sync the files, you can use this value to protect against overwriting those changes.\n\nSome storage classes have specific behaviors that can affect your Amazon S3 storage cost. For detailed information, see [Considerations when working with Amazon S3 storage classes in DataSync](https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#using-storage-classes) .", + "markdownDescription": "Specifies whether DataSync should modify or preserve data at the destination location.\n\n- `ALWAYS` (default) - DataSync modifies data in the destination location when source data (including metadata) has changed.\n\nIf DataSync overwrites objects, you might incur additional charges for certain Amazon S3 storage classes (for example, for retrieval or early deletion). For more information, see [Storage class considerations with Amazon S3 transfers](https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#using-storage-classes) .\n- `NEVER` - DataSync doesn't overwrite data in the destination location even if the source data has changed. 
You can use this option to protect against overwriting changes made to files or objects in the destination.", "title": "OverwriteMode", "type": "string" }, @@ -56299,16 +59018,24 @@ "additionalProperties": false, "properties": { "Deleted": { - "$ref": "#/definitions/AWS::DataSync::Task.Deleted" + "$ref": "#/definitions/AWS::DataSync::Task.Deleted", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you [configure your task](https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html) to delete data in the destination that isn't in the source.", + "title": "Deleted" }, "Skipped": { - "$ref": "#/definitions/AWS::DataSync::Task.Skipped" + "$ref": "#/definitions/AWS::DataSync::Task.Skipped", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.", + "title": "Skipped" }, "Transferred": { - "$ref": "#/definitions/AWS::DataSync::Task.Transferred" + "$ref": "#/definitions/AWS::DataSync::Task.Transferred", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.", + "title": "Transferred" }, "Verified": { - "$ref": "#/definitions/AWS::DataSync::Task.Verified" + "$ref": "#/definitions/AWS::DataSync::Task.Verified", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.", + "title": "Verified" } }, "type": "object" 
@@ -56317,12 +59044,18 @@ "additionalProperties": false, "properties": { "BucketAccessRoleArn": { + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. For more information, see [Allowing DataSync to upload a task report to an Amazon S3 bucket](https://docs.aws.amazon.com/datasync/latest/userguide/creating-task-reports.html) .", + "title": "BucketAccessRoleArn", "type": "string" }, "S3BucketArn": { + "markdownDescription": "Specifies the ARN of the S3 bucket where DataSync uploads your report.", + "title": "S3BucketArn", "type": "string" }, "Subdirectory": { + "markdownDescription": "Specifies a bucket prefix for your report.", + "title": "Subdirectory", "type": "string" } }, @@ -56332,6 +59065,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to skip.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to skip.", + "title": "ReportLevel", "type": "string" } }, 
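Review bot: The `BucketAccessRoleArn` description in the `@@ -56317,12 +59044,18 @@` hunk calls the value "the ARN of the IAM policy", while the property name points to a role, presumably one that DataSync assumes to write the report. Read literally, the text invites a policy ARN where a role ARN is expected, and it hides the fact that this field grants DataSync write access to the bucket. The wording should be `Specifies the Amazon Resource Name (ARN) of the IAM role that allows DataSync to upload a task report to your S3 bucket.` It would also help to say that the role needs access only to the report bucket and the prefix given in `Subdirectory`.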
@@ -56341,18 +59076,28 @@ "additionalProperties": false, "properties": { "Destination": { - "$ref": "#/definitions/AWS::DataSync::Task.Destination" + "$ref": "#/definitions/AWS::DataSync::Task.Destination", + "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report. For more information, see [Task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html#task-report-access) .", + "title": "Destination" }, "ObjectVersionIds": { + "markdownDescription": "Specifies whether your task report includes the new version of each object transferred into an S3 bucket. This only applies if you [enable versioning on your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html) . Keep in mind that setting this to `INCLUDE` can increase the duration of your task execution.", + "title": "ObjectVersionIds", "type": "string" }, "OutputType": { + "markdownDescription": "Specifies the type of task report that you want:\n\n- `SUMMARY_ONLY` : Provides necessary details about your task, including the number of files, objects, and directories transferred and transfer duration.\n- `STANDARD` : Provides complete details about your task, including a full list of files, objects, and directories that were transferred, skipped, verified, and more.", + "title": "OutputType", "type": "string" }, "Overrides": { - "$ref": "#/definitions/AWS::DataSync::Task.Overrides" + "$ref": "#/definitions/AWS::DataSync::Task.Overrides", + "markdownDescription": "Customizes the reporting level for aspects of your task report. 
For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that DataSync attempted to delete in your destination location.", + "title": "Overrides" }, "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer, skip, verify, and delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer, skip, verify, and delete.", + "title": "ReportLevel", "type": "string" } }, @@ -56380,6 +59125,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer.", + "title": "ReportLevel", "type": "string" } }, @@ -56389,6 +59136,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify.", + "title": "ReportLevel", "type": "string" } }, 
@@ -56880,7 +59629,7 @@ "properties": { "CloudFormation": { "$ref": "#/definitions/AWS::DevOpsGuru::ResourceCollection.CloudFormationCollectionFilter", - "markdownDescription": "Information about AWS CloudFormation stacks. You can use up to 500 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", + "markdownDescription": "Information about AWS CloudFormation stacks. You can use up to 1000 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", "title": "CloudFormation" }, "Tags": { 
@@ -57279,12 +60028,12 @@ "type": "string" }, "RestoreToTime": { - "markdownDescription": "", + "markdownDescription": "The date and time to restore the cluster to.\n\nValid values: A time in Universal Coordinated Time (UTC) format.\n\nConstraints:\n\n- Must be before the latest restorable time for the instance.\n- Must be specified if the `UseLatestRestorableTime` parameter is not provided.\n- Cannot be specified if the `UseLatestRestorableTime` parameter is `true` .\n- Cannot be specified if the `RestoreType` parameter is `copy-on-write` .\n\nExample: `2015-03-07T23:45:00Z`", "title": "RestoreToTime", "type": "string" }, "RestoreType": { - "markdownDescription": "", + "markdownDescription": "The type of restore to be performed. You can specify one of the following values:\n\n- `full-copy` - The new DB cluster is restored as a full copy of the source DB cluster.\n- `copy-on-write` - The new DB cluster is restored as a clone of the source DB cluster.\n\nConstraints: You can't specify `copy-on-write` if the engine version of the source DB cluster is earlier than 1.11.\n\nIf you don't specify a `RestoreType` value, then the new DB cluster is restored as a full copy of the source DB cluster.", "title": "RestoreType", "type": "string" }, @@ -57294,7 +60043,7 @@ "type": "string" }, "SourceDBClusterIdentifier": { - "markdownDescription": "", + "markdownDescription": "The identifier of the source cluster from which to restore.\n\nConstraints:\n\n- Must match the identifier of an existing `DBCluster` .", "title": "SourceDBClusterIdentifier", "type": "string" }, @@ -57312,7 +60061,7 @@ "type": "array" }, "UseLatestRestorableTime": { - "markdownDescription": "", + "markdownDescription": "A value that is set to `true` to restore the cluster to the latest restorable backup time, and `false` otherwise.\n\nDefault: `false`\n\nConstraints: Cannot be specified if the `RestoreToTime` parameter is provided.", "title": "UseLatestRestorableTime", "type": "boolean" }, 
@@ -57484,6 +60233,16 @@ "title": "AvailabilityZone", "type": "string" }, + "CACertificateIdentifier": { + "markdownDescription": "The CA certificate identifier to use for the DB instance's server certificate.\n\nFor more information, see [Updating Your Amazon DocumentDB TLS Certificates](https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html) and [Encrypting Data in Transit](https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html) in the *Amazon DocumentDB Developer Guide* .", + "title": "CACertificateIdentifier", + "type": "string" + }, + "CertificateRotationRestart": { + "markdownDescription": "Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate.\n\nBy default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted.\n\n> Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. \n\nIf you are using SSL/TLS to connect to the DB instance, see [Updating Your Amazon DocumentDB TLS Certificates](https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html) and [Encrypting Data in Transit](https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html) in the *Amazon DocumentDB Developer Guide* .", + "title": "CertificateRotationRestart", + "type": "boolean" + }, "DBClusterIdentifier": { "markdownDescription": "The identifier of the cluster that the instance will belong to.", "title": "DBClusterIdentifier", 
@@ -57500,7 +60259,7 @@ "type": "string" }, "EnablePerformanceInsights": { - "markdownDescription": "", + "markdownDescription": "A value that indicates whether to enable Performance Insights for the DB Instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/documentdb/latest/developerguide/performance-insights.html) .", "title": "EnablePerformanceInsights", "type": "boolean" }, @@ -57634,6 +60393,92 @@ ], "type": "object" }, + "AWS::DocDB::EventSubscription": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Enabled": { + "type": "boolean" + }, + "EventCategories": { + "items": { + "type": "string" + }, + "type": "array" + }, + "SnsTopicArn": { + "type": "string" + }, + "SourceIds": { + "items": { + "type": "string" + }, + "type": "array" + }, + "SourceType": { + "type": "string" + }, + "SubscriptionName": { + "type": "string" + } + }, + "required": [ + "SnsTopicArn" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::DocDB::EventSubscription" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::DocDBElastic::Cluster": { "additionalProperties": false, "properties": { 
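Review bot: The new `AWS::DocDB::EventSubscription` definition in the `@@ -57634,6 +60393,92 @@` hunk has no `markdownDescription` or `title` on any of its properties, unlike the other definitions this diff touches. `Enabled`, `EventCategories`, `SnsTopicArn`, `SourceIds`, `SourceType` and `SubscriptionName` are bare types. `SnsTopicArn` is the only required property and determines where the notifications are delivered, so it is the one most worth documenting, for example `"markdownDescription": "The ARN of the SNS topic that receives the event notifications."` with a matching `"title": "SnsTopicArn"`. If the text is missing only because the documentation source has not caught up with the resource, a follow-up regeneration would cover it.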
@@ -60020,7 +62865,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::EC2Fleet.TagSpecification" }, - "markdownDescription": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tagging your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", + "markdownDescription": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", "title": "TagSpecifications", "type": "array" }, 
@@ -60253,7 +63098,7 @@ "items": { "type": "string" }, - "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", + "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", "title": "AcceleratorManufacturers", "type": "array" }, 
@@ -60261,7 +63106,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n\nDefault: Any accelerator", + "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify `a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "title": "AcceleratorNames", "type": "array" }, 
@@ -60475,7 +63320,7 @@ "title": "CapacityReservationOptions" }, "MaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay.", + "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "MaxTotalPrice", "type": "string" }, 
@@ -60567,7 +63412,7 @@ "title": "MaintenanceStrategies" }, "MaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter.", + "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter. > If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "MaxTotalPrice", "type": "string" }, @@ -60593,7 +63438,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag. `ResourceType` must be `fleet` .", + "markdownDescription": "The type of resource to tag.", "title": "ResourceType", "type": "string" }, 
@@ -60612,7 +63457,7 @@ "additionalProperties": false, "properties": { "DefaultTargetCapacityType": { - "markdownDescription": "The default `TotalTargetCapacity` , which is either `Spot` or `On-Demand` .", + "markdownDescription": "The default target capacity type.", "title": "DefaultTargetCapacityType", "type": "string" }, @@ -60627,12 +63472,12 @@ "type": "number" }, "TargetCapacityUnitType": { - "markdownDescription": "The unit for the target capacity. `TargetCapacityUnitType` can only be specified when `InstanceRequirements` is specified.\n\nDefault: `units` (translates to number of instances)", + "markdownDescription": "The unit for the target capacity. You can specify this parameter only when using attributed-based instance type selection.\n\nDefault: `units` (the number of instances)", "title": "TargetCapacityUnitType", "type": "string" }, "TotalTargetCapacity": { - "markdownDescription": "The number of units to request, filled using `DefaultTargetCapacityType` .", + "markdownDescription": "The number of units to request, filled using the default target capacity type.", "title": "TotalTargetCapacity", "type": "number" } 
@@ -60720,7 +63565,7 @@ "type": "string" }, "NetworkBorderGroup": { - "markdownDescription": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.\n\nYou cannot use a network border group with EC2 Classic. If you attempt this operation on EC2 Classic, you receive an `InvalidParameterCombination` error.", + "markdownDescription": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.", "title": "NetworkBorderGroup", "type": "string" }, @@ -61019,6 +63864,8 @@ "additionalProperties": false, "properties": { "DeliverCrossAccountRole": { + "markdownDescription": "The ARN of the IAM role that allows the service to publish flow logs across accounts.", + "title": "DeliverCrossAccountRole", "type": "string" }, "DeliverLogsPermissionArn": { @@ -61242,6 +64089,8 @@ "additionalProperties": false, "properties": { "AssetId": { + "markdownDescription": "The ID of the Outpost hardware asset on which the Dedicated Host is allocated.", + "title": "AssetId", "type": "string" }, "AutoPlacement": { 
@@ -61361,6 +64210,11 @@ "markdownDescription": "The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value.", "title": "Tags", "type": "array" + }, + "Tier": { + "markdownDescription": "IPAM is offered in a Free Tier and an Advanced Tier. For more information about the features available in each tier and the costs associated with the tiers, see the [VPC IPAM product pricing page](https://docs.aws.amazon.com//vpc/pricing/) .", + "title": "Tier", + "type": "string" } }, "type": "object" 
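Review bot: The link in the new `Tier` description is `https://docs.aws.amazon.com//vpc/pricing/`, with a doubled slash after the documentation host and what looks like a product-page path behind it, so it probably does not resolve to the pricing page. An earlier description in this diff has the same shape, `https://docs.aws.amazon.com/https://learn.microsoft.com/...`, which suggests the link rewriter prefixes the AWS docs host onto links that are not relative documentation paths. I would make the rewriter leave absolute URLs untouched and add a check on the generated file that rejects any link with `//` after the host or a second `https://` inside it.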
@@ -62209,7 +65063,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::Instance.SsmAssociation" }, - "markdownDescription": "The SSM [document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html) and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html) in the *AWS Systems Manager User Guide* .\n\n> You can currently associate only one document with an instance.", + "markdownDescription": "The SSM [document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html) and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html) in the *AWS Systems Manager User Guide* .\n\n> You can associate only one document with an instance.", "title": "SsmAssociations", "type": "array" }, 
@@ -62232,7 +65086,7 @@ "type": "string" }, "UserData": { - "markdownDescription": "The user data script to make available to the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see [Fn::Base64](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html) .\n\nUser data runs only at instance launch. For more information, see [Run commands on your Linux instance at launch](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) and [Run commands on your Windows instance at launch](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-windows-user-data.html) .", + "markdownDescription": "The parameters or scripts to store as user data. Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see [Fn::Base64](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html) .\n\nIf the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.", "title": "UserData", "type": "string" }, 
@@ -62304,9 +65158,9 @@ "title": "Ebs" }, "NoDevice": { - "$ref": "#/definitions/AWS::EC2::Instance.NoDevice", "markdownDescription": "To omit the device from the block device mapping, specify an empty string.\n\n> After the instance is running, modifying this parameter results in instance [replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) .", - "title": "NoDevice" + "title": "NoDevice", + "type": "object" }, "VirtualName": { "markdownDescription": "The virtual device name ( `ephemeral` N). The name must be in the form `ephemeral` *X* where *X* is a number starting from zero (0). For example, an instance type with 2 available instance store volumes can specify mappings for `ephemeral0` and `ephemeral1` . The number of available instance store volumes depends on the instance type. After you connect to the instance, you must mount the volume.\n\nNVMe instance store volumes are automatically enumerated and assigned a device name. Including them in your block device mapping has no effect.\n\n*Constraints* : For M3 instances, you must specify instance store volumes in the block device mapping for the instance. When you launch an M3 instance, we ignore any instance store volumes specified in the block device mapping for the AMI.\n\n> After the instance is running, modifying this parameter results in instance [replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) .", 
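Review bot: `NoDevice` is now validated as a bare `"type": "object"`, which is looser than the `AWS::EC2::Instance.NoDevice` definition it replaces (removed further down in this diff), since that definition had `"additionalProperties": false` and no properties. An object with arbitrary keys now passes validation. The unchanged description on the same property still says to "specify an empty string", which an object-typed schema rejects, so the text and the type disagree. If the empty-object contract is intended, keep it closed inline with `"additionalProperties": false` beside `"type": "object"`; if this schema is generated from an upstream spec, the fix probably belongs in the generator. The enclosing block-device-mapping definition starts and ends outside the hunk.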
@@ -62435,7 +65289,7 @@ "additionalProperties": false, "properties": { "Configured": { - "markdownDescription": "Set to `true` to enable your instance for hibernation.\n\nDefault: `false`", + "markdownDescription": "Set to `true` to enable your instance for hibernation.\n\nFor Spot Instances, if you set `Configured` to `true` , either omit the `InstanceInterruptionBehavior` parameter (for [`SpotMarketOptions`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html) ), or set it to `hibernate` . When `Configured` is true:\n\n- If you omit `InstanceInterruptionBehavior` , it defaults to `hibernate` .\n- If you set `InstanceInterruptionBehavior` to a value other than `hibernate` , you'll get an error.\n\nDefault: `false`", "title": "Configured", "type": "boolean" } @@ -62503,7 +65357,7 @@ "type": "boolean" }, "AssociatePublicIpAddress": { - "markdownDescription": "Indicates whether to assign a public IPv4 address to an instance. Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is `true` .", + "markdownDescription": "Indicates whether to assign a public IPv4 address to an instance. Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is `true` .\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "title": "AssociatePublicIpAddress", "type": "boolean" }, 
@@ -62577,11 +65431,6 @@ ], "type": "object" }, - "AWS::EC2::Instance.NoDevice": { - "additionalProperties": false, - "properties": {}, - "type": "object" - }, "AWS::EC2::Instance.PrivateDnsNameOptions": { "additionalProperties": false, "properties": { @@ -62701,24 +65550,34 @@ "additionalProperties": false, "properties": { "ClientToken": { + "markdownDescription": "Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.", + "title": "ClientToken", "type": "string" }, "PreserveClientIp": { + "markdownDescription": "Indicates whether your client's IP address is preserved as the source. The value is `true` or `false` .\n\n- If `true` , your client's IP address is used when you connect to a resource.\n- If `false` , the elastic network interface IP address is used when you connect to a resource.\n\nDefault: `true`", + "title": "PreserveClientIp", "type": "boolean" }, "SecurityGroupIds": { "items": { "type": "string" }, + "markdownDescription": "One or more security groups to associate with the endpoint. If you don't specify a security group, the default security group for your VPC will be associated with the endpoint.", + "title": "SecurityGroupIds", "type": "array" }, "SubnetId": { + "markdownDescription": "The ID of the subnet in which to create the EC2 Instance Connect Endpoint.", + "title": "SubnetId", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to apply to the EC2 Instance Connect Endpoint during creation.", + "title": "Tags", "type": "array" } }, 
@@ -62953,7 +65812,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.LaunchTemplateTagSpecification" }, - "markdownDescription": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\n> To specify the tags for the resources that are created when an instance is launched, you must use the `TagSpecifications` parameter in the [launch template data](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestLaunchTemplateData.html) structure.", + "markdownDescription": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\nTo specify the tags for the resources that are created when an instance is launched, you must use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "title": "TagSpecifications", "type": "array" }, 
@@ -63095,6 +65954,27 @@ }, "type": "object" }, + "AWS::EC2::LaunchTemplate.ConnectionTrackingSpecification": { + "additionalProperties": false, + "properties": { + "TcpEstablishedTimeout": { + "markdownDescription": "Timeout (in seconds) for idle TCP connections in an established state. Min: 60 seconds. Max: 432000 seconds (5 days). Default: 432000 seconds. Recommended: Less than 432000 seconds.", + "title": "TcpEstablishedTimeout", + "type": "number" + }, + "UdpStreamTimeout": { + "markdownDescription": "Timeout (in seconds) for idle UDP flows classified as streams which have seen more than one request-response transaction. Min: 60 seconds. Max: 180 seconds (3 minutes). Default: 180 seconds.", + "title": "UdpStreamTimeout", + "type": "number" + }, + "UdpTimeout": { + "markdownDescription": "Timeout (in seconds) for idle UDP flows that have seen traffic only in a single direction or a single request-response transaction. Min: 30 seconds. Max: 60 seconds. Default: 30 seconds.", + "title": "UdpTimeout", + "type": "number" + } + }, + "type": "object" + }, "AWS::EC2::LaunchTemplate.CpuOptions": { "additionalProperties": false, "properties": { 
@@ -63141,7 +66021,7 @@ "type": "boolean" }, "Iops": { - "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000-16,000 IOPS\n- `io1` : 100-64,000 IOPS\n- `io2` : 100-64,000 IOPS\n\nFor `io1` and `io2` volumes, we guarantee 64,000 IOPS only for [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . Other instance families guarantee performance up to 32,000 IOPS.\n\nThis parameter is supported for `io1` , `io2` , and `gp3` volumes only. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", + "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is supported for `io1` , `io2` , and `gp3` volumes only.", "title": "Iops", "type": "number" }, 
@@ -63161,7 +66041,7 @@ "type": "number" }, "VolumeSize": { - "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", + "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", "title": "VolumeSize", "type": "number" }, @@ -63184,6 +66064,33 @@ }, "type": "object" }, + "AWS::EC2::LaunchTemplate.EnaSrdSpecification": { + "additionalProperties": false, + "properties": { + "EnaSrdEnabled": { + "markdownDescription": "Indicates whether ENA Express is enabled for the network interface.", + "title": "EnaSrdEnabled", + "type": "boolean" + }, + "EnaSrdUdpSpecification": { + "$ref": "#/definitions/AWS::EC2::LaunchTemplate.EnaSrdUdpSpecification", + "markdownDescription": "Configures ENA Express for UDP network traffic.", + "title": "EnaSrdUdpSpecification" + } + }, + "type": "object" + }, + "AWS::EC2::LaunchTemplate.EnaSrdUdpSpecification": { + "additionalProperties": false, + "properties": { + "EnaSrdUdpEnabled": { + "markdownDescription": "Indicates whether UDP traffic to and from the instance uses ENA Express. To specify this setting, you must first enable ENA Express.", + "title": "EnaSrdUdpEnabled", + "type": "boolean" + } + }, + "type": "object" + }, "AWS::EC2::LaunchTemplate.EnclaveOptions": { "additionalProperties": false, "properties": { 
@@ -63250,7 +66157,7 @@ "items": { "type": "string" }, - "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", + "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", "title": "AcceleratorManufacturers", "type": "array" }, 
@@ -63258,7 +66165,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n\nDefault: Any accelerator", + "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify `a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "title": "AcceleratorNames", "type": "array" }, 
@@ -63469,7 +66376,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.LaunchTemplateElasticInferenceAccelerator" }, - "markdownDescription": "The elastic inference accelerator for the instance.", + "markdownDescription": "An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.\n\nYou cannot specify accelerators from different generations in the same request.\n\n> Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.", "title": "ElasticInferenceAccelerators", "type": "array" }, @@ -63581,7 +66488,7 @@ "items": { "type": "string" }, - "markdownDescription": "One or more security group names. For a nondefault VPC, you must use security group IDs instead. You cannot specify both a security group ID and security name in the same request.", + "markdownDescription": "One or more security group names. For a nondefault VPC, you must use security group IDs instead.", "title": "SecurityGroups", "type": "array" }, 
@@ -63589,7 +66496,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.TagSpecification" }, - "markdownDescription": "The tags to apply to the resources that are created during instance launch.\n\nYou can specify tags for the following resources only:\n\n- Instances\n- Volumes\n- Elastic graphics\n- Spot Instance requests\n- Network interfaces\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\n> To tag the launch template itself, you must use the [TagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html) parameter.", + "markdownDescription": "The tags to apply to the resources that are created during instance launch.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\nTo tag the launch template itself, use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "title": "TagSpecifications", "type": "array" }, 
@@ -63709,7 +66616,7 @@ "type": "number" }, "HttpTokens": { - "markdownDescription": "IMDSv2 uses token-backed sessions. Set the use of HTTP tokens to `optional` (in other words, set the use of IMDSv2 to `optional` ) or `required` (in other words, set the use of IMDSv2 to `required` ).\n\n- `optional` - When IMDSv2 is optional, you can choose to retrieve instance metadata with or without a session token in your request. If you retrieve the IAM role credentials without a token, the IMDSv1 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the IMDSv2 role credentials are returned.\n- `required` - When IMDSv2 is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.\n\nDefault: `optional`", + "markdownDescription": "Indicates whether IMDSv2 is required.\n\n- `optional` - IMDSv2 is optional. You can choose whether to send a session token in your instance metadata retrieval requests. If you retrieve IAM role credentials without a session token, you receive the IMDSv1 role credentials. If you retrieve IAM role credentials using a valid session token, you receive the IMDSv2 role credentials.\n- `required` - IMDSv2 is required. You must send a session token in your instance metadata retrieval requests. With this option, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.\n\nDefault: If the value of `ImdsSupport` for the Amazon Machine Image (AMI) for your instance is `v2.0` , the default is `required` .", "title": "HttpTokens", "type": "string" }, 
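Review bot: The rewritten `HttpTokens` description no longer says what the default is when the AMI's `ImdsSupport` is not `v2.0`; the old text ended with `Default: optional` and the new one covers only the `v2.0` case. A reader can take that to mean IMDSv2 is enforced by default, while the `optional` mode described in the same text still returns role credentials to requests that carry no session token. I would state the fallback explicitly after the `v2.0` sentence (presumably it is still `optional`; confirm against the upstream documentation) so template authors know they must set `required` themselves. The property is also a free `"type": "string"`, and an `"enum": ["optional", "required"]` beside it would catch a misspelt value at validation time. The metadata-options definition continues outside the hunk.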
@@ -63752,15 +66659,20 @@ "additionalProperties": false, "properties": { "AssociateCarrierIpAddress": { - "markdownDescription": "Indicates whether to associate a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", + "markdownDescription": "Associates a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", "title": "AssociateCarrierIpAddress", "type": "boolean" }, "AssociatePublicIpAddress": { - "markdownDescription": "Associates a public IPv4 address with eth0 for a new network interface.", + "markdownDescription": "Associates a public IPv4 address with eth0 for a new network interface.\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. 
For more information, see the *Public IPv4 Address* tab on the [Amazon VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "title": "AssociatePublicIpAddress", "type": "boolean" }, + "ConnectionTrackingSpecification": { + "$ref": "#/definitions/AWS::EC2::LaunchTemplate.ConnectionTrackingSpecification", + "markdownDescription": "A connection tracking specification for the network interface.", + "title": "ConnectionTrackingSpecification" + }, "DeleteOnTermination": { "markdownDescription": "Indicates whether the network interface is deleted when the instance is terminated.", "title": "DeleteOnTermination", @@ -63776,6 +66688,11 @@ "title": "DeviceIndex", "type": "number" }, + "EnaSrdSpecification": { + "$ref": "#/definitions/AWS::EC2::LaunchTemplate.EnaSrdSpecification", + "markdownDescription": "The ENA Express configuration for the network interface.", + "title": "EnaSrdSpecification" + }, "Groups": { "items": { "type": "string" @@ -63839,6 +66756,8 @@ "type": "string" }, "PrimaryIpv6": { + "markdownDescription": "The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) .", + "title": "PrimaryIpv6", "type": "boolean" }, "PrivateIpAddress": { 
@@ -64006,7 +66925,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag.\n\nThe `Valid Values` are all the resource types that can be tagged. However, when creating a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request`\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", + "markdownDescription": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include an Elastic GPU.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "title": "ResourceType", "type": "string" }, 
@@ -64442,7 +67361,7 @@ "type": "array" }, "SecondaryPrivateIpAddressCount": { - "markdownDescription": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "markdownDescription": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "title": "SecondaryPrivateIpAddressCount", "type": "number" }, @@ -64450,7 +67369,7 @@ "items": { "type": "string" }, - "markdownDescription": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "markdownDescription": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "title": "SecondaryPrivateIpAddresses", "type": "array" }, 
@@ -66016,16 +68935,20 @@ "type": "string" }, "Ipv4PrefixCount": { + "markdownDescription": "The number of IPv4 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "title": "Ipv4PrefixCount", "type": "number" }, "Ipv4Prefixes": { "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.Ipv4PrefixSpecification" }, + "markdownDescription": "The IPv4 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "title": "Ipv4Prefixes", "type": "array" }, "Ipv6AddressCount": { - "markdownDescription": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.", + "markdownDescription": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.\n\nWhen creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", "title": "Ipv6AddressCount", "type": "number" }, 
@@ -66033,17 +68956,21 @@ "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.InstanceIpv6Address" }, - "markdownDescription": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.", + "markdownDescription": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.\n\nWhen creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", "title": "Ipv6Addresses", "type": "array" }, "Ipv6PrefixCount": { + "markdownDescription": "The number of IPv6 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "title": "Ipv6PrefixCount", "type": "number" }, "Ipv6Prefixes": { "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.Ipv6PrefixSpecification" }, + "markdownDescription": "The IPv6 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "title": "Ipv6Prefixes", "type": "array" }, "PrivateIpAddress": { 
@@ -66055,12 +68982,12 @@ "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.PrivateIpAddressSpecification" }, - "markdownDescription": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.", + "markdownDescription": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.\n\nWhen creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "title": "PrivateIpAddresses", "type": "array" }, "SecondaryPrivateIpAddressCount": { - "markdownDescription": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nYou can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", + "markdownDescription": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. 
You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nWhen creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "title": "SecondaryPrivateIpAddressCount", "type": "number" }, @@ -66127,6 +69054,8 @@ "additionalProperties": false, "properties": { "Ipv4Prefix": { + "markdownDescription": "The IPv4 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* .", + "title": "Ipv4Prefix", "type": "string" } }, @@ -66139,6 +69068,8 @@ "additionalProperties": false, "properties": { "Ipv6Prefix": { + "markdownDescription": "The IPv6 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* .", + "title": "Ipv6Prefix", "type": "string" } }, @@ -66650,6 +69581,11 @@ "title": "CarrierGatewayId", "type": "string" }, + "CoreNetworkArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the core network.", + "title": "CoreNetworkArn", + "type": "string" + }, "DestinationCidrBlock": { "markdownDescription": "The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify `100.68.0.18/18` , we modify it to `100.68.0.0/18` .", "title": "DestinationCidrBlock", @@ -66661,6 +69597,8 @@ "type": "string" }, "DestinationPrefixListId": { + "markdownDescription": "The ID of a prefix list used for the destination match.", + "title": "DestinationPrefixListId", "type": "string" }, "EgressOnlyInternetGatewayId": { 
@@ -67254,6 +70192,73 @@ ], "type": "object" }, + "AWS::EC2::SnapshotBlockPublicAccess": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "State": { + "markdownDescription": "The mode in which to enable block public access for snapshots for the Region. Specify one of the following values:\n\n- `block-all-sharing` - Prevents all public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. Additionally, snapshots that are already publicly shared are treated as private and they are no longer publicly available.\n\n> If you enable block public access for snapshots in `block-all-sharing` mode, it does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from be publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.\n- `block-new-sharing` - Prevents only new public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. 
However, snapshots that are already publicly shared, remain publicly available.", + "title": "State", + "type": "string" + } + }, + "required": [ + "State" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::EC2::SnapshotBlockPublicAccess" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::EC2::SpotFleet": { "additionalProperties": false, "properties": { 
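Review bot: `State` in the new `AWS::EC2::SnapshotBlockPublicAccess` definition is a bare `"type": "string"`, although its description lists exactly two accepted values. A template with a misspelled mode therefore passes schema validation, and the mistake would presumably only surface at deployment. Since this property controls public exposure of snapshots, adding `"enum": ["block-all-sharing", "block-new-sharing"]` next to `"type": "string"` would catch it at authoring time. The same description contains the typo "from be publicly visible", which should read "from being". This file looks generated, so both fixes probably belong in the generator or its upstream documentation source rather than in a hand edit here.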
@@ -67443,7 +70448,7 @@ "type": "boolean" }, "Iops": { - "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000-16,000 IOPS\n- `io1` : 100-64,000 IOPS\n- `io2` : 100-64,000 IOPS\n\nFor `io1` and `io2` volumes, we guarantee 64,000 IOPS only for [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . Other instance families guarantee performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", + "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS.", "title": "Iops", "type": "number" }, 
@@ -67453,12 +70458,12 @@ "type": "string" }, "VolumeSize": { - "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` :1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", + "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", "title": "VolumeSize", "type": "number" }, "VolumeType": { - "markdownDescription": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the *Amazon EC2 User Guide* . If the volume type is `io1` or `io2` , you must specify the IOPS that the volume supports.", + "markdownDescription": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the *Amazon EC2 User Guide* .", "title": "VolumeType", "type": "string" } 
@@ -67532,7 +70537,7 @@ "additionalProperties": false, "properties": { "AssociatePublicIpAddress": { - "markdownDescription": "Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP address can only be assigned to a network interface for eth0, and can only be assigned to a new network interface, not an existing one. You cannot specify more than one network interface in the request. If launching into a default subnet, the default value is `true` .", + "markdownDescription": "Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP address can only be assigned to a network interface for eth0, and can only be assigned to a new network interface, not an existing one. You cannot specify more than one network interface in the request. If launching into a default subnet, the default value is `true` .\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [Amazon VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "title": "AssociatePublicIpAddress", "type": "boolean" }, 
@@ -67610,7 +70615,7 @@ "items": { "type": "string" }, - "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", + "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", "title": "AcceleratorManufacturers", "type": "array" }, 
@@ -67618,7 +70623,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n\nDefault: Any accelerator", + "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify `a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "title": "AcceleratorNames", "type": "array" }, 
@@ -68100,7 +71105,7 @@ "type": "string" }, "OnDemandMaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `onDemandMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `onDemandMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "OnDemandMaxTotalPrice", "type": "string" }, 
@@ -68120,7 +71125,7 @@ "title": "SpotMaintenanceStrategies" }, "SpotMaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotdMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `spotMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `spotMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "SpotMaxTotalPrice", "type": "string" }, 
@@ -68133,7 +71138,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::SpotFleet.SpotFleetTagSpecification" }, - "markdownDescription": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tagging Your Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", + "markdownDescription": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", "title": "TagSpecifications", "type": "array" }, 
@@ -68143,7 +71148,7 @@ "type": "number" }, "TargetCapacityUnitType": { - "markdownDescription": "The unit for the target capacity. `TargetCapacityUnitType` can only be specified when `InstanceRequirements` is specified.\n\nDefault: `units` (translates to number of instances)", + "markdownDescription": "The unit for the target capacity. You can specify this parameter only when using attribute-based instance type selection.\n\nDefault: `units` (the number of instances)", "title": "TargetCapacityUnitType", "type": "string" }, @@ -68348,6 +71353,11 @@ "title": "EnableDns64", "type": "boolean" }, + "Ipv4NetmaskLength": { + "markdownDescription": "An IPv4 netmask length for the subnet.", + "title": "Ipv4NetmaskLength", + "type": "number" + }, "Ipv6CidrBlock": { "markdownDescription": "The IPv6 CIDR block.\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify `Ipv6CidrBlock` .", "title": "Ipv6CidrBlock", @@ -68358,8 +71368,13 @@ "title": "Ipv6Native", "type": "boolean" }, + "Ipv6NetmaskLength": { + "markdownDescription": "An IPv6 netmask length for the subnet.", + "title": "Ipv6NetmaskLength", + "type": "number" + }, "MapPublicIpOnLaunch": { - "markdownDescription": "Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is `false` .", + "markdownDescription": "Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is `false` .\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "title": "MapPublicIpOnLaunch", "type": "boolean" }, 
@@ -68470,7 +71485,7 @@ "additionalProperties": false, "properties": { "Ipv6CidrBlock": { - "markdownDescription": "The IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 prefix length.\n\nThis parameter is required for an IPv6 only subnet.", + "markdownDescription": "The IPv6 network range for the subnet, in CIDR notation. This parameter is required for an IPv6 only subnet.", "title": "Ipv6CidrBlock", "type": "string" }, @@ -68915,7 +71930,7 @@ "type": "string" }, "PacketLength": { - "markdownDescription": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.", + "markdownDescription": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.\n\nFor sessions with Network Load Balancer (NLB) Traffic Mirror targets the default `PacketLength` will be set to 8500. Valid values are 1-8500. Setting a `PacketLength` greater than 8500 will result in an error response.", "title": "PacketLength", "type": "number" }, 
@@ -69299,6 +72314,11 @@ "markdownDescription": "Enable or disable IPv6 support. The default is `disable` .", "title": "Ipv6Support", "type": "string" + }, + "SecurityGroupReferencingSupport": { + "markdownDescription": "Enables you to reference a security group across VPCs attached to a transit gateway (TGW). Use this option to simplify security group management and control of instance-to-instance traffic across VPCs that are connected by transit gateway. You can also use this option to migrate from VPC peering (which was the only option that supported security group referencing) to transit gateways (which now also support security group referencing). This option is disabled by default and there are no additional costs to use this feature.\n\nFor important information about this feature, see [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw) in the *AWS Transit Gateway Guide* .", + "title": "SecurityGroupReferencingSupport", + "type": "string" } }, "type": "object" @@ -70409,7 +73429,7 @@ "additionalProperties": false, "properties": { "AmazonProvidedIpv6CidrBlock": { - "markdownDescription": "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IPv6 addresses, or the size of the CIDR block.", + "markdownDescription": "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IPv6 addresses or the size of the CIDR block.", "title": "AmazonProvidedIpv6CidrBlock", "type": "boolean" }, @@ -71531,7 +74551,9 @@ "type": "array" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessEndpoint.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessEndpoint.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { 
@@ -71632,9 +74654,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -71691,7 +74717,9 @@ "type": "boolean" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessGroup.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessGroup.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -71737,9 +74765,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -71786,11 +74818,13 @@ "type": "string" }, "FipsEnabled": { + "markdownDescription": "Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.", + "title": "FipsEnabled", "type": "boolean" }, "LoggingConfigurations": { "$ref": "#/definitions/AWS::EC2::VerifiedAccessInstance.VerifiedAccessLogs", - "markdownDescription": "The current logging configuration for the Verified Access instances.", + "markdownDescription": "The logging configuration for the Verified Access instances.", "title": "LoggingConfigurations" }, "Tags": { 
@@ -71907,7 +74941,7 @@ "title": "CloudWatchLogs" }, "IncludeTrustContext": { - "markdownDescription": "Include trust data sent by trust providers into the logs.", + "markdownDescription": "Indicates whether to include trust data sent by trust providers in the logs.", "title": "IncludeTrustContext", "type": "boolean" }, @@ -71917,7 +74951,7 @@ "title": "KinesisDataFirehose" }, "LogVersion": { - "markdownDescription": "The logging version to use.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", + "markdownDescription": "The logging version.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", "title": "LogVersion", "type": "string" }, @@ -72021,7 +75055,9 @@ "type": "string" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessTrustProvider.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessTrustProvider.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -72072,6 +75108,11 @@ "AWS::EC2::VerifiedAccessTrustProvider.DeviceOptions": { "additionalProperties": false, "properties": { + "PublicSigningKeyUrl": { + "markdownDescription": "The URL AWS Verified Access will use to verify the authenticity of the device tokens.", + "title": "PublicSigningKeyUrl", + "type": "string" + }, "TenantId": { "markdownDescription": "The ID of the tenant application with the device-identity provider.", "title": "TenantId", @@ -72125,9 +75166,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, 
@@ -72184,7 +75229,7 @@ "type": "boolean" }, "Iops": { - "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000-16,000 IOPS\n- `io1` : 100-64,000 IOPS\n- `io2` : 100-64,000 IOPS\n\n`io1` and `io2` volumes support up to 64,000 IOPS only on [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . Other instance families support performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", + "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", "title": "Iops", "type": "number" }, 
@@ -72204,7 +75249,7 @@ "type": "string" }, "Size": { - "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", + "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", "title": "Size", "type": "number" }, @@ -72373,7 +75418,7 @@ "properties": { "RepositoryCatalogData": { "$ref": "#/definitions/AWS::ECR::PublicRepository.RepositoryCatalogData", - "markdownDescription": "", + "markdownDescription": "The details about the repository that are publicly visible in the Amazon ECR Public Gallery. For more information, see [Amazon ECR Public repository catalog data](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-catalog-data.html) in the *Amazon ECR Public User Guide* .", "title": "RepositoryCatalogData" }, "RepositoryName": { 
@@ -72489,11 +75534,21 @@ "Properties": { "additionalProperties": false, "properties": { + "CredentialArn": { + "markdownDescription": "The ARN of the Secrets Manager secret associated with the pull through cache rule.", + "title": "CredentialArn", + "type": "string" + }, "EcrRepositoryPrefix": { "markdownDescription": "The Amazon ECR repository prefix associated with the pull through cache rule.", "title": "EcrRepositoryPrefix", "type": "string" }, + "UpstreamRegistry": { + "markdownDescription": "The name of the upstream source registry associated with the pull through cache rule.", + "title": "UpstreamRegistry", + "type": "string" + }, "UpstreamRegistryUrl": { "markdownDescription": "The upstream registry URL associated with the pull through cache rule.", "title": "UpstreamRegistryUrl", @@ -72774,6 +75829,8 @@ "additionalProperties": false, "properties": { "EmptyOnDelete": { + "markdownDescription": "If true, deleting the repository force deletes the contents of the repository. If false, the repository must be empty before attempting to delete it.", + "title": "EmptyOnDelete", "type": "boolean" }, "EncryptionConfiguration": { @@ -72967,10 +76024,15 @@ "additionalProperties": false, "properties": { "AutoScalingGroupArn": { - "markdownDescription": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group.", + "markdownDescription": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group, or the Auto Scaling group name.", "title": "AutoScalingGroupArn", "type": "string" }, + "ManagedDraining": { + "markdownDescription": "", + "title": "ManagedDraining", + "type": "string" + }, "ManagedScaling": { "$ref": "#/definitions/AWS::ECS::CapacityProvider.ManagedScaling", "markdownDescription": "The managed scaling settings for the Auto Scaling group capacity provider.", 
@@ -72996,7 +76058,7 @@ "type": "number" }, "MaximumScalingStepSize": { - "markdownDescription": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `1` is used.", + "markdownDescription": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `10000` is used.", "title": "MaximumScalingStepSize", "type": "number" }, 
@@ -73227,7 +76289,7 @@ "additionalProperties": false, "properties": { "Namespace": { - "markdownDescription": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the service with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", + "markdownDescription": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. 
The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the cluster with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", "title": "Namespace", "type": "string" } 
@@ -73756,12 +76818,12 @@ "type": "number" }, "LoadBalancerName": { - "markdownDescription": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", + "markdownDescription": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nIf you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", "title": "LoadBalancerName", "type": "string" }, "TargetGroupArn": { - "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . 
Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", + "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", "title": "TargetGroupArn", "type": "string" } 
@@ -73896,7 +76958,7 @@ }, "LogConfiguration": { "$ref": "#/definitions/AWS::ECS::Service.LogConfiguration", - "markdownDescription": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the valid values below). Additional log drivers may be available in future releases of the Amazon ECS container agent.\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. 
For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", + "markdownDescription": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. 
Additional log drivers may be available in future releases of the Amazon ECS container agent.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", "title": "LogConfiguration" }, "Namespace": { 
@@ -74063,7 +77125,7 @@ "type": "string" }, "PidMode": { - "markdownDescription": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . If `host` is specified, then all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance. If `task` is specified, all containers within the specified task share the same process namespace. If no value is specified, the default is a private namespace. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, be aware that there is a heightened risk of undesired process namespace expose. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers or tasks run on AWS Fargate .", + "markdownDescription": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . On Fargate for Linux containers, the only valid value is `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. 
For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, there's a heightened risk of undesired process namespace exposure. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "title": "PidMode", "type": "string" }, 
@@ -74378,7 +77440,7 @@ "items": { "$ref": "#/definitions/AWS::ECS::TaskDefinition.SystemControl" }, - "markdownDescription": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers.", + "markdownDescription": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) . For example, you can configure `net.ipv4.tcp_keepalive_time` setting to maintain longer lived connections.\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. 
For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers. > This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "title": "SystemControls", "type": "array" }, 
@@ -74801,7 +77863,7 @@ "additionalProperties": false, "properties": { "AppProtocol": { - "markdownDescription": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", + "markdownDescription": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\n`appProtocol` is immutable in a Service Connect service. 
Updating this field requires a service deletion and redeployment.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", "title": "AppProtocol", "type": "string" }, 
@@ -74811,12 +77873,12 @@ "type": "number" }, "ContainerPortRange": { - "markdownDescription": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call 
[`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", + "markdownDescription": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPortRange` is set to the same value as the `containerPortRange` . 
This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call [`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", "title": "ContainerPortRange", "type": "string" }, "HostPort": { - "markdownDescription": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. 
This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. 
Automatically assigned ports aren't included in the 100 reserved ports quota.", + "markdownDescription": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 (Linux) or 49152 through 65535 (Windows) is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. 
The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.", "title": "HostPort", "type": "number" }, @@ -74826,7 +77888,7 @@ "type": "string" }, "Protocol": { - "markdownDescription": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` .", + "markdownDescription": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` . `protocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment.", "title": "Protocol", "type": "string" } @@ -74936,7 +77998,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value for the namespaced kernel parameter that's specified in `namespace` .", + "markdownDescription": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"`\n\nAll of these values are supported by Fargate.", "title": "Value", "type": "string" } 
@@ -75034,7 +78096,7 @@ "title": "Host" }, "Name": { - "markdownDescription": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .", + "markdownDescription": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .\n\nThis is required wwhen you use an Amazon EFS volume.", "title": "Name", "type": "string" } 
@@ -75221,7 +78283,7 @@ "type": "number" }, "TargetGroupArn": { - "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", + "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. 
For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", "title": "TargetGroupArn", "type": "string" } @@ -75341,7 +78403,7 @@ }, "RootDirectory": { "$ref": "#/definitions/AWS::EFS::AccessPoint.RootDirectory", - "markdownDescription": "The directory on the Amazon EFS file system that the access point exposes as the root directory to NFS clients using the access point.", + "markdownDescription": "The directory on the EFS file system that the access point exposes as the root directory to NFS clients using the access point.", "title": "RootDirectory" } }, 
@@ -75493,7 +78555,7 @@ "additionalProperties": false, "properties": { "AvailabilityZoneName": { - "markdownDescription": "Used to create a file system that uses One Zone storage classes. It specifies the AWS Availability Zone in which to create the file system. Use the format `us-east-1a` to specify the Availability Zone. For more information about One Zone storage classes, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone storage classes are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", + "markdownDescription": "Used to create a One Zone file system. It specifies the AWS Availability Zone in which to create the file system. Use the format `us-east-1a` to specify the Availability Zone. For more information about One Zone file systems, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone file systems are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", "title": "AvailabilityZoneName", "type": "string" }, @@ -75517,6 +78579,11 @@ "title": "FileSystemPolicy", "type": "object" }, + "FileSystemProtection": { + "$ref": "#/definitions/AWS::EFS::FileSystem.FileSystemProtection", + "markdownDescription": "Describes the protection on the file system.", + "title": "FileSystemProtection" + }, "FileSystemTags": { "items": { "$ref": "#/definitions/AWS::EFS::FileSystem.ElasticFileSystemTag" 
@@ -75539,7 +78606,7 @@ "type": "array" }, "PerformanceMode": { - "markdownDescription": "The performance mode of the file system. We recommend `generalPurpose` performance mode for most file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created.\n\n> The `maxIO` mode is not supported on file systems using One Zone storage classes. \n\nDefault is `generalPurpose` .", + "markdownDescription": "The Performance mode of the file system. We recommend `generalPurpose` performance mode for all file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The `maxIO` mode is not supported on One Zone file systems.\n\n> Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. \n\nDefault is `generalPurpose` .", "title": "PerformanceMode", "type": "string" }, 
@@ -75549,10 +78616,12 @@ "type": "number" }, "ReplicationConfiguration": { - "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationConfiguration" + "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationConfiguration", + "markdownDescription": "Describes the replication configuration for a specific file system.", + "title": "ReplicationConfiguration" }, "ThroughputMode": { - "markdownDescription": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `elastic` .", + "markdownDescription": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's Provisioned throughput or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `bursting` .", "title": "ThroughputMode", "type": "string" } 
@@ -75613,16 +78682,32 @@ ], "type": "object" }, + "AWS::EFS::FileSystem.FileSystemProtection": { + "additionalProperties": false, + "properties": { + "ReplicationOverwriteProtection": { + "markdownDescription": "", + "title": "ReplicationOverwriteProtection", + "type": "string" + } + }, + "type": "object" + }, "AWS::EFS::FileSystem.LifecyclePolicy": { "additionalProperties": false, "properties": { + "TransitionToArchive": { + "markdownDescription": "The number of days after files were last accessed in primary storage (the Standard storage class) files at which to move them to Archive storage. Metadata operations such as listing the contents of a directory don't count as file access events.", + "title": "TransitionToArchive", + "type": "string" + }, "TransitionToIA": { - "markdownDescription": "Describes the period of time that a file is not accessed, after which it transitions to IA storage. Metadata operations such as listing the contents of a directory don't count as file access events.", + "markdownDescription": "The number of days after files were last accessed in primary storage (the Standard storage class) at which to move them to Infrequent Access (IA) storage. Metadata operations such as listing the contents of a directory don't count as file access events.", "title": "TransitionToIA", "type": "string" }, "TransitionToPrimaryStorageClass": { - "markdownDescription": "Describes when to transition a file from IA storage to primary storage. Metadata operations such as listing the contents of a directory don't count as file access events.", + "markdownDescription": "Whether to move files back to primary (Standard) storage after they are accessed in IA or Archive storage. Metadata operations such as listing the contents of a directory don't count as file access events.", "title": "TransitionToPrimaryStorageClass", "type": "string" } 
@@ -75636,6 +78721,8 @@ "items": { "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationDestination" }, + "markdownDescription": "An array of destination objects. Only one destination object is supported.", + "title": "Destinations", "type": "array" } }, @@ -75645,15 +78732,23 @@ "additionalProperties": false, "properties": { "AvailabilityZoneName": { + "markdownDescription": "The AWS Availability Zone in which to create the file system.\n\n> For file systems using One Zone storage classes, the replication configuration must specify the Availability Zone in which the destination file system is located. \n\nUse the format `us-east-1a` to specify the Availability Zone. For more information about One Zone storage classes, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone storage classes are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", + "title": "AvailabilityZoneName", "type": "string" }, "FileSystemId": { + "markdownDescription": "The ID of the destination Amazon EFS file system.", + "title": "FileSystemId", "type": "string" }, "KmsKeyId": { + "markdownDescription": "The ID of an AWS KMS key used to protect the encrypted file system.", + "title": "KmsKeyId", "type": "string" }, "Region": { + "markdownDescription": "The AWS Region in which the destination file system is located.\n\n> For file systems using Standard storage classes, the replication configuration must specify the AWS Region in which the destination file system is located.", + "title": "Region", "type": "string" } }, 
@@ -75713,7 +78808,7 @@ "type": "array" }, "SubnetId": { - "markdownDescription": "The ID of the subnet to add the mount target in. For file systems that use One Zone storage classes, use the subnet that is associated with the file system's Availability Zone.", + "markdownDescription": "The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone.", "title": "SubnetId", "type": "string" } @@ -75917,7 +79012,7 @@ }, "ResourcesVpcConfig": { "$ref": "#/definitions/AWS::EKS::Cluster.ResourcesVpcConfig", - "markdownDescription": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.\n\n> Updates require replacement of the `SecurityGroupIds` and `SubnetIds` sub-properties.", + "markdownDescription": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups. However, we recommend that you use a dedicated security group for your cluster control plane.", "title": "ResourcesVpcConfig" }, "RoleArn": { 
@@ -76715,6 +79810,99 @@ }, "type": "object" }, + "AWS::EKS::PodIdentityAssociation": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ClusterName": { + "markdownDescription": "The name of the cluster that the association is in.", + "title": "ClusterName", + "type": "string" + }, + "Namespace": { + "markdownDescription": "The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.", + "title": "Namespace", + "type": "string" + }, + "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.", + "title": "RoleArn", + "type": "string" + }, + "ServiceAccount": { + "markdownDescription": "The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.", + "title": "ServiceAccount", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The metadata that you apply to a resource to assist with categorization and organization. Each tag consists of a key and an optional value. 
You define both.\n\nThe following basic restrictions apply to tags:\n\n- Maximum number of tags per resource \u2013 50\n- For each resource, each tag key must be unique, and each tag key can have only one value.\n- Maximum key length \u2013 128 Unicode characters in UTF-8\n- Maximum value length \u2013 256 Unicode characters in UTF-8\n- If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.\n- Tag keys and values are case-sensitive.\n- Do not use `aws:` , `AWS:` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "ClusterName", + "Namespace", + "RoleArn", + "ServiceAccount" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::EKS::PodIdentityAssociation" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::EMR::Cluster": { "additionalProperties": false, "properties": { @@ -76770,7 +79958,7 @@ }, "AutoTerminationPolicy": { "$ref": "#/definitions/AWS::EMR::Cluster.AutoTerminationPolicy", - "markdownDescription": "", + "markdownDescription": "An auto-termination policy defines the amount of idle time in seconds after which a cluster automatically terminates. For alternative cluster termination options, see [Control cluster termination](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-termination.html)", "title": "AutoTerminationPolicy" }, "BootstrapActions": { 
@@ -76794,11 +79982,17 @@ "title": "CustomAmiId", "type": "string" }, + "EbsRootVolumeIops": { + "type": "number" + }, "EbsRootVolumeSize": { "markdownDescription": "The size, in GiB, of the Amazon EBS root device volume of the Linux AMI that is used for each Amazon EC2 instance. Available in Amazon EMR releases 4.x and later.", "title": "EbsRootVolumeSize", "type": "number" }, + "EbsRootVolumeThroughput": { + "type": "number" + }, "Instances": { "$ref": "#/definitions/AWS::EMR::Cluster.JobFlowInstancesConfig", "markdownDescription": "A specification of the number and type of Amazon EC2 instances.", @@ -76835,10 +80029,16 @@ "type": "string" }, "OSReleaseLabel": { - "markdownDescription": "", + "markdownDescription": "The Amazon Linux release specified in a cluster launch RunJobFlow request. If no Amazon Linux release was specified, the default Amazon Linux release is shown in the response.", "title": "OSReleaseLabel", "type": "string" }, + "PlacementGroupConfigs": { + "items": { + "$ref": "#/definitions/AWS::EMR::Cluster.PlacementGroupConfig" + }, + "type": "array" + }, "ReleaseLabel": { "markdownDescription": "The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster. Release labels are in the form `emr-x.x.x` , where x.x.x is an Amazon EMR release version such as `emr-5.14.0` . For more information about Amazon EMR release versions and included application versions and features, see [](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/) . The release label applies only to Amazon EMR releases version 4.0 and later. Earlier versions use `AmiVersion` .", "title": "ReleaseLabel", 
@@ -76977,7 +80177,7 @@ "additionalProperties": false, "properties": { "IdleTimeout": { - "markdownDescription": "", + "markdownDescription": "Specifies the amount of idle time in seconds after which the cluster automatically terminates. You can specify a minimum of 60 seconds and a maximum of 604800 seconds (seven days).", "title": "IdleTimeout", "type": "number" } @@ -77565,6 +80765,21 @@ ], "type": "object" }, + "AWS::EMR::Cluster.PlacementGroupConfig": { + "additionalProperties": false, + "properties": { + "InstanceRole": { + "type": "string" + }, + "PlacementStrategy": { + "type": "string" + } + }, + "required": [ + "InstanceRole" + ], + "type": "object" + }, "AWS::EMR::Cluster.PlacementType": { "additionalProperties": false, "properties": { @@ -77778,6 +80993,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -78082,6 +81299,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -78512,6 +81731,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { 
@@ -78784,11 +82005,26 @@ "title": "Description", "type": "string" }, + "EncryptionKeyArn": { + "markdownDescription": "The AWS KMS key identifier (ARN) used to encrypt Amazon EMR Studio workspace and notebook files when backed up to Amazon S3.", + "title": "EncryptionKeyArn", + "type": "string" + }, "EngineSecurityGroupId": { "markdownDescription": "The ID of the Amazon EMR Studio Engine security group. The Engine security group allows inbound network traffic from the Workspace security group, and it must be in the same VPC specified by `VpcId` .", "title": "EngineSecurityGroupId", "type": "string" }, + "IdcInstanceArn": { + "markdownDescription": "The ARN of the IAM Identity Center instance the Studio application belongs to.", + "title": "IdcInstanceArn", + "type": "string" + }, + "IdcUserAssignment": { + "markdownDescription": "Indicates whether the Studio has `REQUIRED` or `OPTIONAL` IAM Identity Center user assignment. If the value is set to `REQUIRED` , users must be explicitly assigned to the Studio application to access the Studio.", + "title": "IdcUserAssignment", + "type": "string" + }, "IdpAuthUrl": { "markdownDescription": "Your identity provider's authentication endpoint. Amazon EMR Studio redirects federated users to this endpoint for authentication when logging in to a Studio with the Studio URL.", "title": "IdpAuthUrl", 
@@ -78825,6 +82061,11 @@ "title": "Tags", "type": "array" }, + "TrustedIdentityPropagationEnabled": { + "markdownDescription": "Indicates whether the Studio has Trusted identity propagation enabled. The default value is `false` .", + "title": "TrustedIdentityPropagationEnabled", + "type": "boolean" + }, "UserRole": { "markdownDescription": "The Amazon Resource Name (ARN) of the IAM user role that will be assumed by users and groups logged in to a Studio. The permissions attached to this IAM role can be scoped down for each user or group using session policies. You only need to specify `UserRole` when you set `AuthMode` to `SSO` .", "title": "UserRole", @@ -78998,9 +82239,13 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "You can add tags when you create a new workspace. You can add, remove, or list tags from an active workspace, but you can't update tags. Instead, remove the tag and add a new one. For more information, see see [Tag your Amazon EMR WAL workspaces](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hbase-wal.html#emr-hbase-wal-tagging) .", + "title": "Tags", "type": "array" }, "WALWorkspaceName": { + "markdownDescription": "The name of the WAL workspace.", + "title": "WALWorkspaceName", "type": "string" } }, @@ -79197,7 +82442,7 @@ "additionalProperties": false, "properties": { "Architecture": { - "markdownDescription": "The CPU architecture type of the application. Allowed values: `X86_64` or `ARM64`", + "markdownDescription": "The CPU architecture of an application.", "title": "Architecture", "type": "string" }, @@ -79213,7 +82458,7 @@ }, "ImageConfiguration": { "$ref": "#/definitions/AWS::EMRServerless::Application.ImageConfigurationInput", - "markdownDescription": "", + "markdownDescription": "The image configuration applied to all worker types.", "title": "ImageConfiguration" }, "InitialCapacity": { 
@@ -79229,8 +82474,13 @@ "markdownDescription": "The maximum capacity of the application. This is cumulative across all workers at any given point in time during the lifespan of the application is created. No new resources will be created once any one of the defined limits is hit.", "title": "MaximumCapacity" }, + "MonitoringConfiguration": { + "$ref": "#/definitions/AWS::EMRServerless::Application.MonitoringConfiguration", + "markdownDescription": "A configuration specification to be used when provisioning an application. A configuration consists of a classification, properties, and optional nested configurations. A classification refers to an application-specific configuration file. Properties are the settings you want to change in that file.", + "title": "MonitoringConfiguration" + }, "Name": { - "markdownDescription": "The name of the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._\\\\/#-]+$`", + "markdownDescription": "The name of the application.", "title": "Name", "type": "string" }, 
@@ -79240,10 +82490,18 @@ "title": "NetworkConfiguration" }, "ReleaseLabel": { - "markdownDescription": "The EMR release version associated with the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._/-]+$`", + "markdownDescription": "The EMR release associated with the application.", "title": "ReleaseLabel", "type": "string" }, + "RuntimeConfiguration": { + "items": { + "$ref": "#/definitions/AWS::EMRServerless::Application.ConfigurationObject" + }, + "markdownDescription": "The [Configuration](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_Configuration.html) specifications of an application. Each configuration consists of a classification and properties. You use this parameter when creating or updating an application. To see the runtimeConfiguration object of an application, run the [GetApplication](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_GetApplication.html) API operation.", + "title": "RuntimeConfiguration", + "type": "array" + }, "Tags": { "items": { "$ref": "#/definitions/Tag" @@ -79259,7 +82517,7 @@ }, "WorkerTypeSpecifications": { "additionalProperties": false, - "markdownDescription": "", + "markdownDescription": "The specification applied to each worker type.", "patternProperties": { "^[a-zA-Z0-9]+$": { "$ref": "#/definitions/AWS::EMRServerless::Application.WorkerTypeSpecificationInput" @@ -79300,7 +82558,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "Enables the application to automatically start on job submission. Defaults to true.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" } 
@@ -79311,23 +82569,54 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "Enables the application to automatically stop after a certain amount of time being idle. Defaults to true.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" }, "IdleTimeoutMinutes": { - "markdownDescription": "The amount of idle time in minutes after which your application will automatically stop. Defaults to 15 minutes.\n\n*Minimum* : 1\n\n*Maximum* : 10080", + "markdownDescription": "", "title": "IdleTimeoutMinutes", "type": "number" } }, "type": "object" }, + "AWS::EMRServerless::Application.ConfigurationObject": { + "additionalProperties": false, + "properties": { + "Classification": { + "markdownDescription": "", + "title": "Classification", + "type": "string" + }, + "Configurations": { + "items": { + "$ref": "#/definitions/AWS::EMRServerless::Application.ConfigurationObject" + }, + "markdownDescription": "", + "title": "Configurations", + "type": "array" + }, + "Properties": { + "additionalProperties": true, + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "Classification" + ], + "type": "object" + }, "AWS::EMRServerless::Application.ImageConfigurationInput": { "additionalProperties": false, "properties": { "ImageUri": { - "markdownDescription": "", + "markdownDescription": "The URI of an image in the Amazon ECR registry. This field is required when you create a new application. If you leave this field blank in an update, Amazon EMR will remove the image configuration.", "title": "ImageUri", "type": "string" } @@ -79343,7 +82632,7 @@ "title": "WorkerConfiguration" }, "WorkerCount": { - "markdownDescription": "The number of workers in the initial capacity configuration.\n\n*Minimum* : 1\n\n*Maximum* : 1000000", + "markdownDescription": "The number of workers in the initial capacity configuration.", "title": "WorkerCount", "type": "number" } 
@@ -79358,13 +82647,13 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The worker type for an analytics framework. For Spark applications, the key can either be set to `Driver` or `Executor` . For Hive applications, it can be set to `HiveDriver` or `TezTask` .\n\n*Minimum* : 1\n\n*Maximum* : 50\n\n*Pattern* : `^[a-zA-Z]+[-_]*[a-zA-Z]+$`", + "markdownDescription": "", "title": "Key", "type": "string" }, "Value": { "$ref": "#/definitions/AWS::EMRServerless::Application.InitialCapacityConfig", - "markdownDescription": "The value for the initial capacity configuration per worker.", + "markdownDescription": "", "title": "Value" } }, 
@@ -79374,21 +82663,37 @@ ], "type": "object" }, + "AWS::EMRServerless::Application.ManagedPersistenceMonitoringConfiguration": { + "additionalProperties": false, + "properties": { + "Enabled": { + "markdownDescription": "Enables managed logging and defaults to true. If set to false, managed logging will be turned off.", + "title": "Enabled", + "type": "boolean" + }, + "EncryptionKeyArn": { + "markdownDescription": "The KMS key ARN to encrypt the logs stored in managed log persistence.", + "title": "EncryptionKeyArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::EMRServerless::Application.MaximumAllowedResources": { "additionalProperties": false, "properties": { "Cpu": { - "markdownDescription": "The maximum allowed CPU for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "markdownDescription": "The maximum allowed CPU for an application.", "title": "Cpu", "type": "string" }, "Disk": { - "markdownDescription": "The maximum allowed disk for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "markdownDescription": "The maximum allowed disk for an application.", "title": "Disk", "type": "string" }, "Memory": { - "markdownDescription": "The maximum allowed resources for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`", + "markdownDescription": "The maximum allowed resources for an application.", "title": "Memory", "type": "string" } 
@@ -79399,6 +82704,22 @@ ], "type": "object" }, + "AWS::EMRServerless::Application.MonitoringConfiguration": { + "additionalProperties": false, + "properties": { + "ManagedPersistenceMonitoringConfiguration": { + "$ref": "#/definitions/AWS::EMRServerless::Application.ManagedPersistenceMonitoringConfiguration", + "markdownDescription": "The managed log persistence configuration for a job run.", + "title": "ManagedPersistenceMonitoringConfiguration" + }, + "S3MonitoringConfiguration": { + "$ref": "#/definitions/AWS::EMRServerless::Application.S3MonitoringConfiguration", + "markdownDescription": "The Amazon S3 configuration for monitoring log publishing.", + "title": "S3MonitoringConfiguration" + } + }, + "type": "object" + }, "AWS::EMRServerless::Application.NetworkConfiguration": { "additionalProperties": false, "properties": { @@ -79406,7 +82727,7 @@ "items": { "type": "string" }, - "markdownDescription": "The array of security group Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", + "markdownDescription": "The array of security group Ids for customer VPC connectivity.", "title": "SecurityGroupIds", "type": "array" }, 
@@ -79414,28 +82735,44 @@ "items": { "type": "string" }, - "markdownDescription": "The array of subnet Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", + "markdownDescription": "The array of subnet Ids for customer VPC connectivity.", "title": "SubnetIds", "type": "array" } }, "type": "object" }, + "AWS::EMRServerless::Application.S3MonitoringConfiguration": { + "additionalProperties": false, + "properties": { + "EncryptionKeyArn": { + "markdownDescription": "The KMS key ARN to encrypt the logs published to the given Amazon S3 destination.", + "title": "EncryptionKeyArn", + "type": "string" + }, + "LogUri": { + "markdownDescription": "The Amazon S3 destination URI for log publishing.", + "title": "LogUri", + "type": "string" + } + }, + "type": "object" + }, "AWS::EMRServerless::Application.WorkerConfiguration": { "additionalProperties": false, "properties": { "Cpu": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "markdownDescription": "", "title": "Cpu", "type": "string" }, "Disk": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "markdownDescription": "", "title": "Disk", "type": "string" }, "Memory": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`", + "markdownDescription": "", "title": "Memory", "type": "string" } @@ -79451,7 +82788,7 @@ "properties": { "ImageConfiguration": { "$ref": "#/definitions/AWS::EMRServerless::Application.ImageConfigurationInput", - "markdownDescription": "", + "markdownDescription": "The image configuration for a worker type.", "title": "ImageConfiguration" } }, 
@@ -79521,12 +82858,12 @@ "type": "array" }, "CacheSubnetGroupName": { - "markdownDescription": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see [AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .", + "markdownDescription": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see `[AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .`", "title": "CacheSubnetGroupName", "type": "string" }, "ClusterName": { - "markdownDescription": "A name for the cache cluster. If you don't specify a name, AWSCloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", + "markdownDescription": "A name for the cache cluster. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. 
The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", "title": "ClusterName", "type": "string" }, @@ -80197,8 +83534,6 @@ "type": "string" }, "ReplicationGroupId": { - "markdownDescription": "The replication group identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n- A name must contain from 1 to 40 alphanumeric characters or hyphens.\n- The first character must be a letter.\n- A name cannot end with a hyphen or contain two consecutive hyphens.", - "title": "ReplicationGroupId", "type": "string" }, "SecurityGroupIds": { @@ -80553,7 +83888,7 @@ ], "type": "object" }, - "AWS::ElastiCache::SubnetGroup": { + "AWS::ElastiCache::ServerlessCache": { "additionalProperties": false, "properties": { "Condition": { 
@@ -80588,21 +83923,82 @@ "Properties": { "additionalProperties": false, "properties": { - "CacheSubnetGroupName": { - "markdownDescription": "The name for the cache subnet group. This value is stored as a lowercase string.\n\nConstraints: Must contain no more than 255 alphanumeric characters or hyphens.\n\nExample: `mysubnetgroup`", - "title": "CacheSubnetGroupName", + "CacheUsageLimits": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.CacheUsageLimits", + "markdownDescription": "The cache usage limit for the serverless cache.", + "title": "CacheUsageLimits" + }, + "DailySnapshotTime": { + "markdownDescription": "The daily time that a cache snapshot will be created. Default is NULL, i.e. snapshots will not be created at a specific time on a daily basis. Available for Redis only.", + "title": "DailySnapshotTime", "type": "string" }, "Description": { - "markdownDescription": "The description for the cache subnet group.", + "markdownDescription": "A description of the serverless cache.", "title": "Description", "type": "string" }, + "Endpoint": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.Endpoint", + "markdownDescription": "Represents the information required for client programs to connect to a cache node.", + "title": "Endpoint" + }, + "Engine": { + "markdownDescription": "The engine the serverless cache is compatible with.", + "title": "Engine", + "type": "string" + }, + "FinalSnapshotName": { + "markdownDescription": "The name of the final snapshot taken of a cache before the cache is deleted.", + "title": "FinalSnapshotName", + "type": "string" + }, + "KmsKeyId": { + "markdownDescription": "The ID of the AWS Key Management Service (KMS) key that is used to encrypt data at rest in the serverless cache.", + "title": "KmsKeyId", + "type": "string" + }, + "MajorEngineVersion": { + "markdownDescription": "The version number of the engine the serverless cache is compatible with.", + "title": "MajorEngineVersion", + "type": "string" + }, + 
"ReaderEndpoint": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.Endpoint", + "markdownDescription": "Represents the information required for client programs to connect to a cache node.", + "title": "ReaderEndpoint" + }, + "SecurityGroupIds": { + "items": { + "type": "string" + }, + "markdownDescription": "The IDs of the EC2 security groups associated with the serverless cache.", + "title": "SecurityGroupIds", + "type": "array" + }, + "ServerlessCacheName": { + "markdownDescription": "The unique identifier of the serverless cache.", + "title": "ServerlessCacheName", + "type": "string" + }, + "SnapshotArnsToRestore": { + "items": { + "type": "string" + }, + "markdownDescription": "The ARN of the snapshot from which to restore data into the new cache.", + "title": "SnapshotArnsToRestore", + "type": "array" + }, + "SnapshotRetentionLimit": { + "markdownDescription": "The current setting for the number of serverless cache snapshots the system will retain. Available for Redis only.", + "title": "SnapshotRetentionLimit", + "type": "number" + }, "SubnetIds": { "items": { "type": "string" }, - "markdownDescription": "The EC2 subnet IDs for the cache subnet group.", + "markdownDescription": "If no subnet IDs are given and your VPC is in SFO, then ElastiCache will select 2 default subnets across AZs in your VPC. For all other Regions, if no subnet IDs are given then ElastiCache will select 3 default subnets across AZs in your default VPC.", "title": "SubnetIds", "type": "array" }, 
@@ -80610,20 +84006,25 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A tag that can be added to an ElastiCache subnet group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your subnet groups. A tag with a null Value is permitted.", + "markdownDescription": "A list of tags to be added to this resource.", "title": "Tags", "type": "array" + }, + "UserGroupId": { + "markdownDescription": "The identifier of the user group associated with the serverless cache. Available for Redis only. Default is NULL.", + "title": "UserGroupId", + "type": "string" } }, "required": [ - "Description", - "SubnetIds" + "Engine", + "ServerlessCacheName" ], "type": "object" }, "Type": { "enum": [ - "AWS::ElastiCache::SubnetGroup" + "AWS::ElastiCache::ServerlessCache" ], "type": "string" }, 
@@ -80642,7 +84043,162 @@ ], "type": "object" }, - "AWS::ElastiCache::User": { + "AWS::ElastiCache::ServerlessCache.CacheUsageLimits": { + "additionalProperties": false, + "properties": { + "DataStorage": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.DataStorage", + "markdownDescription": "The maximum data storage limit in the cache, expressed in Gigabytes.", + "title": "DataStorage" + }, + "ECPUPerSecond": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.ECPUPerSecond", + "markdownDescription": "The number of ElastiCache Processing Units (ECPU) the cache can consume per second.", + "title": "ECPUPerSecond" + } + }, + "type": "object" + }, + "AWS::ElastiCache::ServerlessCache.DataStorage": { + "additionalProperties": false, + "properties": { + "Maximum": { + "markdownDescription": "The upper limit for data storage the cache is set to use.", + "title": "Maximum", + "type": "number" + }, + "Unit": { + "markdownDescription": "The unit that the storage is measured in, in GB.", + "title": "Unit", + "type": "string" + } + }, + "required": [ + "Maximum", + "Unit" + ], + "type": "object" + }, + "AWS::ElastiCache::ServerlessCache.ECPUPerSecond": { + "additionalProperties": false, + "properties": { + "Maximum": { + "markdownDescription": "The configuration for the maximum number of ECPUs the cache can consume per second.", + "title": "Maximum", + "type": "number" + } + }, + "required": [ + "Maximum" + ], + "type": "object" + }, + "AWS::ElastiCache::ServerlessCache.Endpoint": { + "additionalProperties": false, + "properties": { + "Address": { + "markdownDescription": "The DNS hostname of the cache node.", + "title": "Address", + "type": "string" + }, + "Port": { + "markdownDescription": "The port number that the cache engine is listening on.", + "title": "Port", + "type": "number" + } + }, + "type": "object" + }, + "AWS::ElastiCache::SubnetGroup": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + 
"DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "CacheSubnetGroupName": { + "markdownDescription": "The name for the cache subnet group. This value is stored as a lowercase string.\n\nConstraints: Must contain no more than 255 alphanumeric characters or hyphens.\n\nExample: `mysubnetgroup`", + "title": "CacheSubnetGroupName", + "type": "string" + }, + "Description": { + "markdownDescription": "The description for the cache subnet group.", + "title": "Description", + "type": "string" + }, + "SubnetIds": { + "items": { + "type": "string" + }, + "markdownDescription": "The EC2 subnet IDs for the cache subnet group.", + "title": "SubnetIds", + "type": "array" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "A tag that can be added to an ElastiCache subnet group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your subnet groups. A tag with a null Value is permitted.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Description", + "SubnetIds" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ElastiCache::SubnetGroup" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::ElastiCache::User": { "additionalProperties": false, "properties": { "Condition": { 
@@ -81496,16 +85052,16 @@ }, "ConnectionDrainingPolicy": { "$ref": "#/definitions/AWS::ElasticLoadBalancing::LoadBalancer.ConnectionDrainingPolicy", - "markdownDescription": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure Connection Draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure connection draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *User Guide for Classic Load Balancers* .", "title": "ConnectionDrainingPolicy" }, "ConnectionSettings": { "$ref": "#/definitions/AWS::ElasticLoadBalancing::LoadBalancer.ConnectionSettings", - "markdownDescription": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. For more information, see [Configure Idle Connection Timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. 
For more information, see [Configure idle connection timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *User Guide for Classic Load Balancers* .", "title": "ConnectionSettings" }, "CrossZone": { - "markdownDescription": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure Cross-Zone Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure cross-zone load balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *User Guide for Classic Load Balancers* .", "title": "CrossZone", "type": "boolean" }, @@ -81897,6 +85453,11 @@ "title": "LoadBalancerArn", "type": "string" }, + "MutualAuthentication": { + "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::Listener.MutualAuthentication", + "markdownDescription": "The mutual authentication configuration information.", + "title": "MutualAuthentication" + }, "Port": { "markdownDescription": "The port on which the load balancer is listening. You cannot specify a port for a Gateway Load Balancer.", "title": "Port", 
@@ -82179,6 +85740,27 @@ }, "type": "object" }, + "AWS::ElasticLoadBalancingV2::Listener.MutualAuthentication": { + "additionalProperties": false, + "properties": { + "IgnoreClientCertificateExpiry": { + "markdownDescription": "Indicates whether expired client certificates are ignored.", + "title": "IgnoreClientCertificateExpiry", + "type": "boolean" + }, + "Mode": { + "markdownDescription": "The client certificate handling method. Options are `off` , `passthrough` or `verify` . The default value is `off` .", + "title": "Mode", + "type": "string" + }, + "TrustStoreArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the trust store.", + "title": "TrustStoreArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::ElasticLoadBalancingV2::Listener.RedirectConfig": { "additionalProperties": false, "properties": { @@ -82942,7 +86524,7 @@ "items": { "type": "string" }, - "markdownDescription": "[Application Load Balancers] The IDs of the security groups for the load balancer.", + "markdownDescription": "[Application Load Balancers and Network Load Balancers] The IDs of the security groups for the load balancer.", "title": "SecurityGroups", "type": "array" }, 
@@ -83002,7 +86584,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . 
The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . 
The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. 
The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `connection_logs.s3.enabled` - Indicates whether connection logs are enabled. The value is `true` or `false` . The default is `false` .\n- `connection_logs.s3.bucket` - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `connection_logs.s3.prefix` - The prefix for the location in the S3 bucket for the connection logs.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . 
The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . 
Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .\n\nThe following attributes are supported by only Network Load Balancers:\n\n- `dns_record.client_routing_policy` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are `availability_zone_affinity` with 100 percent zonal affinity, `partial_availability_zone_affinity` with 85 percent zonal affinity, and `any_availability_zone` with 0 percent zonal affinity.", "title": "Key", "type": "string" }, 
@@ -83249,7 +86831,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. 
The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` or `least_outstanding_requests` . The default is `round_robin` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). 
The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . The default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . 
The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. 
If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` , `least_outstanding_requests` , or `weighted_random` . The default is `round_robin` .\n- `load_balancing.algorithm.anomaly_mitigation` - Only available when `load_balancing.algorithm.type` is `weighted_random` . Indicates whether anomaly mitigation is enabled. The value is `on` or `off` . 
The default is `off` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . 
If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . 
The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", "title": "Key", "type": "string" }, 
@@ -83261,6 +86843,215 @@ }, "type": "object" }, + "AWS::ElasticLoadBalancingV2::TrustStore": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "CaCertificatesBundleS3Bucket": { + "markdownDescription": "The Amazon S3 bucket for the ca certificates bundle.", + "title": "CaCertificatesBundleS3Bucket", + "type": "string" + }, + "CaCertificatesBundleS3Key": { + "markdownDescription": "The Amazon S3 path for the ca certificates bundle.", + "title": "CaCertificatesBundleS3Key", + "type": "string" + }, + "CaCertificatesBundleS3ObjectVersion": { + "markdownDescription": "The Amazon S3 object version for the ca certificates bundle. 
If undefined the current version is used.", + "title": "CaCertificatesBundleS3ObjectVersion", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of the trust store.", + "title": "Name", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags to assign to the trust store.", + "title": "Tags", + "type": "array" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ElasticLoadBalancingV2::TrustStore" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::ElasticLoadBalancingV2::TrustStoreRevocation": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "RevocationContents": { + "items": { + "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TrustStoreRevocation.RevocationContent" + }, + "markdownDescription": "The revocation file to add.", + "title": "RevocationContents", + "type": "array" + }, + "TrustStoreArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the trust store.", + "title": "TrustStoreArn", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ElasticLoadBalancingV2::TrustStoreRevocation" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + 
"AWS::ElasticLoadBalancingV2::TrustStoreRevocation.RevocationContent": { + "additionalProperties": false, + "properties": { + "RevocationType": { + "markdownDescription": "The type of revocation file.", + "title": "RevocationType", + "type": "string" + }, + "S3Bucket": { + "markdownDescription": "The Amazon S3 bucket for the revocation file.", + "title": "S3Bucket", + "type": "string" + }, + "S3Key": { + "markdownDescription": "The Amazon S3 path for the revocation file.", + "title": "S3Key", + "type": "string" + }, + "S3ObjectVersion": { + "markdownDescription": "The Amazon S3 object version of the revocation file.", + "title": "S3ObjectVersion", + "type": "string" + } + }, + "type": "object" + }, + "AWS::ElasticLoadBalancingV2::TrustStoreRevocation.TrustStoreRevocation": { + "additionalProperties": false, + "properties": { + "NumberOfRevokedEntries": { + "markdownDescription": "The number of revoked certificates.", + "title": "NumberOfRevokedEntries", + "type": "number" + }, + "RevocationId": { + "markdownDescription": "The revocation ID of the revocation file.", + "title": "RevocationId", + "type": "string" + }, + "RevocationType": { + "markdownDescription": "The type of revocation file.", + "title": "RevocationType", + "type": "string" + }, + "TrustStoreArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the trust store.", + "title": "TrustStoreArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::Elasticsearch::Domain": { "additionalProperties": false, "properties": { 
@@ -83734,33 +87525,47 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the workflow.", + "title": "Description", "type": "string" }, "IdMappingTechniques": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingTechniques" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingTechniques", + "markdownDescription": "An object which defines the `idMappingType` and the `providerProperties` .", + "title": "IdMappingTechniques" }, "InputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingWorkflowInputSource" }, + "markdownDescription": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "title": "InputSourceConfig", "type": "array" }, "OutputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingWorkflowOutputSource" }, + "markdownDescription": "A list of `IdMappingWorkflowOutputSource` objects, each of which contains fields `OutputS3Path` and `Output` .", + "title": "OutputSourceConfig", "type": "array" }, "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "title": "RoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" }, "WorkflowName": { + "markdownDescription": "The name of the workflow. There can't be multiple `IdMappingWorkflows` with the same name.", + "title": "WorkflowName", "type": "string" } }, 
@@ -83798,10 +87603,14 @@ "additionalProperties": false, "properties": { "IdMappingType": { + "markdownDescription": "The type of ID mapping.", + "title": "IdMappingType", "type": "string" }, "ProviderProperties": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.ProviderProperties" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.ProviderProperties", + "markdownDescription": "An object which defines any additional configurations required by the provider service.", + "title": "ProviderProperties" } }, "type": "object" @@ -83810,9 +87619,13 @@ "additionalProperties": false, "properties": { "InputSourceARN": { + "markdownDescription": "An AWS Glue table ARN for the input source table.", + "title": "InputSourceARN", "type": "string" }, "SchemaArn": { + "markdownDescription": "The ARN (Amazon Resource Name) that AWS Entity Resolution generated for the `SchemaMapping` .", + "title": "SchemaArn", "type": "string" } }, @@ -83826,9 +87639,13 @@ "additionalProperties": false, "properties": { "KMSArn": { + "markdownDescription": "Customer AWS KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "title": "KMSArn", "type": "string" }, "OutputS3Path": { + "markdownDescription": "The S3 path to which AWS Entity Resolution will write the output table.", + "title": "OutputS3Path", "type": "string" } }, @@ -83841,6 +87658,8 @@ "additionalProperties": false, "properties": { "IntermediateS3Path": { + "markdownDescription": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`", + "title": "IntermediateS3Path", "type": "string" } }, 
@@ -83853,18 +87672,24 @@ "additionalProperties": false, "properties": { "IntermediateSourceConfiguration": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IntermediateSourceConfiguration" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IntermediateSourceConfiguration", + "markdownDescription": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "title": "IntermediateSourceConfiguration" }, "ProviderConfiguration": { "additionalProperties": true, + "markdownDescription": "The required configuration fields to use with the provider service.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "ProviderConfiguration", "type": "object" }, "ProviderServiceArn": { + "markdownDescription": "The ARN of the provider service.", + "title": "ProviderServiceArn", "type": "string" } }, 
@@ -83909,33 +87734,47 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the workflow.", + "title": "Description", "type": "string" }, "InputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.InputSource" }, + "markdownDescription": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "title": "InputSourceConfig", "type": "array" }, "OutputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.OutputSource" }, + "markdownDescription": "A list of `OutputSource` objects, each of which contains fields `OutputS3Path` , `ApplyNormalization` , and `Output` .", + "title": "OutputSourceConfig", "type": "array" }, "ResolutionTechniques": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ResolutionTechniques" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ResolutionTechniques", + "markdownDescription": "An object which defines the `resolutionType` and the `ruleBasedProperties` .", + "title": "ResolutionTechniques" }, "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "title": "RoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" }, "WorkflowName": { + "markdownDescription": "The name of the workflow. There can't be multiple `MatchingWorkflows` with the same name.", + "title": "WorkflowName", "type": "string" } }, 
@@ -83973,12 +87812,18 @@ "additionalProperties": false, "properties": { "ApplyNormalization": { + "markdownDescription": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "title": "ApplyNormalization", "type": "boolean" }, "InputSourceARN": { + "markdownDescription": "An object containing `InputSourceARN` , `SchemaName` , and `ApplyNormalization` .", + "title": "InputSourceARN", "type": "string" }, "SchemaArn": { + "markdownDescription": "The name of the schema.", + "title": "SchemaArn", "type": "string" } }, @@ -83992,6 +87837,8 @@ "additionalProperties": false, "properties": { "IntermediateS3Path": { + "markdownDescription": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`", + "title": "IntermediateS3Path", "type": "string" } }, @@ -84004,9 +87851,13 @@ "additionalProperties": false, "properties": { "Hashed": { + "markdownDescription": "Enables the ability to hash the column values in the output.", + "title": "Hashed", "type": "boolean" }, "Name": { + "markdownDescription": "A name of a column to be written to the output. This must be an `InputField` name in the schema mapping.", + "title": "Name", "type": "string" } }, 
@@ -84019,18 +87870,26 @@ "additionalProperties": false, "properties": { "ApplyNormalization": { + "markdownDescription": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "title": "ApplyNormalization", "type": "boolean" }, "KMSArn": { + "markdownDescription": "Customer KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "title": "KMSArn", "type": "string" }, "Output": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.OutputAttribute" }, + "markdownDescription": "A list of `OutputAttribute` objects, each of which have the fields `Name` and `Hashed` . Each of these objects selects a column to be included in the output table, and whether the values of the column should be hashed.", + "title": "Output", "type": "array" }, "OutputS3Path": { + "markdownDescription": "The S3 path to which AWS Entity Resolution will write the output table.", + "title": "OutputS3Path", "type": "string" } }, 
@@ -84044,18 +87903,24 @@ "additionalProperties": false, "properties": { "IntermediateSourceConfiguration": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.IntermediateSourceConfiguration" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.IntermediateSourceConfiguration", + "markdownDescription": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "title": "IntermediateSourceConfiguration" }, "ProviderConfiguration": { "additionalProperties": true, + "markdownDescription": "The required configuration fields to use with the provider service.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "ProviderConfiguration", "type": "object" }, "ProviderServiceArn": { + "markdownDescription": "The ARN of the provider service.", + "title": "ProviderServiceArn", "type": "string" } }, @@ -84068,13 +87933,19 @@ "additionalProperties": false, "properties": { "ProviderProperties": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ProviderProperties" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ProviderProperties", + "markdownDescription": "The properties of the provider service.", + "title": "ProviderProperties" }, "ResolutionType": { + "markdownDescription": "The type of matching. There are two types of matching: `RULE_MATCHING` and `ML_MATCHING` .", + "title": "ResolutionType", "type": "string" }, "RuleBasedProperties": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.RuleBasedProperties" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.RuleBasedProperties", + "markdownDescription": "An object which defines the list of matching rules to run and has a field `Rules` , which is a list of rule objects.", + "title": "RuleBasedProperties" } }, "type": "object" 
@@ -84086,9 +87957,13 @@ "items": { "type": "string" }, + "markdownDescription": "A list of `MatchingKeys` . The `MatchingKeys` must have been defined in the `SchemaMapping` . Two records are considered to match according to this rule if all of the `MatchingKeys` match.", + "title": "MatchingKeys", "type": "array" }, "RuleName": { + "markdownDescription": "A name for the matching rule.", + "title": "RuleName", "type": "string" } }, @@ -84102,12 +87977,16 @@ "additionalProperties": false, "properties": { "AttributeMatchingModel": { + "markdownDescription": "The comparison type. You can either choose `ONE_TO_ONE` or `MANY_TO_MANY` as the AttributeMatchingModel. When choosing `MANY_TO_MANY` , the system can match attributes across the sub-types of an attribute type. For example, if the value of the `Email` field of Profile A and the value of `BusinessEmail` field of Profile B matches, the two profiles are matched on the `Email` type. When choosing `ONE_TO_ONE` ,the system can only match if the sub-types are exact matches. For example, only when the value of the `Email` field of Profile A and the value of the `Email` field of Profile B matches, the two profiles are matched on the `Email` type.", + "title": "AttributeMatchingModel", "type": "string" }, "Rules": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.Rule" }, + "markdownDescription": "A list of `Rule` objects, each of which have fields `RuleName` and `MatchingKeys` .", + "title": "Rules", "type": "array" } }, 
@@ -84153,21 +88032,29 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the schema.", + "title": "Description", "type": "string" }, "MappedInputFields": { "items": { "$ref": "#/definitions/AWS::EntityResolution::SchemaMapping.SchemaInputAttribute" }, + "markdownDescription": "A list of `MappedInputFields` . Each `MappedInputField` corresponds to a column the source data table, and contains column name plus additional information that AWS Entity Resolution uses for matching.", + "title": "MappedInputFields", "type": "array" }, "SchemaName": { + "markdownDescription": "The name of the schema. There can't be multiple `SchemaMappings` with the same name.", + "title": "SchemaName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" } }, 
@@ -84202,18 +88089,28 @@ "additionalProperties": false, "properties": { "FieldName": { + "markdownDescription": "A string containing the field name.", + "title": "FieldName", "type": "string" }, "GroupName": { + "markdownDescription": "Instruct AWS Entity Resolution to combine several columns into a unified column with the identical attribute type. For example, when working with columns such as first_name, middle_name, and last_name, assigning them a common `GroupName` will prompt AWS Entity Resolution to concatenate them into a single value.", + "title": "GroupName", "type": "string" }, "MatchKey": { + "markdownDescription": "A key that allows grouping of multiple input attributes into a unified matching group. For example, let's consider a scenario where the source table contains various addresses, such as `business_address` and `shipping_address` . By assigning the `MatchKey` *Address* to both attributes, AWS Entity Resolution will match records across these fields to create a consolidated matching group. If no `MatchKey` is specified for a column, it won't be utilized for matching purposes but will still be included in the output table.", + "title": "MatchKey", "type": "string" }, "SubType": { + "markdownDescription": "The subtype of the attribute, selected from a list of values.", + "title": "SubType", "type": "string" }, "Type": { + "markdownDescription": "The type of the attribute, selected from a list of values.", + "title": "Type", "type": "string" } }, @@ -84312,12 +88209,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } 
@@ -84408,12 +88305,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -84603,12 +88500,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -85282,6 +89179,8 @@ "type": "string" }, "Policy": { + "markdownDescription": "The permissions policy of the event bus, describing which other AWS accounts can write events to this event bus.", + "title": "Policy", "type": "object" }, "Tags": { 
@@ -85505,7 +89404,7 @@ "type": "string" }, "State": { - "markdownDescription": "The state of the rule.", + "markdownDescription": "The state of the rule.\n\nValid values include:\n\n- `DISABLED` : The rule is disabled. EventBridge does not match any events against the rule.\n- `ENABLED` : The rule is enabled. EventBridge matches events against the rule, *except* for AWS management events delivered through CloudTrail.\n- `ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS` : The rule is enabled for all events, including AWS management events delivered through CloudTrail.\n\nManagement events provide visibility into management operations that are performed on resources in your AWS account. These are also known as control plane operations. For more information, see [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#logging-management-events) in the *CloudTrail User Guide* , and [Filtering management events from AWS services](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html#eb-service-event-cloudtrail) in the *Amazon EventBridge User Guide* .\n\nThis value is only valid for rules on the [default](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is-how-it-works-concepts.html#eb-bus-concepts-buses) event bus or [custom event buses](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-event-bus.html) . It does not apply to [partner event buses](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-saas.html) .", "title": "State", "type": "string" }, 
@@ -85893,6 +89792,8 @@ "items": { "type": "string" }, + "markdownDescription": "One or more SQL statements to run. The SQL statements are run as a single transaction. They run serially in the order of the array. Subsequent SQL statements don't start until the previous statement in the array completes. If any SQL statement fails, then because they are run as one transaction, all work is rolled back.", + "title": "Sqls", "type": "array" }, "StatementName": { @@ -86189,7 +90090,7 @@ "type": "number" }, "Segment": { - "markdownDescription": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "markdownDescription": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "title": "Segment", "type": "string" }, @@ -87028,7 +90929,7 @@ "type": "string" }, "Pattern": { - "markdownDescription": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "markdownDescription": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "title": "Pattern", "type": "string" }, 
@@ -87114,17 +91015,22 @@ "type": "object" }, "Description": { - "markdownDescription": "A description for the experiment template.", + "markdownDescription": "The description for the experiment template.", "title": "Description", "type": "string" }, + "ExperimentOptions": { + "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.ExperimentTemplateExperimentOptions", + "markdownDescription": "The experiment options for an experiment template.", + "title": "ExperimentOptions" + }, "LogConfiguration": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.ExperimentTemplateLogConfiguration", "markdownDescription": "The configuration for experiment logging.", "title": "LogConfiguration" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that grants the AWS FIS service permission to perform service actions on your behalf.", + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role.", "title": "RoleArn", "type": "string" }, @@ -87132,13 +91038,13 @@ "items": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.ExperimentTemplateStopCondition" }, - "markdownDescription": "The stop conditions.", + "markdownDescription": "The stop conditions for the experiment.", "title": "StopConditions", "type": "array" }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags to apply to the experiment template.", + "markdownDescription": "The tags for the experiment template.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -87207,7 +91113,7 @@ "additionalProperties": false, "properties": { "ActionId": { - "markdownDescription": "The ID of the action. The format of the action ID is: aws: *service-name* : *action-type* .", + "markdownDescription": "The ID of the action.", "title": "ActionId", "type": "string" }, 
@@ -87218,32 +91124,28 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "The parameters for the action, if applicable.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Parameters", "type": "object" }, "StartAfter": { "items": { "type": "string" }, - "markdownDescription": "The name of the action that must be completed before the current action starts. Omit this parameter to run the action at the start of the experiment.", + "markdownDescription": "The name of the action that must be completed before the current action starts.", "title": "StartAfter", "type": "array" }, "Targets": { "additionalProperties": true, - "markdownDescription": "The targets for the action.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Targets", "type": "object" } }, @@ -87252,12 +91154,28 @@ ], "type": "object" }, + "AWS::FIS::ExperimentTemplate.ExperimentTemplateExperimentOptions": { + "additionalProperties": false, + "properties": { + "AccountTargeting": { + "markdownDescription": "The account targeting setting for an experiment template.", + "title": "AccountTargeting", + "type": "string" + }, + "EmptyTargetResolutionMode": { + "markdownDescription": "The empty target resolution mode for an experiment template.", + "title": "EmptyTargetResolutionMode", + "type": "string" + } + }, + "type": "object" + }, "AWS::FIS::ExperimentTemplate.ExperimentTemplateLogConfiguration": { "additionalProperties": false, "properties": { "CloudWatchLogsConfiguration": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.CloudWatchLogsConfiguration", - "markdownDescription": "The configuration for experiment logging to CloudWatch Logs .", + "markdownDescription": "The configuration for experiment logging to Amazon CloudWatch Logs.", "title": "CloudWatchLogsConfiguration" }, "LogSchemaVersion": { 
@@ -87267,7 +91185,7 @@ }, "S3Configuration": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.S3Configuration", - "markdownDescription": "The configuration for experiment logging to Amazon S3 .", + "markdownDescription": "The configuration for experiment logging to Amazon S3.", "title": "S3Configuration" } }, @@ -87280,12 +91198,12 @@ "additionalProperties": false, "properties": { "Source": { - "markdownDescription": "The source for the stop condition. Specify `aws:cloudwatch:alarm` if the stop condition is defined by a CloudWatch alarm. Specify `none` if there is no stop condition.", + "markdownDescription": "The source for the stop condition.", "title": "Source", "type": "string" }, "Value": { - "markdownDescription": "The Amazon Resource Name (ARN) of the CloudWatch alarm. This is required if the source is a CloudWatch alarm.", + "markdownDescription": "The Amazon Resource Name (ARN) of the CloudWatch alarm, if applicable.", "title": "Value", "type": "string" } @@ -87308,7 +91226,7 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "The parameters for the resource type.", + "markdownDescription": "The resource type parameters.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -87321,7 +91239,7 @@ "items": { "type": "string" }, - "markdownDescription": "The Amazon Resource Names (ARNs) of the resources.", + "markdownDescription": "The Amazon Resource Names (ARNs) of the targets.", "title": "ResourceArns", "type": "array" }, 
@@ -87337,12 +91255,12 @@ "type": "object" }, "ResourceType": { - "markdownDescription": "The resource type. The resource type must be supported for the specified action.", + "markdownDescription": "The resource type.", "title": "ResourceType", "type": "string" }, "SelectionMode": { - "markdownDescription": "Scopes the identified resources to a specific count of the resources at random, or a percentage of the resources. All identified resources are included in the target.\n\n- ALL - Run the action on all identified targets. This is the default.\n- COUNT(n) - Run the action on the specified number of targets, chosen from the identified targets at random. For example, COUNT(1) selects one of the targets.\n- PERCENT(n) - Run the action on the specified percentage of targets, chosen from the identified targets at random. For example, PERCENT(25) selects 25% of the targets.", + "markdownDescription": "Scopes the identified resources to a specific count or percentage.", "title": "SelectionMode", "type": "string" } 
@@ -87395,6 +91313,90 @@ ], "type": "object" }, + "AWS::FIS::TargetAccountConfiguration": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "AccountId": { + "markdownDescription": "The AWS account ID of the target account.", + "title": "AccountId", + "type": "string" + }, + "Description": { + "markdownDescription": "The description of the target account.", + "title": "Description", + "type": "string" + }, + "ExperimentTemplateId": { + "markdownDescription": "The ID of the experiment template.", + "title": "ExperimentTemplateId", + "type": "string" + }, + "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role for the target account.", + "title": "RoleArn", + "type": "string" + } + }, + "required": [ + "AccountId", + "ExperimentTemplateId", + "RoleArn" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::FIS::TargetAccountConfiguration" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::FMS::NotificationChannel": { "additionalProperties": false, "properties": { 
@@ -87555,7 +91557,7 @@ "type": "array" }, "ResourceType": { - "markdownDescription": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nFor AWS WAF and Shield Advanced, example resource types include `AWS::ElasticLoadBalancingV2::LoadBalancer` and `AWS::CloudFront::Distribution` . For a security group common policy, valid values are `AWS::EC2::NetworkInterface` and `AWS::EC2::Instance` . For a security group content audit policy, valid values are `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` . For a security group usage audit policy, the value is `AWS::EC2::SecurityGroup` . For an AWS Network Firewall policy or DNS Firewall policy, the value is `AWS::EC2::VPC` .", + "markdownDescription": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . 
To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nThe following are valid resource types for each Firewall Manager policy type:\n\n- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .\n- AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .\n- DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .\n- AWS Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .\n- Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .\n- Security group usage audit - `AWS::EC2::SecurityGroup` .", "title": "ResourceType", "type": "string" }, 
@@ -87574,7 +91576,7 @@ }, "SecurityServicePolicyData": { "$ref": "#/definitions/AWS::FMS::Policy.SecurityServicePolicyData", - "markdownDescription": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. 
Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. 
To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the 
`loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. 
If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "markdownDescription": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. 
For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucke
tName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone 
configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. 
To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment 
model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: 
`WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group 
versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. 
Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "title": "SecurityServicePolicyData" }, "Tags": { 
@@ -87710,7 +91712,7 @@ "additionalProperties": false, "properties": { "ManagedServiceData": { - "markdownDescription": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestratio
nConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\
\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": 
\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the 
`loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. 
If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. 
For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "markdownDescription": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"lo
gType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\
\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":
\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"\\THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] 
},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: 
`WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]},\\\"optimizeUnassociatedWebACL\\\":true}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group 
versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. 
Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "title": "ManagedServiceData", "type": "string" }, @@ -87801,7 +91803,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources included in the resource set.", + "markdownDescription": "", "title": "Resources", "type": "array" }, @@ -87809,7 +91811,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A collection of key:value pairs associated with a resource set. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.", + "markdownDescription": "", "title": "Tags", "type": "array" } 
@@ -88039,7 +92041,7 @@ "type": "string" }, "FileSystemTypeVersion": { - "markdownDescription": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` and `2.12` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 is supported by all Lustre deployment types. `2.12` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", + "markdownDescription": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` , `2.12` , and `2.15` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 and 2.15 are supported by all Lustre deployment types. `2.12` or `2.15` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", "title": "FileSystemTypeVersion", "type": "string" }, 
@@ -88178,7 +92180,7 @@ "additionalProperties": false, "properties": { "Iops": { - "markdownDescription": "The total number of SSD IOPS provisioned for the file system.", + "markdownDescription": "The total number of SSD IOPS provisioned for the file system.\n\nThe minimum and maximum values for this property depend on the value of `HAPairs` and `StorageCapacity` . The minimum value is calculated as `StorageCapacity` * 3 * `HAPairs` (3 IOPS per GB of `StorageCapacity` ). The maximum value is calculated as 200,000 * `HAPairs` .\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) if the value of `Iops` is outside of the minimum or maximum values.", "title": "Iops", "type": "number" }, 
@@ -88284,7 +92286,7 @@ "type": "string" }, "DeploymentType": { - "markdownDescription": "Specifies the FSx for ONTAP file system deployment type to use in creating the file system.\n\n- `MULTI_AZ_1` - (Default) A high availability file system configured for Multi-AZ redundancy to tolerate temporary Availability Zone (AZ) unavailability.\n- `SINGLE_AZ_1` - A file system configured for Single-AZ redundancy.\n\nFor information about the use cases for Multi-AZ and Single-AZ deployments, refer to [Choosing a file system deployment type](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/high-availability-AZ.html) .", + "markdownDescription": "Specifies the FSx for ONTAP file system deployment type to use in creating the file system.\n\n- `MULTI_AZ_1` - (Default) A high availability file system configured for Multi-AZ redundancy to tolerate temporary Availability Zone (AZ) unavailability.\n- `SINGLE_AZ_1` - A file system configured for Single-AZ redundancy.\n- `SINGLE_AZ_2` - A file system configured with multiple high-availability (HA) pairs for Single-AZ redundancy.\n\nFor information about the use cases for Multi-AZ and Single-AZ deployments, refer to [Choosing a file system deployment type](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/high-availability-AZ.html) .", "title": "DeploymentType", "type": "string" }, @@ -88303,6 +92305,11 @@ "title": "FsxAdminPassword", "type": "string" }, + "HAPairs": { + "markdownDescription": "", + "title": "HAPairs", + "type": "number" + }, "PreferredSubnetId": { "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", "title": "PreferredSubnetId", 
@@ -88312,15 +92319,20 @@ "items": { "type": "string" }, - "markdownDescription": "(Multi-AZ only) Specifies the virtual private cloud (VPC) route tables in which your file system's endpoints will be created. You should specify all VPC route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "markdownDescription": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", "title": "RouteTableIds", "type": "array" }, "ThroughputCapacity": { - "markdownDescription": "Sets the throughput capacity for the file system that you're creating. Valid values are 128, 256, 512, 1024, 2048, and 4096 MBps.", + "markdownDescription": "Sets the throughput capacity for the file system that you're creating in megabytes per second (MBps). For more information, see [Managing throughput capacity](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/managing-throughput-capacity.html) in the FSx for ONTAP User Guide.\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) for the following conditions:\n\n- The value of `ThroughputCapacity` and `ThroughputCapacityPerHAPair` are not the same value.\n- The value of `ThroughputCapacity` when divided by the value of `HAPairs` is outside of the valid range for `ThroughputCapacity` .", "title": "ThroughputCapacity", "type": "number" }, + "ThroughputCapacityPerHAPair": { + "markdownDescription": "", + "title": "ThroughputCapacityPerHAPair", + "type": "number" + }, "WeeklyMaintenanceStartTime": { "markdownDescription": "A recurring weekly time, in the format `D:HH:MM` .\n\n`D` is the day of the week, for which 1 represents Monday and 7 represents Sunday. 
For further details, see [the ISO-8601 spec as described on Wikipedia](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_week_date) .\n\n`HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour.\n\nFor example, `1:05:00` specifies maintenance at 5 AM Monday.", "title": "WeeklyMaintenanceStartTime", 
@@ -88356,16 +92368,18 @@ "type": "string" }, "DeploymentType": { - "markdownDescription": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `SINGLE_AZ_1` - (Default) Creates file systems with throughput capacities of 64 - 4,096 MBps. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland) AWS Regions .\n\nFor more information, see: [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", + "markdownDescription": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `MULTI_AZ_1` - Creates file systems with high availability that are configured for Multi-AZ redundancy to tolerate temporary unavailability in Availability Zones (AZs). `Multi_AZ_1` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n- `SINGLE_AZ_1` - Creates file systems with throughput capacities of 64 - 4,096 MB/s. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. 
Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n\nFor more information, see [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", "title": "DeploymentType", "type": "string" }, "DiskIopsConfiguration": { "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration", - "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", + "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP, Amazon FSx for Windows File Server, or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", "title": "DiskIopsConfiguration" }, "EndpointIpAddressRange": { + "markdownDescription": "(Multi-AZ only) Specifies the IP address range in which the endpoints to access your file system will be created. By default in the Amazon FSx API and Amazon FSx console, Amazon FSx selects an available /28 IP address range for you from one of the VPC's CIDR ranges. 
You can have overlapping endpoint IP addresses for file systems deployed in the same VPC/route tables.", + "title": "EndpointIpAddressRange", "type": "string" }, "Options": { @@ -88377,6 +92391,8 @@ "type": "array" }, "PreferredSubnetId": { + "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", + "title": "PreferredSubnetId", "type": "string" }, "RootVolumeConfiguration": { @@ -88388,10 +92404,12 @@ "items": { "type": "string" }, + "markdownDescription": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "title": "RouteTableIds", "type": "array" }, "ThroughputCapacity": { - "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n- For `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n\nYou pay for additional throughput capacity that you provision.", + "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", "title": "ThroughputCapacity", "type": "number" }, 
@@ -88550,7 +92568,9 @@ "type": "string" }, "DiskIopsConfiguration": { - "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration" + "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration", + "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for Windows file system. By default, Amazon FSx automatically provisions 3 IOPS per GiB of storage capacity. You can provision additional IOPS per GiB of storage, up to the maximum limit associated with your chosen throughput capacity.", + "title": "DiskIopsConfiguration" }, "PreferredSubnetId": { "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located. For in- AWS applications, we recommend that you launch your clients in the same availability zone as your preferred file server to reduce cross-availability zone data transfer costs and minimize latency.", 
@@ -88905,13 +92925,36 @@ ], "type": "object" }, + "AWS::FSx::Volume.AggregateConfiguration": { + "additionalProperties": false, + "properties": { + "Aggregates": { + "items": { + "type": "string" + }, + "markdownDescription": "The list of aggregates that this volume resides on. Aggregates are storage pools which make up your primary storage tier. Each high-availability (HA) pair has one aggregate. The names of the aggregates map to the names of the aggregates in the ONTAP CLI and REST API. For FlexVols, there will always be a single entry.\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) for the following conditions:\n\n- The strings in the value of `Aggregates` are not are not formatted as `aggrX` , where X is a number between 1 and 6.\n- The value of `Aggregates` contains aggregates that are not present.\n- One or more of the aggregates supplied are too close to the volume limit to support adding more volumes.", + "title": "Aggregates", + "type": "array" + }, + "ConstituentsPerAggregate": { + "markdownDescription": "", + "title": "ConstituentsPerAggregate", + "type": "number" + } + }, + "type": "object" + }, "AWS::FSx::Volume.AutocommitPeriod": { "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Defines the type of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. Setting this value to `NONE` disables autocommit. The default value is `NONE` .", + "title": "Type", "type": "string" }, "Value": { + "markdownDescription": "Defines the amount of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. The following ranges are valid:\n\n- `Minutes` : 5 - 65,535\n- `Hours` : 1 - 65,535\n- `Days` : 1 - 3,650\n- `Months` : 1 - 120\n- `Years` : 1 - 10", + "title": "Value", "type": "number" } }, 
@@ -88963,6 +93006,11 @@ "AWS::FSx::Volume.OntapConfiguration": { "additionalProperties": false, "properties": { + "AggregateConfiguration": { + "$ref": "#/definitions/AWS::FSx::Volume.AggregateConfiguration", + "markdownDescription": "", + "title": "AggregateConfiguration" + }, "CopyTagsToBackups": { "markdownDescription": "A boolean flag indicating whether tags for the volume should be copied to backups. This value defaults to false. If it's set to true, all tags for the volume are copied to all automatic and user-initiated backups where the user doesn't specify tags. If this value is true, and you specify one or more tags, only the specified tags are copied to backups. If you specify one or more tags when creating a user-initiated backup, no tags are copied from the volume, regardless of this value.", "title": "CopyTagsToBackups", 
@@ -88983,13 +93031,20 @@ "title": "SecurityStyle", "type": "string" }, + "SizeInBytes": { + "markdownDescription": "", + "title": "SizeInBytes", + "type": "string" + }, "SizeInMegabytes": { "markdownDescription": "Specifies the size of the volume, in megabytes (MB), that you are creating.", "title": "SizeInMegabytes", "type": "string" }, "SnaplockConfiguration": { - "$ref": "#/definitions/AWS::FSx::Volume.SnaplockConfiguration" + "$ref": "#/definitions/AWS::FSx::Volume.SnaplockConfiguration", + "markdownDescription": "The SnapLock configuration object for an FSx for ONTAP SnapLock volume.", + "title": "SnaplockConfiguration" }, "SnapshotPolicy": { "markdownDescription": "Specifies the snapshot policy for the volume. There are three built-in snapshot policies:\n\n- `default` : This is the default policy. A maximum of six hourly snapshots taken five minutes past the hour. A maximum of two daily snapshots taken Monday through Saturday at 10 minutes after midnight. A maximum of two weekly snapshots taken every Sunday at 15 minutes after midnight.\n- `default-1weekly` : This policy is the same as the `default` policy except that it only retains one snapshot from the weekly schedule.\n- `none` : This policy does not take any snapshots. This policy can be assigned to volumes to prevent automatic snapshots from being taken.\n\nYou can also provide the name of a custom policy that you created with the ONTAP CLI or REST API.\n\nFor more information, see [Snapshot policies](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snapshots-ontap.html#snapshot-policies) in the *Amazon FSx for NetApp ONTAP User Guide* .", 
@@ -89010,10 +93065,14 @@ "$ref": "#/definitions/AWS::FSx::Volume.TieringPolicy", "markdownDescription": "Describes the data tiering policy for an ONTAP volume. When enabled, Amazon FSx for ONTAP's intelligent tiering automatically transitions a volume's data between the file system's primary storage and capacity pool storage based on your access patterns.\n\nValid tiering policies are the following:\n\n- `SNAPSHOT_ONLY` - (Default value) moves cold snapshots to the capacity pool storage tier.\n\n- `AUTO` - moves cold user data and snapshots to the capacity pool storage tier based on your access patterns.\n\n- `ALL` - moves all user data blocks in both the active file system and Snapshot copies to the storage pool tier.\n\n- `NONE` - keeps a volume's data in the primary storage tier, preventing it from being moved to the capacity pool tier.", "title": "TieringPolicy" + }, + "VolumeStyle": { + "markdownDescription": "", + "title": "VolumeStyle", + "type": "string" } }, "required": [ - "SizeInMegabytes", "StorageVirtualMachineId" ], "type": "object" 
@@ -89095,7 +93154,7 @@ "additionalProperties": false, "properties": { "CopyStrategy": { - "markdownDescription": "The strategy used when copying data from the snapshot to the new volume.\n\n- `CLONE` - The new volume references the data in the origin snapshot. Cloning a snapshot is faster than copying data from the snapshot to a new volume and doesn't consume disk throughput. However, the origin snapshot can't be deleted if there is a volume using its copied data.\n- `FULL_COPY` - Copies all data from the snapshot to the new volume.", + "markdownDescription": "Specifies the strategy used when copying data from the snapshot to the new volume.\n\n- `CLONE` - The new volume references the data in the origin snapshot. Cloning a snapshot is faster than copying data from the snapshot to a new volume and doesn't consume disk throughput. However, the origin snapshot can't be deleted if there is a volume using its copied data.\n- `FULL_COPY` - Copies all data from the snapshot to the new volume.\n\nSpecify this option to create the volume from a snapshot on another FSx for OpenZFS file system.\n\n> The `INCREMENTAL_COPY` option is only for updating an existing volume by using a snapshot from another FSx for OpenZFS file system. For more information, see [CopySnapshotAndUpdateVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CopySnapshotAndUpdateVolume.html) .", "title": "CopyStrategy", "type": "string" }, 
@@ -89115,9 +93174,13 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Defines the type of time for the retention period of an FSx for ONTAP SnapLock volume. Set it to one of the valid types. If you set it to `INFINITE` , the files are retained forever. If you set it to `UNSPECIFIED` , the files are retained until you set an explicit retention period.", + "title": "Type", "type": "string" }, "Value": { + "markdownDescription": "Defines the amount of time for the retention period of an FSx for ONTAP SnapLock volume. You can't set a value for `INFINITE` or `UNSPECIFIED` . For all other options, the following ranges are valid:\n\n- `Seconds` : 0 - 65,535\n- `Minutes` : 0 - 65,535\n- `Hours` : 0 - 24\n- `Days` : 0 - 365\n- `Months` : 0 - 12\n- `Years` : 0 - 100", + "title": "Value", "type": "number" } }, 
@@ -89130,21 +93193,33 @@ "additionalProperties": false, "properties": { "AuditLogVolume": { + "markdownDescription": "Enables or disables the audit log volume for an FSx for ONTAP SnapLock volume. The default value is `false` . If you set `AuditLogVolume` to `true` , the SnapLock volume is created as an audit log volume. The minimum retention period for an audit log volume is six months.\n\nFor more information, see [SnapLock audit log volumes](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/how-snaplock-works.html#snaplock-audit-log-volume) .", + "title": "AuditLogVolume", "type": "string" }, "AutocommitPeriod": { - "$ref": "#/definitions/AWS::FSx::Volume.AutocommitPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.AutocommitPeriod", + "markdownDescription": "The configuration object for setting the autocommit period of files in an FSx for ONTAP SnapLock volume.", + "title": "AutocommitPeriod" }, "PrivilegedDelete": { + "markdownDescription": "Enables, disables, or permanently disables privileged delete on an FSx for ONTAP SnapLock Enterprise volume. Enabling privileged delete allows SnapLock administrators to delete write once, read many (WORM) files even if they have active retention periods. `PERMANENTLY_DISABLED` is a terminal state. If privileged delete is permanently disabled on a SnapLock volume, you can't re-enable it. The default value is `DISABLED` .\n\nFor more information, see [Privileged delete](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html#privileged-delete) .", + "title": "PrivilegedDelete", "type": "string" }, "RetentionPeriod": { - "$ref": "#/definitions/AWS::FSx::Volume.SnaplockRetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.SnaplockRetentionPeriod", + "markdownDescription": "Specifies the retention period of an FSx for ONTAP SnapLock volume.", + "title": "RetentionPeriod" }, "SnaplockType": { + "markdownDescription": "Specifies the retention mode of an FSx for ONTAP SnapLock volume. 
After it is set, it can't be changed. You can choose one of the following retention modes:\n\n- `COMPLIANCE` : Files transitioned to write once, read many (WORM) on a Compliance volume can't be deleted until their retention periods expire. This retention mode is used to address government or industry-specific mandates or to protect against ransomware attacks. For more information, see [SnapLock Compliance](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-compliance.html) .\n- `ENTERPRISE` : Files transitioned to WORM on an Enterprise volume can be deleted by authorized users before their retention periods expire using privileged delete. This retention mode is used to advance an organization's data integrity and internal compliance or to test retention settings before using SnapLock Compliance. For more information, see [SnapLock Enterprise](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html) .", + "title": "SnaplockType", "type": "string" }, "VolumeAppendModeEnabled": { + "markdownDescription": "Enables or disables volume-append mode on an FSx for ONTAP SnapLock volume. Volume-append mode allows you to create WORM-appendable files and write data to them incrementally. The default value is `false` .\n\nFor more information, see [Volume-append mode](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/worm-state.html#worm-state-append) .", + "title": "VolumeAppendModeEnabled", "type": "string" } }, 
@@ -89157,13 +93232,19 @@ "additionalProperties": false, "properties": { "DefaultRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The retention period assigned to a write once, read many (WORM) file by default if an explicit retention period is not set for an FSx for ONTAP SnapLock volume. The default retention period must be greater than or equal to the minimum retention period and less than or equal to the maximum retention period.", + "title": "DefaultRetention" }, "MaximumRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The longest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "title": "MaximumRetention" }, "MinimumRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The shortest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "title": "MinimumRetention" } }, "required": [ @@ -89986,7 +94067,7 @@ "additionalProperties": false, "properties": { "Arn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the model.", "title": "Arn", "type": "string" } @@ -90066,7 +94147,7 @@ "type": "string" }, "Language": { - "markdownDescription": "The rule language.", + "markdownDescription": "The rule language.\n\nValid Value: DETECTORPL", "title": "Language", "type": "string" }, 
@@ -90942,12 +95023,12 @@ "type": "string" }, "OperatingSystem": { - "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> The Amazon Linux 2023 OS is not available in the China Regions. > Support is ending in 2023 for the Windows Server 2012 and Amazon Linux (AL1) operating systems. If you have active fleets using these operating systems, you can continue to create new builds using these until their end of support. All other users must use Windows Server 2016, Amazon Linux 2, or Amazon Linux 2023. For more information, including specific end-of-support dates, see the Amazon GameLift FAQs for [Windows Server](https://docs.aws.amazon.com/gamelift/faq/win2012/) and [Linux Server](https://docs.aws.amazon.com/gamelift/faq/al1/) .", + "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> If you have active fleets using the Windows Server 2012 operating system, you can continue to create new builds using this OS until October 10, 2023, when Microsoft ends its support. 
All others must use Windows Server 2016 when creating new Windows-based builds.", "title": "OperatingSystem", "type": "string" }, "ServerSdkVersion": { - "markdownDescription": "The Amazon GameLift Server SDK version used to develop your game server.", + "markdownDescription": "A server SDK version you used when integrating your game server build with Amazon GameLift. For more information see [Integrate games with custom game servers](https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html) . By default Amazon GameLift sets this value to `4.0.2` .", "title": "ServerSdkVersion", "type": "string" }, @@ -90988,22 +95069,22 @@ "additionalProperties": false, "properties": { "Bucket": { - "markdownDescription": "", + "markdownDescription": "An Amazon S3 bucket identifier. The name of the S3 bucket.\n\n> Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).", "title": "Bucket", "type": "string" }, "Key": { - "markdownDescription": "", + "markdownDescription": "The name of the zip file that contains the build files or script files.", "title": "Key", "type": "string" }, "ObjectVersion": { - "markdownDescription": "", + "markdownDescription": "A version of a stored file to retrieve, if the object versioning feature is turned on for the S3 bucket. Use this parameter to specify a specific version. If this parameter isn't set, Amazon GameLift retrieves the latest version of the file.", "title": "ObjectVersion", "type": "string" }, "RoleArn": { - "markdownDescription": "", + "markdownDescription": "The ARNfor an IAM role that allows Amazon GameLift to access the S3 bucket.", "title": "RoleArn", "type": "string" } 
@@ -91052,9 +95133,14 @@ "properties": { "AnywhereConfiguration": { "$ref": "#/definitions/AWS::GameLift::Fleet.AnywhereConfiguration", - "markdownDescription": "", + "markdownDescription": "Amazon GameLift Anywhere configuration options.", "title": "AnywhereConfiguration" }, + "ApplyCapacity": { + "markdownDescription": "Current resource capacity settings in a specified fleet or location. The location value might refer to a fleet's remote location or its home Region.\n\n*Related actions*\n\n[DescribeFleetCapacity](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeFleetCapacity.html) | [DescribeFleetLocationCapacity](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeFleetLocationCapacity.html) | [UpdateFleetCapacity](https://docs.aws.amazon.com/gamelift/latest/apireference/API_UpdateFleetCapacity.html)", + "title": "ApplyCapacity", + "type": "string" + }, "BuildId": { "markdownDescription": "A unique identifier for a build to be deployed on the new fleet. If you are deploying the fleet with a custom game build, you must specify this property. The build must have been successfully uploaded to Amazon GameLift and be in a `READY` status. This fleet setting cannot be changed once the fleet is created.", "title": "BuildId", @@ -91066,7 +95152,7 @@ "title": "CertificateConfiguration" }, "ComputeType": { - "markdownDescription": "The type of compute resource used to host your game servers. You can use your own compute resources with Amazon GameLift Anywhere or use Amazon EC2 instances with managed Amazon GameLift.", + "markdownDescription": "The type of compute resource used to host your game servers. You can use your own compute resources with Amazon GameLift Anywhere or use Amazon EC2 instances with managed Amazon GameLift. By default, this property is set to `EC2` .", "title": "ComputeType", "type": "string" }, 
@@ -91094,16 +95180,18 @@ "type": "string" }, "FleetType": { - "markdownDescription": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This property cannot be changed after the fleet is created.", + "markdownDescription": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This fleet property can't be changed after the fleet is created.", "title": "FleetType", "type": "string" }, "InstanceRoleARN": { - "markdownDescription": "A unique identifier for an IAM role that manages access to your AWS services. With an instance role ARN set, any application that runs on an instance in this fleet can assume the role, including install scripts, server processes, and daemons (background processes). Create a role or look up a role's ARN by using the [IAM dashboard](https://docs.aws.amazon.com/iam/) in the AWS Management Console . Learn more about using on-box credentials for your game servers at [Access external resources from a game server](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) . This property cannot be changed after the fleet is created.", + "markdownDescription": "A unique identifier for an IAM role with access permissions to other AWS services. Any application that runs on an instance in the fleet--including install scripts, server processes, and other processes--can use these permissions to interact with AWS resources that you own or have access to. 
For more information about using the role with your game server builds, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", "title": "InstanceRoleARN", "type": "string" }, "InstanceRoleCredentialsProvider": { + "markdownDescription": "Indicates that fleet instances maintain a shared credentials file for the IAM role defined in `InstanceRoleArn` . Shared credentials allow applications that are deployed with the game server executable to communicate with other AWS resources. This property is used only when the game server is integrated with the server SDK version 5.x. For more information about using shared credentials, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", + "title": "InstanceRoleCredentialsProvider", "type": "string" }, "Locations": { 
@@ -91162,6 +95250,14 @@ "markdownDescription": "Instructions for how to launch and maintain server processes on instances in the fleet. The runtime configuration defines one or more server process configurations, each identifying a build executable or Realtime script file and the number of processes of that type to run concurrently.\n\n> The `RuntimeConfiguration` parameter is required unless the fleet is being configured using the older parameters `ServerLaunchPath` and `ServerLaunchParameters` , which are still supported for backward compatibility.", "title": "RuntimeConfiguration" }, + "ScalingPolicies": { + "items": { + "$ref": "#/definitions/AWS::GameLift::Fleet.ScalingPolicy" + }, + "markdownDescription": "Rule that controls how a fleet is scaled. Scaling policies are uniquely identified by the combination of name and fleet ID.", + "title": "ScalingPolicies", + "type": "array" + }, "ScriptId": { "markdownDescription": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually.", "title": "ScriptId", 
@@ -91258,7 +95354,7 @@ "additionalProperties": false, "properties": { "DesiredEC2Instances": { - "markdownDescription": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits.", + "markdownDescription": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits. Changes in desired instance value can take up to 1 minute to be reflected when viewing the fleet's capacity settings.", "title": "DesiredEC2Instances", "type": "number" }, 
@@ -91339,6 +95435,76 @@ }, "type": "object" }, + "AWS::GameLift::Fleet.ScalingPolicy": { + "additionalProperties": false, + "properties": { + "ComparisonOperator": { + "markdownDescription": "Comparison operator to use when measuring a metric against the threshold value.", + "title": "ComparisonOperator", + "type": "string" + }, + "EvaluationPeriods": { + "markdownDescription": "Length of time (in minutes) the metric must be at or beyond the threshold before a scaling event is triggered.", + "title": "EvaluationPeriods", + "type": "number" + }, + "Location": { + "markdownDescription": "The fleet location.", + "title": "Location", + "type": "string" + }, + "MetricName": { + "markdownDescription": "Name of the Amazon GameLift-defined metric that is used to trigger a scaling adjustment. For detailed descriptions of fleet metrics, see [Monitor Amazon GameLift with Amazon CloudWatch](https://docs.aws.amazon.com/gamelift/latest/developerguide/monitoring-cloudwatch.html) .\n\n- *ActivatingGameSessions* -- Game sessions in the process of being created.\n- *ActiveGameSessions* -- Game sessions that are currently running.\n- *ActiveInstances* -- Fleet instances that are currently running at least one game session.\n- *AvailableGameSessions* -- Additional game sessions that fleet could host simultaneously, given current capacity.\n- *AvailablePlayerSessions* -- Empty player slots in currently active game sessions. This includes game sessions that are not currently accepting players. Reserved player slots are not included.\n- *CurrentPlayerSessions* -- Player slots in active game sessions that are being used by a player or are reserved for a player.\n- *IdleInstances* -- Active instances that are currently hosting zero game sessions.\n- *PercentAvailableGameSessions* -- Unused percentage of the total number of game sessions that a fleet could host simultaneously, given current capacity. 
Use this metric for a target-based scaling policy.\n- *PercentIdleInstances* -- Percentage of the total number of active instances that are hosting zero game sessions.\n- *QueueDepth* -- Pending game session placement requests, in any queue, where the current fleet is the top-priority destination.\n- *WaitTime* -- Current wait time for pending game session placement requests, in any queue, where the current fleet is the top-priority destination.", + "title": "MetricName", + "type": "string" + }, + "Name": { + "markdownDescription": "A descriptive label that is associated with a fleet's scaling policy. Policy names do not need to be unique.", + "title": "Name", + "type": "string" + }, + "PolicyType": { + "markdownDescription": "The type of scaling policy to create. For a target-based policy, set the parameter *MetricName* to 'PercentAvailableGameSessions' and specify a *TargetConfiguration* . For a rule-based policy set the following parameters: *MetricName* , *ComparisonOperator* , *Threshold* , *EvaluationPeriods* , *ScalingAdjustmentType* , and *ScalingAdjustment* .", + "title": "PolicyType", + "type": "string" + }, + "ScalingAdjustment": { + "markdownDescription": "Amount of adjustment to make, based on the scaling adjustment type.", + "title": "ScalingAdjustment", + "type": "number" + }, + "ScalingAdjustmentType": { + "markdownDescription": "The type of adjustment to make to a fleet's instance count.\n\n- *ChangeInCapacity* -- add (or subtract) the scaling adjustment value from the current instance count. Positive values scale up while negative values scale down.\n- *ExactCapacity* -- set the instance count to the scaling adjustment value.\n- *PercentChangeInCapacity* -- increase or reduce the current instance count by the scaling adjustment, read as a percentage. Positive values scale up while negative values scale down.", + "title": "ScalingAdjustmentType", + "type": "string" + }, + "Status": { + "markdownDescription": "Current status of the scaling policy. 
The scaling policy can be in force only when in an `ACTIVE` status. Scaling policies can be suspended for individual fleets. If the policy is suspended for a fleet, the policy status does not change.\n\n- *ACTIVE* -- The scaling policy can be used for auto-scaling a fleet.\n- *UPDATE_REQUESTED* -- A request to update the scaling policy has been received.\n- *UPDATING* -- A change is being made to the scaling policy.\n- *DELETE_REQUESTED* -- A request to delete the scaling policy has been received.\n- *DELETING* -- The scaling policy is being deleted.\n- *DELETED* -- The scaling policy has been deleted.\n- *ERROR* -- An error occurred in creating the policy. It should be removed and recreated.", + "title": "Status", + "type": "string" + }, + "TargetConfiguration": { + "$ref": "#/definitions/AWS::GameLift::Fleet.TargetConfiguration", + "markdownDescription": "An object that contains settings for a target-based scaling policy.", + "title": "TargetConfiguration" + }, + "Threshold": { + "markdownDescription": "Metric value used to trigger a scaling event.", + "title": "Threshold", + "type": "number" + }, + "UpdateStatus": { + "markdownDescription": "The current status of the fleet's scaling policies in a requested fleet location. The status `PENDING_UPDATE` indicates that an update was requested for the fleet but has not yet been completed for the location.", + "title": "UpdateStatus", + "type": "string" + } + }, + "required": [ + "MetricName", + "Name" + ], + "type": "object" + }, "AWS::GameLift::Fleet.ServerProcess": { "additionalProperties": false, "properties": { 
@@ -91348,12 +95514,12 @@ "type": "number" }, "LaunchPath": { - "markdownDescription": "The location of a game build executable or the Realtime script file that contains the `Init()` function. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"", + "markdownDescription": "The location of a game build executable or Realtime script. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"\n\n> Amazon GameLift doesn't support the use of setup scripts that launch the game executable. For custom game builds, this parameter must indicate the executable that calls the server SDK operations `initSDK()` and `ProcessReady()` .", "title": "LaunchPath", "type": "string" }, "Parameters": { - "markdownDescription": "An optional list of parameters to pass to the server executable or Realtime script on launch.", + "markdownDescription": "An optional list of parameters to pass to the server executable or Realtime script on launch.\n\nLength Constraints: Minimum length of 1. Maximum length of 1024.\n\nPattern: [A-Za-z0-9_:.+\\/\\\\\\- =@{},?'\\[\\]\"]+", "title": "Parameters", "type": "string" } 
@@ -91364,6 +95530,20 @@ ], "type": "object" }, + "AWS::GameLift::Fleet.TargetConfiguration": { + "additionalProperties": false, + "properties": { + "TargetValue": { + "markdownDescription": "Desired value to use with a target-based scaling policy. The value must be relevant for whatever metric the scaling policy is using. For example, in a policy using the metric PercentAvailableGameSessions, the target value should be the preferred size of the fleet's buffer (the percent of capacity that should be idle and ready for new game sessions).", + "title": "TargetValue", + "type": "number" + } + }, + "required": [ + "TargetValue" + ], + "type": "object" + }, "AWS::GameLift::GameServerGroup": { "additionalProperties": false, "properties": { @@ -91612,7 +95792,7 @@ }, "Destinations": { "items": { - "$ref": "#/definitions/AWS::GameLift::GameSessionQueue.Destination" + "$ref": "#/definitions/AWS::GameLift::GameSessionQueue.GameSessionQueueDestination" }, "markdownDescription": "A list of fleets and/or fleet aliases that can be used to fulfill game session placement requests in the queue. Destinations are identified by either a fleet ARN or a fleet alias ARN, and are listed in order of placement preference.", "title": "Destinations", @@ -91686,17 +95866,6 @@ ], "type": "object" }, - "AWS::GameLift::GameSessionQueue.Destination": { - "additionalProperties": false, - "properties": { - "DestinationArn": { - "markdownDescription": "The Amazon Resource Name (ARN) that is assigned to fleet or fleet alias. ARNs, which include a fleet ID or alias ID and a Region name, provide a unique identifier across all Regions.", - "title": "DestinationArn", - "type": "string" - } - }, - "type": "object" - }, "AWS::GameLift::GameSessionQueue.FilterConfiguration": { "additionalProperties": false, "properties": { 
@@ -91711,6 +95880,17 @@ }, "type": "object" }, + "AWS::GameLift::GameSessionQueue.GameSessionQueueDestination": { + "additionalProperties": false, + "properties": { + "DestinationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that is assigned to fleet or fleet alias. ARNs, which include a fleet ID or alias ID and a Region name, provide a unique identifier across all Regions.", + "title": "DestinationArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::GameLift::GameSessionQueue.PlayerLatencyPolicy": { "additionalProperties": false, "properties": { @@ -91785,7 +95965,7 @@ "additionalProperties": false, "properties": { "LocationName": { - "markdownDescription": "The location's name.", + "markdownDescription": "A descriptive name for the custom location.", "title": "LocationName", "type": "string" }, @@ -91793,7 +95973,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "A list of labels to assign to the new matchmaking configuration resource. Tags are developer-defined key-value pairs. Tagging AWS resources are useful for resource management, access management and cost allocation. For more information, see [Tagging AWS Resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Rareference* .", "title": "Tags", "type": "array" } @@ -91879,6 +96059,11 @@ "title": "BackfillMode", "type": "string" }, + "CreationTime": { + "markdownDescription": "A time stamp indicating when this data object was created. Format is a number expressed in Unix time as milliseconds (for example `\"1469498468.057\"` ).", + "title": "CreationTime", + "type": "string" + }, "CustomEventData": { "markdownDescription": "Information to add to all events related to the matchmaking configuration.", "title": "CustomEventData", 
@@ -91930,6 +96115,11 @@ "title": "RequestTimeoutSeconds", "type": "number" }, + "RuleSetArn": { + "markdownDescription": "The Amazon Resource Name ( [ARN](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html) ) associated with the GameLift matchmaking rule set resource that this configuration uses.", + "title": "RuleSetArn", + "type": "string" + }, "RuleSetName": { "markdownDescription": "A unique identifier for the matchmaking rule set to use with this configuration. You can use either the rule set name or ARN value. A matchmaking configuration can only use rule sets that are defined in the same Region.", "title": "RuleSetName", @@ -92411,7 +96601,7 @@ "type": "boolean" }, "EndpointId": { - "markdownDescription": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nAn Application Load Balancer can be either internal or internet-facing.", + "markdownDescription": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nFor cross-account endpoints, this must be the ARN of the resource.", "title": "EndpointId", "type": "string" }, @@ -92643,6 +96833,8 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "ContainsCustomDatatype", "type": "array" }, "ContainsHeader": { 
@@ -92651,6 +96843,8 @@ "type": "string" }, "CustomDatatypeConfigured": { + "markdownDescription": "Enables the custom datatype to be configured.", + "title": "CustomDatatypeConfigured", "type": "boolean" }, "Delimiter": { @@ -93106,21 +97300,29 @@ "additionalProperties": false, "properties": { "ConnectionName": { + "markdownDescription": "The name of the connection to use to connect to the Iceberg target.", + "title": "ConnectionName", "type": "string" }, "Exclusions": { "items": { "type": "string" }, + "markdownDescription": "A list of glob patterns used to exclude from the crawl. For more information, see [Catalog Tables with a Crawler](https://docs.aws.amazon.com/glue/latest/dg/add-crawler.html) .", + "title": "Exclusions", "type": "array" }, "MaximumTraversalDepth": { + "markdownDescription": "The maximum depth of Amazon S3 paths that the crawler can traverse to discover the Iceberg metadata folder in your Amazon S3 path. Used to limit the crawler run time.", + "title": "MaximumTraversalDepth", "type": "number" }, "Paths": { "items": { "type": "string" }, + "markdownDescription": "One or more Amazon S3 paths that contains Iceberg metadata folders as `s3://bucket/prefix` .", + "title": "Paths", "type": "array" } }, @@ -93274,6 +97476,8 @@ "items": { "$ref": "#/definitions/AWS::Glue::Crawler.IcebergTarget" }, + "markdownDescription": "", + "title": "IcebergTargets", "type": "array" }, "JdbcTargets": { 
@@ -93303,6 +97507,79 @@ }, "type": "object" }, + "AWS::Glue::CustomEntityType": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ContextWords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "Name": { + "type": "string" + }, + "RegexString": { + "type": "string" + }, + "Tags": { + "type": "object" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Glue::CustomEntityType" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, "AWS::Glue::DataCatalogEncryptionSettings": { "additionalProperties": false, "properties": { @@ -93626,6 +97903,8 @@ "type": "string" }, "Region": { + "markdownDescription": "Region of the target database.", + "title": "Region", "type": "string" } }, @@ -95245,7 +99524,9 @@ "type": "string" }, "OpenTableFormatInput": { - "$ref": "#/definitions/AWS::Glue::Table.OpenTableFormatInput" + "$ref": "#/definitions/AWS::Glue::Table.OpenTableFormatInput", + "markdownDescription": "A structure representing an open format table.", + "title": "OpenTableFormatInput" }, "TableInput": { "$ref": "#/definitions/AWS::Glue::Table.TableInput", 
@@ -95309,9 +99590,13 @@ "additionalProperties": false, "properties": { "MetadataOperation": { - "$ref": "#/definitions/AWS::Glue::Table.MetadataOperation" + "$ref": "#/definitions/AWS::Glue::Table.MetadataOperation", + "markdownDescription": "A required metadata operation. Can only be set to `CREATE` .", + "title": "MetadataOperation" }, "Version": { + "markdownDescription": "The table version for the Iceberg table. Defaults to 2.", + "title": "Version", "type": "string" } }, @@ -95326,7 +99611,9 @@ "additionalProperties": false, "properties": { "IcebergInput": { - "$ref": "#/definitions/AWS::Glue::Table.IcebergInput" + "$ref": "#/definitions/AWS::Glue::Table.IcebergInput", + "markdownDescription": "Specifies an `IcebergInput` structure that defines an Apache Iceberg metadata table.", + "title": "IcebergInput" } }, "type": "object" @@ -95540,6 +99827,8 @@ "type": "string" }, "Region": { + "markdownDescription": "Region of the target table.", + "title": "Region", "type": "string" } }, @@ -95968,7 +100257,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center (successor to AWS Single Sign-On) , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", + "markdownDescription": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", "title": "AuthenticationProviders", "type": "array" }, 
@@ -95991,7 +100280,7 @@ "type": "string" }, "GrafanaVersion": { - "markdownDescription": "Specifies the version of Grafana to support in the new workspace.\n\nSupported values are `8.4` and `9.4` .", + "markdownDescription": "Specifies the version of Grafana to support in the workspace. Defaults to the latest version on create (for example, 9.4), or the current version of the workspace on update.\n\nCan only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4).\n\nTo know what versions are available to upgrade to for a specific workspace, see the [ListVersions](https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html) operation.", "title": "GrafanaVersion", "type": "string" }, @@ -96031,6 +100320,11 @@ "title": "PermissionType", "type": "string" }, + "PluginAdminEnabled": { + "markdownDescription": "Whether plugin administration is enabled in the workspace. Setting to `true` allows workspace admins to install, uninstall, and update plugins from within the Grafana workspace.\n\n> This option is only valid for workspaces that support Grafana version 9 or newer.", + "title": "PluginAdminEnabled", + "type": "boolean" + }, "RoleArn": { "markdownDescription": "The IAM role that grants permissions to the AWS resources that the workspace will view data from. This role must already exist.", "title": "RoleArn", 
@@ -96285,7 +100579,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the connector definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the connector definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -96320,7 +100614,7 @@ "additionalProperties": false, "properties": { "ConnectorArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "markdownDescription": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "title": "ConnectorArn", "type": "string" }, @@ -96330,7 +100624,7 @@ "type": "string" }, "Parameters": { - "markdownDescription": "The parameters or configuration used by the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "markdownDescription": "The parameters or configuration used by the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "title": "Parameters", "type": "object" } @@ -96438,7 +100732,7 @@ "additionalProperties": false, "properties": { "ConnectorArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "markdownDescription": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "title": "ConnectorArn", "type": "string" }, 
@@ -96448,7 +100742,7 @@ "type": "string" }, "Parameters": { - "markdownDescription": "The parameters or configuration that the connector uses.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "markdownDescription": "The parameters or configuration that the connector uses.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "title": "Parameters", "type": "object" } 
@@ -96505,7 +100799,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the core definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the core definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -96737,7 +101031,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the device definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the device definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -96969,7 +101263,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the function definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the function definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -97047,13 +101341,13 @@ "additionalProperties": false, "properties": { "IsolationMode": { - "markdownDescription": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", + "markdownDescription": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . 
For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", "title": "IsolationMode", "type": "string" }, "RunAs": { "$ref": "#/definitions/AWS::Greengrass::FunctionDefinition.RunAs", - "markdownDescription": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-running-as-root) .", + "markdownDescription": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-running-as-root) .", "title": "RunAs" } }, 
@@ -97311,13 +101605,13 @@ "additionalProperties": false, "properties": { "IsolationMode": { - "markdownDescription": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", + "markdownDescription": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . 
For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", "title": "IsolationMode", "type": "string" }, "RunAs": { "$ref": "#/definitions/AWS::Greengrass::FunctionDefinitionVersion.RunAs", - "markdownDescription": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-running-as-root) .", + "markdownDescription": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-running-as-root) .", "title": "RunAs" } }, 
@@ -97476,7 +101770,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the group. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the group. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -97696,7 +101990,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the logger definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the logger definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -97940,7 +102234,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the resource definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the resource definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -98138,7 +102432,7 @@ }, "OwnerSetting": { "$ref": "#/definitions/AWS::Greengrass::ResourceDefinition.ResourceDownloadOwnerSetting", - "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "title": "OwnerSetting" }, "S3Uri": { @@ -98163,7 +102457,7 @@ }, "OwnerSetting": { "$ref": "#/definitions/AWS::Greengrass::ResourceDefinition.ResourceDownloadOwnerSetting", - "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "title": "OwnerSetting" }, "SageMakerJobArn": { 
@@ -98426,7 +102720,7 @@ }, "OwnerSetting": { "$ref": "#/definitions/AWS::Greengrass::ResourceDefinitionVersion.ResourceDownloadOwnerSetting", - "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "title": "OwnerSetting" }, "S3Uri": { @@ -98451,7 +102745,7 @@ }, "OwnerSetting": { "$ref": "#/definitions/AWS::Greengrass::ResourceDefinitionVersion.ResourceDownloadOwnerSetting", - "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "title": "OwnerSetting" }, "SageMakerJobArn": { 
@@ -98534,7 +102828,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the subscription definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the subscription definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } @@ -99636,7 +103930,7 @@ "additionalProperties": false, "properties": { "UnvalidatedJSON": { - "markdownDescription": "The decoding settings are in JSON format and define a set of steps to perform to decode the data.", + "markdownDescription": "", "title": "UnvalidatedJSON", "type": "string" } 
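Review bot: The last hunk here replaces the `UnvalidatedJSON` description with `"markdownDescription": ""`, so editors that read this schema show a blank tooltip where there used to be guidance. The same emptying happens in the following hunks for the demodulation `UnvalidatedJSON` and for `Mtu`, which loses its stated range of 1400 to 1500 and its default of 1500. The new GuardDuty `TagItem` definitions are also added with empty descriptions. If this schema is generated from upstream documentation, as its size suggests, the generator could keep the previous text whenever the upstream value is empty. Otherwise the removed line should be restored, e.g. `"markdownDescription": "The decoding settings are in JSON format and define a set of steps to perform to decode the data."`.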
@@ -99647,7 +103941,7 @@ "additionalProperties": false, "properties": { "UnvalidatedJSON": { - "markdownDescription": "The demodulation settings are in JSON format and define parameters for demodulation, for example which modulation scheme (e.g. PSK, QPSK, etc.) and matched filter to use.", + "markdownDescription": "", "title": "UnvalidatedJSON", "type": "string" } @@ -99931,7 +104225,7 @@ "title": "Address" }, "Mtu": { - "markdownDescription": "Maximum transmission unit (MTU) size in bytes of a dataflow endpoint. Valid values are between 1400 and 1500. A default value of 1500 is used if not set.", + "markdownDescription": "", "title": "Mtu", "type": "number" }, @@ -100321,9 +104615,13 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "Name of the additional configuration.", + "title": "Name", "type": "string" }, "Status": { + "markdownDescription": "Status of the additional configuration.", + "title": "Status", "type": "string" } }, @@ -100336,12 +104634,18 @@ "items": { "$ref": "#/definitions/AWS::GuardDuty::Detector.CFNFeatureAdditionalConfiguration" }, + "markdownDescription": "Information about the additional configuration of a feature in your account.", + "title": "AdditionalConfiguration", "type": "array" }, "Name": { + "markdownDescription": "Name of the feature.", + "title": "Name", "type": "string" }, "Status": { + "markdownDescription": "Status of the feature configuration.", + "title": "Status", "type": "string" } }, @@ -100419,9 +104723,13 @@ "additionalProperties": false, "properties": { "Key": { + "markdownDescription": "The tag value.", + "title": "Key", "type": "string" }, "Value": { + "markdownDescription": "The tag key.", + "title": "Value", "type": "string" } }, 
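Review bot: The descriptions added to `Key` and `Value` in the last hunk on this line are swapped: `Key` is described as "The tag value." and `Value` as "The tag key.". They should read `"markdownDescription": "The tag key."` under `Key` and `"markdownDescription": "The tag value."` under `Value`. The enclosing definition starts outside the hunk, so its name is not visible here.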
@@ -100618,7 +104926,7 @@ "additionalProperties": false, "properties": { "Criterion": { - "markdownDescription": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor a mapping of JSON criterion to their console equivalent see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . The following are the available criterion:\n\n- accountId\n- region\n- confidence\n- id\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.outpostArn\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.resourceType\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- 
service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.additionalInfo.threatListName\n- service.archived\n\nWhen this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.\n- service.resourceRole\n- severity\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.", + "markdownDescription": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor information about JSON criterion mapping to their console equivalent, see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . 
The following are the available criterion:\n\n- accountId\n- id\n- region\n- severity\n\nTo filter on the basis of severity, API and CFN use the following input list for the condition:\n\n- *Low* : `[\"1\", \"2\", \"3\"]`\n- *Medium* : `[\"4\", \"5\", \"6\"]`\n- *High* : `[\"7\", \"8\", \"9\"]`\n\nFor more information, see [Severity levels for GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity) .\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.outpostArn\n- resource.resourceType\n- resource.s3BucketDetails.publicAccess.effectivePermissions\n- resource.s3BucketDetails.name\n- resource.s3BucketDetails.tags.key\n- resource.s3BucketDetails.tags.value\n- resource.s3BucketDetails.type\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- 
service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.action.awsApiCallAction.remoteAccountDetails.affiliated\n- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.kubernetesApiCallAction.requestUri\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.protocol\n- service.action.awsApiCallAction.serviceName\n- service.action.awsApiCallAction.remoteAccountDetails.accountId\n- service.additionalInfo.threatListName\n- service.resourceRole\n- resource.eksClusterDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.namespace\n- resource.kubernetesDetails.kubernetesUserDetails.username\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix\n- service.ebsVolumeScanDetails.scanId\n- 
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash\n- resource.ecsClusterDetails.name\n- resource.ecsClusterDetails.taskDetails.containers.image\n- resource.ecsClusterDetails.taskDetails.definitionArn\n- resource.containerDetails.image\n- resource.rdsDbInstanceDetails.dbInstanceIdentifier\n- resource.rdsDbInstanceDetails.dbClusterIdentifier\n- resource.rdsDbInstanceDetails.engine\n- resource.rdsDbUserDetails.user\n- resource.rdsDbInstanceDetails.tags.key\n- resource.rdsDbInstanceDetails.tags.value\n- service.runtimeDetails.process.executableSha256\n- service.runtimeDetails.process.name\n- service.runtimeDetails.process.name\n- resource.lambdaDetails.functionName\n- resource.lambdaDetails.functionArn\n- resource.lambdaDetails.tags.key\n- resource.lambdaDetails.tags.value", "title": "Criterion", "type": "object" }, @@ -100692,7 +105000,7 @@ }, "Tags": { "items": { - "$ref": "#/definitions/Tag" + "$ref": "#/definitions/AWS::GuardDuty::IPSet.TagItem" }, "markdownDescription": "The tags to be added to a new IP set resource. Each tag consists of a key and an optional value, both of which you define.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", @@ -100700,10 +105008,9 @@ } }, "required": [ - "Activate", - "DetectorId", "Format", - "Location" + "Location", + "Name" ], "type": "object" }, 
@@ -100728,6 +105035,26 @@ ], "type": "object" }, + "AWS::GuardDuty::IPSet.TagItem": { + "additionalProperties": false, + "properties": { + "Key": { + "markdownDescription": "", + "title": "Key", + "type": "string" + }, + "Value": { + "markdownDescription": "", + "title": "Value", + "type": "string" + } + }, + "required": [ + "Key", + "Value" + ], + "type": "object" + }, "AWS::GuardDuty::Master": { "additionalProperties": false, "properties": { @@ -100774,8 +105101,6 @@ "type": "string" }, "MasterId": { - "markdownDescription": "The AWS account ID of the account designated as the GuardDuty administrator account.", - "title": "MasterId", "type": "string" } }, @@ -100857,8 +105182,6 @@ "type": "string" }, "MemberId": { - "markdownDescription": "The AWS account ID of the account to designate as a member.", - "title": "MemberId", "type": "string" }, "Message": { @@ -100962,7 +105285,7 @@ }, "Tags": { "items": { - "$ref": "#/definitions/Tag" + "$ref": "#/definitions/AWS::GuardDuty::ThreatIntelSet.TagItem" }, "markdownDescription": "The tags to be added to a new threat list resource. Each tag consists of a key and an optional value, both of which you define.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", @@ -100970,10 +105293,9 @@ } }, "required": [ - "Activate", - "DetectorId", "Format", - "Location" + "Location", + "Name" ], "type": "object" }, 
@@ -100998,80 +105320,27 @@ ], "type": "object" }, - "AWS::HealthImaging::Datastore": { + "AWS::GuardDuty::ThreatIntelSet.TagItem": { "additionalProperties": false, "properties": { - "Condition": { - "type": "string" - }, - "DeletionPolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - }, - "DependsOn": { - "anyOf": [ - { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - { - "items": { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - "type": "array" - } - ] - }, - "Metadata": { - "type": "object" - }, - "Properties": { - "additionalProperties": false, - "properties": { - "DatastoreName": { - "type": "string" - }, - "KmsKeyArn": { - "type": "string" - }, - "Tags": { - "additionalProperties": true, - "patternProperties": { - "^[a-zA-Z0-9]+$": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "Type": { - "enum": [ - "AWS::HealthImaging::Datastore" - ], + "Key": { + "markdownDescription": "", + "title": "Key", "type": "string" }, - "UpdateReplacePolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], + "Value": { + "markdownDescription": "", + "title": "Value", "type": "string" } }, "required": [ - "Type" + "Key", + "Value" ], "type": "object" }, - "AWS::HealthLake::FHIRDatastore": { + "AWS::HealthImaging::Datastore": { "additionalProperties": false, "properties": { "Condition": { 
@@ -101107,47 +105376,32 @@ "additionalProperties": false, "properties": { "DatastoreName": { - "markdownDescription": "The user generated name for the Data Store.", + "markdownDescription": "The data store name.", "title": "DatastoreName", "type": "string" }, - "DatastoreTypeVersion": { - "markdownDescription": "The FHIR version of the Data Store. The only supported version is R4.", - "title": "DatastoreTypeVersion", + "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) assigned to the Key Management Service (KMS) key for accessing encrypted data.", + "title": "KmsKeyArn", "type": "string" }, - "IdentityProviderConfiguration": { - "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration", - "markdownDescription": "", - "title": "IdentityProviderConfiguration" - }, - "PreloadDataConfig": { - "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.PreloadDataConfig", - "markdownDescription": "The preloaded data configuration for the Data Store. 
Only data preloaded from Synthea is supported.", - "title": "PreloadDataConfig" - }, - "SseConfiguration": { - "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.SseConfiguration", - "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key specified for creating a Data Store.", - "title": "SseConfiguration" - }, "Tags": { - "items": { - "$ref": "#/definitions/Tag" + "additionalProperties": true, + "markdownDescription": "The tags provided when creating a data store.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", - "type": "array" + "type": "object" } }, - "required": [ - "DatastoreTypeVersion" - ], "type": "object" }, "Type": { "enum": [ - "AWS::HealthLake::FHIRDatastore" + "AWS::HealthImaging::Datastore" ], "type": "string" }, 
@@ -101161,108 +105415,202 @@ } }, "required": [ - "Type", - "Properties" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.CreatedAt": { - "additionalProperties": false, - "properties": { - "Nanos": { - "markdownDescription": "", - "title": "Nanos", - "type": "number" - }, - "Seconds": { - "markdownDescription": "", - "title": "Seconds", - "type": "string" - } - }, - "required": [ - "Nanos", - "Seconds" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration": { - "additionalProperties": false, - "properties": { - "AuthorizationStrategy": { - "markdownDescription": "", - "title": "AuthorizationStrategy", - "type": "string" - }, - "FineGrainedAuthorizationEnabled": { - "markdownDescription": "", - "title": "FineGrainedAuthorizationEnabled", - "type": "boolean" - }, - "IdpLambdaArn": { - "markdownDescription": "", - "title": "IdpLambdaArn", - "type": "string" - }, - "Metadata": { - "markdownDescription": "", - "title": "Metadata", - "type": "string" - } - }, - "required": [ - "AuthorizationStrategy" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.KmsEncryptionConfig": { - "additionalProperties": false, - "properties": { - "CmkType": { - "markdownDescription": "The type of customer-managed-key(CMK) used for encryption. The two types of supported CMKs are customer owned CMKs and Amazon owned CMKs. 
For more information on CMK types, see [KmsEncryptionConfig](https://docs.aws.amazon.com/healthlake/latest/APIReference/API_KmsEncryptionConfig.html#HealthLake-Type-KmsEncryptionConfig-CmkType) .", - "title": "CmkType", - "type": "string" - }, - "KmsKeyId": { - "markdownDescription": "The KMS encryption key id/alias used to encrypt the Data Store contents at rest.", - "title": "KmsKeyId", - "type": "string" - } - }, - "required": [ - "CmkType" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.PreloadDataConfig": { - "additionalProperties": false, - "properties": { - "PreloadDataType": { - "markdownDescription": "The type of preloaded data. Only Synthea preloaded data is supported.", - "title": "PreloadDataType", - "type": "string" - } - }, - "required": [ - "PreloadDataType" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.SseConfiguration": { - "additionalProperties": false, - "properties": { - "KmsEncryptionConfig": { - "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.KmsEncryptionConfig", - "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key (CMK).", - "title": "KmsEncryptionConfig" - } - }, - "required": [ - "KmsEncryptionConfig" + "Type" ], "type": "object" }, - "AWS::IAM::AccessKey": { + "AWS::HealthLake::FHIRDatastore": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "DatastoreName": { + "markdownDescription": "The user generated name for the data store.", + "title": "DatastoreName", + "type": "string" + }, + 
"DatastoreTypeVersion": { + "markdownDescription": "The FHIR version of the data store. The only supported version is R4.", + "title": "DatastoreTypeVersion", + "type": "string" + }, + "IdentityProviderConfiguration": { + "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration", + "markdownDescription": "The identity provider configuration that you gave when the data store was created.", + "title": "IdentityProviderConfiguration" + }, + "PreloadDataConfig": { + "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.PreloadDataConfig", + "markdownDescription": "The preloaded data configuration for the data store. Only data preloaded from Synthea is supported.", + "title": "PreloadDataConfig" + }, + "SseConfiguration": { + "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.SseConfiguration", + "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key specified for creating a data store.", + "title": "SseConfiguration" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "DatastoreTypeVersion" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::HealthLake::FHIRDatastore" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.CreatedAt": { + "additionalProperties": false, + "properties": { + "Nanos": { + "markdownDescription": "", + "title": "Nanos", + "type": "number" + }, + "Seconds": { + "markdownDescription": "", + "title": "Seconds", + "type": "string" + } + }, + "required": [ + "Nanos", + "Seconds" + ], 
+ "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration": { + "additionalProperties": false, + "properties": { + "AuthorizationStrategy": { + "markdownDescription": "The authorization strategy that you selected when you created the data store.", + "title": "AuthorizationStrategy", + "type": "string" + }, + "FineGrainedAuthorizationEnabled": { + "markdownDescription": "If you enabled fine-grained authorization when you created the data store.", + "title": "FineGrainedAuthorizationEnabled", + "type": "boolean" + }, + "IdpLambdaArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the Lambda function that you want to use to decode the access token created by the authorization server.", + "title": "IdpLambdaArn", + "type": "string" + }, + "Metadata": { + "markdownDescription": "The JSON metadata elements that you want to use in your identity provider configuration. Required elements are listed based on the launch specification of the SMART application. For more information on all possible elements, see [Metadata](https://docs.aws.amazon.com/https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata) in SMART's App Launch specification.\n\n`authorization_endpoint` : The URL to the OAuth2 authorization endpoint.\n\n`grant_types_supported` : An array of grant types that are supported at the token endpoint. You must provide at least one grant type option. Valid options are `authorization_code` and `client_credentials` .\n\n`token_endpoint` : The URL to the OAuth2 token endpoint.\n\n`capabilities` : An array of strings of the SMART capabilities that the authorization server supports.\n\n`code_challenge_methods_supported` : An array of strings of supported PKCE code challenge methods. 
You must include the `S256` method in the array of PKCE code challenge methods.", + "title": "Metadata", + "type": "string" + } + }, + "required": [ + "AuthorizationStrategy" + ], + "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.KmsEncryptionConfig": { + "additionalProperties": false, + "properties": { + "CmkType": { + "markdownDescription": "The type of customer-managed-key(CMK) used for encryption. The two types of supported CMKs are customer owned CMKs and Amazon owned CMKs. For more information on CMK types, see [KmsEncryptionConfig](https://docs.aws.amazon.com/healthlake/latest/APIReference/API_KmsEncryptionConfig.html#HealthLake-Type-KmsEncryptionConfig-CmkType) .", + "title": "CmkType", + "type": "string" + }, + "KmsKeyId": { + "markdownDescription": "The KMS encryption key id/alias used to encrypt the data store contents at rest.", + "title": "KmsKeyId", + "type": "string" + } + }, + "required": [ + "CmkType" + ], + "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.PreloadDataConfig": { + "additionalProperties": false, + "properties": { + "PreloadDataType": { + "markdownDescription": "The type of preloaded data. Only Synthea preloaded data is supported.", + "title": "PreloadDataType", + "type": "string" + } + }, + "required": [ + "PreloadDataType" + ], + "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.SseConfiguration": { + "additionalProperties": false, + "properties": { + "KmsEncryptionConfig": { + "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.KmsEncryptionConfig", + "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key (CMK).", + "title": "KmsEncryptionConfig" + } + }, + "required": [ + "KmsEncryptionConfig" + ], + "type": "object" + }, + "AWS::IAM::AccessKey": { "additionalProperties": false, "properties": { "Condition": { 
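Review bot: The `Metadata` description added under `AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration` links to `https://docs.aws.amazon.com/https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata`, an absolute URL with the AWS documentation host prepended. As written the link cannot reach the SMART specification; the target should be `https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata`. The same prefixing appears in the three IAM policy hunks that follow, where the regex link is `https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex`. If these descriptions are produced by a conversion step, a check there that rejects any link whose path begins with `http://` or `https://` would catch all of them.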
@@ -101479,12 +105827,18 @@ "additionalProperties": false, "properties": { "GroupName": { + "markdownDescription": "The name of the group to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", + "title": "GroupName", "type": "string" }, "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" } }, 
@@ -102061,12 +106415,18 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" }, "RoleName": { + "markdownDescription": "The name of the role to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "RoleName", "type": "string" } }, 
@@ -102526,12 +106886,18 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" }, "UserName": { + "markdownDescription": "The name of the user to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "UserName", "type": "string" } }, 
@@ -102795,7 +107161,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-channel-tag.html) .", "title": "Tags", "type": "array" }, @@ -102876,7 +107242,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-playbackkeypair-tag.html) .", "title": "Tags", "type": "array" } @@ -102940,7 +107306,7 @@ "properties": { "DestinationConfiguration": { "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.DestinationConfiguration", - "markdownDescription": "A destination configuration contains information about where recorded video will be stored. See the [DestinationConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-destinationconfiguration.html) property type for more information.", + "markdownDescription": "A destination configuration contains information about where recorded video will be stored. See the DestinationConfiguration property type for more information.", "title": "DestinationConfiguration" }, "Name": { 
@@ -102954,19 +107320,21 @@ "type": "number" }, "RenditionConfiguration": { - "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.RenditionConfiguration" + "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.RenditionConfiguration", + "markdownDescription": "A rendition configuration describes which renditions should be recorded for a stream. See the RenditionConfiguration property type for more information.", + "title": "RenditionConfiguration" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-tag.html) .", "title": "Tags", "type": "array" }, "ThumbnailConfiguration": { "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.ThumbnailConfiguration", - "markdownDescription": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the [ThumbnailConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thunbnailconfiguration.html) property type for more information.", + "markdownDescription": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the ThumbnailConfiguration property type for more information.", "title": "ThumbnailConfiguration" } }, 
@@ -103011,12 +107379,16 @@ "additionalProperties": false, "properties": { "RenditionSelection": { + "markdownDescription": "The set of renditions are recorded for a stream. For `BASIC` channels, the `CUSTOM` value has no effect. If `CUSTOM` is specified, a set of renditions can be specified in the `renditions` field. Default: `ALL` .", + "title": "RenditionSelection", "type": "string" }, "Renditions": { "items": { "type": "string" }, + "markdownDescription": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "title": "Renditions", "type": "array" } }, 
@@ -103045,16 +107417,20 @@ "type": "string" }, "Resolution": { + "markdownDescription": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "title": "Resolution", "type": "string" }, "Storage": { "items": { "type": "string" }, + "markdownDescription": "The format in which thumbnails are recorded for a stream. `SEQUENTIAL` records all generated thumbnails in a serial manner, to the media/thumbnails directory. `LATEST` saves the latest thumbnail in media/thumbnails/latest/thumb.jpg and overwrites it at the interval specified by `targetIntervalSeconds` . You can enable both `SEQUENTIAL` and `LATEST` . Default: `SEQUENTIAL` .", + "title": "Storage", "type": "array" }, "TargetIntervalSeconds": { - "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 5. 
Maximum value of 60.", + "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60.", "title": "TargetIntervalSeconds", "type": "number" } @@ -103105,7 +107481,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-streamkey-tag.html) .", "title": "Tags", "type": "array" } 
@@ -103185,7 +107561,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-loggingconfiguration-tag.html) .", "title": "Tags", "type": "array" } @@ -103346,7 +107722,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-room-tag.html) .", "title": "Tags", "type": "array" } @@ -103596,7 +107972,7 @@ "additionalProperties": false, "properties": { "ChangeDescription": { - "markdownDescription": "The change description of the component. Describes what change has been made in this version, or what makes this version different from other versions of this component.", + "markdownDescription": "The change description of the component. Describes what change has been made in this version, or what makes this version different from other versions of the component.", "title": "ChangeDescription", "type": "string" }, @@ -103846,7 +108222,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::ContainerRecipe.ComponentParameter" }, - "markdownDescription": "", + "markdownDescription": "A group of parameter settings that Image Builder uses to configure the component for a specific recipe.", "title": "Parameters", "type": "array" } 
@@ -103857,7 +108233,7 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the component parameter to set.", "title": "Name", "type": "string" }, @@ -103865,7 +108241,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Sets the value for the named component parameter.", "title": "Value", "type": "array" } @@ -104161,7 +108537,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchConfiguration" }, - "markdownDescription": "", + "markdownDescription": "The Windows faster-launching configurations to use for AMI distribution.", "title": "FastLaunchConfigurations", "type": "array" }, 
@@ -104196,28 +108572,28 @@ "additionalProperties": false, "properties": { "AccountId": { - "markdownDescription": "", + "markdownDescription": "The owner account ID for the fast-launch enabled Windows AMI.", "title": "AccountId", "type": "string" }, "Enabled": { - "markdownDescription": "", + "markdownDescription": "A Boolean that represents the current state of faster launching for the Windows AMI. Set to `true` to start using Windows faster launching, or `false` to stop using it.", "title": "Enabled", "type": "boolean" }, "LaunchTemplate": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchLaunchTemplateSpecification", - "markdownDescription": "", + "markdownDescription": "The launch template that the fast-launch enabled Windows AMI uses when it launches Windows instances to create pre-provisioned snapshots.", "title": "LaunchTemplate" }, "MaxParallelLaunches": { - "markdownDescription": "", + "markdownDescription": "The maximum number of parallel instances that are launched for creating resources.", "title": "MaxParallelLaunches", "type": "number" }, "SnapshotConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchSnapshotConfiguration", - "markdownDescription": "", + "markdownDescription": "Configuration settings for managing the number of snapshots that are created from pre-provisioned instances for the Windows AMI when faster launching is enabled.", "title": "SnapshotConfiguration" } }, 
@@ -104227,17 +108603,17 @@ "additionalProperties": false, "properties": { "LaunchTemplateId": { - "markdownDescription": "", + "markdownDescription": "The ID of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateId", "type": "string" }, "LaunchTemplateName": { - "markdownDescription": "", + "markdownDescription": "The name of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateName", "type": "string" }, "LaunchTemplateVersion": { - "markdownDescription": "", + "markdownDescription": "The version of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateVersion", "type": "string" } @@ -104248,7 +108624,7 @@ "additionalProperties": false, "properties": { "TargetResourceCount": { - "markdownDescription": "", + "markdownDescription": "The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI.", "title": "TargetResourceCount", "type": "number" } @@ -104387,7 +108763,7 @@ }, "ImageScanningConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::Image.ImageScanningConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains settings for vulnerability scans.", "title": "ImageScanningConfiguration" }, "ImageTestsConfiguration": { 
@@ -104445,12 +108821,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", "title": "ContainerTags", "type": "array" }, "RepositoryName": { - "markdownDescription": "", + "markdownDescription": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images.", "title": "RepositoryName", "type": "string" } @@ -104462,11 +108838,11 @@ "properties": { "EcrConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::Image.EcrConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains Amazon ECR settings for vulnerability scans.", "title": "EcrConfiguration" }, "ImageScanningEnabled": { - "markdownDescription": "", + "markdownDescription": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image.", "title": "ImageScanningEnabled", "type": "boolean" } @@ -104551,7 +108927,7 @@ }, "ImageScanningConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::ImagePipeline.ImageScanningConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains settings for vulnerability scans.", "title": "ImageScanningConfiguration" }, "ImageTestsConfiguration": { 
@@ -104625,12 +109001,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", "title": "ContainerTags", "type": "array" }, "RepositoryName": { - "markdownDescription": "", + "markdownDescription": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images.", "title": "RepositoryName", "type": "string" } @@ -104642,11 +109018,11 @@ "properties": { "EcrConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::ImagePipeline.EcrConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains Amazon ECR settings for vulnerability scans.", "title": "EcrConfiguration" }, "ImageScanningEnabled": { - "markdownDescription": "", + "markdownDescription": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image.", "title": "ImageScanningEnabled", "type": "boolean" } @@ -105137,7 +109513,7 @@ }, "type": "object" }, - "AWS::Inspector::AssessmentTarget": { + "AWS::ImageBuilder::LifecyclePolicy": { "additionalProperties": false, "properties": { "Condition": { 
@@ -105172,22 +109548,68 @@ "Properties": { "additionalProperties": false, "properties": { - "AssessmentTargetName": { - "markdownDescription": "The name of the Amazon Inspector assessment target. The name must be unique within the AWS account .", - "title": "AssessmentTargetName", + "Description": { + "markdownDescription": "Optional description for the lifecycle policy.", + "title": "Description", "type": "string" }, - "ResourceGroupArn": { - "markdownDescription": "The ARN that specifies the resource group that is used to create the assessment target. If `resourceGroupArn` is not specified, all EC2 instances in the current AWS account and Region are included in the assessment target.", - "title": "ResourceGroupArn", + "ExecutionRole": { + "markdownDescription": "The name or Amazon Resource Name (ARN) of the IAM role that Image Builder uses to run the lifecycle policy. This is a custom role that you create.", + "title": "ExecutionRole", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of the lifecycle policy.", + "title": "Name", + "type": "string" + }, + "PolicyDetails": { + "items": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.PolicyDetail" + }, + "markdownDescription": "The configuration details for a lifecycle policy resource.", + "title": "PolicyDetails", + "type": "array" + }, + "ResourceSelection": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.ResourceSelection", + "markdownDescription": "Resource selection criteria used to run the lifecycle policy.", + "title": "ResourceSelection" + }, + "ResourceType": { + "markdownDescription": "The type of resources the lifecycle policy targets.", + "title": "ResourceType", + "type": "string" + }, + "Status": { + "markdownDescription": "Indicates whether the lifecycle policy resource is enabled.", + "title": "Status", "type": "string" + }, + "Tags": { + "additionalProperties": true, + "markdownDescription": "To help manage your lifecycle policy resources, you can 
assign your own metadata to each resource in the form of tags. Each tag consists of a key and an optional value, both of which you define.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "Tags", + "type": "object" } }, + "required": [ + "ExecutionRole", + "Name", + "PolicyDetails", + "ResourceSelection", + "ResourceType" + ], "type": "object" }, "Type": { "enum": [ - "AWS::Inspector::AssessmentTarget" + "AWS::ImageBuilder::LifecyclePolicy" ], "type": "string" }, 
@@ -105200,12 +109622,305 @@ "type": "string" } }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.Action": { + "additionalProperties": false, + "properties": { + "IncludeResources": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.IncludeResources", + "markdownDescription": "", + "title": "IncludeResources" + }, + "Type": { + "markdownDescription": "", + "title": "Type", + "type": "string" + } + }, "required": [ "Type" ], "type": "object" }, - "AWS::Inspector::AssessmentTemplate": { + "AWS::ImageBuilder::LifecyclePolicy.AmiExclusionRules": { + "additionalProperties": false, + "properties": { + "IsPublic": { + "markdownDescription": "", + "title": "IsPublic", + "type": "boolean" + }, + "LastLaunched": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.LastLaunched", + "markdownDescription": "", + "title": "LastLaunched" + }, + "Regions": { + "items": { + "type": "string" + }, + "markdownDescription": "", + "title": "Regions", + "type": "array" + }, + "SharedAccounts": { + "items": { + "type": "string" + }, + "markdownDescription": "", + "title": "SharedAccounts", + "type": "array" + }, + "TagMap": { + "additionalProperties": true, + "markdownDescription": "", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "TagMap", + "type": "object" + } + }, + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.ExclusionRules": { + "additionalProperties": false, + "properties": { + "Amis": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.AmiExclusionRules", + "markdownDescription": "", + "title": "Amis" + }, + "TagMap": { + "additionalProperties": true, + "markdownDescription": "", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "TagMap", + "type": "object" + } + }, + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.Filter": { + "additionalProperties": false, + "properties": { + 
"RetainAtLeast": { + "markdownDescription": "", + "title": "RetainAtLeast", + "type": "number" + }, + "Type": { + "markdownDescription": "", + "title": "Type", + "type": "string" + }, + "Unit": { + "markdownDescription": "", + "title": "Unit", + "type": "string" + }, + "Value": { + "markdownDescription": "", + "title": "Value", + "type": "number" + } + }, + "required": [ + "Type", + "Value" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.IncludeResources": { + "additionalProperties": false, + "properties": { + "Amis": { + "markdownDescription": "", + "title": "Amis", + "type": "boolean" + }, + "Containers": { + "markdownDescription": "", + "title": "Containers", + "type": "boolean" + }, + "Snapshots": { + "markdownDescription": "", + "title": "Snapshots", + "type": "boolean" + } + }, + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.LastLaunched": { + "additionalProperties": false, + "properties": { + "Unit": { + "markdownDescription": "", + "title": "Unit", + "type": "string" + }, + "Value": { + "markdownDescription": "", + "title": "Value", + "type": "number" + } + }, + "required": [ + "Unit", + "Value" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.PolicyDetail": { + "additionalProperties": false, + "properties": { + "Action": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.Action", + "markdownDescription": "", + "title": "Action" + }, + "ExclusionRules": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.ExclusionRules", + "markdownDescription": "", + "title": "ExclusionRules" + }, + "Filter": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.Filter", + "markdownDescription": "", + "title": "Filter" + } + }, + "required": [ + "Action", + "Filter" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.RecipeSelection": { + "additionalProperties": false, + "properties": { + "Name": { + "markdownDescription": "", + "title": "Name", + "type": "string" + }, + 
"SemanticVersion": { + "markdownDescription": "", + "title": "SemanticVersion", + "type": "string" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.ResourceSelection": { + "additionalProperties": false, + "properties": { + "Recipes": { + "items": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.RecipeSelection" + }, + "markdownDescription": "", + "title": "Recipes", + "type": "array" + }, + "TagMap": { + "additionalProperties": true, + "markdownDescription": "", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "TagMap", + "type": "object" + } + }, + "type": "object" + }, + "AWS::Inspector::AssessmentTarget": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "AssessmentTargetName": { + "markdownDescription": "The name of the Amazon Inspector assessment target. The name must be unique within the AWS account .", + "title": "AssessmentTargetName", + "type": "string" + }, + "ResourceGroupArn": { + "markdownDescription": "The ARN that specifies the resource group that is used to create the assessment target. 
If `resourceGroupArn` is not specified, all EC2 instances in the current AWS account and Region are included in the assessment target.", + "title": "ResourceGroupArn", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Inspector::AssessmentTarget" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::Inspector::AssessmentTemplate": { "additionalProperties": false, "properties": { "Condition": { 
@@ -105873,7 +110588,7 @@ "properties": { "HealthEventsConfig": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.HealthEventsConfig", - "markdownDescription": "", + "markdownDescription": "A complex type with the configuration information that determines the threshold and other conditions for when Internet Monitor creates a health event for an overall performance or availability issue, across an application's geographies.\n\nDefines the percentages, for overall performance scores and availability scores for an application, that are the thresholds for when Amazon CloudWatch Internet Monitor creates a health event. You can override the defaults to set a custom threshold for overall performance or availability scores, or both.\n\nYou can also set thresholds for local health scores,, where Internet Monitor creates a health event when scores cross a threshold for one or more city-networks, in addition to creating an event when an overall score crosses a threshold.\n\nIf you don't set a health event threshold, the default value is 95%.\n\nFor local thresholds, you also set a minimum percentage of overall traffic that is impacted by an issue before Internet Monitor creates an event. In addition, you can disable local thresholds, for performance scores, availability scores, or both.\n\nFor more information, see [Change health event thresholds](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-overview.html#IMUpdateThresholdFromOverview) in the Internet Monitor section of the *CloudWatch User Guide* .", "title": "HealthEventsConfig" }, "InternetMeasurementsLogDelivery": { 
@@ -105895,7 +110610,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs).", + "markdownDescription": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs). Use this option to add or remove resources when making an update.\n\n> Be aware that if you include content in the `Resources` field when you update a monitor, the `ResourcesToAdd` and `ResourcesToRemove` fields must be empty.", "title": "Resources", "type": "array" }, @@ -105903,7 +110618,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources to add to a monitor, which you provide as a set of Amazon Resource Names (ARNs).\n\nYou can add a combination of Virtual Private Clouds (VPCs) and Amazon CloudFront distributions, or you can add WorkSpaces directories. You can't add all three types of resources.\n\n> If you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.", + "markdownDescription": "The resources to include in a monitor, which you provide as a set of Amazon Resource Names (ARNs). Resources can be Amazon Virtual Private Cloud VPCs, Network Load Balancers (NLBs), Amazon CloudFront distributions, or Amazon WorkSpaces directories.\n\nYou can add a combination of VPCs and CloudFront distributions, or you can add WorkSpaces directories, or you can add NLBs. You can't add NLBs or WorkSpaces directories together with any other resources.\n\nIf you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "title": "ResourcesToAdd", "type": "array" }, 
@@ -105911,7 +110626,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs).", + "markdownDescription": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs)\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "title": "ResourcesToRemove", "type": "array" }, 
@@ -105964,18 +110679,22 @@ "additionalProperties": false, "properties": { "AvailabilityLocalHealthEventsConfig": { - "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig" + "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig", + "markdownDescription": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local availability issue.", + "title": "AvailabilityLocalHealthEventsConfig" }, "AvailabilityScoreThreshold": { - "markdownDescription": "", + "markdownDescription": "The health event threshold percentage set for availability scores. When the overall availability score is at or below this percentage, Internet Monitor creates a health event.", "title": "AvailabilityScoreThreshold", "type": "number" }, "PerformanceLocalHealthEventsConfig": { - "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig" + "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig", + "markdownDescription": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local performance issue.", + "title": "PerformanceLocalHealthEventsConfig" }, "PerformanceScoreThreshold": { - "markdownDescription": "", + "markdownDescription": "The health event threshold percentage set for performance scores. When the overall performance score is at or below this percentage, Internet Monitor creates a health event.", "title": "PerformanceScoreThreshold", "type": "number" } 
@@ -105987,7 +110706,7 @@ "properties": { "S3Config": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.S3Config", - "markdownDescription": "The configuration information for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise.", + "markdownDescription": "The configuration information for publishing Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs.", "title": "S3Config" } }, @@ -105997,12 +110716,18 @@ "additionalProperties": false, "properties": { "HealthScoreThreshold": { + "markdownDescription": "The health event threshold percentage set for a local health score.", + "title": "HealthScoreThreshold", "type": "number" }, "MinTrafficImpact": { + "markdownDescription": "The minimum percentage of overall traffic for an application that must be impacted by an issue before Internet Monitor creates an event when a threshold is crossed for a local health score.\n\nIf you don't set a minimum traffic impact threshold, the default value is 0.01%.", + "title": "MinTrafficImpact", "type": "number" }, "Status": { + "markdownDescription": "The status of whether Internet Monitor creates a health event based on a threshold percentage set for a local health score. The status can be `ENABLED` or `DISABLED` .", + "title": "Status", "type": "string" } }, 
@@ -106012,17 +110737,17 @@ "additionalProperties": false, "properties": { "BucketName": { - "markdownDescription": "The Amazon S3 bucket name for internet measurements publishing.", + "markdownDescription": "The Amazon S3 bucket name.", "title": "BucketName", "type": "string" }, "BucketPrefix": { - "markdownDescription": "An optional Amazon S3 bucket prefix for internet measurements publishing.", + "markdownDescription": "The Amazon S3 bucket prefix.", "title": "BucketPrefix", "type": "string" }, "LogDeliveryStatus": { - "markdownDescription": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise.", + "markdownDescription": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket.", "title": "LogDeliveryStatus", "type": "string" } @@ -106265,13 +110990,9 @@ "additionalProperties": false, "properties": { "CallbackOverrides": { - "markdownDescription": "An optional AWS Lambda function to invoke instead of the default AWS Lambda function provided by the placement template.", - "title": "CallbackOverrides", "type": "object" }, "DeviceType": { - "markdownDescription": "The device type, which currently must be `\"button\"` .", - "title": "DeviceType", "type": "string" } }, 
@@ -106428,12 +111149,12 @@ }, "IntermediateCaRevokedForActiveDeviceCertificatesCheck": { "$ref": "#/definitions/AWS::IoT::AccountAuditConfiguration.AuditCheckConfiguration", - "markdownDescription": "", + "markdownDescription": "Checks if device certificates are still active despite being revoked by an intermediate CA.", "title": "IntermediateCaRevokedForActiveDeviceCertificatesCheck" }, "IoTPolicyPotentialMisConfigurationCheck": { "$ref": "#/definitions/AWS::IoT::AccountAuditConfiguration.AuditCheckConfiguration", - "markdownDescription": "", + "markdownDescription": "Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.", "title": "IoTPolicyPotentialMisConfigurationCheck" }, "IotPolicyOverlyPermissiveCheck": { @@ -107436,6 +112157,8 @@ "items": { "type": "string" }, + "markdownDescription": "The package version Amazon Resource Names (ARNs) that are installed on the device\u2019s reserved named shadow ( `$package` ) when the job successfully completes.\n\n*Note:* Up to 25 package version ARNS are allowed.", + "title": "DestinationPackageVersions", "type": "array" }, "Document": { @@ -108056,6 +112779,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -108605,6 +113330,11 @@ "title": "Behaviors", "type": "array" }, + "MetricsExportConfig": { + "$ref": "#/definitions/AWS::IoT::SecurityProfile.MetricsExportConfig", + "markdownDescription": "Specifies the MQTT topic and role ARN required for metric export.", + "title": "MetricsExportConfig" + }, "SecurityProfileDescription": { "markdownDescription": "A description of the security profile.", "title": "SecurityProfileDescription", 
@@ -108679,9 +113409,14 @@ "properties": { "Criteria": { "$ref": "#/definitions/AWS::IoT::SecurityProfile.BehaviorCriteria", - "markdownDescription": "The criteria that determine if a device is behaving normally in regard to the `metric` .", + "markdownDescription": "The criteria that determine if a device is behaving normally in regard to the `metric` .\n\n> In the AWS IoT console, you can choose to be sent an alert through Amazon SNS when AWS IoT Device Defender detects that a device is behaving anomalously.", "title": "Criteria" }, + "ExportMetric": { + "markdownDescription": "Value indicates exporting metrics related to the behavior when it is true.", + "title": "ExportMetric", + "type": "boolean" + }, "Metric": { "markdownDescription": "What is measured by the behavior.", "title": "Metric", @@ -108782,6 +113517,11 @@ "AWS::IoT::SecurityProfile.MetricToRetain": { "additionalProperties": false, "properties": { + "ExportMetric": { + "markdownDescription": "The value indicates exporting metrics related to the `MetricToRetain` when it's true.", + "title": "ExportMetric", + "type": "boolean" + }, "Metric": { "markdownDescription": "A standard of measurement.", "title": "Metric", @@ -108846,6 +113586,26 @@ }, "type": "object" }, + "AWS::IoT::SecurityProfile.MetricsExportConfig": { + "additionalProperties": false, + "properties": { + "MqttTopic": { + "markdownDescription": "The MQTT topic that Device Defender Detect should publish messages to for metrics export.", + "title": "MqttTopic", + "type": "string" + }, + "RoleArn": { + "markdownDescription": "This role ARN has permission to publish MQTT messages, after which Device Defender Detect can assume the role and publish messages on your behalf.", + "title": "RoleArn", + "type": "string" + } + }, + "required": [ + "MqttTopic", + "RoleArn" + ], + "type": "object" + }, "AWS::IoT::SecurityProfile.StatisticalThreshold": { "additionalProperties": false, "properties": { 
@@ -108893,15 +113653,21 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A summary of the package being created. This can be used to outline the package's contents or purpose.", + "title": "Description", "type": "string" }, "PackageName": { + "markdownDescription": "The name of the new software package.", + "title": "PackageName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Metadata that can be used to manage the package.", + "title": "Tags", "type": "array" } }, @@ -108964,26 +113730,36 @@ "properties": { "Attributes": { "additionalProperties": true, + "markdownDescription": "Metadata that can be used to define a package version\u2019s configuration. For example, the S3 file location, configuration options that are being sent to the device or fleet.\n\nThe combined size of all the attributes on a package version is limited to 3KB.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Attributes", "type": "object" }, "Description": { + "markdownDescription": "A summary of the package version being created. This can be used to outline the package's contents or purpose.", + "title": "Description", "type": "string" }, "PackageName": { + "markdownDescription": "The name of the associated software package.", + "title": "PackageName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Metadata that can be used to manage the package version.", + "title": "Tags", "type": "array" }, "VersionName": { + "markdownDescription": "The name of the new package version.", + "title": "VersionName", "type": "string" } }, @@ -110061,6 +114837,8 @@ "items": { "$ref": "#/definitions/AWS::IoT::TopicRule.KafkaActionHeader" }, + "markdownDescription": "The list of Kafka headers that you specify.", + "title": "Headers", "type": "array" }, "Key": { 
@@ -110090,9 +114868,13 @@ "additionalProperties": false, "properties": { "Key": { + "markdownDescription": "The key of the Kafka header.", + "title": "Key", "type": "string" }, "Value": { + "markdownDescription": "The value of the Kafka header.", + "title": "Value", "type": "string" } }, @@ -112241,12 +117023,12 @@ "additionalProperties": false, "properties": { "CertificateArn": { - "markdownDescription": "", + "markdownDescription": "Lists device's certificate ARN.", "title": "CertificateArn", "type": "string" }, "ThingArn": { - "markdownDescription": "", + "markdownDescription": "Lists device's thing ARN.", "title": "ThingArn", "type": "string" } @@ -112257,7 +117039,7 @@ "additionalProperties": false, "properties": { "DevicePermissionRoleArn": { - "markdownDescription": "", + "markdownDescription": "Gets the device permission ARN. This is a required parameter.", "title": "DevicePermissionRoleArn", "type": "string" }, 
@@ -112265,22 +117047,22 @@ "items": { "$ref": "#/definitions/AWS::IoTCoreDeviceAdvisor::SuiteDefinition.DeviceUnderTest" }, - "markdownDescription": "", + "markdownDescription": "Gets the devices configured.", "title": "Devices", "type": "array" }, "IntendedForQualification": { - "markdownDescription": "", + "markdownDescription": "Gets the tests intended for qualification in a suite.", "title": "IntendedForQualification", "type": "boolean" }, "RootGroup": { - "markdownDescription": "", + "markdownDescription": "Gets the test suite root group. This is a required parameter. For updating or creating the latest qualification suite, if `intendedForQualification` is set to true, `rootGroup` can be an empty string. If `intendedForQualification` is false, `rootGroup` cannot be an empty string. If `rootGroup` is empty, and `intendedForQualification` is set to true, all the qualification tests are included, and the configuration is default.\n\nFor a qualification suite, the minimum length is 0, and the maximum is 2048. For a non-qualification suite, the minimum length is 1, and the maximum is 2048.", "title": "RootGroup", "type": "string" }, "SuiteDefinitionName": { - "markdownDescription": "", + "markdownDescription": "Gets the suite definition name. This is a required parameter.", "title": "SuiteDefinitionName", "type": "string" } 
@@ -114306,23 +119088,15 @@ "additionalProperties": false, "properties": { "CanInterface": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanInterface", - "markdownDescription": "(Optional) Information about a network interface specified by the Controller Area Network (CAN) protocol.", - "title": "CanInterface" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanInterface" }, "InterfaceId": { - "markdownDescription": "The ID of the network interface.", - "title": "InterfaceId", "type": "string" }, "ObdInterface": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdInterface", - "markdownDescription": "(Optional) Information about a network interface specified by the On-board diagnostic (OBD) II protocol.", - "title": "ObdInterface" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdInterface" }, "Type": { - "markdownDescription": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs.", - "title": "Type", "type": "string" } }, 
@@ -114441,28 +119215,18 @@ "additionalProperties": false, "properties": { "CanSignal": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanSignal", - "markdownDescription": "(Optional) Information about a single controller area network (CAN) signal and the messages it receives and transmits.", - "title": "CanSignal" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanSignal" }, "FullyQualifiedName": { - "markdownDescription": "The fully qualified name of a signal decoder as defined in a vehicle model.", - "title": "FullyQualifiedName", "type": "string" }, "InterfaceId": { - "markdownDescription": "The ID of a network interface that specifies what network protocol a vehicle follows.", - "title": "InterfaceId", "type": "string" }, "ObdSignal": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdSignal", - "markdownDescription": "(Optional) Information about signal messages using the on-board diagnostics (OBD) II protocol in a vehicle.", - "title": "ObdSignal" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdSignal" }, "Type": { - "markdownDescription": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs.", - "title": "Type", "type": "string" } }, 
@@ -115305,7 +120069,7 @@ "type": "array" }, "AssetModelId": { - "markdownDescription": "The ID of the asset model from which to create the asset.", + "markdownDescription": "The ID of the asset model from which to create the asset. This can be either the actual ID in UUID format, or else `externalId:` followed by the external ID, if it has one. For more information, see [Referencing objects with external IDs](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/object-ids.html#external-id-references) in the *AWS IoT SiteWise User Guide* .", "title": "AssetModelId", "type": "string" }, 
@@ -116063,7 +120827,7 @@ "type": "string" }, "PortalAuthMode": { - "markdownDescription": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center (successor to AWS Single Sign-On) to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", + "markdownDescription": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", "title": "PortalAuthMode", "type": "string" }, 
@@ -116358,6 +121122,17 @@ "title": "ComponentTypeId", "type": "string" }, + "CompositeComponentTypes": { + "additionalProperties": false, + "markdownDescription": "Maps strings to `compositeComponentTypes` of the `componentType` . `CompositeComponentType` is referenced by `componentTypeId` .", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "$ref": "#/definitions/AWS::IoTTwinMaker::ComponentType.CompositeComponentType" + } + }, + "title": "CompositeComponentTypes", + "type": "object" + }, "Description": { "markdownDescription": "The description of the component type.", "title": "Description", @@ -116421,7 +121196,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "The ID of the workspace that contains the component type.", "title": "WorkspaceId", "type": "string" } @@ -116453,6 +121228,17 @@ ], "type": "object" }, + "AWS::IoTTwinMaker::ComponentType.CompositeComponentType": { + "additionalProperties": false, + "properties": { + "ComponentTypeId": { + "markdownDescription": "The ID of the component type.", + "title": "ComponentTypeId", + "type": "string" + } + }, + "type": "object" + }, "AWS::IoTTwinMaker::ComponentType.DataConnector": { "additionalProperties": false, "properties": { @@ -116645,7 +121431,7 @@ "title": "DefaultValue" }, "IsExternalId": { - "markdownDescription": "A boolean value that specifies whether the property ID comes from an external data store.", + "markdownDescription": "A Boolean value that specifies whether the property ID comes from an external data source.", "title": "IsExternalId", "type": "boolean" }, 
@@ -116780,13 +121566,24 @@ "title": "Components", "type": "object" }, + "CompositeComponents": { + "additionalProperties": false, + "markdownDescription": "Maps string to `compositeComponent` updates in the request. Each key of the map represents the `componentPath` of the `compositeComponent` .", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "$ref": "#/definitions/AWS::IoTTwinMaker::Entity.CompositeComponent" + } + }, + "title": "CompositeComponents", + "type": "object" + }, "Description": { "markdownDescription": "The description of the entity.", "title": "Description", "type": "string" }, "EntityId": { - "markdownDescription": "The entity ID.", + "markdownDescription": "The ID of the entity.", "title": "EntityId", "type": "string" }, @@ -116812,7 +121609,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "The ID of the workspace that contains the entity.", "title": "WorkspaceId", "type": "string" } @@ -116853,7 +121650,7 @@ "type": "string" }, "ComponentTypeId": { - "markdownDescription": "The ID of the ComponentType.", + "markdownDescription": "The ID of the component type.", "title": "ComponentTypeId", "type": "string" }, 
@@ -116897,6 +121694,59 @@ }, "type": "object" }, + "AWS::IoTTwinMaker::Entity.CompositeComponent": { + "additionalProperties": false, + "properties": { + "ComponentName": { + "markdownDescription": "The name of the component.", + "title": "ComponentName", + "type": "string" + }, + "ComponentPath": { + "markdownDescription": "The path to the composite component, starting from the top-level component.", + "title": "ComponentPath", + "type": "string" + }, + "ComponentTypeId": { + "markdownDescription": "The ID of the composite component type.", + "title": "ComponentTypeId", + "type": "string" + }, + "Description": { + "markdownDescription": "The description of the component type.", + "title": "Description", + "type": "string" + }, + "Properties": { + "additionalProperties": false, + "markdownDescription": "Map of strings to the properties in the component type. Each string in the mapping must be unique to this component.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "$ref": "#/definitions/AWS::IoTTwinMaker::Entity.Property" + } + }, + "title": "Properties", + "type": "object" + }, + "PropertyGroups": { + "additionalProperties": false, + "markdownDescription": "The property groups.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "$ref": "#/definitions/AWS::IoTTwinMaker::Entity.PropertyGroup" + } + }, + "title": "PropertyGroups", + "type": "object" + }, + "Status": { + "$ref": "#/definitions/AWS::IoTTwinMaker::Entity.Status", + "markdownDescription": "The current status of the composite component.", + "title": "Status" + } + }, + "type": "object" + }, "AWS::IoTTwinMaker::Entity.DataType": { "additionalProperties": false, "properties": { @@ -117206,7 +122056,7 @@ "type": "string" }, "SceneId": { - "markdownDescription": "The scene ID.", + "markdownDescription": "The ID of the scene.", "title": "SceneId", "type": "string" }, 
@@ -117233,7 +122083,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "", "title": "WorkspaceId", "type": "string" } @@ -118142,6 +122992,8 @@ "additionalProperties": false, "properties": { "AccountLinked": { + "markdownDescription": "Whether the partner account is linked to the AWS account.", + "title": "AccountLinked", "type": "boolean" }, "PartnerAccountId": { @@ -118150,6 +123002,8 @@ "type": "string" }, "PartnerType": { + "markdownDescription": "The partner type.", + "title": "PartnerType", "type": "string" }, "Sidewalk": { @@ -118158,10 +123012,14 @@ "title": "Sidewalk" }, "SidewalkResponse": { - "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkAccountInfoWithFingerprint" + "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkAccountInfoWithFingerprint", + "markdownDescription": "", + "title": "SidewalkResponse" }, "SidewalkUpdate": { - "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkUpdateAccount" + "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkUpdateAccount", + "markdownDescription": "Sidewalk update.", + "title": "SidewalkUpdate" }, "Tags": { "items": { @@ -118458,7 +123316,9 @@ "type": "boolean" }, "LoRaWANUpdateGatewayTaskEntry": { - "$ref": "#/definitions/AWS::IoTWireless::TaskDefinition.LoRaWANUpdateGatewayTaskEntry" + "$ref": "#/definitions/AWS::IoTWireless::TaskDefinition.LoRaWANUpdateGatewayTaskEntry", + "markdownDescription": "LoRaWANUpdateGatewayTaskEntry object.", + "title": "LoRaWANUpdateGatewayTaskEntry" }, "Name": { "markdownDescription": "The name of the new resource.", @@ -118474,6 +123334,8 @@ "type": "array" }, "TaskDefinitionType": { + "markdownDescription": "A filter to list only the wireless gateway task definitions that use this task definition type.", + "title": "TaskDefinitionType", "type": "string" }, "Update": { 
@@ -118702,13 +123564,13 @@ "additionalProperties": false, "properties": { "DevAddr": { - "markdownDescription": "The DevAddr value.", + "markdownDescription": "", "title": "DevAddr", "type": "string" }, "SessionKeys": { "$ref": "#/definitions/AWS::IoTWireless::WirelessDevice.SessionKeysAbpV10x", - "markdownDescription": "Session keys for ABP v1.0.x", + "markdownDescription": "", "title": "SessionKeys" } }, @@ -118743,7 +123605,7 @@ "properties": { "AbpV10x": { "$ref": "#/definitions/AWS::IoTWireless::WirelessDevice.AbpV10x", - "markdownDescription": "LoRaWAN object for create APIs.", + "markdownDescription": "", "title": "AbpV10x" }, "AbpV11": { @@ -118783,12 +123645,12 @@ "additionalProperties": false, "properties": { "AppEui": { - "markdownDescription": "The AppEUI value, with pattern of `[a-fA-F0-9]{16}` .", + "markdownDescription": "", "title": "AppEui", "type": "string" }, "AppKey": { - "markdownDescription": "The AppKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "AppKey", "type": "string" } 
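Review bot: The empty `"markdownDescription": ""` now set on `AppKey` in the `@@ -118783,12 +123645,12 @@` hunk removes the only text in this schema that calls the value a secret key, to be handled like an application password and supplied through a `secretsmanager` dynamic reference rather than inline. The next hunk (`@@ -118829,12 +123691,12 @@`) does the same to `AppSKey` and `NwkSKey`. Editors that show these descriptions as hover help will then give template authors no hint that the fields hold LoRaWAN key material, which makes plaintext keys in committed templates more likely. If this file is regenerated from upstream documentation (it looks that way, but the file header is outside this view), the fix belongs in the sync step: keep the previous non-empty description whenever the incoming one is `""`, instead of overwriting it.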
@@ -118829,12 +123691,12 @@ "additionalProperties": false, "properties": { "AppSKey": { - "markdownDescription": "The AppSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "AppSKey", "type": "string" }, "NwkSKey": { - "markdownDescription": "The NwkSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "NwkSKey", "type": "string" } 
@@ -119143,7 +124005,7 @@ "additionalProperties": false, "properties": { "AliasName": { - "markdownDescription": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .\n\n*Pattern* : `^alias/[a-zA-Z0-9/_-]+$`\n\n*Minimum* : `1`\n\n*Maximum* : `256`", + "markdownDescription": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .", "title": "AliasName", "type": "string" }, 
@@ -119216,6 +124078,8 @@ "additionalProperties": false, "properties": { "BypassPolicyLockoutSafetyCheck": { + "markdownDescription": "Skips (\"bypasses\") the key policy lockout safety check. The default value is false.\n\n> Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.\n> \n> For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) in the *AWS Key Management Service Developer Guide* . \n\nUse this parameter only when you intend to prevent the principal that is making the request from making a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key.", + "title": "BypassPolicyLockoutSafetyCheck", "type": "boolean" }, "Description": { 
@@ -119224,7 +124088,7 @@ "type": "string" }, "EnableKeyRotation": { - "markdownDescription": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys and HMAC KMS keys, omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin `EXTERNAL` , omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. 
For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "EnableKeyRotation", "type": "boolean" }, 
@@ -119234,7 +124098,7 @@ "type": "boolean" }, "KeyPolicy": { - "markdownDescription": "The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section of the **AWS Key Management Service Developer Guide** .\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. 
For details, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", + "markdownDescription": "The key policy to attach to the KMS key.\n\nIf you provide a key policy, it must meet the following criteria:\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) in the *AWS Key Management Service Developer Guide* . (To omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you do not provide a key policy, AWS KMS attaches a default key policy to the KMS key. 
For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", "title": "KeyPolicy", "type": "object" }, 
@@ -119254,10 +124118,12 @@ "type": "boolean" }, "Origin": { + "markdownDescription": "The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is `AWS_KMS` , which means that AWS KMS creates the key material.\n\nTo [create a KMS key with no key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) (for imported key material), set this value to `EXTERNAL` . For more information about importing key material into AWS KMS , see [Importing Key Material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) in the *AWS Key Management Service Developer Guide* .\n\nYou can ignore `ENABLED` when Origin is `EXTERNAL` . When a KMS key with Origin `EXTERNAL` is created, the key state is `PENDING_IMPORT` and `ENABLED` is `false` . After you import the key material, `ENABLED` updated to `true` . The KMS key can then be used for Cryptographic Operations.\n\n> AWS CloudFormation doesn't support creating an `Origin` parameter of the `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` values.", + "title": "Origin", "type": "string" }, "PendingWindowInDays": { - "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. 
When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . 
For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. 
For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "PendingWindowInDays", "type": "number" }, 
@@ -119343,7 +124209,7 @@ "type": "object" }, "PendingWindowInDays": { - "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . 
For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. 
This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "PendingWindowInDays", "type": "number" }, @@ -119923,6 +124789,8 @@ "type": "string" }, "LanguageCode": { + "markdownDescription": "The code for a language. This shows a supported language for all documents in the data source. English is supported by default. For more information on supported languages, including their codes, see [Adding documents in languages other than English](https://docs.aws.amazon.com/kendra/latest/dg/in-adding-languages.html) .", + "title": "LanguageCode", "type": "string" }, "Name": { 
@@ -120430,17 +125298,17 @@ "additionalProperties": false, "properties": { "DataSourceFieldName": { - "markdownDescription": "The name of the column or attribute in the data source.", + "markdownDescription": "The name of the field in the data source. You must first create the index field using the `UpdateIndex` API.", "title": "DataSourceFieldName", "type": "string" }, "DateFieldFormat": { - "markdownDescription": "The type of data stored in the column or attribute.", + "markdownDescription": "The format for date fields in the data source. If the field specified in `DataSourceFieldName` is a date field, you must specify the date format. If the field is not a date field, an exception is thrown.", "title": "DateFieldFormat", "type": "string" }, "IndexFieldName": { - "markdownDescription": "The name of the field in the index.", + "markdownDescription": "The name of the index field to map to the data source field. The index field type must match the data source field type.", "title": "IndexFieldName", "type": "string" } @@ -121722,7 +126590,7 @@ "properties": { "CapacityUnits": { "$ref": "#/definitions/AWS::Kendra::Index.CapacityUnitsConfiguration", - "markdownDescription": "", + "markdownDescription": "Specifies additional capacity units configured for your Enterprise Edition index. You can add and remove capacity units to fit your usage requirements.", "title": "CapacityUnits" }, "Description": { @@ -123136,7 +128004,7 @@ }, "RunConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.RunConfiguration", - "markdownDescription": "", + "markdownDescription": "Describes the starting parameters for an Managed Service for Apache Flink application.", "title": "RunConfiguration" }, "RuntimeEnvironment": { 
@@ -123210,27 +128078,27 @@ "properties": { "ApplicationCodeConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationCodeConfiguration", - "markdownDescription": "The code location and type parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The code location and type parameters for a Managed Service for Apache Flink application.", "title": "ApplicationCodeConfiguration" }, "ApplicationSnapshotConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationSnapshotConfiguration", - "markdownDescription": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", "title": "ApplicationSnapshotConfiguration" }, "EnvironmentProperties": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.EnvironmentProperties", - "markdownDescription": "Describes execution properties for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes execution properties for a Managed Service for Apache Flink application.", "title": "EnvironmentProperties" }, "FlinkApplicationConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.FlinkApplicationConfiguration", - "markdownDescription": "The creation and update parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The creation and update parameters for a Managed Service for Apache Flink application.", "title": "FlinkApplicationConfiguration" }, "SqlApplicationConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.SqlApplicationConfiguration", - "markdownDescription": "The creation and update parameters for a SQL-based Kinesis Data Analytics application.", + "markdownDescription": "The creation and update parameters for a SQL-based Managed Service for Apache Flink 
application.", "title": "SqlApplicationConfiguration" }, "VpcConfigurations": { @@ -123286,7 +128154,7 @@ "additionalProperties": false, "properties": { "SnapshotsEnabled": { - "markdownDescription": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", "title": "SnapshotsEnabled", "type": "boolean" } 
@@ -123336,12 +128204,12 @@ "type": "number" }, "CheckpointingEnabled": { - "markdownDescription": "Describes whether checkpointing is enabled for a Flink-based Kinesis Data Analytics application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", + "markdownDescription": "Describes whether checkpointing is enabled for a Managed Service for Apache Flink application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", "title": "CheckpointingEnabled", "type": "boolean" }, "ConfigurationType": { - "markdownDescription": "Describes whether the application uses Kinesis Data Analytics' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", + "markdownDescription": "Describes whether the application uses Managed Service for Apache Flink' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", "title": "ConfigurationType", "type": "string" }, 
@@ -123365,12 +128233,12 @@ "title": "S3ContentLocation" }, "TextContent": { - "markdownDescription": "The text-format code for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The text-format code for a Managed Service for Apache Flink application.", "title": "TextContent", "type": "string" }, "ZipFileContent": { - "markdownDescription": "The zip-format code for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The zip-format code for a Managed Service for Apache Flink application.", "title": "ZipFileContent", "type": "string" } @@ -123482,7 +128350,7 @@ }, "InputProcessingConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.InputProcessingConfiguration", - "markdownDescription": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) .", + "markdownDescription": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) .", "title": "InputProcessingConfiguration" }, "InputSchema": { 
@@ -123501,7 +128369,7 @@ "title": "KinesisStreamsInput" }, "NamePrefix": { - "markdownDescription": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Kinesis Data Analytics then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on.", + "markdownDescription": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Managed Service for Apache Flink then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on.", "title": "NamePrefix", "type": "string" } @@ -123542,7 +128410,7 @@ "properties": { "InputLambdaProcessor": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.InputLambdaProcessor", - "markdownDescription": "The [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code.", + "markdownDescription": "The [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code.", "title": "InputLambdaProcessor" } }, 
@@ -123688,17 +128556,17 @@ "additionalProperties": false, "properties": { "AutoScalingEnabled": { - "markdownDescription": "Describes whether the Kinesis Data Analytics service can increase the parallelism of the application in response to increased throughput.", + "markdownDescription": "Describes whether the Managed Service for Apache Flink service can increase the parallelism of the application in response to increased throughput.", "title": "AutoScalingEnabled", "type": "boolean" }, "ConfigurationType": { - "markdownDescription": "Describes whether the application uses the default parallelism for the Kinesis Data Analytics service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", + "markdownDescription": "Describes whether the application uses the default parallelism for the Managed Service for Apache Flink service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", "title": "ConfigurationType", "type": "string" }, "Parallelism": { - "markdownDescription": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", + "markdownDescription": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. 
The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", "title": "Parallelism", "type": "number" }, @@ -123789,7 +128657,7 @@ }, "FlinkRunConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.FlinkRunConfiguration", - "markdownDescription": "Describes the starting parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes the starting parameters for a Managed Service for Apache Flink application.", "title": "FlinkRunConfiguration" } }, @@ -123846,7 +128714,7 @@ "items": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.Input" }, - "markdownDescription": "The array of [Input](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_Input.html) objects describing the input streams used by the application.", + "markdownDescription": "The array of [Input](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_Input.html) objects describing the input streams used by the application.", "title": "Inputs", "type": "array" } 
@@ -124048,7 +128916,7 @@ }, "Output": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationOutput.Output", - "markdownDescription": "Describes a SQL-based Kinesis Data Analytics application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.", + "markdownDescription": "Describes a SQL-based Managed Service for Apache Flink application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.", "title": "Output" } }, @@ -124208,7 +129076,7 @@ }, "ReferenceDataSource": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource.ReferenceDataSource", - "markdownDescription": "For a SQL-based Kinesis Data Analytics application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.", + "markdownDescription": "For a SQL-based Managed Service for Apache Flink application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.", "title": "ReferenceDataSource" } }, 
@@ -124343,7 +129211,7 @@ }, "S3ReferenceDataSource": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource.S3ReferenceDataSource", - "markdownDescription": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", + "markdownDescription": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", "title": "S3ReferenceDataSource" }, "TableName": { @@ -124442,7 +129310,7 @@ "properties": { "AmazonOpenSearchServerlessDestinationConfiguration": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessDestinationConfiguration", - "markdownDescription": "", + "markdownDescription": "Describes the configuration of a destination in the Serverless offering for Amazon OpenSearch Service.", "title": "AmazonOpenSearchServerlessDestinationConfiguration" }, "AmazonopensearchserviceDestinationConfiguration": { 
@@ -124486,7 +129354,9 @@ "title": "KinesisStreamSourceConfiguration" }, "MSKSourceConfiguration": { - "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.MSKSourceConfiguration" + "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.MSKSourceConfiguration", + "markdownDescription": "The configuration for the Amazon MSK cluster to be used as the source for a delivery stream.", + "title": "MSKSourceConfiguration" }, "RedshiftDestinationConfiguration": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.RedshiftDestinationConfiguration", @@ -124538,12 +129408,12 @@ "additionalProperties": false, "properties": { "IntervalInSeconds": { - "markdownDescription": "", + "markdownDescription": "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300 (5 minutes).", "title": "IntervalInSeconds", "type": "number" }, "SizeInMBs": { - "markdownDescription": "", + "markdownDescription": "Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.\n\nWe recommend setting this parameter to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec, the value should be 10 MB or higher.", "title": "SizeInMBs", "type": "number" } @@ -124555,7 +129425,7 @@ "properties": { "BufferingHints": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessBufferingHints", - "markdownDescription": "", + "markdownDescription": "The buffering options. If no value is specified, the default values for AmazonopensearchserviceBufferingHints are used.", "title": "BufferingHints" }, "CloudWatchLoggingOptions": { 
@@ -124564,12 +129434,12 @@ "title": "CloudWatchLoggingOptions" }, "CollectionEndpoint": { - "markdownDescription": "", + "markdownDescription": "The endpoint to use when communicating with the collection in the Serverless offering for Amazon OpenSearch Service.", "title": "CollectionEndpoint", "type": "string" }, "IndexName": { - "markdownDescription": "", + "markdownDescription": "The Serverless offering for Amazon OpenSearch Service index name.", "title": "IndexName", "type": "string" }, @@ -124580,16 +129450,16 @@ }, "RetryOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessRetryOptions", - "markdownDescription": "", + "markdownDescription": "The retry behavior in case Kinesis Data Firehose is unable to deliver documents to the Serverless offering for Amazon OpenSearch Service. The default value is 300 (5 minutes).", "title": "RetryOptions" }, "RoleARN": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to be assumed by Kinesis Data Firehose for calling the Serverless offering for Amazon OpenSearch Service Configuration API and for indexing documents.", "title": "RoleARN", "type": "string" }, "S3BackupMode": { - "markdownDescription": "", + "markdownDescription": "Defines how documents should be delivered to Amazon S3. When it is set to FailedDocumentsOnly, Kinesis Data Firehose writes any documents that could not be indexed to the configured Amazon S3 destination, with AmazonOpenSearchService-failed/ appended to the key prefix. When set to AllDocuments, Kinesis Data Firehose delivers all incoming records to Amazon S3, and also writes failed documents with AmazonOpenSearchService-failed/ appended to the prefix.", "title": "S3BackupMode", "type": "string" }, 
@@ -124615,7 +129485,7 @@ "additionalProperties": false, "properties": { "DurationInSeconds": { - "markdownDescription": "", + "markdownDescription": "After an initial failure to deliver to the Serverless offering for Amazon OpenSearch Service, the total amount of time during which Kinesis Data Firehose retries delivery (including the first attempt). After this time has elapsed, the failed documents are written to Amazon S3. Default value is 300 seconds (5 minutes). A value of 0 (zero) results in no retries.", "title": "DurationInSeconds", "type": "number" } @@ -124658,7 +129528,7 @@ }, "DocumentIdOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.DocumentIdOptions", - "markdownDescription": "", + "markdownDescription": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "title": "DocumentIdOptions" }, "DomainARN": { @@ -124734,9 +129604,13 @@ "additionalProperties": false, "properties": { "Connectivity": { + "markdownDescription": "The type of connectivity used to access the Amazon MSK cluster.", + "title": "Connectivity", "type": "string" }, "RoleARN": { + "markdownDescription": "The ARN of the role used to access the Amazon MSK cluster.", + "title": "RoleARN", "type": "string" } }, 
@@ -124872,7 +129746,7 @@ "additionalProperties": false, "properties": { "DefaultDocumentIdFormat": { - "markdownDescription": "", + "markdownDescription": "When the `FIREHOSE_DEFAULT` option is chosen, Kinesis Data Firehose generates a unique document ID for each record based on a unique internal identifier. The generated document ID is stable across multiple delivery attempts, which helps prevent the same record from being indexed multiple times with different document IDs.\n\nWhen the `NO_DOCUMENT_ID` option is chosen, Kinesis Data Firehose does not include any document IDs in the requests it sends to the Amazon OpenSearch Service. This causes the Amazon OpenSearch Service domain to generate document IDs. In case of multiple delivery attempts, this may cause the same record to be indexed more than once with different document IDs. This option enables write-heavy operations, such as the ingestion of logs and observability data, to consume less resources in the Amazon OpenSearch Service domain, resulting in improved performance.", "title": "DefaultDocumentIdFormat", "type": "string" } @@ -124934,7 +129808,7 @@ }, "DocumentIdOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.DocumentIdOptions", - "markdownDescription": "", + "markdownDescription": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "title": "DocumentIdOptions" }, "DomainARN": { 
@@ -125278,12 +130152,18 @@ "additionalProperties": false, "properties": { "AuthenticationConfiguration": { - "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AuthenticationConfiguration" + "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AuthenticationConfiguration", + "markdownDescription": "The authentication configuration of the Amazon MSK cluster.", + "title": "AuthenticationConfiguration" }, "MSKClusterARN": { + "markdownDescription": "The ARN of the Amazon MSK cluster.", + "title": "MSKClusterARN", "type": "string" }, "TopicName": { + "markdownDescription": "The topic name within the Amazon MSK cluster.", + "title": "TopicName", "type": "string" } }, @@ -126132,6 +131012,8 @@ "type": "boolean" }, "AllowFullTableExternalDataAccess": { + "markdownDescription": "Specifies whether query engines and applications can get credentials without IAM session tags if the user has full table access. It provides query engines and applications performance benefits as well as simplifies data access. Amazon EMR on Amazon EC2 is able to leverage this setting.\n\nFor more information, see [](https://docs.aws.amazon.com/lake-formation/latest/dg/using-cred-vending.html)", + "title": "AllowFullTableExternalDataAccess", "type": "boolean" }, "AuthorizedSessionTagValueList": { @@ -126158,6 +131040,8 @@ "title": "ExternalDataFilteringAllowList" }, "MutationType": { + "markdownDescription": "Specifies whether the data lake settings are updated by adding new values to the current settings ( `APPEND` ) or by replacing the current settings with new settings ( `REPLACE` ).\n\n> If you choose `REPLACE` , your current data lake settings will be replaced with the new values in your template.", + "title": "MutationType", "type": "string" }, "Parameters": { 
@@ -126810,7 +131694,7 @@ "additionalProperties": false, "properties": { "CatalogId": { - "markdownDescription": "", + "markdownDescription": "The identifier for the Data Catalog. By default, it is the account ID of the caller.", "title": "CatalogId", "type": "string" }, @@ -127616,7 +132500,7 @@ "additionalProperties": false, "properties": { "Destination": { - "markdownDescription": "The Amazon Resource Name (ARN) of the destination resource.", + "markdownDescription": "The Amazon Resource Name (ARN) of the destination resource.\n\nTo retain records of [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination.\n\nTo retain records of failed invocations from [Kinesis and DynamoDB event sources](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html#event-source-mapping-destinations) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.\n\nTo retain records of failed invocations from [self-managed Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#services-smaa-onfailure-destination) or [Amazon MSK](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-onfailure-destination) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.", "title": "Destination", "type": "string" } 
@@ -127706,7 +132590,7 @@ "type": "boolean" }, "EventSourceArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the event source.\n\n- *Amazon Kinesis* \u2013 The ARN of the data stream or a stream consumer.\n- *Amazon DynamoDB Streams* \u2013 The ARN of the stream.\n- *Amazon Simple Queue Service* \u2013 The ARN of the queue.\n- *Amazon Managed Streaming for Apache Kafka* \u2013 The ARN of the cluster.\n- *Amazon MQ* \u2013 The ARN of the broker.\n- *Amazon DocumentDB* \u2013 The ARN of the DocumentDB change stream.", + "markdownDescription": "The Amazon Resource Name (ARN) of the event source.\n\n- *Amazon Kinesis* \u2013 The ARN of the data stream or a stream consumer.\n- *Amazon DynamoDB Streams* \u2013 The ARN of the stream.\n- *Amazon Simple Queue Service* \u2013 The ARN of the queue.\n- *Amazon Managed Streaming for Apache Kafka* \u2013 The ARN of the cluster or the ARN of the VPC connection (for [cross-account event source mappings](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#msk-multi-vpc) ).\n- *Amazon MQ* \u2013 The ARN of the broker.\n- *Amazon DocumentDB* \u2013 The ARN of the DocumentDB change stream.", "title": "EventSourceArn", "type": "string" }, 
@@ -127915,7 +132799,7 @@ "additionalProperties": false, "properties": { "Destination": { - "markdownDescription": "The Amazon Resource Name (ARN) of the destination resource.", + "markdownDescription": "The Amazon Resource Name (ARN) of the destination resource.\n\nTo retain records of [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination.\n\nTo retain records of failed invocations from [Kinesis and DynamoDB event sources](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html#event-source-mapping-destinations) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.\n\nTo retain records of failed invocations from [self-managed Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#services-smaa-onfailure-destination) or [Amazon MSK](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-onfailure-destination) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.", "title": "Destination", "type": "string" } 
@@ -128087,8 +132971,13 @@ "title": "Layers", "type": "array" }, + "LoggingConfig": { + "$ref": "#/definitions/AWS::Lambda::Function.LoggingConfig", + "markdownDescription": "The function's Amazon CloudWatch Logs configuration settings.", + "title": "LoggingConfig" + }, "MemorySize": { - "markdownDescription": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB.", + "markdownDescription": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase.", "title": "MemorySize", "type": "number" }, @@ -128097,9 +132986,6 @@ "title": "PackageType", "type": "string" }, - "Policy": { - "type": "object" - }, "ReservedConcurrentExecutions": { "markdownDescription": "The number of simultaneous executions to reserve for the function.", "title": "ReservedConcurrentExecutions", 
@@ -128296,6 +133182,32 @@ }, "type": "object" }, + "AWS::Lambda::Function.LoggingConfig": { + "additionalProperties": false, + "properties": { + "ApplicationLogLevel": { + "markdownDescription": "Set this property to filter the application logs for your function that Lambda sends to CloudWatch. Lambda only sends application logs at the selected level and lower.", + "title": "ApplicationLogLevel", + "type": "string" + }, + "LogFormat": { + "markdownDescription": "The format in which Lambda sends your function's application and system logs to CloudWatch. Select between plain text and structured JSON.", + "title": "LogFormat", + "type": "string" + }, + "LogGroup": { + "markdownDescription": "The name of the Amazon CloudWatch log group the function sends logs to. By default, Lambda functions send logs to a default log group named `/aws/lambda/` . To use a different log group, enter an existing log group or enter a new log group name.", + "title": "LogGroup", + "type": "string" + }, + "SystemLogLevel": { + "markdownDescription": "Set this property to filter the system logs for your function that Lambda sends to CloudWatch. Lambda only sends system logs at the selected level and lower.", + "title": "SystemLogLevel", + "type": "string" + } + }, + "type": "object" + }, "AWS::Lambda::Function.RuntimeManagementConfig": { "additionalProperties": false, "properties": { @@ -128360,6 +133272,8 @@ "additionalProperties": false, "properties": { "Ipv6AllowedForDualStack": { + "markdownDescription": "Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.", + "title": "Ipv6AllowedForDualStack", "type": "boolean" }, "SecurityGroupIds": { @@ -128884,7 +133798,9 @@ "title": "ProvisionedConcurrencyConfig" }, "RuntimePolicy": { - "$ref": "#/definitions/AWS::Lambda::Version.RuntimePolicy" + "$ref": "#/definitions/AWS::Lambda::Version.RuntimePolicy", + "markdownDescription": "", + "title": "RuntimePolicy" } }, "required": [ 
@@ -128931,9 +133847,13 @@ "additionalProperties": false, "properties": { "RuntimeVersionArn": { + "markdownDescription": "", + "title": "RuntimeVersionArn", "type": "string" }, "UpdateRuntimeOn": { + "markdownDescription": "", + "title": "UpdateRuntimeOn", "type": "string" } }, @@ -132354,7 +137274,9 @@ "type": "string" }, "PrivateRegistryAccess": { - "$ref": "#/definitions/AWS::Lightsail::Container.PrivateRegistryAccess" + "$ref": "#/definitions/AWS::Lightsail::Container.PrivateRegistryAccess", + "markdownDescription": "An object that describes the configuration for the container service to access private container image repositories, such as Amazon Elastic Container Registry ( Amazon ECR ) private repositories.\n\nFor more information, see [Configuring access to an Amazon ECR private repository for an Amazon Lightsail container service](https://docs.aws.amazon.com/latest/userguide/amazon-lightsail-container-service-ecr-private-repo-access) in the *Amazon Lightsail Developer Guide* .", + "title": "PrivateRegistryAccess" }, "PublicDomainNames": { "items": { @@ -132474,9 +137396,13 @@ "additionalProperties": false, "properties": { "IsActive": { + "markdownDescription": "A boolean value that indicates whether the `ECRImagePullerRole` is active.", + "title": "IsActive", "type": "boolean" }, "PrincipalArn": { + "markdownDescription": "The principle Amazon Resource Name (ARN) of the role. This property is read-only.", + "title": "PrincipalArn", "type": "string" } }, 
@@ -132554,7 +137480,9 @@ "additionalProperties": false, "properties": { "EcrImagePullerRole": { - "$ref": "#/definitions/AWS::Lightsail::Container.EcrImagePullerRole" + "$ref": "#/definitions/AWS::Lightsail::Container.EcrImagePullerRole", + "markdownDescription": "An object that describes the activation status of the role that you can use to grant a Lightsail container service access to Amazon ECR private repositories. If the role is activated, the Amazon Resource Name (ARN) of the role is also listed.", + "title": "EcrImagePullerRole" } }, "type": "object" @@ -132640,7 +137568,7 @@ "type": "string" }, "BackupRetention": { - "markdownDescription": "A Boolean value indicating whether automated backup retention is enabled for the database.", + "markdownDescription": "A Boolean value indicating whether automated backup retention is enabled for the database. Data Import Mode is enabled when `BackupRetention` is set to `false` , and is disabled when `BackupRetention` is set to `true` .", "title": "BackupRetention", "type": "boolean" }, @@ -132847,7 +137775,7 @@ }, "Location": { "$ref": "#/definitions/AWS::Lightsail::Disk.Location", - "markdownDescription": "", + "markdownDescription": "The AWS Region and Availability Zone where the disk is located.", "title": "Location" }, "SizeInGb": { @@ -132930,12 +137858,12 @@ "additionalProperties": false, "properties": { "AvailabilityZone": { - "markdownDescription": "", + "markdownDescription": "The Availability Zone where the disk is located.", "title": "AvailabilityZone", "type": "string" }, "RegionName": { - "markdownDescription": "", + "markdownDescription": "The AWS Region where the disk is located.", "title": "RegionName", "type": "string" } 
@@ -134408,15 +139336,23 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "Specify the data protection policy, in JSON.\n\nThis policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly.", + "title": "PolicyDocument", "type": "string" }, "PolicyName": { + "markdownDescription": "A name for the policy. 
This must be unique within the account.", + "title": "PolicyName", "type": "string" }, "PolicyType": { + "markdownDescription": "Currently the only valid value for this parameter is `DATA_PROTECTION_POLICY` .", + "title": "PolicyType", "type": "string" }, "Scope": { + "markdownDescription": "Currently the only valid value for this parameter is `ALL` , which specifies that the data protection policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used.", + "title": "Scope", "type": "string" } }, 
@@ -134448,6 +139384,257 @@ ], "type": "object" }, + "AWS::Logs::Delivery": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "DeliveryDestinationArn": { + "markdownDescription": "The ARN of the delivery destination that is associated with this delivery.", + "title": "DeliveryDestinationArn", + "type": "string" + }, + "DeliverySourceName": { + "markdownDescription": "The name of the delivery source that is associated with this delivery.", + "title": "DeliverySourceName", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags that have been assigned to this delivery.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "DeliveryDestinationArn", + "DeliverySourceName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Logs::Delivery" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::Logs::DeliveryDestination": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + 
"properties": { + "DeliveryDestinationPolicy": { + "markdownDescription": "A structure that contains information about one delivery destination policy.", + "title": "DeliveryDestinationPolicy", + "type": "object" + }, + "DestinationResourceArn": { + "markdownDescription": "The ARN of the AWS destination that this delivery destination represents. That AWS destination can be a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Kinesis Data Firehose.", + "title": "DestinationResourceArn", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of this delivery destination.", + "title": "Name", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags that have been assigned to this delivery destination.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Logs::DeliveryDestination" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::Logs::DeliverySource": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "LogType": { + "markdownDescription": "The type of log that the source is sending. 
For valid values for this parameter, see the documentation for the source service.", + "title": "LogType", + "type": "string" + }, + "Name": { + "markdownDescription": "The unique name of the delivery source.", + "title": "Name", + "type": "string" + }, + "ResourceArn": { + "markdownDescription": "", + "title": "ResourceArn", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags that have been assigned to this delivery source.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Logs::DeliverySource" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::Logs::Destination": { "additionalProperties": false, "properties": { @@ -134532,7 +139719,7 @@ ], "type": "object" }, - "AWS::Logs::LogGroup": { + "AWS::Logs::LogAnomalyDetector": { "additionalProperties": false, "properties": { "Condition": { 
@@ -134567,32 +139754,42 @@ "Properties": { "additionalProperties": false, "properties": { - "DataProtectionPolicy": { - "markdownDescription": "Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.\n\nFor more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .", - "title": "DataProtectionPolicy", - "type": "object" + "AccountId": { + "markdownDescription": "The ID of the account to create the anomaly detector in.", + "title": "AccountId", + "type": "string" }, - "KmsKeyId": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key to use when encrypting log data.\n\nTo associate an AWS KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs . This enables CloudWatch Logs to decrypt this data whenever it is requested.\n\nIf you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an `InvalidParameterException` error.\n\nLog group data is always encrypted in CloudWatch Logs . If you omit this key, the encryption does not use AWS KMS . For more information, see [Encrypt log data in CloudWatch Logs using AWS Key Management Service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)", - "title": "KmsKeyId", + "AnomalyVisibilityTime": { + "markdownDescription": "The number of days to have visibility on an anomaly. 
After this time period has elapsed for an anomaly, it will be automatically baselined and the anomaly detector will treat new occurrences of a similar anomaly as normal. Therefore, if you do not correct the cause of an anomaly during the time period specified in `AnomalyVisibilityTime` , it will be considered normal going forward and will not be detected as an anomaly.", + "title": "AnomalyVisibilityTime", + "type": "number" + }, + "DetectorName": { + "markdownDescription": "A name for this anomaly detector.", + "title": "DetectorName", "type": "string" }, - "LogGroupName": { - "markdownDescription": "The name of the log group. If you don't specify a name, AWS CloudFormation generates a unique ID for the log group.", - "title": "LogGroupName", + "EvaluationFrequency": { + "markdownDescription": "Specifies how often the anomaly detector is to run and look for anomalies. Set this value according to the frequency that the log group receives new logs. For example, if the log group receives new log events every 10 minutes, then 15 minutes might be a good setting for `EvaluationFrequency` .", + "title": "EvaluationFrequency", "type": "string" }, - "RetentionInDays": { - "markdownDescription": "The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.\n\nTo set a log group so that its log events do not expire, use [DeleteRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html) .", - "title": "RetentionInDays", - "type": "number" + "FilterPattern": { + "markdownDescription": "You can use this parameter to limit the anomaly detection model to examine only log events that match the pattern you specify here. 
For more information, see [Filter and Pattern Syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) .", + "title": "FilterPattern", + "type": "string" }, - "Tags": { + "KmsKeyId": { + "markdownDescription": "Optionally assigns a AWS KMS key to secure this anomaly detector and its findings. If a key is assigned, the anomalies found and the model used by this detector are encrypted at rest with the key. If a key is assigned to an anomaly detector, a user must have permissions for both this key and for the anomaly detector to retrieve information about the anomalies that it finds.\n\nFor more information about using a AWS KMS key and to see the required IAM policy, see [Use a AWS KMS key with an anomaly detector](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.html) .", + "title": "KmsKeyId", + "type": "string" + }, + "LogGroupArnList": { "items": { - "$ref": "#/definitions/Tag" + "type": "string" }, - "markdownDescription": "An array of key-value pairs to apply to the log group.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", - "title": "Tags", + "markdownDescription": "The ARN of the log group that is associated with this anomaly detector. You can specify only one log group ARN.", + "title": "LogGroupArnList", "type": "array" } }, @@ -134600,7 +139797,7 @@ }, "Type": { "enum": [ - "AWS::Logs::LogGroup" + "AWS::Logs::LogAnomalyDetector" ], "type": "string" }, 
@@ -134618,7 +139815,98 @@ ], "type": "object" }, - "AWS::Logs::LogStream": { + "AWS::Logs::LogGroup": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "DataProtectionPolicy": { + "markdownDescription": "Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.\n\nFor more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .", + "title": "DataProtectionPolicy", + "type": "object" + }, + "KmsKeyId": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key to use when encrypting log data.\n\nTo associate an AWS KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs . This enables CloudWatch Logs to decrypt this data whenever it is requested.\n\nIf you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an `InvalidParameterException` error.\n\nLog group data is always encrypted in CloudWatch Logs . 
If you omit this key, the encryption does not use AWS KMS . For more information, see [Encrypt log data in CloudWatch Logs using AWS Key Management Service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)", + "title": "KmsKeyId", + "type": "string" + }, + "LogGroupClass": { + "markdownDescription": "Specifies the log group class for this log group. There are two classes:\n\n- The `Standard` log class supports all CloudWatch Logs features.\n- The `Infrequent Access` log class supports a subset of CloudWatch Logs features and incurs lower costs.\n\nFor details about the features supported by each class, see [Log classes](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch_Logs_Log_Classes.html)", + "title": "LogGroupClass", + "type": "string" + }, + "LogGroupName": { + "markdownDescription": "The name of the log group. If you don't specify a name, AWS CloudFormation generates a unique ID for the log group.", + "title": "LogGroupName", + "type": "string" + }, + "RetentionInDays": { + "markdownDescription": "The number of days to retain the log events in the specified log group. 
Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.\n\nTo set a log group so that its log events do not expire, use [DeleteRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html) .", + "title": "RetentionInDays", + "type": "number" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "An array of key-value pairs to apply to the log group.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", + "type": "array" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Logs::LogGroup" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::Logs::LogStream": { "additionalProperties": false, "properties": { "Condition": { @@ -135150,7 +140438,7 @@ "type": "string" }, "ModelName": { - "markdownDescription": "The name of the ML model used for the inference scheduler.", + "markdownDescription": "The name of the machine learning model used for the inference scheduler.", "title": "ModelName", "type": "string" }, @@ -136091,7 +141379,7 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the role associated with the application.", "title": "RoleArn", "type": "string" }, @@ -136482,7 +141770,7 @@ }, "ClientAuthentication": { "$ref": "#/definitions/AWS::MSK::Cluster.ClientAuthentication", - "markdownDescription": "Includes all client authentication related information.", + "markdownDescription": "VPC connection control settings for brokers.", "title": "ClientAuthentication" }, "ClusterName": { 
@@ -136619,7 +141907,7 @@ "title": "ConnectivityInfo" }, "InstanceType": { - "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, and kafka.m5.24xlarge, and kafka.t3.small.", + "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge, and kafka.t3.small.", "title": "InstanceType", "type": "string" }, @@ -136739,7 +142027,7 @@ "additionalProperties": false, "properties": { "DataVolumeKMSKeyId": { - "markdownDescription": "The ARN of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it.", + "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it.", "title": "DataVolumeKMSKeyId", "type": "string" } @@ -136790,7 +142078,7 @@ "type": "string" }, "Enabled": { - "markdownDescription": "Specifies whether broker logs get send to the specified Kinesis Data Firehose delivery stream.", + "markdownDescription": "Specifies whether broker logs get sent to the specified Kinesis Data Firehose delivery stream.", "title": "Enabled", "type": "boolean" } @@ -136985,7 +142273,7 @@ "items": { "type": "string" }, - "markdownDescription": "List of AWS Private CA ARNs.", + "markdownDescription": "List of AWS Private CA Amazon Resource Name (ARN)s.", "title": "CertificateAuthorityArnList", "type": "array" }, 
@@ -137218,7 +142506,9 @@ "type": "array" }, "LatestRevision": { - "$ref": "#/definitions/AWS::MSK::Configuration.LatestRevision" + "$ref": "#/definitions/AWS::MSK::Configuration.LatestRevision", + "markdownDescription": "Latest revision of the configuration.", + "title": "LatestRevision" }, "Name": { "markdownDescription": "The name of the configuration. Configuration names are strings that match the regex \"^[0-9A-Za-z][0-9A-Za-z-]{0,}$\".", @@ -137262,12 +142552,18 @@ "additionalProperties": false, "properties": { "CreationTime": { + "markdownDescription": "", + "title": "CreationTime", "type": "string" }, "Description": { + "markdownDescription": "", + "title": "Description", "type": "string" }, "Revision": { + "markdownDescription": "", + "title": "Revision", "type": "number" } }, @@ -137309,33 +142605,47 @@ "additionalProperties": false, "properties": { "CurrentVersion": { + "markdownDescription": "", + "title": "CurrentVersion", "type": "string" }, "Description": { + "markdownDescription": "", + "title": "Description", "type": "string" }, "KafkaClusters": { "items": { "$ref": "#/definitions/AWS::MSK::Replicator.KafkaCluster" }, + "markdownDescription": "", + "title": "KafkaClusters", "type": "array" }, "ReplicationInfoList": { "items": { "$ref": "#/definitions/AWS::MSK::Replicator.ReplicationInfo" }, + "markdownDescription": "", + "title": "ReplicationInfoList", "type": "array" }, "ReplicatorName": { + "markdownDescription": "", + "title": "ReplicatorName", "type": "string" }, "ServiceExecutionRoleArn": { + "markdownDescription": "", + "title": "ServiceExecutionRoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -137372,6 +142682,8 @@ "additionalProperties": false, "properties": { "MskClusterArn": { + "markdownDescription": "", + "title": "MskClusterArn", "type": "string" } }, 
@@ -137387,18 +142699,26 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "ConsumerGroupsToExclude", "type": "array" }, "ConsumerGroupsToReplicate": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "ConsumerGroupsToReplicate", "type": "array" }, "DetectAndCopyNewConsumerGroups": { + "markdownDescription": "", + "title": "DetectAndCopyNewConsumerGroups", "type": "boolean" }, "SynchroniseConsumerGroupOffsets": { + "markdownDescription": "", + "title": "SynchroniseConsumerGroupOffsets", "type": "boolean" } }, @@ -137411,10 +142731,14 @@ "additionalProperties": false, "properties": { "AmazonMskCluster": { - "$ref": "#/definitions/AWS::MSK::Replicator.AmazonMskCluster" + "$ref": "#/definitions/AWS::MSK::Replicator.AmazonMskCluster", + "markdownDescription": "", + "title": "AmazonMskCluster" }, "VpcConfig": { - "$ref": "#/definitions/AWS::MSK::Replicator.KafkaClusterClientVpcConfig" + "$ref": "#/definitions/AWS::MSK::Replicator.KafkaClusterClientVpcConfig", + "markdownDescription": "", + "title": "VpcConfig" } }, "required": [ @@ -137430,12 +142754,16 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "SecurityGroupIds", "type": "array" }, "SubnetIds": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "SubnetIds", "type": "array" } }, 
@@ -137448,19 +142776,29 @@ "additionalProperties": false, "properties": { "ConsumerGroupReplication": { - "$ref": "#/definitions/AWS::MSK::Replicator.ConsumerGroupReplication" + "$ref": "#/definitions/AWS::MSK::Replicator.ConsumerGroupReplication", + "markdownDescription": "", + "title": "ConsumerGroupReplication" }, "SourceKafkaClusterArn": { + "markdownDescription": "", + "title": "SourceKafkaClusterArn", "type": "string" }, "TargetCompressionType": { + "markdownDescription": "", + "title": "TargetCompressionType", "type": "string" }, "TargetKafkaClusterArn": { + "markdownDescription": "", + "title": "TargetKafkaClusterArn", "type": "string" }, "TopicReplication": { - "$ref": "#/definitions/AWS::MSK::Replicator.TopicReplication" + "$ref": "#/definitions/AWS::MSK::Replicator.TopicReplication", + "markdownDescription": "", + "title": "TopicReplication" } }, "required": [ @@ -137476,24 +142814,34 @@ "additionalProperties": false, "properties": { "CopyAccessControlListsForTopics": { + "markdownDescription": "", + "title": "CopyAccessControlListsForTopics", "type": "boolean" }, "CopyTopicConfigurations": { + "markdownDescription": "", + "title": "CopyTopicConfigurations", "type": "boolean" }, "DetectAndCopyNewTopics": { + "markdownDescription": "", + "title": "DetectAndCopyNewTopics", "type": "boolean" }, "TopicsToExclude": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "TopicsToExclude", "type": "array" }, "TopicsToReplicate": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "TopicsToReplicate", "type": "array" } }, @@ -137539,7 +142887,7 @@ "properties": { "ClientAuthentication": { "$ref": "#/definitions/AWS::MSK::ServerlessCluster.ClientAuthentication", - "markdownDescription": "", + "markdownDescription": "Includes all client authentication information.", "title": "ClientAuthentication" }, "ClusterName": { 
@@ -137811,7 +143159,7 @@ "type": "object" }, "AirflowVersion": { - "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\n*Allowed Values* : `2.0.2` | `1.10.12` | `2.2.2` | `2.4.3` | `2.5.1` (latest)", + "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `1.10.12` | `2.0.2` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` | `2.7.2` (latest)", "title": "AirflowVersion", "type": "string" }, @@ -137820,6 +143168,11 @@ "title": "DagS3Path", "type": "string" }, + "EndpointManagement": { + "markdownDescription": "Defines whether the VPC endpoints configured for the environment are created, and managed, by the customer or by Amazon MWAA. If set to `SERVICE` , Amazon MWAA will create and manage the required VPC endpoints in your VPC. If set to `CUSTOMER` , you must create, and manage, the VPC endpoints in your VPC.", + "title": "EndpointManagement", + "type": "string" + }, "EnvironmentClass": { "markdownDescription": "The environment class type. Valid values: `mw1.small` , `mw1.medium` , `mw1.large` . To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", "title": "EnvironmentClass", 
@@ -137901,7 +143254,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .", + "markdownDescription": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .\n\nIf you specify new tags for an existing environment, the update requires service interruption before taking effect.", "title": "Tags", "type": "object" }, @@ -138070,7 +143423,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", "type": "array" } @@ -138213,6 +143566,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An array of key-value pairs to apply to the custom data identifier.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", "type": "array" } }, 
@@ -138299,7 +143654,7 @@ "type": "string" }, "Position": { - "markdownDescription": "The position of the findings filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", + "markdownDescription": "The position of the findings filter in the list of saved filter rules on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", "title": "Position", "type": "number" }, @@ -138307,6 +143662,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An array of key-value pairs to apply to the findings filter.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", "type": "array" } }, @@ -138504,6 +143861,11 @@ "title": "AccessorType", "type": "string" }, + "NetworkType": { + "markdownDescription": "The blockchain network that the `Accessor` token is created for.\n\n> We recommend using the appropriate `networkType` value for the blockchain network that you are creating the `Accessor` token for. You cannnot use the value `ETHEREUM_MAINNET_AND_GOERLI` to specify a `networkType` for your Accessor token.\n> \n> The default value of `ETHEREUM_MAINNET_AND_GOERLI` is only applied:\n> \n> - when the `CreateAccessor` action does not set a `networkType` .\n> - to all existing `Accessor` tokens that were created before the `networkType` property was introduced.", + "title": "NetworkType", + "type": "string" + }, "Tags": { "items": { "$ref": "#/definitions/Tag" 
@@ -138630,7 +143992,7 @@ "type": "number" }, "ThresholdComparator": { - "markdownDescription": "Determines whether the vote percentage must be greater than the `ThresholdPercentage` or must be greater than or equal to the `ThreholdPercentage` to be approved.", + "markdownDescription": "Determines whether the vote percentage must be greater than the `ThresholdPercentage` or must be greater than or equal to the `ThresholdPercentage` to be approved.", "title": "ThresholdComparator", "type": "string" }, @@ -138816,7 +144178,7 @@ "type": "string" }, "NetworkId": { - "markdownDescription": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`\n- `n-ethereum-rinkeby`", + "markdownDescription": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`", "title": "NetworkId", "type": "string" }, @@ -138919,7 +144281,7 @@ "title": "IngressGatewayBridge" }, "Name": { - "markdownDescription": "The network output name. This name is used to reference the output and must be unique among outputs in this bridge.", + "markdownDescription": "The name of the bridge. This name can not be modified after the bridge is created.", "title": "Name", "type": "string" }, @@ -139355,7 +144717,7 @@ "title": "FlowSource" }, "Name": { - "markdownDescription": "The name of the network source. This name is used to reference the source and must be unique among sources in this bridge.", + "markdownDescription": "The name of the flow source. This name is used to reference the source and must be unique among sources in this bridge.", "title": "Name", "type": "string" }, 
@@ -139621,13 +144983,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::Flow.VpcInterfaceAttachment", - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface attachment to use for this bridge source.", "title": "VpcInterfaceAttachment" } }, @@ -139656,7 +145018,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::Flow.GatewayBridgeSource", - "markdownDescription": "", + "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", "title": "GatewayBridgeSource" }, "IngestIp": { @@ -139760,7 +145122,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface that you want to send your output to.", "title": "VpcInterfaceName", "type": "string" } @@ -139999,7 +145361,7 @@ "type": "number" }, "Name": { - "markdownDescription": "The name of the VPC interface.", + "markdownDescription": "The name of the output. This value must be unique within the current flow.", "title": "Name", "type": "string" }, @@ -140159,7 +145521,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.GatewayBridgeSource", - "markdownDescription": "", + "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", "title": "GatewayBridgeSource" }, "IngestPort": { 
@@ -140313,13 +145675,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.VpcInterfaceAttachment", - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface attachment to use for this bridge source.", "title": "VpcInterfaceAttachment" } }, @@ -140332,7 +145694,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface that you want to send your output to.", "title": "VpcInterfaceName", "type": "string" } @@ -140477,7 +145839,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the gateway. This name can not be modified after the gateway is created.", + "markdownDescription": "The name of the network. This name is used to reference the network and must be unique among networks in this gateway.", "title": "Name", "type": "string" }, @@ -140597,7 +145959,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the job template you are creating.", + "markdownDescription": "Name of the output group", "title": "Name", "type": "string" }, @@ -140936,7 +146298,7 @@ }, "Maintenance": { "$ref": "#/definitions/AWS::MediaLive::Channel.MaintenanceCreateSettings", - "markdownDescription": "", + "markdownDescription": "Maintenance settings for this channel.", "title": "Maintenance" }, "Name": { @@ -141037,6 +146399,8 @@ "additionalProperties": false, "properties": { "AttenuationControl": { + "markdownDescription": "", + "title": "AttenuationControl", "type": "string" }, "Bitrate": { 
@@ -142372,7 +147736,9 @@ "type": "array" }, "ThumbnailConfiguration": { - "$ref": "#/definitions/AWS::MediaLive::Channel.ThumbnailConfiguration" + "$ref": "#/definitions/AWS::MediaLive::Channel.ThumbnailConfiguration", + "markdownDescription": "", + "title": "ThumbnailConfiguration" }, "TimecodeConfig": { "$ref": "#/definitions/AWS::MediaLive::Channel.TimecodeConfig", @@ -142390,6 +147756,22 @@ }, "type": "object" }, + "AWS::MediaLive::Channel.EpochLockingSettings": { + "additionalProperties": false, + "properties": { + "CustomEpoch": { + "markdownDescription": "", + "title": "CustomEpoch", + "type": "string" + }, + "JamSyncTime": { + "markdownDescription": "", + "title": "JamSyncTime", + "type": "string" + } + }, + "type": "object" + }, "AWS::MediaLive::Channel.Esam": { "additionalProperties": false, "properties": { @@ -142465,6 +147847,11 @@ "markdownDescription": "Enables the Input Prepare feature. You can create Input Prepare actions in the schedule only if this feature is enabled.\nIf you disable the feature on an existing schedule, make sure that you first delete all input prepare actions from the schedule.", "title": "InputPrepareScheduleActions", "type": "string" + }, + "OutputStaticImageOverlayScheduleActions": { + "markdownDescription": "", + "title": "OutputStaticImageOverlayScheduleActions", + "type": "string" } }, "type": "object" @@ -142609,6 +147996,11 @@ "title": "OutputLockingMode", "type": "string" }, + "OutputLockingSettings": { + "$ref": "#/definitions/AWS::MediaLive::Channel.OutputLockingSettings", + "markdownDescription": "", + "title": "OutputLockingSettings" + }, "OutputTimingSource": { "markdownDescription": "Indicates whether the rate of frames emitted by the Live encoder should be paced by its system clock (which optionally might be locked to another source through NTP) or should be locked to the clock of the source that is providing the input stream.", "title": "OutputTimingSource", 
@@ -143352,7 +148744,7 @@ "type": "string" }, "ProgramDateTimeClock": { - "markdownDescription": "", + "markdownDescription": "Specifies the algorithm used to drive the HLS EXT-X-PROGRAM-DATE-TIME clock. Options include: INITIALIZE_FROM_OUTPUT_TIMECODE: The PDT clock is initialized as a function of the first output timecode, then incremented by the EXTINF duration of each encoded segment. SYSTEM_CLOCK: The PDT clock is initialized as a function of the UTC wall clock, then incremented by the EXTINF duration of each encoded segment. If the PDT clock diverges from the wall clock by more than 500ms, it is resynchronized to the wall clock.", "title": "ProgramDateTimeClock", "type": "string" }, @@ -144039,9 +149431,13 @@ "type": "string" }, "KlvBehavior": { + "markdownDescription": "", + "title": "KlvBehavior", "type": "string" }, "KlvDataPids": { + "markdownDescription": "", + "title": "KlvDataPids", "type": "string" }, "NielsenId3Behavior": { @@ -144121,12 +149517,12 @@ "additionalProperties": false, "properties": { "MaintenanceDay": { - "markdownDescription": "", + "markdownDescription": "Choose one day of the week for maintenance. The chosen day is used for all future maintenance windows.", "title": "MaintenanceDay", "type": "string" }, "MaintenanceStartTime": { - "markdownDescription": "", + "markdownDescription": "Choose the hour that maintenance will start. The chosen time is used for all future maintenance windows.", "title": "MaintenanceStartTime", "type": "string" } @@ -144137,18 +149533,12 @@ "additionalProperties": false, "properties": { "MaintenanceDay": { - "markdownDescription": "", - "title": "MaintenanceDay", "type": "string" }, "MaintenanceScheduledDate": { - "markdownDescription": "", - "title": "MaintenanceScheduledDate", "type": "string" }, "MaintenanceStartTime": { - "markdownDescription": "", - "title": "MaintenanceStartTime", "type": "string" } }, 
@@ -144751,6 +150141,22 @@ }, "type": "object" }, + "AWS::MediaLive::Channel.OutputLockingSettings": { + "additionalProperties": false, + "properties": { + "EpochLockingSettings": { + "$ref": "#/definitions/AWS::MediaLive::Channel.EpochLockingSettings", + "markdownDescription": "", + "title": "EpochLockingSettings" + }, + "PipelineLockingSettings": { + "$ref": "#/definitions/AWS::MediaLive::Channel.PipelineLockingSettings", + "markdownDescription": "", + "title": "PipelineLockingSettings" + } + }, + "type": "object" + }, "AWS::MediaLive::Channel.OutputSettings": { "additionalProperties": false, "properties": { @@ -144802,6 +150208,11 @@ "properties": {}, "type": "object" }, + "AWS::MediaLive::Channel.PipelineLockingSettings": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, "AWS::MediaLive::Channel.RawSettings": { "additionalProperties": false, "properties": {}, @@ -144878,6 +150289,8 @@ "type": "string" }, "IncludeFillerNalUnits": { + "markdownDescription": "", + "title": "IncludeFillerNalUnits", "type": "string" }, "InputLossAction": { @@ -145081,6 +150494,8 @@ "additionalProperties": false, "properties": { "State": { + "markdownDescription": "", + "title": "State", "type": "string" } }, @@ -145550,8 +150965,6 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "This property is not used. Ignore it.", - "title": "Id", "type": "string" } }, @@ -145704,7 +151117,7 @@ }, "type": "object" }, - "AWS::MediaPackage::Asset": { + "AWS::MediaLive::Multiplex": { "additionalProperties": false, "properties": { "Condition": { 
@@ -145739,59 +151152,51 @@ "Properties": { "additionalProperties": false, "properties": { - "EgressEndpoints": { + "AvailabilityZones": { "items": { - "$ref": "#/definitions/AWS::MediaPackage::Asset.EgressEndpoint" + "type": "string" }, - "markdownDescription": "List of playback endpoints that are available for this asset.", - "title": "EgressEndpoints", + "markdownDescription": "A list of availability zones for the multiplex.", + "title": "AvailabilityZones", "type": "array" }, - "Id": { - "markdownDescription": "Unique identifier that you assign to the asset.", - "title": "Id", - "type": "string" - }, - "PackagingGroupId": { - "markdownDescription": "The ID of the packaging group associated with this asset.", - "title": "PackagingGroupId", - "type": "string" - }, - "ResourceId": { - "markdownDescription": "Unique identifier for this asset, as it's configured in the key provider service.", - "title": "ResourceId", - "type": "string" + "Destinations": { + "items": { + "$ref": "#/definitions/AWS::MediaLive::Multiplex.MultiplexOutputDestination" + }, + "markdownDescription": "A list of the multiplex output destinations.", + "title": "Destinations", + "type": "array" }, - "SourceArn": { - "markdownDescription": "The ARN for the source content in Amazon S3.", - "title": "SourceArn", - "type": "string" + "MultiplexSettings": { + "$ref": "#/definitions/AWS::MediaLive::Multiplex.MultiplexSettings", + "markdownDescription": "Configuration for a multiplex event.", + "title": "MultiplexSettings" }, - "SourceRoleArn": { - "markdownDescription": "The ARN for the IAM role that provides AWS Elemental MediaPackage access to the Amazon S3 bucket where the source content is stored. 
Valid format: arn:aws:iam::{accountID}:role/{name}", - "title": "SourceRoleArn", + "Name": { + "markdownDescription": "The name of the multiplex.", + "title": "Name", "type": "string" }, "Tags": { "items": { - "$ref": "#/definitions/Tag" + "$ref": "#/definitions/AWS::MediaLive::Multiplex.Tags" }, - "markdownDescription": "The tags to assign to the asset.", + "markdownDescription": "A collection of key-value pairs.", "title": "Tags", "type": "array" } }, "required": [ - "Id", - "PackagingGroupId", - "SourceArn", - "SourceRoleArn" + "AvailabilityZones", + "MultiplexSettings", + "Name" ], "type": "object" }, "Type": { "enum": [ - "AWS::MediaPackage::Asset" + "AWS::MediaLive::Multiplex" ], "type": "string" }, 
@@ -145810,27 +151215,482 @@ ], "type": "object" }, - "AWS::MediaPackage::Asset.EgressEndpoint": { + "AWS::MediaLive::Multiplex.MultiplexMediaConnectOutputDestinationSettings": { "additionalProperties": false, "properties": { - "PackagingConfigurationId": { - "markdownDescription": "The ID of a packaging configuration that's applied to this asset.", - "title": "PackagingConfigurationId", + "EntitlementArn": { + "markdownDescription": "The MediaConnect entitlement ARN available as a Flow source.", + "title": "EntitlementArn", "type": "string" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplex.MultiplexOutputDestination": { + "additionalProperties": false, + "properties": { + "MultiplexMediaConnectOutputDestinationSettings": { + "$ref": "#/definitions/AWS::MediaLive::Multiplex.MultiplexMediaConnectOutputDestinationSettings", + "markdownDescription": "", + "title": "MultiplexMediaConnectOutputDestinationSettings" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplex.MultiplexSettings": { + "additionalProperties": false, + "properties": { + "MaximumVideoBufferDelayMilliseconds": { + "markdownDescription": "Maximum video buffer delay in milliseconds.", + "title": "MaximumVideoBufferDelayMilliseconds", + "type": "number" }, - "Url": { - "markdownDescription": "The URL that's used to request content from this endpoint.", - "title": "Url", - "type": "string" + "TransportStreamBitrate": { + "markdownDescription": "Transport stream bit rate.", + "title": "TransportStreamBitrate", + "type": "number" + }, + "TransportStreamId": { + "markdownDescription": "Transport stream ID.", + "title": "TransportStreamId", + "type": "number" + }, + "TransportStreamReservedBitrate": { + "markdownDescription": "Transport stream reserved bit rate.", + "title": "TransportStreamReservedBitrate", + "type": "number" } }, "required": [ - "PackagingConfigurationId", - "Url" + "TransportStreamBitrate", + "TransportStreamId" ], "type": "object" }, - "AWS::MediaPackage::Channel": { + 
"AWS::MediaLive::Multiplex.Tags": { + "additionalProperties": false, + "properties": { + "Key": { + "markdownDescription": "", + "title": "Key", + "type": "string" + }, + "Value": { + "markdownDescription": "", + "title": "Value", + "type": "string" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ChannelId": { + "markdownDescription": "The unique ID of the channel.", + "title": "ChannelId", + "type": "string" + }, + "MultiplexId": { + "markdownDescription": "The unique id of the multiplex.", + "title": "MultiplexId", + "type": "string" + }, + "MultiplexProgramSettings": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexProgramSettings", + "markdownDescription": "Multiplex Program settings configuration.", + "title": "MultiplexProgramSettings" + }, + "PacketIdentifiersMap": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexProgramPacketIdentifiersMap", + "markdownDescription": "", + "title": "PacketIdentifiersMap" + }, + "PipelineDetails": { + "items": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexProgramPipelineDetail" + }, + "markdownDescription": "", + "title": "PipelineDetails", + "type": "array" + }, + "PreferredChannelPipeline": { + "markdownDescription": "Indicates which pipeline is preferred by the multiplex for program ingest.\nIf set to \\\"PIPELINE_0\\\" or \\\"PIPELINE_1\\\" and an unhealthy ingest causes the multiplex to switch to the non-preferred pipeline,\nit will switch back 
once that ingest is healthy again. If set to \\\"CURRENTLY_ACTIVE\\\",\nit will not switch back to the other pipeline based on it recovering to a healthy state,\nit will only switch if the active pipeline becomes unhealthy.", + "title": "PreferredChannelPipeline", + "type": "string" + }, + "ProgramName": { + "markdownDescription": "", + "title": "ProgramName", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::MediaLive::Multiplexprogram" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexProgramPacketIdentifiersMap": { + "additionalProperties": false, + "properties": { + "AudioPids": { + "items": { + "type": "number" + }, + "markdownDescription": "", + "title": "AudioPids", + "type": "array" + }, + "DvbSubPids": { + "items": { + "type": "number" + }, + "markdownDescription": "", + "title": "DvbSubPids", + "type": "array" + }, + "DvbTeletextPid": { + "markdownDescription": "", + "title": "DvbTeletextPid", + "type": "number" + }, + "EtvPlatformPid": { + "markdownDescription": "", + "title": "EtvPlatformPid", + "type": "number" + }, + "EtvSignalPid": { + "markdownDescription": "", + "title": "EtvSignalPid", + "type": "number" + }, + "KlvDataPids": { + "items": { + "type": "number" + }, + "markdownDescription": "", + "title": "KlvDataPids", + "type": "array" + }, + "PcrPid": { + "markdownDescription": "", + "title": "PcrPid", + "type": "number" + }, + "PmtPid": { + "markdownDescription": "", + "title": "PmtPid", + "type": "number" + }, + "PrivateMetadataPid": { + "markdownDescription": "", + "title": "PrivateMetadataPid", + "type": "number" + }, + "Scte27Pids": { + "items": { + "type": "number" + }, + "markdownDescription": "", + "title": "Scte27Pids", + "type": "array" + }, + "Scte35Pid": { + "markdownDescription": "", + "title": "Scte35Pid", + "type": 
"number" + }, + "TimedMetadataPid": { + "markdownDescription": "", + "title": "TimedMetadataPid", + "type": "number" + }, + "VideoPid": { + "markdownDescription": "", + "title": "VideoPid", + "type": "number" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexProgramPipelineDetail": { + "additionalProperties": false, + "properties": { + "ActiveChannelPipeline": { + "markdownDescription": "Identifies the channel pipeline that is currently active for the pipeline (identified by PipelineId) in the multiplex.", + "title": "ActiveChannelPipeline", + "type": "string" + }, + "PipelineId": { + "markdownDescription": "Identifies a specific pipeline in the multiplex.", + "title": "PipelineId", + "type": "string" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexProgramServiceDescriptor": { + "additionalProperties": false, + "properties": { + "ProviderName": { + "markdownDescription": "Name of the provider.", + "title": "ProviderName", + "type": "string" + }, + "ServiceName": { + "markdownDescription": "Name of the service.", + "title": "ServiceName", + "type": "string" + } + }, + "required": [ + "ProviderName", + "ServiceName" + ], + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexProgramSettings": { + "additionalProperties": false, + "properties": { + "PreferredChannelPipeline": { + "markdownDescription": "Indicates which pipeline is preferred by the multiplex for program ingest.", + "title": "PreferredChannelPipeline", + "type": "string" + }, + "ProgramNumber": { + "markdownDescription": "Unique program number.", + "title": "ProgramNumber", + "type": "number" + }, + "ServiceDescriptor": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexProgramServiceDescriptor", + "markdownDescription": "Transport stream service descriptor configuration for the Multiplex program.", + "title": "ServiceDescriptor" + }, + "VideoSettings": { + "$ref": 
"#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexVideoSettings", + "markdownDescription": "Program video settings configuration.", + "title": "VideoSettings" + } + }, + "required": [ + "ProgramNumber" + ], + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexStatmuxVideoSettings": { + "additionalProperties": false, + "properties": { + "MaximumBitrate": { + "markdownDescription": "Maximum statmux bitrate.", + "title": "MaximumBitrate", + "type": "number" + }, + "MinimumBitrate": { + "markdownDescription": "Minimum statmux bitrate.", + "title": "MinimumBitrate", + "type": "number" + }, + "Priority": { + "markdownDescription": "The purpose of the priority is to use a combination of the\\nmultiplex rate control algorithm and the QVBR capability of the\\nencoder to prioritize the video quality of some channels in a\\nmultiplex over others. Channels that have a higher priority will\\nget higher video quality at the expense of the video quality of\\nother channels in the multiplex with lower priority.", + "title": "Priority", + "type": "number" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexVideoSettings": { + "additionalProperties": false, + "properties": { + "ConstantBitrate": { + "markdownDescription": "The constant bitrate configuration for the video encode.\nWhen this field is defined, StatmuxSettings must be undefined.", + "title": "ConstantBitrate", + "type": "number" + }, + "StatmuxSettings": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexStatmuxVideoSettings", + "markdownDescription": "Statmux rate control settings.\nWhen this field is defined, ConstantBitrate must be undefined.", + "title": "StatmuxSettings" + } + }, + "type": "object" + }, + "AWS::MediaPackage::Asset": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + 
"anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "EgressEndpoints": { + "items": { + "$ref": "#/definitions/AWS::MediaPackage::Asset.EgressEndpoint" + }, + "markdownDescription": "List of playback endpoints that are available for this asset.", + "title": "EgressEndpoints", + "type": "array" + }, + "Id": { + "markdownDescription": "Unique identifier that you assign to the asset.", + "title": "Id", + "type": "string" + }, + "PackagingGroupId": { + "markdownDescription": "The ID of the packaging group associated with this asset.", + "title": "PackagingGroupId", + "type": "string" + }, + "ResourceId": { + "markdownDescription": "Unique identifier for this asset, as it's configured in the key provider service.", + "title": "ResourceId", + "type": "string" + }, + "SourceArn": { + "markdownDescription": "The ARN for the source content in Amazon S3.", + "title": "SourceArn", + "type": "string" + }, + "SourceRoleArn": { + "markdownDescription": "The ARN for the IAM role that provides AWS Elemental MediaPackage access to the Amazon S3 bucket where the source content is stored. 
Valid format: arn:aws:iam::{accountID}:role/{name}", + "title": "SourceRoleArn", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags to assign to the asset.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Id", + "PackagingGroupId", + "SourceArn", + "SourceRoleArn" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::MediaPackage::Asset" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::MediaPackage::Asset.EgressEndpoint": { + "additionalProperties": false, + "properties": { + "PackagingConfigurationId": { + "markdownDescription": "The ID of a packaging configuration that's applied to this asset.", + "title": "PackagingConfigurationId", + "type": "string" + }, + "Url": { + "markdownDescription": "The URL that's used to request content from this endpoint.", + "title": "Url", + "type": "string" + } + }, + "required": [ + "PackagingConfigurationId", + "Url" + ], + "type": "object" + }, + "AWS::MediaPackage::Channel": { "additionalProperties": false, "properties": { "Condition": { 
@@ -146842,9 +152702,13 @@ "additionalProperties": false, "properties": { "PresetSpeke20Audio": { + "markdownDescription": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "title": "PresetSpeke20Audio", "type": "string" }, "PresetSpeke20Video": { + "markdownDescription": "A collection of video encryption presets.\n\nValue description:\n\n- `PRESET-VIDEO-1` - Use one content key to encrypt all of the video tracks in your stream.\n- `PRESET-VIDEO-2` - Use one content key to encrypt all of the SD video tracks and one content key for all HD and higher resolutions video tracks.\n- `PRESET-VIDEO-3` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-4` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-5` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-6` - Use one content key to encrypt all of the SD video tracks, one content key for 
HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-7` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-8` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `SHARED` - Use the same content key for all of the video and audio tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the video tracks in your stream.", + "title": "PresetSpeke20Video", "type": "string" } }, @@ -147215,18 +153079,26 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the channel configuration.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The name of the channel.", + "title": "ChannelName", "type": "string" }, "Description": { + "markdownDescription": "The description of the channel.", + "title": "Description", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the channel.", + "title": "Tags", "type": "array" } }, @@ -147256,9 +153128,13 @@ "additionalProperties": false, "properties": { "Id": { + "markdownDescription": "The identifier associated with the ingest endpoint of the channel.", + "title": "Id", "type": "string" }, "Url": { + "markdownDescription": "The URL associated with the ingest endpoint of the channel.", + "title": "Url", "type": "string" } }, 
@@ -147300,15 +153176,21 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group.", + "title": "ChannelGroupName", "type": "string" }, "Description": { + "markdownDescription": "The configuration for a MediaPackage V2 channel group.", + "title": "Description", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the channel group.", + "title": "Tags", "type": "array" } }, @@ -147370,12 +153252,18 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the channel policy.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The name of the channel associated with the channel policy.", + "title": "ChannelName", "type": "string" }, "Policy": { + "markdownDescription": "The policy associated with the channel.", + "title": "Policy", "type": "object" } }, 
@@ -147441,42 +153329,62 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the origin endpoint configuration.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The channel name associated with the origin endpoint.", + "title": "ChannelName", "type": "string" }, "ContainerType": { + "markdownDescription": "The container type associated with the origin endpoint configuration.", + "title": "ContainerType", "type": "string" }, "Description": { + "markdownDescription": "The description associated with the origin endpoint.", + "title": "Description", "type": "string" }, "HlsManifests": { "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.HlsManifestConfiguration" }, + "markdownDescription": "The HLS manfiests associated with the origin endpoint configuration.", + "title": "HlsManifests", "type": "array" }, "LowLatencyHlsManifests": { "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.LowLatencyHlsManifestConfiguration" }, + "markdownDescription": "The low-latency HLS (LL-HLS) manifests associated with the origin endpoint.", + "title": "LowLatencyHlsManifests", "type": "array" }, "OriginEndpointName": { + "markdownDescription": "The name of the origin endpoint associated with the origin endpoint configuration.", + "title": "OriginEndpointName", "type": "string" }, "Segment": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Segment" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Segment", + "markdownDescription": "The segment associated with the origin endpoint.", + "title": "Segment" }, "StartoverWindowSeconds": { + "markdownDescription": "The size of the window (in seconds) to specify a window of the live stream that's available for on-demand viewing. 
Viewers can start-over or catch-up on content that falls within the window.", + "title": "StartoverWindowSeconds", "type": "number" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the origin endpoint.", + "title": "Tags", "type": "array" } }, @@ -147510,16 +153418,24 @@ "additionalProperties": false, "properties": { "ConstantInitializationVector": { + "markdownDescription": "A 128-bit, 16-byte hex value represented by a 32-character string, used in conjunction with the key for encrypting content. If you don't specify a value, then MediaPackage creates the constant initialization vector (IV).", + "title": "ConstantInitializationVector", "type": "string" }, "EncryptionMethod": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionMethod" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionMethod", + "markdownDescription": "The encryption method to use.", + "title": "EncryptionMethod" }, "KeyRotationIntervalSeconds": { + "markdownDescription": "The interval, in seconds, to rotate encryption keys for the origin endpoint.", + "title": "KeyRotationIntervalSeconds", "type": "number" }, "SpekeKeyProvider": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.SpekeKeyProvider" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.SpekeKeyProvider", + "markdownDescription": "The SPEKE key provider to use for encryption.", + "title": "SpekeKeyProvider" } }, "required": [ 
@@ -147532,9 +153448,13 @@ "additionalProperties": false, "properties": { "PresetSpeke20Audio": { + "markdownDescription": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "title": "PresetSpeke20Audio", "type": "string" }, "PresetSpeke20Video": { + "markdownDescription": "The SPEKE Version 2.0 preset video associated with the encryption contract configuration of the origin endpoint.", + "title": "PresetSpeke20Video", "type": "string" } }, 
@@ -147548,33 +153468,80 @@ "additionalProperties": false, "properties": { "CmafEncryptionMethod": { + "markdownDescription": "The encryption method to use.", + "title": "CmafEncryptionMethod", "type": "string" }, "TsEncryptionMethod": { + "markdownDescription": "The encryption method to use.", + "title": "TsEncryptionMethod", "type": "string" } }, "type": "object" }, + "AWS::MediaPackageV2::OriginEndpoint.FilterConfiguration": { + "additionalProperties": false, + "properties": { + "End": { + "markdownDescription": "", + "title": "End", + "type": "string" + }, + "ManifestFilter": { + "markdownDescription": "", + "title": "ManifestFilter", + "type": "string" + }, + "Start": { + "markdownDescription": "", + "title": "Start", + "type": "string" + }, + "TimeDelaySeconds": { + "markdownDescription": "", + "title": "TimeDelaySeconds", + "type": "number" + } + }, + "type": "object" + }, "AWS::MediaPackageV2::OriginEndpoint.HlsManifestConfiguration": { "additionalProperties": false, "properties": { "ChildManifestName": { + "markdownDescription": "The name of the child manifest associated with the HLS manifest configuration.", + "title": "ChildManifestName", "type": "string" }, + "FilterConfiguration": { + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.FilterConfiguration", + "markdownDescription": "", + "title": "FilterConfiguration" + }, "ManifestName": { + "markdownDescription": "The name of the manifest associated with the HLS manifest configuration.", + "title": "ManifestName", "type": "string" }, "ManifestWindowSeconds": { + "markdownDescription": "The duration of the manifest window, in seconds, for the HLS manifest configuration.", + "title": "ManifestWindowSeconds", "type": "number" }, "ProgramDateTimeIntervalSeconds": { + "markdownDescription": "The `EXT-X-PROGRAM-DATE-TIME` interval, in seconds, associated with the HLS manifest configuration.", + "title": "ProgramDateTimeIntervalSeconds", "type": "number" }, "ScteHls": { - "$ref": 
"#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls", + "markdownDescription": "THE SCTE-35 HLS configuration associated with the HLS manifest configuration.", + "title": "ScteHls" }, "Url": { + "markdownDescription": "The URL of the HLS manifest configuration.", + "title": "Url", "type": "string" } }, 
@@ -147587,21 +153554,38 @@ "additionalProperties": false, "properties": { "ChildManifestName": { + "markdownDescription": "The name of the child manifest associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "ChildManifestName", "type": "string" }, + "FilterConfiguration": { + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.FilterConfiguration", + "markdownDescription": "", + "title": "FilterConfiguration" + }, "ManifestName": { + "markdownDescription": "A short short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", + "title": "ManifestName", "type": "string" }, "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of the manifest's content.", + "title": "ManifestWindowSeconds", "type": "number" }, "ProgramDateTimeIntervalSeconds": { + "markdownDescription": "Inserts `EXT-X-PROGRAM-DATE-TIME` tags in the output manifest at the interval that you specify. If you don't enter an interval, `EXT-X-PROGRAM-DATE-TIME` tags aren't included in the manifest. The tags sync the stream to the wall clock so that viewers can seek to a specific time in the playback timeline on the player. 
`ID3Timed` metadata messages generate every 5 seconds whenever MediaPackage ingests the content.\n\nIrrespective of this parameter, if any `ID3Timed` metadata is in the HLS input, MediaPackage passes through that metadata to the HLS output.", + "title": "ProgramDateTimeIntervalSeconds", "type": "number" }, "ScteHls": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls", + "markdownDescription": "The SCTE-35 HLS configuration associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "ScteHls" }, "Url": { + "markdownDescription": "The URL of the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "Url", "type": "string" } }, @@ -147617,6 +153601,8 @@ "items": { "type": "string" }, + "markdownDescription": "The filter associated with the SCTE-35 configuration.", + "title": "ScteFilter", "type": "array" } }, @@ -147626,6 +153612,8 @@ "additionalProperties": false, "properties": { "AdMarkerHls": { + "markdownDescription": "The SCTE-35 HLS ad-marker configuration.", + "title": "AdMarkerHls", "type": "string" } }, 
@@ -147635,24 +153623,38 @@ "additionalProperties": false, "properties": { "Encryption": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Encryption" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Encryption", + "markdownDescription": "Whether to use encryption for the segment.", + "title": "Encryption" }, "IncludeIframeOnlyStreams": { + "markdownDescription": "Whether the segment includes I-frame-only streams.", + "title": "IncludeIframeOnlyStreams", "type": "boolean" }, "Scte": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Scte" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Scte", + "markdownDescription": "The SCTE-35 configuration associated with the segment.", + "title": "Scte" }, "SegmentDurationSeconds": { + "markdownDescription": "The duration of the segment, in seconds.", + "title": "SegmentDurationSeconds", "type": "number" }, "SegmentName": { + "markdownDescription": "The name of the segment associated with the origin endpoint.", + "title": "SegmentName", "type": "string" }, "TsIncludeDvbSubtitles": { + "markdownDescription": "Whether the segment includes DVB subtitles.", + "title": "TsIncludeDvbSubtitles", "type": "boolean" }, "TsUseAudioRenditionGroup": { + "markdownDescription": "Whether the segment is an audio rendition group.", + "title": "TsUseAudioRenditionGroup", "type": "boolean" } }, 
@@ -147665,18 +153667,28 @@ "items": { "type": "string" }, + "markdownDescription": "The DRM solution provider you're using to protect your content during distribution.", + "title": "DrmSystems", "type": "array" }, "EncryptionContractConfiguration": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionContractConfiguration" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionContractConfiguration", + "markdownDescription": "The encryption contract configuration associated with the SPEKE key provider.", + "title": "EncryptionContractConfiguration" }, "ResourceId": { + "markdownDescription": "The unique identifier for the content. The service sends this identifier to the key server to identify the current endpoint. How unique you make this identifier depends on how fine-grained you want access controls to be. The service does not permit you to use the same ID for two simultaneous encryption processes. The resource ID is also known as the content ID.\n\nThe following example shows a resource ID: `MovieNight20171126093045`", + "title": "ResourceId", "type": "string" }, "RoleArn": { + "markdownDescription": "The ARN for the IAM role granted by the key provider that provides access to the key provider API. This role must have a trust policy that allows MediaPackage to assume the role, and it must have a sufficient permissions policy to allow access to the specific key retrieval URL. Get this from your DRM solution provider.\n\nValid format: `arn:aws:iam::{accountID}:role/{name}` . The following example shows a role ARN: `arn:aws:iam::444455556666:role/SpekeAccess`", + "title": "RoleArn", "type": "string" }, "Url": { + "markdownDescription": "The URL of the SPEKE key provider.", + "title": "Url", "type": "string" } }, 
@@ -147725,15 +153737,23 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the origin endpoint policy.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The channel name associated with the origin endpoint policy.", + "title": "ChannelName", "type": "string" }, "OriginEndpointName": { + "markdownDescription": "The name of the origin endpoint associated with the origin endpoint policy.", + "title": "OriginEndpointName", "type": "string" }, "Policy": { + "markdownDescription": "The policy associated with the origin endpoint.", + "title": "Policy", "type": "object" } }, @@ -147823,7 +153843,7 @@ }, "MetricPolicy": { "$ref": "#/definitions/AWS::MediaStore::Container.MetricPolicy", - "markdownDescription": "", + "markdownDescription": "The metric policy that is associated with the container. A metric policy allows AWS Elemental MediaStore to send metrics to Amazon CloudWatch. In the policy, you must indicate whether you want MediaStore to send container-level metrics. You can also include rules to define groups of objects that you want MediaStore to send object-level metrics for.\n\nTo view examples of how to construct a metric policy for your use case, see [Example Metric Policies](https://docs.aws.amazon.com/mediastore/latest/ug/policies-metric-examples.html) .", "title": "MetricPolicy" }, "Policy": { 
@@ -147987,30 +154007,44 @@ "additionalProperties": false, "properties": { "ChannelName": { + "markdownDescription": "The name of the channel.", + "title": "ChannelName", "type": "string" }, "FillerSlate": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.SlateSource" + "$ref": "#/definitions/AWS::MediaTailor::Channel.SlateSource", + "markdownDescription": "The slate used to fill gaps between programs in the schedule. You must configure filler slate if your channel uses the `LINEAR` `PlaybackMode` . MediaTailor doesn't support filler slate for channels using the `LOOP` `PlaybackMode` .", + "title": "FillerSlate" }, "LogConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.LogConfigurationForChannel" + "$ref": "#/definitions/AWS::MediaTailor::Channel.LogConfigurationForChannel", + "markdownDescription": "The log configuration.", + "title": "LogConfiguration" }, "Outputs": { "items": { "$ref": "#/definitions/AWS::MediaTailor::Channel.RequestOutputItem" }, + "markdownDescription": "The channel's output properties.", + "title": "Outputs", "type": "array" }, "PlaybackMode": { + "markdownDescription": "The type of playback mode for this channel.\n\n`LINEAR` - Programs play back-to-back only once.\n\n`LOOP` - Programs play back-to-back in an endless loop. When the last program in the schedule plays, playback loops back to the first program in the schedule.", + "title": "PlaybackMode", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to assign to the channel. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" }, "Tier": { + "markdownDescription": "The tier for this channel. 
STANDARD tier channels can contain live programs.", + "title": "Tier", "type": "string" } }, @@ -148046,15 +154080,23 @@ "additionalProperties": false, "properties": { "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds.", + "title": "ManifestWindowSeconds", "type": "number" }, "MinBufferTimeSeconds": { + "markdownDescription": "Minimum amount of content (measured in seconds) that a player must keep available in the buffer. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "MinBufferTimeSeconds", "type": "number" }, "MinUpdatePeriodSeconds": { + "markdownDescription": "Minimum amount of time (in seconds) that the player should wait before requesting updates to the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "MinUpdatePeriodSeconds", "type": "number" }, "SuggestedPresentationDelaySeconds": { + "markdownDescription": "Amount of time (in seconds) that the player should be from the live point at the end of the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "SuggestedPresentationDelaySeconds", "type": "number" } }, @@ -148067,9 +154109,13 @@ "items": { "type": "string" }, + "markdownDescription": "Determines the type of SCTE 35 tags to use in ad markup. Specify `DATERANGE` to use `DATERANGE` tags (for live or VOD content). Specify `SCTE35_ENHANCED` to use `EXT-X-CUE-OUT` and `EXT-X-CUE-IN` tags (for VOD content only).", + "title": "AdMarkupType", "type": "array" }, "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds.", + "title": "ManifestWindowSeconds", "type": "number" } }, @@ -148082,6 +154128,8 @@ "items": { "type": "string" }, + "markdownDescription": "The log types.", + "title": "LogTypes", "type": "array" } }, 
@@ -148091,15 +154139,23 @@ "additionalProperties": false, "properties": { "DashPlaylistSettings": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.DashPlaylistSettings" + "$ref": "#/definitions/AWS::MediaTailor::Channel.DashPlaylistSettings", + "markdownDescription": "DASH manifest configuration parameters.", + "title": "DashPlaylistSettings" }, "HlsPlaylistSettings": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.HlsPlaylistSettings" + "$ref": "#/definitions/AWS::MediaTailor::Channel.HlsPlaylistSettings", + "markdownDescription": "HLS playlist configuration parameters.", + "title": "HlsPlaylistSettings" }, "ManifestName": { + "markdownDescription": "The name of the manifest for the channel. The name appears in the `PlaybackUrl` .", + "title": "ManifestName", "type": "string" }, "SourceGroup": { + "markdownDescription": "A string used to match which `HttpPackageConfiguration` is used for each `VodSource` .", + "title": "SourceGroup", "type": "string" } }, @@ -148113,9 +154169,13 @@ "additionalProperties": false, "properties": { "SourceLocationName": { + "markdownDescription": "The name of the source location where the slate VOD source is stored.", + "title": "SourceLocationName", "type": "string" }, "VodSourceName": { + "markdownDescription": "The slate VOD source name. The VOD source must already exist in a source location before it can be used for slate.", + "title": "VodSourceName", "type": "string" } }, @@ -148157,9 +154217,13 @@ "additionalProperties": false, "properties": { "ChannelName": { + "markdownDescription": "The name of the channel associated with this Channel Policy.", + "title": "ChannelName", "type": "string" }, "Policy": { + "markdownDescription": "The IAM policy for the channel. IAM policies are used to control access to your channel.", + "title": "Policy", "type": "object" } }, 
@@ -148229,18 +154293,26 @@ "items": { "$ref": "#/definitions/AWS::MediaTailor::LiveSource.HttpPackageConfiguration" }, + "markdownDescription": "The HTTP package configurations for the live source.", + "title": "HttpPackageConfigurations", "type": "array" }, "LiveSourceName": { + "markdownDescription": "The name that's used to refer to a live source.", + "title": "LiveSourceName", "type": "string" }, "SourceLocationName": { + "markdownDescription": "The name of the source location.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the live source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" } }, @@ -148276,12 +154348,18 @@ "additionalProperties": false, "properties": { "Path": { + "markdownDescription": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "title": "Path", "type": "string" }, "SourceGroup": { + "markdownDescription": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "title": "SourceGroup", "type": "string" }, "Type": { + "markdownDescription": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` .", + "title": "Type", "type": "string" } }, 
@@ -148328,23 +154406,23 @@ "additionalProperties": false, "properties": { "AdDecisionServerUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the ad decision server (ADS). This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing you can provide a static VAST URL. The maximum length is 25,000 characters.", "title": "AdDecisionServerUrl", "type": "string" }, "AvailSuppression": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.AvailSuppression", - "markdownDescription": "", + "markdownDescription": "The configuration for avail suppression, also known as ad suppression. For more information about ad suppression, see [Ad Suppression](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", "title": "AvailSuppression" }, "Bumper": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.Bumper", - "markdownDescription": "", + "markdownDescription": "The configuration for bumpers. Bumpers are short audio or video clips that play at the start or before the end of an ad break. To learn more about bumpers, see [Bumpers](https://docs.aws.amazon.com/mediatailor/latest/ug/bumpers.html) .", "title": "Bumper" }, "CdnConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.CdnConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for using a content delivery network (CDN), like Amazon CloudFront, for content and ad segment management.", "title": "CdnConfiguration" }, "ConfigurationAliases": { @@ -148360,7 +154438,7 @@ }, "DashConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.DashConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for a DASH source.", "title": "DashConfiguration" }, "HlsConfiguration": { 
@@ -148370,26 +154448,26 @@ }, "LivePreRollConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.LivePreRollConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for pre-roll ad insertion.", "title": "LivePreRollConfiguration" }, "ManifestProcessingRules": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.ManifestProcessingRules", - "markdownDescription": "", + "markdownDescription": "The configuration for manifest processing rules. Manifest processing rules enable customization of the personalized manifests created by MediaTailor.", "title": "ManifestProcessingRules" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The identifier for the playback configuration.", "title": "Name", "type": "string" }, "PersonalizationThresholdSeconds": { - "markdownDescription": "", + "markdownDescription": "Defines the maximum duration of underfilled ad time (in seconds) allowed in an ad break. If the duration of underfilled ad time exceeds the personalization threshold, then the personalization of the ad break is abandoned and the underlying content is shown. This feature applies to *ad replacement* in live and VOD streams, rather than ad insertion, because it relies on an underlying content stream. For more information about ad break behavior, including ad replacement and insertion, see [Ad Behavior in AWS Elemental MediaTailor](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", "title": "PersonalizationThresholdSeconds", "type": "number" }, "SlateAdUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for a video asset to transcode and use to fill in time that's not used by ads. AWS Elemental MediaTailor shows the slate to fill in gaps in media content. Configuring the slate is optional for non-VPAID playback configurations. For VPAID, the slate is required because MediaTailor provides it in the slots designated for dynamic ad content. 
The slate must be a high-quality asset that contains both audio and video.", "title": "SlateAdUrl", "type": "string" }, @@ -148397,17 +154475,17 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The tags to assign to the playback configuration. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", "title": "Tags", "type": "array" }, "TranscodeProfileName": { - "markdownDescription": "", + "markdownDescription": "The name that is used to associate this playback configuration with a custom transcode profile. This overrides the dynamic transcoding defaults of MediaTailor. Use this only if you have already set up custom profiles with the help of AWS Support.", "title": "TranscodeProfileName", "type": "string" }, "VideoContentSourceUrl": { - "markdownDescription": "", + "markdownDescription": "The URL prefix for the parent manifest for the stream, minus the asset ID. The maximum length is 512 characters.", "title": "VideoContentSourceUrl", "type": "string" } @@ -148444,7 +154522,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "", + "markdownDescription": "Enables ad marker passthrough for your configuration.", "title": "Enabled", "type": "boolean" } 
@@ -148455,12 +154533,12 @@ "additionalProperties": false, "properties": { "Mode": { - "markdownDescription": "", + "markdownDescription": "Sets the ad suppression mode. By default, ad suppression is off and all ad breaks are filled with ads or slate. When Mode is set to `BEHIND_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks on or behind the ad suppression Value time in the manifest lookback window. When Mode is set to `AFTER_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks that are within the live edge plus the avail suppression value.", "title": "Mode", "type": "string" }, "Value": { - "markdownDescription": "", + "markdownDescription": "A live edge offset time in HH:MM:SS. MediaTailor won't fill ad breaks on or behind this time in the manifest lookback window. If Value is set to 00:00:00, it is in sync with the live edge, and MediaTailor won't fill any ad breaks on or behind the live edge. If you set a Value time, MediaTailor won't fill any ad breaks on or behind this time in the manifest lookback window. For example, if you set 00:45:00, then MediaTailor will fill ad breaks that occur within 45 minutes behind the live edge, but won't fill ad breaks on or behind 45 minutes behind the live edge.", "title": "Value", "type": "string" } @@ -148471,12 +154549,12 @@ "additionalProperties": false, "properties": { "EndUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the end bumper asset.", "title": "EndUrl", "type": "string" }, "StartUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the start bumper asset.", "title": "StartUrl", "type": "string" } 
@@ -148487,12 +154565,12 @@ "additionalProperties": false, "properties": { "AdSegmentUrlPrefix": { - "markdownDescription": "", + "markdownDescription": "A non-default content delivery network (CDN) to serve ad segments. By default, AWS Elemental MediaTailor uses Amazon CloudFront with default cache settings as its CDN for ad segments. To set up an alternate CDN, create a rule in your CDN for the origin ads.mediatailor. ** .amazonaws.com. Then specify the rule's name in this `AdSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for ad segments.", "title": "AdSegmentUrlPrefix", "type": "string" }, "ContentSegmentUrlPrefix": { - "markdownDescription": "", + "markdownDescription": "A content delivery network (CDN) to cache content segments, so that content requests don\u2019t always have to go to the origin server. First, create a rule in your CDN for the content segment origin server. Then specify the rule's name in this `ContentSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for content segments.", "title": "ContentSegmentUrlPrefix", "type": "string" } 
@@ -148535,12 +154613,12 @@ "additionalProperties": false, "properties": { "AdDecisionServerUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the ad decision server (ADS) for pre-roll ads. This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing, you can provide a static VAST URL. The maximum length is 25,000 characters.", "title": "AdDecisionServerUrl", "type": "string" }, "MaxDurationSeconds": { - "markdownDescription": "", + "markdownDescription": "The maximum allowed duration for the pre-roll ad avail. AWS Elemental MediaTailor won't play pre-roll ads to exceed this duration, regardless of the total duration of ads that the ADS returns.", "title": "MaxDurationSeconds", "type": "number" } @@ -148552,7 +154630,7 @@ "properties": { "AdMarkerPassthrough": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.AdMarkerPassthrough", - "markdownDescription": "", + "markdownDescription": "For HLS, when set to `true` , MediaTailor passes through `EXT-X-CUE-IN` , `EXT-X-CUE-OUT` , and `EXT-X-SPLICEPOINT-SCTE35` ad markers from the origin manifest to the MediaTailor personalized manifest.\n\nNo logic is applied to these ad markers. For example, if `EXT-X-CUE-OUT` has a value of `60` , but no ads are filled for that ad break, MediaTailor will not set the value to `0` .", "title": "AdMarkerPassthrough" } }, 
@@ -148594,27 +154672,39 @@ "additionalProperties": false, "properties": { "AccessConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.AccessConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.AccessConfiguration", + "markdownDescription": "The access configuration for the source location.", + "title": "AccessConfiguration" }, "DefaultSegmentDeliveryConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.DefaultSegmentDeliveryConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.DefaultSegmentDeliveryConfiguration", + "markdownDescription": "The default segment delivery configuration.", + "title": "DefaultSegmentDeliveryConfiguration" }, "HttpConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.HttpConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.HttpConfiguration", + "markdownDescription": "The HTTP configuration for the source location.", + "title": "HttpConfiguration" }, "SegmentDeliveryConfigurations": { "items": { "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SegmentDeliveryConfiguration" }, + "markdownDescription": "The segment delivery configurations for the source location.", + "title": "SegmentDeliveryConfigurations", "type": "array" }, "SourceLocationName": { + "markdownDescription": "The name of the source location.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the source location. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" } }, 
@@ -148649,10 +154739,14 @@ "additionalProperties": false, "properties": { "AccessType": { + "markdownDescription": "The type of authentication used to access content from `HttpConfiguration::BaseUrl` on your source location. Accepted value: `S3_SIGV4` .\n\n`S3_SIGV4` - AWS Signature Version 4 authentication for Amazon S3 hosted virtual-style access. If your source location base URL is an Amazon S3 bucket, MediaTailor can use AWS Signature Version 4 (SigV4) authentication to access the bucket where your source content is stored. Your MediaTailor source location baseURL must follow the S3 virtual hosted-style request URL format. For example, https://bucket-name.s3.Region.amazonaws.com/key-name.\n\nBefore you can use `S3_SIGV4` , you must meet these requirements:\n\n\u2022 You must allow MediaTailor to access your S3 bucket by granting mediatailor.amazonaws.com principal access in IAM. For information about configuring access in IAM, see Access management in the IAM User Guide.\n\n\u2022 The mediatailor.amazonaws.com service principal must have permissions to read all top level manifests referenced by the VodSource packaging configurations.\n\n\u2022 The caller of the API must have s3:GetObject IAM permissions to read all top level manifests referenced by your MediaTailor VodSource packaging configurations.", + "title": "AccessType", "type": "string" }, "SecretsManagerAccessTokenConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SecretsManagerAccessTokenConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SecretsManagerAccessTokenConfiguration", + "markdownDescription": "AWS Secrets Manager access token configuration parameters.", + "title": "SecretsManagerAccessTokenConfiguration" } }, "type": "object" 
@@ -148661,6 +154755,8 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The hostname of the server that will be used to serve segments. This string must include the protocol, such as *https://* .", + "title": "BaseUrl", "type": "string" } }, @@ -148670,6 +154766,8 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The base URL for the source location host server. This string must include the protocol, such as *https://* .", + "title": "BaseUrl", "type": "string" } }, @@ -148682,12 +154780,18 @@ "additionalProperties": false, "properties": { "HeaderName": { + "markdownDescription": "The name of the HTTP header used to supply the access token in requests to the source location.", + "title": "HeaderName", "type": "string" }, "SecretArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the access token.", + "title": "SecretArn", "type": "string" }, "SecretStringKey": { + "markdownDescription": "The AWS Secrets Manager [SecretString](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html#SecretsManager-CreateSecret-request-SecretString.html) key associated with the access token. MediaTailor uses the key to look up SecretString key and value pair containing the access token.", + "title": "SecretStringKey", "type": "string" } }, 
@@ -148697,9 +154801,13 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The base URL of the host or path of the segment delivery server that you're using to serve segments. This is typically a content delivery network (CDN). The URL can be absolute or relative. To use an absolute URL include the protocol, such as `https://example.com/some/path` . To use a relative URL specify the relative path, such as `/some/path*` .", + "title": "BaseUrl", "type": "string" }, "Name": { + "markdownDescription": "A unique identifier used to distinguish between multiple segment delivery configurations in a source location.", + "title": "Name", "type": "string" } }, @@ -148744,18 +154852,26 @@ "items": { "$ref": "#/definitions/AWS::MediaTailor::VodSource.HttpPackageConfiguration" }, + "markdownDescription": "The HTTP package configurations for the VOD source.", + "title": "HttpPackageConfigurations", "type": "array" }, "SourceLocationName": { + "markdownDescription": "The name of the source location that the VOD source is associated with.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the VOD source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" }, "VodSourceName": { + "markdownDescription": "The name of the VOD source.", + "title": "VodSourceName", "type": "string" } }, 
@@ -148791,12 +154907,18 @@ "additionalProperties": false, "properties": { "Path": { + "markdownDescription": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "title": "Path", "type": "string" }, "SourceGroup": { + "markdownDescription": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "title": "SourceGroup", "type": "string" }, "Type": { + "markdownDescription": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` .", + "title": "Type", "type": "string" } }, @@ -149376,12 +155498,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The password(s) used for authentication", "title": "Passwords", "type": "array" }, "Type": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the user requires a password to authenticate. All newly-created users require a password.", "title": "Type", "type": "string" } @@ -149465,6 +155587,8 @@ "type": "string" }, "DBPort": { + "markdownDescription": "The port number on which the DB instances in the DB cluster accept connections.\n\nIf not specified, the default port used is `8182` .\n\n> The `Port` property will soon be deprecated. Please update existing templates to use the new `DBPort` property that has the same functionality.", + "title": "DBPort", "type": "number" }, "DBSubnetGroupName": { 
@@ -149607,12 +155731,12 @@ "additionalProperties": false, "properties": { "MaxCapacity": { - "markdownDescription": "", + "markdownDescription": "The maximum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 40, 40.5, 41, and so on.", "title": "MaxCapacity", "type": "number" }, "MinCapacity": { - "markdownDescription": "", + "markdownDescription": "The minimum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 8, 8.5, 9, and so on.", "title": "MinCapacity", "type": "number" } 
@@ -150402,7 +156526,7 @@ "additionalProperties": false, "properties": { "RuleOrder": { - "markdownDescription": "Indicates how to manage the order of stateful rule evaluation for the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", + "markdownDescription": "Indicates how to manage the order of stateful rule evaluation for the policy. `STRICT_ORDER` is the default and recommended option. With `STRICT_ORDER` , provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules. Choose `STRICT_ORDER` to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is `PASS` , followed by `DROP` , `REJECT` , and `ALERT` actions. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on your settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", "title": "RuleOrder", "type": "string" }, 
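Review bot: The new `RuleOrder` description contradicts itself: it calls `STRICT_ORDER` "the default and recommended option" and says to provide rules in the order you want them evaluated, then says "Choose `STRICT_ORDER` to have the stateful rules engine determine the evaluation order of your rules". The removed text named `DEFAULT_ACTION_ORDER` as the default behaviour, so the second mention, and probably the stated default, should presumably read `DEFAULT_ACTION_ORDER`. This matters because a reader who trusts the current wording could deploy a firewall policy whose stateful rules are evaluated in an order they did not intend. The sentence would then read `Choose DEFAULT_ACTION_ORDER to have the stateful rules engine determine the evaluation order of your rules.`, with the default confirmed against the service documentation. If this schema text is generated from upstream docs, the correction belongs in that source or an override, not a hand edit here.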
@@ -150986,7 +157110,7 @@ }, "StatefulRuleOptions": { "$ref": "#/definitions/AWS::NetworkFirewall::RuleGroup.StatefulRuleOptions", - "markdownDescription": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings.", + "markdownDescription": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings. Some limitations apply; for more information, see [Strict evaluation order](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html) in the *AWS Network Firewall Developer Guide* .", "title": "StatefulRuleOptions" } }, @@ -151054,7 +157178,7 @@ "title": "RulesSourceList" }, "RulesString": { - "markdownDescription": "Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules. Suricata is an open-source network IPS that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.", + "markdownDescription": "Stateful inspection criteria, provided in Suricata compatible rules. Suricata is an open-source threat detection framework that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.\n\n> You can't use the `priority` keyword if the `RuleOrder` option in `StatefulRuleOptions` is set to `STRICT_ORDER` .", "title": "RulesString", "type": "string" }, 
@@ -151268,7 +157392,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::ConnectAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "Tags": { @@ -151386,7 +157510,7 @@ "properties": { "BgpOptions": { "$ref": "#/definitions/AWS::NetworkManager::ConnectPeer.BgpOptions", - "markdownDescription": "", + "markdownDescription": "Describes the BGP options.", "title": "BgpOptions" }, "ConnectAttachmentId": { @@ -151413,6 +157537,8 @@ "type": "string" }, "SubnetArn": { + "markdownDescription": "The subnet ARN of the Connect peer.", + "title": "SubnetArn", "type": "string" }, "Tags": { @@ -151782,7 +157908,7 @@ "properties": { "AWSLocation": { "$ref": "#/definitions/AWS::NetworkManager::Device.AWSLocation", - "markdownDescription": "", + "markdownDescription": "The AWS location of the device.", "title": "AWSLocation" }, "Description": { @@ -151864,12 +157990,12 @@ "additionalProperties": false, "properties": { "SubnetArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the subnet that the device is located in.", "title": "SubnetArn", "type": "string" }, "Zone": { - "markdownDescription": "", + "markdownDescription": "The Zone that the device is located in. Specify the ID of an Availability Zone, Local Zone, Wavelength Zone, or an Outpost.", "title": "Zone", "type": "string" } @@ -151933,6 +158059,8 @@ "additionalProperties": false, "properties": { "CreatedAt": { + "markdownDescription": "The date and time that the global network was created.", + "title": "CreatedAt", "type": "string" }, "Description": { @@ -151941,6 +158069,8 @@ "type": "string" }, "State": { + "markdownDescription": "The state of the global network.", + "title": "State", "type": "string" }, "Tags": { 
@@ -152319,7 +158449,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::SiteToSiteVpnAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "Tags": { @@ -152698,7 +158828,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::VpcAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "SubnetArns": { @@ -152917,7 +159047,7 @@ "additionalProperties": false, "properties": { "AutomaticTerminationMode": { - "markdownDescription": "", + "markdownDescription": "Indicates if a streaming session created from this launch profile should be terminated automatically or retained without termination after being in a `STOPPED` state.\n\n- When `ACTIVATED` , the streaming session is scheduled for termination after being in the `STOPPED` state for the time specified in `maxStoppedSessionLengthInMinutes` .\n- When `DEACTIVATED` , the streaming session can remain in the `STOPPED` state indefinitely.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` . When allowed, the default value for this parameter is `DEACTIVATED` .", "title": "AutomaticTerminationMode", "type": "string" }, 
@@ -152946,11 +159076,11 @@ }, "SessionBackup": { "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionBackup", - "markdownDescription": "", + "markdownDescription": "Information about the streaming session backup.", "title": "SessionBackup" }, "SessionPersistenceMode": { - "markdownDescription": "", + "markdownDescription": "Determine if a streaming session created from this launch profile can configure persistent storage. This means that `volumeConfiguration` and `automaticTerminationMode` are configured.", "title": "SessionPersistenceMode", "type": "string" }, @@ -152969,7 +159099,7 @@ }, "VolumeConfiguration": { "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.VolumeConfiguration", - "markdownDescription": "", + "markdownDescription": "Custom volume configuration for the root volumes that are attached to streaming sessions.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` .", "title": "VolumeConfiguration" } }, @@ -152984,12 +159114,12 @@ "additionalProperties": false, "properties": { "MaxBackupsToRetain": { - "markdownDescription": "", + "markdownDescription": "The maximum number of backups that each streaming session created from this launch profile can have.", "title": "MaxBackupsToRetain", "type": "number" }, "Mode": { - "markdownDescription": "", + "markdownDescription": "Specifies how artists sessions are backed up.\n\nConfigures backups for streaming sessions launched with this launch profile. The default value is `DEACTIVATED` , which means that backups are deactivated. To allow backups, set this value to `AUTOMATIC` .", "title": "Mode", "type": "string" } 
@@ -153038,17 +159168,17 @@ "additionalProperties": false, "properties": { "Iops": { - "markdownDescription": "", + "markdownDescription": "The number of I/O operations per second for the root volume that is attached to streaming session.", "title": "Iops", "type": "number" }, "Size": { - "markdownDescription": "", + "markdownDescription": "The size of the root volume that is attached to the streaming session. The root volume size is measured in GiBs.", "title": "Size", "type": "number" }, "Throughput": { - "markdownDescription": "", + "markdownDescription": "The throughput to provision for the root volume that is attached to the streaming session. The throughput is measured in MiB/s.", "title": "Throughput", "type": "number" } @@ -153154,12 +159284,12 @@ "additionalProperties": false, "properties": { "KeyArn": { - "markdownDescription": "", + "markdownDescription": "The ARN for a KMS key that is used to encrypt studio data.", "title": "KeyArn", "type": "string" }, "KeyType": { - "markdownDescription": "", + "markdownDescription": "The type of KMS key that is used to encrypt studio data.", "title": "KeyType", "type": "string" } @@ -153619,6 +159749,16 @@ "Properties": { "additionalProperties": false, "properties": { + "BufferOptions": { + "$ref": "#/definitions/AWS::OSIS::Pipeline.BufferOptions", + "markdownDescription": "Options that specify the configuration of a persistent buffer. To configure how OpenSearch Ingestion encrypts this data, set the EncryptionAtRestOptions.", + "title": "BufferOptions" + }, + "EncryptionAtRestOptions": { + "$ref": "#/definitions/AWS::OSIS::Pipeline.EncryptionAtRestOptions", + "markdownDescription": "Options to control how OpenSearch encrypts all data-at-rest.", + "title": "EncryptionAtRestOptions" + }, "LogPublishingOptions": { "$ref": "#/definitions/AWS::OSIS::Pipeline.LogPublishingOptions", "markdownDescription": "Key-value pairs that represent log publishing settings.", 
@@ -153687,15 +159827,46 @@ ], "type": "object" }, + "AWS::OSIS::Pipeline.BufferOptions": { + "additionalProperties": false, + "properties": { + "PersistentBufferEnabled": { + "markdownDescription": "Whether persistent buffering should be enabled.", + "title": "PersistentBufferEnabled", + "type": "boolean" + } + }, + "required": [ + "PersistentBufferEnabled" + ], + "type": "object" + }, "AWS::OSIS::Pipeline.CloudWatchLogDestination": { "additionalProperties": false, "properties": { "LogGroup": { - "markdownDescription": "", + "markdownDescription": "The name of the CloudWatch Logs group to send pipeline logs to. You can specify an existing log group or create a new one. For example, `/aws/OpenSearchService/IngestionService/my-pipeline` .", "title": "LogGroup", "type": "string" } }, + "required": [ + "LogGroup" + ], + "type": "object" + }, + "AWS::OSIS::Pipeline.EncryptionAtRestOptions": { + "additionalProperties": false, + "properties": { + "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key used to encrypt data-at-rest in OpenSearch Ingestion. By default, data is encrypted using an AWS owned key.", + "title": "KmsKeyArn", + "type": "string" + } + }, + "required": [ + "KmsKeyArn" + ], "type": "object" }, "AWS::OSIS::Pipeline.LogPublishingOptions": { @@ -153755,6 +159926,9 @@ "type": "array" } }, + "required": [ + "SubnetIds" + ], "type": "object" }, "AWS::Oam::Link": { @@ -153801,7 +159975,7 @@ "items": { "type": "string" }, - "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace` .", + "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application` .", "title": "ResourceTypes", "type": "array" }, 
@@ -154263,6 +160437,8 @@ "type": "number" }, "MaxGpus": { + "markdownDescription": "The maximum GPUs that can be used by a run group.", + "title": "MaxGpus", "type": "number" }, "MaxRuns": { @@ -154350,7 +160526,7 @@ "type": "string" }, "FallbackLocation": { - "markdownDescription": "", + "markdownDescription": "An S3 location that is used to store files that have failed a direct upload.", "title": "FallbackLocation", "type": "string" }, @@ -154584,6 +160760,8 @@ "additionalProperties": false, "properties": { "Accelerators": { + "markdownDescription": "", + "title": "Accelerators", "type": "string" }, "DefinitionUri": { @@ -154806,6 +160984,11 @@ "title": "Name", "type": "string" }, + "StandbyReplicas": { + "markdownDescription": "Details about an OpenSearch Serverless collection.", + "title": "StandbyReplicas", + "type": "string" + }, "Tags": { "items": { "$ref": "#/definitions/Tag" @@ -154815,7 +160998,7 @@ "type": "array" }, "Type": { - "markdownDescription": "The type of collection. Possible values are `SEARCH` and `TIMESERIES` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) .", + "markdownDescription": "The type of collection. Possible values are `SEARCH` , `TIMESERIES` , and `VECTORSEARCH` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) .", "title": "Type", "type": "string" } 
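Review bot: Two properties added on this line still have no usable description. `Accelerators` is introduced with `"markdownDescription": ""`, although the rest of the commit replaces empty descriptions with real text. `StandbyReplicas`, in the later hunk that adds it to the OpenSearch Serverless collection properties, carries the resource-level sentence "Details about an OpenSearch Serverless collection." and does not say what the property controls or which values it accepts. Editors that surface `markdownDescription` as hover help will show blank or misleading text for both. Either fill them from the upstream property documentation or omit the `markdownDescription` key until real text is available.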
@@ -154846,6 +161029,90 @@ ], "type": "object" }, + "AWS::OpenSearchServerless::LifecyclePolicy": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Description": { + "markdownDescription": "The description of the lifecycle policy.", + "title": "Description", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of the lifecycle policy.", + "title": "Name", + "type": "string" + }, + "Policy": { + "markdownDescription": "The JSON policy document without any whitespaces.", + "title": "Policy", + "type": "string" + }, + "Type": { + "markdownDescription": "The type of lifecycle policy.", + "title": "Type", + "type": "string" + } + }, + "required": [ + "Name", + "Policy", + "Type" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::OpenSearchServerless::LifecyclePolicy" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::OpenSearchServerless::SecurityConfig": { "additionalProperties": false, "properties": { 
@@ -155218,6 +161485,11 @@ "title": "EngineVersion", "type": "string" }, + "IPAddressType": { + "markdownDescription": "The type of IP addresses supported by the endpoint for the domain.", + "title": "IPAddressType", + "type": "string" + }, "LogPublishingOptions": { "additionalProperties": false, "markdownDescription": "An object with one or more of the following keys: `SEARCH_SLOW_LOGS` , `ES_APPLICATION_LOGS` , `INDEX_SLOW_LOGS` , `AUDIT_LOGS` , depending on the types of logs you want to publish. Each key needs a valid `LogPublishingOption` value. For the full syntax, see the [examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-opensearchservice-domain.html#aws-resource-opensearchservice-domain--examples) .", @@ -155912,7 +162184,7 @@ "type": "string" }, "Secure": { - "markdownDescription": "(Optional) Whether the variable's value is returned by the [DescribeApps](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeApps) action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", + "markdownDescription": "(Optional) Whether the variable's value is returned by the `DescribeApps` action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", "title": "Secure", "type": "boolean" }, 
@@ -156094,7 +162366,7 @@ "additionalProperties": false, "properties": { "AgentVersion": { - "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.", + "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.", "title": "AgentVersion", "type": "string" }, 
@@ -156145,7 +162417,7 @@ "type": "string" }, "InstallUpdatesOnBoot": { - "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", + "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", "title": "InstallUpdatesOnBoot", "type": "boolean" }, 
@@ -156163,7 +162435,7 @@ "type": "array" }, "Os": { - "markdownDescription": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the [CreateInstance](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateInstance) action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . 
For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", + "markdownDescription": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the `CreateInstance` action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", "title": "Os", "type": "string" }, 
@@ -156464,7 +162736,7 @@ "type": "boolean" }, "InstallUpdatesOnBoot": { - "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", + "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", "title": "InstallUpdatesOnBoot", "type": "boolean" }, 
@@ -156767,7 +163039,7 @@ "additionalProperties": false, "properties": { "AgentVersion": { - "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", + "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . 
AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", "title": "AgentVersion", "type": "string" }, 
@@ -157462,7 +163734,7 @@ "type": "array" }, "RoleName": { - "markdownDescription": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Accessing and Administering the Member Accounts in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [Tutorial: Delegate Access Across AWS accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", + "markdownDescription": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. 
The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Creating the OrganizationAccountAccessRole in an invited member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [IAM Tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", "title": "RoleName", "type": "string" }, 
@@ -157538,7 +163810,7 @@ "additionalProperties": false, "properties": { "FeatureSet": { - "markdownDescription": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide.*\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. 
Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` .", + "markdownDescription": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. 
For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide* .\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` .", "title": "FeatureSet", "type": "string" } 
@@ -157682,7 +163954,7 @@ "additionalProperties": false, "properties": { "Content": { - "markdownDescription": "The policy text content. You can specify the policy content as a JSON object or a JSON string.\n\n> When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead. \n\nThe text that you supply must adhere to the rules of the policy type you specify in the `Type` parameter. The following AWS Organizations quotas are enforced for the maximum size of a policy document:\n\n- Service control policies: 5,120 bytes *(not characters)*\n- AI services opt-out policies: 2,500 characters\n- Backup policies: 10,000 characters\n- Tag policies: 10,000 characters\n\nFor more information about Organizations service quotas, see [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) in the *AWS Organizations User Guide* .", + "markdownDescription": "The policy text content. You can specify the policy content as a JSON object or a JSON string.\n\n> When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead. \n\nThe text that you supply must adhere to the rules of the policy type you specify in the `Type` parameter. The following AWS Organizations quotas are enforced for the maximum size of a policy document:\n\n- Service control policies: 5,120 characters\n- AI services opt-out policies: 2,500 characters\n- Backup policies: 10,000 characters\n- Tag policies: 10,000 characters\n\nFor more information about Organizations service quotas, see [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) in the *AWS Organizations User Guide* .", "title": "Content", "type": "object" }, 
@@ -157857,22 +164129,30 @@ "additionalProperties": false, "properties": { "CertificateAuthorityArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the certificate authority being used.", + "title": "CertificateAuthorityArn", "type": "string" }, "DirectoryId": { + "markdownDescription": "The identifier of the Active Directory.", + "title": "DirectoryId", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a connector consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" }, "VpcInformation": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Connector.VpcInformation" + "$ref": "#/definitions/AWS::PCAConnectorAD::Connector.VpcInformation", + "markdownDescription": "Information of the VPC and security group(s) used with the connector.", + "title": "VpcInformation" } }, "required": [ @@ -157910,6 +164190,8 @@ "items": { "type": "string" }, + "markdownDescription": "The security groups used with the connector. You can use a maximum of 4 security groups with a connector.", + "title": "SecurityGroupIds", "type": "array" } }, @@ -157954,15 +164236,19 @@ "additionalProperties": false, "properties": { "DirectoryId": { + "markdownDescription": "The identifier of the Active Directory.", + "title": "DirectoryId", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a directory registration consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, 
@@ -158028,9 +164314,13 @@ "additionalProperties": false, "properties": { "ConnectorArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector.html](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "title": "ConnectorArn", "type": "string" }, "DirectoryRegistrationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration.html) .", + "title": "DirectoryRegistrationArn", "type": "string" } }, 
@@ -158092,24 +164382,34 @@ "additionalProperties": false, "properties": { "ConnectorArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "title": "ConnectorArn", "type": "string" }, "Definition": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateDefinition" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateDefinition", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "Definition" }, "Name": { + "markdownDescription": "Name of the templates. Template names must be unique.", + "title": "Name", "type": "string" }, "ReenrollAllCertificateHolders": { + "markdownDescription": "This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.", + "title": "ReenrollAllCertificateHolders", "type": "boolean" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a template consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, @@ -158145,12 +164445,16 @@ "additionalProperties": false, "properties": { "Critical": { + "markdownDescription": "Marks the application policy extension as critical.", + "title": "Critical", "type": "boolean" }, "Policies": { "items": { "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicy" }, + "markdownDescription": "Application policies describe what the certificate can be used for.", + "title": "Policies", "type": "array" } }, 
@@ -158163,9 +164467,13 @@ "additionalProperties": false, "properties": { "PolicyObjectIdentifier": { + "markdownDescription": "The object identifier (OID) of an application policy.", + "title": "PolicyObjectIdentifier", "type": "string" }, "PolicyType": { + "markdownDescription": "The type of application policy", + "title": "PolicyType", "type": "string" } }, @@ -158175,10 +164483,14 @@ "additionalProperties": false, "properties": { "RenewalPeriod": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod", + "markdownDescription": "Renewal period is the period of time before certificate expiration when a new certificate will be requested.", + "title": "RenewalPeriod" }, "ValidityPeriod": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod", + "markdownDescription": "Information describing the end of the validity period of the certificate. This parameter sets the \u201cNot After\u201d date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.", + "title": "ValidityPeriod" } }, "required": [ 
@@ -158191,18 +164503,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, 
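Review bot: The `NoSecurityExtension` description added here ends with "This addresses a Windows Kerberos elevation-of-privilege vulnerability", which reads as if setting the flag were the mitigation. The preceding sentence says the flag makes the CA leave szOID_NTDS_CA_SECURITY_EXT out of the issued certificate, so as far as I can tell the extension is the protective part and enabling the flag removes it. Someone relying on the schema tooltip could set it to `true` believing it hardens the template, so I would reword the last sentence along the lines of `The security extension addresses a Windows Kerberos elevation-of-privilege vulnerability; leave this flag unset unless the extension must be omitted.` The same text is added in the next two hunks (-158212 and -158233). This file looks generated from upstream documentation, so the wording fix probably belongs in the source docs rather than in this commit.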
@@ -158212,18 +164534,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, 
@@ -158233,18 +164565,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, 
@@ -158254,10 +164596,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158269,10 +164615,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ 
@@ -158284,10 +164634,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158299,9 +164653,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.", + "title": "MachineType", "type": "boolean" } }, @@ -158311,9 +164669,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users", + "title": "MachineType", "type": "boolean" } }, 
@@ -158323,9 +164685,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users", + "title": "MachineType", "type": "boolean" } }, @@ -158335,10 +164701,14 @@ "additionalProperties": false, "properties": { "Critical": { + "markdownDescription": "Sets the key usage extension to critical.", + "title": "Critical", "type": "boolean" }, "UsageFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageFlags" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageFlags", + "markdownDescription": "The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.", + "title": "UsageFlags" } }, "required": [ 
@@ -158350,18 +164720,28 @@ "additionalProperties": false, "properties": { "DataEncipherment": { + "markdownDescription": "DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.", + "title": "DataEncipherment", "type": "boolean" }, "DigitalSignature": { + "markdownDescription": "The digitalSignature is asserted when the subject public key is used for verifying digital signatures.", + "title": "DigitalSignature", "type": "boolean" }, "KeyAgreement": { + "markdownDescription": "KeyAgreement is asserted when the subject public key is used for key agreement.", + "title": "KeyAgreement", "type": "boolean" }, "KeyEncipherment": { + "markdownDescription": "KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.", + "title": "KeyEncipherment", "type": "boolean" }, "NonRepudiation": { + "markdownDescription": "NonRepudiation is asserted when the subject public key is used to verify digital signatures.", + "title": "NonRepudiation", "type": "boolean" } }, @@ -158371,9 +164751,13 @@ "additionalProperties": false, "properties": { "PropertyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsagePropertyFlags" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsagePropertyFlags", + "markdownDescription": "You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.", + "title": "PropertyFlags" }, "PropertyType": { + "markdownDescription": "You can specify all key usages using property type ALL. You can use property type or property flags but not both.", + "title": "PropertyType", "type": "string" } }, 
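Review bot: The `NonRepudiation` description added in the key-usage-flags hunk (`@@ -158350,18`) says the same thing as the `DigitalSignature` one, "used to verify digital signatures", so a template author cannot tell which bit to set. RFC 5280 limits nonRepudiation to signatures other than those on certificates and CRLs that support a non-repudiation service. I would carry that qualifier into the text: `"NonRepudiation is asserted when the subject public key is used to verify digital signatures, other than signatures on certificates and CRLs, that provide a non-repudiation service."` If these strings are generated from upstream documentation, the correction belongs in that source so it survives the next regeneration.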
@@ -158383,12 +164767,18 @@ "additionalProperties": false, "properties": { "Decrypt": { + "markdownDescription": "Allows key for encryption and decryption.", + "title": "Decrypt", "type": "boolean" }, "KeyAgreement": { + "markdownDescription": "Allows key exchange without encryption.", + "title": "KeyAgreement", "type": "boolean" }, "Sign": { + "markdownDescription": "Allow key use for digital signature.", + "title": "Sign", "type": "boolean" } }, @@ -158401,12 +164791,18 @@ "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, 
@@ -158420,21 +164816,31 @@ "additionalProperties": false, "properties": { "Algorithm": { + "markdownDescription": "Defines the algorithm used to generate the private key.", + "title": "Algorithm", "type": "string" }, "CryptoProviders": { "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "KeyUsageProperty": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty", + "markdownDescription": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "title": "KeyUsageProperty" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, 
@@ -158450,21 +164856,31 @@ "additionalProperties": false, "properties": { "Algorithm": { + "markdownDescription": "Defines the algorithm used to generate the private key.", + "title": "Algorithm", "type": "string" }, "CryptoProviders": { "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "KeyUsageProperty": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty", + "markdownDescription": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "title": "KeyUsageProperty" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, @@ -158478,12 +164894,18 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Require user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" } }, 
@@ -158496,15 +164918,23 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "RequireAlternateSignatureAlgorithm": { + "markdownDescription": "Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "title": "RequireAlternateSignatureAlgorithm", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Requirer user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" } }, 
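Review bot: Two of the descriptions added in this hunk carry typos that will surface in editor tooltips: `"Reguires the PKCS #1 v2.1 signature format ..."` under `RequireAlternateSignatureAlgorithm` and `"Requirer user input ..."` under `StrongKeyProtectionRequired`. The next hunk (`@@ -158517,21`) spells both correctly, so this copy should match it: `"Requires the PKCS #1 v2.1 signature format for certificates. ..."` and `"Require user input when using the private key for enrollment."`. If the file is regenerated from an upstream doc source, the typo needs fixing there as well.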
@@ -158517,21 +164947,33 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "RequireAlternateSignatureAlgorithm": { + "markdownDescription": "Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "title": "RequireAlternateSignatureAlgorithm", "type": "boolean" }, "RequireSameKeyRenewal": { + "markdownDescription": "Renew certificate using the same private key.", + "title": "RequireSameKeyRenewal", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Require user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" }, "UseLegacyProvider": { + "markdownDescription": "Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.", + "title": "UseLegacyProvider", "type": "boolean" } }, 
@@ -158544,33 +164986,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, 
@@ -158580,33 +165042,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, 
@@ -158616,33 +165098,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, 
@@ -158652,13 +165154,19 @@ "additionalProperties": false, "properties": { "TemplateV2": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV2", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV2" }, "TemplateV3": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV3", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV3" }, "TemplateV4": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV4", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV4" } }, "type": "object" 
@@ -158667,30 +165175,46 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV2", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV2", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV2", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV2", + "markdownDescription": "Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. 
V2 templates allow you to use Legacy Cryptographic Service Providers.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV2", + "markdownDescription": "Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV2", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, 
@@ -158709,33 +165233,51 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV3", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV3", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV3", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "HashAlgorithm": { + "markdownDescription": "Specifies the hash algorithm used to hash the private key.", + "title": "HashAlgorithm", "type": "string" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV3", + "markdownDescription": "Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. 
V3 templates allow you to use Key Storage Providers.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV3", + "markdownDescription": "Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV3", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, 
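Review bot: The `HashAlgorithm` description added here, "Specifies the hash algorithm used to hash the private key", describes something certificate issuance does not normally do, and the hunk at `@@ -158755,33` repeats it. The field presumably selects the hash used when signing the certificate request; that should be confirmed against the service documentation. As written, a reader choosing a value cannot tell what the algorithm protects. Suggested wording once confirmed: `"Specifies the hash algorithm used to sign the certificate request."`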
@@ -158755,33 +165297,51 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV4", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV4", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV4", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "HashAlgorithm": { + "markdownDescription": "Specifies the hash algorithm used to hash the private key. 
Hash algorithm can only be specified when using Key Storage Providers.", + "title": "HashAlgorithm", "type": "string" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV4", + "markdownDescription": "Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV4", + "markdownDescription": "Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV4", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, 
@@ -158800,9 +165360,13 @@ "additionalProperties": false, "properties": { "Period": { + "markdownDescription": "The numeric value for the validity period.", + "title": "Period", "type": "number" }, "PeriodType": { + "markdownDescription": "The unit of time. You can select hours, days, weeks, months, and years.", + "title": "PeriodType", "type": "string" } }, @@ -158848,15 +165412,23 @@ "additionalProperties": false, "properties": { "AccessRights": { - "$ref": "#/definitions/AWS::PCAConnectorAD::TemplateGroupAccessControlEntry.AccessRights" + "$ref": "#/definitions/AWS::PCAConnectorAD::TemplateGroupAccessControlEntry.AccessRights", + "markdownDescription": "Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template.", + "title": "AccessRights" }, "GroupDisplayName": { + "markdownDescription": "Name of the Active Directory group. This name does not need to match the group name in Active Directory.", + "title": "GroupDisplayName", "type": "string" }, "GroupSecurityIdentifier": { + "markdownDescription": "Security identifier (SID) of the group object from Active Directory. The SID starts with \"S-\".", + "title": "GroupSecurityIdentifier", "type": "string" }, "TemplateArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html) .", + "title": "TemplateArn", "type": "string" } }, 
@@ -158891,9 +165463,13 @@ "additionalProperties": false, "properties": { "AutoEnroll": { + "markdownDescription": "Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment", + "title": "AutoEnroll", "type": "string" }, "Enroll": { + "markdownDescription": "Allow or deny an Active Directory group from enrolling certificates issued against a template.", + "title": "Enroll", "type": "string" } }, @@ -159069,7 +165645,7 @@ }, "StorageLocation": { "$ref": "#/definitions/AWS::Panorama::Package.StorageLocation", - "markdownDescription": "", + "markdownDescription": "A storage location.", "title": "StorageLocation" }, "Tags": { @@ -159111,27 +165687,27 @@ "additionalProperties": false, "properties": { "BinaryPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's binary prefix.", "title": "BinaryPrefixLocation", "type": "string" }, "Bucket": { - "markdownDescription": "", + "markdownDescription": "The location's bucket.", "title": "Bucket", "type": "string" }, "GeneratedPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's generated prefix.", "title": "GeneratedPrefixLocation", "type": "string" }, "ManifestPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's manifest prefix.", "title": "ManifestPrefixLocation", "type": "string" }, "RepoPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's repo prefix.", "title": "RepoPrefixLocation", "type": "string" } 
@@ -159274,11 +165850,11 @@ }, "DatasetImportJob": { "$ref": "#/definitions/AWS::Personalize::Dataset.DatasetImportJob", - "markdownDescription": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset.", + "markdownDescription": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset. If you specify a dataset import job as part of a dataset, all dataset import job fields are required.", "title": "DatasetImportJob" }, "DatasetType": { - "markdownDescription": "One of the following values:\n\n- Interactions\n- Items\n- Users", + "markdownDescription": "One of the following values:\n\n- Interactions\n- Items\n- Users\n- Actions\n- Action_Interactions", "title": "DatasetType", "type": "string" }, @@ -159326,7 +165902,7 @@ "additionalProperties": false, "properties": { "DataLocation": { - "markdownDescription": "", + "markdownDescription": "The path to the Amazon S3 bucket where the data that you want to upload to your dataset is stored. For example:\n\n`s3://bucket-name/folder-name/`", "title": "DataLocation", "type": "string" } @@ -159415,7 +165991,7 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The ARN of the IAM role that has permissions to create the dataset group.", + "markdownDescription": "The ARN of the AWS Identity and Access Management (IAM) role that has permissions to access the AWS Key Management Service (KMS) key. Supplying an IAM role is only valid when also specifying a KMS key.", "title": "RoleArn", "type": "string" } @@ -159629,7 +166205,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.CategoricalHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of a categorical hyperparameter.", "title": "CategoricalHyperParameterRanges", "type": "array" }, 
@@ -159637,7 +166213,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.ContinuousHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of a continuous hyperparameter.", "title": "ContinuousHyperParameterRanges", "type": "array" }, @@ -159645,7 +166221,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.IntegerHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of an integer-valued hyperparameter.", "title": "IntegerHyperParameterRanges", "type": "array" } @@ -159656,7 +166232,7 @@ "additionalProperties": false, "properties": { "MetricName": { - "markdownDescription": "", + "markdownDescription": "The metric to optimize.", "title": "MetricName", "type": "string" }, @@ -159664,7 +166240,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The list of candidate recipes.", "title": "RecipeList", "type": "array" } @@ -159675,7 +166251,7 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" }, @@ -159683,7 +166259,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of the categories for the hyperparameter.", "title": "Values", "type": "array" } @@ -159694,17 +166270,17 @@ "additionalProperties": false, "properties": { "MaxValue": { - "markdownDescription": "", + "markdownDescription": "The maximum allowable value for the hyperparameter.", "title": "MaxValue", "type": "number" }, "MinValue": { - "markdownDescription": "", + "markdownDescription": "The minimum allowable value for the hyperparameter.", "title": "MinValue", "type": "number" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" } 
@@ -159716,17 +166292,17 @@ "properties": { "AlgorithmHyperParameterRanges": { "$ref": "#/definitions/AWS::Personalize::Solution.AlgorithmHyperParameterRanges", - "markdownDescription": "", + "markdownDescription": "The hyperparameters and their allowable ranges.", "title": "AlgorithmHyperParameterRanges" }, "HpoObjective": { "$ref": "#/definitions/AWS::Personalize::Solution.HpoObjective", - "markdownDescription": "", + "markdownDescription": "The metric to optimize during HPO.\n\n> Amazon Personalize doesn't support configuring the `hpoObjective` at this time.", "title": "HpoObjective" }, "HpoResourceConfig": { "$ref": "#/definitions/AWS::Personalize::Solution.HpoResourceConfig", - "markdownDescription": "", + "markdownDescription": "Describes the resource configuration for HPO.", "title": "HpoResourceConfig" } }, @@ -159736,17 +166312,17 @@ "additionalProperties": false, "properties": { "MetricName": { - "markdownDescription": "", + "markdownDescription": "The name of the metric.", "title": "MetricName", "type": "string" }, "MetricRegex": { - "markdownDescription": "", + "markdownDescription": "A regular expression for finding the metric in the training job logs.", "title": "MetricRegex", "type": "string" }, "Type": { - "markdownDescription": "", + "markdownDescription": "The type of the metric. Valid values are `Maximize` and `Minimize` .", "title": "Type", "type": "string" } 
@@ -159757,12 +166333,12 @@ "additionalProperties": false, "properties": { "MaxNumberOfTrainingJobs": { - "markdownDescription": "", + "markdownDescription": "The maximum number of training jobs when you create a solution version. The maximum value for `maxNumberOfTrainingJobs` is `40` .", "title": "MaxNumberOfTrainingJobs", "type": "string" }, "MaxParallelTrainingJobs": { - "markdownDescription": "", + "markdownDescription": "The maximum number of parallel training jobs when you create a solution version. The maximum value for `maxParallelTrainingJobs` is `10` .", "title": "MaxParallelTrainingJobs", "type": "string" } @@ -159773,17 +166349,17 @@ "additionalProperties": false, "properties": { "MaxValue": { - "markdownDescription": "", + "markdownDescription": "The maximum allowable value for the hyperparameter.", "title": "MaxValue", "type": "number" }, "MinValue": { - "markdownDescription": "", + "markdownDescription": "The minimum allowable value for the hyperparameter.", "title": "MinValue", "type": "number" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" } @@ -159795,7 +166371,7 @@ "properties": { "AlgorithmHyperParameters": { "additionalProperties": true, - "markdownDescription": "Lists the hyperparameter names and ranges.", + "markdownDescription": "Lists the algorithm hyperparameters and their values.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -160463,7 +167039,7 @@ "title": "CampaignHook" }, "CloudWatchMetricsEnabled": { - "markdownDescription": "Specifies whether to enable application-related alarms in Amazon CloudWatch.", + "markdownDescription": "", "title": "CloudWatchMetricsEnabled", "type": "boolean" }, 
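Review bot: The hunk at -160463 replaces the `CloudWatchMetricsEnabled` description with an empty string, so the property loses its only documentation while the rest of this commit is filling empty descriptions in. The hunks at -160817, -161298 and -162483 have the same effect: they drop `markdownDescription` and `title` from `AttributeType`, `Values`, `ComparisonOperator` and `Value`, including the list of valid `AttributeType` values. If this file is regenerated from an upstream documentation source (the file header is outside this chunk, so that is inferred), the generator should keep the previous text when the new source is empty, e.g. retain `"markdownDescription": "Specifies whether to enable application-related alarms in Amazon CloudWatch."`.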
@@ -160735,7 +167311,7 @@ }, "MessageConfiguration": { "$ref": "#/definitions/AWS::Pinpoint::Campaign.MessageConfiguration", - "markdownDescription": "The message configuration settings for the campaign.", + "markdownDescription": "The message configuration settings for the treatment.", "title": "MessageConfiguration" }, "Name": { @@ -160750,7 +167326,7 @@ }, "Schedule": { "$ref": "#/definitions/AWS::Pinpoint::Campaign.Schedule", - "markdownDescription": "The schedule settings for the campaign.", + "markdownDescription": "The schedule settings for the treatment.", "title": "Schedule" }, "SegmentId": { @@ -160774,12 +167350,12 @@ "title": "TemplateConfiguration" }, "TreatmentDescription": { - "markdownDescription": "A custom description of the default treatment for the campaign.", + "markdownDescription": "A custom description of the treatment.", "title": "TreatmentDescription", "type": "string" }, "TreatmentName": { - "markdownDescription": "A custom name of the default treatment for the campaign, if the campaign has multiple treatments. A *treatment* is a variation of a campaign that's used for A/B testing.", + "markdownDescription": "A custom name for the treatment.", "title": "TreatmentName", "type": "string" } 
@@ -160817,16 +167393,12 @@ "additionalProperties": false, "properties": { "AttributeType": { - "markdownDescription": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "title": "AttributeType", "type": "string" }, "Values": { "items": { "type": "string" }, - "markdownDescription": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values.", - "title": "Values", "type": "array" } }, @@ -161298,13 +167870,9 @@ "additionalProperties": false, "properties": { "ComparisonOperator": { - "markdownDescription": "The operator to use when comparing metric values. Valid values are: `GREATER_THAN` , `LESS_THAN` , `GREATER_THAN_OR_EQUAL` , `LESS_THAN_OR_EQUAL` , and `EQUAL` .", - "title": "ComparisonOperator", "type": "string" }, "Value": { - "markdownDescription": "The value to compare.", - "title": "Value", "type": "number" } }, 
@@ -162165,7 +168733,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the message template.", + "markdownDescription": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", "title": "TemplateName", "type": "string" } @@ -162433,7 +169001,7 @@ }, "Dimensions": { "$ref": "#/definitions/AWS::Pinpoint::Segment.SegmentDimensions", - "markdownDescription": "The criteria that define the dimensions for the segment.", + "markdownDescription": "An array that defines the dimensions for the segment.", "title": "Dimensions" }, "Name": { 
@@ -162483,16 +169051,12 @@ "additionalProperties": false, "properties": { "AttributeType": { - "markdownDescription": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "title": "AttributeType", "type": "string" }, "Values": { "items": { "type": "string" }, - "markdownDescription": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values.", - "title": "Values", "type": "array" } }, @@ -162802,7 +169366,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the message template.", + "markdownDescription": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", "title": "TemplateName", "type": "string" } 
@@ -163530,6 +170094,11 @@ "markdownDescription": "The parameters required to set up enrichment on your pipe.", "title": "EnrichmentParameters" }, + "LogConfiguration": { + "$ref": "#/definitions/AWS::Pipes::Pipe.PipeLogConfiguration", + "markdownDescription": "The logging configuration settings for the pipe.", + "title": "LogConfiguration" + }, "Name": { "markdownDescription": "The name of the pipe.", "title": "Name", @@ -163763,11 +170332,22 @@ ], "type": "object" }, + "AWS::Pipes::Pipe.CloudwatchLogsLogDestination": { + "additionalProperties": false, + "properties": { + "LogGroupArn": { + "markdownDescription": "The AWS Resource Name (ARN) for the CloudWatch log group to which EventBridge sends the log records.", + "title": "LogGroupArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::Pipes::Pipe.DeadLetterConfig": { "additionalProperties": false, "properties": { "Arn": { - "markdownDescription": "The ARN of the Amazon SQS queue specified as the target for the dead-letter queue.", + "markdownDescription": "The ARN of the specified target for the dead-letter queue.\n\nFor Amazon Kinesis stream and Amazon DynamoDB stream sources, specify either an Amazon SNS topic or Amazon SQS queue ARN.", "title": "Arn", "type": "string" } @@ -163990,6 +170570,17 @@ }, "type": "object" }, + "AWS::Pipes::Pipe.FirehoseLogDestination": { + "additionalProperties": false, + "properties": { + "DeliveryStreamArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the Kinesis Data Firehose delivery stream to which EventBridge delivers the pipe log records.", + "title": "DeliveryStreamArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::Pipes::Pipe.MQBrokerAccessCredentials": { "additionalProperties": false, "properties": { 
@@ -164083,6 +170674,40 @@ }, "type": "object" }, + "AWS::Pipes::Pipe.PipeLogConfiguration": { + "additionalProperties": false, + "properties": { + "CloudwatchLogsLogDestination": { + "$ref": "#/definitions/AWS::Pipes::Pipe.CloudwatchLogsLogDestination", + "markdownDescription": "The logging configuration settings for the pipe.", + "title": "CloudwatchLogsLogDestination" + }, + "FirehoseLogDestination": { + "$ref": "#/definitions/AWS::Pipes::Pipe.FirehoseLogDestination", + "markdownDescription": "The Amazon Kinesis Data Firehose logging configuration settings for the pipe.", + "title": "FirehoseLogDestination" + }, + "IncludeExecutionData": { + "items": { + "type": "string" + }, + "markdownDescription": "Whether the execution data (specifically, the `payload` , `awsRequest` , and `awsResponse` fields) is included in the log messages for this pipe.\n\nThis applies to all log destinations for the pipe.\n\nFor more information, see [Including execution data in logs](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes-logs.html#eb-pipes-logs-execution-data) in the *Amazon EventBridge User Guide* .", + "title": "IncludeExecutionData", + "type": "array" + }, + "Level": { + "markdownDescription": "The level of logging detail to include. This applies to all log destinations for the pipe.", + "title": "Level", + "type": "string" + }, + "S3LogDestination": { + "$ref": "#/definitions/AWS::Pipes::Pipe.S3LogDestination", + "markdownDescription": "The Amazon S3 logging configuration settings for the pipe.", + "title": "S3LogDestination" + } + }, + "type": "object" + }, "AWS::Pipes::Pipe.PipeSourceActiveMQBrokerParameters": { "additionalProperties": false, "properties": { 
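Review bot: The `IncludeExecutionData` description in the new `PipeLogConfiguration` definition reads like a boolean ("Whether the execution data ... is included"), but the property is declared as an array of strings and the accepted item value is never stated. I would name it in the text, for example by appending `Specify ALL to include the execution data; omit the property to exclude it.` (value to be confirmed against the EventBridge Pipes reference). Since `payload`, `awsRequest` and `awsResponse` carry whatever the source events contain, the description should also say that enabling this copies event content to every configured log destination, so access to those log groups, delivery streams and buckets has to be restricted accordingly. `Level` likewise does not list its valid values.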
@@ -164290,7 +170915,7 @@ }, "SelfManagedKafkaParameters": { "$ref": "#/definitions/AWS::Pipes::Pipe.PipeSourceSelfManagedKafkaParameters", - "markdownDescription": "The parameters for using a self-managed Apache Kafka stream as a source.", + "markdownDescription": "The parameters for using a stream as a source.", "title": "SelfManagedKafkaParameters" }, "SqsQueueParameters": { @@ -164852,6 +171477,32 @@ }, "type": "object" }, + "AWS::Pipes::Pipe.S3LogDestination": { + "additionalProperties": false, + "properties": { + "BucketName": { + "markdownDescription": "The name of the Amazon S3 bucket to which EventBridge delivers the log records for the pipe.", + "title": "BucketName", + "type": "string" + }, + "BucketOwner": { + "markdownDescription": "The AWS account that owns the Amazon S3 bucket to which EventBridge delivers the log records for the pipe.", + "title": "BucketOwner", + "type": "string" + }, + "OutputFormat": { + "markdownDescription": "The format EventBridge uses for the log records.\n\n- `json` : JSON\n- `plain` : Plain text\n- `w3c` : [W3C extended logging file format](https://docs.aws.amazon.com/https://www.w3.org/TR/WD-logfile)", + "title": "OutputFormat", + "type": "string" + }, + "Prefix": { + "markdownDescription": "The prefix text with which to begin Amazon S3 log object names.\n\nFor more information, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html) in the *Amazon Simple Storage Service User Guide* .", + "title": "Prefix", + "type": "string" + } + }, + "type": "object" + }, "AWS::Pipes::Pipe.SageMakerPipelineParameter": { "additionalProperties": false, "properties": { 
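Review bot: The `OutputFormat` description in the new `S3LogDestination` definition (hunk at -164852) carries a malformed link: `https://docs.aws.amazon.com/https://www.w3.org/TR/WD-logfile` has the docs host prefixed onto an absolute W3C URL and will not resolve. The target should be `https://www.w3.org/TR/WD-logfile`. This looks like an artefact of relative-link rewriting in whatever produces these descriptions (inferred; the file header is outside this chunk), so the rewrite step should skip URLs that are already absolute rather than this one string being patched by hand.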
@@ -165500,7 +172151,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" } }, "required": [ @@ -165535,7 +172188,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Analysis.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", @@ -165634,6 +172289,11 @@ "title": "FilterGroups", "type": "array" }, + "Options": { + "$ref": "#/definitions/AWS::QuickSight::Analysis.AssetOptions", + "markdownDescription": "An array of option definitions for an analysis.", + "title": "Options" + }, "ParameterDeclarations": { "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ParameterDeclaration" 
@@ -165789,13 +172449,33 @@ }, "type": "object" }, + "AWS::QuickSight::Analysis.AssetOptions": { + "additionalProperties": false, + "properties": { + "Timezone": { + "markdownDescription": "Determines the timezone for the analysis.", + "title": "Timezone", + "type": "string" + }, + "WeekStart": { + "markdownDescription": "Determines the week start day for an analysis.", + "title": "WeekStart", + "type": "string" + } + }, + "type": "object" + }, "AWS::QuickSight::Analysis.AttributeAggregationFunction": { "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -166764,6 +173444,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -166773,7 +173455,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ColumnIdentifier", 
@@ -167482,12 +174166,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -167932,6 +174622,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -167941,7 +174633,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Analysis.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", 
@@ -168208,7 +174902,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -168538,7 +175234,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ListControlSelectAllOptions", @@ -169201,6 +175899,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -169333,6 +176033,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { 
@@ -171112,10 +177814,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -171124,10 +177830,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" 
@@ -171150,10 +177860,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIPrimaryValueConditionalFormatting", @@ -171253,7 +177967,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TrendArrowOptions", @@ -171261,7 +177977,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" 
@@ -171311,15 +178029,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -171382,7 +178108,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -171391,6 +178119,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -171842,7 +178572,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ListControlSearchOptions", @@ -173498,6 +180230,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { 
@@ -173521,9 +180255,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -173559,9 +180297,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -173697,6 +180439,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -174038,7 +180782,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, 
@@ -174048,6 +180792,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -174174,7 +180920,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -174312,6 +181060,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -174899,9 +181649,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -175123,7 +181877,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", 
@@ -175137,9 +181893,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -175164,10 +181924,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -175340,6 +182104,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { 
@@ -175671,18 +182437,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -175781,6 +182549,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -175861,6 +182631,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -175929,7 +182701,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TextControlPlaceholderOptions", 
@@ -175980,7 +182754,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TextControlPlaceholderOptions", @@ -176061,12 +182837,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Analysis.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -176074,7 +182852,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -176393,6 +183171,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, 
@@ -176402,10 +183182,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -176436,6 +183220,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -176671,6 +183457,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be created or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -177360,6 +184148,11 @@ "markdownDescription": "", "title": "Definition" }, + "LinkSharingConfiguration": { + "$ref": "#/definitions/AWS::QuickSight::Dashboard.LinkSharingConfiguration", + "markdownDescription": "A structure that contains the link sharing configurations that you want to apply overrides to.", + "title": "LinkSharingConfiguration" + }, "Name": { "markdownDescription": "The display name of the dashboard.", "title": "Name", 
@@ -177397,7 +184190,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" }, "VersionDescription": { "markdownDescription": "A description for the first version of the dashboard being created.", @@ -177448,7 +184243,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", 
@@ -177582,13 +184379,33 @@ }, "type": "object" }, + "AWS::QuickSight::Dashboard.AssetOptions": { + "additionalProperties": false, + "properties": { + "Timezone": { + "markdownDescription": "Determines the timezone for the analysis.", + "title": "Timezone", + "type": "string" + }, + "WeekStart": { + "markdownDescription": "Determines the week start day for an analysis.", + "title": "WeekStart", + "type": "string" + } + }, + "type": "object" + }, "AWS::QuickSight::Dashboard.AttributeAggregationFunction": { "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -178557,6 +185374,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -178566,7 +185385,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColumnIdentifier", 
@@ -179275,12 +186096,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -179716,6 +186543,11 @@ "title": "FilterGroups", "type": "array" }, + "Options": { + "$ref": "#/definitions/AWS::QuickSight::Dashboard.AssetOptions", + "markdownDescription": "An array of option definitions for a dashboard.", + "title": "Options" + }, "ParameterDeclarations": { "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ParameterDeclaration" @@ -179982,6 +186814,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, 
@@ -179991,7 +186825,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", @@ -180291,7 +187127,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -180621,7 +187459,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ListControlSelectAllOptions", @@ -181317,6 +188157,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -181449,6 +188291,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { 
@@ -183228,10 +190072,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -183240,10 +190088,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" 
@@ -183266,10 +190118,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIPrimaryValueConditionalFormatting", @@ -183369,7 +190225,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TrendArrowOptions", @@ -183377,7 +190235,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" 
@@ -183427,15 +190287,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -183498,7 +190366,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -183507,6 +190377,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, 
@@ -183954,11 +190826,27 @@ }, "type": "object" }, + "AWS::QuickSight::Dashboard.LinkSharingConfiguration": { + "additionalProperties": false, + "properties": { + "Permissions": { + "items": { + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ResourcePermission" + }, + "markdownDescription": "A structure that contains the permissions of a shareable link.", + "title": "Permissions", + "type": "array" + } + }, + "type": "object" + }, "AWS::QuickSight::Dashboard.ListControlDisplayOptions": { "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ListControlSearchOptions", @@ -185614,6 +192502,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { 
@@ -185637,9 +192527,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -185675,9 +192569,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -185813,6 +192711,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -186154,7 +193054,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, 
@@ -186164,6 +193064,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -186290,7 +193192,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -186428,6 +193332,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -187015,9 +193921,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -187261,7 +194171,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", 
@@ -187275,9 +194187,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -187302,10 +194218,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -187478,6 +194398,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { 
@@ -187809,18 +194731,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -187919,6 +194843,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -187999,6 +194925,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -188067,7 +194995,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TextControlPlaceholderOptions", 
@@ -188118,7 +195048,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TextControlPlaceholderOptions", @@ -188199,12 +195131,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -188212,7 +195146,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -188531,6 +195465,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, 
@@ -188540,10 +195476,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -188574,6 +195514,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -188809,6 +195751,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be created or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -189528,7 +196472,7 @@ }, "DataSetRefreshProperties": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DataSetRefreshProperties", - "markdownDescription": "", + "markdownDescription": "The refresh properties of a dataset.", "title": "DataSetRefreshProperties" }, "DataSetUsageConfiguration": { @@ -189540,7 +196484,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DatasetParameter" }, - "markdownDescription": "", + "markdownDescription": "The parameters that are declared in a dataset.", "title": "DatasetParameters", "type": "array" }, 
@@ -189684,6 +196628,11 @@ "markdownDescription": "New column data type.", "title": "NewColumnType", "type": "string" + }, + "SubType": { + "markdownDescription": "The sub data type of the new column. Sub types are only available for decimal columns that are part of a SPICE dataset.", + "title": "SubType", + "type": "string" } }, "required": [ @@ -189836,22 +196785,22 @@ "properties": { "DateTimeDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DateTimeDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A date time parameter that is created in the dataset.", "title": "DateTimeDatasetParameter" }, "DecimalDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DecimalDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A decimal parameter that is created in the dataset.", "title": "DecimalDatasetParameter" }, "IntegerDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.IntegerDatasetParameter", - "markdownDescription": "", + "markdownDescription": "An integer parameter that is created in the dataset.", "title": "IntegerDatasetParameter" }, "StringDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.StringDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A string parameter that is created in the dataset.", "title": "StringDatasetParameter" } }, 
@@ -189862,26 +196811,26 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DateTimeDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given date time parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the parameter that is created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the date time parameter that is created in the dataset.", "title": "Name", "type": "string" }, "TimeGranularity": { - "markdownDescription": "", + "markdownDescription": "The time granularity of the date time parameter.", "title": "TimeGranularity", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -189912,21 +196861,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DecimalDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given decimal parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the decimal parameter created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the decimal parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } 
@@ -189945,7 +196894,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given decimal parameter.", "title": "StaticValues", "type": "array" } @@ -190048,6 +196997,11 @@ "title": "Name", "type": "string" }, + "SubType": { + "markdownDescription": "The sub data type of the column. Sub types are only available for decimal columns that are part of a SPICE dataset.", + "title": "SubType", + "type": "string" + }, "Type": { "markdownDescription": "The data type of the column.", "title": "Type", @@ -190065,21 +197019,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.IntegerDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given integer parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the integer parameter created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the integer parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190098,7 +197052,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given integer parameter.", "title": "StaticValues", "type": "array" } @@ -190243,7 +197197,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given decimal parameter.", "title": "DecimalStaticValues", "type": "array" }, 
@@ -190251,7 +197205,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given integer parameter.", "title": "IntegerStaticValues", "type": "array" }, @@ -190259,7 +197213,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given string parameter.", "title": "StringStaticValues", "type": "array" } @@ -190275,12 +197229,17 @@ "type": "string" }, "Name": { - "markdownDescription": "A display name for the dataset.", + "markdownDescription": "The display name of the column..", "title": "Name", "type": "string" }, + "SubType": { + "markdownDescription": "The sub data type of the column.", + "title": "SubType", + "type": "string" + }, "Type": { - "markdownDescription": "The type.", + "markdownDescription": "The data type of the column.", "title": "Type", "type": "string" } @@ -190301,7 +197260,7 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "", + "markdownDescription": "The name of the parameter to be overridden with different values.", "title": "ParameterName", "type": "string" } @@ -190364,7 +197323,7 @@ "additionalProperties": false, "properties": { "Catalog": { - "markdownDescription": "", + "markdownDescription": "The catalog associated with a table.", "title": "Catalog", "type": "string" }, @@ -190481,12 +197440,12 @@ "additionalProperties": false, "properties": { "Status": { - "markdownDescription": "", + "markdownDescription": "The status of row-level security tags. If enabled, the status is `ENABLED` . If disabled, the status is `DISABLED` .", "title": "Status", "type": "string" }, "TagRuleConfigurations": { - "markdownDescription": "", + "markdownDescription": "The configuration of tags on a dataset to set row-level security.", "title": "TagRuleConfigurations", "type": "object" }, 
@@ -190494,7 +197453,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::DataSet.RowLevelPermissionTagRule" }, - "markdownDescription": "", + "markdownDescription": "A set of rules associated with row-level security, such as the tag names and columns that they are assigned to.", "title": "TagRules", "type": "array" } @@ -190508,22 +197467,22 @@ "additionalProperties": false, "properties": { "ColumnName": { - "markdownDescription": "", + "markdownDescription": "The column name that a tag key is assigned to.", "title": "ColumnName", "type": "string" }, "MatchAllValue": { - "markdownDescription": "", + "markdownDescription": "A string that you want to use to filter by all the values in a column in the dataset and don\u2019t want to list the values one by one. For example, you can use an asterisk as your match all value.", "title": "MatchAllValue", "type": "string" }, "TagKey": { - "markdownDescription": "", + "markdownDescription": "The unique key for a tag.", "title": "TagKey", "type": "string" }, "TagMultiValueDelimiter": { - "markdownDescription": "", + "markdownDescription": "A string that you want to use to delimit the values when you pass the values at run time. For example, you can delimit the values with a comma.", "title": "TagMultiValueDelimiter", "type": "string" } 
@@ -190567,21 +197526,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.StringDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given string dataset parameter type. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the string parameter that is created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the string parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190600,7 +197559,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given string parameter.", "title": "StaticValues", "type": "array" } @@ -191078,10 +198037,20 @@ "markdownDescription": "The parameters for SQL Server.", "title": "SqlServerParameters" }, + "StarburstParameters": { + "$ref": "#/definitions/AWS::QuickSight::DataSource.StarburstParameters", + "markdownDescription": "The parameters that are required to connect to a Starburst data source.", + "title": "StarburstParameters" + }, "TeradataParameters": { "$ref": "#/definitions/AWS::QuickSight::DataSource.TeradataParameters", "markdownDescription": "The parameters for Teradata.", "title": "TeradataParameters" + }, + "TrinoParameters": { + "$ref": "#/definitions/AWS::QuickSight::DataSource.TrinoParameters", + "markdownDescription": "The parameters that are required to connect to a Trino data source.", + "title": "TrinoParameters" } }, "type": "object" 
@@ -191436,6 +198405,37 @@ }, "type": "object" }, + "AWS::QuickSight::DataSource.StarburstParameters": { + "additionalProperties": false, + "properties": { + "Catalog": { + "markdownDescription": "The catalog name for the Starburst data source.", + "title": "Catalog", + "type": "string" + }, + "Host": { + "markdownDescription": "The host name of the Starburst data source.", + "title": "Host", + "type": "string" + }, + "Port": { + "markdownDescription": "The port for the Starburst data source.", + "title": "Port", + "type": "number" + }, + "ProductType": { + "markdownDescription": "The product type for the Starburst data source.", + "title": "ProductType", + "type": "string" + } + }, + "required": [ + "Catalog", + "Host", + "Port" + ], + "type": "object" + }, "AWS::QuickSight::DataSource.TeradataParameters": { "additionalProperties": false, "properties": { @@ -191462,6 +198462,32 @@ ], "type": "object" }, + "AWS::QuickSight::DataSource.TrinoParameters": { + "additionalProperties": false, + "properties": { + "Catalog": { + "markdownDescription": "The catalog name for the Trino data source.", + "title": "Catalog", + "type": "string" + }, + "Host": { + "markdownDescription": "The host name of the Trino data source.", + "title": "Host", + "type": "string" + }, + "Port": { + "markdownDescription": "The port for the Trino data source.", + "title": "Port", + "type": "number" + } + }, + "required": [ + "Catalog", + "Host", + "Port" + ], + "type": "object" + }, "AWS::QuickSight::DataSource.VpcConnectionProperties": { "additionalProperties": false, "properties": { 
@@ -191694,7 +198720,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Template.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Template.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" }, "VersionDescription": { "markdownDescription": "A description of the current template version being created. This API operation creates the first version of the template. Every time `UpdateTemplate` is called, a new version is created. Each version of the template maintains a description of the version in the `VersionDescription` field.", @@ -191733,7 +198761,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Template.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Template.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", 
@@ -191867,13 +198897,33 @@ }, "type": "object" }, + "AWS::QuickSight::Template.AssetOptions": { + "additionalProperties": false, + "properties": { + "Timezone": { + "markdownDescription": "Determines the timezone for the analysis.", + "title": "Timezone", + "type": "string" + }, + "WeekStart": { + "markdownDescription": "Determines the week start day for an analysis.", + "title": "WeekStart", + "type": "string" + } + }, + "type": "object" + }, "AWS::QuickSight::Template.AttributeAggregationFunction": { "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -192842,6 +199892,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -192851,7 +199903,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Template.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Template.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Template.ColumnIdentifier", 
@@ -193611,12 +200665,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -194061,6 +201121,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -194070,7 +201132,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Template.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Template.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", 
@@ -194332,7 +201396,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -194639,7 +201705,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.ListControlSelectAllOptions", @@ -195302,6 +202370,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -195434,6 +202504,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { 
@@ -197190,10 +204262,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -197202,10 +204278,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" 
@@ -197228,10 +204308,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Template.KPIPrimaryValueConditionalFormatting", @@ -197331,7 +204415,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Template.TrendArrowOptions", @@ -197339,7 +204425,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" 
@@ -197389,15 +204477,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -197460,7 +204556,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -197469,6 +204567,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -197920,7 +205020,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.ListControlSearchOptions", @@ -199538,6 +206640,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { 
@@ -199561,9 +206665,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -199599,9 +206707,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -199737,6 +206849,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -200078,7 +207192,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, 
@@ -200088,6 +207202,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -200214,7 +207330,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -200352,6 +207470,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -200939,9 +208059,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -201163,7 +208287,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", 
@@ -201177,9 +208303,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -201204,10 +208334,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -201357,6 +208491,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { 
@@ -201688,18 +208824,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -201798,6 +208936,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -201878,6 +209018,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -202119,6 +209261,11 @@ "title": "FilterGroups", "type": "array" }, + "Options": { + "$ref": "#/definitions/AWS::QuickSight::Template.AssetOptions", + "markdownDescription": "An array of option definitions for a template.", + "title": "Options" + }, "ParameterDeclarations": { "items": { "$ref": "#/definitions/AWS::QuickSight::Template.ParameterDeclaration" 
@@ -202145,7 +209292,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.TextControlPlaceholderOptions", @@ -202196,7 +209345,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.TextControlPlaceholderOptions", @@ -202277,12 +209428,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Template.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Template.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", 
@@ -202290,7 +209443,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -202609,6 +209762,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, @@ -202618,10 +209773,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -202652,6 +209811,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -202887,6 +210048,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be created or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, 
@@ -203675,7 +210838,7 @@ "additionalProperties": false, "properties": { "FontFamily": { - "markdownDescription": "", + "markdownDescription": "Determines the font family settings.", "title": "FontFamily", "type": "string" } @@ -203873,7 +211036,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Theme.Font" }, - "markdownDescription": "", + "markdownDescription": "Determines the list of font families.", "title": "FontFamilies", "type": "array" } @@ -204506,6 +211669,8 @@ "type": "boolean" }, "NonAdditive": { + "markdownDescription": "The non additive for the table style target.", + "title": "NonAdditive", "type": "boolean" }, "NotAllowedAggregations": { @@ -204584,7 +211749,7 @@ "additionalProperties": false, "properties": { "Aggregation": { - "markdownDescription": "The type of aggregation that is performed on the column data when it's queried. Valid values for this structure are `SUM` , `MAX` , `MIN` , `COUNT` , `DISTINCT_COUNT` , and `AVERAGE` .", + "markdownDescription": "The type of aggregation that is performed on the column data when it's queried.", "title": "Aggregation", "type": "string" }, @@ -204653,6 +211818,8 @@ "type": "boolean" }, "NonAdditive": { + "markdownDescription": "The non additive value for the column.", + "title": "NonAdditive", "type": "boolean" }, "NotAllowedAggregations": { @@ -205199,6 +212366,8 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "Sources", "type": "array" }, "Tags": { 
@@ -205482,6 +212651,11 @@ "title": "EnableCloudwatchLogsExports", "type": "array" }, + "EnableGlobalWriteForwarding": { + "markdownDescription": "Specifies whether to enable this DB cluster to forward write operations to the primary cluster of a global cluster (Aurora global database). By default, write operations are not allowed on Aurora DB clusters that are secondary clusters in an Aurora global database.\n\nYou can set this value only on Aurora DB clusters that are members of an Aurora global database. With this parameter enabled, a secondary cluster can forward writes to the current primary cluster, and the resulting changes are replicated back to this cluster. For the primary DB cluster of an Aurora global database, this value is used immediately if the primary is demoted by a global cluster API operation, but it does nothing until then.\n\nValid for Cluster Type: Aurora DB clusters only", + "title": "EnableGlobalWriteForwarding", + "type": "boolean" + }, "EnableHttpEndpoint": { "markdownDescription": "A value that indicates whether to enable the HTTP endpoint for an Aurora Serverless DB cluster. By default, the HTTP endpoint is disabled.\n\nWhen enabled, the HTTP endpoint provides a connectionless web service API for running SQL queries on the Aurora Serverless DB cluster. You can also query your database from inside the RDS console with the query editor.\n\nFor more information, see [Using the Data API for Aurora Serverless](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html) in the *Amazon Aurora User Guide* .\n\nValid for: Aurora DB clusters only", "title": "EnableHttpEndpoint", 
@@ -205518,7 +212692,7 @@ "type": "number" }, "KmsKeyId": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nIf you create a read replica of an encrypted DB cluster in another AWS Region, make sure to set `KmsKeyId` to a KMS key identifier that is valid in the destination AWS Region. This KMS key is used to encrypt the read replica in that AWS Region.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "title": "KmsKeyId", "type": "string" }, 
@@ -205598,7 +212772,7 @@ "type": "string" }, "RestoreToTime": { - "markdownDescription": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "markdownDescription": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nThis property must be used with `SourceDBClusterIdentifier` property. The resulting cluster will have the identifier that matches the value of the `DBclusterIdentifier` property.\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "title": "RestoreToTime", "type": "string" }, 
@@ -205638,7 +212812,7 @@ "type": "boolean" }, "StorageType": { - "markdownDescription": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`", + "markdownDescription": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . 
For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`\n\n> When you create an Aurora DB cluster with the storage type set to `aurora-iopt1` , the storage type is returned in the response. The storage type isn't returned when you set it to `aurora` .", "title": "StorageType", "type": "string" }, @@ -205752,7 +212926,7 @@ "additionalProperties": false, "properties": { "AutoPause": { - "markdownDescription": "A value that indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", + "markdownDescription": "Indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", "title": "AutoPause", "type": "boolean" }, 
@@ -205928,7 +213102,7 @@ "additionalProperties": false, "properties": { "AllocatedStorage": { - "markdownDescription": "The amount of storage in gibibytes (GiB) to be initially allocated for the database instance.\n\n> If any value is set in the `Iops` parameter, `AllocatedStorage` must be at least 100 GiB, which corresponds to the minimum Iops value of 1,000. If you increase the `Iops` value (in 1,000 IOPS increments), then you must also increase the `AllocatedStorage` value (in 100-GiB increments). \n\n*Amazon Aurora*\n\nNot applicable. Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume.\n\n*MySQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*MariaDB*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*PostgreSQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*Oracle*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 10 to 3072.\n\n*SQL 
Server*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Provisioned IOPS storage (io1):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Magnetic storage (standard):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 1024.\n- Web and Express editions: Must be an integer from 20 to 1024.", + "markdownDescription": "The amount of storage in gibibytes (GiB) to be initially allocated for the database instance.\n\n> If any value is set in the `Iops` parameter, `AllocatedStorage` must be at least 100 GiB, which corresponds to the minimum Iops value of 1,000. If you increase the `Iops` value (in 1,000 IOPS increments), then you must also increase the `AllocatedStorage` value (in 100-GiB increments). \n\n*Amazon Aurora*\n\nNot applicable. 
Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume.\n\n*Db2*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp3): Must be an integer from 20 to 64000.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 64000.\n\n*MySQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*MariaDB*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*PostgreSQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*Oracle*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 10 to 3072.\n\n*SQL Server*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Provisioned IOPS storage (io1):\n\n- 
Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Magnetic storage (standard):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 1024.\n- Web and Express editions: Must be an integer from 20 to 1024.", "title": "AllocatedStorage", "type": "string" }, @@ -205951,6 +213125,8 @@ "type": "boolean" }, "AutomaticBackupReplicationRegion": { + "markdownDescription": "The destination region for the backup replication of the DB instance. For more info, see [Replicating automated backups to another AWS Region](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReplicateBackups.html) in the *Amazon RDS User Guide* .", + "title": "AutomaticBackupReplicationRegion", "type": "string" }, "AvailabilityZone": { 
@@ -206014,7 +213190,7 @@ "type": "string" }, "DBName": { - "markdownDescription": "The meaning of this parameter differs according to the database engine you use.\n\n> If you specify the `[DBSnapshotIdentifier](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier)` property, this property only applies to RDS for Oracle. \n\n*Amazon Aurora*\n\nNot applicable. The database name is managed by the DB cluster.\n\n*MySQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*MariaDB*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*PostgreSQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, the default `postgres` database is created in the DB instance.\n\nConstraints:\n\n- Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9).\n- Must contain 1 to 63 characters.\n- Can't be a word reserved by the specified database engine\n\n*Oracle*\n\nThe Oracle System ID (SID) of the created DB instance. If you specify `null` , the default value `ORCL` is used. You can't specify the string NULL, or any other reserved word, for `DBName` .\n\nDefault: `ORCL`\n\nConstraints:\n\n- Can't be longer than 8 characters\n\n*SQL Server*\n\nNot applicable. 
Must be null.", + "markdownDescription": "The meaning of this parameter differs according to the database engine you use.\n\n> If you specify the `[DBSnapshotIdentifier](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier)` property, this property only applies to RDS for Oracle. \n\n*Amazon Aurora*\n\nNot applicable. The database name is managed by the DB cluster.\n\n*Db2*\n\nThe name of the database to create when the DB instance is created. If this parameter isn't specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9).\n- Can't be a word reserved by the specified database engine.\n\n*MySQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*MariaDB*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*PostgreSQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, the default `postgres` database is created in the DB instance.\n\nConstraints:\n\n- Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9).\n- Must contain 1 to 63 characters.\n- Can't be a word reserved by the specified database engine\n\n*Oracle*\n\nThe Oracle System ID (SID) of the created DB instance. If you specify `null` , the default value `ORCL` is used. 
You can't specify the string NULL, or any other reserved word, for `DBName` .\n\nDefault: `ORCL`\n\nConstraints:\n\n- Can't be longer than 8 characters\n\n*SQL Server*\n\nNot applicable. Must be null.", "title": "DBName", "type": "string" }, @@ -206041,6 +213217,11 @@ "title": "DBSubnetGroupName", "type": "string" }, + "DedicatedLogVolume": { + "markdownDescription": "Indicates whether the DB instance has a dedicated log volume (DLV) enabled.", + "title": "DedicatedLogVolume", + "type": "boolean" + }, "DeleteAutomatedBackups": { "markdownDescription": "A value that indicates whether to remove automated backups immediately after the DB instance is deleted. This parameter isn't case-sensitive. The default is to remove automated backups immediately after the DB instance is deleted.\n\n*Amazon Aurora*\n\nNot applicable. When you delete a DB cluster, all automated backups for that DB cluster are deleted and can't be recovered. Manual DB cluster snapshots of the DB cluster are not deleted.", "title": "DeleteAutomatedBackups", 
@@ -206052,20 +213233,26 @@ "type": "boolean" }, "Domain": { - "markdownDescription": "The Active Directory directory ID to create the DB instance in. Currently, only Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain.\n\nFor more information, see [Kerberos Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html) in the *Amazon RDS User Guide* .", + "markdownDescription": "The Active Directory directory ID to create the DB instance in. Currently, only Db2, MySQL, Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain.\n\nFor more information, see [Kerberos Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html) in the *Amazon RDS User Guide* .", "title": "Domain", "type": "string" }, "DomainAuthSecretArn": { + "markdownDescription": "The ARN for the Secrets Manager secret with the credentials for the user joining the domain.\n\nExample: `arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456`", + "title": "DomainAuthSecretArn", "type": "string" }, "DomainDnsIps": { "items": { "type": "string" }, + "markdownDescription": "The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers.\n\nConstraints:\n\n- Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list.\n\nExample: `123.124.125.126,234.235.236.237`", + "title": "DomainDnsIps", "type": "array" }, "DomainFqdn": { + "markdownDescription": "The fully qualified domain name (FQDN) of an Active Directory domain.\n\nConstraints:\n\n- Can't be longer than 64 characters.\n\nExample: `mymanagedADtest.mymanagedAD.mydomain`", + "title": "DomainFqdn", "type": "string" }, "DomainIAMRoleName": { 
@@ -206074,13 +213261,15 @@ "type": "string" }, "DomainOu": { + "markdownDescription": "The Active Directory organizational unit for your DB instance to join.\n\nConstraints:\n\n- Must be in the distinguished name format.\n- Can't be longer than 64 characters.\n\nExample: `OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain`", + "title": "DomainOu", "type": "string" }, "EnableCloudwatchLogsExports": { "items": { "type": "string" }, - "markdownDescription": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", + "markdownDescription": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. 
CloudWatch Logs exports are managed by the DB cluster.\n\n*Db2*\n\nValid values: `diag.log` , `notify.log`\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace` , `oemagent`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", "title": "EnableCloudwatchLogsExports", "type": "array" }, 
@@ -206100,17 +213289,17 @@ "title": "Endpoint" }, "Engine": { - "markdownDescription": "The name of the database engine that you want to use for this DB instance.\n\n> When you are creating a DB instance, the `Engine` property is required. \n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", + "markdownDescription": "The name of the database engine that you want to use for this DB instance.\n\nNot every database engine is available in every AWS Region.\n\n> When you are creating a DB instance, the `Engine` property is required. 
\n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `db2-ae`\n- `db2-se`\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", "title": "Engine", "type": "string" }, "EngineVersion": { - "markdownDescription": "The version number of the database engine to use.\n\nFor a list of valid engine versions, use the `DescribeDBEngineVersions` action.\n\nThe following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region.\n\n*Amazon Aurora*\n\nNot applicable. 
The version number of the database engine to be used by the DB instance is managed by the DB cluster.\n\n*MariaDB*\n\nSee [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Microsoft SQL Server*\n\nSee [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSupport) in the *Amazon RDS User Guide.*\n\n*MySQL*\n\nSee [MySQL on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Oracle*\n\nSee [Oracle Database Engine Release Notes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.PatchComposition.html) in the *Amazon RDS User Guide.*\n\n*PostgreSQL*\n\nSee [Supported PostgreSQL Database Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.DBVersions) in the *Amazon RDS User Guide.*", + "markdownDescription": "The version number of the database engine to use.\n\nFor a list of valid engine versions, use the `DescribeDBEngineVersions` action.\n\nThe following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region.\n\n*Amazon Aurora*\n\nNot applicable. 
The version number of the database engine to be used by the DB instance is managed by the DB cluster.\n\n*Db2*\n\nSee [Amazon RDS for Db2](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Db2.html#Db2.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*MariaDB*\n\nSee [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Microsoft SQL Server*\n\nSee [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSupport) in the *Amazon RDS User Guide.*\n\n*MySQL*\n\nSee [MySQL on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Oracle*\n\nSee [Oracle Database Engine Release Notes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.PatchComposition.html) in the *Amazon RDS User Guide.*\n\n*PostgreSQL*\n\nSee [Supported PostgreSQL Database Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.DBVersions) in the *Amazon RDS User Guide.*", "title": "EngineVersion", "type": "string" }, "Iops": { - "markdownDescription": "The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000.\n\nIf you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GiB of storage (a ratio of 5:1), or specify 2000 IOPS with 200 GiB of storage (a ratio of 10:1). 
For more information, see [Amazon RDS Provisioned IOPS Storage to Improve Performance](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide* .\n\n> If you specify `io1` for the `StorageType` property, then you must also specify the `Iops` property.", + "markdownDescription": "The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000.\n\nIf you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GiB of storage (a ratio of 5:1), or specify 2000 IOPS with 200 GiB of storage (a ratio of 10:1). For more information, see [Amazon RDS Provisioned IOPS Storage to Improve Performance](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide* .\n\n> If you specify `io1` for the `StorageType` property, then you must also specify the `Iops` property. \n\nConstraints:\n\n- For RDS for Db2, MariaDB, MySQL, Oracle, and PostgreSQL - Must be a multiple between .5 and 50 of the storage amount for the DB instance.\n- For RDS for SQL Server - Must be a multiple between 1 and 50 of the storage amount for the DB instance.", "title": "Iops", "type": "number" }, 
@@ -206120,7 +213309,7 @@ "type": "string" }, "LicenseModel": { - "markdownDescription": "License model information for this DB instance.\n\nValid values:\n\n- Aurora MySQL - `general-public-license`\n- Aurora PostgreSQL - `postgresql-license`\n- MariaDB - `general-public-license`\n- Microsoft SQL Server - `license-included`\n- MySQL - `general-public-license`\n- Oracle - `bring-your-own-license` or `license-included`\n- PostgreSQL - `postgresql-license`\n\n> If you've specified `DBSecurityGroups` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability.", + "markdownDescription": "License model information for this DB instance.\n\nValid Values:\n\n- Aurora MySQL - `general-public-license`\n- Aurora PostgreSQL - `postgresql-license`\n- RDS for Db2 - `bring-your-own-license` . For more information about RDS for Db2 licensing, see [](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-licensing.html) in the *Amazon RDS User Guide.*\n- RDS for MariaDB - `general-public-license`\n- RDS for Microsoft SQL Server - `license-included`\n- RDS for MySQL - `general-public-license`\n- RDS for Oracle - `bring-your-own-license` or `license-included`\n- RDS for PostgreSQL - `postgresql-license`\n\n> If you've specified `DBSecurityGroups` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability.", "title": "LicenseModel", "type": "string" }, 
@@ -206130,7 +213319,7 @@ "type": "boolean" }, "MasterUserPassword": { - "markdownDescription": "The password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".\n\n*Amazon Aurora*\n\nNot applicable. The password for the master user is managed by the DB cluster.\n\n*MariaDB*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*Microsoft SQL Server*\n\nConstraints: Must contain from 8 to 128 characters.\n\n*MySQL*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*Oracle*\n\nConstraints: Must contain from 8 to 30 characters.\n\n*PostgreSQL*\n\nConstraints: Must contain from 8 to 128 characters.", + "markdownDescription": "The password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".\n\n*Amazon Aurora*\n\nNot applicable. The password for the master user is managed by the DB cluster.\n\n*RDS for Db2*\n\nMust contain from 8 to 255 characters.\n\n*RDS for MariaDB*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*RDS for Microsoft SQL Server*\n\nConstraints: Must contain from 8 to 128 characters.\n\n*RDS for MySQL*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*RDS for Oracle*\n\nConstraints: Must contain from 8 to 30 characters.\n\n*RDS for PostgreSQL*\n\nConstraints: Must contain from 8 to 128 characters.", "title": "MasterUserPassword", "type": "string" }, 
@@ -206140,7 +213329,7 @@ "title": "MasterUserSecret" }, "MasterUsername": { - "markdownDescription": "The master user name for the DB instance.\n\n> If you specify the `SourceDBInstanceIdentifier` or `DBSnapshotIdentifier` property, don't specify this property. The value is inherited from the source DB instance or snapshot. \n\n*Amazon Aurora*\n\nNot applicable. The name for the master user is managed by the DB cluster.\n\n*MariaDB*\n\nConstraints:\n\n- Required for MariaDB.\n- Must be 1 to 16 letters or numbers.\n- Can't be a reserved word for the chosen database engine.\n\n*Microsoft SQL Server*\n\nConstraints:\n\n- Required for SQL Server.\n- Must be 1 to 128 letters or numbers.\n- The first character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*MySQL*\n\nConstraints:\n\n- Required for MySQL.\n- Must be 1 to 16 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*Oracle*\n\nConstraints:\n\n- Required for Oracle.\n- Must be 1 to 30 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*PostgreSQL*\n\nConstraints:\n\n- Required for PostgreSQL.\n- Must be 1 to 63 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.", + "markdownDescription": "The master user name for the DB instance.\n\n> If you specify the `SourceDBInstanceIdentifier` or `DBSnapshotIdentifier` property, don't specify this property. The value is inherited from the source DB instance or snapshot.\n> \n> When migrating a self-managed Db2 database, we recommend that you use the same master username as your self-managed Db2 instance name. \n\n*Amazon Aurora*\n\nNot applicable. 
The name for the master user is managed by the DB cluster.\n\n*RDS for Db2*\n\nConstraints:\n\n- Must be 1 to 16 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for MariaDB*\n\nConstraints:\n\n- Must be 1 to 16 letters or numbers.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for Microsoft SQL Server*\n\nConstraints:\n\n- Must be 1 to 128 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for MySQL*\n\nConstraints:\n\n- Must be 1 to 16 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for Oracle*\n\nConstraints:\n\n- Must be 1 to 30 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for PostgreSQL*\n\nConstraints:\n\n- Must be 1 to 63 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.", "title": "MasterUsername", "type": "string" }, @@ -206190,7 +213379,7 @@ "type": "number" }, "Port": { - "markdownDescription": "The port number on which the database accepts connections.\n\n*Amazon Aurora*\n\nNot applicable. The port number is managed by the DB cluster.", + "markdownDescription": "The port number on which the database accepts connections.\n\n*Amazon Aurora*\n\nNot applicable. The port number is managed by the DB cluster.\n\n*Db2*\n\nDefault value: `50000`", "title": "Port", "type": "string" }, 
@@ -206228,7 +213417,7 @@ "type": "string" }, "RestoreTime": { - "markdownDescription": "The date and time to restore from.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n\nExample: `2009-09-07T23:45:00Z`", + "markdownDescription": "The date and time to restore from.\n\nConstraints:\n\n- Must be a time in Universal Coordinated Time (UTC) format.\n- Must be before the latest restorable time for the DB instance.\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled.\n\nExample: `2009-09-07T23:45:00Z`", "title": "RestoreTime", "type": "string" }, @@ -206238,7 +213427,7 @@ "type": "string" }, "SourceDBInstanceAutomatedBackupsArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:useast-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", + "markdownDescription": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:us-east-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", "title": "SourceDBInstanceAutomatedBackupsArn", "type": "string" }, 
@@ -206258,7 +213447,7 @@ "type": "string" }, "StorageEncrypted": { - "markdownDescription": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", + "markdownDescription": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. 
Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", "title": "StorageEncrypted", "type": "boolean" }, @@ -206291,7 +213480,7 @@ "type": "boolean" }, "UseLatestRestorableTime": { - "markdownDescription": "A value that indicates whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints: Can't be specified if the `RestoreTime` parameter is provided.", + "markdownDescription": "Specifies whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints:\n\n- Can't be specified if the `RestoreTime` parameter is provided.", "title": "UseLatestRestorableTime", "type": "boolean" }, 
@@ -206466,7 +213655,7 @@ "type": "string" }, "Parameters": { - "markdownDescription": "An array of parameter names and values for the parameter update. At least one parameter name and value must be supplied. Subsequent arguments are optional.\n\nFor more information about DB parameters and DB parameter groups for Amazon RDS DB engines, see [Working with DB Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide* .\n\nFor more information about DB cluster and DB instance parameters and parameter groups for Amazon Aurora DB engines, see [Working with DB Parameter Groups and DB Cluster Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide* .\n\n> AWS CloudFormation doesn't support specifying an apply method for each individual parameter. The default apply method for each parameter is used.", + "markdownDescription": "An array of parameter names and values for the parameter update. At least one parameter name and value must be supplied. Subsequent arguments are optional.\n\nRDS for Db2 requires you to bring your own Db2 license. 
You must enter your IBM customer ID ( `rds.ibm_customer_id` ) and site number ( `rds.ibm_site_id` ) before starting a Db2 instance.\n\nFor more information about DB parameters and DB parameter groups for Amazon RDS DB engines, see [Working with DB Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide* .\n\nFor more information about DB cluster and DB instance parameters and parameter groups for Amazon Aurora DB engines, see [Working with DB Parameter Groups and DB Cluster Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide* .\n\n> AWS CloudFormation doesn't support specifying an apply method for each individual parameter. The default apply method for each parameter is used.", "title": "Parameters", "type": "object" }, 
@@ -206555,12 +213744,12 @@ "type": "string" }, "DebugLogging": { - "markdownDescription": "Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", + "markdownDescription": "Specifies whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", "title": "DebugLogging", "type": "boolean" }, "EngineFamily": { - "markdownDescription": "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify `MYSQL` . For Aurora PostgreSQL and RDS for PostgreSQL databases, specify `POSTGRESQL` . For RDS for Microsoft SQL Server, specify `SQLSERVER` .\n\n*Valid values* : `MYSQL` | `POSTGRESQL` | `SQLSERVER`", + "markdownDescription": "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify `MYSQL` . 
For Aurora PostgreSQL and RDS for PostgreSQL databases, specify `POSTGRESQL` . For RDS for Microsoft SQL Server, specify `SQLSERVER` .\n\n*Valid Values* : `MYSQL` | `POSTGRESQL` | `SQLSERVER`", "title": "EngineFamily", "type": "string" }, @@ -206570,7 +213759,7 @@ "type": "number" }, "RequireTLS": { - "markdownDescription": "A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", + "markdownDescription": "Specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", "title": "RequireTLS", "type": "boolean" }, @@ -206898,7 +214087,7 @@ "additionalProperties": false, "properties": { "ConnectionBorrowTimeout": { - "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: 120\n\nConstraints: between 1 and 3600, or 0 representing unlimited", + "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. For an unlimited wait time, specify `0` .\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 3600.", "title": "ConnectionBorrowTimeout", "type": "number" }, 
@@ -206908,12 +214097,12 @@ "type": "string" }, "MaxConnectionsPercent": { - "markdownDescription": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: 10 for RDS for Microsoft SQL Server, and 100 for all other engines\n\nConstraints: Must be between 1 and 100.", + "markdownDescription": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: `10` for RDS for Microsoft SQL Server, and `100` for all other engines\n\nConstraints:\n\n- Must be between 1 and 100.", "title": "MaxConnectionsPercent", "type": "number" }, "MaxIdleConnectionsPercent": { - "markdownDescription": "Controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. 
If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is 5, and for all other engines, the default is 50.\n\nConstraints: Must be between 0 and the value of `MaxConnectionsPercent` .", + "markdownDescription": "A value that controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is `5` , and for all other engines, the default is `50` .\n\nConstraints:\n\n- Must be between 0 and the value of `MaxConnectionsPercent` .", "title": "MaxIdleConnectionsPercent", "type": "number" }, @@ -207255,7 +214444,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "A value that indicates whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", + "markdownDescription": "Specifies whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", "title": "Enabled", "type": "boolean" }, 
@@ -208024,7 +215213,7 @@ "type": "number" }, "MasterUserPassword": { - "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", + "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nYou can't use `MasterUserPassword` if `ManageMasterPassword` is `true` .\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", "title": "MasterUserPassword", "type": "string" }, @@ -208033,6 +215222,11 @@ "title": "MasterUsername", "type": "string" }, + "MultiAZ": { + "markdownDescription": "A boolean indicating whether Amazon Redshift should deploy the cluster in two Availability Zones. The default is false.", + "title": "MultiAZ", + "type": "boolean" + }, "NodeType": { "markdownDescription": "The node type to be provisioned for the cluster. For information about node types, go to [Working with Clusters](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes) in the *Amazon Redshift Cluster Management Guide* .\n\nValid Values: `ds2.xlarge` | `ds2.8xlarge` | `dc1.large` | `dc1.8xlarge` | `dc2.large` | `dc2.8xlarge` | `ra3.xlplus` | `ra3.4xlarge` | `ra3.16xlarge`", "title": "NodeType", 
@@ -208064,7 +215258,7 @@ "type": "boolean" }, "ResourceAction": { - "markdownDescription": "The Amazon Redshift operation to be performed. Supported operations are `pause-cluster` and `resume-cluster` .", + "markdownDescription": "The Amazon Redshift operation to be performed. Supported operations are `pause-cluster` , `resume-cluster` , and `failover-primary-compute` .", "title": "ResourceAction", "type": "string" }, @@ -209500,7 +216694,7 @@ "items": { "$ref": "#/definitions/AWS::RedshiftServerless::Workgroup.ConfigParameter" }, - "markdownDescription": "An array of parameters to set for advanced control over a database. The options are `auto_mv` , `datestyle` , `enable_case_sensitivity_identifier` , `enable_user_activity_logging` , `query_group` , , `search_path` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", + "markdownDescription": "An array of parameters to set for advanced control over a database. The options are `auto_mv` , `datestyle` , `enable_case_sensitive_identifier` , `enable_user_activity_logging` , `query_group` , `search_path` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", "title": "ConfigParameters", "type": "array" }, 
@@ -210533,12 +217727,12 @@ "type": "string" }, "AppTemplateBody": { - "markdownDescription": "A JSON string that provides information about your application structure. To learn more about the `appTemplateBody` template, see the sample template provided in the *Examples* section.\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nThe name of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. 
If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nThe name of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. 
\n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", + "markdownDescription": "A JSON string that provides information about your application structure. 
To learn more about the `appTemplateBody` template, see the sample template in [Sample appTemplateBody template](https://docs.aws.amazon.com//resilience-hub/latest/APIReference/API_PutDraftAppVersionTemplate.html#API_PutDraftAppVersionTemplate_Examples) .\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nIdentifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nName of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. 
If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nName of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. 
\n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", "title": "AppTemplateBody", "type": "string" }, "Description": { - "markdownDescription": "The optional description for an app.", + "markdownDescription": "Optional description for an application.", "title": "Description", "type": "string" }, 
@@ -210546,15 +217740,19 @@ "items": { "$ref": "#/definitions/AWS::ResilienceHub::App.EventSubscription" }, + "markdownDescription": "The list of events you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* and *Scheduled assessment failure* events.", + "title": "EventSubscriptions", "type": "array" }, "Name": { - "markdownDescription": "The name for the application.", + "markdownDescription": "Name for the application.", "title": "Name", "type": "string" }, "PermissionModel": { - "$ref": "#/definitions/AWS::ResilienceHub::App.PermissionModel" + "$ref": "#/definitions/AWS::ResilienceHub::App.PermissionModel", + "markdownDescription": "Defines the roles and credentials that AWS Resilience Hub would use while creating the application, importing its resources, and running an assessment.", + "title": "PermissionModel" }, "ResiliencyPolicyArn": { "markdownDescription": "The Amazon Resource Name (ARN) of the resiliency policy.", @@ -210565,13 +217763,13 @@ "items": { "$ref": "#/definitions/AWS::ResilienceHub::App.ResourceMapping" }, - "markdownDescription": "An array of ResourceMapping objects.", + "markdownDescription": "An array of `ResourceMapping` objects.", "title": "ResourceMappings", "type": "array" }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "markdownDescription": "Tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" 
@@ -210613,12 +217811,18 @@ "additionalProperties": false, "properties": { "EventType": { + "markdownDescription": "The type of event you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* ( `DriftDetected` ) and *Scheduled assessment failure* ( `ScheduledAssessmentFailure` ) events.", + "title": "EventType", "type": "string" }, "Name": { + "markdownDescription": "Unique name to identify an event subscription.", + "title": "Name", "type": "string" }, "SnsTopicArn": { + "markdownDescription": "Amazon Resource Name (ARN) of the Amazon Simple Notification Service topic. The format for this ARN is: `arn:partition:sns:region:account:topic-name` . For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* guide.", + "title": "SnsTopicArn", "type": "string" } }, 
@@ -210635,12 +217839,18 @@ "items": { "type": "string" }, + "markdownDescription": "Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts. These ARNs are used for querying purposes while importing resources and assessing your application.\n\n> - These ARNs are required only when your resources are in other accounts and you have different role name in these accounts. Else, the invoker role name will be used in the other accounts.\n> - These roles must have a trust policy with `iam:AssumeRole` permission to the invoker role in the primary account.", + "title": "CrossAccountRoleArns", "type": "array" }, "InvokerRoleName": { + "markdownDescription": "Existing AWS IAM role name in the primary AWS account that will be assumed by AWS Resilience Hub Service Principle to obtain a read-only access to your application resources while running an assessment.\n\n> - You must have `iam:passRole` permission for this role while creating or updating the application.\n> - Currently, `invokerRoleName` accepts only `[A-Za-z0-9_+=,.@-]` characters.", + "title": "InvokerRoleName", "type": "string" }, "Type": { + "markdownDescription": "Defines how AWS Resilience Hub scans your resources. It can scan for the resources by using a pre-existing role in your AWS account, or by using the credentials of the current IAM user.", + "title": "Type", "type": "string" } }, @@ -210663,7 +217873,7 @@ "type": "string" }, "Identifier": { - "markdownDescription": "The identifier of the physical resource.", + "markdownDescription": "Identifier of the physical resource.", "title": "Identifier", "type": "string" }, 
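Review bot: The `CrossAccountRoleArns` description added in this hunk says the cross-account roles need a trust policy with `iam:AssumeRole`, but the action a role trust policy grants is `sts:AssumeRole`. A reader who copies the documented name into a policy is unlikely to end up with a role the invoker can assume. Suggested wording: `These roles must have a trust policy that grants sts:AssumeRole to the invoker role in the primary account.` In the `InvokerRoleName` description of the same hunk, "Service Principle" should read "Service Principal", and `iam:passRole` is conventionally written `iam:PassRole`. If this schema text is generated from the upstream CloudFormation documentation, the correction presumably belongs in that source rather than in this file.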
@@ -210683,32 +217893,32 @@ "additionalProperties": false, "properties": { "EksSourceName": { - "markdownDescription": "", + "markdownDescription": "Name of the Amazon Elastic Kubernetes Service cluster and namespace that this resource is mapped to when the `mappingType` is `EKS` .\n\n> This parameter accepts values in \"eks-cluster/namespace\" format.", "title": "EksSourceName", "type": "string" }, "LogicalStackName": { - "markdownDescription": "The name of the CloudFormation stack this resource is mapped to.", + "markdownDescription": "Name of the AWS CloudFormation stack this resource is mapped to when the `mappingType` is `CfnStack` .", "title": "LogicalStackName", "type": "string" }, "MappingType": { - "markdownDescription": "Specifies the type of resource mapping.\n\nValid Values: CfnStack | Resource | AppRegistryApp | ResourceGroup | Terraform\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a CloudFormation stack. The name of the CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to a resource group. 
The name of the resource group is contained in the `resourceGroupName` property.", + "markdownDescription": "Specifies the type of resource mapping.", "title": "MappingType", "type": "string" }, "PhysicalResourceId": { "$ref": "#/definitions/AWS::ResilienceHub::App.PhysicalResourceId", - "markdownDescription": "The identifier of this resource.", + "markdownDescription": "Identifier of the physical resource.", "title": "PhysicalResourceId" }, "ResourceName": { - "markdownDescription": "The name of the resource this resource is mapped to.", + "markdownDescription": "Name of the resource that this resource is mapped to when the `mappingType` is `Resource` .", "title": "ResourceName", "type": "string" }, "TerraformSourceName": { - "markdownDescription": "The short name of the Terraform source.", + "markdownDescription": "Name of the Terraform source that this resource is mapped to when the `mappingType` is `Terraform` .", "title": "TerraformSourceName", "type": "string" } @@ -210782,7 +217992,7 @@ }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "markdownDescription": "Tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -210829,12 +218039,12 @@ "additionalProperties": false, "properties": { "RpoInSecs": { - "markdownDescription": "The Recovery Point Objective (RPO), in seconds.", + "markdownDescription": "Recovery Point Objective (RPO) in seconds.", "title": "RpoInSecs", "type": "number" }, "RtoInSecs": { - "markdownDescription": "The Recovery Time Objective (RTO), in seconds.", + "markdownDescription": "Recovery Time Objective (RTO) in seconds.", "title": "RtoInSecs", "type": "number" } 
@@ -211026,7 +218236,7 @@ "additionalProperties": false, "properties": { "Filters": { - "$ref": "#/definitions/AWS::ResourceExplorer2::View.Filters", + "$ref": "#/definitions/AWS::ResourceExplorer2::View.SearchFilter", "markdownDescription": "An array of strings that include search keywords, prefixes, and operators that filter the results that are returned for queries made using this view. When you use this view in a [Search](https://docs.aws.amazon.com/resource-explorer/latest/apireference/API_Search.html) operation, the filter string is combined with the search's `QueryString` parameter using a logical `AND` operator.\n\nFor information about the supported syntax, see [Search query reference for Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html) in the *AWS Resource Explorer User Guide* .\n\n> This query string in the context of this operation supports only [filter prefixes](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-filters) with optional [operators](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-operators) . It doesn't support free-form text. For example, the string `region:us* service:ec2 -tag:stage=prod` includes all Amazon EC2 resources in any AWS Region that begin with the letters `us` and are *not* tagged with a key `Stage` that has the value `prod` .", "title": "Filters" }, @@ -211038,6 +218248,11 @@ "title": "IncludedProperties", "type": "array" }, + "Scope": { + "markdownDescription": "The root ARN of the account, an organizational unit (OU), or an organization ARN. If left empty, the default is account.", + "title": "Scope", + "type": "string" + }, "Tags": { "additionalProperties": true, "markdownDescription": "Tag key and value pairs that are attached to the view.", 
@@ -211081,31 +218296,31 @@ ], "type": "object" }, - "AWS::ResourceExplorer2::View.Filters": { + "AWS::ResourceExplorer2::View.IncludedProperty": { "additionalProperties": false, "properties": { - "FilterString": { - "markdownDescription": "", - "title": "FilterString", + "Name": { + "markdownDescription": "The name of the property that is included in this view.", + "title": "Name", "type": "string" } }, "required": [ - "FilterString" + "Name" ], "type": "object" }, - "AWS::ResourceExplorer2::View.IncludedProperty": { + "AWS::ResourceExplorer2::View.SearchFilter": { "additionalProperties": false, "properties": { - "Name": { - "markdownDescription": "The name of the property that is included in this view.", - "title": "Name", + "FilterString": { + "markdownDescription": "The string that contains the search keywords, prefixes, and operators to control the results that can be returned by a Search operation.\n\nFor information about the supported syntax, see [Search query reference](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html) in the *AWS Resource Explorer User Guide* .\n\n> This query string in the context of this operation supports only [filter prefixes](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-filters) with optional [operators](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-operators) . It doesn't support free-form text. For example, the string `region:us* service:ec2 -tag:stage=prod` includes all Amazon EC2 resources in any AWS Region that begin with the letters `us` and are *not* tagged with a key `Stage` that has the value `prod` .", + "title": "FilterString", "type": "string" } }, "required": [ - "Name" + "FilterString" ], "type": "object" }, 
@@ -212000,17 +219215,17 @@ "additionalProperties": false, "properties": { "CrlData": { - "markdownDescription": "The x509 v3 specified certificate revocation list (CRL).", + "markdownDescription": "", "title": "CrlData", "type": "string" }, "Enabled": { - "markdownDescription": "Specifies whether the certificate revocation list (CRL) is enabled.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" }, "Name": { - "markdownDescription": "The name of the certificate revocation list (CRL).", + "markdownDescription": "", "title": "Name", "type": "string" }, @@ -212018,7 +219233,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A list of tags to attach to the certificate revocation list (CRL).", + "markdownDescription": "", "title": "Tags", "type": "array" }, @@ -212091,12 +219306,12 @@ "additionalProperties": false, "properties": { "DurationSeconds": { - "markdownDescription": "Sets the maximum number of seconds that vended temporary credentials through [CreateSession](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html) will be valid for, between 900 and 3600.", + "markdownDescription": "The number of seconds vended session credentials will be valid for", "title": "DurationSeconds", "type": "number" }, "Enabled": { - "markdownDescription": "Indicates whether the profile is enabled.", + "markdownDescription": "The enabled status of the resource.", "title": "Enabled", "type": "boolean" }, 
@@ -212104,17 +219319,17 @@ "items": { "type": "string" }, - "markdownDescription": "A list of managed policy ARNs that apply to the vended session credentials.", + "markdownDescription": "A list of managed policy ARNs. Managed policies identified by this list will be applied to the vended session credentials.", "title": "ManagedPolicyArns", "type": "array" }, "Name": { - "markdownDescription": "The name of the profile.", + "markdownDescription": "The customer specified name of the resource.", "title": "Name", "type": "string" }, "RequireInstanceProperties": { - "markdownDescription": "Specifies whether instance properties are required in temporary credential requests with this profile.", + "markdownDescription": "Specifies whether instance properties are required in CreateSession requests with this profile.", "title": "RequireInstanceProperties", "type": "boolean" }, @@ -212122,12 +219337,12 @@ "items": { "type": "string" }, - "markdownDescription": "A list of IAM role ARNs. During `CreateSession` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.", + "markdownDescription": "A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.", "title": "RoleArns", "type": "array" }, "SessionPolicy": { - "markdownDescription": "A session policy that applies to the trust boundary of the vended session credentials.", + "markdownDescription": "A session policy that will applied to the trust boundary of the vended session credentials.", "title": "SessionPolicy", "type": "string" }, @@ -212135,7 +219350,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags to attach to the profile.", + "markdownDescription": "A list of Tags.", "title": "Tags", "type": "array" } 
@@ -212216,6 +219431,8 @@ "items": { "$ref": "#/definitions/AWS::RolesAnywhere::TrustAnchor.NotificationSetting" }, + "markdownDescription": "A list of notification settings to be associated to the trust anchor.", + "title": "NotificationSettings", "type": "array" }, "Source": { @@ -212263,15 +219480,23 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge , and AWS Health Dashboard to notify for an event.\n\n> In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.", + "title": "Channel", "type": "string" }, "Enabled": { + "markdownDescription": "Indicates whether the notification setting is enabled.", + "title": "Enabled", "type": "boolean" }, "Event": { + "markdownDescription": "The event to which this notification setting is applied.", + "title": "Event", "type": "string" }, "Threshold": { + "markdownDescription": "The number of days before a notification event. This value is required for a notification setting that is enabled.", + "title": "Threshold", "type": "number" } }, @@ -212286,11 +219511,11 @@ "properties": { "SourceData": { "$ref": "#/definitions/AWS::RolesAnywhere::TrustAnchor.SourceData", - "markdownDescription": "The data field of the trust anchor depending on its type.", + "markdownDescription": "A union object representing the data field of the TrustAnchor depending on its type", "title": "SourceData" }, "SourceType": { - "markdownDescription": "The type of the TrustAnchor.\n\n> `AWS_ACM_PCA` is not an allowed value in your region.", + "markdownDescription": "The type of the TrustAnchor.", "title": "SourceType", "type": "string" } 
@@ -212653,7 +219878,7 @@ "type": "string" }, "RoutingControlArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) for the Route 53 Application Recovery Controller routing control.\n\nFor more information about Route 53 Application Recovery Controller, see [Route 53 Application Recovery Controller Developer Guide.](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route-53-recovery.html) .", "title": "RoutingControlArn", "type": "string" }, 
@@ -213013,7 +220238,7 @@ "type": "boolean" }, "Name": { - "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. 
For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "title": "Name", "type": "string" }, 
@@ -213320,7 +220545,7 @@ "type": "string" }, "HostedZoneId": { - "markdownDescription": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", + "markdownDescription": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .\n\nDo not provide the `HostedZoneId` if it is already defined in `AWS::Route53::RecordSetGroup` . The creation fails if `HostedZoneId` is defined in both.", "title": "HostedZoneId", "type": "string" }, 
@@ -213335,7 +220560,7 @@ "type": "boolean" }, "Name": { - "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. 
For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "title": "Name", "type": "string" }, @@ -213423,7 +220648,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the cluster.", "title": "Tags", "type": "array" } @@ -213519,7 +220744,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the control panel.", "title": "Tags", "type": "array" } 
@@ -213668,7 +220893,7 @@ "title": "AssertionRule" }, "ControlPanelArn": { - "markdownDescription": "The Amazon Resource Name (ARN) for the control panel.", + "markdownDescription": "The Amazon Resource Name (ARN) of the control panel.", "title": "ControlPanelArn", "type": "string" }, @@ -213691,7 +220916,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the safety rule.", "title": "Tags", "type": "array" } @@ -214573,21 +221798,31 @@ "additionalProperties": false, "properties": { "InstanceCount": { + "markdownDescription": "Amazon EC2 instance count for the Resolver on the Outpost.", + "title": "InstanceCount", "type": "number" }, "Name": { + "markdownDescription": "Name of the Resolver.", + "title": "Name", "type": "string" }, "OutpostArn": { + "markdownDescription": "The ARN (Amazon Resource Name) for the Outpost.", + "title": "OutpostArn", "type": "string" }, "PreferredInstanceType": { + "markdownDescription": "The Amazon EC2 instance type. If you specify this, you must also specify a value for the `OutpostArn` .", + "title": "PreferredInstanceType", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "A key value pair that helps you identify a Route\u00a053 Resolver .", + "title": "Tags", "type": "array" } }, 
@@ -214809,15 +222044,23 @@ "type": "string" }, "OutpostArn": { - "markdownDescription": "", + "markdownDescription": "The ARN (Amazon Resource Name) for the Outpost.", "title": "OutpostArn", "type": "string" }, "PreferredInstanceType": { - "markdownDescription": "", + "markdownDescription": "The Amazon EC2 instance type.", "title": "PreferredInstanceType", "type": "string" }, + "Protocols": { + "items": { + "type": "string" + }, + "markdownDescription": "", + "title": "Protocols", + "type": "array" + }, "ResolverEndpointType": { "markdownDescription": "The Resolver endpoint IP address type.", "title": "ResolverEndpointType", @@ -215144,6 +222387,11 @@ "markdownDescription": "The port at `Ip` that you want to forward DNS queries to.", "title": "Port", "type": "string" + }, + "Protocol": { + "markdownDescription": "", + "title": "Protocol", + "type": "string" } }, "type": "object" @@ -215226,7 +222474,7 @@ ], "type": "object" }, - "AWS::S3::AccessPoint": { + "AWS::S3::AccessGrant": { "additionalProperties": false, "properties": { "Condition": { 
@@ -215261,45 +222509,55 @@ "Properties": { "additionalProperties": false, "properties": { - "Bucket": { - "markdownDescription": "The name of the bucket associated with this access point.", - "title": "Bucket", - "type": "string" + "AccessGrantsLocationConfiguration": { + "$ref": "#/definitions/AWS::S3::AccessGrant.AccessGrantsLocationConfiguration", + "markdownDescription": "The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access. It contains the `S3SubPrefix` field. The grant scope is the result of appending the subprefix to the location scope of the registered location.", + "title": "AccessGrantsLocationConfiguration" }, - "BucketAccountId": { - "markdownDescription": "The AWS account ID associated with the S3 bucket associated with this access point.", - "title": "BucketAccountId", + "AccessGrantsLocationId": { + "markdownDescription": "The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID `default` to the default location `s3://` and assigns an auto-generated ID to other locations that you register.", + "title": "AccessGrantsLocationId", "type": "string" }, - "Name": { - "markdownDescription": "The name of this access point. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.", - "title": "Name", + "ApplicationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of an AWS IAM Identity Center application associated with your Identity Center instance. 
If the grant includes an application ARN, the grantee can only access the S3 data through this application.", + "title": "ApplicationArn", "type": "string" }, - "Policy": { - "markdownDescription": "The access point policy associated with this access point.", - "title": "Policy", - "type": "object" + "Grantee": { + "$ref": "#/definitions/AWS::S3::AccessGrant.Grantee", + "markdownDescription": "The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to AWS IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.", + "title": "Grantee" }, - "PublicAccessBlockConfiguration": { - "$ref": "#/definitions/AWS::S3::AccessPoint.PublicAccessBlockConfiguration", - "markdownDescription": "The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. 
For more information about when Amazon S3 considers a bucket or object public, see [The Meaning of \"Public\"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide* .", - "title": "PublicAccessBlockConfiguration" + "Permission": { + "markdownDescription": "The type of access that you are granting to your S3 data, which can be set to one of the following values:\n\n- `READ` \u2013 Grant read-only access to the S3 data.\n- `WRITE` \u2013 Grant write-only access to the S3 data.\n- `READWRITE` \u2013 Grant both read and write access to the S3 data.", + "title": "Permission", + "type": "string" }, - "VpcConfiguration": { - "$ref": "#/definitions/AWS::S3::AccessPoint.VpcConfiguration", - "markdownDescription": "The Virtual Private Cloud (VPC) configuration for this access point, if one exists.", - "title": "VpcConfiguration" + "S3PrefixType": { + "markdownDescription": "The type of `S3SubPrefix` . The only possible value is `Object` . Pass this value if the access grant scope is an object. Do not pass this value if the access grant scope is a bucket or a bucket and a prefix.", + "title": "S3PrefixType", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The AWS resource tags that you are adding to the access grant. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.", + "title": "Tags", + "type": "array" } }, "required": [ - "Bucket" + "AccessGrantsLocationId", + "Grantee", + "Permission" ], "type": "object" }, "Type": { "enum": [ - "AWS::S3::AccessPoint" + "AWS::S3::AccessGrant" ], "type": "string" }, 
@@ -215318,54 +222576,327 @@ ], "type": "object" }, - "AWS::S3::AccessPoint.PublicAccessBlockConfiguration": { + "AWS::S3::AccessGrant.AccessGrantsLocationConfiguration": { "additionalProperties": false, "properties": { - "BlockPublicAcls": { - "markdownDescription": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", - "title": "BlockPublicAcls", - "type": "boolean" - }, - "BlockPublicPolicy": { - "markdownDescription": "Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.", - "title": "BlockPublicPolicy", - "type": "boolean" - }, - "IgnorePublicAcls": { - "markdownDescription": "Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.\n\nEnabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.", - "title": "IgnorePublicAcls", - "type": "boolean" - }, - "RestrictPublicBuckets": { - "markdownDescription": "Specifies whether Amazon S3 should restrict public bucket policies for this bucket. 
Setting this element to `TRUE` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.\n\nEnabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.", - "title": "RestrictPublicBuckets", - "type": "boolean" + "S3SubPrefix": { + "markdownDescription": "The `S3SubPrefix` is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location `s3://` because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location `s3://` , the `S3SubPrefx` can be a `/*` , so the full grant scope path would be `s3:///*` . Or the `S3SubPrefx` can be `/*` , so the full grant scope path would be `s3:///*` .\n\nIf the `S3SubPrefix` includes a prefix, append the wildcard character `*` after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.", + "title": "S3SubPrefix", + "type": "string" } }, + "required": [ + "S3SubPrefix" + ], "type": "object" }, - "AWS::S3::AccessPoint.VpcConfiguration": { + "AWS::S3::AccessGrant.Grantee": { "additionalProperties": false, "properties": { - "VpcId": { - "markdownDescription": "If this field is specified, the access point will only allow connections from the specified VPC ID.", - "title": "VpcId", + "GranteeIdentifier": { + "markdownDescription": "The unique identifier of the `Grantee` . If the grantee type is `IAM` , the identifier is the IAM Amazon Resource Name (ARN) of the user or role. 
If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111` . You can obtain this UUID from your AWS IAM Identity Center instance.", + "title": "GranteeIdentifier", + "type": "string" + }, + "GranteeType": { + "markdownDescription": "The type of the grantee to which access has been granted. It can be one of the following values:\n\n- `IAM` - An IAM user or role.\n- `DIRECTORY_USER` - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.\n- `DIRECTORY_GROUP` - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.", + "title": "GranteeType", "type": "string" } }, + "required": [ + "GranteeIdentifier", + "GranteeType" + ], "type": "object" }, - "AWS::S3::Bucket": { + "AWS::S3::AccessGrantsInstance": { "additionalProperties": false, "properties": { "Condition": { "type": "string" }, - "Connectors": { - "additionalProperties": { - "$ref": "#/definitions/EmbeddedConnector" + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "IdentityCenterArn": { + "markdownDescription": "If you would like to associate your S3 Access Grants instance with an AWS IAM Identity Center instance, use this field to pass the Amazon Resource Name (ARN) of the AWS IAM Identity Center instance that you are associating with your S3 
Access Grants instance. An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center.", + "title": "IdentityCenterArn", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The AWS resource tags that you are adding to the S3 Access Grants instance. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.", + "title": "Tags", + "type": "array" + } }, - "title": "Connectors", + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3::AccessGrantsInstance" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::S3::AccessGrantsLocation": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "IamRoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.", + "title": "IamRoleArn", + "type": "string" + }, + "LocationScope": { + "markdownDescription": "The S3 URI path to the location that you are registering. The location scope can be the default S3 location `s3://` , the S3 path to a bucket, or the S3 path to a bucket and prefix. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. 
For example, object key names that start with the `engineering/` prefix or object key names that start with the `marketing/campaigns/` prefix.", + "title": "LocationScope", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The AWS resource tags that you are adding to the S3 Access Grants location. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.", + "title": "Tags", + "type": "array" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3::AccessGrantsLocation" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::S3::AccessPoint": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Bucket": { + "markdownDescription": "The name of the bucket associated with this access point.", + "title": "Bucket", + "type": "string" + }, + "BucketAccountId": { + "markdownDescription": "The AWS account ID associated with the S3 bucket associated with this access point.", + "title": "BucketAccountId", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of this access point. 
If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.", + "title": "Name", + "type": "string" + }, + "Policy": { + "markdownDescription": "The access point policy associated with this access point.", + "title": "Policy", + "type": "object" + }, + "PublicAccessBlockConfiguration": { + "$ref": "#/definitions/AWS::S3::AccessPoint.PublicAccessBlockConfiguration", + "markdownDescription": "The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see [The Meaning of \"Public\"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide* .", + "title": "PublicAccessBlockConfiguration" + }, + "VpcConfiguration": { + "$ref": "#/definitions/AWS::S3::AccessPoint.VpcConfiguration", + "markdownDescription": "The Virtual Private Cloud (VPC) configuration for this access point, if one exists.", + "title": "VpcConfiguration" + } + }, + "required": [ + "Bucket" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3::AccessPoint" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::S3::AccessPoint.PublicAccessBlockConfiguration": { + "additionalProperties": false, + "properties": { + "BlockPublicAcls": { + "markdownDescription": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. 
Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", + "title": "BlockPublicAcls", + "type": "boolean" + }, + "BlockPublicPolicy": { + "markdownDescription": "Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.", + "title": "BlockPublicPolicy", + "type": "boolean" + }, + "IgnorePublicAcls": { + "markdownDescription": "Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.\n\nEnabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.", + "title": "IgnorePublicAcls", + "type": "boolean" + }, + "RestrictPublicBuckets": { + "markdownDescription": "Specifies whether Amazon S3 should restrict public bucket policies for this bucket. 
Setting this element to `TRUE` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.\n\nEnabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.", + "title": "RestrictPublicBuckets", + "type": "boolean" + } + }, + "type": "object" + }, + "AWS::S3::AccessPoint.VpcConfiguration": { + "additionalProperties": false, + "properties": { + "VpcId": { + "markdownDescription": "If this field is specified, the access point will only allow connections from the specified VPC ID.", + "title": "VpcId", + "type": "string" + } + }, + "type": "object" + }, + "AWS::S3::Bucket": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "Connectors": { + "additionalProperties": { + "$ref": "#/definitions/EmbeddedConnector" + }, + "title": "Connectors", "type": "object" }, "DeletionPolicy": { 
@@ -215403,7 +222934,7 @@ "title": "AccelerateConfiguration" }, "AccessControl": { - "markdownDescription": "A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nBe aware that the syntax for this property differs from the information provided in the *Amazon S3 User Guide* . The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.", + "markdownDescription": "> This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide* . \n\nA canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nS3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon.\n\nThe majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html) . 
For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide* .", "title": "AccessControl", "type": "string" }, @@ -215471,7 +223002,7 @@ }, "ObjectLockConfiguration": { "$ref": "#/definitions/AWS::S3::Bucket.ObjectLockConfiguration", - "markdownDescription": "Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .\n\n> - The `DefaultRetention` settings require both a mode and a period.\n> - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.\n> - You can only enable Object Lock for new buckets. If you want to turn on Object Lock for an existing bucket, contact AWS Support.", + "markdownDescription": "> This operation is not supported by directory buckets. \n\nPlaces an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .\n\n> - The `DefaultRetention` settings require both a mode and a period.\n> - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.\n> - You can enable Object Lock for new or existing buckets. For more information, see [Configuring Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html) .", "title": "ObjectLockConfiguration" }, "ObjectLockEnabled": { 
@@ -215762,7 +223293,7 @@ "type": "string" }, "Format": { - "markdownDescription": "Specifies the file format used when exporting data to Amazon S3.", + "markdownDescription": "Specifies the file format used when exporting data to Amazon S3.\n\n*Allowed values* : `CSV` | `ORC` | `Parquet`", "title": "Format", "type": "string" }, @@ -215801,6 +223332,9 @@ "type": "boolean" } }, + "required": [ + "EventBridgeEnabled" + ], "type": "object" }, "AWS::S3::Bucket.FilterRule": { @@ -215892,7 +223426,7 @@ "items": { "type": "string" }, - "markdownDescription": "Contains the optional fields that are included in the inventory results.\n\n*Valid values* : `Size | LastModifiedDate | StorageClass | ETag | IsMultipartUploaded | ReplicationStatus | EncryptionStatus | ObjectLockRetainUntilDate | ObjectLockMode | ObjectLockLegalHoldStatus | IntelligentTieringAccessTier | BucketKeyStatus`", + "markdownDescription": "Contains the optional fields that are included in the inventory results.", "title": "OptionalFields", "type": "array" }, @@ -215902,7 +223436,7 @@ "type": "string" }, "ScheduleFrequency": { - "markdownDescription": "Specifies the schedule for generating inventory results.\n\n*Allowed values* : `Daily` | `Weekly`", + "markdownDescription": "Specifies the schedule for generating inventory results.", "title": "ScheduleFrequency", "type": "string" } @@ -215970,6 +223504,11 @@ "markdownDescription": "A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket.", "title": "LogFilePrefix", "type": "string" + }, + "TargetObjectKeyFormat": { + "$ref": "#/definitions/AWS::S3::Bucket.TargetObjectKeyFormat", + "markdownDescription": "Amazon S3 key format for log objects. Only one format, PartitionedPrefix or SimplePrefix, is allowed.", + "title": "TargetObjectKeyFormat" } }, "type": "object" 
@@ -216173,6 +223712,17 @@ }, "type": "object" }, + "AWS::S3::Bucket.PartitionedPrefix": { + "additionalProperties": false, + "properties": { + "PartitionDateSource": { + "markdownDescription": "Specifies the partition date source for the partitioned prefix. PartitionDateSource can be EventTime or DeliveryTime.", + "title": "PartitionDateSource", + "type": "string" + } + }, + "type": "object" + }, "AWS::S3::Bucket.PublicAccessBlockConfiguration": { "additionalProperties": false, "properties": { @@ -216568,12 +224118,12 @@ "ObjectSizeGreaterThan": { "markdownDescription": "Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. For more information about size based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", "title": "ObjectSizeGreaterThan", - "type": "number" + "type": "string" }, "ObjectSizeLessThan": { "markdownDescription": "Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. For more information about sized based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", "title": "ObjectSizeLessThan", - "type": "number" + "type": "string" }, "Prefix": { "markdownDescription": "Object key prefix that identifies one or more objects to which this rule applies.\n\n> Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints) .", 
@@ -216725,6 +224275,22 @@ ], "type": "object" }, + "AWS::S3::Bucket.TargetObjectKeyFormat": { + "additionalProperties": false, + "properties": { + "PartitionedPrefix": { + "$ref": "#/definitions/AWS::S3::Bucket.PartitionedPrefix", + "markdownDescription": "Partitioned S3 key for log objects.", + "title": "PartitionedPrefix" + }, + "SimplePrefix": { + "markdownDescription": "To use the simple format for S3 keys for log objects. To specify SimplePrefix format, set SimplePrefix to {}.", + "title": "SimplePrefix", + "type": "object" + } + }, + "type": "object" + }, "AWS::S3::Bucket.Tiering": { "additionalProperties": false, "properties": { @@ -217224,6 +224790,11 @@ "$ref": "#/definitions/AWS::S3::StorageLens.DetailedStatusCodesMetrics", "markdownDescription": "This property contains the details of account-level detailed status code metrics for S3 Storage Lens.", "title": "DetailedStatusCodesMetrics" + }, + "StorageLensGroupLevel": { + "$ref": "#/definitions/AWS::S3::StorageLens.StorageLensGroupLevel", + "markdownDescription": "This property determines the scope of Storage Lens group data that is displayed in the Storage Lens dashboard.", + "title": "StorageLensGroupLevel" } }, "required": [ 
@@ -217546,6 +225117,433 @@ ], "type": "object" }, + "AWS::S3::StorageLens.StorageLensGroupLevel": { + "additionalProperties": false, + "properties": { + "StorageLensGroupSelectionCriteria": { + "$ref": "#/definitions/AWS::S3::StorageLens.StorageLensGroupSelectionCriteria", + "markdownDescription": "This property indicates which Storage Lens group ARNs to include or exclude in the Storage Lens group aggregation. If this value is left null, then all Storage Lens groups are selected.", + "title": "StorageLensGroupSelectionCriteria" + } + }, + "type": "object" + }, + "AWS::S3::StorageLens.StorageLensGroupSelectionCriteria": { + "additionalProperties": false, + "properties": { + "Exclude": { + "items": { + "type": "string" + }, + "markdownDescription": "This property indicates which Storage Lens group ARNs to exclude from the Storage Lens group aggregation.", + "title": "Exclude", + "type": "array" + }, + "Include": { + "items": { + "type": "string" + }, + "markdownDescription": "This property indicates which Storage Lens group ARNs to include in the Storage Lens group aggregation.", + "title": "Include", + "type": "array" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Filter": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.Filter", + "markdownDescription": "This property contains the criteria for the Storage Lens group data that is displayed", + "title": "Filter" + }, + "Name": { + "markdownDescription": "This property contains the Storage Lens group 
name.", + "title": "Name", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "This property contains the AWS resource tags that you're adding to your Storage Lens group. This parameter is optional.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Filter", + "Name" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3::StorageLensGroup" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::S3::StorageLensGroup.And": { + "additionalProperties": false, + "properties": { + "MatchAnyPrefix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of prefixes. At least one prefix must be specified. Up to 10 prefixes are allowed.", + "title": "MatchAnyPrefix", + "type": "array" + }, + "MatchAnySuffix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of suffixes. At least one suffix must be specified. Up to 10 suffixes are allowed.", + "title": "MatchAnySuffix", + "type": "array" + }, + "MatchAnyTag": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "This property contains the list of object tags. At least one object tag must be specified. 
Up to 10 object tags are allowed.", + "title": "MatchAnyTag", + "type": "array" + }, + "MatchObjectAge": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectAge", + "markdownDescription": "This property contains `DaysGreaterThan` and `DaysLessThan` properties to define the object age range (minimum and maximum number of days).", + "title": "MatchObjectAge" + }, + "MatchObjectSize": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectSize", + "markdownDescription": "This property contains `BytesGreaterThan` and `BytesLessThan` to define the object size range (minimum and maximum number of Bytes).", + "title": "MatchObjectSize" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup.Filter": { + "additionalProperties": false, + "properties": { + "And": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.And", + "markdownDescription": "This property contains the `And` logical operator, which allows multiple filter conditions to be joined for more complex comparisons of Storage Lens group data. Objects must match all of the listed filter conditions that are joined by the `And` logical operator. Only one of each filter condition is allowed.", + "title": "And" + }, + "MatchAnyPrefix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of prefixes. At least one prefix must be specified. Up to 10 prefixes are allowed.", + "title": "MatchAnyPrefix", + "type": "array" + }, + "MatchAnySuffix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of suffixes. At least one suffix must be specified. Up to 10 suffixes are allowed.", + "title": "MatchAnySuffix", + "type": "array" + }, + "MatchAnyTag": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "This property contains the list of S3 object tags. At least one object tag must be specified. 
Up to 10 object tags are allowed.", + "title": "MatchAnyTag", + "type": "array" + }, + "MatchObjectAge": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectAge", + "markdownDescription": "This property contains `DaysGreaterThan` and `DaysLessThan` to define the object age range (minimum and maximum number of days).", + "title": "MatchObjectAge" + }, + "MatchObjectSize": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectSize", + "markdownDescription": "This property contains `BytesGreaterThan` and `BytesLessThan` to define the object size range (minimum and maximum number of Bytes).", + "title": "MatchObjectSize" + }, + "Or": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.Or", + "markdownDescription": "This property contains the `Or` logical operator, which allows multiple filter conditions to be joined. Objects can match any of the listed filter conditions, which are joined by the `Or` logical operator. Only one of each filter condition is allowed.", + "title": "Or" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup.MatchObjectAge": { + "additionalProperties": false, + "properties": { + "DaysGreaterThan": { + "markdownDescription": "This property indicates the minimum object age in days.", + "title": "DaysGreaterThan", + "type": "number" + }, + "DaysLessThan": { + "markdownDescription": "This property indicates the maximum object age in days.", + "title": "DaysLessThan", + "type": "number" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup.MatchObjectSize": { + "additionalProperties": false, + "properties": { + "BytesGreaterThan": { + "markdownDescription": "This property specifies the minimum object size in bytes. The value must be a positive number, greater than 0 and less than 5 TB.", + "title": "BytesGreaterThan", + "type": "number" + }, + "BytesLessThan": { + "markdownDescription": "This property specifies the maximum object size in bytes. 
The value must be a positive number, greater than the minimum object size and less than 5 TB.", + "title": "BytesLessThan", + "type": "number" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup.Or": { + "additionalProperties": false, + "properties": { + "MatchAnyPrefix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of prefixes. At least one prefix must be specified. Up to 10 prefixes are allowed.", + "title": "MatchAnyPrefix", + "type": "array" + }, + "MatchAnySuffix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains the list of suffixes. At least one suffix must be specified. Up to 10 suffixes are allowed.", + "title": "MatchAnySuffix", + "type": "array" + }, + "MatchAnyTag": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "This property contains the list of S3 object tags. At least one object tag must be specified. Up to 10 object tags are allowed.", + "title": "MatchAnyTag", + "type": "array" + }, + "MatchObjectAge": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectAge", + "markdownDescription": "This property filters objects that match the specified object age range.", + "title": "MatchObjectAge" + }, + "MatchObjectSize": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectSize", + "markdownDescription": "This property contains the `BytesGreaterThan` and `BytesLessThan` values to define the object size range (minimum and maximum number of Bytes).", + "title": "MatchObjectSize" + } + }, + "type": "object" + }, + "AWS::S3Express::BucketPolicy": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + 
} + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Bucket": { + "markdownDescription": "The name of the S3 directory bucket to which the policy applies.", + "title": "Bucket", + "type": "string" + }, + "PolicyDocument": { + "markdownDescription": "A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument) resource description in this guide and [Policies and Permissions in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html) in the *Amazon S3 User Guide* .", + "title": "PolicyDocument", + "type": "object" + } + }, + "required": [ + "Bucket", + "PolicyDocument" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3Express::BucketPolicy" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::S3Express::DirectoryBucket": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "BucketName": { + "markdownDescription": "A name for the bucket. 
The bucket name must contain only lowercase letters, numbers, and hyphens (-). A directory bucket name must be unique in the chosen Availability Zone. The bucket name must also follow the format `*bucket_base_name* -- *az_id* --x-s3` (for example, `*DOC-EXAMPLE-BUCKET* -- *usw2-az1* --x-s3` ). If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. For information about bucket naming restrictions, see [Directory bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html) in the *Amazon S3 User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.", + "title": "BucketName", + "type": "string" + }, + "DataRedundancy": { + "markdownDescription": "The number of Availability Zone that's used for redundancy for the bucket.", + "title": "DataRedundancy", + "type": "string" + }, + "LocationName": { + "markdownDescription": "The name of the location where the bucket will be created.\n\nFor directory buckets, the name of the location is the AZ ID of the Availability Zone where the bucket will be created. An example AZ ID value is `usw2-az1` .", + "title": "LocationName", + "type": "string" + } + }, + "required": [ + "DataRedundancy", + "LocationName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3Express::DirectoryBucket" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::S3ObjectLambda::AccessPoint": { "additionalProperties": false, "properties": { 
@@ -217916,7 +225914,7 @@ "additionalProperties": false, "properties": { "VpcId": { - "markdownDescription": "The ID of the VPC configuration.", + "markdownDescription": "", "title": "VpcId", "type": "string" } @@ -218127,7 +226125,7 @@ "title": "Filter" }, "Id": { - "markdownDescription": "The unique identifier for the lifecycle rule. The value can't be longer than 255 characters.", + "markdownDescription": "", "title": "Id", "type": "string" }, @@ -218262,7 +226260,7 @@ }, "FailedReason": { "$ref": "#/definitions/AWS::S3Outposts::Endpoint.FailedReason", - "markdownDescription": "", + "markdownDescription": "The failure reason, if any, for a create or delete endpoint operation.", "title": "FailedReason" }, "OutpostId": { @@ -218271,12 +226269,12 @@ "type": "string" }, "SecurityGroupId": { - "markdownDescription": "The ID of the security group to use with the endpoint.", + "markdownDescription": "The ID of the security group used for the endpoint.", "title": "SecurityGroupId", "type": "string" }, "SubnetId": { - "markdownDescription": "The ID of the subnet.", + "markdownDescription": "The ID of the subnet used for the endpoint.", "title": "SubnetId", "type": "string" } @@ -218313,12 +226311,12 @@ "additionalProperties": false, "properties": { "ErrorCode": { - "markdownDescription": "", + "markdownDescription": "The failure code, if any, for a create or delete endpoint operation.", "title": "ErrorCode", "type": "string" }, "Message": { - "markdownDescription": "", + "markdownDescription": "Additional error details describing the endpoint failure and recommended action.", "title": "Message", "type": "string" } 
@@ -219886,6 +227884,11 @@ "title": "Region", "type": "string" }, + "ReplayPolicy": { + "markdownDescription": "", + "title": "ReplayPolicy", + "type": "object" + }, "SubscriptionRoleArn": { "markdownDescription": "This property applies only to Amazon Kinesis Data Firehose delivery stream subscriptions. Specify the ARN of the IAM role that has the following:\n\n- Permission to write to the Amazon Kinesis Data Firehose delivery stream\n- Amazon SNS listed as a trusted entity\n\nSpecifying a valid ARN for this attribute is required for Kinesis Data Firehose delivery stream subscriptions. For more information, see [Fanout to Amazon Kinesis Data Firehose delivery streams](https://docs.aws.amazon.com/sns/latest/dg/sns-firehose-as-subscriber.html) in the *Amazon SNS Developer Guide.*", "title": "SubscriptionRoleArn", @@ -219967,6 +227970,8 @@ "additionalProperties": false, "properties": { "ArchivePolicy": { + "markdownDescription": "The archive policy determines the number of days Amazon SNS retains messages. You can set a retention period from 1 to 365 days.", + "title": "ArchivePolicy", "type": "object" }, "ContentBasedDeduplication": { 
@@ -219979,6 +227984,14 @@ "title": "DataProtectionPolicy", "type": "object" }, + "DeliveryStatusLogging": { + "items": { + "$ref": "#/definitions/AWS::SNS::Topic.LoggingConfig" + }, + "markdownDescription": "The `DeliveryStatusLogging` configuration enables you to log the delivery status of messages sent from your Amazon SNS topic to subscribed endpoints with the following supported delivery protocols:\n\n- HTTP\n- Amazon Kinesis Data Firehose\n- AWS Lambda\n- Platform application endpoint\n- Amazon Simple Queue Service\n\nOnce configured, log entries are sent to Amazon CloudWatch Logs.", + "title": "DeliveryStatusLogging", + "type": "array" + }, "DisplayName": { "markdownDescription": "The display name to use for an Amazon SNS topic with SMS subscriptions. The display name must be maximum 100 characters long, including hyphens (-), underscores (_), spaces, and tabs.", "title": "DisplayName", @@ -220021,7 +228034,7 @@ "type": "string" }, "TracingConfig": { - "markdownDescription": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an SNS publisher to its subscriptions. If set to `Active` , SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.", + "markdownDescription": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an Amazon SNS publisher to its subscriptions. If set to `Active` , Amazon SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true.", "title": "TracingConfig", "type": "string" } 
@@ -220048,6 +228061,35 @@ ], "type": "object" }, + "AWS::SNS::Topic.LoggingConfig": { + "additionalProperties": false, + "properties": { + "FailureFeedbackRoleArn": { + "markdownDescription": "The IAM role ARN to be used when logging failed message deliveries in Amazon CloudWatch.", + "title": "FailureFeedbackRoleArn", + "type": "string" + }, + "Protocol": { + "markdownDescription": "Indicates one of the supported protocols for the Amazon SNS topic.\n\n> At least one of the other three `LoggingConfig` properties is recommend along with `Protocol` .", + "title": "Protocol", + "type": "string" + }, + "SuccessFeedbackRoleArn": { + "markdownDescription": "The IAM role ARN to be used when logging successful message deliveries in Amazon CloudWatch.", + "title": "SuccessFeedbackRoleArn", + "type": "string" + }, + "SuccessFeedbackSampleRate": { + "markdownDescription": "The percentage of successful message deliveries to be logged in Amazon CloudWatch. Valid percentage values range from 0 to 100.", + "title": "SuccessFeedbackSampleRate", + "type": "string" + } + }, + "required": [ + "Protocol" + ], + "type": "object" + }, "AWS::SNS::Topic.Subscription": { "additionalProperties": false, "properties": { @@ -220104,9 +228146,13 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "A policy document that contains permissions to add to the specified Amazon SNS topic.", + "title": "PolicyDocument", "type": "object" }, "TopicArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the topic to which you want to add the policy.", + "title": "TopicArn", "type": "string" } }, 
@@ -220173,233 +228219,237 @@ "additionalProperties": false, "properties": { "PolicyDocument": { - "markdownDescription": "A policy document that contains permissions to add to the specified SNS topics.", + "markdownDescription": "A policy document that contains permissions to add to the specified SNS topics.", + "title": "PolicyDocument", + "type": "object" + }, + "Topics": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Names (ARN) of the topics to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html)` resource.", + "title": "Topics", + "type": "array" + } + }, + "required": [ + "PolicyDocument", + "Topics" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::SNS::TopicPolicy" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::SQS::Queue": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "Connectors": { + "additionalProperties": { + "$ref": "#/definitions/EmbeddedConnector" + }, + "title": "Connectors", + "type": "object" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ContentBasedDeduplication": { + "markdownDescription": "For first-in-first-out (FIFO) queues, specifies whether to enable content-based deduplication. 
During the deduplication interval, Amazon SQS treats messages that are sent with identical content as duplicates and delivers only one copy of the message. For more information, see the `ContentBasedDeduplication` attribute for the `[CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html)` action in the *Amazon SQS API Reference* .", + "title": "ContentBasedDeduplication", + "type": "boolean" + }, + "DeduplicationScope": { + "markdownDescription": "For high throughput for FIFO queues, specifies whether message deduplication occurs at the message group or queue level. Valid values are `messageGroup` and `queue` .\n\nTo enable high throughput for a FIFO queue, set this attribute to `messageGroup` *and* set the `FifoThroughputLimit` attribute to `perMessageGroupId` . If you set these attributes to anything other than these values, normal throughput is in effect and deduplication occurs as specified. For more information, see [High throughput for FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/high-throughput-fifo.html) and [Quotas related to messages](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html) in the *Amazon SQS Developer Guide* .", + "title": "DeduplicationScope", + "type": "string" + }, + "DelaySeconds": { + "markdownDescription": "The time in seconds for which the delivery of all messages in the queue is delayed. You can specify an integer value of `0` to `900` (15 minutes). The default value is `0` .", + "title": "DelaySeconds", + "type": "number" + }, + "FifoQueue": { + "markdownDescription": "If set to true, creates a FIFO queue. If you don't specify this property, Amazon SQS creates a standard queue. 
For more information, see [FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html) in the *Amazon SQS Developer Guide* .", + "title": "FifoQueue", + "type": "boolean" + }, + "FifoThroughputLimit": { + "markdownDescription": "For high throughput for FIFO queues, specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. Valid values are `perQueue` and `perMessageGroupId` .\n\nTo enable high throughput for a FIFO queue, set this attribute to `perMessageGroupId` *and* set the `DeduplicationScope` attribute to `messageGroup` . If you set these attributes to anything other than these values, normal throughput is in effect and deduplication occurs as specified. For more information, see [High throughput for FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/high-throughput-fifo.html) and [Quotas related to messages](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html) in the *Amazon SQS Developer Guide* .", + "title": "FifoThroughputLimit", + "type": "string" + }, + "KmsDataKeyReusePeriodSeconds": { + "markdownDescription": "The length of time in seconds for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. The value must be an integer between 60 (1 minute) and 86,400 (24 hours). The default is 300 (5 minutes).\n\n> A shorter time period provides better security, but results in more calls to AWS KMS , which might incur charges after Free Tier. 
For more information, see [Encryption at rest](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html#sqs-how-does-the-data-key-reuse-period-work) in the *Amazon SQS Developer Guide* .", + "title": "KmsDataKeyReusePeriodSeconds", + "type": "number" + }, + "KmsMasterKeyId": { + "markdownDescription": "The ID of an AWS Key Management Service (KMS) for Amazon SQS , or a custom KMS. To use the AWS managed KMS for Amazon SQS , specify a (default) alias ARN, alias name (e.g. `alias/aws/sqs` ), key ARN, or key ID. For more information, see the following:\n\n- [Encryption at rest](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html) in the *Amazon SQS Developer Guide*\n- [CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html) in the *Amazon SQS API Reference*\n- [Request Parameters](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html#API_DescribeKey_RequestParameters) in the *AWS Key Management Service API Reference*\n- The Key Management Service (KMS) section of the [AWS Key Management Service Best Practices](https://docs.aws.amazon.com/https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf) whitepaper", + "title": "KmsMasterKeyId", + "type": "string" + }, + "MaximumMessageSize": { + "markdownDescription": "The limit of how many bytes that a message can contain before Amazon SQS rejects it. You can specify an integer value from `1,024` bytes (1 KiB) to `262,144` bytes (256 KiB). The default value is `262,144` (256 KiB).", + "title": "MaximumMessageSize", + "type": "number" + }, + "MessageRetentionPeriod": { + "markdownDescription": "The number of seconds that Amazon SQS retains a message. You can specify an integer value from `60` seconds (1 minute) to `1,209,600` seconds (14 days). 
The default value is `345,600` seconds (4 days).", + "title": "MessageRetentionPeriod", + "type": "number" + }, + "QueueName": { + "markdownDescription": "A name for the queue. To create a FIFO queue, the name of your FIFO queue must end with the `.fifo` suffix. For more information, see [FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html) in the *Amazon SQS Developer Guide* .\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the queue name. For more information, see [Name type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) in the *AWS CloudFormation User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", + "title": "QueueName", + "type": "string" + }, + "ReceiveMessageWaitTimeSeconds": { + "markdownDescription": "Specifies the duration, in seconds, that the ReceiveMessage action call waits until a message is in the queue in order to include it in the response, rather than returning an empty response if a message isn't yet available. You can specify an integer from 1 to 20. Short polling is used as the default or when you specify 0 for this property. For more information, see [Consuming messages using long polling](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-short-and-long-polling.html#sqs-long-polling) in the *Amazon SQS Developer Guide* .", + "title": "ReceiveMessageWaitTimeSeconds", + "type": "number" + }, + "RedriveAllowPolicy": { + "markdownDescription": "The string that includes the parameters for the permissions for the dead-letter queue redrive permission and which source queues can specify dead-letter queues as a JSON object. 
The parameters are as follows:\n\n- `redrivePermission` : The permission type that defines which source queues can specify the current queue as the dead-letter queue. Valid values are:\n\n- `allowAll` : (Default) Any source queues in this AWS account in the same Region can specify this queue as the dead-letter queue.\n- `denyAll` : No source queues can specify this queue as the dead-letter queue.\n- `byQueue` : Only queues specified by the `sourceQueueArns` parameter can specify this queue as the dead-letter queue.\n- `sourceQueueArns` : The Amazon Resource Names (ARN)s of the source queues that can specify this queue as the dead-letter queue and redrive messages. You can specify this parameter only when the `redrivePermission` parameter is set to `byQueue` . You can specify up to 10 source queue ARNs. To allow more than 10 source queues to specify dead-letter queues, set the `redrivePermission` parameter to `allowAll` .", + "title": "RedriveAllowPolicy", + "type": "object" + }, + "RedrivePolicy": { + "markdownDescription": "The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. The parameters are as follows:\n\n- `deadLetterTargetArn` : The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of `maxReceiveCount` is exceeded.\n- `maxReceiveCount` : The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the `ReceiveCount` for a message exceeds the `maxReceiveCount` for a queue, Amazon SQS moves the message to the dead-letter-queue.\n\n> The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue. 
\n\n*JSON*\n\n`{ \"deadLetterTargetArn\" : *String* , \"maxReceiveCount\" : *Integer* }`\n\n*YAML*\n\n`deadLetterTargetArn : *String*`\n\n`maxReceiveCount : *Integer*`", + "title": "RedrivePolicy", + "type": "object" + }, + "SqsManagedSseEnabled": { + "markdownDescription": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ). When `SqsManagedSseEnabled` is not defined, `SSE-SQS` encryption is enabled by default.", + "title": "SqsManagedSseEnabled", + "type": "boolean" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags that you attach to this queue. For more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .", + "title": "Tags", + "type": "array" + }, + "VisibilityTimeout": { + "markdownDescription": "The length of time during which a message will be unavailable after a message is delivered from the queue. This blocks other components from receiving the same message and gives the initial component time to process and delete the message from the queue.\n\nValues must be from 0 to 43,200 seconds (12 hours). 
If you don't specify a value, AWS CloudFormation uses the default value of 30 seconds.\n\nFor more information about Amazon SQS queue visibility timeouts, see [Visibility timeout](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html) in the *Amazon SQS Developer Guide* .", + "title": "VisibilityTimeout", + "type": "number" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::SQS::Queue" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::SQS::QueueInlinePolicy": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "PolicyDocument": { + "markdownDescription": "A policy document that contains the permissions for the specified Amazon SQS queues. For more information about Amazon SQS policies, see [Using custom policies with the Amazon SQS access policy language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon SQS Developer Guide* .", "title": "PolicyDocument", "type": "object" }, - "Topics": { - "items": { - "type": "string" - }, - "markdownDescription": "The Amazon Resource Names (ARN) of the topics to which you want to add the policy. 
You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html)` resource.", - "title": "Topics", - "type": "array" - } - }, - "required": [ - "PolicyDocument", - "Topics" - ], - "type": "object" - }, - "Type": { - "enum": [ - "AWS::SNS::TopicPolicy" - ], - "type": "string" - }, - "UpdateReplacePolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - } - }, - "required": [ - "Type", - "Properties" - ], - "type": "object" - }, - "AWS::SQS::Queue": { - "additionalProperties": false, - "properties": { - "Condition": { - "type": "string" - }, - "Connectors": { - "additionalProperties": { - "$ref": "#/definitions/EmbeddedConnector" - }, - "title": "Connectors", - "type": "object" - }, - "DeletionPolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - }, - "DependsOn": { - "anyOf": [ - { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - { - "items": { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - "type": "array" - } - ] - }, - "Metadata": { - "type": "object" - }, - "Properties": { - "additionalProperties": false, - "properties": { - "ContentBasedDeduplication": { - "markdownDescription": "For first-in-first-out (FIFO) queues, specifies whether to enable content-based deduplication. During the deduplication interval, Amazon SQS treats messages that are sent with identical content as duplicates and delivers only one copy of the message. 
For more information, see the `ContentBasedDeduplication` attribute for the `[CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html)` action in the *Amazon SQS API Reference* .", - "title": "ContentBasedDeduplication", - "type": "boolean" - }, - "DeduplicationScope": { - "markdownDescription": "For high throughput for FIFO queues, specifies whether message deduplication occurs at the message group or queue level. Valid values are `messageGroup` and `queue` .\n\nTo enable high throughput for a FIFO queue, set this attribute to `messageGroup` *and* set the `FifoThroughputLimit` attribute to `perMessageGroupId` . If you set these attributes to anything other than these values, normal throughput is in effect and deduplication occurs as specified. For more information, see [High throughput for FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/high-throughput-fifo.html) and [Quotas related to messages](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html) in the *Amazon SQS Developer Guide* .", - "title": "DeduplicationScope", - "type": "string" - }, - "DelaySeconds": { - "markdownDescription": "The time in seconds for which the delivery of all messages in the queue is delayed. You can specify an integer value of `0` to `900` (15 minutes). The default value is `0` .", - "title": "DelaySeconds", - "type": "number" - }, - "FifoQueue": { - "markdownDescription": "If set to true, creates a FIFO queue. If you don't specify this property, Amazon SQS creates a standard queue. 
For more information, see [FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html) in the *Amazon SQS Developer Guide* .", - "title": "FifoQueue", - "type": "boolean" - }, - "FifoThroughputLimit": { - "markdownDescription": "For high throughput for FIFO queues, specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. Valid values are `perQueue` and `perMessageGroupId` .\n\nTo enable high throughput for a FIFO queue, set this attribute to `perMessageGroupId` *and* set the `DeduplicationScope` attribute to `messageGroup` . If you set these attributes to anything other than these values, normal throughput is in effect and deduplication occurs as specified. For more information, see [High throughput for FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/high-throughput-fifo.html) and [Quotas related to messages](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html) in the *Amazon SQS Developer Guide* .", - "title": "FifoThroughputLimit", - "type": "string" - }, - "KmsDataKeyReusePeriodSeconds": { - "markdownDescription": "The length of time in seconds for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. The value must be an integer between 60 (1 minute) and 86,400 (24 hours). The default is 300 (5 minutes).\n\n> A shorter time period provides better security, but results in more calls to AWS KMS , which might incur charges after Free Tier. 
For more information, see [Encryption at rest](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html#sqs-how-does-the-data-key-reuse-period-work) in the *Amazon SQS Developer Guide* .", - "title": "KmsDataKeyReusePeriodSeconds", - "type": "number" - }, - "KmsMasterKeyId": { - "markdownDescription": "The ID of an AWS Key Management Service (KMS) for Amazon SQS , or a custom KMS. To use the AWS managed KMS for Amazon SQS , specify a (default) alias ARN, alias name (e.g. `alias/aws/sqs` ), key ARN, or key ID. For more information, see the following:\n\n- [Encryption at rest](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html) in the *Amazon SQS Developer Guide*\n- [CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html) in the *Amazon SQS API Reference*\n- [Request Parameters](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html#API_DescribeKey_RequestParameters) in the *AWS Key Management Service API Reference*\n- The Key Management Service (KMS) section of the [AWS Key Management Service Best Practices](https://docs.aws.amazon.com/https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf) whitepaper", - "title": "KmsMasterKeyId", - "type": "string" - }, - "MaximumMessageSize": { - "markdownDescription": "The limit of how many bytes that a message can contain before Amazon SQS rejects it. You can specify an integer value from `1,024` bytes (1 KiB) to `262,144` bytes (256 KiB). The default value is `262,144` (256 KiB).", - "title": "MaximumMessageSize", - "type": "number" - }, - "MessageRetentionPeriod": { - "markdownDescription": "The number of seconds that Amazon SQS retains a message. You can specify an integer value from `60` seconds (1 minute) to `1,209,600` seconds (14 days). 
The default value is `345,600` seconds (4 days).", - "title": "MessageRetentionPeriod", - "type": "number" - }, - "QueueName": { - "markdownDescription": "A name for the queue. To create a FIFO queue, the name of your FIFO queue must end with the `.fifo` suffix. For more information, see [FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html) in the *Amazon SQS Developer Guide* .\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the queue name. For more information, see [Name type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) in the *AWS CloudFormation User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", - "title": "QueueName", - "type": "string" - }, - "ReceiveMessageWaitTimeSeconds": { - "markdownDescription": "Specifies the duration, in seconds, that the ReceiveMessage action call waits until a message is in the queue in order to include it in the response, rather than returning an empty response if a message isn't yet available. You can specify an integer from 1 to 20. Short polling is used as the default or when you specify 0 for this property. For more information, see [Consuming messages using long polling](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-short-and-long-polling.html#sqs-long-polling) in the *Amazon SQS Developer Guide* .", - "title": "ReceiveMessageWaitTimeSeconds", - "type": "number" - }, - "RedriveAllowPolicy": { - "markdownDescription": "The string that includes the parameters for the permissions for the dead-letter queue redrive permission and which source queues can specify dead-letter queues as a JSON object. 
The parameters are as follows:\n\n- `redrivePermission` : The permission type that defines which source queues can specify the current queue as the dead-letter queue. Valid values are:\n\n- `allowAll` : (Default) Any source queues in this AWS account in the same Region can specify this queue as the dead-letter queue.\n- `denyAll` : No source queues can specify this queue as the dead-letter queue.\n- `byQueue` : Only queues specified by the `sourceQueueArns` parameter can specify this queue as the dead-letter queue.\n- `sourceQueueArns` : The Amazon Resource Names (ARN)s of the source queues that can specify this queue as the dead-letter queue and redrive messages. You can specify this parameter only when the `redrivePermission` parameter is set to `byQueue` . You can specify up to 10 source queue ARNs. To allow more than 10 source queues to specify dead-letter queues, set the `redrivePermission` parameter to `allowAll` .", - "title": "RedriveAllowPolicy", - "type": "object" - }, - "RedrivePolicy": { - "markdownDescription": "The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. The parameters are as follows:\n\n- `deadLetterTargetArn` : The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of `maxReceiveCount` is exceeded.\n- `maxReceiveCount` : The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the `ReceiveCount` for a message exceeds the `maxReceiveCount` for a queue, Amazon SQS moves the message to the dead-letter-queue.\n\n> The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue. 
\n\n*JSON*\n\n`{ \"deadLetterTargetArn\" : *String* , \"maxReceiveCount\" : *Integer* }`\n\n*YAML*\n\n`deadLetterTargetArn : *String*`\n\n`maxReceiveCount : *Integer*`", - "title": "RedrivePolicy", - "type": "object" - }, - "SqsManagedSseEnabled": { - "markdownDescription": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ).", - "title": "SqsManagedSseEnabled", - "type": "boolean" - }, - "Tags": { - "items": { - "$ref": "#/definitions/Tag" - }, - "markdownDescription": "The tags that you attach to this queue. For more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .", - "title": "Tags", - "type": "array" - }, - "VisibilityTimeout": { - "markdownDescription": "The length of time during which a message will be unavailable after a message is delivered from the queue. This blocks other components from receiving the same message and gives the initial component time to process and delete the message from the queue.\n\nValues must be from 0 to 43,200 seconds (12 hours). 
If you don't specify a value, AWS CloudFormation uses the default value of 30 seconds.\n\nFor more information about Amazon SQS queue visibility timeouts, see [Visibility timeout](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html) in the *Amazon SQS Developer Guide* .", - "title": "VisibilityTimeout", - "type": "number" - } - }, - "type": "object" - }, - "Type": { - "enum": [ - "AWS::SQS::Queue" - ], - "type": "string" - }, - "UpdateReplacePolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - } - }, - "required": [ - "Type" - ], - "type": "object" - }, - "AWS::SQS::QueueInlinePolicy": { - "additionalProperties": false, - "properties": { - "Condition": { - "type": "string" - }, - "DeletionPolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - }, - "DependsOn": { - "anyOf": [ - { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - { - "items": { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - "type": "array" - } - ] - }, - "Metadata": { - "type": "object" - }, - "Properties": { - "additionalProperties": false, - "properties": { - "PolicyDocument": { - "type": "object" - }, "Queue": { + "markdownDescription": "The URLs of the queues to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)` resource.", + "title": "Queue", "type": "string" } }, @@ -220600,8 +228650,6 @@ "title": "OutputLocation" }, "Parameters": { - "markdownDescription": "The parameters for the runtime configuration of the document.", - "title": "Parameters", "type": "object" }, "ScheduleExpression": { 
@@ -220628,7 +228676,7 @@ "type": "array" }, "WaitForSuccessTimeoutSeconds": { - "markdownDescription": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.", + "markdownDescription": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.\n\n> When you specify a value for the `WaitForSuccessTimeoutSeconds` , [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html) for your AWS CloudFormation stack\u2019s configuration might yield inaccurate results. If drift detection is important in your scenario, we recommend that you don\u2019t include `WaitForSuccessTimeoutSeconds` in your template.", "title": "WaitForSuccessTimeoutSeconds", "type": "number" } @@ -220768,7 +228816,7 @@ "type": "string" }, "DocumentType": { - "markdownDescription": "The type of document to create.\n\n*Allowed Values* : `ApplicationConfigurationSchema` | `Automation` | `Automation.ChangeTemplate` | `Command` | `DeploymentStrategy` | `Package` | `Policy` | `Session`", + "markdownDescription": "The type of document to create.", "title": "DocumentType", "type": "string" }, @@ -221565,7 +229613,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of parameter.\n\n> AWS CloudFormation doesn't support creating a `SecureString` parameter type. \n\n*Allowed Values* : String | StringList", + "markdownDescription": "The type of parameter.\n\n> Although `SecureString` is included in the list of valid values, AWS CloudFormation does *not* current support creating a `SecureString` parameter type.", "title": "Type", "type": "string" }, 
@@ -221917,8 +229965,6 @@ "type": "string" }, "SyncName": { - "markdownDescription": "A name for the resource data sync.", - "title": "SyncName", "type": "string" }, "SyncSource": { @@ -223651,7 +231697,7 @@ "type": "string" }, "AppType": { - "markdownDescription": "The type of app.\n\n*Allowed Values* : `JupyterServer | KernelGateway | RSessionGateway | RStudioServerPro | TensorBoard | Canvas`", + "markdownDescription": "The type of app.", "title": "AppType", "type": "string" }, @@ -224103,30 +232149,32 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::DataQualityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } 
@@ -224232,7 +232280,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -224268,7 +232316,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::DataQualityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -224309,6 +232357,8 @@ "type": "string" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { @@ -224317,7 +232367,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, 
@@ -224362,7 +232412,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -224472,7 +232522,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, @@ -224758,7 +232808,7 @@ }, "DefaultSpaceSettings": { "$ref": "#/definitions/AWS::SageMaker::Domain.DefaultSpaceSettings", - "markdownDescription": "", + "markdownDescription": "A collection of settings that apply to spaces created in the Domain.", "title": "DefaultSpaceSettings" }, "DefaultUserSettings": { 
@@ -224833,6 +232883,50 @@ ], "type": "object" }, + "AWS::SageMaker::Domain.CodeEditorAppSettings": { + "additionalProperties": false, + "properties": { + "DefaultResourceSpec": { + "$ref": "#/definitions/AWS::SageMaker::Domain.ResourceSpec", + "markdownDescription": "", + "title": "DefaultResourceSpec" + }, + "LifecycleConfigArns": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Name (ARN) of the Code Editor application lifecycle configuration.", + "title": "LifecycleConfigArns", + "type": "array" + } + }, + "type": "object" + }, + "AWS::SageMaker::Domain.CodeRepository": { + "additionalProperties": false, + "properties": { + "RepositoryUrl": { + "markdownDescription": "The URL of the Git repository.", + "title": "RepositoryUrl", + "type": "string" + } + }, + "required": [ + "RepositoryUrl" + ], + "type": "object" + }, + "AWS::SageMaker::Domain.CustomFileSystemConfig": { + "additionalProperties": false, + "properties": { + "EFSFileSystemConfig": { + "$ref": "#/definitions/AWS::SageMaker::Domain.EFSFileSystemConfig", + "markdownDescription": "The settings for a custom Amazon EFS file system.", + "title": "EFSFileSystemConfig" + } + }, + "type": "object" + }, "AWS::SageMaker::Domain.CustomImage": { "additionalProperties": false, "properties": { 
@@ -224858,6 +232952,46 @@ ], "type": "object" }, + "AWS::SageMaker::Domain.CustomPosixUserConfig": { + "additionalProperties": false, + "properties": { + "Gid": { + "markdownDescription": "The POSIX group ID.", + "title": "Gid", + "type": "number" + }, + "Uid": { + "markdownDescription": "The POSIX user ID.", + "title": "Uid", + "type": "number" + } + }, + "required": [ + "Gid", + "Uid" + ], + "type": "object" + }, + "AWS::SageMaker::Domain.DefaultEbsStorageSettings": { + "additionalProperties": false, + "properties": { + "DefaultEbsVolumeSizeInGb": { + "markdownDescription": "The default size of the EBS storage volume for a private space.", + "title": "DefaultEbsVolumeSizeInGb", + "type": "number" + }, + "MaximumEbsVolumeSizeInGb": { + "markdownDescription": "The maximum size of the EBS storage volume for a private space.", + "title": "MaximumEbsVolumeSizeInGb", + "type": "number" + } + }, + "required": [ + "DefaultEbsVolumeSizeInGb", + "MaximumEbsVolumeSizeInGb" + ], + "type": "object" + }, "AWS::SageMaker::Domain.DefaultSpaceSettings": { "additionalProperties": false, "properties": { @@ -224890,6 +233024,17 @@ ], "type": "object" }, + "AWS::SageMaker::Domain.DefaultSpaceStorageSettings": { + "additionalProperties": false, + "properties": { + "DefaultEbsStorageSettings": { + "$ref": "#/definitions/AWS::SageMaker::Domain.DefaultEbsStorageSettings", + "markdownDescription": "The default EBS storage settings for a private space.", + "title": "DefaultEbsStorageSettings" + } + }, + "type": "object" + }, "AWS::SageMaker::Domain.DomainSettings": { "additionalProperties": false, "properties": { 
@@ -224909,6 +233054,60 @@ }, "type": "object" }, + "AWS::SageMaker::Domain.EFSFileSystemConfig": { + "additionalProperties": false, + "properties": { + "FileSystemId": { + "markdownDescription": "The ID of your Amazon EFS file system.", + "title": "FileSystemId", + "type": "string" + }, + "FileSystemPath": { + "markdownDescription": "The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below.", + "title": "FileSystemPath", + "type": "string" + } + }, + "required": [ + "FileSystemId" + ], + "type": "object" + }, + "AWS::SageMaker::Domain.JupyterLabAppSettings": { + "additionalProperties": false, + "properties": { + "CodeRepositories": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CodeRepository" + }, + "markdownDescription": "A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterLab application.", + "title": "CodeRepositories", + "type": "array" + }, + "CustomImages": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CustomImage" + }, + "markdownDescription": "A list of custom SageMaker images that are configured to run as a JupyterLab app.", + "title": "CustomImages", + "type": "array" + }, + "DefaultResourceSpec": { + "$ref": "#/definitions/AWS::SageMaker::Domain.ResourceSpec", + "markdownDescription": "", + "title": "DefaultResourceSpec" + }, + "LifecycleConfigArns": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Name (ARN) of the lifecycle configurations attached to the user profile or domain. To remove a lifecycle config, you must set `LifecycleConfigArns` to an empty list.", + "title": "LifecycleConfigArns", + "type": "array" + } + }, + "type": "object" + }, "AWS::SageMaker::Domain.JupyterServerAppSettings": { "additionalProperties": false, "properties": { 
@@ -225053,11 +233252,39 @@ "AWS::SageMaker::Domain.UserSettings": { "additionalProperties": false, "properties": { + "CodeEditorAppSettings": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CodeEditorAppSettings", + "markdownDescription": "The Code Editor application settings.", + "title": "CodeEditorAppSettings" + }, + "CustomFileSystemConfigs": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CustomFileSystemConfig" + }, + "markdownDescription": "The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio.", + "title": "CustomFileSystemConfigs", + "type": "array" + }, + "CustomPosixUserConfig": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CustomPosixUserConfig", + "markdownDescription": "Details about the POSIX identity that is used for file system operations.", + "title": "CustomPosixUserConfig" + }, + "DefaultLandingUri": { + "markdownDescription": "The default experience that the user is directed to when accessing the domain. The supported values are:\n\n- `studio::` : Indicates that Studio is the default experience. This value can only be passed if `StudioWebPortal` is set to `ENABLED` .\n- `app:JupyterServer:` : Indicates that Studio Classic is the default experience.", + "title": "DefaultLandingUri", + "type": "string" + }, "ExecutionRole": { "markdownDescription": "The execution role for the user.", "title": "ExecutionRole", "type": "string" }, + "JupyterLabAppSettings": { + "$ref": "#/definitions/AWS::SageMaker::Domain.JupyterLabAppSettings", + "markdownDescription": "The settings for the JupyterLab application.", + "title": "JupyterLabAppSettings" + }, "JupyterServerAppSettings": { "$ref": "#/definitions/AWS::SageMaker::Domain.JupyterServerAppSettings", "markdownDescription": "The Jupyter server's app settings.", 
@@ -225082,14 +233309,24 @@ "items": { "type": "string" }, - "markdownDescription": "The security groups for the Amazon Virtual Private Cloud (VPC) that Studio uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", + "markdownDescription": "The security groups for the Amazon Virtual Private Cloud (VPC) that the domain uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from Amazon SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", "title": "SecurityGroups", "type": "array" }, "SharingSettings": { "$ref": "#/definitions/AWS::SageMaker::Domain.SharingSettings", - "markdownDescription": "Specifies options for sharing SageMaker Studio notebooks.", + "markdownDescription": "Specifies options for sharing Amazon SageMaker Studio notebooks.", "title": "SharingSettings" + }, + "SpaceStorageSettings": { + "$ref": "#/definitions/AWS::SageMaker::Domain.DefaultSpaceStorageSettings", + "markdownDescription": "The storage settings for a private space.", + "title": "SpaceStorageSettings" + }, + "StudioWebPortal": { + "markdownDescription": "Whether the user can access Studio. 
If this value is set to `DISABLED` , the user cannot access Studio, even if that is the default experience for the domain.", + "title": "StudioWebPortal", + "type": "string" } }, "required": [ @@ -225289,7 +233526,9 @@ "title": "BlueGreenUpdatePolicy" }, "RollingUpdatePolicy": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.RollingUpdatePolicy" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.RollingUpdatePolicy", + "markdownDescription": "Specifies a rolling deployment strategy for updating a SageMaker endpoint.", + "title": "RollingUpdatePolicy" } }, "type": "object" 
@@ -225298,15 +233537,23 @@ "additionalProperties": false, "properties": { "MaximumBatchSize": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize", + "markdownDescription": "Batch size for each rolling step to provision capacity and turn on traffic on the new endpoint fleet, and terminate capacity on the old endpoint fleet. Value must be between 5% to 50% of the variant's total instance count.", + "title": "MaximumBatchSize" }, "MaximumExecutionTimeoutInSeconds": { + "markdownDescription": "The time limit for the total deployment. Exceeding this limit causes a timeout.", + "title": "MaximumExecutionTimeoutInSeconds", "type": "number" }, "RollbackMaximumBatchSize": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize", + "markdownDescription": "Batch size for rollback to the old endpoint fleet. Each rolling step to provision capacity and turn on traffic on the old endpoint fleet, and terminate capacity on the new endpoint fleet. If this field is absent, the default value will be set to 100% of total capacity which means to bring up the whole capacity of the old fleet at once during rollback.", + "title": "RollbackMaximumBatchSize" }, "WaitIntervalInSeconds": { + "markdownDescription": "The length of the baking period, during which SageMaker monitors alarms for each batch on the new fleet.", + "title": "WaitIntervalInSeconds", "type": "number" } }, 
@@ -225401,14 +233648,20 @@ "markdownDescription": "Specifies how to capture endpoint data for model monitor. The data capture configuration applies to all production variants hosted at the endpoint.", "title": "DataCaptureConfig" }, + "EnableNetworkIsolation": { + "type": "boolean" + }, "EndpointConfigName": { "markdownDescription": "The name of the endpoint configuration.", "title": "EndpointConfigName", "type": "string" }, + "ExecutionRoleArn": { + "type": "string" + }, "ExplainerConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ExplainerConfig", - "markdownDescription": "", + "markdownDescription": "A parameter to activate explainers.", "title": "ExplainerConfig" }, "KmsKeyId": { @@ -225439,6 +233692,9 @@ "markdownDescription": "A list of key-value pairs to apply to this resource.\n\nFor more information, see [Resource Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) and [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html#allocation-what) .", "title": "Tags", "type": "array" + }, + "VpcConfig": { + "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.VpcConfig" } }, "required": [ @@ -225509,7 +233765,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The Amazon SNS topics where you want the inference response to be included.\n\n> The inference response is included only if the response size is less than or equal to 128 KB.", "title": "IncludeInferenceResponseIn", "type": "array" }, @@ -225535,7 +233791,7 @@ "title": "NotificationConfig" }, "S3FailurePath": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location to upload failure inference responses to.", "title": "S3FailurePath", "type": "string" }, 
@@ -225587,18 +233843,18 @@ "additionalProperties": false, "properties": { "EnableExplanations": { - "markdownDescription": "", + "markdownDescription": "A JMESPath boolean expression used to filter which records to explain. Explanations are activated by default. See [`EnableExplanations`](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-enable) for additional information.", "title": "EnableExplanations", "type": "string" }, "InferenceConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyInferenceConfig", - "markdownDescription": "", + "markdownDescription": "The inference configuration parameter for the model container.", "title": "InferenceConfig" }, "ShapConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyShapConfig", - "markdownDescription": "", + "markdownDescription": "The configuration for SHAP analysis.", "title": "ShapConfig" } }, @@ -225621,7 +233877,7 @@ "additionalProperties": false, "properties": { "ContentTemplate": { - "markdownDescription": "", + "markdownDescription": "A template string used to format a JSON record into an acceptable model container input. For example, a `ContentTemplate` string `'{\"myfeatures\":$features}'` will format a list of features `[1,2,3]` into the record string `'{\"myfeatures\":[1,2,3]}'` . Required only when the model container input is in JSON Lines format.", "title": "ContentTemplate", "type": "string" }, 
@@ -225629,7 +233885,7 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyHeader" }, - "markdownDescription": "", + "markdownDescription": "The names of the features. If provided, these are included in the endpoint response payload to help readability of the `InvokeEndpoint` output. See the [Response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", "title": "FeatureHeaders", "type": "array" }, 
@@ -225637,17 +233893,17 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyFeatureType" }, - "markdownDescription": "", + "markdownDescription": "A list of data types of the features (optional). Applicable only to NLP explainability. If provided, `FeatureTypes` must have at least one `'text'` string (for example, `['text']` ). If `FeatureTypes` is not provided, the explainer infers the feature types based on the baseline data. The feature types are included in the endpoint response payload. For additional information see the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", "title": "FeatureTypes", "type": "array" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "Provides the JMESPath expression to extract the features from a model container input in JSON Lines format. For example, if `FeaturesAttribute` is the JMESPath expression `'myfeatures'` , it extracts a list of features `[1,2,3]` from request data `'{\"myfeatures\":[1,2,3]}'` .", "title": "FeaturesAttribute", "type": "string" }, "LabelAttribute": { - "markdownDescription": "", + "markdownDescription": "A JMESPath expression used to locate the list of label headers in the model container output.\n\n*Example* : If the model container output of a batch request is `'{\"labels\":[\"cat\",\"dog\",\"fish\"],\"probability\":[0.6,0.3,0.1]}'` , then set `LabelAttribute` to `'labels'` to extract the list of label headers `[\"cat\",\"dog\",\"fish\"]`", "title": "LabelAttribute", "type": "string" }, 
@@ -225655,32 +233911,32 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyHeader" }, - "markdownDescription": "", + "markdownDescription": "For multiclass classification problems, the label headers are the names of the classes. Otherwise, the label header is the name of the predicted label. These are used to help readability for the output of the `InvokeEndpoint` API. See the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information. If there are no label headers in the model container output, provide them manually using this parameter.", "title": "LabelHeaders", "type": "array" }, "LabelIndex": { - "markdownDescription": "", + "markdownDescription": "A zero-based index used to extract a label header or list of label headers from model container output in CSV format.\n\n*Example for a multiclass model:* If the model container output consists of label headers followed by probabilities: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `LabelIndex` to `0` to select the label headers `['cat','dog','fish']` .", "title": "LabelIndex", "type": "number" }, "MaxPayloadInMB": { - "markdownDescription": "", + "markdownDescription": "The maximum payload size (MB) allowed of a request from the explainer to the model container. Defaults to `6` MB.", "title": "MaxPayloadInMB", "type": "number" }, "MaxRecordCount": { - "markdownDescription": "", + "markdownDescription": "The maximum number of records in a request that the model container can process when querying the model container for the predictions of a [synthetic dataset](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-synthetic) . 
A record is a unit of input data that inference can be made on, for example, a single line in CSV data. If `MaxRecordCount` is `1` , the model container expects one record per request. A value of 2 or greater means that the model expects batch requests, which can reduce overhead and speed up the inferencing process. If this parameter is not provided, the explainer will tune the record count per request according to the model container's capacity at runtime.", "title": "MaxRecordCount", "type": "number" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "A JMESPath expression used to extract the probability (or score) from the model container output if the model container is in JSON Lines format.\n\n*Example* : If the model container output of a single request is `'{\"predicted_label\":1,\"probability\":0.6}'` , then set `ProbabilityAttribute` to `'probability'` .", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityIndex": { - "markdownDescription": "", + "markdownDescription": "A zero-based index used to extract a probability value (score) or list from model container output in CSV format. If this value is not provided, the entire model container output will be treated as a probability value (score) or list.\n\n*Example for a single class model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'1,0.6'` , set `ProbabilityIndex` to `1` to select the probability value `0.6` .\n\n*Example for a multiclass model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `ProbabilityIndex` to `1` to select the probability values `[0.1,0.6,0.3]` .", "title": "ProbabilityIndex", "type": "number" } 
@@ -225691,17 +233947,17 @@ "additionalProperties": false, "properties": { "MimeType": { - "markdownDescription": "", + "markdownDescription": "The MIME type of the baseline data. Choose from `'text/csv'` or `'application/jsonlines'` . Defaults to `'text/csv'` .", "title": "MimeType", "type": "string" }, "ShapBaseline": { - "markdownDescription": "", + "markdownDescription": "The inline SHAP baseline data in string format. `ShapBaseline` can have one or multiple records to be used as the baseline dataset. The format of the SHAP baseline file should be the same format as the training dataset. For example, if the training dataset is in CSV format and each record contains four features, and all features are numerical, then the format of the baseline data should also share these characteristics. For natural language processing (NLP) of text columns, the baseline value should be the value used to replace the unit of text specified by the `Granularity` of the `TextConfig` parameter. The size limit for `ShapBasline` is 4 KB. Use the `ShapBaselineUri` parameter if you want to provide more than 4 KB of baseline data.", "title": "ShapBaseline", "type": "string" }, "ShapBaselineUri": { - "markdownDescription": "", + "markdownDescription": "The uniform resource identifier (URI) of the S3 bucket where the SHAP baseline file is stored. The format of the SHAP baseline file should be the same format as the format of the training dataset. For example, if the training dataset is in CSV format, and each record in the training dataset has four features, and all features are numerical, then the baseline file should also have this same format. Each record should contain only the features. If you are using a virtual private cloud (VPC), the `ShapBaselineUri` should be accessible to the VPC. 
For more information about setting up endpoints with Amazon Virtual Private Cloud, see [Give SageMaker access to Resources in your Amazon Virtual Private Cloud](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .", "title": "ShapBaselineUri", "type": "string" } 
@@ -225712,27 +233968,27 @@ "additionalProperties": false, "properties": { "NumberOfSamples": { - "markdownDescription": "", + "markdownDescription": "The number of samples to be used for analysis by the Kernal SHAP algorithm.\n\n> The number of samples determines the size of the synthetic dataset, which has an impact on latency of explainability requests. For more information, see the *Synthetic data* of [Configure and create an endpoint](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html) .", "title": "NumberOfSamples", "type": "number" }, "Seed": { - "markdownDescription": "", + "markdownDescription": "The starting value used to initialize the random number generator in the explainer. Provide a value for this parameter to obtain a deterministic SHAP result.", "title": "Seed", "type": "number" }, "ShapBaselineConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyShapBaselineConfig", - "markdownDescription": "", + "markdownDescription": "The configuration for the SHAP baseline of the Kernal SHAP algorithm.", "title": "ShapBaselineConfig" }, "TextConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyTextConfig", - "markdownDescription": "", + "markdownDescription": "A parameter that indicates if text features are treated as text and explanations are provided for individual units of text. Required for natural language processing (NLP) explainability only.", "title": "TextConfig" }, "UseLogit": { - "markdownDescription": "", + "markdownDescription": "A Boolean toggle to indicate if you want to use the logit function (true) or log-odds units (false) for model predictions. Defaults to false.", "title": "UseLogit", "type": "boolean" } 
@@ -225746,12 +234002,12 @@ "additionalProperties": false, "properties": { "Granularity": { - "markdownDescription": "", + "markdownDescription": "The unit of granularity for the analysis of text features. For example, if the unit is `'token'` , then each token (like a word in English) of the text is treated as a feature. SHAP values are computed for each unit/feature.", "title": "Granularity", "type": "string" }, "Language": { - "markdownDescription": "", + "markdownDescription": "Specifies the language of the text features in [ISO 639-1](https://docs.aws.amazon.com/ https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) or [ISO 639-3](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_639-3) code of a supported language.\n\n> For a mix of multiple languages, use code `'xx'` .", "title": "Language", "type": "string" } @@ -225811,12 +234067,27 @@ "properties": { "ClarifyExplainerConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyExplainerConfig", - "markdownDescription": "", + "markdownDescription": "A member of `ExplainerConfig` that contains configuration parameters for the SageMaker Clarify explainer.", "title": "ClarifyExplainerConfig" } }, "type": "object" }, + "AWS::SageMaker::EndpointConfig.ManagedInstanceScaling": { + "additionalProperties": false, + "properties": { + "MaxInstanceCount": { + "type": "number" + }, + "MinInstanceCount": { + "type": "number" + }, + "Status": { + "type": "string" + } + }, + "type": "object" + }, "AWS::SageMaker::EndpointConfig.ProductionVariant": { "additionalProperties": false, "properties": { 
@@ -225826,12 +234097,12 @@ "type": "string" }, "ContainerStartupHealthCheckTimeoutInSeconds": { - "markdownDescription": "", + "markdownDescription": "The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests) .", "title": "ContainerStartupHealthCheckTimeoutInSeconds", "type": "number" }, "EnableSSMAccess": { - "markdownDescription": "", + "markdownDescription": "You can use this parameter to turn on native AWS Systems Manager (SSM) access for a production variant behind an endpoint. By default, SSM access is disabled for all production variants behind an endpoint. You can turn on or turn off SSM access for a production variant behind an existing endpoint by creating a new endpoint configuration and calling `UpdateEndpoint` .", "title": "EnableSSMAccess", "type": "boolean" }, @@ -225850,8 +234121,11 @@ "title": "InstanceType", "type": "string" }, + "ManagedInstanceScaling": { + "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ManagedInstanceScaling" + }, "ModelDataDownloadTimeoutInSeconds": { - "markdownDescription": "", + "markdownDescription": "The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant.", "title": "ModelDataDownloadTimeoutInSeconds", "type": "number" }, 
@@ -225860,6 +234134,9 @@ "title": "ModelName", "type": "string" }, + "RoutingConfig": { + "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.RoutingConfig" + }, "ServerlessConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ServerlessConfig", "markdownDescription": "The serverless configuration for an endpoint. Specifies a serverless endpoint configuration instead of an instance-based endpoint configuration.", @@ -225871,18 +234148,25 @@ "type": "string" }, "VolumeSizeInGB": { - "markdownDescription": "", + "markdownDescription": "The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Currently only Amazon EBS gp2 storage volumes are supported.", "title": "VolumeSizeInGB", "type": "number" } }, "required": [ - "InitialVariantWeight", - "ModelName", "VariantName" ], "type": "object" }, + "AWS::SageMaker::EndpointConfig.RoutingConfig": { + "additionalProperties": false, + "properties": { + "RoutingStrategy": { + "type": "string" + } + }, + "type": "object" + }, "AWS::SageMaker::EndpointConfig.ServerlessConfig": { "additionalProperties": false, "properties": { @@ -225908,6 +234192,28 @@ ], "type": "object" }, + "AWS::SageMaker::EndpointConfig.VpcConfig": { + "additionalProperties": false, + "properties": { + "SecurityGroupIds": { + "items": { + "type": "string" + }, + "type": "array" + }, + "Subnets": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "SecurityGroupIds", + "Subnets" + ], + "type": "object" + }, "AWS::SageMaker::FeatureGroup": { "additionalProperties": false, "properties": { @@ -226089,7 +234395,7 @@ "title": "S3StorageConfig" }, "TableFormat": { - "markdownDescription": "", + "markdownDescription": "Format for the offline store table. Supported formats are Glue (Default) and [Apache Iceberg](https://docs.aws.amazon.com/https://iceberg.apache.org/) .", "title": "TableFormat", "type": "string" } 
@@ -226111,6 +234417,11 @@ "$ref": "#/definitions/AWS::SageMaker::FeatureGroup.OnlineStoreSecurityConfig", "markdownDescription": "Use to specify KMS Key ID ( `KMSKeyId` ) for at-rest encryption of your `OnlineStore` .", "title": "SecurityConfig" + }, + "StorageType": { + "markdownDescription": "Option for different tiers of low latency storage for real-time data retrieval.\n\n- `Standard` : A managed low latency data store for feature groups.\n- `InMemory` : A managed data store for feature groups that supports very low latency retrieval.", + "title": "StorageType", + "type": "string" } }, "type": "object" @@ -226181,7 +234492,7 @@ "additionalProperties": false, "properties": { "ImageDescription": { - "markdownDescription": "The description of the image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 512.\n\n*Pattern* : `.*`", + "markdownDescription": "The description of the image.", "title": "ImageDescription", "type": "string" }, @@ -226272,20 +234583,26 @@ "additionalProperties": false, "properties": { "Alias": { + "markdownDescription": "", + "title": "Alias", "type": "string" }, "Aliases": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "Aliases", "type": "array" }, "BaseImage": { - "markdownDescription": "The container image that the SageMaker image version is based on.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 255.\n\n*Pattern* : `.*`", + "markdownDescription": "The container image that the SageMaker image version is based on.", "title": "BaseImage", "type": "string" }, "Horovod": { + "markdownDescription": "", + "title": "Horovod", "type": "boolean" }, "ImageName": { 
@@ -226294,21 +234611,33 @@ "type": "string" }, "JobType": { + "markdownDescription": "", + "title": "JobType", "type": "string" }, "MLFramework": { + "markdownDescription": "", + "title": "MLFramework", "type": "string" }, "Processor": { + "markdownDescription": "", + "title": "Processor", "type": "string" }, "ProgrammingLang": { + "markdownDescription": "", + "title": "ProgrammingLang", "type": "string" }, "ReleaseNotes": { + "markdownDescription": "", + "title": "ReleaseNotes", "type": "string" }, "VendorGuidance": { + "markdownDescription": "", + "title": "VendorGuidance", "type": "string" } }, 
@@ -226339,6 +234668,254 @@ ], "type": "object" }, + "AWS::SageMaker::InferenceComponent": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "EndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the endpoint that hosts the inference component.", + "title": "EndpointArn", + "type": "string" + }, + "EndpointName": { + "markdownDescription": "The name of the endpoint that hosts the inference component.", + "title": "EndpointName", + "type": "string" + }, + "InferenceComponentName": { + "markdownDescription": "The name of the inference component.", + "title": "InferenceComponentName", + "type": "string" + }, + "RuntimeConfig": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentRuntimeConfig", + "markdownDescription": "", + "title": "RuntimeConfig" + }, + "Specification": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentSpecification", + "markdownDescription": "", + "title": "Specification" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "", + "title": "Tags", + "type": "array" + }, + "VariantName": { + "markdownDescription": "The name of the production variant that hosts the inference component.", + "title": "VariantName", + "type": "string" + } + }, + "required": [ + "EndpointName", + "RuntimeConfig", + "Specification", + "VariantName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::SageMaker::InferenceComponent" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + 
"Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.DeployedImage": { + "additionalProperties": false, + "properties": { + "ResolutionTime": { + "markdownDescription": "The date and time when the image path for the model resolved to the `ResolvedImage`", + "title": "ResolutionTime", + "type": "string" + }, + "ResolvedImage": { + "markdownDescription": "The specific digest path of the image hosted in this `ProductionVariant` .", + "title": "ResolvedImage", + "type": "string" + }, + "SpecifiedImage": { + "markdownDescription": "The image path you specified when you created the model.", + "title": "SpecifiedImage", + "type": "string" + } + }, + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.InferenceComponentComputeResourceRequirements": { + "additionalProperties": false, + "properties": { + "MaxMemoryRequiredInMb": { + "markdownDescription": "The maximum MB of memory to allocate to run a model that you assign to an inference component.", + "title": "MaxMemoryRequiredInMb", + "type": "number" + }, + "MinMemoryRequiredInMb": { + "markdownDescription": "The minimum MB of memory to allocate to run a model that you assign to an inference component.", + "title": "MinMemoryRequiredInMb", + "type": "number" + }, + "NumberOfAcceleratorDevicesRequired": { + "markdownDescription": "The number of accelerators to allocate to run a model that you assign to an inference component. 
Accelerators include GPUs and AWS Inferentia.", + "title": "NumberOfAcceleratorDevicesRequired", + "type": "number" + }, + "NumberOfCpuCoresRequired": { + "markdownDescription": "The number of CPU cores to allocate to run a model that you assign to an inference component.", + "title": "NumberOfCpuCoresRequired", + "type": "number" + } + }, + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.InferenceComponentContainerSpecification": { + "additionalProperties": false, + "properties": { + "ArtifactUrl": { + "markdownDescription": "The Amazon S3 path where the model artifacts, which result from model training, are stored. This path must point to a single gzip compressed tar archive (.tar.gz suffix).", + "title": "ArtifactUrl", + "type": "string" + }, + "DeployedImage": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.DeployedImage", + "markdownDescription": "", + "title": "DeployedImage" + }, + "Environment": { + "additionalProperties": true, + "markdownDescription": "The environment variables to set in the Docker container. Each key and value in the Environment string-to-string map can have length of up to 1024. We support up to 16 entries in the map.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "Environment", + "type": "object" + }, + "Image": { + "markdownDescription": "The Amazon Elastic Container Registry (Amazon ECR) path where the Docker image for the model is stored.", + "title": "Image", + "type": "string" + } + }, + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.InferenceComponentRuntimeConfig": { + "additionalProperties": false, + "properties": { + "CopyCount": { + "markdownDescription": "The number of runtime copies of the model container to deploy with the inference component. 
Each copy can serve inference requests.", + "title": "CopyCount", + "type": "number" + }, + "CurrentCopyCount": { + "markdownDescription": "", + "title": "CurrentCopyCount", + "type": "number" + }, + "DesiredCopyCount": { + "markdownDescription": "", + "title": "DesiredCopyCount", + "type": "number" + } + }, + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.InferenceComponentSpecification": { + "additionalProperties": false, + "properties": { + "ComputeResourceRequirements": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentComputeResourceRequirements", + "markdownDescription": "The compute resources allocated to run the model assigned to the inference component.", + "title": "ComputeResourceRequirements" + }, + "Container": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentContainerSpecification", + "markdownDescription": "Defines a container that provides the runtime environment for a model that you deploy with an inference component.", + "title": "Container" + }, + "ModelName": { + "markdownDescription": "The name of an existing SageMaker model object in your account that you want to deploy with the inference component.", + "title": "ModelName", + "type": "string" + }, + "StartupParameters": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentStartupParameters", + "markdownDescription": "Settings that take effect while the model container starts up.", + "title": "StartupParameters" + } + }, + "required": [ + "ComputeResourceRequirements" + ], + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.InferenceComponentStartupParameters": { + "additionalProperties": false, + "properties": { + "ContainerStartupHealthCheckTimeoutInSeconds": { + "markdownDescription": "The timeout value, in seconds, for your inference container to pass health check by Amazon S3 Hosting. 
For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests) .", + "title": "ContainerStartupHealthCheckTimeoutInSeconds", + "type": "number" + }, + "ModelDataDownloadTimeoutInSeconds": { + "markdownDescription": "The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this inference component.", + "title": "ModelDataDownloadTimeoutInSeconds", + "type": "number" + } + }, + "type": "object" + }, "AWS::SageMaker::InferenceExperiment": { "additionalProperties": false, "properties": { @@ -226483,7 +235060,7 @@ "items": { "type": "string" }, - "markdownDescription": "The list of all content type headers that SageMaker will treat as CSV and capture accordingly.", + "markdownDescription": "The list of all content type headers that Amazon SageMaker will treat as CSV and capture accordingly.", "title": "CsvContentTypes", "type": "array" }, @@ -226753,9 +235330,6 @@ "title": "VpcConfig" } }, - "required": [ - "ExecutionRoleArn" - ], "type": "object" }, "Type": { @@ -226774,8 +235348,7 @@ } }, "required": [ - "Type", - "Properties" + "Type" ], "type": "object" }, 
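Review bot: The `Environment` map in `InferenceComponentContainerSpecification` sets `"additionalProperties": true` next to a `patternProperties` entry for `^[a-zA-Z0-9]+$`, so the string-only constraint applies just to purely alphanumeric keys. A key containing an underscore (constructed example: `LOG_LEVEL`) matches no pattern, falls through to `additionalProperties`, and validates with a value of any type. Expressing the map as `"additionalProperties": {"type": "string"}` without the pattern would enforce the string-to-string shape the description states; the documented 16-entry limit could also be encoded with `"maxProperties": 16`. If this shape is emitted by the schema generator, which seems likely for a file of this size, the change belongs there. Separately, the `ContainerStartupHealthCheckTimeoutInSeconds` description in this hunk says "Amazon S3 Hosting", where the same property on `ProductionVariant` says "SageMaker Hosting".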
@@ -226812,6 +235385,11 @@ "title": "Mode", "type": "string" }, + "ModelDataSource": { + "$ref": "#/definitions/AWS::SageMaker::Model.ModelDataSource", + "markdownDescription": "Specifies the location of ML model data to deploy.\n\n> Currently you cannot use `ModelDataSource` in conjunction with SageMaker batch transform, SageMaker serverless endpoints, SageMaker multi-model endpoints, and SageMaker Marketplace.", + "title": "ModelDataSource" + }, "ModelDataUrl": { "markdownDescription": "The S3 path where the model artifacts, which result from model training, are stored. This path must point to a single gzip compressed tar archive (.tar.gz suffix). The S3 path is required for SageMaker built-in algorithms, but not if you use your own algorithms. For more information on built-in algorithms, see [Common Parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-algo-docker-registry-paths.html) .\n\n> The model artifacts must be in an S3 bucket that is in the same region as the model or endpoint you are creating. \n\nIf you provide a value for this parameter, SageMaker uses AWS Security Token Service to download model artifacts from the S3 path you provide. AWS STS is activated in your AWS account by default. If you previously deactivated AWS STS for a region, you need to reactivate AWS STS for that region. For more information, see [Activating and Deactivating AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the *AWS Identity and Access Management User Guide* .\n\n> If you use a built-in algorithm to create a model, SageMaker requires that you provide a S3 path to the model artifacts in `ModelDataUrl` .", "title": "ModelDataUrl", 
@@ -226863,6 +235441,20 @@ ], "type": "object" }, + "AWS::SageMaker::Model.ModelDataSource": { + "additionalProperties": false, + "properties": { + "S3DataSource": { + "$ref": "#/definitions/AWS::SageMaker::Model.S3DataSource", + "markdownDescription": "Specifies the S3 location of ML model data to deploy.", + "title": "S3DataSource" + } + }, + "required": [ + "S3DataSource" + ], + "type": "object" + }, "AWS::SageMaker::Model.MultiModelConfig": { "additionalProperties": false, "properties": { 
@@ -226888,6 +235480,32 @@ ], "type": "object" }, + "AWS::SageMaker::Model.S3DataSource": { + "additionalProperties": false, + "properties": { + "CompressionType": { + "markdownDescription": "", + "title": "CompressionType", + "type": "string" + }, + "S3DataType": { + "markdownDescription": "If you choose `S3Prefix` , `S3Uri` identifies a key name prefix. SageMaker uses all objects that match the specified key name prefix for model training.\n\nIf you choose `ManifestFile` , `S3Uri` identifies an object that is a manifest file containing a list of object keys that you want SageMaker to use for model training.\n\nIf you choose `AugmentedManifestFile` , S3Uri identifies an object that is an augmented manifest file in JSON lines format. This file contains the data you want to use for model training. `AugmentedManifestFile` can only be used if the Channel's input mode is `Pipe` .", + "title": "S3DataType", + "type": "string" + }, + "S3Uri": { + "markdownDescription": "Depending on the value specified for the `S3DataType` , identifies either a key name prefix or a manifest. For example:\n\n- A key name prefix might look like this: `s3://bucketname/exampleprefix`\n- A manifest might look like this: `s3://bucketname/example.manifest`\n\nA manifest is an S3 object which is a JSON file consisting of an array of elements. The first element is a prefix which is followed by one or more suffixes. SageMaker appends the suffix elements to the prefix to get a full set of `S3Uri` . 
Note that the prefix must be a valid non-empty `S3Uri` that precludes users from specifying a manifest whose individual `S3Uri` is sourced from different S3 buckets.\n\nThe following code example shows a valid manifest format:\n\n`[ {\"prefix\": \"s3://customer_bucket/some/prefix/\"},`\n\n`\"relative/path/to/custdata-1\",`\n\n`\"relative/path/custdata-2\",`\n\n`...`\n\n`\"relative/path/custdata-N\"`\n\n`]`\n\nThis JSON is equivalent to the following `S3Uri` list:\n\n`s3://customer_bucket/some/prefix/relative/path/to/custdata-1`\n\n`s3://customer_bucket/some/prefix/relative/path/custdata-2`\n\n`...`\n\n`s3://customer_bucket/some/prefix/relative/path/custdata-N`\n\nThe complete set of `S3Uri` in this manifest is the input data for the channel for this data source. The object that each `S3Uri` points to must be readable by the IAM role that SageMaker uses to perform tasks on your behalf.\n\nYour input bucket must be located in same AWS region as your training job.", + "title": "S3Uri", + "type": "string" + } + }, + "required": [ + "CompressionType", + "S3DataType", + "S3Uri" + ], + "type": "object" + }, "AWS::SageMaker::Model.VpcConfig": { "additionalProperties": false, "properties": { @@ -226895,7 +235513,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, 
@@ -227042,57 +235660,57 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelBiasJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "EndTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "EndTimeOffset", "type": "string" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "The attributes of the input data that are the input features.", "title": "FeaturesAttribute", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityThresholdAttribute": { - "markdownDescription": "", + "markdownDescription": "The threshold for the class probability to be evaluated as a positive result.", "title": "ProbabilityThresholdAttribute", "type": "number" }, "S3DataDistributionType": { - 
"markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" }, "StartTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "StartTimeOffset", "type": "string" } @@ -227217,7 +235835,7 @@ "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -227301,7 +235919,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelBiasJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { 
@@ -227352,7 +235970,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -227451,7 +236069,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, @@ -227781,7 +236399,7 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::ModelCard.Container" }, - "markdownDescription": "", + "markdownDescription": "The Amazon ECR registry path of the Docker image that contains the inference code.", "title": "Containers", "type": "array" } 
@@ -227826,39 +236444,27 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "The names of the metrics.", - "title": "Name", "type": "string" }, "Notes": { - "markdownDescription": "Any notes to add to the metric.", - "title": "Notes", "type": "string" }, "Type": { - "markdownDescription": "You must specify one of the following data types:\n\n- Bar Chart `bar_char`\n- Boolean `boolean`\n- Linear Graph `linear_graph`\n- Matrix `matrix`\n- Number `number`\n- String `string`", - "title": "Type", "type": "string" }, "Value": { - "markdownDescription": "The datatype of the metric. The metric's *value* must be compatible with the metric's *type* .", - "title": "Value", "type": "object" }, "XAxisName": { "items": { "type": "string" }, - "markdownDescription": "The name of the x axis.", - "title": "XAxisName", "type": "array" }, "YAxisName": { "items": { "type": "string" }, - "markdownDescription": "The name of the y axis.", - "title": "YAxisName", "type": "array" } }, @@ -228067,12 +236673,12 @@ "additionalProperties": false, "properties": { "AlgorithmName": { - "markdownDescription": "", + "markdownDescription": "The name of an algorithm that was used to create the model package. The algorithm must be either an algorithm resource in your SageMaker account or an algorithm in AWS Marketplace that you are subscribed to.", "title": "AlgorithmName", "type": "string" }, "ModelDataUrl": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 path where the model artifacts, which result from model training, are stored. This path must point to a single `gzip` compressed tar archive ( `.tar.gz` suffix).\n\n> The model artifacts must be in an S3 bucket that is in the same AWS region as the algorithm.", "title": "ModelDataUrl", "type": "string" } 
@@ -228367,42 +236973,42 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelExplainabilityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "The attributes of the input data that are the input features.", "title": "FeaturesAttribute", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } 
@@ -228517,7 +237123,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -228548,7 +237154,7 @@ "additionalProperties": false, "properties": { "ConfigUri": { - "markdownDescription": "JSON formatted S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", + "markdownDescription": "JSON formatted Amazon S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", "title": "ConfigUri", "type": "string" }, @@ -228596,7 +237202,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelExplainabilityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -228625,7 +237231,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, 
@@ -228724,7 +237330,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, @@ -228886,6 +237492,8 @@ "type": "string" }, "SkipModelValidation": { + "markdownDescription": "Indicates if you want to skip model validation.", + "title": "SkipModelValidation", "type": "string" }, "SourceAlgorithmSpecification": { 
@@ -229879,52 +238487,52 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelQualityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "EndTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "EndTimeOffset", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityThresholdAttribute": { - "markdownDescription": "", + "markdownDescription": "The threshold for the class probability to be evaluated as a positive result.", "title": "ProbabilityThresholdAttribute", "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. 
Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" }, "StartTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "StartTimeOffset", "type": "string" } @@ -230044,7 +238652,7 @@ "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -230122,7 +238730,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } 
@@ -230154,7 +238762,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelQualityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -230205,7 +238813,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -230304,7 +238912,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, 
@@ -230444,30 +239052,32 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } @@ -230562,6 +239172,8 @@ "type": "string" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { 
@@ -230570,7 +239182,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -230627,7 +239239,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -230695,7 +239307,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -230740,7 +239352,7 @@ }, "MonitoringOutputConfig": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.MonitoringOutputConfig", - "markdownDescription": "The array of outputs from the monitoring job to be uploaded to Amazon Simple Storage Service (Amazon S3).", + "markdownDescription": "The array of outputs from the monitoring job to be uploaded to Amazon S3.", "title": "MonitoringOutputConfig" }, "MonitoringResources": { 
@@ -230791,7 +239403,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, 
@@ -230899,13 +239511,17 @@ "additionalProperties": false, "properties": { "DataAnalysisEndTime": { + "markdownDescription": "Sets the end time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to end the window one hour before the start of each monitoring job, you would specify: `\"-PT1H\"` .\n\nThe end time that you specify must not follow the start time that you specify by more than 24 hours. You specify the start time with the `DataAnalysisStartTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "title": "DataAnalysisEndTime", "type": "string" }, "DataAnalysisStartTime": { + "markdownDescription": "Sets the start time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to monitor the five hours of data in your dataset that precede the start of each monitoring job, you would specify: `\"-PT5H\"` .\n\nThe start time that you specify must not precede the end time that you specify by more than 24 hours. You specify the end time with the `DataAnalysisEndTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "title": "DataAnalysisStartTime", "type": "string" }, "ScheduleExpression": { - "markdownDescription": "A cron expression that describes details about the monitoring schedule.\n\nCurrently the only supported cron expressions are:\n\n- If you want to set the job to start every hour, please use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? 
* * *)`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day.", + "markdownDescription": "A cron expression that describes details about the monitoring schedule.\n\nThe supported cron expressions are:\n\n- If you want to set the job to start every hour, use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n- If you want to run the job one time, immediately, use the following keyword:\n\n`NOW`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day. 
\n\nYou can also specify the keyword `NOW` to run the monitoring job immediately, one time, without recurring.", "title": "ScheduleExpression", "type": "string" } @@ -230947,7 +239563,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, @@ -231262,7 +239878,7 @@ "properties": { "ParallelismConfiguration": { "$ref": "#/definitions/AWS::SageMaker::Pipeline.ParallelismConfiguration", - "markdownDescription": "", + "markdownDescription": "The parallelism configuration applied to the pipeline.", "title": "ParallelismConfiguration" }, "PipelineDefinition": { @@ -231345,13 +239961,13 @@ "additionalProperties": false, "properties": { "PipelineDefinitionBody": { - "markdownDescription": "", + "markdownDescription": "The [JSON pipeline definition](https://docs.aws.amazon.com/https://aws-sagemaker-mlops.github.io/sagemaker-model-building-pipeline-definition-JSON-schema/) of the pipeline.", "title": "PipelineDefinitionBody", "type": "string" }, "PipelineDefinitionS3Location": { "$ref": "#/definitions/AWS::SageMaker::Pipeline.S3Location", - "markdownDescription": "", + "markdownDescription": "The location of the pipeline definition stored in Amazon S3. If specified, SageMaker retrieves the pipeline definition from this location.", "title": "PipelineDefinitionS3Location" } }, 
@@ -231361,22 +239977,22 @@ "additionalProperties": false, "properties": { "Bucket": { - "markdownDescription": "", + "markdownDescription": "The name of the S3 bucket.", "title": "Bucket", "type": "string" }, "ETag": { - "markdownDescription": "", + "markdownDescription": "A file checksum of the pipeline definition file.", "title": "ETag", "type": "string" }, "Key": { - "markdownDescription": "", + "markdownDescription": "The object key (or key name) which uniquely identifies the object in an S3 bucket.", "title": "Key", "type": "string" }, "Version": { - "markdownDescription": "", + "markdownDescription": "The version ID of the pipeline definition file. If not specified, Amazon SageMaker will retrieve the latest version.", "title": "Version", "type": "string" } @@ -231434,7 +240050,7 @@ }, "ServiceCatalogProvisionedProductDetails": { "$ref": "#/definitions/AWS::SageMaker::Project.ServiceCatalogProvisionedProductDetails", - "markdownDescription": "", + "markdownDescription": "Details of a provisioned service catalog product. For information about service catalog, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", "title": "ServiceCatalogProvisionedProductDetails" }, "ServiceCatalogProvisioningDetails": { 
@@ -231820,6 +240436,50 @@ ], "type": "object" }, + "AWS::SageMaker::UserProfile.CodeEditorAppSettings": { + "additionalProperties": false, + "properties": { + "DefaultResourceSpec": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.ResourceSpec", + "markdownDescription": "", + "title": "DefaultResourceSpec" + }, + "LifecycleConfigArns": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Name (ARN) of the Code Editor application lifecycle configuration.", + "title": "LifecycleConfigArns", + "type": "array" + } + }, + "type": "object" + }, + "AWS::SageMaker::UserProfile.CodeRepository": { + "additionalProperties": false, + "properties": { + "RepositoryUrl": { + "markdownDescription": "The URL of the Git repository.", + "title": "RepositoryUrl", + "type": "string" + } + }, + "required": [ + "RepositoryUrl" + ], + "type": "object" + }, + "AWS::SageMaker::UserProfile.CustomFileSystemConfig": { + "additionalProperties": false, + "properties": { + "EFSFileSystemConfig": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.EFSFileSystemConfig", + "markdownDescription": "The settings for a custom Amazon EFS file system.", + "title": "EFSFileSystemConfig" + } + }, + "type": "object" + }, "AWS::SageMaker::UserProfile.CustomImage": { "additionalProperties": false, "properties": { 
@@ -231845,6 +240505,111 @@ ], "type": "object" }, + "AWS::SageMaker::UserProfile.CustomPosixUserConfig": { + "additionalProperties": false, + "properties": { + "Gid": { + "markdownDescription": "The POSIX group ID.", + "title": "Gid", + "type": "number" + }, + "Uid": { + "markdownDescription": "The POSIX user ID.", + "title": "Uid", + "type": "number" + } + }, + "required": [ + "Gid", + "Uid" + ], + "type": "object" + }, + "AWS::SageMaker::UserProfile.DefaultEbsStorageSettings": { + "additionalProperties": false, + "properties": { + "DefaultEbsVolumeSizeInGb": { + "markdownDescription": "The default size of the EBS storage volume for a private space.", + "title": "DefaultEbsVolumeSizeInGb", + "type": "number" + }, + "MaximumEbsVolumeSizeInGb": { + "markdownDescription": "The maximum size of the EBS storage volume for a private space.", + "title": "MaximumEbsVolumeSizeInGb", + "type": "number" + } + }, + "required": [ + "DefaultEbsVolumeSizeInGb", + "MaximumEbsVolumeSizeInGb" + ], + "type": "object" + }, + "AWS::SageMaker::UserProfile.DefaultSpaceStorageSettings": { + "additionalProperties": false, + "properties": { + "DefaultEbsStorageSettings": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.DefaultEbsStorageSettings", + "markdownDescription": "The default EBS storage settings for a private space.", + "title": "DefaultEbsStorageSettings" + } + }, + "type": "object" + }, + "AWS::SageMaker::UserProfile.EFSFileSystemConfig": { + "additionalProperties": false, + "properties": { + "FileSystemId": { + "markdownDescription": "The ID of your Amazon EFS file system.", + "title": "FileSystemId", + "type": "string" + }, + "FileSystemPath": { + "markdownDescription": "The path to the file system directory that is accessible in Amazon SageMaker Studio. 
Permitted users can access only this directory and below.", + "title": "FileSystemPath", + "type": "string" + } + }, + "required": [ + "FileSystemId" + ], + "type": "object" + }, + "AWS::SageMaker::UserProfile.JupyterLabAppSettings": { + "additionalProperties": false, + "properties": { + "CodeRepositories": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CodeRepository" + }, + "markdownDescription": "A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterLab application.", + "title": "CodeRepositories", + "type": "array" + }, + "CustomImages": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CustomImage" + }, + "markdownDescription": "A list of custom SageMaker images that are configured to run as a JupyterLab app.", + "title": "CustomImages", + "type": "array" + }, + "DefaultResourceSpec": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.ResourceSpec", + "markdownDescription": "", + "title": "DefaultResourceSpec" + }, + "LifecycleConfigArns": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Name (ARN) of the lifecycle configurations attached to the user profile or domain. To remove a lifecycle config, you must set `LifecycleConfigArns` to an empty list.", + "title": "LifecycleConfigArns", + "type": "array" + } + }, + "type": "object" + }, "AWS::SageMaker::UserProfile.JupyterServerAppSettings": { "additionalProperties": false, "properties": { 
@@ -231936,11 +240701,39 @@ "AWS::SageMaker::UserProfile.UserSettings": { "additionalProperties": false, "properties": { + "CodeEditorAppSettings": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CodeEditorAppSettings", + "markdownDescription": "The Code Editor application settings.", + "title": "CodeEditorAppSettings" + }, + "CustomFileSystemConfigs": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CustomFileSystemConfig" + }, + "markdownDescription": "The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio.", + "title": "CustomFileSystemConfigs", + "type": "array" + }, + "CustomPosixUserConfig": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CustomPosixUserConfig", + "markdownDescription": "Details about the POSIX identity that is used for file system operations.", + "title": "CustomPosixUserConfig" + }, + "DefaultLandingUri": { + "markdownDescription": "The default experience that the user is directed to when accessing the domain. The supported values are:\n\n- `studio::` : Indicates that Studio is the default experience. This value can only be passed if `StudioWebPortal` is set to `ENABLED` .\n- `app:JupyterServer:` : Indicates that Studio Classic is the default experience.", + "title": "DefaultLandingUri", + "type": "string" + }, "ExecutionRole": { "markdownDescription": "The execution role for the user.", "title": "ExecutionRole", "type": "string" }, + "JupyterLabAppSettings": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.JupyterLabAppSettings", + "markdownDescription": "The settings for the JupyterLab application.", + "title": "JupyterLabAppSettings" + }, "JupyterServerAppSettings": { "$ref": "#/definitions/AWS::SageMaker::UserProfile.JupyterServerAppSettings", "markdownDescription": "The Jupyter server's app settings.", 
@@ -231960,14 +240753,24 @@ "items": { "type": "string" }, - "markdownDescription": "The security groups for the Amazon Virtual Private Cloud (VPC) that Studio uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", + "markdownDescription": "The security groups for the Amazon Virtual Private Cloud (VPC) that the domain uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from Amazon SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", "title": "SecurityGroups", "type": "array" }, "SharingSettings": { "$ref": "#/definitions/AWS::SageMaker::UserProfile.SharingSettings", - "markdownDescription": "Specifies options for sharing SageMaker Studio notebooks.", + "markdownDescription": "Specifies options for sharing Amazon SageMaker Studio notebooks.", "title": "SharingSettings" + }, + "SpaceStorageSettings": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.DefaultSpaceStorageSettings", + "markdownDescription": "The storage settings for a private space.", + "title": "SpaceStorageSettings" + }, + "StudioWebPortal": { + "markdownDescription": "Whether the user can access Studio. 
If this value is set to `DISABLED` , the user cannot access Studio, even if that is the default experience for the domain.", + "title": "StudioWebPortal", + "type": "string" } }, "type": "object" @@ -232440,7 +241243,7 @@ "type": "number" }, "Mode": { - "markdownDescription": "Determines whether the schedule is invoked within a flexible time window.\n\n*Allowed Values* : `OFF` | `FLEXIBLE`", + "markdownDescription": "Determines whether the schedule is invoked within a flexible time window. You must use quotation marks when you specify this value in your JSON or YAML template.\n\n*Allowed Values* : `\"OFF\"` | `\"FLEXIBLE\"`", "title": "Mode", "type": "string" } 
@@ -232893,7 +241696,7 @@ "type": "string" }, "RotationType": { - "markdownDescription": "The rotation template to base the rotation function on, one of the following:\n\n- `MySQLSingleUser` to use the template [SecretsManagerRDSMySQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-singleuser) .\n- `MySQLMultiUser` to use the template [SecretsManagerRDSMySQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-multiuser) .\n- `PostgreSQLSingleUser` to use the template [SecretsManagerRDSPostgreSQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser)\n- `PostgreSQLMultiUser` to use the template [SecretsManagerRDSPostgreSQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-multiuser) .\n- `OracleSingleUser` to use the template [SecretsManagerRDSOracleRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-singleuser) .\n- `OracleMultiUser` to use the template [SecretsManagerRDSOracleRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-multiuser) .\n- `MariaDBSingleUser` to use the template [SecretsManagerRDSMariaDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-singleuser) .\n- `MariaDBMultiUser` to use the template [SecretsManagerRDSMariaDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-multiuser) .\n- `SQLServerSingleUser` to use 
the template [SecretsManagerRDSSQLServerRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-singleuser) .\n- `SQLServerMultiUser` to use the template [SecretsManagerRDSSQLServerRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-multiuser) .\n- `RedshiftSingleUser` to use the template [SecretsManagerRedshiftRotationSingleUsr](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-singleuser) .\n- `RedshiftMultiUser` to use the template [SecretsManagerRedshiftRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-multiuser) .\n- `MongoDBSingleUser` to use the template [SecretsManagerMongoDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-singleuser) .\n- `MongoDBMultiUser` to use the template [SecretsManagerMongoDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-multiuser) .", + "markdownDescription": "The rotation template to base the rotation function on, one of the following:\n\n- `Db2SingleUser` to use the template [SecretsManagerRDSDb2RotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-singleuser) .\n- `Db2MultiUser` to use the template [SecretsManagerRDSDb2RotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-multiuser) .\n- `MySQLSingleUser` to use the template 
[SecretsManagerRDSMySQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-singleuser) .\n- `MySQLMultiUser` to use the template [SecretsManagerRDSMySQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-multiuser) .\n- `PostgreSQLSingleUser` to use the template [SecretsManagerRDSPostgreSQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser)\n- `PostgreSQLMultiUser` to use the template [SecretsManagerRDSPostgreSQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-multiuser) .\n- `OracleSingleUser` to use the template [SecretsManagerRDSOracleRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-singleuser) .\n- `OracleMultiUser` to use the template [SecretsManagerRDSOracleRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-multiuser) .\n- `MariaDBSingleUser` to use the template [SecretsManagerRDSMariaDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-singleuser) .\n- `MariaDBMultiUser` to use the template [SecretsManagerRDSMariaDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-multiuser) .\n- `SQLServerSingleUser` to use the template [SecretsManagerRDSSQLServerRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-singleuser) .\n- 
`SQLServerMultiUser` to use the template [SecretsManagerRDSSQLServerRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-multiuser) .\n- `RedshiftSingleUser` to use the template [SecretsManagerRedshiftRotationSingleUsr](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-singleuser) .\n- `RedshiftMultiUser` to use the template [SecretsManagerRedshiftRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-multiuser) .\n- `MongoDBSingleUser` to use the template [SecretsManagerMongoDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-singleuser) .\n- `MongoDBMultiUser` to use the template [SecretsManagerMongoDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-multiuser) .", "title": "RotationType", "type": "string" }, 
@@ -233021,7 +241824,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:\n\n`[{\"Key\":\"CostCenter\",\"Value\":\"12345\"},{\"Key\":\"environment\",\"Value\":\"production\"}]`\n\nSecrets Manager tag key names are case sensitive. A tag with the key \"ABC\" is a different tag from one with key \"abc\".\n\nIf you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an `Access Denied` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2) .\n\nFor information about how to format a JSON parameter for the various command line tool environments, see [Using JSON for Parameters](https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json) . If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.\n\nThe following restrictions apply to tags:\n\n- Maximum number of tags per secret: 50\n- Maximum key length: 127 Unicode characters in UTF-8\n- Maximum value length: 255 Unicode characters in UTF-8\n- Tag keys and values are case sensitive.\n- Do not use the `aws:` prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. 
Tags with this prefix do not count against your tags per secret limit.\n- If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.", + "markdownDescription": "A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:\n\n`[{\"Key\":\"CostCenter\",\"Value\":\"12345\"},{\"Key\":\"environment\",\"Value\":\"production\"}]`\n\nSecrets Manager tag key names are case sensitive. A tag with the key \"ABC\" is a different tag from one with key \"abc\".\n\nStack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret.\n\nIf you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an `Access Denied` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2) .\n\nFor information about how to format a JSON parameter for the various command line tool environments, see [Using JSON for Parameters](https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json) . 
If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.\n\nThe following restrictions apply to tags:\n\n- Maximum number of tags per secret: 50\n- Maximum key length: 127 Unicode characters in UTF-8\n- Maximum value length: 255 Unicode characters in UTF-8\n- Tag keys and values are case sensitive.\n- Do not use the `aws:` prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.\n- If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.", "title": "Tags", "type": "array" } @@ -233113,7 +241916,7 @@ "type": "string" }, "Region": { - "markdownDescription": "(Optional) A string that represents a `Region` , for example \"us-east-1\".", + "markdownDescription": "A string that represents a `Region` , for example \"us-east-1\".", "title": "Region", "type": "string" } 
@@ -233241,13 +242044,13 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.AutomationRulesAction" }, - "markdownDescription": "One or more actions to update finding fields if a finding matches the defined criteria of the rule.", + "markdownDescription": "One or more actions to update finding fields if a finding matches the conditions specified in `Criteria` .", "title": "Actions", "type": "array" }, "Criteria": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.AutomationRulesFindingFilters", - "markdownDescription": "A set of [AWS Security Finding Format](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.", + "markdownDescription": "A set of [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding.", "title": "Criteria" }, "Description": { 
@@ -233256,7 +242059,7 @@ "type": "string" }, "IsTerminal": { - "markdownDescription": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to `true` for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. The default value of this field is `false` .", + "markdownDescription": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.", "title": "IsTerminal", "type": "boolean" }, @@ -233277,7 +242080,7 @@ }, "Tags": { "additionalProperties": true, - "markdownDescription": "User-defined tags that help you label the purpose of a rule.", + "markdownDescription": "User-defined tags associated with an automation rule.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -233399,7 +242202,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The AWS account ID in which a finding was generated.", + "markdownDescription": "The AWS account ID in which a finding was generated.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "AwsAccountId", "type": "array" }, 
@@ -233407,7 +242210,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .", + "markdownDescription": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "CompanyName", "type": "array" }, @@ -233415,7 +242218,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.", + "markdownDescription": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceAssociatedStandardsId", "type": "array" }, @@ -233423,7 +242226,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The security control ID for which a finding was generated. Security control IDs are the same across standards.", + "markdownDescription": "The security control ID for which a finding was generated. Security control IDs are the same across standards.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceSecurityControlId", "type": "array" }, 
@@ -233431,7 +242234,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The result of a security check. This field is only used for findings generated from controls.", + "markdownDescription": "The result of a security check. This field is only used for findings generated from controls.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceStatus", "type": "array" }, @@ -233439,7 +242242,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.NumberFilter" }, - "markdownDescription": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .", + "markdownDescription": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Confidence", "type": "array" }, 
@@ -233447,7 +242250,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "CreatedAt", "type": "array" }, 
@@ -233455,7 +242258,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.NumberFilter" }, - "markdownDescription": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .", + "markdownDescription": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Criticality", "type": "array" }, @@ -233463,7 +242266,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's description.", + "markdownDescription": "A finding's description.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Description", "type": "array" }, 
@@ -233471,7 +242274,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "FirstObservedAt", "type": "array" }, @@ -233479,7 +242282,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The identifier for the solution-specific component that generated a finding.", + "markdownDescription": "The identifier for the solution-specific component that generated a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "GeneratorId", "type": "array" }, @@ -233487,7 +242290,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The product-specific identifier for a finding.", + "markdownDescription": "The product-specific identifier for a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Id", "type": "array" }, 
@@ -233495,7 +242298,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "LastObservedAt", "type": "array" }, @@ -233503,7 +242306,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The text of a user-defined note that's added to a finding.", + "markdownDescription": "The text of a user-defined note that's added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteText", "type": "array" }, 
@@ -233511,7 +242314,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteUpdatedAt", "type": "array" }, @@ -233519,7 +242322,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The principal that created a note.", + "markdownDescription": "The principal that created a note.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteUpdatedBy", "type": "array" }, @@ -233527,7 +242330,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.", + "markdownDescription": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ProductArn", "type": "array" }, 
@@ -233535,7 +242338,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.", + "markdownDescription": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ProductName", "type": "array" }, @@ -233543,7 +242346,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the current state of a finding.", + "markdownDescription": "Provides the current state of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RecordState", "type": "array" }, @@ -233551,7 +242354,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The product-generated identifier for a related finding.", + "markdownDescription": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RelatedFindingsId", "type": "array" }, @@ -233559,7 +242362,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The ARN for the product that generated a related finding.", + "markdownDescription": "The ARN for the product that generated a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RelatedFindingsProductArn", "type": "array" }, 
@@ -233567,7 +242370,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "Custom fields and values about the resource that a finding pertains to.", + "markdownDescription": "Custom fields and values about the resource that a finding pertains to.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceDetailsOther", "type": "array" }, @@ -233575,7 +242378,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.", + "markdownDescription": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "ResourceId", "type": "array" }, @@ -233583,7 +242386,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.", + "markdownDescription": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourcePartition", "type": "array" }, 
@@ -233591,7 +242394,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The AWS Region where the resource that a finding pertains to is located.", + "markdownDescription": "The AWS Region where the resource that a finding pertains to is located.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceRegion", "type": "array" }, @@ -233599,7 +242402,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "A list of AWS tags associated with a resource at the time the finding was processed.", + "markdownDescription": "A list of AWS tags associated with a resource at the time the finding was processed.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceTags", "type": "array" }, @@ -233607,7 +242410,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's title.", + "markdownDescription": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "ResourceType", "type": "array" }, @@ -233615,7 +242418,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The severity value of the finding.", + "markdownDescription": "The severity value of the finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "SeverityLabel", "type": "array" }, 
@@ -233623,7 +242426,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides a URL that links to a page about the current finding in the finding product.", + "markdownDescription": "Provides a URL that links to a page about the current finding in the finding product.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "SourceUrl", "type": "array" }, @@ -233631,7 +242434,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's title.", + "markdownDescription": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "Title", "type": "array" }, @@ -233639,7 +242442,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .", + "markdownDescription": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Type", "type": "array" }, 
@@ -233647,7 +242450,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "UpdatedAt", "type": "array" }, @@ -233655,7 +242458,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "A list of user-defined name and value string pairs added to a finding.", + "markdownDescription": "A list of user-defined name and value string pairs added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "UserDefinedFields", "type": "array" }, @@ -233663,7 +242466,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the veracity of a finding.", + "markdownDescription": "Provides the veracity of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "VerificationState", "type": "array" }, 
@@ -233671,7 +242474,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides information about the status of the investigation into a finding.", + "markdownDescription": "Provides information about the status of the investigation into a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "WorkflowStatus", "type": "array" } 
@@ -233723,7 +242526,7 @@ "additionalProperties": false, "properties": { "Comparison": { - "markdownDescription": "The condition to apply to the key value when querying for findings with a map filter.\n\nTo search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the tag `Department` .\n\nTo search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that do not have the value `Finance` for the tag `Department` .\n\n`EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\n`NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nYou cannot have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field.", + "markdownDescription": "The condition to apply to the key value when filtering Security Hub findings with a map filter.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag.\n\n`CONTAINS` and `EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. 
For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security` , `Finance` , or both values.\n\nTo search for values that don't have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don\u2019t have the value `Finance` for the `Department` tag.\n\n`NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values.\n\n`CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can\u2019t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error.\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "title": "Comparison", "type": "string" }, 
@@ -233733,7 +242536,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there is no match.", + "markdownDescription": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there's no match.", "title": "Value", "type": "string" } @@ -233790,7 +242593,7 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "The product-generated identifier for a related finding.", + "markdownDescription": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Id", "type": "object" }, 
@@ -233831,12 +242634,12 @@ "additionalProperties": false, "properties": { "Comparison": { - "markdownDescription": "The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that exactly match the filter value, use `EQUALS` .\n\nFor example, the filter `ResourceType EQUALS AwsEc2SecurityGroup` only matches findings that have a resource type of `AwsEc2SecurityGroup` .\n- To search for values that start with the filter value, use `PREFIX` .\n\nFor example, the filter `ResourceType PREFIX AwsIam` matches findings that have a resource type that starts with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all match.\n\n`EQUALS` and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\nTo search for values that do not contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that do not exactly match the filter value, use `NOT_EQUALS` .\n\nFor example, the filter `ResourceType NOT_EQUALS AwsIamPolicy` matches findings that have a resource type other than `AwsIamPolicy` .\n- To search for values that do not start with the filter value, use `PREFIX_NOT_EQUALS` .\n\nFor example, the filter `ResourceType PREFIX_NOT_EQUALS AwsIam` matches findings that have a resource type that does not start with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all be excluded from the results.\n\n`NOT_EQUALS` and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nFor filters on the same field, you cannot provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter. 
Combining filters in this way always returns an error, even if the provided filter values would return valid results.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filter, Security Hub first identifies findings that have resource types that start with either `AwsIAM` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`", + "markdownDescription": "The condition to apply to a string value when filtering Security Hub findings.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012` .\n- To search for values that start with the filter value, use `PREFIX` . For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us` . A `ResourceRegion` that starts with a different value, such as `af` , `ap` , or `ca` , doesn't match.\n\n`CONTAINS` , `EQUALS` , and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. 
For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront` , `CloudWatch` , or both strings in the title.\n\nTo search for values that don\u2019t have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012` .\n- To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS` . For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us` .\n\n`NOT_CONTAINS` , `NOT_EQUALS` , and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. 
Security Hub first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filters, Security Hub first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "title": "Comparison", "type": "string" }, "Value": { - "markdownDescription": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter text, then there is no match.", + "markdownDescription": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there's no match.", "title": "Value", "type": "string" } @@ -233912,7 +242715,13 @@ "type": "boolean" }, "Tags": { + "additionalProperties": true, "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, "title": "Tags", "type": "object" } 
@@ -233978,7 +242787,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::Standard.StandardsControl" }, - "markdownDescription": "Specifies which controls are to be disabled in a standard.", + "markdownDescription": "Specifies which controls are to be disabled in a standard.\n\n*Maximum* : `100`", "title": "DisabledStandardsControls", "type": "array" }, @@ -234306,7 +243115,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `MARKETPLACE_AMI` - AWS Marketplace AMI\n- `MARKETPLACE_CAR` - AWS Marketplace Clusters and AWS Resources\n- `TERRAFORM_OPEN_SOURCE` - Terraform open source configuration file", + "markdownDescription": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `TERRAFORM_OPEN_SOURCE` - Terraform Open Source configuration file\n- `TERRAFORM_CLOUD` - Terraform Cloud configuration file\n- `EXTERNAL` - External configuration file", "title": "Type", "type": "string" } @@ -234946,7 +243755,7 @@ "type": "string" }, "PrincipalType": { - "markdownDescription": "The principal type. The supported value is `IAM` .\n\n*Allowed Values* : `IAM`", + "markdownDescription": "The principal type. The supported values are `IAM` and `IAM_PATTERN` .", "title": "PrincipalType", "type": "string" } 
@@ -236141,8 +244950,6 @@ "type": "object" }, "InstanceId": { - "markdownDescription": "An identifier that you want to associate with the instance. Note the following:\n\n- If the service that's specified by `ServiceId` includes settings for an `SRV` record, the value of `InstanceId` is automatically included as part of the value for the `SRV` record. For more information, see [DnsRecord > Type](https://docs.aws.amazon.com/cloud-map/latest/api/API_DnsRecord.html#cloudmap-Type-DnsRecord-Type) .\n- You can use this value to update an existing instance.\n- To register a new instance, you must specify a value that's unique among instances that you register by using the same service.\n- If you specify an existing `InstanceId` and `ServiceId` , AWS Cloud Map updates the existing DNS records, if any. If there's also an existing health check, AWS Cloud Map deletes the old health check and creates a new one.\n\n> The health check isn't deleted immediately, so it will still appear for a while if you submit a `ListHealthChecks` request, for example.\n\n> Do not include sensitive information in `InstanceId` if the namespace is discoverable by public DNS queries and any `Type` member of `DnsRecord` for the service contains `SRV` because the `InstanceId` is discoverable by public DNS queries.", - "title": "InstanceId", "type": "string" }, "ServiceId": { 
@@ -236815,7 +245622,7 @@ "properties": { "ApplicationLayerAutomaticResponseConfiguration": { "$ref": "#/definitions/AWS::Shield::Protection.ApplicationLayerAutomaticResponseConfiguration", - "markdownDescription": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.", + "markdownDescription": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.\n\nIf you use AWS CloudFormation to manage the web ACLs that you use with Shield Advanced automatic mitigation, see the additional guidance about web ACL management in the `AWS::WAFv2::WebACL` resource description.", "title": "ApplicationLayerAutomaticResponseConfiguration" }, "HealthCheckArns": { 
@@ -237664,7 +246471,7 @@ "properties": { "DeploymentPreference": { "$ref": "#/definitions/AWS::StepFunctions::StateMachineAlias.DeploymentPreference", - "markdownDescription": "The settings that enable gradual state machine deployments. These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. 
\n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "markdownDescription": "The settings that enable gradual state machine deployments. 
These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. \n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. 
This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "title": "DeploymentPreference" }, "Description": { 
@@ -237735,7 +246542,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "markdownDescription": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. 
CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "title": "Type", "type": "string" } @@ -239127,7 +247934,9 @@ "title": "RetentionProperties" }, "Schema": { - "$ref": "#/definitions/AWS::Timestream::Table.Schema" + "$ref": "#/definitions/AWS::Timestream::Table.Schema", + "markdownDescription": "The schema of the table.", + "title": "Schema" }, "TableName": { "markdownDescription": "The name of the Timestream table.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", @@ -239203,12 +248012,18 @@ "additionalProperties": false, "properties": { "EnforcementInRecord": { + "markdownDescription": "The level of enforcement for the specification of a dimension key in ingested records. Options are REQUIRED (dimension key must be specified) and OPTIONAL (dimension key does not have to be specified).", + "title": "EnforcementInRecord", "type": "string" }, "Name": { + "markdownDescription": "The name of the attribute used for a dimension key.", + "title": "Name", "type": "string" }, "Type": { + "markdownDescription": "The type of the partition key. Options are DIMENSION (dimension key) and MEASURE (measure key).", + "title": "Type", "type": "string" } }, 
@@ -239270,6 +248085,8 @@ "items": { "$ref": "#/definitions/AWS::Timestream::Table.PartitionKey" }, + "markdownDescription": "A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed.", + "title": "CompositePartitionKey", "type": "array" } }, 
@@ -239311,7 +248128,7 @@ "additionalProperties": false, "properties": { "AccessRole": { - "markdownDescription": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "markdownDescription": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. 
So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "title": "AccessRole", "type": "string" }, 
@@ -239526,13 +248343,13 @@ "additionalProperties": false, "properties": { "AccessRole": { - "markdownDescription": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "markdownDescription": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. 
So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "title": "AccessRole", "type": "string" }, "As2Config": { "$ref": "#/definitions/AWS::Transfer::Connector.As2Config", - "markdownDescription": "A structure that contains the parameters for a connector object.", + "markdownDescription": "A structure that contains the parameters for an AS2 connector object.", "title": "As2Config" }, "LoggingRole": { @@ -239541,7 +248358,9 @@ "type": "string" }, "SftpConfig": { - "$ref": "#/definitions/AWS::Transfer::Connector.SftpConfig" + "$ref": "#/definitions/AWS::Transfer::Connector.SftpConfig", + "markdownDescription": "A structure that contains the parameters for an SFTP connector object.", + "title": "SftpConfig" }, "Tags": { "items": { @@ -239552,7 +248371,7 @@ "type": "array" }, "Url": { - "markdownDescription": "The URL of the partner's AS2 endpoint.", + "markdownDescription": "The URL of the partner's AS2 or SFTP endpoint.", "title": "Url", "type": "string" } 
@@ -239588,6 +248407,8 @@ "additionalProperties": false, "properties": { "BasicAuthSecretId": { + "markdownDescription": "Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager .\n\nThe default value for this parameter is `null` , which indicates that Basic authentication is not enabled for the connector.\n\nIf the connector should use Basic authentication, the secret needs to be in the following format:\n\n`{ \"Username\": \"user-name\", \"Password\": \"user-password\" }`\n\nReplace `user-name` and `user-password` with the credentials for the actual user that is being authenticated.\n\nNote the following:\n\n- You are storing these credentials in Secrets Manager, *not passing them directly* into this API.\n- If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you.\n\nIf you have previously enabled Basic authentication for a connector, you can disable it by using the `UpdateConnector` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:\n\n`update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=\"\"'`", + "title": "BasicAuthSecretId", "type": "string" }, "Compression": { 
@@ -239640,9 +248461,13 @@ "items": { "type": "string" }, + "markdownDescription": "The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the `ssh-keyscan` command against the SFTP server to retrieve the necessary key.\n\nThe three standard SSH public key format elements are `` , `` , and an optional `` , with spaces between each element. Specify only the `` and `` : do not enter the `` portion of the key.\n\nFor the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys.\n\n- For RSA keys, the `` string is `ssh-rsa` .\n- For ECDSA keys, the `` string is either `ecdsa-sha2-nistp256` , `ecdsa-sha2-nistp384` , or `ecdsa-sha2-nistp521` , depending on the size of the key you generated.", + "title": "TrustedHostKeys", "type": "array" }, "UserSecretId": { + "markdownDescription": "The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.", + "title": "UserSecretId", "type": "string" } }, 
@@ -239788,7 +248613,7 @@ "title": "EndpointDetails" }, "EndpointType": { - "markdownDescription": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.", + "markdownDescription": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.\n\n> After May 19, 2021, you won't be able to create a server using `EndpointType=VPC_ENDPOINT` in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with `EndpointType=VPC_ENDPOINT` in your AWS account on or before May 19, 2021, you will not be affected. After this date, use `EndpointType` = `VPC` .\n> \n> For more information, see [Discontinuing the use of VPC_ENDPOINT](https://docs.aws.amazon.com//transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint) .\n> \n> It is recommended that you use `VPC` as the `EndpointType` . With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with `EndpointType` set to `VPC_ENDPOINT` .", "title": "EndpointType", "type": "string" }, 
@@ -239830,6 +248655,11 @@ "title": "Protocols", "type": "array" }, + "S3StorageOptions": { + "$ref": "#/definitions/AWS::Transfer::Server.S3StorageOptions", + "markdownDescription": "Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default.\n\nBy default, home directory mappings have a `TYPE` of `DIRECTORY` . If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` `Type` to `FILE` if you want a mapping to have a file target.", + "title": "S3StorageOptions" + }, "SecurityPolicyName": { "markdownDescription": "Specifies the name of the security policy that is attached to the server.", "title": "SecurityPolicyName", 
@@ -239891,7 +248721,7 @@ "items": { "type": "string" }, - "markdownDescription": "A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.\n\n> This property can only be set when `EndpointType` is set to `VPC` and it is only valid in the `UpdateServer` API.", + "markdownDescription": "A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.\n\nAn address allocation ID corresponds to the allocation ID of an Elastic IP address. This value can be retrieved from the `allocationId` field from the Amazon EC2 [Address](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Address.html) data type. One way to retrieve this value is by calling the EC2 [DescribeAddresses](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddresses.html) API.\n\nThis parameter is optional. Set this parameter if you want to make your VPC endpoint public-facing. For details, see [Create an internet-facing endpoint for your server](https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#create-internet-facing-endpoint) .\n\n> This property can only be set as follows:\n> \n> - `EndpointType` must be set to `VPC`\n> - The Transfer Family server must be offline.\n> - You cannot set this parameter for Transfer Family servers that use the FTP protocol.\n> - The server must already have `SubnetIds` populated ( `SubnetIds` and `AddressAllocationIds` cannot be updated simultaneously).\n> - `AddressAllocationIds` can't contain duplicates, and must be equal in length to `SubnetIds` . For example, if you have three subnet IDs, you must also specify three address allocation IDs.\n> - Call the `UpdateServer` API to set or change this parameter.", "title": "AddressAllocationIds", "type": "array" }, 
@@ -239928,7 +248758,7 @@ "additionalProperties": false, "properties": { "DirectoryId": { - "markdownDescription": "The identifier of the AWS Directory Service directory that you want to stop sharing.", + "markdownDescription": "The identifier of the AWS Directory Service directory that you want to use as your identity provider.", "title": "DirectoryId", "type": "string" }, @@ -239989,6 +248819,17 @@ }, "type": "object" }, + "AWS::Transfer::Server.S3StorageOptions": { + "additionalProperties": false, + "properties": { + "DirectoryListingOptimization": { + "markdownDescription": "Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default.\n\nBy default, home directory mappings have a `TYPE` of `DIRECTORY` . If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` `Type` to `FILE` if you want a mapping to have a file target.", + "title": "DirectoryListingOptimization", + "type": "string" + } + }, + "type": "object" + }, "AWS::Transfer::Server.StructuredLogDestination": { "additionalProperties": false, "properties": {}, @@ -240072,7 +248913,7 @@ "additionalProperties": false, "properties": { "HomeDirectory": { - "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .", + "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> The `HomeDirectory` parameter is only used if `HomeDirectoryType` is set to `PATH` .", "title": "HomeDirectory", "type": "string" }, 
@@ -240080,12 +248921,12 @@ "items": { "$ref": "#/definitions/AWS::Transfer::User.HomeDirectoryMapEntry" }, - "markdownDescription": "Logical directory mappings that specify what Amazon S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the \" `Entry` \" and \" `Target` \" pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your IAM role provides access to paths in `Target` . The following is an example.\n\n`'[ { \"Entry\": \"/\", \"Target\": \"/bucket3/customized-reports/\" } ]'`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set `Entry` to '/' and set `Target` to the HomeDirectory parameter value.\n\n> If the target of a logical directory entry does not exist in Amazon S3, the entry will be ignored. As a workaround, you can use the Amazon S3 API to create 0 byte objects as place holders for your directory. If using the CLI, use the `s3api` call instead of `s3` so you can use the put-object operation. For example, you use the following: `AWS s3api put-object --bucket bucketname --key path/to/folder/` . Make sure that the end of the key name ends in a '/' for it to be considered a folder.", + "markdownDescription": "Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the `Entry` and `Target` pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in `Target` . 
This value can be set only when `HomeDirectoryType` is set to *LOGICAL* .\n\nThe following is an `Entry` and `Target` pair example.\n\n`[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\" `chroot` \"). To do this, you can set `Entry` to `/` and set `Target` to the value the user should see for their home directory when they log in.\n\nThe following is an `Entry` and `Target` pair example for `chroot` .\n\n`[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`", "title": "HomeDirectoryMappings", "type": "array" }, "HomeDirectoryType": { - "markdownDescription": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.", + "markdownDescription": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or Amazon EFS path as is in their file transfer protocol clients. If you set it to `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.\n\n> If `HomeDirectoryType` is `LOGICAL` , you must provide mappings, using the `HomeDirectoryMappings` parameter. If, on the other hand, `HomeDirectoryType` is `PATH` , you provide an absolute path using the `HomeDirectory` parameter. You cannot have both `HomeDirectory` and `HomeDirectoryMappings` in your template.", "title": "HomeDirectoryType", "type": "string" }, 
@@ -240168,9 +249009,14 @@ "type": "string" }, "Target": { - "markdownDescription": "Represents the map target that is used in a `HomeDirectorymapEntry` .", + "markdownDescription": "Represents the map target that is used in a `HomeDirectoryMapEntry` .", "title": "Target", "type": "string" + }, + "Type": { + "markdownDescription": "Specifies the type of mapping. Set the type to `FILE` if you want the mapping to point to a file, or `DIRECTORY` for the directory to point to a directory.\n\n> By default, home directory mappings have a `Type` of `DIRECTORY` when you create a Transfer Family server. You would need to explicitly set `Type` to `FILE` if you want a mapping to have a file target.", + "title": "Type", + "type": "string" } }, "required": [ @@ -240578,7 +249424,7 @@ "properties": { "Configuration": { "$ref": "#/definitions/AWS::VerifiedPermissions::IdentitySource.IdentitySourceConfiguration", - "markdownDescription": "Contains configuration information used when creating or updating an identity source.\n\n> At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` .", + "markdownDescription": "Contains configuration information used when creating a new identity source.\n\n> At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` . \n\nThis data type is used as a request parameter for the [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) operation.", "title": "Configuration" }, "PolicyStoreId": { 
@@ -241298,7 +250144,7 @@ "properties": { "DefaultAction": { "$ref": "#/definitions/AWS::VpcLattice::Listener.DefaultAction", - "markdownDescription": "The action for the default rule. Each listener has a default rule. Each rule consists of a priority, one or more actions, and one or more conditions. The default rule is the rule that's used if no other rules match. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "markdownDescription": "The action for the default rule. Each listener has a default rule. The default rule is used if no other rules match.", "title": "DefaultAction" }, "Name": { @@ -241307,12 +250153,12 @@ "type": "string" }, "Port": { - "markdownDescription": "The listener port. You can specify a value from `1` to `65535` . For HTTP, the default is `80` . For HTTPS, the default is `443` .", + "markdownDescription": "The listener port. You can specify a value from 1 to 65535. For HTTP, the default is 80. For HTTPS, the default is 443.", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The listener protocol HTTP or HTTPS.", + "markdownDescription": "The listener protocol.", "title": "Protocol", "type": "string" }, @@ -241362,7 +250208,7 @@ "properties": { "FixedResponse": { "$ref": "#/definitions/AWS::VpcLattice::Listener.FixedResponse", - "markdownDescription": "Information about an action that returns a custom HTTP response.", + "markdownDescription": "Describes an action that returns a custom HTTP response.", "title": "FixedResponse" }, "Forward": { 
@@ -241394,7 +250240,7 @@ "items": { "$ref": "#/definitions/AWS::VpcLattice::Listener.WeightedTargetGroup" }, - "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.", + "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group.", "title": "TargetGroups", "type": "array" } 
@@ -241413,7 +250259,7 @@ "type": "string" }, "Weight": { - "markdownDescription": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", + "markdownDescription": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", "title": "Weight", "type": "number" } @@ -241533,7 +250379,7 @@ "properties": { "Action": { "$ref": "#/definitions/AWS::VpcLattice::Rule.Action", - "markdownDescription": "Describes the action for a rule. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "markdownDescription": "Describes the action for a rule.", "title": "Action" }, "ListenerIdentifier": { @@ -241603,7 +250449,7 @@ "properties": { "FixedResponse": { "$ref": "#/definitions/AWS::VpcLattice::Rule.FixedResponse", - "markdownDescription": "Describes the rule action that returns a custom HTTP response.", + "markdownDescription": "The fixed response action. The rule returns a custom HTTP response.", "title": "FixedResponse" }, "Forward": { 
@@ -241635,7 +250481,7 @@ "items": { "$ref": "#/definitions/AWS::VpcLattice::Rule.WeightedTargetGroup" }, - "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.", + "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group.", "title": "TargetGroups", "type": "array" } @@ -241649,7 +250495,7 @@ "additionalProperties": false, "properties": { "CaseSensitive": { - "markdownDescription": "Indicates whether the match is case sensitive. Defaults to false.", + "markdownDescription": "Indicates whether the match is case sensitive.", "title": "CaseSensitive", "type": "boolean" }, 
@@ -241674,17 +250520,17 @@ "additionalProperties": false, "properties": { "Contains": { - "markdownDescription": "Specifies a contains type match.", + "markdownDescription": "A contains type match.", "title": "Contains", "type": "string" }, "Exact": { - "markdownDescription": "Specifies an exact type match.", + "markdownDescription": "An exact type match.", "title": "Exact", "type": "string" }, "Prefix": { - "markdownDescription": "Specifies a prefix type match. Matches the value with the prefix.", + "markdownDescription": "A prefix type match. Matches the value with the prefix.", "title": "Prefix", "type": "string" } @@ -241733,7 +250579,7 @@ "additionalProperties": false, "properties": { "CaseSensitive": { - "markdownDescription": "Indicates whether the match is case sensitive. Defaults to false.", + "markdownDescription": "Indicates whether the match is case sensitive.", "title": "CaseSensitive", "type": "boolean" }, 
@@ -241773,7 +250619,7 @@ "type": "string" }, "Weight": { - "markdownDescription": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", + "markdownDescription": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", "title": "Weight", "type": "number" } @@ -241835,7 +250681,7 @@ }, "DnsEntry": { "$ref": "#/definitions/AWS::VpcLattice::Service.DnsEntry", - "markdownDescription": "", + "markdownDescription": "The DNS information of the service.", "title": "DnsEntry" }, "Name": { @@ -242003,7 +250849,7 @@ "properties": { "DnsEntry": { "$ref": "#/definitions/AWS::VpcLattice::ServiceNetworkServiceAssociation.DnsEntry", - "markdownDescription": "", + "markdownDescription": "The DNS information of the service.", "title": "DnsEntry" }, "ServiceIdentifier": { 
@@ -242184,7 +251030,7 @@ "properties": { "Config": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.TargetGroupConfig", - "markdownDescription": "The target group configuration. If `type` is set to `LAMBDA` , this parameter doesn't apply.", + "markdownDescription": "The target group configuration.", "title": "Config" }, "Name": { @@ -242265,7 +251111,7 @@ }, "Matcher": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.Matcher", - "markdownDescription": "The codes to use when checking for a successful response from a target. These are called *Success codes* in the console.", + "markdownDescription": "The codes to use when checking for a successful response from a target.", "title": "Matcher" }, "Path": { @@ -242314,12 +251160,12 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "The ID of the target. If the target type of the target group is `INSTANCE` , this is an instance ID. If the target type is `IP` , this is an IP address. If the target type is `LAMBDA` , this is the ARN of the Lambda function. If the target type is `ALB` , this is the ARN of the Application Load Balancer.", + "markdownDescription": "The ID of the target. If the target group type is `INSTANCE` , this is an instance ID. If the target group type is `IP` , this is an IP address. If the target group type is `LAMBDA` , this is the ARN of a Lambda function. If the target group type is `ALB` , this is the ARN of an Application Load Balancer.", "title": "Id", "type": "string" }, "Port": { - "markdownDescription": "The port on which the target is listening. For HTTP, the default is `80` . For HTTPS, the default is `443` .", + "markdownDescription": "The port on which the target is listening. For HTTP, the default is 80. For HTTPS, the default is 443.", "title": "Port", "type": "number" } 
@@ -242334,34 +251180,36 @@ "properties": { "HealthCheck": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.HealthCheckConfig", - "markdownDescription": "The health check configuration.", + "markdownDescription": "The health check configuration. Not supported if the target group type is `LAMBDA` or `ALB` .", "title": "HealthCheck" }, "IpAddressType": { - "markdownDescription": "The type of IP address used for the target group. The possible values are `ipv4` and `ipv6` . This is an optional parameter. If not specified, the IP address type defaults to `ipv4` .", + "markdownDescription": "The type of IP address used for the target group. Supported only if the target group type is `IP` . The default is `IPV4` .", "title": "IpAddressType", "type": "string" }, "LambdaEventStructureVersion": { + "markdownDescription": "The version of the event structure that your Lambda function receives. Supported only if the target group type is `LAMBDA` . The default is `V1` .", + "title": "LambdaEventStructureVersion", "type": "string" }, "Port": { - "markdownDescription": "The port on which the targets are listening. For HTTP, the default is `80` . For HTTPS, the default is `443`", + "markdownDescription": "The port on which the targets are listening. For HTTP, the default is 80. For HTTPS, the default is 443. Not supported if the target group type is `LAMBDA` .", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The protocol to use for routing traffic to the targets. Default is the protocol of a target group.", + "markdownDescription": "The protocol to use for routing traffic to the targets. The default is the protocol of the target group. Not supported if the target group type is `LAMBDA` .", "title": "Protocol", "type": "string" }, "ProtocolVersion": { - "markdownDescription": "The protocol version. Default value is `HTTP1` .", + "markdownDescription": "The protocol version. The default is `HTTP1` . 
Not supported if the target group type is `LAMBDA` .", "title": "ProtocolVersion", "type": "string" }, "VpcIdentifier": { - "markdownDescription": "The ID of the VPC.", + "markdownDescription": "The ID of the VPC. Not supported if the target group type is `LAMBDA` .", "title": "VpcIdentifier", "type": "string" } 
@@ -244397,7 +253245,7 @@ "items": { "type": "string" }, - "markdownDescription": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", + "markdownDescription": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want AWS WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. 
AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- For requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- For requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- For requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- For requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", "title": "Addresses", "type": "array" }, @@ -244651,7 +253499,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" } 
@@ -245001,7 +253849,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. 
For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -245127,7 +253975,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, 
@@ -245209,7 +254057,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.CustomHTTPHeader" }, - "markdownDescription": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", + "markdownDescription": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "title": "ResponseHeaders", "type": "array" } 
@@ -245249,7 +254097,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { 
@@ -245264,7 +254112,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { 
@@ -245370,7 +254218,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, 
@@ -245460,12 +254308,12 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. 
AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -245575,7 +254423,7 @@ "additionalProperties": false, "properties": { "AggregateKeyType": { - "markdownDescription": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "markdownDescription": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. 
Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", "title": "AggregateKeyType", "type": "string" }, @@ -245583,6 +254431,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateBasedStatementCustomKey" }, + "markdownDescription": "Specifies the aggregate keys to use in a rate-base rule.", + "title": "CustomKeys", "type": "array" }, "ForwardedIPConfig": { 
@@ -245591,13 +254441,13 @@ "title": "ForwardedIPConfig" }, "Limit": { - "markdownDescription": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", + "markdownDescription": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", "title": "Limit", "type": "number" }, "ScopeDownStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Statement", - "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", + "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", "title": "ScopeDownStatement" } }, 
@@ -245611,31 +254461,49 @@ "additionalProperties": false, "properties": { "Cookie": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitCookie" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitCookie", + "markdownDescription": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "title": "Cookie" }, "ForwardedIP": { + "markdownDescription": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "title": "ForwardedIP", "type": "object" }, "HTTPMethod": { + "markdownDescription": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "title": "HTTPMethod", "type": "object" }, "Header": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitHeader" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitHeader", + "markdownDescription": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "title": "Header" }, "IP": { + "markdownDescription": "Use the request's originating IP address as an aggregate key. 
Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "title": "IP", "type": "object" }, "LabelNamespace": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitLabelNamespace" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitLabelNamespace", + "markdownDescription": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "title": "LabelNamespace" }, "QueryArgument": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryArgument" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryArgument", + "markdownDescription": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "title": "QueryArgument" }, "QueryString": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryString" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryString", + "markdownDescription": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. 
If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "title": "QueryString" }, "UriPath": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitUriPath" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitUriPath", + "markdownDescription": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.", + "title": "UriPath" } }, "type": "object" @@ -245644,12 +254512,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the cookie to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, 
@@ -245663,12 +254535,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the header to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245682,6 +254558,8 @@ "additionalProperties": false, "properties": { "Namespace": { + "markdownDescription": "The namespace to use for aggregation.", + "title": "Namespace", "type": "string" } }, 
@@ -245694,12 +254572,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the query argument to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245716,6 +254598,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, 
@@ -245731,6 +254615,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245816,7 +254702,7 @@ "title": "ChallengeConfig" }, "Name": { - "markdownDescription": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "markdownDescription": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "title": "Name", "type": "string" }, @@ -245840,7 +254726,7 @@ }, "VisibilityConfig": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.VisibilityConfig", - "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.", + "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name.", "title": "VisibilityConfig" } }, 
@@ -246014,7 +254900,7 @@ }, "RateBasedStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateBasedStatement", - "markdownDescription": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. 
Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "markdownDescription": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. 
The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . 
This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "title": "RateBasedStatement" }, "RegexMatchStatement": { 
@@ -246029,7 +254915,7 @@ }, "SizeConstraintStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.SizeConstraintStatement", - "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. 
If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "title": "SizeConstraintStatement" }, "SqliMatchStatement": { 
@@ -246054,7 +254940,7 @@ "type": "number" }, "Type": { - "markdownDescription": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). 
Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). 
However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.", + "markdownDescription": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* .", "title": "Type", "type": "string" } 
@@ -246151,7 +255037,7 @@ "properties": { "AssociationConfig": { "$ref": "#/definitions/AWS::WAFv2::WebACL.AssociationConfig", - "markdownDescription": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "markdownDescription": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "title": "AssociationConfig" }, "CaptchaConfig": { @@ -246194,7 +255080,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Rule" }, - "markdownDescription": "The rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", + "markdownDescription": "The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", "title": "Rules", "type": "array" }, 
@@ -246257,19 +255143,29 @@ "additionalProperties": false, "properties": { "CreationPath": { + "markdownDescription": "The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept `POST` requests.\n\nFor example, for the URL `https://example.com/web/newaccount` , you would provide the path `/web/newaccount` . Account creation page paths that start with the path that you provide are considered a match. For example `/web/newaccount` matches the account creation paths `/web/newaccount` , `/web/newaccount/` , `/web/newaccountPage` , and `/web/newaccount/thisPage` , but doesn't match the path `/home/web/newaccount` or `/website/newaccount` .", + "title": "CreationPath", "type": "string" }, "EnableRegexInPath": { + "markdownDescription": "Allow the use of regular expressions in the registration page path and the account creation path.", + "title": "EnableRegexInPath", "type": "boolean" }, "RegistrationPagePath": { + "markdownDescription": "The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users.\n\n> This page must accept `GET` text/html requests. \n\nFor example, for the URL `https://example.com/web/registration` , you would provide the path `/web/registration` . Registration page paths that start with the path that you provide are considered a match. 
For example `/web/registration` matches the registration paths `/web/registration` , `/web/registration/` , `/web/registrationPage` , and `/web/registration/thisPage` , but doesn't match the path `/home/web/registration` or `/website/registration` .", + "title": "RegistrationPagePath", "type": "string" }, "RequestInspection": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestInspectionACFP" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestInspectionACFP", + "markdownDescription": "The criteria for inspecting account creation requests, used by the ACFP rule group to validate and track account creation attempts.", + "title": "RequestInspection" }, "ResponseInspection": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection" + "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection", + "markdownDescription": "The criteria for inspecting responses to account creation requests, used by the ACFP rule group to track account creation success rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ACFP rule group evaluates the responses that your protected resources send back to client account creation attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many successful account creation attempts in a short amount of time.", + "title": "ResponseInspection" } }, "required": [ 
@@ -246283,10 +255179,12 @@ "additionalProperties": false, "properties": { "EnableRegexInPath": { + "markdownDescription": "Allow the use of regular expressions in the login page path.", + "title": "EnableRegexInPath", "type": "boolean" }, "LoginPath": { - "markdownDescription": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", + "markdownDescription": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` . Login paths that start with the path that you provide are considered a match. For example `/web/login` matches the login paths `/web/login` , `/web/login/` , `/web/loginPage` , and `/web/login/thisPage` , but doesn't match the login path `/home/web/login` or `/website/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", "title": "LoginPath", "type": "string" }, 
@@ -246297,7 +255195,7 @@ }, "ResponseInspection": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection", - "markdownDescription": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.", + "markdownDescription": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time.", "title": "ResponseInspection" } }, 
@@ -246310,10 +255208,12 @@ "additionalProperties": false, "properties": { "EnableMachineLearning": { + "markdownDescription": "Applies only to the targeted inspection level.\n\nDetermines whether to use machine learning (ML) to analyze your web traffic for bot-related activity. Machine learning is required for the Bot Control rules `TGT_ML_CoordinatedActivityLow` and `TGT_ML_CoordinatedActivityMedium` , which\ninspect for anomalous behavior that might indicate distributed, coordinated bot activity.\n\nFor more information about this choice, see the listing for these rules in the table at [Bot Control rules listing](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html#aws-managed-rule-groups-bot-rules) in the *AWS WAF Developer Guide* .\n\nDefault: `TRUE`", + "title": "EnableMachineLearning", "type": "boolean" }, "InspectionLevel": { - "markdownDescription": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) .", + "markdownDescription": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) in the *AWS WAF Developer Guide* .", "title": "InspectionLevel", "type": "string" } 
@@ -246356,7 +255256,7 @@ "properties": { "RequestBody": { "additionalProperties": false, - "markdownDescription": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "markdownDescription": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestBodyAssociatedResourceTypeConfig" 
@@ -246383,7 +255283,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. 
For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -246456,7 +255356,7 @@ "properties": { "CustomRequestHandling": { "$ref": "#/definitions/AWS::WAFv2::WebACL.CustomRequestHandling", - "markdownDescription": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", + "markdownDescription": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "title": "CustomRequestHandling" } }, 
@@ -246509,7 +255409,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -246591,7 +255491,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.CustomHTTPHeader" }, - "markdownDescription": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", + "markdownDescription": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "title": "ResponseHeaders", "type": "array" } 
@@ -246655,7 +255555,7 @@ "additionalProperties": false, "properties": { "Identifier": { - "markdownDescription": "The name of the username or password field, used in the `ManagedRuleGroupConfig` settings.\n\nWhen the `PayloadType` is `JSON` , the identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .", + "markdownDescription": "The name of the field.\n\nWhen the `PayloadType` in the request inspection is `JSON` , this identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .\n\nFor more information, see the descriptions for each field type in the request inspection properties.", "title": "Identifier", "type": "string" } 
@@ -246675,7 +255575,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { 
@@ -246690,7 +255590,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::WebACL.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { 
@@ -246796,7 +255696,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, 
@@ -246886,12 +255786,12 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. 
AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -246959,7 +255859,9 @@ "additionalProperties": false, "properties": { "AWSManagedRulesACFPRuleSet": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesACFPRuleSet" + "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesACFPRuleSet", + "markdownDescription": "Additional configuration for using the account creation fraud prevention (ACFP) managed rule group, `AWSManagedRulesACFPRuleSet` . Use this to provide account creation request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to account creation requests.\n\nFor information about using the ACFP managed rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-acfp.html) and [AWS WAF Fraud Control account creation fraud prevention (ACFP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-acfp.html) in the *AWS WAF Developer Guide* .", + "title": "AWSManagedRulesACFPRuleSet" }, "AWSManagedRulesATPRuleSet": { "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesATPRuleSet", 
@@ -246978,17 +255880,17 @@ }, "PasswordField": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "PasswordField" }, "PayloadType": { - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "PayloadType", "type": "string" }, "UsernameField": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "UsernameField" } }, 
@@ -247009,7 +255911,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupConfig" }, - "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nUse the `AWSManagedRulesATPRuleSet` configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.\n\nUse the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", + "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", "title": "ManagedRuleGroupConfigs", "type": "array" }, 
@@ -247099,7 +256001,7 @@ "additionalProperties": false, "properties": { "AggregateKeyType": { - "markdownDescription": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "markdownDescription": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. 
Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", "title": "AggregateKeyType", "type": "string" }, @@ -247107,6 +256009,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RateBasedStatementCustomKey" }, + "markdownDescription": "Specifies the aggregate keys to use in a rate-base rule.", + "title": "CustomKeys", "type": "array" }, "ForwardedIPConfig": { 
@@ -247115,13 +256019,13 @@ "title": "ForwardedIPConfig" }, "Limit": { - "markdownDescription": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", + "markdownDescription": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", "title": "Limit", "type": "number" }, "ScopeDownStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Statement", - "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", + "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", "title": "ScopeDownStatement" } }, 
@@ -247135,31 +256039,49 @@ "additionalProperties": false, "properties": { "Cookie": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitCookie" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitCookie", + "markdownDescription": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "title": "Cookie" }, "ForwardedIP": { + "markdownDescription": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "title": "ForwardedIP", "type": "object" }, "HTTPMethod": { + "markdownDescription": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "title": "HTTPMethod", "type": "object" }, "Header": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitHeader" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitHeader", + "markdownDescription": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "title": "Header" }, "IP": { + "markdownDescription": "Use the request's originating IP address as an aggregate key. 
Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "title": "IP", "type": "object" }, "LabelNamespace": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitLabelNamespace" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitLabelNamespace", + "markdownDescription": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "title": "LabelNamespace" }, "QueryArgument": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryArgument" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryArgument", + "markdownDescription": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "title": "QueryArgument" }, "QueryString": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryString" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryString", + "markdownDescription": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. 
If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "title": "QueryString" }, "UriPath": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitUriPath" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitUriPath", + "markdownDescription": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.", + "title": "UriPath" } }, "type": "object" @@ -247168,12 +256090,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the cookie to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, 
@@ -247187,12 +256113,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the header to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247206,6 +256136,8 @@ "additionalProperties": false, "properties": { "Namespace": { + "markdownDescription": "The namespace to use for aggregation.", + "title": "Namespace", "type": "string" } }, 
@@ -247218,12 +256150,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the query argument to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247240,6 +256176,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, 
@@ -247255,6 +256193,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247325,7 +256265,7 @@ "additionalProperties": false, "properties": { "DefaultSizeInspectionLimit": { - "markdownDescription": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 kilobytes)`", + "markdownDescription": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 bytes)`", "title": "DefaultSizeInspectionLimit", "type": "string" } 
@@ -247368,25 +256308,37 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" }, + "markdownDescription": "The names of the fields in the request payload that contain your customer's primary physical address.\n\nOrder the address fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the address fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryaddressline1\": \"THE_ADDRESS1\", \"primaryaddressline2\": \"THE_ADDRESS2\", \"primaryaddressline3\": \"THE_ADDRESS3\" } }` , the address field idenfiers are `/form/primaryaddressline1` , `/form/primaryaddressline2` , and `/form/primaryaddressline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` , the address fields identifiers are `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` .", + "title": "AddressFields", "type": "array" }, "EmailField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's email.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. 
For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"email\": \"THE_EMAIL\" } }` , the email field specification is `/form/email` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `email1` , the email field specification is `email1` .", + "title": "EmailField" }, "PasswordField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's password.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"password\": \"THE_PASSWORD\" } }` , the password field specification is `/form/password` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `password1` , the password field specification is `password1` .", + "title": "PasswordField" }, "PayloadType": { + "markdownDescription": "The payload type for your account creation endpoint, either JSON or form encoded.", + "title": "PayloadType", "type": "string" }, "PhoneNumberFields": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" }, + "markdownDescription": "The names of the fields in the request payload that contain your customer's primary phone number.\n\nOrder the phone number fields in the array exactly as they are 
ordered in the request payload.\n\nHow you specify the phone number fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryphoneline1\": \"THE_PHONE1\", \"primaryphoneline2\": \"THE_PHONE2\", \"primaryphoneline3\": \"THE_PHONE3\" } }` , the phone number field identifiers are `/form/primaryphoneline1` , `/form/primaryphoneline2` , and `/form/primaryphoneline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` , the phone number field identifiers are `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` .", + "title": "PhoneNumberFields", "type": "array" }, "UsernameField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's username.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. 
For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"username\": \"THE_USERNAME\" } }` , the username field specification is `/form/username` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `username1` , the username field specification is `username1`", + "title": "UsernameField" } }, "required": [ 
@@ -247399,22 +256351,22 @@ "properties": { "BodyContains": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionBodyContains", - "markdownDescription": "Configures inspection of the response body. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", + "markdownDescription": "Configures inspection of the response body for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", "title": "BodyContains" }, "Header": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionHeader", - "markdownDescription": "Configures inspection of the response header.", + "markdownDescription": "Configures inspection of the response header for success and failure indicators.", "title": "Header" }, "Json": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionJson", - "markdownDescription": "Configures inspection of the response JSON. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", + "markdownDescription": "Configures inspection of the response JSON for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", "title": "Json" }, "StatusCode": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionStatusCode", - "markdownDescription": "Configures inspection of the response status code.", + "markdownDescription": "Configures inspection of the response status code for success and failure indicators.", "title": "StatusCode" } }, 
@@ -247427,7 +256379,7 @@ "items": { "type": "string" }, - "markdownDescription": "Strings in the body of the response that indicate a failed login attempt. To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Login failed\" ]`", + "markdownDescription": "Strings in the body of the response that indicate a failed login or account creation attempt. To be counted as a failure, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Request failed\" ]`", "title": "FailureStrings", "type": "array" }, @@ -247435,7 +256387,7 @@ "items": { "type": "string" }, - "markdownDescription": "Strings in the body of the response that indicate a successful login attempt. To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"SuccessStrings\": [ \"Login successful\", \"Welcome to our site!\" ]`", + "markdownDescription": "Strings in the body of the response that indicate a successful login or account creation attempt. To be counted as a success, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON examples: `\"SuccessStrings\": [ \"Login successful\" ]` and `\"SuccessStrings\": [ \"Account creation successful\", \"Welcome to our site!\" ]`", "title": "SuccessStrings", "type": "array" } 
@@ -247453,12 +256405,12 @@ "items": { "type": "string" }, - "markdownDescription": "Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]`", + "markdownDescription": "Values in the response header with the specified name that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]` and `\"FailureValues\": [ \"AccountCreationFailed\" ]`", "title": "FailureValues", "type": "array" }, "Name": { - "markdownDescription": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"LoginResult\" ]`", + "markdownDescription": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"RequestResult\" ]`", "title": "Name", "type": "string" }, 
@@ -247466,7 +256418,7 @@ "items": { "type": "string" }, - "markdownDescription": "Values in the response header with the specified name that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]`", + "markdownDescription": "Values in the response header with the specified name that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]` and `\"SuccessValues\": [ \"AccountCreated\", \"Successful account creation\" ]`", "title": "SuccessValues", "type": "array" } 
@@ -247485,12 +256437,12 @@ "items": { "type": "string" }, - "markdownDescription": "Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", + "markdownDescription": "Values for the specified identifier in the response JSON that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", "title": "FailureValues", "type": "array" }, "Identifier": { - "markdownDescription": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON example: `\"Identifier\": [ \"/login/success\" ]`", + "markdownDescription": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON examples: `\"Identifier\": [ \"/login/success\" ]` and `\"Identifier\": [ \"/sign-up/success\" ]`", "title": "Identifier", "type": "string" }, 
@@ -247498,7 +256450,7 @@ "items": { "type": "string" }, - "markdownDescription": "Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`", + "markdownDescription": "Values for the specified identifier in the response JSON that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`", "title": "SuccessValues", "type": "array" } @@ -247517,7 +256469,7 @@ "items": { "type": "number" }, - "markdownDescription": "Status codes in the response that indicate a failed login attempt. To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", + "markdownDescription": "Status codes in the response that indicate a failed login or account creation attempt. To be counted as a failure, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", "title": "FailureCodes", "type": "array" }, 
@@ -247525,7 +256477,7 @@ "items": { "type": "number" }, - "markdownDescription": "Status codes in the response that indicate a successful login attempt. To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`", + "markdownDescription": "Status codes in the response that indicate a successful login or account creation attempt. To be counted as a success, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`", "title": "SuccessCodes", "type": "array" } @@ -247555,7 +256507,7 @@ "title": "ChallengeConfig" }, "Name": { - "markdownDescription": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "markdownDescription": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "title": "Name", "type": "string" }, @@ -247584,7 +256536,7 @@ }, "VisibilityConfig": { "$ref": "#/definitions/AWS::WAFv2::WebACL.VisibilityConfig", - "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.", + "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name.", "title": "VisibilityConfig" } }, 
@@ -247798,7 +256750,7 @@ }, "ManagedRuleGroupStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupStatement", - "markdownDescription": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement.\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.", + "markdownDescription": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call `ListAvailableManagedRuleGroups` .\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.\n\n> You are charged additional fees when you use the AWS WAF Bot Control managed rule group `AWSManagedRulesBotControlRuleSet` , the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group `AWSManagedRulesATPRuleSet` , or the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group `AWSManagedRulesACFPRuleSet` . For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "title": "ManagedRuleGroupStatement" }, "NotStatement": { 
@@ -247813,7 +256765,7 @@ }, "RateBasedStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RateBasedStatement", - "markdownDescription": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. 
Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "markdownDescription": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. 
The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . 
This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "title": "RateBasedStatement" }, "RegexMatchStatement": { 
@@ -247828,12 +256780,12 @@ }, "RuleGroupReferenceStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RuleGroupReferenceStatement", - "markdownDescription": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You can only use a rule group reference statement at the top level inside a web ACL.", + "markdownDescription": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You cannot use a rule group reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.", "title": "RuleGroupReferenceStatement" }, "SizeConstraintStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.SizeConstraintStatement", - "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. 
If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "title": "SizeConstraintStatement" }, "SqliMatchStatement": { 
@@ -247858,7 +256810,7 @@ "type": "number" }, "Type": { - "markdownDescription": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). 
Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). 
However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.", + "markdownDescription": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* .", "title": "Type", "type": "string" } @@ -248038,7 +256990,7 @@ }, "ServerSideEncryptionConfiguration": { "$ref": "#/definitions/AWS::Wisdom::Assistant.ServerSideEncryptionConfiguration", - "markdownDescription": "The KMS key used for encryption.", + "markdownDescription": "The configuration information for the customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) .", "title": "ServerSideEncryptionConfiguration" }, "Tags": { 
@@ -248086,7 +257038,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "The customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "title": "KmsKeyId", "type": "string" } 
@@ -248251,7 +257203,7 @@ }, "ServerSideEncryptionConfiguration": { "$ref": "#/definitions/AWS::Wisdom::KnowledgeBase.ServerSideEncryptionConfiguration", - "markdownDescription": "The KMS key used for encryption.", + "markdownDescription": "This customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "title": "ServerSideEncryptionConfiguration" }, "SourceConfiguration": { 
@@ -248299,7 +257251,7 @@ "additionalProperties": false, "properties": { "AppIntegrationArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .", + "markdownDescription": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration 
if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .\n- For [Amazon S3](https://docs.aws.amazon.com/https://aws.amazon.com/s3/) , the ObjectConfiguration and FileConfiguration of your AppIntegrations DataIntegration must be null. The `SourceURI` of your DataIntegration must use the following format: `s3://your_s3_bucket_name` .\n\n> The bucket policy of the corresponding S3 bucket must allow the AWS principal `app-integrations.amazonaws.com` to perform `s3:ListBucket` , `s3:GetObject` , and `s3:GetBucketLocation` against the bucket.", "title": "AppIntegrationArn", "type": "string" }, 
@@ -248307,7 +257259,7 @@ "items": { "type": "string" }, - "markdownDescription": "The fields from the source that are made available to your agents in Wisdom. Optional if ObjectConfiguration is included in the provided DataIntegration.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , you must include at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` .\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , you must include at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` .\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , you must include at least `id` , `title` , `updated_at` , and `draft` .\n\nMake sure to include additional fields. These fields are indexed and used to source recommendations.", + "markdownDescription": "The fields from the source that are made available to your agents in Amazon Q. 
Optional if ObjectConfiguration is included in the provided DataIntegration.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , you must include at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` .\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , you must include at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` .\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , you must include at least `id` , `title` , `updated_at` , and `draft` .\n\nMake sure to include additional fields. These fields are indexed and used to source recommendations.", "title": "ObjectFields", "type": "array" } 
@@ -248321,7 +257273,7 @@ "additionalProperties": false, "properties": { "TemplateUri": { - "markdownDescription": "A URI template containing exactly one variable in `${variableName}` format. This can only be set for `EXTERNAL` knowledge bases. For Salesforce, ServiceNow, and Zendesk, the variable must be one of the following:\n\n- Salesforce: `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , or `IsDeleted`\n- ServiceNow: `number` , `short_description` , `sys_mod_count` , `workflow_state` , or `active`\n- Zendesk: `id` , `title` , `updated_at` , or `draft`\n\nThe variable is replaced with the actual value for a piece of content when calling [GetContent](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_GetContent.html) .", + "markdownDescription": "A URI template containing exactly one variable in `${variableName}` format. This can only be set for `EXTERNAL` knowledge bases. For Salesforce, ServiceNow, and Zendesk, the variable must be one of the following:\n\n- Salesforce: `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , or `IsDeleted`\n- ServiceNow: `number` , `short_description` , `sys_mod_count` , `workflow_state` , or `active`\n- Zendesk: `id` , `title` , `updated_at` , or `draft`\n\nThe variable is replaced with the actual value for a piece of content when calling [GetContent](https://docs.aws.amazon.com/amazon-q-connect/latest/APIReference/API_GetContent.html) .", "title": "TemplateUri", "type": "string" } 
@@ -248332,7 +257284,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "The customer managed key used for encryption.\n\nThis customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom.\n\nFor more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) .", "title": "KmsKeyId", "type": "string" } @@ -248432,22 +257384,22 @@ "additionalProperties": false, "properties": { "AssociatedAccountId": { - "markdownDescription": "", + "markdownDescription": "The identifier of the AWS account that associated the connection alias with a directory.", "title": "AssociatedAccountId", "type": "string" }, "AssociationStatus": { - "markdownDescription": "", + "markdownDescription": "The association status of the connection alias.", "title": "AssociationStatus", "type": "string" }, "ConnectionIdentifier": { - "markdownDescription": "", + "markdownDescription": "The identifier of the connection alias association. You use the connection identifier in the DNS TXT record when you're configuring your DNS routing policies.", "title": "ConnectionIdentifier", "type": "string" }, "ResourceId": { - "markdownDescription": "", + "markdownDescription": "The identifier of the directory associated with a connection alias.", "title": "ResourceId", "type": "string" } 
@@ -248592,6 +257544,163 @@ }, "type": "object" }, + "AWS::WorkSpacesThinClient::Environment": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "DesiredSoftwareSetId": { + "markdownDescription": "The ID of the software set to apply.", + "title": "DesiredSoftwareSetId", + "type": "string" + }, + "DesktopArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the desktop to stream from Amazon WorkSpaces , WorkSpaces Web, or AppStream 2.0 .", + "title": "DesktopArn", + "type": "string" + }, + "DesktopEndpoint": { + "markdownDescription": "The URL for the identity provider login (only for environments that use AppStream 2.0 ).", + "title": "DesktopEndpoint", + "type": "string" + }, + "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Key Management Service key used to encrypt the environment.", + "title": "KmsKeyArn", + "type": "string" + }, + "MaintenanceWindow": { + "$ref": "#/definitions/AWS::WorkSpacesThinClient::Environment.MaintenanceWindow", + "markdownDescription": "A specification for a time window to apply software updates.", + "title": "MaintenanceWindow" + }, + "Name": { + "markdownDescription": "The name of the environment.", + "title": "Name", + "type": "string" + }, + "SoftwareSetUpdateMode": { + "markdownDescription": "An option to define which software updates to apply.", + "title": "SoftwareSetUpdateMode", + "type": "string" + }, + "SoftwareSetUpdateSchedule": { + "markdownDescription": "An option to define if software updates should be applied within a maintenance 
window.", + "title": "SoftwareSetUpdateSchedule", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "DesktopArn" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::WorkSpacesThinClient::Environment" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::WorkSpacesThinClient::Environment.MaintenanceWindow": { + "additionalProperties": false, + "properties": { + "ApplyTimeOf": { + "markdownDescription": "The option to set the maintenance window during the device local time or Universal Coordinated Time (UTC).", + "title": "ApplyTimeOf", + "type": "string" + }, + "DaysOfTheWeek": { + "items": { + "type": "string" + }, + "markdownDescription": "The days of the week during which the maintenance window is open.", + "title": "DaysOfTheWeek", + "type": "array" + }, + "EndTimeHour": { + "markdownDescription": "The hour for the maintenance window end ( `00` - `23` ).", + "title": "EndTimeHour", + "type": "number" + }, + "EndTimeMinute": { + "markdownDescription": "The minutes for the maintenance window end ( `00` - `59` ).", + "title": "EndTimeMinute", + "type": "number" + }, + "StartTimeHour": { + "markdownDescription": "The hour for the maintenance window start ( `00` - `23` ).", + "title": "StartTimeHour", + "type": "number" + }, + "StartTimeMinute": { + "markdownDescription": "The minutes past the hour for the maintenance window start ( `00` - `59` ).", + "title": "StartTimeMinute", + "type": "number" + }, + "Type": { + "markdownDescription": "An option to select the default or custom 
maintenance window.", + "title": "Type", + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, "AWS::WorkSpacesWeb::BrowserSettings": { "additionalProperties": false, "properties": { @@ -248629,23 +257738,31 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "Additional encryption context of the browser settings.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "BrowserPolicy": { + "markdownDescription": "A JSON string containing Chrome Enterprise policies that will be applied to all streaming sessions.", + "title": "BrowserPolicy", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "The custom managed key of the browser settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the browser settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, 
@@ -248708,20 +257825,28 @@ "properties": { "IdentityProviderDetails": { "additionalProperties": true, + "markdownDescription": "The identity provider details. The following list describes the provider detail keys for each identity provider type.\n\n- For Google and Login with Amazon:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- For Facebook:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- `api_version`\n- For Sign in with Apple:\n\n- `client_id`\n- `team_id`\n- `key_id`\n- `private_key`\n- `authorize_scopes`\n- For OIDC providers:\n\n- `client_id`\n- `client_secret`\n- `attributes_request_method`\n- `oidc_issuer`\n- `authorize_scopes`\n- `authorize_url` *if not available from discovery URL specified by oidc_issuer key*\n- `token_url` *if not available from discovery URL specified by oidc_issuer key*\n- `attributes_url` *if not available from discovery URL specified by oidc_issuer key*\n- `jwks_uri` *if not available from discovery URL specified by oidc_issuer key*\n- For SAML providers:\n\n- `MetadataFile` OR `MetadataURL`\n- `IDPSignout` *optional*", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "IdentityProviderDetails", "type": "object" }, "IdentityProviderName": { + "markdownDescription": "The identity provider name.", + "title": "IdentityProviderName", "type": "string" }, "IdentityProviderType": { + "markdownDescription": "The identity provider type.", + "title": "IdentityProviderType", "type": "string" }, "PortalArn": { + "markdownDescription": "The ARN of the identity provider.", + "title": "PortalArn", "type": "string" } }, 
@@ -248790,32 +257915,44 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "Additional encryption context of the IP access settings.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "CustomerManagedKey": { + "markdownDescription": "The custom managed key of the IP access settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "Description": { + "markdownDescription": "The description of the IP access settings.", + "title": "Description", "type": "string" }, "DisplayName": { + "markdownDescription": "The display name of the IP access settings.", + "title": "DisplayName", "type": "string" }, "IpRules": { "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::IpAccessSettings.IpRule" }, + "markdownDescription": "The IP rules of the IP access settings.", + "title": "IpRules", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the browser settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -248849,9 +257986,13 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the IP rule.", + "title": "Description", "type": "string" }, "IpRange": { + "markdownDescription": "The IP range of the IP rule. This can either be a single IP address or a range using CIDR notation.", + "title": "IpRange", "type": "string" } }, 
@@ -248899,21 +258040,29 @@ "items": { "type": "string" }, + "markdownDescription": "One or more security groups used to control access from streaming instances to your VPC.\n\n*Pattern* : `^[\\w+\\-]+$`", + "title": "SecurityGroupIds", "type": "array" }, "SubnetIds": { "items": { "type": "string" }, + "markdownDescription": "The subnets in which network interfaces are created to connect streaming instances to your VPC. At least two of these subnets must be in different availability zones.\n\n*Pattern* : `^subnet-([0-9a-f]{8}|[0-9a-f]{17})$`", + "title": "SubnetIds", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the network settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "VpcId": { + "markdownDescription": "The VPC that streaming instances will connect to.\n\n*Pattern* : `^vpc-[0-9a-z]*$`", + "title": "VpcId", "type": "string" } }, 
@@ -248982,44 +258131,66 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "The additional encryption context of the portal.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "AuthenticationType": { + "markdownDescription": "The type of authentication integration points used when signing into the web portal. Defaults to `Standard` .\n\n`Standard` web portals are authenticated directly through your identity provider (IdP). User and group access to your web portal is controlled through your IdP. You need to include an IdP resource in your template to integrate your IdP with your web portal. Completing the configuration for your IdP requires exchanging WorkSpaces Web\u2019s SP metadata with your IdP\u2019s IdP metadata. If your IdP requires the SP metadata first before returning the IdP metadata, you should follow these steps:\n\n1. Create and deploy a CloudFormation template with a `Standard` portal with no `IdentityProvider` resource.\n\n2. Retrieve the SP metadata using `Fn:GetAtt` , the WorkSpaces Web console, or by the calling the `GetPortalServiceProviderMetadata` API.\n\n3. Submit the data to your IdP.\n\n4. Add an `IdentityProvider` resource to your CloudFormation template.\n\n`IAM Identity Center` web portals are authenticated through AWS IAM Identity Center . They provide additional features, such as IdP-initiated authentication. Identity sources (including external identity provider integration) and other identity provider information must be configured in IAM Identity Center . User and group assignment must be done through the WorkSpaces Web console. 
These cannot be configured in CloudFormation.", + "title": "AuthenticationType", "type": "string" }, "BrowserSettingsArn": { + "markdownDescription": "The ARN of the browser settings that is associated with this web portal.", + "title": "BrowserSettingsArn", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "The customer managed key of the web portal.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "DisplayName": { + "markdownDescription": "The name of the web portal.", + "title": "DisplayName", "type": "string" }, "IpAccessSettingsArn": { + "markdownDescription": "The ARN of the IP access settings that is associated with the web portal.", + "title": "IpAccessSettingsArn", "type": "string" }, "NetworkSettingsArn": { + "markdownDescription": "The ARN of the network settings that is associated with the web portal.", + "title": "NetworkSettingsArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the web portal. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "TrustStoreArn": { + "markdownDescription": "The ARN of the trust store that is associated with the web portal.", + "title": "TrustStoreArn", "type": "string" }, "UserAccessLoggingSettingsArn": { + "markdownDescription": "The ARN of the user access logging settings that is associated with the web portal.", + "title": "UserAccessLoggingSettingsArn", "type": "string" }, "UserSettingsArn": { + "markdownDescription": "The ARN of the user settings that is associated with the web portal.", + "title": "UserSettingsArn", "type": "string" } }, 
@@ -249084,12 +258255,16 @@ "items": { "type": "string" }, + "markdownDescription": "A list of CA certificates to be added to the trust store.", + "title": "CertificateList", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the trust store. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -249155,12 +258330,16 @@ "additionalProperties": false, "properties": { "KinesisStreamArn": { + "markdownDescription": "The ARN of the Kinesis stream.", + "title": "KinesisStreamArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the user access logging settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, 
@@ -249227,44 +258406,66 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "CookieSynchronizationConfiguration": { - "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSynchronizationConfiguration" + "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSynchronizationConfiguration", + "markdownDescription": "The configuration that specifies which cookies should be synchronized from the end user's local browser to the remote browser.", + "title": "CookieSynchronizationConfiguration" }, "CopyAllowed": { + "markdownDescription": "Specifies whether the user can copy text from the streaming session to the local device.", + "title": "CopyAllowed", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "", + "title": "CustomerManagedKey", "type": "string" }, "DisconnectTimeoutInMinutes": { + "markdownDescription": "The amount of time that a streaming session remains active after users disconnect.", + "title": "DisconnectTimeoutInMinutes", "type": "number" }, "DownloadAllowed": { + "markdownDescription": "Specifies whether the user can download files from the streaming session to the local device.", + "title": "DownloadAllowed", "type": "string" }, "IdleDisconnectTimeoutInMinutes": { + "markdownDescription": "The amount of time that users can be idle (inactive) before they are disconnected from their streaming session and the disconnect timeout interval begins.", + "title": "IdleDisconnectTimeoutInMinutes", "type": "number" }, "PasteAllowed": { + "markdownDescription": "Specifies whether the user can paste text from the local device to the streaming session.", + "title": "PasteAllowed", "type": "string" }, "PrintAllowed": { + "markdownDescription": "Specifies whether the user can print to the local device.", + "title": "PrintAllowed", "type": "string" }, 
"Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the user settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "UploadAllowed": { + "markdownDescription": "Specifies whether the user can upload files from the local device to the streaming session.", + "title": "UploadAllowed", "type": "string" } }, @@ -249302,12 +258503,18 @@ "additionalProperties": false, "properties": { "Domain": { + "markdownDescription": "The domain of the cookie.", + "title": "Domain", "type": "string" }, "Name": { + "markdownDescription": "The name of the cookie.", + "title": "Name", "type": "string" }, "Path": { + "markdownDescription": "The path of the cookie.", + "title": "Path", "type": "string" } }, @@ -249323,12 +258530,16 @@ "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSpecification" }, + "markdownDescription": "The list of cookie specifications that are allowed to be synchronized to the remote browser.", + "title": "Allowlist", "type": "array" }, "Blocklist": { "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSpecification" }, + "markdownDescription": "The list of cookie specifications that are blocked from being synchronized to the remote browser.", + "title": "Blocklist", "type": "array" } }, @@ -255768,6 +264979,9 @@ "Name": { "$ref": "#/definitions/PassThroughProp" }, + "OwnerContact": { + "$ref": "#/definitions/PassThroughProp" + }, "Resolvers": { "additionalProperties": { "additionalProperties": { @@ -255788,6 +265002,9 @@ "title": "Tags", "type": "object" }, + "Visibility": { + "$ref": "#/definitions/PassThroughProp" + }, "XrayEnabled": { "title": "Xrayenabled", "type": "boolean" @@ -257569,6 +266786,9 @@ { "$ref": "#/definitions/AWS::APS::Workspace" }, + { + "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration" + }, { "$ref": "#/definitions/AWS::AccessAnalyzer::Analyzer" }, 
@@ -257887,6 +267107,12 @@ { "$ref": "#/definitions/AWS::AutoScalingPlans::ScalingPlan" }, + { + "$ref": "#/definitions/AWS::B2BI::Profile" + }, + { + "$ref": "#/definitions/AWS::B2BI::Transformer" + }, { "$ref": "#/definitions/AWS::Backup::BackupPlan" }, @@ -257902,6 +267128,12 @@ { "$ref": "#/definitions/AWS::Backup::ReportPlan" }, + { + "$ref": "#/definitions/AWS::Backup::RestoreTestingPlan" + }, + { + "$ref": "#/definitions/AWS::Backup::RestoreTestingSelection" + }, { "$ref": "#/definitions/AWS::BackupGateway::Hypervisor" }, @@ -258049,6 +267281,9 @@ { "$ref": "#/definitions/AWS::CloudFront::KeyGroup" }, + { + "$ref": "#/definitions/AWS::CloudFront::KeyValueStore" + }, { "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription" }, @@ -258148,6 +267383,12 @@ { "$ref": "#/definitions/AWS::CodeStarConnections::Connection" }, + { + "$ref": "#/definitions/AWS::CodeStarConnections::RepositoryLink" + }, + { + "$ref": "#/definitions/AWS::CodeStarConnections::SyncConfiguration" + }, { "$ref": "#/definitions/AWS::CodeStarNotifications::NotificationRule" }, @@ -258301,6 +267542,9 @@ { "$ref": "#/definitions/AWS::ControlTower::EnabledControl" }, + { + "$ref": "#/definitions/AWS::ControlTower::LandingZone" + }, { "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition" }, @@ -258331,12 +267575,21 @@ { "$ref": "#/definitions/AWS::DMS::Certificate" }, + { + "$ref": "#/definitions/AWS::DMS::DataProvider" + }, { "$ref": "#/definitions/AWS::DMS::Endpoint" }, { "$ref": "#/definitions/AWS::DMS::EventSubscription" }, + { + "$ref": "#/definitions/AWS::DMS::InstanceProfile" + }, + { + "$ref": "#/definitions/AWS::DMS::MigrationProject" + }, { "$ref": "#/definitions/AWS::DMS::ReplicationConfig" }, @@ -258448,6 +267701,9 @@ { "$ref": "#/definitions/AWS::DocDB::DBSubnetGroup" }, + { + "$ref": "#/definitions/AWS::DocDB::EventSubscription" + }, { "$ref": "#/definitions/AWS::DocDBElastic::Cluster" }, 
@@ -258610,6 +267866,9 @@ { "$ref": "#/definitions/AWS::EC2::SecurityGroupIngress" }, + { + "$ref": "#/definitions/AWS::EC2::SnapshotBlockPublicAccess" + }, { "$ref": "#/definitions/AWS::EC2::SpotFleet" }, @@ -258793,6 +268052,9 @@ { "$ref": "#/definitions/AWS::EKS::Nodegroup" }, + { + "$ref": "#/definitions/AWS::EKS::PodIdentityAssociation" + }, { "$ref": "#/definitions/AWS::EMR::Cluster" }, @@ -258841,6 +268103,9 @@ { "$ref": "#/definitions/AWS::ElastiCache::SecurityGroupIngress" }, + { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache" + }, { "$ref": "#/definitions/AWS::ElastiCache::SubnetGroup" }, @@ -258880,6 +268145,12 @@ { "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TargetGroup" }, + { + "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TrustStore" + }, + { + "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TrustStoreRevocation" + }, { "$ref": "#/definitions/AWS::Elasticsearch::Domain" }, @@ -258943,6 +268214,9 @@ { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate" }, + { + "$ref": "#/definitions/AWS::FIS::TargetAccountConfiguration" + }, { "$ref": "#/definitions/AWS::FMS::NotificationChannel" }, @@ -259042,6 +268316,9 @@ { "$ref": "#/definitions/AWS::Glue::Crawler" }, + { + "$ref": "#/definitions/AWS::Glue::CustomEntityType" + }, { "$ref": "#/definitions/AWS::Glue::DataCatalogEncryptionSettings" }, @@ -259270,6 +268547,9 @@ { "$ref": "#/definitions/AWS::ImageBuilder::InfrastructureConfiguration" }, + { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy" + }, { "$ref": "#/definitions/AWS::Inspector::AssessmentTarget" }, 
@@ -259675,9 +268955,21 @@ { "$ref": "#/definitions/AWS::Logs::AccountPolicy" }, + { + "$ref": "#/definitions/AWS::Logs::Delivery" + }, + { + "$ref": "#/definitions/AWS::Logs::DeliveryDestination" + }, + { + "$ref": "#/definitions/AWS::Logs::DeliverySource" + }, { "$ref": "#/definitions/AWS::Logs::Destination" }, + { + "$ref": "#/definitions/AWS::Logs::LogAnomalyDetector" + }, { "$ref": "#/definitions/AWS::Logs::LogGroup" }, @@ -259804,6 +269096,12 @@ { "$ref": "#/definitions/AWS::MediaLive::InputSecurityGroup" }, + { + "$ref": "#/definitions/AWS::MediaLive::Multiplex" + }, + { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram" + }, { "$ref": "#/definitions/AWS::MediaPackage::Asset" }, @@ -259984,6 +269282,9 @@ { "$ref": "#/definitions/AWS::OpenSearchServerless::Collection" }, + { + "$ref": "#/definitions/AWS::OpenSearchServerless::LifecyclePolicy" + }, { "$ref": "#/definitions/AWS::OpenSearchServerless::SecurityConfig" }, @@ -260413,6 +269714,15 @@ { "$ref": "#/definitions/AWS::Route53Resolver::ResolverRuleAssociation" }, + { + "$ref": "#/definitions/AWS::S3::AccessGrant" + }, + { + "$ref": "#/definitions/AWS::S3::AccessGrantsInstance" + }, + { + "$ref": "#/definitions/AWS::S3::AccessGrantsLocation" + }, { "$ref": "#/definitions/AWS::S3::AccessPoint" }, @@ -260431,6 +269741,15 @@ { "$ref": "#/definitions/AWS::S3::StorageLens" }, + { + "$ref": "#/definitions/AWS::S3::StorageLensGroup" + }, + { + "$ref": "#/definitions/AWS::S3Express::BucketPolicy" + }, + { + "$ref": "#/definitions/AWS::S3Express::DirectoryBucket" + }, { "$ref": "#/definitions/AWS::S3ObjectLambda::AccessPoint" }, @@ -260593,6 +269912,9 @@ { "$ref": "#/definitions/AWS::SageMaker::ImageVersion" }, + { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent" + }, { "$ref": "#/definitions/AWS::SageMaker::InferenceExperiment" }, 
@@ -260956,6 +270278,9 @@ { "$ref": "#/definitions/AWS::WorkSpaces::Workspace" }, + { + "$ref": "#/definitions/AWS::WorkSpacesThinClient::Environment" + }, { "$ref": "#/definitions/AWS::WorkSpacesWeb::BrowserSettings" }, diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py index 253534a24e..88a078e498 100644 --- a/samtranslator/swagger/swagger.py +++ b/samtranslator/swagger/swagger.py @@ -62,7 +62,13 @@ def __init__(self, doc: Optional[Dict[str, Any]]) -> None: """ if not doc or not SwaggerEditor.is_valid(doc): - raise InvalidDocumentException([InvalidTemplateException("Invalid Swagger document")]) + raise InvalidDocumentException( + [ + InvalidTemplateException( + "Invalid Swagger document or the Swagger document is not explicitly defined in 'DefinitionBody'." + ) + ] + ) self._doc = _deepcopy(doc) self.paths = self._doc["paths"] diff --git a/schema_source/cloudformation-docs.json b/schema_source/cloudformation-docs.json index b924e4c16b..38124ef56f 100644 --- a/schema_source/cloudformation-docs.json +++ b/schema_source/cloudformation-docs.json @@ -182,6 +182,10 @@ "Surname": "Family name.", "Title": "A personal title such as Mr." }, + "AWS::ACMPCA::CertificateAuthority Tag": { + "Key": "Key (name) of the tag.", + "Value": "Value of the tag." + }, "AWS::ACMPCA::CertificateAuthorityActivation": { "Certificate": "The Base64 PEM-encoded certificate authority certificate.", "CertificateAuthorityArn": "The Amazon Resource Name (ARN) of your private CA.", 
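Review bot: In `SwaggerEditor.__init__` (samtranslator/swagger/swagger.py) the new message still reports two different failures with one string, because the guard `if not doc or not SwaggerEditor.is_valid(doc):` is unchanged. A missing or empty `doc` and a document that is present but fails `is_valid` both produce "Invalid Swagger document or the Swagger document is not explicitly defined in 'DefinitionBody'.", so the user cannot tell which one applies. Splitting the guard would make each case precise: `if not doc:` raising with `"Swagger document is not explicitly defined in 'DefinitionBody'."`, then `if not SwaggerEditor.is_valid(doc):` raising with `"Invalid Swagger document"`. This assumes `doc` is falsy only when no inline `DefinitionBody` was supplied, which the hunk does not show and should be confirmed against the callers. The rest of `__init__` lies outside the hunk.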
@@ -200,6 +204,10 @@ "Tags": "A list of key and value pairs for the workspace resources.", "Workspace": "The ARN of the workspace that contains this rule groups namespace." }, + "AWS::APS::RuleGroupsNamespace Tag": { + "Key": "", + "Value": "" + }, "AWS::APS::Workspace": { "AlertManagerDefinition": "The alert manager definition for the workspace, as a string. For more information, see [Alert manager and templating](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-alert-manager.html) .", "Alias": "An alias that you assign to this workspace to help you identify it. It does not need to be unique.\n\nThe alias can be as many as 100 characters and can include any type of characters. Amazon Managed Service for Prometheus automatically strips any blank spaces from the beginning and end of the alias that you specify.", 
@@ -209,15 +217,38 @@ "AWS::APS::Workspace LoggingConfiguration": { "LogGroupArn": "The Amazon Resource Name (ARN) of the CloudWatch log group the logs are emitted to." }, + "AWS::APS::Workspace Tag": { + "Key": "", + "Value": "" + }, + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration": { + "PracticeRunConfiguration": "A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. When a resource has a practice run configuration, Route 53 ARC shifts traffic for the resource weekly for practice runs.\n\nPractice runs are required for zonal autoshift. The zonal shifts that Route 53 ARC starts for practice runs help you to ensure that shifting away traffic from an Availability Zone during an autoshift is safe for your application.\n\nYou can update or delete a practice run configuration. Before you delete a practice run configuration, you must disable zonal autoshift for the resource. A practice run configuration is required when zonal autoshift is enabled.", + "ResourceIdentifier": "The identifier for the resource that AWS shifts traffic for. The identifier is the Amazon Resource Name (ARN) for the resource.\n\nAt this time, supported resources are Network Load Balancers and Application Load Balancers with cross-zone load balancing turned off.", + "ZonalAutoshiftStatus": "When zonal autoshift is `ENABLED` , you authorize AWS to shift away resource traffic for an application from an Availability Zone during events, on your behalf, to help reduce time to recovery. Traffic is also shifted away for the required weekly practice runs." + }, + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration ControlCondition": { + "AlarmIdentifier": "The Amazon Resource Name (ARN) for an Amazon CloudWatch alarm that you specify as a control condition for a practice run.", + "Type": "The type of alarm specified for a practice run. 
You can only specify Amazon CloudWatch alarms for practice runs, so the only valid value is `CLOUDWATCH` ." + }, + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration PracticeRunConfiguration": { + "BlockedDates": "An array of one or more dates that you can specify when AWS does not start practice runs for a resource. Dates are in UTC.\n\nSpecify blocked dates in the format `YYYY-MM-DD` , separated by spaces.", + "BlockedWindows": "An array of one or more days and times that you can specify when Route 53 ARC does not start practice runs for a resource. Days and times are in UTC.\n\nSpecify blocked windows in the format `DAY:HH:MM-DAY:HH:MM` , separated by spaces. For example, `MON:18:30-MON:19:30 TUE:18:30-TUE:19:30` .", + "BlockingAlarms": "An optional alarm that you can specify that blocks practice runs when the alarm is in an `ALARM` state. When a blocking alarm goes into an `ALARM` state, it prevents practice runs from being started, and ends practice runs that are in progress.", + "OutcomeAlarms": "The alarm that you specify to monitor the health of your application during practice runs. When the outcome alarm goes into an `ALARM` state, the practice run is ended and the outcome is set to `FAILED` ." + }, "AWS::AccessAnalyzer::Analyzer": { + "AnalyzerConfiguration": "Contains information about the configuration of an unused access analyzer for an AWS organization or account.", "AnalyzerName": "The name of the analyzer.", - "ArchiveRules": "Specifies the archive rules to add for the analyzer.", - "Tags": "The tags to apply to the analyzer.", - "Type": "The type represents the zone of trust for the analyzer.\n\n*Allowed Values* : ACCOUNT | ORGANIZATION" + "ArchiveRules": "Specifies the archive rules to add for the analyzer. 
Archive rules automatically archive findings that meet the criteria you define for the rule.", + "Tags": "An array of key-value pairs to apply to the analyzer.", + "Type": "The type represents the zone of trust for the analyzer.\n\n*Allowed Values* : ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ORGANIZATION_UNUSED_ACCESS" + }, + "AWS::AccessAnalyzer::Analyzer AnalyzerConfiguration": { + "UnusedAccessConfiguration": "Specifies the configuration of an unused access analyzer for an AWS organization or account. External access analyzers do not support any configuration." }, "AWS::AccessAnalyzer::Analyzer ArchiveRule": { "Filter": "The criteria for the rule.", - "RuleName": "The name of the archive rule." + "RuleName": "The name of the rule to create." }, "AWS::AccessAnalyzer::Analyzer Filter": { "Contains": "A \"contains\" condition to match for the rule.", 
@@ -226,11 +257,20 @@ "Neq": "A \"not equal\" condition to match for the rule.", "Property": "The property used to define the criteria in the filter for the rule." }, + "AWS::AccessAnalyzer::Analyzer Tag": { + "Key": "The key name of the tag. You can specify a value that's 1 to 128 Unicode characters in length and can't be prefixed with `aws:` . digits, whitespace, `_` , `.` , `:` , `/` , `=` , `+` , `@` , `-` , and `\"` .\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "Value": "The value for the tag. You can specify a value that's 1 to 256 characters in length. You can use any of the following characters: the set of Unicode letters, digits, whitespace, `_` , `.` , `/` , `=` , `+` , and `-` .\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + }, + "AWS::AccessAnalyzer::Analyzer UnusedAccessConfiguration": { + "UnusedAccessAge": "The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days." + }, "AWS::AmazonMQ::Broker": { "AuthenticationStrategy": "Optional. The authentication strategy used to secure the broker. The default is `SIMPLE` .", "AutoMinorVersionUpgrade": "Enables automatic upgrades to new minor versions for brokers, as new broker engine versions are released and supported by Amazon MQ. Automatic upgrades occur during the scheduled maintenance window of the broker or after a manual broker reboot.", "BrokerName": "The name of the broker. 
This value must be unique in your AWS account , 1-50 characters long, must contain only letters, numbers, dashes, and underscores, and must not contain white spaces, brackets, wildcard characters, or special characters.\n\n> Do not add personally identifiable information (PII) or other confidential or sensitive information in broker names. Broker names are accessible to other AWS services, including C CloudWatch Logs . Broker names are not intended to be used for private or sensitive data.", "Configuration": "A list of information about the configuration. Does not apply to RabbitMQ brokers.", + "DataReplicationMode": "Defines whether this broker is a part of a data replication pair.", + "DataReplicationPrimaryBrokerArn": "The Amazon Resource Name (ARN) of the primary broker that is used to replicate data from in a data replication pair, and is applied to the replica broker. Must be set when dataReplicationMode is set to CRDR.", "DeploymentMode": "The deployment mode of the broker. Available values:\n\n- `SINGLE_INSTANCE`\n- `ACTIVE_STANDBY_MULTI_AZ`\n- `CLUSTER_MULTI_AZ`", "EncryptionOptions": "Encryption options for the broker. Does not apply to RabbitMQ brokers.", "EngineType": "The type of broker engine. Currently, Amazon MQ supports `ACTIVEMQ` and `RABBITMQ` .", 
@@ -352,8 +392,13 @@ "Name": "The environment variable name.\n\n*Length Constraints:* Maximum length of 255.\n\n*Pattern:* (?s).*", "Value": "The environment variable value.\n\n*Length Constraints:* Maximum length of 5500.\n\n*Pattern:* (?s).*" }, + "AWS::Amplify::App Tag": { + "Key": "Specifies the key for the tag.", + "Value": "Specifies the value for the tag." + }, "AWS::Amplify::Branch": { - "AppId": "The unique ID for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 20.\n\n*Pattern:* d[a-z0-9]+", + "AppId": "The unique ID for an Amplify app.", + "Backend": "The backend environment for an Amplify app.", "BasicAuthConfig": "The basic authorization credentials for a branch of an Amplify app. You must base64-encode the authorization credentials and provide them in the format `user:password` .", "BranchName": "The name for the branch.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 255.\n\n*Pattern:* (?s).+", "BuildSpec": "The build specification (build spec) for the branch.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 25000.\n\n*Pattern:* (?s).+", @@ -367,6 +412,9 @@ "Stage": "Describes the current stage for the branch.\n\n*Valid Values:* PRODUCTION | BETA | DEVELOPMENT | EXPERIMENTAL | PULL_REQUEST", "Tags": "The tag for the branch." }, + "AWS::Amplify::Branch Backend": { + "StackArn": "The Amazon Resource Name (ARN) for the AWS CloudFormation stack." + }, "AWS::Amplify::Branch BasicAuthConfig": { "EnableBasicAuth": "Enables basic authorization for the branch.", "Password": "The password for basic authorization.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 255.", 
@@ -376,6 +424,10 @@ "Name": "The environment variable name.\n\n*Length Constraints:* Maximum length of 255.\n\n*Pattern:* (?s).*", "Value": "The environment variable value.\n\n*Length Constraints:* Maximum length of 5500.\n\n*Pattern:* (?s).*" }, + "AWS::Amplify::Branch Tag": { + "Key": "Specifies the key for the tag.", + "Value": "Specifies the value for the tag." + }, "AWS::Amplify::Domain": { "AppId": "The unique ID for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 20.\n\n*Pattern:* d[a-z0-9]+", "AutoSubDomainCreationPatterns": "Sets the branch patterns for automatic subdomain creation.", @@ -633,6 +685,10 @@ "RestApiId": "The string identifier of the associated RestApi.", "StageName": "The stage name associated with the stage key." }, + "AWS::ApiGateway::ApiKey Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::Authorizer": { "AuthType": "Optional customer-defined field, used in OpenAPI imports and exports without functional impact.", "AuthorizerCredentials": "Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer. To specify an IAM role for API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null.", @@ -648,7 +704,6 @@ "AWS::ApiGateway::BasePathMapping": { "BasePath": "The base path name that callers of the API must provide as part of the URL after the domain name.", "DomainName": "The domain name of the BasePathMapping resource to be described.", - "Id": "", "RestApiId": "The string identifier of the associated RestApi.", "Stage": "The name of the associated stage." }, 
@@ -656,6 +711,10 @@ "Description": "The description of the client certificate.", "Tags": "The collection of tags. Each tag element is associated with a given resource." }, + "AWS::ApiGateway::ClientCertificate Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::Deployment": { "DeploymentCanarySettings": "The input configuration for a canary deployment.", "Description": "The description for the Deployment resource to create.", @@ -681,7 +740,7 @@ "CacheDataEncrypted": "Specifies whether the cached responses are encrypted.", "CacheTtlInSeconds": "Specifies the time to live (TTL), in seconds, for cached responses. The higher the TTL, the longer the response will be cached.", "CachingEnabled": "Specifies whether responses should be cached and returned for requests. A cache cluster must be enabled on the stage for responses to be cached.", - "DataTraceEnabled": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "DataTraceEnabled": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "HttpMethod": "The HTTP method.", "LoggingLevel": "Specifies the logging level for this method, which affects the log entries pushed to Amazon CloudWatch Logs. Valid values are `OFF` , `ERROR` , and `INFO` . Choose `ERROR` to write only error-level entries to CloudWatch Logs, or choose `INFO` to include all `ERROR` events as well as extra informational events.", "MetricsEnabled": "Specifies whether Amazon CloudWatch metrics are enabled for this method.", 
@@ -710,6 +769,10 @@ "TracingEnabled": "Specifies whether active tracing with X-ray is enabled for this stage.\n\nFor more information, see [Trace API Gateway API Execution with AWS X-Ray](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-xray.html) in the *API Gateway Developer Guide* .", "Variables": "A map that defines the stage variables. Variable names must consist of alphanumeric characters, and the values must match the following regular expression: `[A-Za-z0-9-._~:/?#&=,]+` ." }, + "AWS::ApiGateway::Deployment Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::DocumentationPart": { "Location": "The location of the targeted API entity of the to-be-created documentation part.", "Properties": "The new documentation content map of the targeted API entity. Enclosed key-value pairs are API-specific, but only OpenAPI-compliant key-value pairs can be exported and, hence, published.", 
@@ -744,6 +807,10 @@ "TruststoreUri": "An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example `s3://bucket-name/key-name` . The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3, and then update your custom domain name to use the new version. To update the truststore, you must have permissions to access the S3 object.", "TruststoreVersion": "The version of the S3 object that contains your truststore. To specify a version, you must have versioning enabled for the S3 bucket." }, + "AWS::ApiGateway::DomainName Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::GatewayResponse": { "ResponseParameters": "Response parameters (paths, query strings and headers) of the GatewayResponse as a string-to-string map of key-value pairs.", "ResponseTemplates": "Response templates of the GatewayResponse as a string-to-string map of key-value pairs.", @@ -839,6 +906,10 @@ "Key": "The file name of the OpenAPI file (Amazon S3 object name).", "Version": "For versioning-enabled buckets, a specific version of the OpenAPI file." }, + "AWS::ApiGateway::RestApi Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::Stage": { "AccessLogSetting": "Access log settings, including the access log format and access log destination ARN.", "CacheClusterEnabled": "Specifies whether a cache cluster is enabled for the stage.", 
@@ -869,7 +940,7 @@ "CacheDataEncrypted": "Specifies whether the cached responses are encrypted.", "CacheTtlInSeconds": "Specifies the time to live (TTL), in seconds, for cached responses. The higher the TTL, the longer the response will be cached.", "CachingEnabled": "Specifies whether responses should be cached and returned for requests. A cache cluster must be enabled on the stage for responses to be cached.", - "DataTraceEnabled": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "DataTraceEnabled": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "HttpMethod": "The HTTP method. To apply settings to multiple resources and methods, specify an asterisk ( `*` ) for the `HttpMethod` and `/*` for the `ResourcePath` . This parameter is required when you specify a `MethodSetting` .", "LoggingLevel": "Specifies the logging level for this method, which affects the log entries pushed to Amazon CloudWatch Logs. Valid values are `OFF` , `ERROR` , and `INFO` . Choose `ERROR` to write only error-level entries to CloudWatch Logs, or choose `INFO` to include all `ERROR` events as well as extra informational events.", "MetricsEnabled": "Specifies whether Amazon CloudWatch metrics are enabled for this method.", 
@@ -877,6 +948,10 @@ "ThrottlingBurstLimit": "Specifies the throttling burst limit.", "ThrottlingRateLimit": "Specifies the throttling rate limit." }, + "AWS::ApiGateway::Stage Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::UsagePlan": { "ApiStages": "The associated API stages of a usage plan.", "Description": "The description of a usage plan.", @@ -895,6 +970,10 @@ "Offset": "The number of requests subtracted from the given limit in the initial time period.", "Period": "The time period in which the limit applies. Valid values are \"DAY\", \"WEEK\" or \"MONTH\"." }, + "AWS::ApiGateway::UsagePlan Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::UsagePlan ThrottleSettings": { "BurstLimit": "The API target request burst rate limit. This allows more requests through for a period of time than the target rate limit.", "RateLimit": "The API target request rate limit." 
@@ -910,6 +989,10 @@ "Tags": "An array of arbitrary tags (key-value pairs) to associate with the VPC link.", "TargetArns": "The ARN of the network load balancer of the VPC targeted by the VPC link. The network load balancer must be owned by the same AWS account of the API owner." }, + "AWS::ApiGateway::VpcLink Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGatewayV2::Api": { "ApiKeySelectionExpression": "An API key selection expression. Supported only for WebSocket APIs. See [API Key Selection Expressions](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-selection-expressions.html#apigateway-websocket-api-apikey-selection-expressions) .", "BasePath": "Specifies how to interpret the base path of the API during import. Valid values are `ignore` , `prepend` , and `split` . The default value is `ignore` . To learn more, see [Set the OpenAPI basePath Property](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-import-api-basePath.html) . Supported only for HTTP APIs.", @@ -982,7 +1065,7 @@ "StageVariables": "A map that defines the stage variables for a `Stage` . Variable names can have alphanumeric and underscore characters, and the values must match [A-Za-z0-9-._~:/?#&=,]+." }, "AWS::ApiGatewayV2::ApiMapping": { - "ApiId": "The identifier of the API.", + "ApiId": "The API identifier.", "ApiMappingKey": "The API mapping key.", "DomainName": "The domain name.", "Stage": "The API stage." 
@@ -1046,13 +1129,6 @@ "TimeoutInMillis": "Custom timeout between 50 and 29,000 milliseconds for WebSocket APIs and between 50 and 30,000 milliseconds for HTTP APIs. The default timeout is 29 seconds for WebSocket APIs and 30 seconds for HTTP APIs.", "TlsConfig": "The TLS configuration for a private integration. If you specify a TLS configuration, private integration traffic uses the HTTPS protocol. Supported only for HTTP APIs." }, - "AWS::ApiGatewayV2::Integration ResponseParameter": { - "Destination": "Specifies the location of the response to modify, and how to modify it. To learn more, see [Transforming API requests and responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html) .", - "Source": "Specifies the data to update the parameter with. To learn more, see [Transforming API requests and responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html) ." - }, - "AWS::ApiGatewayV2::Integration ResponseParameterList": { - "ResponseParameters": "Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients. Specify a key-value map from a selection key to response parameters. The selection key must be a valid HTTP status code within the range of 200-599. Response parameters are a key-value map. The key must match the pattern `:
.` or `overwrite.statuscode` . The action can be `append` , `overwrite` or `remove` . The value can be a static value, or map to response data, stage variables, or context variables that are evaluated at runtime. To learn more, see [Transforming API requests and responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html) ." - }, "AWS::ApiGatewayV2::Integration TlsConfig": { "ServerNameToVerify": "If you specify a server name, API Gateway uses it to verify the hostname on the integration's certificate. The server name is also included in the TLS handshake to support Server Name Indication (SNI) or virtual hosting." }, 
@@ -1140,6 +1216,7 @@ "AWS::AppConfig::ConfigurationProfile": { "ApplicationId": "The application ID.", "Description": "A description of the configuration profile.", + "KmsKeyIdentifier": "", "LocationUri": "A URI to locate the configuration. You can specify the following:\n\n- For the AWS AppConfig hosted configuration store and for feature flags, specify `hosted` .\n- For an AWS Systems Manager Parameter Store parameter, specify either the parameter name in the format `ssm-parameter://` or the ARN.\n- For an AWS CodePipeline pipeline, specify the URI in the following format: `codepipeline` ://.\n- For an AWS Secrets Manager secret, specify the URI in the following format: `secretsmanager` ://.\n- For an Amazon S3 object, specify the URI in the following format: `s3:///` . Here is an example: `s3://my-bucket/my-app/us-east-1/my-config.json`\n- For an SSM document, specify either the document name in the format `ssm-document://` or the Amazon Resource Name (ARN).", "Name": "A name for the configuration profile.", "RetrievalRoleArn": "The ARN of an IAM role with permission to access the configuration at the specified `LocationUri` .\n\n> A retrieval role ARN is not required for configurations stored in the AWS AppConfig hosted configuration store. It is required for all other sources that store your configuration.", 
@@ -1162,7 +1239,7 @@ "DeploymentStrategyId": "The deployment strategy ID.", "Description": "A description of the deployment.", "EnvironmentId": "The environment ID.", - "KmsKeyIdentifier": "The AWS KMS key identifier (key ID, key alias, or key ARN). AWS AppConfig uses this ID to encrypt the configuration data using a customer managed key.", + "KmsKeyIdentifier": "The AWS Key Management Service key identifier (key ID, key alias, or key ARN) provided when the resource was created or updated.", "Tags": "Metadata to assign to the deployment. Tags help organize and categorize your AWS AppConfig resources. Each tag consists of a key and an optional value, both of which you define." }, "AWS::AppConfig::Deployment Tags": { 
@@ -1206,10 +1283,20 @@ "Parameters": "The parameters accepted by the extension. You specify parameter values when you associate the extension to an AWS AppConfig resource by using the `CreateExtensionAssociation` API action. For AWS Lambda extension actions, these parameters are included in the Lambda request object.", "Tags": "Adds one or more tags for the specified extension. Tags are metadata that help you categorize resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define." }, + "AWS::AppConfig::Extension Action": { + "Description": "Information about the action.", + "Name": "The action name.", + "RoleArn": "An Amazon Resource Name (ARN) for an AWS Identity and Access Management assume role.", + "Uri": "The extension URI associated to the action point in the extension definition. The URI can be an Amazon Resource Name (ARN) for one of the following: an AWS Lambda function, an Amazon Simple Queue Service queue, an Amazon Simple Notification Service topic, or the Amazon EventBridge default event bus." + }, "AWS::AppConfig::Extension Parameter": { "Description": "Information about the parameter.", "Required": "A parameter value must be specified in the extension association." }, + "AWS::AppConfig::Extension Tag": { + "Key": "", + "Value": "" + }, "AWS::AppConfig::ExtensionAssociation": { "ExtensionIdentifier": "The name, the ID, or the Amazon Resource Name (ARN) of the extension.", "ExtensionVersionNumber": "The version number of the extension. If not specified, AWS AppConfig uses the maximum version of the extension.", 
@@ -1217,6 +1304,10 @@ "ResourceIdentifier": "The ARN of an application, configuration profile, or environment.", "Tags": "Adds one or more tags for the specified extension association. Tags are metadata that help you categorize resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define." }, + "AWS::AppConfig::ExtensionAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::AppConfig::HostedConfigurationVersion": { "ApplicationId": "The application ID.", "ConfigurationProfileId": "The configuration profile ID.", @@ -1274,7 +1365,7 @@ "GoogleAnalytics": "The connector-specific credentials required when using Google Analytics.", "InforNexus": "The connector-specific credentials required when using Infor Nexus.", "Marketo": "The connector-specific credentials required when using Marketo.", - "Pardot": "", + "Pardot": "The connector-specific credentials required when using Salesforce Pardot.", "Redshift": "The connector-specific credentials required when using Amazon Redshift.", "SAPOData": "The connector-specific profile credentials required when using SAPOData.", "Salesforce": "The connector-specific credentials required when using Salesforce.", @@ -1292,7 +1383,7 @@ "Dynatrace": "The connector-specific properties required by Dynatrace.", "InforNexus": "The connector-specific properties required by Infor Nexus.", "Marketo": "The connector-specific properties required by Marketo.", - "Pardot": "", + "Pardot": "The connector-specific properties required by Salesforce Pardot.", "Redshift": "The connector-specific properties required by Amazon Redshift.", "SAPOData": "The connector-specific profile properties required when using SAPOData.", "Salesforce": "The connector-specific properties required by Salesforce.", 
@@ -1380,15 +1471,15 @@ "TokenUrl": "The token url required to fetch access/refresh tokens using authorization code and also to refresh expired access token using refresh token." }, "AWS::AppFlow::ConnectorProfile PardotConnectorProfileCredentials": { - "AccessToken": "", - "ClientCredentialsArn": "", + "AccessToken": "The credentials used to access protected Salesforce Pardot resources.", + "ClientCredentialsArn": "The secret manager ARN, which contains the client ID and client secret of the connected app.", "ConnectorOAuthRequest": "", - "RefreshToken": "" + "RefreshToken": "The credentials used to acquire new access tokens." }, "AWS::AppFlow::ConnectorProfile PardotConnectorProfileProperties": { - "BusinessUnitId": "", - "InstanceUrl": "", - "IsSandboxEnvironment": "" + "BusinessUnitId": "The business unit id of Salesforce Pardot instance.", + "InstanceUrl": "The location of the Salesforce Pardot resource.", + "IsSandboxEnvironment": "Indicates whether the connector profile applies to a sandbox or production environment." }, "AWS::AppFlow::ConnectorProfile RedshiftConnectorProfileCredentials": { "Password": "The password that corresponds to the user name.", 
@@ -1397,13 +1488,13 @@ "AWS::AppFlow::ConnectorProfile RedshiftConnectorProfileProperties": { "BucketName": "A name for the associated Amazon S3 bucket.", "BucketPrefix": "The object key for the destination bucket in which Amazon AppFlow places the files.", - "ClusterIdentifier": "", - "DataApiRoleArn": "", - "DatabaseName": "", + "ClusterIdentifier": "The unique ID that's assigned to an Amazon Redshift cluster.", + "DataApiRoleArn": "The Amazon Resource Name (ARN) of an IAM role that permits Amazon AppFlow to access your Amazon Redshift database through the Data API. For more information, and for the polices that you attach to this role, see [Allow Amazon AppFlow to access Amazon Redshift databases with the Data API](https://docs.aws.amazon.com/appflow/latest/userguide/security_iam_service-role-policies.html#access-redshift) .", + "DatabaseName": "The name of an Amazon Redshift database.", "DatabaseUrl": "The JDBC URL of the Amazon Redshift cluster.", - "IsRedshiftServerless": "", + "IsRedshiftServerless": "Indicates whether the connector profile defines a connection to an Amazon Redshift Serverless data warehouse.", "RoleArn": "The Amazon Resource Name (ARN) of IAM role that grants Amazon Redshift read-only access to Amazon S3. For more information, and for the polices that you attach to this role, see [Allow Amazon Redshift to access your Amazon AppFlow data in Amazon S3](https://docs.aws.amazon.com/appflow/latest/userguide/security_iam_service-role-policies.html#redshift-access-s3) .", - "WorkgroupName": "" + "WorkgroupName": "The name of an Amazon Redshift workgroup." }, "AWS::AppFlow::ConnectorProfile SAPODataConnectorProfileCredentials": { "BasicAuthCredentials": "The SAPOData basic authentication credentials.", 
@@ -1423,16 +1514,17 @@ "AccessToken": "The credentials used to access protected Salesforce resources.", "ClientCredentialsArn": "The secret manager ARN, which contains the client ID and client secret of the connected app.", "ConnectorOAuthRequest": "Used by select connectors for which the OAuth workflow is supported, such as Salesforce, Google Analytics, Marketo, Zendesk, and Slack.", - "JwtToken": "", - "OAuth2GrantType": "", + "JwtToken": "A JSON web token (JWT) that authorizes Amazon AppFlow to access your Salesforce records.", + "OAuth2GrantType": "Specifies the OAuth 2.0 grant type that Amazon AppFlow uses when it requests an access token from Salesforce. Amazon AppFlow requires an access token each time it attempts to access your Salesforce records.\n\nYou can specify one of the following values:\n\n- **AUTHORIZATION_CODE** - Amazon AppFlow passes an authorization code when it requests the access token from Salesforce. Amazon AppFlow receives the authorization code from Salesforce after you log in to your Salesforce account and authorize Amazon AppFlow to access your records.\n- **CLIENT_CREDENTIALS** - Amazon AppFlow passes client credentials (a client ID and client secret) when it requests the access token from Salesforce. You provide these credentials to Amazon AppFlow when you define the connection to your Salesforce account.\n- **JWT_BEARER** - Amazon AppFlow passes a JSON web token (JWT) when it requests the access token from Salesforce. You provide the JWT to Amazon AppFlow when you define the connection to your Salesforce account. When you use this grant type, you don't need to log in to your Salesforce account to authorize Amazon AppFlow to access your records.", "RefreshToken": "The credentials used to acquire new access tokens." 
}, "AWS::AppFlow::ConnectorProfile SalesforceConnectorProfileProperties": { "InstanceUrl": "The location of the Salesforce resource.", "isSandboxEnvironment": "Indicates whether the connector profile applies to a sandbox or production environment.", - "usePrivateLinkForMetadataAndAuthorization": "" + "usePrivateLinkForMetadataAndAuthorization": "If the connection mode for the connector profile is private, this parameter sets whether Amazon AppFlow uses the private network to send metadata and authorization calls to Salesforce. Amazon AppFlow sends private calls through AWS PrivateLink . These calls travel through AWS infrastructure without being exposed to the public internet.\n\nSet either of the following values:\n\n- **true** - Amazon AppFlow sends all calls to Salesforce over the private network.\n\nThese private calls are:\n\n- Calls to get metadata about your Salesforce records. This metadata describes your Salesforce objects and their fields.\n- Calls to get or refresh access tokens that allow Amazon AppFlow to access your Salesforce records.\n- Calls to transfer your Salesforce records as part of a flow run.\n- **false** - The default value. Amazon AppFlow sends some calls to Salesforce privately and other calls over the public internet.\n\nThe public calls are:\n\n- Calls to get metadata about your Salesforce records.\n- Calls to get or refresh access tokens.\n\nThe private calls are:\n\n- Calls to transfer your Salesforce records as part of a flow run." }, "AWS::AppFlow::ConnectorProfile ServiceNowConnectorProfileCredentials": { + "OAuth2Credentials": "", "Password": "The password that corresponds to the user name.", "Username": "The name of the user." }, 
@@ -1489,7 +1581,7 @@ "FlowName": "The specified name of the flow. Spaces are not allowed. Use underscores (_) or hyphens (-) only.", "FlowStatus": "Sets the status of the flow. You can specify one of the following values:\n\n- **Active** - The flow runs based on the trigger settings that you defined. Active scheduled flows run as scheduled, and active event-triggered flows run when the specified change event occurs. However, active on-demand flows run only when you manually start them by using Amazon AppFlow.\n- **Suspended** - You can use this option to deactivate an active flow. Scheduled and event-triggered flows will cease to run until you reactive them. This value only affects scheduled and event-triggered flows. It has no effect for on-demand flows.\n\nIf you omit the FlowStatus parameter, Amazon AppFlow creates the flow with a default status. The default status for on-demand flows is Active. The default status for scheduled and event-triggered flows is Draft, which means they\u2019re not yet active.", "KMSArn": "The ARN (Amazon Resource Name) of the Key Management Service (KMS) key you provide for encryption. This is required if you do not want to use the Amazon AppFlow-managed KMS key. If you don't provide anything here, Amazon AppFlow uses the Amazon AppFlow-managed KMS key.", - "MetadataCatalogConfig": "", + "MetadataCatalogConfig": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data. When Amazon AppFlow catalogs your data, it stores metadata in a data catalog.", "SourceFlowConfig": "Contains information about the configuration of the source connector used in the flow.", "Tags": "The tags used to organize, track, or control access for your flow.", "Tasks": "A list of tasks that Amazon AppFlow performs while transferring the data in the flow run.", 
@@ -1497,7 +1589,7 @@ }, "AWS::AppFlow::Flow AggregationConfig": { "AggregationType": "Specifies whether Amazon AppFlow aggregates the flow records into a single file, or leave them unaggregated.", - "TargetFileSize": "" + "TargetFileSize": "The desired file size, in MB, for each output file that Amazon AppFlow writes to the flow destination. For each file, Amazon AppFlow attempts to achieve the size that you specify. The actual file sizes might differ from this target based on the number and size of the records that each file contains." }, "AWS::AppFlow::Flow AmplitudeSourceProperties": { "Object": "The object specified in the Amplitude flow source." @@ -1510,7 +1602,7 @@ "GoogleAnalytics": "The operation to be performed on the provided Google Analytics source fields.", "InforNexus": "The operation to be performed on the provided Infor Nexus source fields.", "Marketo": "The operation to be performed on the provided Marketo source fields.", - "Pardot": "", + "Pardot": "The operation to be performed on the provided Salesforce Pardot source fields.", "S3": "The operation to be performed on the provided Amazon S3 source fields.", "SAPOData": "The operation to be performed on the provided SAPOData source fields.", "Salesforce": "The operation to be performed on the provided Salesforce source fields.", 
@@ -1530,12 +1622,12 @@ }, "AWS::AppFlow::Flow CustomConnectorSourceProperties": { "CustomProperties": "Custom properties that are required to use the custom connector as a source.", - "DataTransferApi": "", + "DataTransferApi": "The API of the connector application that Amazon AppFlow uses to transfer your data.", "EntityName": "The entity specified in the custom connector as a source in the flow." }, "AWS::AppFlow::Flow DataTransferApi": { - "Name": "", - "Type": "" + "Name": "The name of the connector application API.", + "Type": "You can specify one of the following types:\n\n- **AUTOMATIC** - The default. Optimizes a flow for datasets that fluctuate in size from small to large. For each flow run, Amazon AppFlow chooses to use the SYNC or ASYNC API type based on the amount of data that the run transfers.\n- **SYNC** - A synchronous API. This type of API optimizes a flow for small to medium-sized datasets.\n- **ASYNC** - An asynchronous API. This type of API optimizes a flow for large datasets." }, "AWS::AppFlow::Flow DatadogSourceProperties": { "Object": "The object specified in the Datadog flow source." @@ -1556,7 +1648,7 @@ "AWS::AppFlow::Flow DestinationFlowConfig": { "ApiVersion": "The API version that the destination connector uses.", "ConnectorProfileName": "The name of the connector profile. This name must be unique for each connector profile in the AWS account .", - "ConnectorType": "The type of destination connector, such as Sales force, Amazon S3, and so on.\n\n*Allowed Values* : `EventBridge | Redshift | S3 | Salesforce | Snowflake`", + "ConnectorType": "The type of destination connector, such as Sales force, Amazon S3, and so on.", "DestinationConnectorProperties": "This stores the information that is required to query a particular connector." }, "AWS::AppFlow::Flow DynatraceSourceProperties": { 
@@ -1596,13 +1688,13 @@ "Object": "The object specified in the Marketo flow source." }, "AWS::AppFlow::Flow MetadataCatalogConfig": { - "GlueDataCatalog": "" + "GlueDataCatalog": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data with the AWS Glue Data Catalog ." }, "AWS::AppFlow::Flow PardotSourceProperties": { - "Object": "" + "Object": "The object specified in the Salesforce Pardot flow source." }, "AWS::AppFlow::Flow PrefixConfig": { - "PathPrefixHierarchy": "", + "PathPrefixHierarchy": "Specifies whether the destination file path includes either or both of the following elements:\n\n- **EXECUTION_ID** - The ID that Amazon AppFlow assigns to the flow run.\n- **SCHEMA_VERSION** - The version number of your data schema. Amazon AppFlow assigns this version number. The version number increases by one when you change any of the following settings in your flow configuration:\n\n- Source-to-destination field mappings\n- Field data types\n- Partition keys", "PrefixFormat": "Determines the level of granularity for the date and time that's included in the prefix.", "PrefixType": "Determines the format of the prefix, and whether it applies to the file name, file path, or both." }, 
@@ -1624,7 +1716,7 @@ "AggregationConfig": "The aggregation settings that you can use to customize the output format of your flow data.", "FileType": "Indicates the file type that Amazon AppFlow places in the Amazon S3 bucket.", "PrefixConfig": "Determines the prefix that Amazon AppFlow applies to the folder name in the Amazon S3 bucket. You can name folders according to the flow frequency and date.", - "PreserveSourceDataTyping": "" + "PreserveSourceDataTyping": "If your file output format is Parquet, use this parameter to set whether Amazon AppFlow preserves the data types in your source data when it writes the output to Amazon S3.\n\n- `true` : Amazon AppFlow preserves the data types when it writes to Amazon S3. For example, an integer or `1` in your source data is still an integer in your output.\n- `false` : Amazon AppFlow converts all of the source data into strings when it writes to Amazon S3. For example, an integer of `1` in your source data becomes the string `\"1\"` in the output." }, "AWS::AppFlow::Flow S3SourceProperties": { "BucketName": "The Amazon S3 bucket name where the source files are stored.", 
@@ -1638,8 +1730,16 @@ "SuccessResponseHandlingConfig": "Determines how Amazon AppFlow handles the success response that it gets from the connector after placing data.\n\nFor example, this setting would determine where to write the response from a destination connector upon a successful insert operation.", "WriteOperationType": "The possible write operations in the destination connector. When this value is not provided, this defaults to the `INSERT` operation." }, + "AWS::AppFlow::Flow SAPODataPaginationConfig": { + "maxPageSize": "" + }, + "AWS::AppFlow::Flow SAPODataParallelismConfig": { + "maxParallelism": "" + }, "AWS::AppFlow::Flow SAPODataSourceProperties": { - "ObjectPath": "The object path specified in the SAPOData flow source." + "ObjectPath": "The object path specified in the SAPOData flow source.", + "paginationConfig": "", + "parallelismConfig": "" }, "AWS::AppFlow::Flow SalesforceDestinationProperties": { "DataTransferApi": "Specifies which Salesforce API is used by Amazon AppFlow when your flow transfers data to Salesforce.\n\n- **AUTOMATIC** - The default. Amazon AppFlow selects which API to use based on the number of records that your flow transfers to Salesforce. If your flow transfers fewer than 1,000 records, Amazon AppFlow uses Salesforce REST API. If your flow transfers 1,000 records or more, Amazon AppFlow uses Salesforce Bulk API 2.0.\n\nEach of these Salesforce APIs structures data differently. If Amazon AppFlow selects the API automatically, be aware that, for recurring flows, the data output might vary from one flow run to the next. For example, if a flow runs daily, it might use REST API on one day to transfer 900 records, and it might use Bulk API 2.0 on the next day to transfer 1,100 records. For each of these flow runs, the respective Salesforce API formats the data differently. Some of the differences include how dates are formatted and null values are represented. 
Also, Bulk API 2.0 doesn't transfer Salesforce compound fields.\n\nBy choosing this option, you optimize flow performance for both small and large data transfers, but the tradeoff is inconsistent formatting in the output.\n- **BULKV2** - Amazon AppFlow uses only Salesforce Bulk API 2.0. This API runs asynchronous data transfers, and it's optimal for large sets of data. By choosing this option, you ensure that your flow writes consistent output, but you optimize performance only for large data transfers.\n\nNote that Bulk API 2.0 does not transfer Salesforce compound fields.\n- **REST_SYNC** - Amazon AppFlow uses only Salesforce REST API. By choosing this option, you ensure that your flow writes consistent output, but you decrease performance for large data transfers that are better suited for Bulk API 2.0. In some cases, if your flow attempts to transfer a vary large set of data, it might fail with a timed out error.", @@ -1657,7 +1757,7 @@ "AWS::AppFlow::Flow ScheduledTriggerProperties": { "DataPullMode": "Specifies whether a scheduled flow has an incremental data transfer or a complete data transfer for each flow run.", "FirstExecutionFrom": "Specifies the date range for the records to import from the connector in the first flow run.", - "FlowErrorDeactivationThreshold": "", + "FlowErrorDeactivationThreshold": "Defines how many times a scheduled flow fails consecutively before Amazon AppFlow deactivates it.", "ScheduleEndTime": "The time at which the scheduled flow ends. The time is formatted as a timestamp that follows the ISO 8601 standard, such as `2022-04-27T13:00:00-07:00` .", "ScheduleExpression": "The scheduling expression that determines the rate at which the schedule will run, for example `rate(5minutes)` .", "ScheduleOffset": "Specifies the optional offset that is added to the time interval for a schedule-triggered flow.", 
@@ -1687,7 +1787,7 @@ "GoogleAnalytics": "Specifies the information that is required for querying Google Analytics.", "InforNexus": "Specifies the information that is required for querying Infor Nexus.", "Marketo": "Specifies the information that is required for querying Marketo.", - "Pardot": "", + "Pardot": "Specifies the information that is required for querying Salesforce Pardot.", "S3": "Specifies the information that is required for querying Amazon S3.", "SAPOData": "The properties that are applied when using SAPOData as a flow source.", "Salesforce": "Specifies the information that is required for querying Salesforce.", @@ -1709,6 +1809,10 @@ "BucketName": "The name of the Amazon S3 bucket.", "BucketPrefix": "The Amazon S3 bucket prefix." }, + "AWS::AppFlow::Flow Tag": { + "Key": "", + "Value": "" + }, "AWS::AppFlow::Flow Task": { "ConnectorOperator": "The operation to be performed on the provided source fields.", "DestinationField": "A field in a destination connector, or a field value against which Amazon AppFlow validates a source field.", @@ -1717,7 +1821,7 @@ "TaskType": "Specifies the particular task implementation that Amazon AppFlow performs.\n\n*Allowed values* : `Arithmetic` | `Filter` | `Map` | `Map_all` | `Mask` | `Merge` | `Truncate` | `Validate`" }, "AWS::AppFlow::Flow TaskPropertiesObject": { - "Key": "The task property key.\n\n*Allowed Values* : `VALUE | VALUES | DATA_TYPE | UPPER_BOUND | LOWER_BOUND | SOURCE_DATA_TYPE | DESTINATION_DATA_TYPE | VALIDATION_ACTION | MASK_VALUE | MASK_LENGTH | TRUNCATE_LENGTH | MATH_OPERATION_FIELDS_ORDER | CONCAT_FORMAT | SUBFIELD_CATEGORY_MAP` | `EXCLUDE_SOURCE_FIELDS_LIST`", + "Key": "The task property key.", "Value": "The task property value." }, "AWS::AppFlow::Flow TrendmicroSourceProperties": { 
@@ -1772,6 +1876,10 @@ "Object": "The name of the object to pull from the data source.", "ScheduleExpression": "How often the data should be pulled from data source." }, + "AWS::AppIntegrations::DataIntegration Tag": { + "Key": "", + "Value": "" + }, "AWS::AppIntegrations::EventIntegration": { "Description": "The event integration description.", "EventBridgeBus": "The Amazon EventBridge bus for the event integration.", @@ -1782,6 +1890,10 @@ "AWS::AppIntegrations::EventIntegration EventFilter": { "Source": "The source of the events." }, + "AWS::AppIntegrations::EventIntegration Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::GatewayRoute": { "GatewayRouteName": "The name of the gateway route.", "MeshName": "The name of the service mesh that the resource resides in.", @@ -1895,6 +2007,10 @@ "Match": "The query parameter to match on.", "Name": "A name for the query parameter that will be matched on." }, + "AWS::AppMesh::GatewayRoute Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::Mesh": { "MeshName": "The name to use for the service mesh.", "Spec": "The service mesh specification to apply.", @@ -1910,6 +2026,10 @@ "EgressFilter": "The egress filter rules for the service mesh.", "ServiceDiscovery": "" }, + "AWS::AppMesh::Mesh Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::Route": { "MeshName": "The name of the service mesh to create the route in.", "MeshOwner": "The AWS IAM account ID of the service mesh owner. If the account ID is not your own, then the account that you specify must share the mesh with your account before you can create the resource in the service mesh. For more information about mesh sharing, see [Working with shared meshes](https://docs.aws.amazon.com/app-mesh/latest/userguide/sharing.html) .", 
@@ -2022,6 +2142,10 @@ "Priority": "The priority for the route. Routes are matched based on the specified value, where 0 is the highest priority.", "TcpRoute": "An object that represents the specification of a TCP route." }, + "AWS::AppMesh::Route Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::Route TcpRoute": { "Action": "The action to take if a match is determined.", "Match": "An object that represents the criteria for determining a request match.", @@ -2062,6 +2186,10 @@ "AWS::AppMesh::VirtualGateway SubjectAlternativeNames": { "Match": "An object that represents the criteria for determining a SANs match." }, + "AWS::AppMesh::VirtualGateway Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::VirtualGateway VirtualGatewayAccessLog": { "File": "The file object to send virtual gateway access logs to." }, @@ -2315,6 +2443,10 @@ "AWS::AppMesh::VirtualNode SubjectAlternativeNames": { "Match": "An object that represents the criteria for determining a SANs match." }, + "AWS::AppMesh::VirtualNode Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::VirtualNode TcpTimeout": { "Idle": "An object that represents an idle timeout. An idle timeout bounds the amount of time that a connection may be idle. The default value is none." }, @@ -2377,6 +2509,10 @@ "Port": "The port used for the port mapping.", "Protocol": "The protocol used for the port mapping. Specify one protocol." }, + "AWS::AppMesh::VirtualRouter Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::VirtualRouter VirtualRouterListener": { "PortMapping": "The port mapping information for the listener." }, 
@@ -2390,6 +2526,10 @@ "Tags": "Optional metadata that you can apply to the virtual service to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.", "VirtualServiceName": "The name to use for the virtual service." }, + "AWS::AppMesh::VirtualService Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::VirtualService VirtualNodeServiceProvider": { "VirtualNodeName": "The name of the virtual node that is acting as a service provider." }, 
@@ -2410,11 +2550,19 @@ "MinSize": "The minimum number of instances that App Runner provisions for a service. The service always has at least `MinSize` provisioned instances. Some of them actively serve traffic. The rest of them (provisioned and inactive instances) are a cost-effective compute capacity reserve and are ready to be quickly activated. You pay for memory usage of all the provisioned instances. You pay for CPU usage of only the active subset.\n\nApp Runner temporarily doubles the number of provisioned instances during deployments, to maintain the same capacity for both old and new code.", "Tags": "A list of metadata items that you can associate with your auto scaling configuration resource. A tag is a key-value pair." }, + "AWS::AppRunner::AutoScalingConfiguration Tag": { + "Key": "The key of the tag assigned to the `AutoScalingConfiguration` resource of the App Runner service.", + "Value": "The value of the tag assigned to the `AutoScalingConfiguration` resource of the App Runner service." + }, "AWS::AppRunner::ObservabilityConfiguration": { "ObservabilityConfigurationName": "A name for the observability configuration. When you use it for the first time in an AWS Region , App Runner creates revision number `1` of this name. When you use the same name in subsequent calls, App Runner creates incremental revisions of the configuration.\n\n> The name `DefaultConfiguration` is reserved. You can't use it to create a new observability configuration, and you can't create a revision of it.\n> \n> When you want to use your own observability configuration for your App Runner service, *create a configuration with a different name* , and then provide it when you create or update your service. \n\nIf you don't specify a name, AWS CloudFormation generates a name for your observability configuration.", "Tags": "A list of metadata items that you can associate with your observability configuration resource. 
A tag is a key-value pair.", "TraceConfiguration": "The configuration of the tracing feature within this observability configuration. If you don't specify it, App Runner doesn't enable tracing." }, + "AWS::AppRunner::ObservabilityConfiguration Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppRunner::ObservabilityConfiguration TraceConfiguration": { "Vendor": "The implementation provider chosen for tracing App Runner services." }, @@ -2448,7 +2596,8 @@ "AWS::AppRunner::Service CodeRepository": { "CodeConfiguration": "Configuration for building and running the service from a source code repository.\n\n> `CodeConfiguration` is required only for `CreateService` request.", "RepositoryUrl": "The location of the repository that contains the source code.", - "SourceCodeVersion": "The version that should be used within the source code repository." + "SourceCodeVersion": "The version that should be used within the source code repository.", + "SourceDirectory": "The path of the directory that stores source code and configuration files. The build and start commands also execute from here. The path is absolute from root and, if not specified, defaults to the repository root." }, "AWS::AppRunner::Service EgressConfiguration": { "EgressType": "The type of egress configuration.\n\nSet to `DEFAULT` for access to resources hosted on public networks.\n\nSet to `VPC` to associate your service to a custom VPC specified by `VpcConnectorArn` .", 
@@ -2490,7 +2639,8 @@ }, "AWS::AppRunner::Service NetworkConfiguration": { "EgressConfiguration": "Network configuration settings for outbound message traffic.", - "IngressConfiguration": "Network configuration settings for inbound message traffic." + "IngressConfiguration": "Network configuration settings for inbound message traffic.", + "IpAddressType": "App Runner provides you with the option to choose between *Internet Protocol version 4 (IPv4)* and *dual stack* (IPv4 and IPv6) for your incoming public network configuration. This is an optional parameter. If you do not specify an `IpAddressType` , it defaults to select IPv4.\n\n> Currently, App Runner supports dual stack for only Public endpoint. Only IPv4 is supported for Private endpoint. If you update a service that's using dual-stack Public endpoint to a Private endpoint, your App Runner service will default to support only IPv4 for Private endpoint and fail to receive traffic originating from IPv6 endpoint." }, "AWS::AppRunner::Service ServiceObservabilityConfiguration": { "ObservabilityConfigurationArn": "The Amazon Resource Name (ARN) of the observability configuration that is associated with the service. Specified only when `ObservabilityEnabled` is `true` .\n\nSpecify an ARN with a name and a revision number to associate that revision. For example: `arn:aws:apprunner:us-east-1:123456789012:observabilityconfiguration/xray-tracing/3`\n\nSpecify just the name to associate the latest revision. For example: `arn:aws:apprunner:us-east-1:123456789012:observabilityconfiguration/xray-tracing`", 
@@ -2506,12 +2656,20 @@ "CodeRepository": "The description of a source code repository.\n\nYou must provide either this member or `ImageRepository` (but not both).", "ImageRepository": "The description of a source image repository.\n\nYou must provide either this member or `CodeRepository` (but not both)." }, + "AWS::AppRunner::Service Tag": { + "Key": "The key of the tag assigned to an App Runner service.", + "Value": "The value of the tag assigned to an App Runner service." + }, "AWS::AppRunner::VpcConnector": { "SecurityGroups": "A list of IDs of security groups that App Runner should use for access to AWS resources under the specified subnets. If not specified, App Runner uses the default security group of the Amazon VPC. The default security group allows all outbound traffic.", "Subnets": "A list of IDs of subnets that App Runner should use when it associates your service with a custom Amazon VPC. Specify IDs of subnets of a single Amazon VPC. App Runner determines the Amazon VPC from the subnets you specify.\n\n> App Runner currently only provides support for IPv4.", "Tags": "A list of metadata items that you can associate with your VPC connector resource. A tag is a key-value pair.", "VpcConnectorName": "A name for the VPC connector.\n\nIf you don't specify a name, AWS CloudFormation generates a name for your VPC connector." }, + "AWS::AppRunner::VpcConnector Tag": { + "Key": "The key of the tag assigned to the `VpcConnector` resource of the App Runner service.", + "Value": "The value of the tag assigned to the `VpcConnector` resource of the App Runner service." + }, "AWS::AppRunner::VpcIngressConnection": { "IngressVpcConfiguration": "Specifications for the customer\u2019s Amazon VPC and the related AWS PrivateLink VPC endpoint that are used to create the VPC Ingress Connection resource.", "ServiceArn": "The Amazon Resource Name (ARN) for this App Runner service that is used to create the VPC Ingress Connection resource.", 
@@ -2522,12 +2680,16 @@ "VpcEndpointId": "The ID of the VPC endpoint that your App Runner service connects to.", "VpcId": "The ID of the VPC that is used for the VPC endpoint." }, + "AWS::AppRunner::VpcIngressConnection Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag assigned to `VpcIngressConnection` resource of the App Runner service." + }, "AWS::AppStream::AppBlock": { "Description": "The description of the app block.", "DisplayName": "The display name of the app block.", "Name": "The name of the app block.\n\n*Pattern* : `^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,100}$`", "PackagingType": "The packaging type of the app block.", - "PostSetupScriptDetails": "The post setup script details of the app block.\n\nThis only applies to app blocks with PackagingType `APPSTREAM2` .", + "PostSetupScriptDetails": "The post setup script details of the app block.", "SetupScriptDetails": "The setup script details of the app block.", "SourceS3Location": "The source S3 location of the app block.", "Tags": "The tags of the app block." 
@@ -2542,23 +2704,34 @@ "ScriptS3Location": "The S3 object location of the script.", "TimeoutInSeconds": "The run timeout, in seconds, for the script." }, + "AWS::AppStream::AppBlock Tag": { + "TagItems": "The items of the tag." + }, + "AWS::AppStream::AppBlock TagItems": { + "Key": "", + "Value": "" + }, "AWS::AppStream::AppBlockBuilder": { - "AccessEndpoints": "", - "AppBlockArns": "", + "AccessEndpoints": "The access endpoints of the app block builder.", + "AppBlockArns": "The ARN of the app block.\n\n*Maximum* : `1`", "Description": "The description of the app block builder.", "DisplayName": "The display name of the app block builder.", "EnableDefaultInternetAccess": "Indicates whether default internet access is enabled for the app block builder.", "IamRoleArn": "The ARN of the IAM role that is applied to the app block builder.", "InstanceType": "The instance type of the app block builder.", "Name": "The name of the app block builder.", - "Platform": "The platform of the app block builder.\n\n`WINDOWS_SERVER_2019` is the only valid value.", - "Tags": "", + "Platform": "The platform of the app block builder.\n\n*Allowed values* : `WINDOWS_SERVER_2019`", + "Tags": "The tags of the app block builder.", "VpcConfig": "The VPC configuration for the app block builder." }, "AWS::AppStream::AppBlockBuilder AccessEndpoint": { "EndpointType": "The type of interface endpoint.", "VpceId": "The identifier (ID) of the VPC in which the interface endpoint is used." }, + "AWS::AppStream::AppBlockBuilder Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppStream::AppBlockBuilder VpcConfig": { "SecurityGroupIds": "The identifiers of the security groups for the fleet or image builder.", "SubnetIds": "The identifiers of the subnets to which a network interface is attached from the fleet instance or image builder instance. Fleet instances use one or more subnets. Image builder instances use one subnet." 
@@ -2581,6 +2754,13 @@ "S3Bucket": "The S3 bucket of the S3 object.", "S3Key": "The S3 key of the S3 object." }, + "AWS::AppStream::Application Tag": { + "TagItems": "The items of the tag." + }, + "AWS::AppStream::Application TagItems": { + "Key": "", + "Value": "" + }, "AWS::AppStream::ApplicationEntitlementAssociation": { "ApplicationIdentifier": "The identifier of the application.", "EntitlementName": "The name of the entitlement.", 
@@ -2629,9 +2809,10 @@ "ImageName": "The name of the image used to create the fleet.", "InstanceType": "The instance type to use when launching fleet instances. The following instance types are available for non-Elastic fleets:\n\n- stream.standard.small\n- stream.standard.medium\n- stream.standard.large\n- stream.compute.large\n- stream.compute.xlarge\n- stream.compute.2xlarge\n- stream.compute.4xlarge\n- stream.compute.8xlarge\n- stream.memory.large\n- stream.memory.xlarge\n- stream.memory.2xlarge\n- stream.memory.4xlarge\n- stream.memory.8xlarge\n- stream.memory.z1d.large\n- stream.memory.z1d.xlarge\n- stream.memory.z1d.2xlarge\n- stream.memory.z1d.3xlarge\n- stream.memory.z1d.6xlarge\n- stream.memory.z1d.12xlarge\n- stream.graphics-design.large\n- stream.graphics-design.xlarge\n- stream.graphics-design.2xlarge\n- stream.graphics-design.4xlarge\n- stream.graphics-desktop.2xlarge\n- stream.graphics.g4dn.xlarge\n- stream.graphics.g4dn.2xlarge\n- stream.graphics.g4dn.4xlarge\n- stream.graphics.g4dn.8xlarge\n- stream.graphics.g4dn.12xlarge\n- stream.graphics.g4dn.16xlarge\n- stream.graphics-pro.4xlarge\n- stream.graphics-pro.8xlarge\n- stream.graphics-pro.16xlarge\n\nThe following instance types are available for Elastic fleets:\n\n- stream.standard.small\n- stream.standard.medium", "MaxConcurrentSessions": "The maximum number of concurrent sessions that can be run on an Elastic fleet. This setting is required for Elastic fleets, but is not used for other fleet types.", - "MaxUserDurationInSeconds": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 360000.", + "MaxSessionsPerInstance": "The maximum number of user sessions on an instance. 
This only applies to multi-session fleets.", + "MaxUserDurationInSeconds": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 432000.", "Name": "A unique name for the fleet.", - "Platform": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.\n\n*Allowed Values* : `WINDOWS_SERVER_2019` | `AMAZON_LINUX2`", + "Platform": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.", "SessionScriptS3Location": "The S3 location of the session scripts configuration zip file. This only applies to Elastic fleets.", "StreamView": "The AppStream 2.0 view that is displayed to your users when they stream from the fleet. When `APP` is specified, only the windows of applications opened by users display. When `DESKTOP` is specified, the standard desktop that is provided by the operating system displays.\n\nThe default value is `APP` .", "Tags": "An array of key-value pairs.", 
@@ -2639,7 +2820,8 @@ "VpcConfig": "The VPC configuration for the fleet. This is required for Elastic fleets, but not required for other fleet types." }, "AWS::AppStream::Fleet ComputeCapacity": { - "DesiredInstances": "The desired number of streaming instances." + "DesiredInstances": "The desired number of streaming instances.", + "DesiredSessions": "The desired number of user sessions for a multi-session fleet. This is not allowed for single-session fleets.\n\nWhen you create a fleet, you must set either the DesiredSessions or DesiredInstances attribute, based on the type of fleet you create. You can\u2019t define both attributes or leave both attributes blank." }, "AWS::AppStream::Fleet DomainJoinInfo": { "DirectoryName": "The fully qualified name of the directory (for example, corp.example.com).", @@ -2649,6 +2831,10 @@ "S3Bucket": "The S3 bucket of the S3 object.", "S3Key": "The S3 key of the S3 object." }, + "AWS::AppStream::Fleet Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppStream::Fleet VpcConfig": { "SecurityGroupIds": "The identifiers of the security groups for the fleet.", "SubnetIds": "The identifiers of the subnets to which a network interface is attached from the fleet instance. Fleet instances can use one or two subnets." @@ -2676,6 +2862,10 @@ "DirectoryName": "The fully qualified name of the directory (for example, corp.example.com).", "OrganizationalUnitDistinguishedName": "The distinguished name of the organizational unit for computer accounts." }, + "AWS::AppStream::ImageBuilder Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppStream::ImageBuilder VpcConfig": { "SecurityGroupIds": "The identifiers of the security groups for the image builder.", "SubnetIds": "The identifier of the subnet to which a network interface is attached from the image builder instance. An image builder instance can use one subnet." 
@@ -2712,8 +2902,13 @@ "AWS::AppStream::Stack StreamingExperienceSettings": { "PreferredProtocol": "The preferred protocol that you want to use while streaming your application." }, + "AWS::AppStream::Stack Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppStream::Stack UserSetting": { "Action": "The action that is enabled or disabled.", + "MaximumLength": "", "Permission": "Indicates whether the action is enabled or disabled." }, "AWS::AppStream::StackFleetAssociation": { @@ -2743,7 +2938,6 @@ }, "AWS::AppSync::ApiKey": { "ApiId": "Unique AWS AppSync GraphQL API ID for this API key.", - "ApiKeyId": "The API key ID.", "Description": "Unique description of your API key.", "Expires": "The time after which the API key expires. The date is represented as seconds since the epoch, rounded down to the nearest hour." }, 
@@ -2832,7 +3026,7 @@ "RequestMappingTemplateS3Location": "Describes a Sync configuration for a resolver.\n\nContains information on which Conflict Detection, as well as Resolution strategy, should be performed when the resolver is invoked.", "ResponseMappingTemplate": "The `Function` response mapping template.", "ResponseMappingTemplateS3Location": "The location of a response mapping template in an Amazon S3 bucket. Use this if you want to provision with a template file in Amazon S3 rather than embedding it in your CloudFormation template.", - "Runtime": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "Runtime": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "SyncConfig": "Describes a Sync configuration for a resolver.\n\nSpecifies which Conflict Detection strategy and Resolution strategy to use when the resolver is invoked." }, "AWS::AppSync::FunctionConfiguration AppSyncRuntime": { @@ -2889,6 +3083,10 @@ "IatTTL": "The number of milliseconds that a token is valid after it's issued to a user.", "Issuer": "The issuer for the OIDC configuration. The issuer returned by discovery must exactly match the value of `iss` in the ID token." }, + "AWS::AppSync::GraphQLApi Tag": { + "Key": "Describes the key of the tag.", + "Value": "Describes the value of the tag." + }, "AWS::AppSync::GraphQLApi UserPoolConfig": { "AppIdClientRegex": "A regular expression for validating the incoming Amazon Cognito user pool app client ID. If this value isn't set, no filtering is applied.", "AwsRegion": "The AWS Region in which the user pool was created.", 
@@ -2914,7 +3112,7 @@ "RequestMappingTemplateS3Location": "The location of a request mapping template in an Amazon S3 bucket. Use this if you want to provision with a template file in Amazon S3 rather than embedding it in your CloudFormation template.", "ResponseMappingTemplate": "The response mapping template.", "ResponseMappingTemplateS3Location": "The location of a response mapping template in an Amazon S3 bucket. Use this if you want to provision with a template file in Amazon S3 rather than embedding it in your CloudFormation template.", - "Runtime": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "Runtime": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "SyncConfig": "The `SyncConfig` for a resolver attached to a versioned data source.", "TypeName": "The GraphQL type that invokes this resolver." }, 
@@ -2949,9 +3147,9 @@ "AWS::ApplicationAutoScaling::ScalableTarget": { "MaxCapacity": "The maximum value that you plan to scale out to. When a scaling policy is in effect, Application Auto Scaling can scale out (expand) as needed to the maximum capacity limit in response to changing demand.", "MinCapacity": "The minimum value that you plan to scale in to. When a scaling policy is in effect, Application Auto Scaling can scale in (contract) as needed to the minimum capacity limit in response to changing demand.", - "ResourceId": "The identifier of the resource associated with the scalable target. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. 
This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker Serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .", + "ResourceId": "The identifier of the resource associated with the scalable target. 
This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. 
Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- SageMaker inference component - The resource type is `inference-component` and the unique identifier is the resource ID. Example: `inference-component/my-inference-component` .", "RoleARN": "Specify the Amazon Resource Name (ARN) of an Identity and Access Management (IAM) role that allows Application Auto Scaling to modify the scalable target on your behalf. This can be either an IAM service role that Application Auto Scaling can assume to make calls to other AWS resources on your behalf, or a service-linked role for the specified service. 
For more information, see [How Application Auto Scaling works with IAM](https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html) in the *Application Auto Scaling User Guide* .\n\nTo automatically create a service-linked role (recommended), specify the full ARN of the service-linked role in your stack template. To find the exact ARN of the service-linked role for your AWS or custom resource, see the [Service-linked roles](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-service-linked-roles.html) topic in the *Application Auto Scaling User Guide* . Look for the ARN in the table at the bottom of the page.", - "ScalableDimension": "The scalable dimension associated with the scalable target. This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. 
Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- `elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker Serverless endpoint.", + "ScalableDimension": "The scalable dimension associated with the scalable target. 
This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- 
`elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker serverless endpoint.\n- `sagemaker:inference-component:DesiredCopyCount` - The number of copies across an endpoint for a SageMaker inference component.", "ScheduledActions": "The scheduled actions for the scalable target. Duplicates aren't allowed.", "ServiceNamespace": "The namespace of the AWS service that provides the resource, or a `custom-resource` .", "SuspendedState": "An embedded object that contains attributes and attribute values that are used to suspend and resume automatic scaling. Setting the value of an attribute to `true` suspends the specified scaling activities. Setting it to `false` (default) resumes the specified scaling activities.\n\n*Suspension Outcomes*\n\n- For `DynamicScalingInSuspended` , while a suspension is in effect, all scale-in activities that are triggered by a scaling policy are suspended.\n- For `DynamicScalingOutSuspended` , while a suspension is in effect, all scale-out activities that are triggered by a scaling policy are suspended.\n- For `ScheduledScalingSuspended` , while a suspension is in effect, all scaling activities that involve scheduled actions are suspended." 
@@ -2976,8 +3174,8 @@ "AWS::ApplicationAutoScaling::ScalingPolicy": { "PolicyName": "The name of the scaling policy.\n\nUpdates to the name of a target tracking scaling policy are not supported, unless you also update the metric used for scaling. To change only a target tracking scaling policy's name, first delete the policy by removing the existing `AWS::ApplicationAutoScaling::ScalingPolicy` resource from the template and updating the stack. Then, recreate the resource with the same settings and a different name.", "PolicyType": "The scaling policy type.\n\nThe following policy types are supported:\n\n`TargetTrackingScaling` \u2014Not supported for Amazon EMR\n\n`StepScaling` \u2014Not supported for DynamoDB, Amazon Comprehend, Lambda, Amazon Keyspaces, Amazon MSK, Amazon ElastiCache, or Neptune.", - "ResourceId": "The identifier of the resource associated with the scaling policy. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. 
Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. 
Example: `cluster:mycluster` .\n- SageMaker Serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .", - "ScalableDimension": "The scalable dimension. This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. 
Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- `elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker Serverless endpoint.", + "ResourceId": "The identifier of the resource associated with the scaling policy. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. 
Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . 
Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- SageMaker inference component - The resource type is `inference-component` and the unique identifier is the resource ID. Example: `inference-component/my-inference-component` .", + "ScalableDimension": "The scalable dimension. 
This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- 
`elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker serverless endpoint.\n- `sagemaker:inference-component:DesiredCopyCount` - The number of copies across an endpoint for a SageMaker inference component.", "ScalingTargetId": "The CloudFormation-generated ID of an Application Auto Scaling scalable target. For more information about the ID, see the Return Value section of the `AWS::ApplicationAutoScaling::ScalableTarget` resource.\n\n> You must specify either the `ScalingTargetId` property, or the `ResourceId` , `ScalableDimension` , and `ServiceNamespace` properties, but not both.", "ServiceNamespace": "The namespace of the AWS service that provides the resource, or a `custom-resource` .", "StepScalingPolicyConfiguration": "A step scaling policy.", 
@@ -2986,6 +3184,7 @@ "AWS::ApplicationAutoScaling::ScalingPolicy CustomizedMetricSpecification": { "Dimensions": "The dimensions of the metric.\n\nConditional: If you published your metric with dimensions, you must specify the same dimensions in your scaling policy.", "MetricName": "The name of the metric. To get the exact metric name, namespace, and dimensions, inspect the [Metric](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_Metric.html) object that's returned by a call to [ListMetrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html) .", + "Metrics": "The metrics to include in the target tracking scaling policy, as a metric data query. This can include both raw metric and metric math expressions.", "Namespace": "The namespace of the metric.", "Statistic": "The statistic of the metric.", "Unit": "The unit of the metric. For a complete list of the units that CloudWatch supports, see the [MetricDatum](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_MetricDatum.html) data type in the *Amazon CloudWatch API Reference* ." 
@@ -3005,17 +3204,38 @@ }, "AWS::ApplicationAutoScaling::ScalingPolicy StepScalingPolicyConfiguration": { "AdjustmentType": "Specifies whether the `ScalingAdjustment` value in the `StepAdjustment` property is an absolute number or a percentage of the current capacity.", - "Cooldown": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", + "Cooldown": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/step-scaling-policy-overview.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", "MetricAggregationType": "The aggregation type for the CloudWatch metrics. Valid values are `Minimum` , `Maximum` , and `Average` . If the aggregation type is null, the value is treated as `Average` .", "MinAdjustmentMagnitude": "The minimum value to scale by when the adjustment type is `PercentChangeInCapacity` . For example, suppose that you create a step scaling policy to scale out an Amazon ECS service by 25 percent and you specify a `MinAdjustmentMagnitude` of 2. If the service has 4 tasks and the scaling policy is performed, 25 percent of 4 is 1. However, because you specified a `MinAdjustmentMagnitude` of 2, Application Auto Scaling scales out the service by 2 tasks.", "StepAdjustments": "A set of adjustments that enable you to scale based on the size of the alarm breach.\n\nAt least one step adjustment is required if you are adding a new step scaling policy configuration." 
}, + "AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingMetric": { + "Dimensions": "The dimensions for the metric. For the list of available dimensions, see the AWS documentation available from the table in [AWS services that publish CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html) in the *Amazon CloudWatch User Guide* .\n\nConditional: If you published your metric with dimensions, you must specify the same dimensions in your scaling policy.", + "MetricName": "The name of the metric.", + "Namespace": "The namespace of the metric. For more information, see the table in [AWS services that publish CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html) in the *Amazon CloudWatch User Guide* ." + }, + "AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingMetricDataQuery": { + "Expression": "The math expression to perform on the returned data, if this object is performing a math expression. This expression can use the `Id` of the other metrics to refer to those metrics, and can also use the `Id` of other expressions to use the result of those expressions.\n\nConditional: Within each `TargetTrackingMetricDataQuery` object, you must specify either `Expression` or `MetricStat` , but not both.", + "Id": "A short name that identifies the object's results in the response. This name must be unique among all `MetricDataQuery` objects specified for a single scaling policy. If you are performing math expressions on this set of data, this name represents that data and can serve as a variable in the mathematical expression. The valid characters are letters, numbers, and underscores. The first character must be a lowercase letter.", + "Label": "A human-readable label for this metric or expression. 
This is especially useful if this is a math expression, so that you know what the value represents.", + "MetricStat": "Information about the metric data to return.\n\nConditional: Within each `MetricDataQuery` object, you must specify either `Expression` or `MetricStat` , but not both.", + "ReturnData": "Indicates whether to return the timestamps and raw data values of this metric.\n\nIf you use any math expressions, specify `true` for this value for only the final math expression that the metric specification is based on. You must specify `false` for `ReturnData` for all the other metrics and expressions used in the metric specification.\n\nIf you are only retrieving metrics and not performing any math expressions, do not specify anything for `ReturnData` . This sets it to its default ( `true` )." + }, + "AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingMetricDimension": { + "Name": "The name of the dimension.", + "Value": "The value of the dimension." + }, + "AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingMetricStat": { + "Metric": "The CloudWatch metric to return, including the metric name, namespace, and dimensions. To get the exact metric name, namespace, and dimensions, inspect the [Metric](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_Metric.html) object that is returned by a call to [ListMetrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html) .", + "Stat": "The statistic to return. It can include any CloudWatch statistic or extended statistic. For a list of valid values, see the table in [Statistics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Statistic) in the *Amazon CloudWatch User Guide* .\n\nThe most commonly used metric for scaling is `Average` .", + "Unit": "The unit to use for the returned data points. 
For a complete list of the units that CloudWatch supports, see the [MetricDatum](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_MetricDatum.html) data type in the *Amazon CloudWatch API Reference* ." + }, "AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingScalingPolicyConfiguration": { "CustomizedMetricSpecification": "A customized metric. You can specify either a predefined metric or a customized metric.", "DisableScaleIn": "Indicates whether scale in by the target tracking scaling policy is disabled. If the value is `true` , scale in is disabled and the target tracking scaling policy won't remove capacity from the scalable target. Otherwise, scale in is enabled and the target tracking scaling policy can remove capacity from the scalable target. The default value is `false` .", "PredefinedMetricSpecification": "A predefined metric. You can specify either a predefined metric or a customized metric.", - "ScaleInCooldown": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", - "ScaleOutCooldown": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "ScaleInCooldown": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. 
For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "ScaleOutCooldown": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "TargetValue": "The target value for the metric. Although this property accepts numbers of type Double, it won't accept values that are either too small or too large. Values must be in the range of -2^360 to 2^360. The value must be a valid number based on the choice of metric. For example, if the metric is CPU utilization, then the target value is a percent value that represents how much of the CPU can be used before scaling out." }, "AWS::ApplicationInsights::Application": { 
@@ -3102,6 +3322,10 @@ "SubComponentConfigurationDetails": "The configuration settings of the sub-components.", "SubComponentType": "The sub-component type." }, + "AWS::ApplicationInsights::Application Tag": { + "Key": "One part of a key-value pair that defines a tag. The maximum length of a tag key is 128 characters. The minimum length is 1 character.", + "Value": "The optional part of a key-value pair that defines a tag. The maximum length of a tag value is 256 characters. The minimum length is 0 characters. If you don't want an application to have a specific tag value, don't specify a value for this parameter." + }, "AWS::ApplicationInsights::Application WindowsEvent": { "EventLevels": "The levels of event to log. You must specify each level to log. Possible values include `INFORMATION` , `WARNING` , `ERROR` , `CRITICAL` , and `VERBOSE` . This field is required for each type of Windows Event to log.", "EventName": "The type of Windows Events to log, equivalent to the Windows Event log channel name. For example, System, Security, CustomEventName, and so on. This field is required for each type of Windows event to log.", 
@@ -3120,13 +3344,21 @@ "AWS::Athena::CapacityReservation CapacityAssignmentConfiguration": { "CapacityAssignments": "The list of assignments that make up the capacity assignment configuration." }, + "AWS::Athena::CapacityReservation Tag": { + "Key": "A tag key. The tag key length is from 1 to 128 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag keys are case-sensitive and must be unique per resource.", + "Value": "A tag value. The tag value length is from 0 to 256 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag values are case-sensitive." + }, "AWS::Athena::DataCatalog": { "Description": "A description of the data catalog.", "Name": "The name of the data catalog. The catalog name must be unique for the AWS account and can use a maximum of 128 alphanumeric, underscore, at sign, or hyphen characters.", - "Parameters": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. 
The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.\n- Queries that specify a GLUE data catalog other than the default `AwsDataCatalog` must be run on Athena engine version 2.\n- In Regions where Athena engine version 2 is not available, creating new GLUE data catalogs results in an `INVALID_INPUT` error.", + "Parameters": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.", "Tags": "The tags (key-value pairs) to associate with this resource.", "Type": "The type of data catalog: `LAMBDA` for a federated catalog, `GLUE` for AWS Glue Catalog, or `HIVE` for an external hive metastore." 
}, + "AWS::Athena::DataCatalog Tag": { + "Key": "A tag key. The tag key length is from 1 to 128 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag keys are case-sensitive and must be unique per resource.", + "Value": "A tag value. The tag value length is from 0 to 256 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag values are case-sensitive." + }, "AWS::Athena::NamedQuery": { "Database": "The database to which the query belongs.", "Description": "The query description.", 
@@ -3152,7 +3384,7 @@ "S3AclOption": "The Amazon S3 canned ACL that Athena should specify when storing query results. Currently the only supported canned ACL is `BUCKET_OWNER_FULL_CONTROL` . If a query runs in a workgroup and the workgroup overrides client-side settings, then the Amazon S3 canned ACL specified in the workgroup's settings is used for all queries that run in the workgroup. For more information about Amazon S3 canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* ." }, "AWS::Athena::WorkGroup CustomerContentEncryptionConfiguration": { - "KmsKey": "The KMS key that is used to encrypt the user's data stores in Athena." + "KmsKey": "The customer managed KMS key that is used to encrypt the user's data stores in Athena." }, "AWS::Athena::WorkGroup EncryptionConfiguration": { "EncryptionOption": "Indicates whether Amazon S3 server-side encryption with Amazon S3-managed keys ( `SSE_S3` ), server-side encryption with KMS-managed keys ( `SSE_KMS` ), or client-side encryption with KMS-managed keys ( `CSE_KMS` ) is used.\n\nIf a query runs in a workgroup and the workgroup overrides client-side settings, then the workgroup's setting for encryption is used. It specifies whether query results must be encrypted, for all queries that run in this workgroup.", 
@@ -3168,6 +3400,20 @@ "ExpectedBucketOwner": "The account ID that you expect to be the owner of the Amazon S3 bucket specified by `ResultConfiguration:OutputLocation` . If set, Athena uses the value for `ExpectedBucketOwner` when it makes Amazon S3 calls to your specified output location. If the `ExpectedBucketOwner` account ID does not match the actual owner of the Amazon S3 bucket, the call fails with a permissions error.\n\nThis is a client-side setting. If workgroup settings override client-side settings, then the query uses the `ExpectedBucketOwner` setting that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See `EnforceWorkGroupConfiguration` .", "OutputLocation": "The location in Amazon S3 where your query results are stored, such as `s3://path/to/query/bucket/` . To run a query, you must specify the query results location using either a client-side setting for individual queries or a location specified by the workgroup. If workgroup settings override client-side settings, then the query uses the location specified for the workgroup. If no query location is set, Athena issues an error. For more information, see [Working with Query Results, Output Files, and Query History](https://docs.aws.amazon.com/athena/latest/ug/querying.html) and `EnforceWorkGroupConfiguration` ." }, + "AWS::Athena::WorkGroup ResultConfigurationUpdates": { + "AclConfiguration": "The ACL configuration for the query results.", + "EncryptionConfiguration": "The encryption configuration for the query results.", + "ExpectedBucketOwner": "The AWS account ID that you expect to be the owner of the Amazon S3 bucket specified by `ResultConfiguration$OutputLocation` . If set, Athena uses the value for `ExpectedBucketOwner` when it makes Amazon S3 calls to your specified output location. 
If the `ExpectedBucketOwner` AWS account ID does not match the actual owner of the Amazon S3 bucket, the call fails with a permissions error.\n\nIf workgroup settings override client-side settings, then the query uses the `ExpectedBucketOwner` setting that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See `WorkGroupConfiguration$EnforceWorkGroupConfiguration` and [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", + "OutputLocation": "The location in Amazon S3 where your query results are stored, such as `s3://path/to/query/bucket/` . For more information, see [Query Results](https://docs.aws.amazon.com/athena/latest/ug/querying.html) If workgroup settings override client-side settings, then the query uses the location for the query results and the encryption configuration that are specified for the workgroup. The \"workgroup settings override\" is specified in EnforceWorkGroupConfiguration (true/false) in the WorkGroupConfiguration. See `EnforceWorkGroupConfiguration` .", + "RemoveAclConfiguration": "If set to `true` , indicates that the previously-specified ACL configuration for queries in this workgroup should be ignored and set to null. If set to `false` or not set, and a value is present in the `AclConfiguration` of `ResultConfigurationUpdates` , the `AclConfiguration` in the workgroup's `ResultConfiguration` is updated with the new value. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", + "RemoveEncryptionConfiguration": "If set to \"true\", indicates that the previously-specified encryption configuration (also known as the client-side setting) for queries in this workgroup should be ignored and set to null. 
If set to \"false\" or not set, and a value is present in the EncryptionConfiguration in ResultConfigurationUpdates (the client-side setting), the EncryptionConfiguration in the workgroup's ResultConfiguration will be updated with the new value. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", + "RemoveExpectedBucketOwner": "If set to \"true\", removes the AWS account ID previously specified for `ResultConfiguration$ExpectedBucketOwner` . If set to \"false\" or not set, and a value is present in the `ExpectedBucketOwner` in `ResultConfigurationUpdates` (the client-side setting), the `ExpectedBucketOwner` in the workgroup's `ResultConfiguration` is updated with the new value. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", + "RemoveOutputLocation": "If set to \"true\", indicates that the previously-specified query results location (also known as a client-side setting) for queries in this workgroup should be ignored and set to null. If set to \"false\" or not set, and a value is present in the OutputLocation in ResultConfigurationUpdates (the client-side setting), the OutputLocation in the workgroup's ResultConfiguration will be updated with the new value. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) ." + }, + "AWS::Athena::WorkGroup Tag": { + "Key": "A tag key. The tag key length is from 1 to 128 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag keys are case-sensitive and must be unique per resource.", + "Value": "A tag value. The tag value length is from 0 to 256 Unicode characters in UTF-8. 
You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag values are case-sensitive." + }, "AWS::Athena::WorkGroup WorkGroupConfiguration": { "AdditionalConfiguration": "Specifies a user defined JSON string that is passed to the session engine.", "BytesScannedCutoffPerQuery": "The upper limit (cutoff) for the amount of bytes a single query in a workgroup is allowed to scan. No default is defined.\n\n> This property currently supports integer types. Support for long values is planned.", @@ -3224,6 +3470,10 @@ "AwsAccounts": "The AWS accounts that are included in the scope of the assessment.", "AwsServices": "The AWS services that are included in the scope of the assessment." }, + "AWS::AuditManager::Assessment Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "One part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::AutoScaling::AutoScalingGroup": { "AutoScalingGroupName": "The name of the Auto Scaling group. This name must be unique per Region per account.\n\nThe name can contain any ASCII character 33 to 126 including most punctuation characters, digits, and upper and lowercased letters.\n\n> You cannot use a colon (:) in the name.", "AvailabilityZones": "A list of Availability Zones where instances in the Auto Scaling group can be created. Used for launching into the default VPC subnet in each Availability Zone when not using the `VPCZoneIdentifier` property, or for attaching a network interface when an existing network interface ID is specified in a launch template.", 
@@ -3236,6 +3486,7 @@ "HealthCheckGracePeriod": "The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service and marking it unhealthy due to a failed health check. This is useful if your instances do not immediately pass their health checks after they enter the `InService` state. For more information, see [Set the health check grace period for an Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/health-check-grace-period.html) in the *Amazon EC2 Auto Scaling User Guide* .\n\nDefault: `0` seconds", "HealthCheckType": "A comma-separated value string of one or more health check types.\n\nThe valid values are `EC2` , `ELB` , and `VPC_LATTICE` . `EC2` is the default health check and cannot be disabled. For more information, see [Health checks for Auto Scaling instances](https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html) in the *Amazon EC2 Auto Scaling User Guide* .\n\nOnly specify `EC2` if you must clear a value that was previously set.", "InstanceId": "The ID of the instance used to base the launch configuration on. For more information, see [Create an Auto Scaling group using an EC2 instance](https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-from-instance.html) in the *Amazon EC2 Auto Scaling User Guide* .\n\nIf you specify `LaunchTemplate` , `MixedInstancesPolicy` , or `LaunchConfigurationName` , don't specify `InstanceId` .", + "InstanceMaintenancePolicy": "An instance maintenance policy. 
For more information, see [Set instance maintenance policy](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-instance-maintenance-policy.html) in the *Amazon EC2 Auto Scaling User Guide* .", "LaunchConfigurationName": "The name of the launch configuration to use to launch instances.\n\nRequired only if you don't specify `LaunchTemplate` , `MixedInstancesPolicy` , or `InstanceId` .", "LaunchTemplate": "Information used to specify the launch template and version to use to launch instances. You can alternatively associate a launch template to the Auto Scaling group by specifying a `MixedInstancesPolicy` . For more information about creating launch templates, see [Create a launch template for an Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-template.html) in the *Amazon EC2 Auto Scaling User Guide* .\n\nIf you omit this property, you must specify `MixedInstancesPolicy` , `LaunchConfigurationName` , or `InstanceId` .", "LifecycleHookSpecificationList": "One or more lifecycle hooks to add to the Auto Scaling group before instances are launched.", 
@@ -3266,6 +3517,10 @@ "Max": "The maximum value in Mbps.", "Min": "The minimum value in Mbps." }, + "AWS::AutoScaling::AutoScalingGroup InstanceMaintenancePolicy": { + "MaxHealthyPercentage": "Specifies the upper threshold as a percentage of the desired capacity of the Auto Scaling group. It represents the maximum percentage of the group that can be in service and healthy, or pending, to support your workload when replacing instances. Value range is 100 to 200. After it's set, a value of `-1` will clear the previously set value.\n\nBoth `MinHealthyPercentage` and `MaxHealthyPercentage` must be specified, and the difference between them cannot be greater than 100. A large range increases the number of instances that can be replaced at the same time.", + "MinHealthyPercentage": "Specifies the lower threshold as a percentage of the desired capacity of the Auto Scaling group. It represents the minimum percentage of the group to keep in service, healthy, and ready to use to support your workload when replacing instances. Value range is 0 to 100. After it's set, a value of `-1` will clear the previously set value." + }, "AWS::AutoScaling::AutoScalingGroup InstanceRequirements": { "AcceleratorCount": "The minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips) for an instance type.\n\nTo exclude accelerator-enabled instance types, set `Max` to `0` .\n\nDefault: No minimum or maximum limits", "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", 
@@ -3312,7 +3567,7 @@ "AWS::AutoScaling::AutoScalingGroup LaunchTemplateSpecification": { "LaunchTemplateId": "The ID of the launch template.\n\nYou must specify the `LaunchTemplateID` or the `LaunchTemplateName` , but not both.", "LaunchTemplateName": "The name of the launch template.\n\nYou must specify the `LaunchTemplateName` or the `LaunchTemplateID` , but not both.", - "Version": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html#aws-properties-as-group--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource." + "Version": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-autoscaling-autoscalinggroup.html#aws-resource-autoscaling-autoscalinggroup--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource." }, "AWS::AutoScaling::AutoScalingGroup LifecycleHookSpecification": { "DefaultResult": "The action the Auto Scaling group takes when the lifecycle hook timeout elapses or if an unexpected failure occurs. 
The default value is `ABANDON` .\n\nValid values: `CONTINUE` | `ABANDON`", @@ -3564,7 +3819,7 @@ }, "AWS::AutoScalingPlans::ScalingPlan ScalingInstruction": { "CustomizedLoadMetricSpecification": "The customized load metric to use for predictive scaling. This property or a *PredefinedLoadMetricSpecification* is required when configuring predictive scaling, and cannot be used otherwise.", - "DisableDynamicScaling": "Controls whether dynamic scaling by AWS Auto Scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", + "DisableDynamicScaling": "Controls whether dynamic scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", "MaxCapacity": "The maximum capacity of the resource. The exception to this upper limit is if you specify a non-default setting for *PredictiveScalingMaxCapacityBehavior* .", "MinCapacity": "The minimum capacity of the resource.", "PredefinedLoadMetricSpecification": "The predefined load metric to use for predictive scaling. This property or a *CustomizedLoadMetricSpecification* is required when configuring predictive scaling, and cannot be used otherwise.", 
@@ -3573,7 +3828,7 @@ "PredictiveScalingMode": "The predictive scaling mode. The default value is `ForecastAndScale` . Otherwise, AWS Auto Scaling forecasts capacity but does not apply any scheduled scaling actions based on the capacity forecast.", "ResourceId": "The ID of the resource. This string consists of the resource type and unique identifier.\n\n- Auto Scaling group - The resource type is `autoScalingGroup` and the unique identifier is the name of the Auto Scaling group. Example: `autoScalingGroup/my-asg` .\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet request - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the resource ID. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the resource ID. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. 
Example: `cluster:my-db-cluster` .", "ScalableDimension": "The scalable dimension associated with the resource.\n\n- `autoscaling:autoScalingGroup:DesiredCapacity` - The desired capacity of an Auto Scaling group.\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet request.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.", - "ScalingPolicyUpdateBehavior": "Controls whether your scaling policies that are external to AWS Auto Scaling are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", + "ScalingPolicyUpdateBehavior": "Controls whether a resource's externally created scaling policies are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", "ScheduledActionBufferTime": "The amount of time, in seconds, to buffer the run time of scheduled scaling actions when scaling out. For example, if the forecast says to add capacity at 10:00 AM, and the buffer time is 5 minutes, then the run time of the corresponding scheduled scaling action will be 9:55 AM. The intention is to give resources time to be provisioned. For example, it can take a few minutes to launch an EC2 instance. 
The actual amount of time required depends on several factors, such as the size of the instance and whether there are startup scripts to complete.\n\nThe value must be less than the forecast interval duration of 3600 seconds (60 minutes). The default is 300 seconds.\n\nValid only when configuring predictive scaling.", "ServiceNamespace": "The namespace of the AWS service.", "TargetTrackingConfigurations": "The target tracking configurations (up to 10). Each of these structures must specify a unique scaling metric and a target value for the metric." 
@@ -3591,6 +3846,82 @@ "ScaleOutCooldown": "The amount of time, in seconds, after a scale-out activity completes before another scale-out activity can start. This value is not used if the scalable resource is an Auto Scaling group.", "TargetValue": "The target value for the metric. Although this property accepts numbers of type Double, it won't accept values that are either too small or too large. Values must be in the range of -2^360 to 2^360." }, + "AWS::B2BI::Capability": { + "Configuration": "Specifies a structure that contains the details for a capability.", + "InstructionsDocuments": "Specifies one or more locations in Amazon S3, each specifying an EDI document that can be used with this capability. Each item contains the name of the bucket and the key, to identify the document's location.", + "Name": "The display name of the capability.", + "Tags": "Specifies the key-value pairs assigned to ARNs that you can use to group and search for resources by type. You can attach this metadata to resources (capabilities, partnerships, and so on) for any purpose.", + "Type": "Returns the type of the capability. Currently, only `edi` is supported." + }, + "AWS::B2BI::Capability CapabilityConfiguration": { + "Edi": "An EDI (electronic data interchange) configuration object." + }, + "AWS::B2BI::Capability EdiConfiguration": { + "InputLocation": "Contains the Amazon S3 bucket and prefix for the location of the input file, which is contained in an `S3Location` object.", + "OutputLocation": "Contains the Amazon S3 bucket and prefix for the location of the output file, which is contained in an `S3Location` object.", + "TransformerId": "Returns the system-assigned unique identifier for the transformer.", + "Type": "Returns the type of the capability. Currently, only `edi` is supported." + }, + "AWS::B2BI::Capability EdiType": { + "X12Details": "Returns the details for the EDI standard that is being used for the transformer. Currently, only X12 is supported. 
X12 is a set of standards and corresponding messages that define specific business documents." + }, + "AWS::B2BI::Capability S3Location": { + "BucketName": "Specifies the name of the Amazon S3 bucket.", + "Key": "Specifies the Amazon S3 key for the file location." + }, + "AWS::B2BI::Capability Tag": { + "Key": "Specifies the name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name that you create." + }, + "AWS::B2BI::Capability X12Details": { + "TransactionSet": "Returns an enumerated type where each value identifies an X12 transaction set. Transaction sets are maintained by the X12 Accredited Standards Committee.", + "Version": "Returns the version to use for the specified X12 transaction set. Supported versions are `4010` , `4030` , and `5010` ." + }, + "AWS::B2BI::Partnership": { + "Capabilities": "Returns one or more capabilities associated with this partnership.", + "Email": "", + "Name": "Returns the name of the partnership.", + "Phone": "", + "ProfileId": "Returns the unique, system-generated identifier for the profile connected to this partnership.", + "Tags": "A key-value pair for a specific partnership. Tags are metadata that you can use to search for and group capabilities for various purposes." + }, + "AWS::B2BI::Partnership Tag": { + "Key": "Specifies the name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name that you create." + }, + "AWS::B2BI::Profile": { + "BusinessName": "Returns the name for the business associated with this profile.", + "Email": "", + "Logging": "Specifies whether or not logging is enabled for this profile.", + "Name": "Returns the display name for profile.", + "Phone": "", + "Tags": "A key-value pair for a specific profile. Tags are metadata that you can use to search for and group capabilities for various purposes." 
+ }, + "AWS::B2BI::Profile Tag": { + "Key": "Specifies the name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name that you create." + }, + "AWS::B2BI::Transformer": { + "EdiType": "Returns the details for the EDI standard that is being used for the transformer. Currently, only X12 is supported. X12 is a set of standards and corresponding messages that define specific business documents.", + "FileFormat": "Returns that the currently supported file formats for EDI transformations are `JSON` and `XML` .", + "MappingTemplate": "Returns a sample EDI document that is used by a transformer as a guide for processing the EDI data.", + "ModifiedAt": "Returns a timestamp representing the date and time for the most recent change for the transformer object.", + "Name": "Returns the descriptive name for the transformer.", + "SampleDocument": "Returns a sample EDI document that is used by a transformer as a guide for processing the EDI data.", + "Status": "Returns the state of the newly created transformer. The transformer can be either `active` or `inactive` . For the transformer to be used in a capability, its status must `active` .", + "Tags": "A key-value pair for a specific transformer. Tags are metadata that you can use to search for and group capabilities for various purposes." + }, + "AWS::B2BI::Transformer EdiType": { + "X12Details": "Returns the details for the EDI standard that is being used for the transformer. Currently, only X12 is supported. X12 is a set of standards and corresponding messages that define specific business documents." + }, + "AWS::B2BI::Transformer Tag": { + "Key": "Specifies the name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name that you create." + }, + "AWS::B2BI::Transformer X12Details": { + "TransactionSet": "Returns an enumerated type where each value identifies an X12 transaction set. 
Transaction sets are maintained by the X12 Accredited Standards Committee.", + "Version": "Returns the version to use for the specified X12 transaction set. Supported versions are `4010` , `4030` , and `5010` ." + }, "AWS::Backup::BackupPlan": { "BackupPlan": "Uniquely identifies the backup plan to be associated with the selection of resources.", "BackupPlanTags": "To help organize your resources, you can assign your own metadata to the resources that you create. Each tag is a key-value pair. The specified tags are assigned to all backups created with this plan." @@ -3612,6 +3943,7 @@ "RecoveryPointTags": "To help organize your resources, you can assign your own metadata to the resources that you create. Each tag is a key-value pair.", "RuleName": "A display name for a backup rule.", "ScheduleExpression": "A CRON expression specifying when AWS Backup initiates a backup job.", + "ScheduleExpressionTimezone": "", "StartWindowMinutes": "An optional value that specifies a period of time in minutes after a backup is scheduled before a job is canceled if it doesn't start successfully.\n\nIf this value is included, it must be at least 60 minutes to avoid errors.", "TargetBackupVault": "The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the AWS Region where they are created. They consist of letters, numbers, and hyphens." }, 
@@ -3685,7 +4017,11 @@ "AWS::Backup::Framework FrameworkControl": { "ControlInputParameters": "A list of `ParameterName` and `ParameterValue` pairs.", "ControlName": "The name of a control. This name is between 1 and 256 characters.", - "ControlScope": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans. For more information, see [`ControlScope` .](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_ControlScope.html)" + "ControlScope": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans." + }, + "AWS::Backup::Framework Tag": { + "Key": "", + "Value": "" }, "AWS::Backup::ReportPlan": { "ReportDeliveryChannel": "Contains information about where and how to deliver your reports, specifically your Amazon S3 bucket name, S3 key prefix, and the formats of your reports.", 
@@ -3706,6 +4042,47 @@ "Regions": "These are the Regions to be included in the report.", "ReportTemplate": "Identifies the report template for the report. Reports are built using a report template. The report templates are:\n\n`RESOURCE_COMPLIANCE_REPORT | CONTROL_COMPLIANCE_REPORT | BACKUP_JOB_REPORT | COPY_JOB_REPORT | RESTORE_JOB_REPORT`" }, + "AWS::Backup::ReportPlan Tag": { + "Key": "", + "Value": "" + }, + "AWS::Backup::RestoreTestingPlan": { + "RecoveryPointSelection": "The specified criteria to assign a set of resources, such as recovery point types or backup vaults.", + "RestoreTestingPlanName": "This is the restore testing plan name.", + "ScheduleExpression": "A CRON expression in specified timezone when a restore testing plan is executed.", + "ScheduleExpressionTimezone": "Optional. This is the timezone in which the schedule expression is set. By default, ScheduleExpressions are in UTC. You can modify this to a specified timezone.", + "StartWindowHours": "Defaults to 24 hours.\n\nA value in hours after a restore test is scheduled before a job will be canceled if it doesn't start successfully. This value is optional. If this value is included, this parameter has a maximum value of 168 hours (one week).", + "Tags": "" + }, + "AWS::Backup::RestoreTestingPlan RestoreTestingRecoveryPointSelection": { + "Algorithm": "Acceptable values include \"LATEST_WITHIN_WINDOW\" or \"RANDOM_WITHIN_WINDOW\"", + "ExcludeVaults": "Accepted values include specific ARNs or list of selectors. Defaults to empty list if not listed.", + "IncludeVaults": "Accepted values include wildcard [\"*\"] or by specific ARNs or ARN wilcard replacement [\"arn:aws:backup:us-west-2:123456789012:backup-vault:asdf\", ...] [\"arn:aws:backup:*:*:backup-vault:asdf-*\", ...]", + "RecoveryPointTypes": "These are the types of recovery points.", + "SelectionWindowDays": "Accepted values are integers from 1 to 365." 
+ }, + "AWS::Backup::RestoreTestingPlan Tag": { + "Key": "", + "Value": "" + }, + "AWS::Backup::RestoreTestingSelection": { + "IamRoleArn": "The Amazon Resource Name (ARN) of the IAM role that AWS Backup uses to create the target resource; for example: `arn:aws:iam::123456789012:role/S3Access` .", + "ProtectedResourceArns": "You can include specific ARNs, such as `ProtectedResourceArns: [\"arn:aws:...\", \"arn:aws:...\"]` or you can include a wildcard: `ProtectedResourceArns: [\"*\"]` , but not both.", + "ProtectedResourceConditions": "In a resource testing selection, this parameter filters by specific conditions such as `StringEquals` or `StringNotEquals` .", + "ProtectedResourceType": "The type of AWS resource included in a resource testing selection; for example, an Amazon EBS volume or an Amazon RDS database.", + "RestoreMetadataOverrides": "You can override certain restore metadata keys by including the parameter `RestoreMetadataOverrides` in the body of `RestoreTestingSelection` . Key values are not case sensitive.\n\nSee the complete list of [restore testing inferred metadata](https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing-inferred-metadata.html) .", + "RestoreTestingPlanName": "The RestoreTestingPlanName is a unique string that is the name of the restore testing plan.", + "RestoreTestingSelectionName": "This is the unique name of the restore testing selection that belongs to the related restore testing plan.", + "ValidationWindowHours": "This is amount of hours (1 to 168) available to run a validation script on the data. The data will be deleted upon the completion of the validation script or the end of the specified retention period, whichever comes first." + }, + "AWS::Backup::RestoreTestingSelection KeyValue": { + "Key": "The tag key (String). The key can't start with `aws:` .\n\nLength Constraints: Minimum length of 1. 
Maximum length of 128.\n\nPattern: `^(?![aA]{1}[wW]{1}[sS]{1}:)([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]+)$`", + "Value": "The value of the key.\n\nLength Constraints: Maximum length of 256.\n\nPattern: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$`" + }, + "AWS::Backup::RestoreTestingSelection ProtectedResourceConditions": { + "StringEquals": "Filters the values of your tagged resources for only those resources that you tagged with the same value. Also called \"exact matching.\"", + "StringNotEquals": "Filters the values of your tagged resources for only those resources that you tagged that do not have the same value. Also called \"negated matching.\"" + }, "AWS::BackupGateway::Hypervisor": { "Host": "The server host of the hypervisor. This can be either an IP address or a fully-qualified domain name (FQDN).", "KmsKeyArn": "The Amazon Resource Name (ARN) of the AWS Key Management Service used to encrypt the hypervisor.", @@ -3715,6 +4092,10 @@ "Tags": "The tags of the hypervisor configuration to import.", "Username": "The username for the hypervisor." }, + "AWS::BackupGateway::Hypervisor Tag": { + "Key": "The key part of a tag's key-value pair. The key can't start with `aws:` .", + "Value": "The value part of a tag's key-value pair." + }, "AWS::Batch::ComputeEnvironment": { "ComputeEnvironmentName": "The name for your compute environment. It can be up to 128 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), and underscores (_).", "ComputeResources": "The ComputeResources property type specifies details of the compute resources managed by the compute environment. This parameter is required for managed compute environments. For more information, see [Compute Environments](https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html) in the ** .", 
@@ -3728,16 +4109,16 @@ "UpdatePolicy": "Specifies the infrastructure update policy for the compute environment. For more information about infrastructure updates, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* ." }, "AWS::Batch::ComputeEnvironment ComputeResources": { - "AllocationStrategy": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . `BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. 
If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n\nWith both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", + "AllocationStrategy": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . 
`BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n- **SPOT_PRICE_CAPACITY_OPTIMIZED** - The price and capacity optimized allocation strategy looks at both price and capacity to select the Spot Instance pools that are the least likely to be interrupted and have the lowest possible price. 
This allocation strategy is only available for Spot Instance compute resources.\n\n> We recommend that you use `SPOT_PRICE_CAPACITY_OPTIMIZED` rather than `SPOT_CAPACITY_OPTIMIZED` in most instances.\n\nWith `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` , and `SPOT_PRICE_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "BidPercentage": "The maximum percentage that a Spot Instance price can be when compared with the On-Demand price for that instance type before instances are launched. For example, if your maximum percentage is 20%, the Spot price must be less than 20% of the current On-Demand price for that Amazon EC2 instance. You always pay the lowest (market) price and never more than your maximum percentage. For most use cases, we recommend leaving this field empty.\n\nWhen updating a compute environment, changing the bid percentage requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "DesiredvCpus": "The desired number of vCPUS in the compute environment. AWS Batch modifies this value between the minimum and maximum values based on job queue demand.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it. > AWS Batch doesn't support changing the desired number of vCPUs of an existing compute environment. Don't specify this parameter for compute environments using Amazon EKS clusters. 
> When you update the `desiredvCpus` setting, the value must be between the `minvCpus` and `maxvCpus` values.\n> \n> Additionally, the updated `desiredvCpus` value must be greater than or equal to the current `desiredvCpus` value. For more information, see [Troubleshooting AWS Batch](https://docs.aws.amazon.com/batch/latest/userguide/troubleshooting.html#error-desired-vcpus-update) in the *AWS Batch User Guide* .", "Ec2Configuration": "Provides information used to select Amazon Machine Images (AMIs) for EC2 instances in the compute environment. If `Ec2Configuration` isn't specified, the default is `ECS_AL2` .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . To remove the EC2 configuration and any custom AMI ID specified in `imageIdOverride` , set this value to an empty string.\n\nOne or two values can be provided.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "Ec2KeyPair": "The Amazon EC2 key pair that's used for instances launched in the compute environment. You can use this key pair to log in to your instances with SSH. To remove the Amazon EC2 key pair, set this value to an empty string.\n\nWhen updating a compute environment, changing the EC2 key pair requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "ImageId": "The Amazon Machine Image (AMI) ID used for instances launched in the compute environment. 
This parameter is overridden by the `imageIdOverride` member of the `Ec2Configuration` structure. To remove the custom AMI ID and use the default AMI ID, set this value to an empty string.\n\nWhen updating a compute environment, changing the AMI ID requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it. > The AMI that you choose for a compute environment must match the architecture of the instance types that you intend to use for that compute environment. For example, if your compute environment uses A1 instance types, the compute resource AMI that you choose must support ARM instances. Amazon ECS vends both x86 and ARM versions of the Amazon ECS-optimized Amazon Linux 2 AMI. For more information, see [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#ecs-optimized-ami-linux-variants.html) in the *Amazon Elastic Container Service Developer Guide* .", - "InstanceRole": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. 
For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", + "InstanceRole": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. Required for Amazon EC2 instances. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "InstanceTypes": "The instances types that can be launched. You can specify instance families to launch any instance type within those families (for example, `c5` or `p3` ), or you can specify specific sizes within a family (such as `c5.8xlarge` ). You can also choose `optimal` to select instance types (from the C4, M4, and R4 instance families) that match the demand of your job queues.\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it. 
> When you create a compute environment, the instance types that you select for the compute environment must share the same architecture. For example, you can't mix x86 and ARM instances in the same compute environment. > Currently, `optimal` uses instance types from the C4, M4, and R4 instance families. In Regions that don't have instance types from those instance families, instance types from the C5, M5, and R5 instance families are used.", "LaunchTemplate": "The launch template to use for your compute resources. Any other compute resource parameters that you specify in a [CreateComputeEnvironment](https://docs.aws.amazon.com/batch/latest/APIReference/API_CreateComputeEnvironment.html) API operation override the same parameters in the launch template. You must specify either the launch template ID or launch template name in the request, but not both. For more information, see [Launch Template Support](https://docs.aws.amazon.com/batch/latest/userguide/launch-templates.html) in the ** . Removing the launch template from a compute environment will not remove the AMI specified in the launch template. In order to update the AMI specified in a launch template, the `updateToLatestImageVersion` parameter must be set to `true` .\n\nWhen updating a compute environment, changing the launch template requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the ** .\n\n> This parameter isn't applicable to jobs running on Fargate resources, and shouldn't be specified.", - "MaxvCpus": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. 
In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance. That is, no more than a single instance from among those specified in your compute environment.", + "MaxvCpus": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` and `SPOT_PRICE_CAPACITY_OPTIMIZED` (recommended) strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "MinvCpus": "The minimum number of vCPUs that an environment should maintain (even if the compute environment is `DISABLED` ).\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "PlacementGroup": "The Amazon EC2 placement group to associate with your compute resources. If you intend to submit multi-node parallel jobs to your compute environment, you should consider creating a cluster placement group and associate it with your compute resources. This keeps your multi-node parallel job on a logical grouping of instances within a single Availability Zone with high network flow potential. For more information, see [Placement groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nWhen updating a compute environment, changing the placement group requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "SecurityGroupIds": "The Amazon EC2 security groups that are associated with instances launched in the compute environment. 
This parameter is required for Fargate compute resources, where it can contain up to 5 security groups. For Fargate compute resources, providing an empty list is handled as if this parameter wasn't specified and no change is made. For EC2 compute resources, providing an empty list removes the security groups from the compute resource.\n\nWhen updating a compute environment, changing the EC2 security groups requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .", 
@@ -3750,7 +4131,7 @@ "AWS::Batch::ComputeEnvironment Ec2ConfigurationObject": { "ImageIdOverride": "The AMI ID used for instances launched in the compute environment that match the image type. This setting overrides the `imageId` set in the `computeResource` object.\n\n> The AMI that you choose for a compute environment must match the architecture of the instance types that you intend to use for that compute environment. For example, if your compute environment uses A1 instance types, the compute resource AMI that you choose must support ARM instances. Amazon ECS vends both x86 and ARM versions of the Amazon ECS-optimized Amazon Linux 2 AMI. For more information, see [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#ecs-optimized-ami-linux-variants.html) in the *Amazon Elastic Container Service Developer Guide* .", "ImageKubernetesVersion": "The Kubernetes version for the compute environment. If you don't specify a value, the latest version that AWS Batch supports is used.", - "ImageType": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. 
If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types." + "ImageType": "The image type to match with the instance type to select an AMI. 
The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL2023** - [Amazon Linux 2023](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) : AWS Batch supports Amazon Linux 2023.\n\n> Amazon Linux 2023 does not support `A1` instances.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. 
If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types." }, "AWS::Batch::ComputeEnvironment EksConfiguration": { "EksClusterArn": "The Amazon Resource Name (ARN) of the Amazon EKS cluster. An example is `arn: *aws* :eks: *us-east-1* : *123456789012* :cluster/ *ClusterForBatch*` .", 
@@ -3789,7 +4170,7 @@ "EphemeralStorage": "The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate .", "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role that AWS Batch can assume. For jobs that run on Fargate resources, you must provide an execution role. For more information, see [AWS Batch execution IAM role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html) in the *AWS Batch User Guide* .", "FargatePlatformConfiguration": "The platform configuration for jobs that are running on Fargate resources. Jobs that are running on EC2 resources must not specify this parameter.", - "Image": "The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. 
For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", + "Image": "Required. The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. 
For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", "InstanceType": "The instance type to use for a multi-node parallel job. All node groups in a multi-node parallel job must use the same instance type.\n\n> This parameter isn't applicable to single-node container jobs or jobs that run on Fargate resources, and shouldn't be provided.", "JobRoleArn": "The Amazon Resource Name (ARN) of the IAM role that the container can assume for AWS permissions. For more information, see [IAM roles for tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide* .", "LinuxParameters": "Linux-specific modifications that are applied to the container, such as details for device mappings.", 
@@ -3800,6 +4181,7 @@ "Privileged": "When this parameter is true, the container is given elevated permissions on the host container instance (similar to the `root` user). This parameter maps to `Privileged` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--privileged` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . The default value is false.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided, or specified as false.", "ReadonlyRootFilesystem": "When this parameter is true, the container is given read-only access to its root file system. This parameter maps to `ReadonlyRootfs` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--read-only` option to `docker run` .", "ResourceRequirements": "The type and amount of resources to assign to a container. The supported resources include `GPU` , `MEMORY` , and `VCPU` .", + "RuntimePlatform": "An object that represents the compute environment architecture for AWS Batch jobs on Fargate.", "Secrets": "The secrets for the container. For more information, see [Specifying sensitive data](https://docs.aws.amazon.com/batch/latest/userguide/specifying-sensitive-data.html) in the *AWS Batch User Guide* .", "Ulimits": "A list of `ulimits` to set in the container. 
This parameter maps to `Ulimits` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--ulimit` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided.", "User": "The user name to use inside the container. This parameter maps to `User` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--user` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .", 
@@ -3826,7 +4208,7 @@ "ImagePullPolicy": "The image pull policy for the container. Supported values are `Always` , `IfNotPresent` , and `Never` . This parameter defaults to `IfNotPresent` . However, if the `:latest` tag is specified, it defaults to `Always` . For more information, see [Updating images](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/containers/images/#updating-images) in the *Kubernetes documentation* .", "Name": "The name of the container. If the name isn't specified, the default name \" `Default` \" is used. Each container in a pod must have a unique name.", "Resources": "The type and amount of resources to assign to a container. The supported resources include `memory` , `cpu` , and `nvidia.com/gpu` . For more information, see [Resource management for pods and containers](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) in the *Kubernetes documentation* .", - "SecurityContext": "", + "SecurityContext": "The security context for a job. For more information, see [Configure a security context for a pod or container](https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) in the *Kubernetes documentation* .", "VolumeMounts": "The volume mounts for the container. AWS Batch supports `emptyDir` , `hostPath` , and `secret` volume types. For more information about volumes and volume mounts in Kubernetes, see [Volumes](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/) in the *Kubernetes documentation* ." }, "AWS::Batch::JobDefinition EksContainerEnvironmentVariable": { 
@@ -3934,6 +4316,10 @@ "Attempts": "The number of times to move a job to the `RUNNABLE` status. You can specify between 1 and 10 attempts. If the value of `attempts` is greater than one, the job is retried on failure the same number of attempts as the value.", "EvaluateOnExit": "Array of up to 5 objects that specify the conditions where jobs are retried or failed. If this parameter is specified, then the `attempts` parameter must also be specified. If none of the listed conditions match, then the job is retried." }, + "AWS::Batch::JobDefinition RuntimePlatform": { + "CpuArchitecture": "The vCPU architecture. The default value is `X86_64` . Valid values are `X86_64` and `ARM64` .\n\n> This parameter must be set to `X86_64` for Windows containers. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "OperatingSystemFamily": "The operating system for the compute environment. Valid values are: `LINUX` (default), `WINDOWS_SERVER_2019_CORE` , `WINDOWS_SERVER_2019_FULL` , `WINDOWS_SERVER_2022_CORE` , and `WINDOWS_SERVER_2022_FULL` .\n\n> The following parameters can\u2019t be set for Windows containers: `linuxParameters` , `privileged` , `user` , `ulimits` , `readonlyRootFilesystem` , and `efsVolumeConfiguration` . > The AWS Batch Scheduler checks the compute environments that are attached to the job queue before registering a task definition with Fargate. In this scenario, the job queue is where the job is submitted. If the job requires a Windows container and the first compute environment is `LINUX` , the compute environment is skipped and the next compute environment is checked until a Windows-based compute environment is found. 
> Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue." + }, "AWS::Batch::JobDefinition Secret": { "Name": "The name of the secret.", "ValueFrom": "The secret to expose to the container. The supported values are either the full Amazon Resource Name (ARN) of the AWS Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager Parameter Store.\n\n> If the AWS Systems Manager Parameter Store parameter exists in the same Region as the job you're launching, then you can use either the full Amazon Resource Name (ARN) or name of the parameter. If the parameter exists in a different Region, then the full ARN must be specified." @@ -3948,7 +4334,7 @@ }, "AWS::Batch::JobDefinition Ulimit": { "HardLimit": "The hard limit for the `ulimit` type.", - "Name": "The `type` of the `ulimit` .", + "Name": "The `type` of the `ulimit` . Valid values are: `core` | `cpu` | `data` | `fsize` | `locks` | `memlock` | `msgqueue` | `nice` | `nofile` | `nproc` | `rss` | `rtprio` | `rttime` | `sigpending` | `stack` .", "SoftLimit": "The soft limit for the `ulimit` type." }, "AWS::Batch::JobDefinition Volumes": { 
@@ -3986,20 +4372,26 @@ "WeightFactor": "The weight factor for the fair share identifier. The default value is 1.0. A lower value has a higher priority for compute resources. For example, jobs that use a share identifier with a weight factor of 0.125 (1/8) get 8 times the compute resources of jobs that use a share identifier with a weight factor of 1.\n\nThe smallest supported value is 0.0001, and the largest supported value is 999.9999." }, "AWS::BillingConductor::BillingGroup": { - "AccountGrouping": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated family.", + "AccountGrouping": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated billing family.", "ComputationPreference": "The preferences and settings that will be used to compute the AWS charges for a billing group.", "Description": "The description of the billing group.", "Name": "The billing group's name.", "PrimaryAccountId": "The account ID that serves as the main account in a billing group.", - "Tags": "" + "Tags": "A map that contains tag keys and tag values that are attached to a billing group." }, "AWS::BillingConductor::BillingGroup AccountGrouping": { + "AutoAssociate": "Specifies if this billing group will automatically associate newly added AWS accounts that join your consolidated billing family.", "LinkedAccountIds": "The account IDs that make up the billing group. Account IDs must be a part of the consolidated billing family, and not associated with another billing group." }, "AWS::BillingConductor::BillingGroup ComputationPreference": { "PricingPlanArn": "The Amazon Resource Name (ARN) of the pricing plan used to compute the AWS charges for a billing group." }, + "AWS::BillingConductor::BillingGroup Tag": { + "Key": "The key in a key-value pair.", + "Value": "The value in a key-value pair of a tag." 
+ }, "AWS::BillingConductor::CustomLineItem": { + "AccountId": "The AWS account in which this custom line item will be applied to.", "BillingGroupArn": "The Amazon Resource Name (ARN) that references the billing group where the custom line item applies to.", "BillingPeriodRange": "A time range for which the custom line item is effective.", "CustomLineItemChargeDetails": "The charge details of a custom line item. It should contain only one of `Flat` or `Percentage` .", @@ -4013,6 +4405,7 @@ }, "AWS::BillingConductor::CustomLineItem CustomLineItemChargeDetails": { "Flat": "A `CustomLineItemFlatChargeDetails` that describes the charge details of a flat custom line item.", + "LineItemFilters": "A representation of the line item filter.", "Percentage": "A `CustomLineItemPercentageChargeDetails` that describes the charge details of a percentage custom line item.", "Type": "The type of the custom line item that indicates whether the charge is a fee or credit." }, 
@@ -4023,12 +4416,25 @@ "ChildAssociatedResources": "A list of resource ARNs to associate to the percentage custom line item.", "PercentageValue": "The custom line item's percentage value. This will be multiplied against the combined value of its associated resources to determine its charge value." }, + "AWS::BillingConductor::CustomLineItem LineItemFilter": { + "Attribute": "The attribute of the line item filter. This specifies what attribute that you can filter on.", + "MatchOption": "The match criteria of the line item filter. This parameter specifies whether not to include the resource value from the billing group total cost.", + "Values": "The values of the line item filter. This specifies the values to filter on. Currently, you can only exclude Savings Plan discounts." + }, + "AWS::BillingConductor::CustomLineItem Tag": { + "Key": "The key in a key-value pair.", + "Value": "The value in a key-value pair of a tag." + }, "AWS::BillingConductor::PricingPlan": { "Description": "The pricing plan description.", "Name": "The name of a pricing plan.", "PricingRuleArns": "The `PricingRuleArns` that are associated with the Pricing Plan.", "Tags": "A map that contains tag keys and tag values that are attached to a pricing plan." }, + "AWS::BillingConductor::PricingPlan Tag": { + "Key": "The key in a key-value pair.", + "Value": "The value in a key-value pair of a tag." + }, "AWS::BillingConductor::PricingRule": { "BillingEntity": "The seller of services provided by AWS , their affiliates, or third-party providers selling services via AWS Marketplace .", "Description": "The pricing rule description.", 
@@ -4045,8 +4451,12 @@ "AWS::BillingConductor::PricingRule FreeTier": { "Activated": "Activate or deactivate AWS Free Tier." }, + "AWS::BillingConductor::PricingRule Tag": { + "Key": "The key in a key-value pair.", + "Value": "The value in a key-value pair of a tag." + }, "AWS::BillingConductor::PricingRule Tiering": { - "FreeTier": "" + "FreeTier": "The possible AWS Free Tier configurations." }, "AWS::Budgets::Budget": { "Budget": "The budget object that you want to create.", 
@@ -4061,7 +4471,7 @@ "BudgetLimit": "The total amount of cost, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage that you want to track with your budget.\n\n`BudgetLimit` is required for cost or usage budgets, but optional for RI or Savings Plans utilization or coverage budgets. RI and Savings Plans utilization or coverage budgets default to `100` . This is the only valid value for RI or Savings Plans utilization or coverage budgets. You can't use `BudgetLimit` with `PlannedBudgetLimits` for `CreateBudget` and `UpdateBudget` actions.", "BudgetName": "The name of a budget. The value must be unique within an account. `BudgetName` can't include `:` and `\\` characters. If you don't include value for `BudgetName` in the template, Billing and Cost Management assigns your budget a randomly generated name.", "BudgetType": "Specifies whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage.", - "CostFilters": "The cost filters, such as `Region` , `Service` , `member account` , `Tag` , or `Cost Category` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", + "CostFilters": "The cost filters, such as `Region` , `Service` , `LinkedAccount` , `Tag` , or `CostCategory` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", "CostTypes": "The types of costs that are included in this `COST` budget.\n\n`USAGE` , `RI_UTILIZATION` , `RI_COVERAGE` , `SAVINGS_PLANS_UTILIZATION` , and `SAVINGS_PLANS_COVERAGE` budgets do not have `CostTypes` .", "PlannedBudgetLimits": "A map containing multiple `BudgetLimit` , 
including current or future limits.\n\n`PlannedBudgetLimits` is available for cost or usage budget and supports both monthly and quarterly `TimeUnit` .\n\nFor monthly budgets, provide 12 months of `PlannedBudgetLimits` values. This must start from the current month and include the next 11 months. The `key` is the start of the month, `UTC` in epoch seconds.\n\nFor quarterly budgets, provide four quarters of `PlannedBudgetLimits` value entries in standard calendar quarter increments. This must start from the current quarter and include the next three quarters. The `key` is the start of the quarter, `UTC` in epoch seconds.\n\nIf the planned budget expires before 12 months for monthly or four quarters for quarterly, provide the `PlannedBudgetLimits` values only for the remaining periods.\n\nIf the budget begins at a date in the future, provide `PlannedBudgetLimits` values from the start date of the budget.\n\nAfter all of the `BudgetLimit` values in `PlannedBudgetLimits` are used, the budget continues to use the last limit as the `BudgetLimit` . At that point, the planned budget provides the same experience as a fixed budget.\n\n`DescribeBudget` and `DescribeBudgets` response along with `PlannedBudgetLimits` also contain `BudgetLimit` representing the current month or quarter limit present in `PlannedBudgetLimits` . This only applies to budgets that are created with `PlannedBudgetLimits` . Budgets that are created without `PlannedBudgetLimits` only contain `BudgetLimit` . They don't contain `PlannedBudgetLimits` .", "TimePeriod": "The period of time that is covered by a budget. The period has a start date and an end date. The start date must come before the end date. There are no restrictions on the end date.\n\nThe start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). 
For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nAfter the end date, AWS deletes the budget and all associated notifications and subscribers.", @@ -4095,7 +4505,7 @@ }, "AWS::Budgets::Budget Spend": { "Amount": "The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.", - "Unit": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as USD or GBP." + "Unit": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold." }, "AWS::Budgets::Budget Subscriber": { "Address": "The address that AWS sends budget notifications to, either an SNS topic or an email.\n\nWhen you create a subscriber, the value of `Address` can't contain line breaks.", 
@@ -4202,6 +4612,10 @@ "RegionList": "Specifies the AWS Regions that the keyspace is replicated in. You must specify at least two and up to six Regions, including the Region that the keyspace is being created in.", "ReplicationStrategy": "The options are:\n\n- `SINGLE_REGION` (optional)\n- `MULTI_REGION`\n\nIf no value is specified, the default is `SINGLE_REGION` . If `MULTI_REGION` is specified, `RegionList` is required." }, + "AWS::Cassandra::Keyspace Tag": { + "Key": "The key of the tag. Tag keys are case sensitive. Each Amazon Keyspaces resource can only have up to one tag with the same key. If you try to add an existing tag (same key), the existing tag value will be updated to the new value.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::Cassandra::Table": { "BillingMode": "The billing mode for the table, which determines how you'll be charged for reads and writes:\n\n- *On-demand mode* (default) - You pay based on the actual reads and writes your application performs.\n- *Provisioned mode* - Lets you specify the number of reads and writes per second that you need for your application.\n\nIf you don't specify a value for this property, then the table will use on-demand mode.", "ClientSideTimestampsEnabled": "Enables client-side timestamps for the table. By default, the setting is disabled. You can enable client-side timestamps with the following option:\n\n- `status: \"enabled\"`\n\nAfter client-side timestamps are enabled for a table, you can't disable this setting.", 
@@ -4235,6 +4649,10 @@ "ReadCapacityUnits": "The amount of read capacity that's provisioned for the table. For more information, see [Read/write capacity mode](https://docs.aws.amazon.com/keyspaces/latest/devguide/ReadWriteCapacityMode.html) in the *Amazon Keyspaces Developer Guide* .", "WriteCapacityUnits": "The amount of write capacity that's provisioned for the table. For more information, see [Read/write capacity mode](https://docs.aws.amazon.com/keyspaces/latest/devguide/ReadWriteCapacityMode.html) in the *Amazon Keyspaces Developer Guide* ." }, + "AWS::Cassandra::Table Tag": { + "Key": "The key of the tag. Tag keys are case sensitive. Each Amazon Keyspaces resource can only have up to one tag with the same key. If you try to add an existing tag (same key), the existing tag value will be updated to the new value.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::CertificateManager::Account": { "ExpiryEventsConfiguration": "Object containing expiration events options associated with an AWS account . For more information, see [ExpiryEventsConfiguration](https://docs.aws.amazon.com/acm/latest/APIReference/API_ExpiryEventsConfiguration.html) in the API reference." }, 
@@ -4246,6 +4664,7 @@ "CertificateTransparencyLoggingPreference": "You can opt out of certificate transparency logging by specifying the `DISABLED` option. Opt in by specifying `ENABLED` .\n\nIf you do not specify a certificate transparency logging preference on a new CloudFormation template, or if you remove the logging preference from an existing template, this is the same as explicitly enabling the preference.\n\nChanging the certificate transparency logging preference will update the existing resource by calling `UpdateCertificateOptions` on the certificate. This action will not create a new resource.", "DomainName": "The fully qualified domain name (FQDN), such as www.example.com, with which you want to secure an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain. For example, `*.example.com` protects `www.example.com` , `site.example.com` , and `images.example.com.`", "DomainValidationOptions": "Domain information that domain name registrars use to verify your identity.\n\n> In order for a AWS::CertificateManager::Certificate to be provisioned and validated in CloudFormation automatically, the `DomainName` property needs to be identical to one of the `DomainName` property supplied in DomainValidationOptions, if the ValidationMethod is **DNS**. Failing to keep them like-for-like will result in failure to create the domain validation records in Route53.", + "KeyAlgorithm": "Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. 
Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see [Key algorithms](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms) .\n\n> Algorithms supported for an ACM certificate request include:\n> \n> - `RSA_2048`\n> - `EC_prime256v1`\n> - `EC_secp384r1`\n> \n> Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. \n\nDefault: RSA_2048", "SubjectAlternativeNames": "Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate. For example, you can add www.example.net to a certificate for which the `DomainName` field is www.example.com if users can reach your site by using either name.", "Tags": "Key-value pairs that can identify the certificate.", "ValidationMethod": "The method you want to use to validate that you own or control the domain associated with a public certificate. You can [validate with DNS](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html) or [validate with email](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html) . We recommend that you use DNS validation.\n\nIf not specified, this property defaults to email validation." 
@@ -4255,6 +4674,10 @@ "HostedZoneId": "The `HostedZoneId` option, which is available if you are using Route 53 as your domain registrar, causes ACM to add your CNAME to the domain record. Your list of `DomainValidationOptions` must contain one and only one of the domain-validation options, and the `HostedZoneId` can be used only when `DNS` is specified as your validation method.\n\nUse the Route 53 `ListHostedZones` API to discover IDs for available hosted zones.\n\nThis option is required for publicly trusted certificates.\n\n> The `ListHostedZones` API returns IDs in the format \"/hostedzone/Z111111QQQQQQQ\", but CloudFormation requires the IDs to be in the format \"Z111111QQQQQQQ\". \n\nWhen you change your `DomainValidationOptions` , a new resource is created.", "ValidationDomain": "The domain name to which you want ACM to send validation emails. This domain name is the suffix of the email addresses that you want ACM to use. This must be the same as the `DomainName` value or a superdomain of the `DomainName` value. For example, if you request a certificate for `testing.example.com` , you can specify `example.com` as this value. In that case, ACM sends domain validation emails to the following five addresses:\n\n- admin@example.com\n- administrator@example.com\n- hostmaster@example.com\n- postmaster@example.com\n- webmaster@example.com" }, + "AWS::CertificateManager::Certificate Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::Chatbot::MicrosoftTeamsChannelConfiguration": { "ConfigurationName": "The name of the configuration.", "GuardrailPolicies": "The list of IAM policy ARNs that are applied as channel guardrails. The AWS managed 'AdministratorAccess' policy is applied as a default if this is not set.", 
@@ -4262,7 +4685,7 @@ "LoggingLevel": "Specifies the logging level for this configuration. This property affects the log entries pushed to Amazon CloudWatch Logs.\n\nLogging levels include `ERROR` , `INFO` , or `NONE` .", "SnsTopicArns": "The ARNs of the SNS topics that deliver notifications to AWS Chatbot .", "TeamId": "The ID of the Microsoft Team authorized with AWS Chatbot .\n\nTo get the team ID, you must perform the initial authorization flow with Microsoft Teams in the AWS Chatbot console. Then you can copy and paste the team ID from the console. For more details, see steps 1-4 in [Get started with Microsoft Teams](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *AWS Chatbot Administrator Guide* .", - "TeamsChannelId": "The ID of the Microsoft Teams channel.\n\nTo get the channel ID, open Microsoft Teams, right click on the channel name in the left pane, then choose Copy. An example of the channel ID syntax is: `19%3ab6ef35dc342d56ba5654e6fc6d25a071%40thread.tacv2` .", + "TeamsChannelId": "", "TeamsTenantId": "The ID of the Microsoft Teams tenant.\n\nTo get the tenant ID, you must perform the initial authorization flow with Microsoft Teams in the AWS Chatbot console. Then you can copy and paste the tenant ID from the console. For more details, see steps 1-4 in [Get started with Microsoft Teams](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *AWS Chatbot Administrator Guide* .", "UserRoleRequired": "Enables use of a user role requirement in your chat configuration." }, 
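Review bot: The new side replaces the `TeamsChannelId` description with an empty string, `"TeamsChannelId": "",`, dropping the instructions for finding the channel ID and the example of its syntax. The neighbouring `TeamId` and `TeamsTenantId` entries keep their text, so this looks like an upstream gap picked up by a regeneration rather than an intended removal (inferred; the generation step is not visible here). Consider keeping the previous description when the regenerated value is empty, or having the generation step flag empty descriptions so they are noticed in review.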
@@ -4276,9 +4699,34 @@ "SnsTopicArns": "The ARNs of the SNS topics that deliver notifications to AWS Chatbot .", "UserRoleRequired": "Enables use of a user role requirement in your chat configuration." }, + "AWS::CleanRooms::AnalysisTemplate": { + "AnalysisParameters": "The parameters of the analysis template.", + "Description": "The description of the analysis template.", + "Format": "The format of the analysis template.", + "MembershipIdentifier": "The identifier for a membership resource.", + "Name": "The name of the analysis template.", + "Source": "The source of the analysis template.", + "Tags": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource." + }, + "AWS::CleanRooms::AnalysisTemplate AnalysisParameter": { + "DefaultValue": "Optional. The default value that is applied in the analysis template. The member who can query can override this value in the query editor.", + "Name": "The name of the parameter. The name must use only alphanumeric, underscore (_), or hyphen (-) characters but cannot start or end with a hyphen.", + "Type": "The type of parameter." + }, + "AWS::CleanRooms::AnalysisTemplate AnalysisSchema": { + "ReferencedTables": "The tables referenced in the analysis schema." + }, + "AWS::CleanRooms::AnalysisTemplate AnalysisSource": { + "Text": "The query text." + }, + "AWS::CleanRooms::AnalysisTemplate Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." 
+ }, "AWS::CleanRooms::Collaboration": { "CreatorDisplayName": "A display name of the collaboration creator.", - "CreatorMemberAbilities": "The abilities granted to the collaboration creator.", + "CreatorMemberAbilities": "The abilities granted to the collaboration creator.\n\n*Allowed values* `CAN_QUERY` | `CAN_RECEIVE_RESULTS`", + "CreatorPaymentConfiguration": "An object representing the collaboration member's payment responsibilities set by the collaboration creator.", "DataEncryptionMetadata": "The settings for client-side encryption for cryptographic computing.", "Description": "A description of the collaboration provided by the collaboration owner.", "Members": "A list of initial members, not including the creator. This list is immutable.", 
@@ -4287,15 +4735,26 @@ "Tags": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource." }, "AWS::CleanRooms::Collaboration DataEncryptionMetadata": { - "AllowCleartext": "Indicates whether encrypted tables can contain cleartext data (true) or are to cryptographically process every column (false).", - "AllowDuplicates": "Indicates whether Fingerprint columns can contain duplicate entries (true) or are to contain only non-repeated values (false).", - "AllowJoinsOnColumnsWithDifferentNames": "Indicates whether Fingerprint columns can be joined on any other Fingerprint column with a different name (true) or can only be joined on Fingerprint columns of the same name (false).", - "PreserveNulls": "Indicates whether NULL values are to be copied as NULL to encrypted tables (true) or cryptographically processed (false)." + "AllowCleartext": "Indicates whether encrypted tables can contain cleartext data ( `TRUE` ) or are to cryptographically process every column ( `FALSE` ).", + "AllowDuplicates": "Indicates whether Fingerprint columns can contain duplicate entries ( `TRUE` ) or are to contain only non-repeated values ( `FALSE` ).", + "AllowJoinsOnColumnsWithDifferentNames": "Indicates whether Fingerprint columns can be joined on any other Fingerprint column with a different name ( `TRUE` ) or can only be joined on Fingerprint columns of the same name ( `FALSE` ).", + "PreserveNulls": "Indicates whether NULL values are to be copied as NULL to encrypted tables ( `TRUE` ) or cryptographically processed ( `FALSE` )." }, "AWS::CleanRooms::Collaboration MemberSpecification": { "AccountId": "The identifier used to reference members of the collaboration. 
Currently only supports AWS account ID.", "DisplayName": "The member's display name.", - "MemberAbilities": "The abilities granted to the collaboration member.\n\n*Allowed Values* : `CAN_QUERY` | `CAN_RECEIVE_RESULTS`" + "MemberAbilities": "The abilities granted to the collaboration member.\n\n*Allowed Values* : `CAN_QUERY` | `CAN_RECEIVE_RESULTS`", + "PaymentConfiguration": "The collaboration member's payment responsibilities set by the collaboration creator.\n\nIf the collaboration creator hasn't speci\ufb01ed anyone as the member paying for query compute costs, then the member who can query is the default payer." + }, + "AWS::CleanRooms::Collaboration PaymentConfiguration": { + "QueryCompute": "The collaboration member's payment responsibilities set by the collaboration creator for query compute costs." + }, + "AWS::CleanRooms::Collaboration QueryComputePaymentConfig": { + "IsResponsible": "Indicates whether the collaboration creator has configured the collaboration member to pay for query compute costs ( `TRUE` ) or has not configured the collaboration member to pay for query compute costs ( `FALSE` ).\n\nExactly one member can be configured to pay for query compute costs. An error is returned if the collaboration creator sets a `TRUE` value for more than one member in the collaboration.\n\nIf the collaboration creator hasn't specified anyone as the member paying for query compute costs, then the member who can query is the default payer. An error is returned if the collaboration creator sets a `FALSE` value for the member who can query." + }, + "AWS::CleanRooms::Collaboration Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." }, "AWS::CleanRooms::ConfiguredTable": { "AllowedColumns": "The columns within the underlying AWS Glue table that can be utilized within collaborations.", 
@@ -4317,7 +4776,7 @@ }, "AWS::CleanRooms::ConfiguredTable AnalysisRule": { "Policy": "A policy that describes the associated data usage limitations.", - "Type": "The type of analysis rule. Valid values are `AGGREGATION` and `LIST`." + "Type": "The type of analysis rule." }, "AWS::CleanRooms::ConfiguredTable AnalysisRuleAggregation": { "AggregateColumns": "The columns that query runners are allowed to use in aggregation queries.", @@ -4328,8 +4787,12 @@ "OutputConstraints": "Columns that must meet a specific threshold value (after an aggregation function is applied to it) for each output row to be returned.", "ScalarFunctions": "Set of scalar functions that are allowed to be used on dimension columns and the output of aggregation of metrics." }, + "AWS::CleanRooms::ConfiguredTable AnalysisRuleCustom": { + "AllowedAnalyses": "The analysis templates that are allowed by the custom analysis rule.", + "AllowedAnalysisProviders": "The AWS accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` ." + }, "AWS::CleanRooms::ConfiguredTable AnalysisRuleList": { - "AllowedJoinOperators": "Which logical operators (if any) are to be used in an INNER JOIN match condition. Default is `AND` .", + "AllowedJoinOperators": "The logical operators (if any) that are to be used in an INNER JOIN match condition. Default is `AND` .", "JoinColumns": "Columns that can be used to join a configured table with the table of the member who can query and other members' configured tables.", "ListColumns": "Columns that can be listed in the output." }, 
@@ -4338,6 +4801,7 @@ }, "AWS::CleanRooms::ConfiguredTable ConfiguredTableAnalysisRulePolicyV1": { "Aggregation": "Analysis rule type that enables only aggregation queries on a configured table.", + "Custom": "Analysis rule type that enables custom SQL queries on a configured table.", "List": "Analysis rule type that enables only list queries on a configured table." }, "AWS::CleanRooms::ConfiguredTable GlueTableReference": { @@ -4347,6 +4811,10 @@ "AWS::CleanRooms::ConfiguredTable TableReference": { "Glue": "If present, a reference to the AWS Glue table referred to by this table reference." }, + "AWS::CleanRooms::ConfiguredTable Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::CleanRooms::ConfiguredTableAssociation": { "ConfiguredTableIdentifier": "A unique identifier for the configured table to be associated to. Currently accepts a configured table ID.", "Description": "A description of the configured table association.", 
@@ -4355,16 +4823,44 @@ "RoleArn": "The service will assume this role to access catalog metadata and query the table.", "Tags": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource." }, + "AWS::CleanRooms::ConfiguredTableAssociation Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::CleanRooms::Membership": { "CollaborationIdentifier": "The unique ID for the associated collaboration.", - "QueryLogStatus": "An indicator as to whether query logging has been enabled or disabled for the collaboration.", + "DefaultResultConfiguration": "The default protected query result configuration as specified by the member who can receive results.", + "PaymentConfiguration": "The payment responsibilities accepted by the collaboration member.", + "QueryLogStatus": "An indicator as to whether query logging has been enabled or disabled for the membership.", "Tags": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource." }, + "AWS::CleanRooms::Membership MembershipPaymentConfiguration": { + "QueryCompute": "The payment responsibilities accepted by the collaboration member for query compute costs." + }, + "AWS::CleanRooms::Membership MembershipProtectedQueryOutputConfiguration": { + "S3": "Required configuration for a protected query with an `S3` output type." 
+ }, + "AWS::CleanRooms::Membership MembershipProtectedQueryResultConfiguration": { + "OutputConfiguration": "Configuration for protected query results.", + "RoleArn": "The unique ARN for an IAM role that is used by AWS Clean Rooms to write protected query results to the result location, given by the member who can receive results." + }, + "AWS::CleanRooms::Membership MembershipQueryComputePaymentConfig": { + "IsResponsible": "Indicates whether the collaboration member has accepted to pay for query compute costs ( `TRUE` ) or has not accepted to pay for query compute costs ( `FALSE` ).\n\nIf the collaboration creator has not specified anyone to pay for query compute costs, then the member who can query is the default payer.\n\nAn error message is returned for the following reasons:\n\n- If you set the value to `FALSE` but you are responsible to pay for query compute costs.\n- If you set the value to `TRUE` but you are not responsible to pay for query compute costs." + }, + "AWS::CleanRooms::Membership ProtectedQueryS3OutputConfiguration": { + "Bucket": "The S3 bucket to unload the protected query results.", + "KeyPrefix": "The S3 prefix to unload the protected query results.", + "ResultFormat": "Intended file format of the result." + }, + "AWS::CleanRooms::Membership Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::Cloud9::EnvironmentEC2": { "AutomaticStopTimeMinutes": "The number of minutes until the running instance is shut down after the environment was last used.", "ConnectionType": "The connection type used for connecting to an Amazon EC2 environment. Valid values are `CONNECT_SSH` (default) and `CONNECT_SSM` (connected through AWS Systems Manager ).", "Description": "The description of the environment to create.", - "ImageId": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. 
To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nThe default AMI is used if the parameter isn't explicitly assigned a value in the request.\n\n*AMI aliases*\n\n- *Amazon Linux (default): `amazonlinux-1-x86_64`*\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n\n*SSM paths*\n\n- *Amazon Linux (default): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`*\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`", + "ImageId": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nFrom December 04, 2023, you will be required to include the `imageId` parameter for the `CreateEnvironmentEC2` action. This change will be reflected across all direct methods of communicating with the API, such as AWS SDK, AWS CLI and AWS CloudFormation. This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nFrom January 22, 2024, Amazon Linux (AL1) will be removed from the list of available image IDs for Cloud9. This is necessary as AL1 will reach the end of maintenance support in December 2023, and as a result will no longer receive security updates. We recommend using Amazon Linux 2023 as the new AMI to create your environment as it is fully supported. 
This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nSince Ubuntu 18.04 has ended standard support as of May 31, 2023, we recommend you choose Ubuntu 22.04.\n\n*AMI aliases*\n\n- Amazon Linux (end of maintenance support December 2023): `amazonlinux-1-x86_64`\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Amazon Linux 2023 (recommended): `amazonlinux-2023-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `ubuntu-22.04-x86_64`\n\n*SSM paths*\n\n- Amazon Linux (end of maintenance support December 2023): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Amazon Linux 2023 (recommended): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2023-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64`", "InstanceType": "The type of instance to connect to the environment (for example, `t2.micro` ).", "Name": "The name of the environment.", "OwnerArn": "The Amazon Resource Name (ARN) of the environment owner. This ARN can be the ARN of any AWS Identity and Access Management principal. If this value is not specified, the ARN defaults to this environment's creator.", 
@@ -4376,6 +4872,10 @@ "PathComponent": "The path within the development environment's default file system location to clone the AWS CodeCommit repository into. For example, `/REPOSITORY_NAME` would clone the repository into the `/home/USER_NAME/environment/REPOSITORY_NAME` directory in the environment.", "RepositoryUrl": "The clone URL of the AWS CodeCommit repository to be cloned. For example, for an AWS CodeCommit repository this might be `https://git-codecommit.us-east-2.amazonaws.com/v1/repos/REPOSITORY_NAME` ." }, + "AWS::Cloud9::EnvironmentEC2 Tag": { + "Key": "The *name* part of a tag.", + "Value": "The *value* part of a tag." + }, "AWS::CloudFormation::CustomResource": { "ServiceToken": "> Only one property is defined by AWS for a custom resource: `ServiceToken` . All other properties are defined by the service provider. \n\nThe service token that was given to the template developer by the service provider to access the service, such as an Amazon SNS topic ARN or Lambda function ARN. The service token must be from the same Region in which you are creating the stack.\n\nUpdates aren't supported." }, 
@@ -4443,12 +4943,40 @@ "LogRoleArn": "The ARN of the role that CloudFormation should assume when sending log entries to CloudWatch logs." }, "AWS::CloudFormation::Stack": { + "Capabilities": "In some cases, you must explicitly acknowledge that your stack template contains certain capabilities in order for AWS CloudFormation to create the stack.\n\n- `CAPABILITY_IAM` and `CAPABILITY_NAMED_IAM`\n\nSome stack templates might include resources that can affect permissions in your AWS account ; for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge this by specifying one of these capabilities.\n\nThe following IAM resources require you to specify either the `CAPABILITY_IAM` or `CAPABILITY_NAMED_IAM` capability.\n\n- If you have IAM resources, you can specify either capability.\n- If you have IAM resources with custom names, you *must* specify `CAPABILITY_NAMED_IAM` .\n- If you don't specify either of these capabilities, AWS CloudFormation returns an `InsufficientCapabilities` error.\n\nIf your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.\n\n- [`AWS::IAM::AccessKey`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html)\n- [`AWS::IAM::Group`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html)\n- [`AWS::IAM::InstanceProfile`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html)\n- [`AWS::IAM::Policy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html)\n- [`AWS::IAM::Role`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)\n- [`AWS::IAM::User`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html)\n- 
[`AWS::IAM::UserToGroupAddition`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html)\n\nFor more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#capabilities) .\n- `CAPABILITY_AUTO_EXPAND`\n\nSome template contain macros. Macros perform custom processing on templates; this can include simple actions like find-and-replace operations, all the way to extensive transformations of entire templates. Because of this, users typically create a change set from the processed template, so that they can review the changes resulting from the macros before actually creating the stack. If your stack template contains one or more macros, and you choose to create a stack directly from the processed template, without first reviewing the resulting changes in a change set, you must acknowledge this capability. This includes the [AWS::Include](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/create-reusable-transform-function-snippets-and-add-to-your-template-with-aws-include-transform.html) and [AWS::Serverless](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-aws-serverless.html) transforms, which are macros hosted by AWS CloudFormation .\n\nIf you want to create a stack from a stack template that contains macros *and* nested stacks, you must create the stack directly from the template using this capability.\n\n> You should only create stacks directly from a stack template that contains macros if you know what processing the macro performs.\n> \n> Each macro relies on an underlying Lambda service function for processing stack templates. Be aware that the Lambda function owner can update the function operation without AWS CloudFormation being notified. 
\n\nFor more information, see [Using AWS CloudFormation macros to perform custom processing on templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html) .", + "ChangeSetId": "The unique ID of the change set.", + "CreationTime": "The time at which the stack was created.", + "Description": "A user-defined description associated with the stack.", + "DisableRollback": "Set to `true` to disable rollback of the stack if stack creation failed. You can specify either `DisableRollback` or `OnFailure` , but not both.\n\nDefault: `false`", + "EnableTerminationProtection": "Whether to enable termination protection on the specified stack. If a user attempts to delete a stack with termination protection enabled, the operation fails and the stack remains unchanged. For more information, see [Protecting a Stack From Being Deleted](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html) in the *AWS CloudFormation User Guide* . Termination protection is deactivated on stacks by default.\n\nFor [nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) , termination protection is set on the root stack and can't be changed directly on the nested stack.", + "LastUpdateTime": "The time the stack was last updated. This field will only be returned if the stack has been updated at least once.", "NotificationARNs": "The Amazon Simple Notification Service (Amazon SNS) topic ARNs to publish stack related events. You can find your Amazon SNS topic ARNs using the Amazon SNS console or your Command Line Interface (CLI).", + "Outputs": "A list of output structures.", "Parameters": "The set value pairs that represent the parameters passed to CloudFormation when this nested stack is created. 
Each parameter has a name corresponding to a parameter defined in the embedded template and a value representing the value that you want to set for the parameter.\n\n> If you use the `Ref` function to pass a parameter value to a nested stack, comma-delimited list parameters must be of type `String` . In other words, you can't pass values that are of type `CommaDelimitedList` to nested stacks. \n\nConditional. Required if the nested stack requires input parameters.\n\nWhether an update causes interruptions depends on the resources that are being updated. An update never causes a nested stack to be replaced.", + "ParentId": "For nested stacks--stacks created as resources for another stack--the stack ID of the direct parent of this stack. For the first level of nested stacks, the root stack is also the parent stack.\n\nFor more information, see [Working with Nested Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .", + "RoleARN": "The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that AWS CloudFormation assumes to create the stack. AWS CloudFormation uses the role's credentials to make calls on your behalf. AWS CloudFormation always uses this role for all future operations on the stack. Provided that users have permission to operate on the stack, AWS CloudFormation uses this role even if the users don't have permission to pass it. Ensure that the role grants least privilege.\n\nIf you don't specify a value, AWS CloudFormation uses the role that was previously associated with the stack. 
If no role is available, AWS CloudFormation uses a temporary session that's generated from your user credentials.", + "RootId": "For nested stacks--stacks created as resources for another stack--the stack ID of the top-level stack to which the nested stack ultimately belongs.\n\nFor more information, see [Working with Nested Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .", + "StackId": "Unique identifier of the stack.", + "StackName": "The name that's associated with the stack. The name must be unique in the Region in which you are creating the stack.\n\n> A stack name can contain only alphanumeric characters (case sensitive) and hyphens. It must start with an alphabetical character and can't be longer than 128 characters.", + "StackPolicyBody": "Structure containing the stack policy body. For more information, go to [Prevent Updates to Stack Resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html) in the *AWS CloudFormation User Guide* . You can specify either the `StackPolicyBody` or the `StackPolicyURL` parameter, but not both.", + "StackPolicyURL": "Location of a file containing the stack policy. The URL must point to a policy (maximum size: 16 KB) located in an S3 bucket in the same Region as the stack. You can specify either the `StackPolicyBody` or the `StackPolicyURL` parameter, but not both.", + "StackStatus": "Current status of the stack.", + "StackStatusReason": "Success/failure message associated with the stack status.", "Tags": "Key-value pairs to associate with this stack. AWS CloudFormation also propagates these tags to the resources created in the stack. A maximum number of 50 tags can be specified.", + "TemplateBody": "Structure containing the template body with a minimum length of 1 byte and a maximum length of 51,200 bytes. 
For more information, go to [Template anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) in the AWS CloudFormation User Guide.\n\nConditional: You must specify either the `TemplateBody` or the `TemplateURL` parameter, but not both.", "TemplateURL": "Location of file containing the template body. The URL must point to a template (max size: 460,800 bytes) that's located in an Amazon S3 bucket. For more information, see [Template anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) .\n\nWhether an update causes interruptions depends on the resources that are being updated. An update never causes a nested stack to be replaced.", "TimeoutInMinutes": "The length of time, in minutes, that CloudFormation waits for the nested stack to reach the `CREATE_COMPLETE` state. The default is no timeout. When CloudFormation detects that the nested stack has reached the `CREATE_COMPLETE` state, it marks the nested stack resource as `CREATE_COMPLETE` in the parent stack and resumes creating the parent stack. If the timeout period expires before the nested stack reaches `CREATE_COMPLETE` , CloudFormation marks the nested stack as failed and rolls back both the nested stack and parent stack.\n\nUpdates aren't supported." }, + "AWS::CloudFormation::Stack Output": { + "Description": "User defined description associated with the output.", + "ExportName": "The name of the export associated with the output.", + "OutputKey": "The key associated with the output.", + "OutputValue": "The value associated with the output." + }, + "AWS::CloudFormation::Stack Tag": { + "Key": "*Required* . A string used to identify this tag. You can specify a maximum of 128 characters for a tag key. Tags owned by Amazon Web Services ( AWS ) have the reserved prefix: `aws:` .", + "Value": "*Required* . A string containing the value for this tag. You can specify a maximum of 256 characters for a tag value." 
+ }, "AWS::CloudFormation::StackSet": { "AdministrationRoleARN": "The Amazon Resource Number (ARN) of the IAM role to use to create this stack set. Specify an IAM role only if you are using customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account.\n\nUse customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account. For more information, see [Prerequisites: Granting Permissions for Stack Set Operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) in the *AWS CloudFormation User Guide* .\n\n*Minimum* : `20`\n\n*Maximum* : `2048`", "AutoDeployment": "[ `Service-managed` permissions] Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU).", 
@@ -4461,10 +4989,10 @@ "Parameters": "The input parameters for the stack set template.", "PermissionModel": "Describes how the IAM roles required for stack set operations are created.\n\n- With `SELF_MANAGED` permissions, you must create the administrator and execution roles required to deploy to target accounts. For more information, see [Grant Self-Managed Stack Set Permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html) .\n- With `SERVICE_MANAGED` permissions, StackSets automatically creates the IAM roles required to deploy to accounts managed by AWS Organizations .", "StackInstancesGroup": "A group of stack instances with parameters in some specific accounts and Regions.", - "StackSetName": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n*Maximum* : `128`\n\n*Pattern* : `^[a-zA-Z][a-zA-Z0-9-]{0,127}$`\n\n> The `StackSetName` property is required.", - "Tags": "The key-value pairs to associate with this stack set and the stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the stacks. A maximum number of 50 tags can be specified.", - "TemplateBody": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.\n\n*Minimum* : `1`\n\n*Maximum* : `51200`", - "TemplateURL": "Location of file containing the template body. 
The URL must point to a template (max size: 460,800 bytes) that's located in an Amazon S3 bucket.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both.\n\n*Minimum* : `1`\n\n*Maximum* : `1024`" + "StackSetName": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n> The `StackSetName` property is required.", + "Tags": "Key-value pairs to associate with this stack. AWS CloudFormation also propagates these tags to supported resources in the stack. You can specify a maximum number of 50 tags.\n\nIf you don't specify this parameter, AWS CloudFormation doesn't modify the stack's tags. If you specify an empty value, AWS CloudFormation removes all associated tags.", + "TemplateBody": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.", + "TemplateURL": "Location of file containing the template body. The URL must point to a template that's located in an Amazon S3 bucket or a Systems Manager document. For more information, go to [Template Anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) in the AWS CloudFormation User Guide.\n\nConditional: You must specify only one of the following parameters: `TemplateBody` , `TemplateURL` ." }, "AWS::CloudFormation::StackSet AutoDeployment": { "Enabled": "If set to `true` , StackSets automatically deploys additional stack instances to AWS Organizations accounts that are added to a target organization or organizational unit (OU) in the specified Regions. 
If an account is removed from a target organization or OU, StackSets deletes stack instances from the account in the specified Regions.", @@ -4473,6 +5001,7 @@ "AWS::CloudFormation::StackSet DeploymentTargets": { "AccountFilterType": "Limit deployment targets to individual accounts or include additional accounts with provided OUs.\n\nThe following is a list of possible values for the `AccountFilterType` operation.\n\n- `INTERSECTION` : StackSets deploys to the accounts specified in `Accounts` parameter.\n- `DIFFERENCE` : StackSets excludes the accounts specified in `Accounts` parameter. This enables user to avoid certain accounts within an OU such as suspended accounts.\n- `UNION` : StackSets includes additional accounts deployment targets.\n\nThis is the default value if `AccountFilterType` is not provided. This enables user to update an entire OU and individual accounts from a different OU in one request, which used to be two separate requests.\n- `NONE` : Deploys to all the accounts in specified organizational units (OU).", "Accounts": "The names of one or more AWS accounts for which you want to deploy stack set updates.\n\n*Pattern* : `^[0-9]{12}$`", + "AccountsUrl": "Returns the value of the `AccountsUrl` property.", "OrganizationalUnitIds": "The organization root ID or organizational unit (OU) IDs to which StackSets deploys.\n\n*Pattern* : `^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})$`" }, "AWS::CloudFormation::StackSet ManagedExecution": { 
@@ -4484,7 +5013,7 @@ "MaxConcurrentCount": "The maximum number of accounts in which to perform this operation at one time. This is dependent on the value of `FailureToleranceCount` . `MaxConcurrentCount` is at most one more than the `FailureToleranceCount` .\n\nNote that this setting lets you specify the *maximum* for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling.\n\nConditional: You must specify either `MaxConcurrentCount` or `MaxConcurrentPercentage` , but not both.", "MaxConcurrentPercentage": "The maximum percentage of accounts in which to perform this operation at one time.\n\nWhen calculating the number of accounts based on the specified percentage, AWS CloudFormation rounds down to the next whole number. This is true except in cases where rounding down would result is zero. In this case, CloudFormation sets the number as one instead.\n\nNote that this setting lets you specify the *maximum* for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling.\n\nConditional: You must specify either `MaxConcurrentCount` or `MaxConcurrentPercentage` , but not both.", "RegionConcurrencyType": "The concurrency type of deploying StackSets operations in Regions, could be in parallel or one Region at a time.", - "RegionOrder": "The order of the Regions where you want to perform the stack operation." + "RegionOrder": "The order of the Regions where you want to perform the stack operation.\n\n> `RegionOrder` isn't followed if `AutoDeployment` is enabled." }, "AWS::CloudFormation::StackSet Parameter": { "ParameterKey": "The key associated with the parameter. If you don't specify a key and value for a particular parameter, AWS CloudFormation uses the default value that's specified in your template.", 
@@ -4495,6 +5024,10 @@ "ParameterOverrides": "A list of stack set parameters whose values you want to override in the selected stack instances.", "Regions": "The names of one or more Regions where you want to create stack instances using the specified AWS accounts ." }, + "AWS::CloudFormation::StackSet Tag": { + "Key": "*Required* . A string used to identify this tag. You can specify a maximum of 128 characters for a tag key. Tags owned by Amazon Web Services ( AWS ) have the reserved prefix: `aws:` .", + "Value": "*Required* . A string containing the value for this tag. You can specify a maximum of 256 characters for a tag value." + }, "AWS::CloudFormation::TypeActivation": { "AutoUpdate": "Whether to automatically update the extension in this account and Region when a new *minor* version is published by the extension publisher. Major versions released by the publisher must be manually updated.\n\nThe default is `true` .", "ExecutionRoleArn": "The name of the IAM execution role to use to activate the extension.", 
@@ -4558,8 +5091,11 @@ }, "AWS::CloudFront::ContinuousDeploymentPolicy ContinuousDeploymentPolicyConfig": { "Enabled": "A Boolean that indicates whether this continuous deployment policy is enabled (in effect). When this value is `true` , this policy is enabled and in effect. When this value is `false` , this policy is not enabled and has no effect.", + "SingleHeaderPolicyConfig": "This configuration determines which HTTP requests are sent to the staging distribution. If the HTTP request contains a header and value that matches what you specify here, the request is sent to the staging distribution. Otherwise the request is sent to the primary distribution.", + "SingleWeightPolicyConfig": "This configuration determines the percentage of HTTP requests that are sent to the staging distribution.", "StagingDistributionDnsNames": "The CloudFront domain name of the staging distribution. For example: `d111111abcdef8.cloudfront.net` .", - "TrafficConfig": "Contains the parameters for routing production traffic from your primary to staging distributions." + "TrafficConfig": "Contains the parameters for routing production traffic from your primary to staging distributions.", + "Type": "The type of traffic configuration." }, "AWS::CloudFront::ContinuousDeploymentPolicy SessionStickinessConfig": { "IdleTTL": "The amount of time after which you want sessions to cease if no requests are received. Allowed values are 300\u20133600 seconds (5\u201360 minutes).", 
@@ -4569,10 +5105,18 @@ "Header": "The request header name that you want CloudFront to send to your staging distribution. The header must contain the prefix `aws-cf-cd-` .", "Value": "The request header value." }, + "AWS::CloudFront::ContinuousDeploymentPolicy SingleHeaderPolicyConfig": { + "Header": "", + "Value": "" + }, "AWS::CloudFront::ContinuousDeploymentPolicy SingleWeightConfig": { "SessionStickinessConfig": "Session stickiness provides the ability to define multiple requests from a single viewer as a single session. This prevents the potentially inconsistent experience of sending some of a given user's requests to your staging distribution, while others are sent to your primary distribution. Define the session duration using TTL values.", "Weight": "The percentage of traffic to send to a staging distribution, expressed as a decimal number between 0 and .15." }, + "AWS::CloudFront::ContinuousDeploymentPolicy SingleWeightPolicyConfig": { + "SessionStickinessConfig": "", + "Weight": "" + }, "AWS::CloudFront::ContinuousDeploymentPolicy TrafficConfig": { "SingleHeaderConfig": "Determines which HTTP requests are sent to the staging distribution.", "SingleWeightConfig": "Contains the percentage of traffic to send to the staging distribution.", 
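Review bot: The two entries added in this hunk, `SingleHeaderPolicyConfig` and `SingleWeightPolicyConfig`, have empty description strings (`"Header": ""`, `"Value": ""`, `"SessionStickinessConfig": ""`, `"Weight": ""`). Any consumer that surfaces these strings will therefore show blank help text for properties that decide which requests reach the staging distribution. The neighbouring `SingleHeaderConfig` and `SingleWeightConfig` entries already describe what look like the same fields; if the new types do mirror them, reuse that text, e.g. `"Value": "The request header value."`. If this file is generated from upstream documentation, the gap should be fixed or filtered in the generator (for example by omitting keys whose description is empty) rather than edited by hand here.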
@@ -4750,9 +5294,13 @@ "Items": "The items (status codes) for an origin group.", "Quantity": "The number of status codes." }, + "AWS::CloudFront::Distribution Tag": { + "Key": "A string that contains `Tag` key.\n\nThe string length should be between 1 and 128 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` .", + "Value": "A string that contains an optional `Tag` value.\n\nThe string length should be between 0 and 256 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` ." + }, "AWS::CloudFront::Distribution ViewerCertificate": { "AcmCertificateArn": "> In CloudFormation, this field name is `AcmCertificateArn` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) , provide the Amazon Resource Name (ARN) of the ACM certificate. CloudFront only supports ACM certificates in the US East (N. Virginia) Region ( `us-east-1` ).\n\nIf you specify an ACM certificate ARN, you must also specify values for `MinimumProtocolVersion` and `SSLSupportMethod` . (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.)", - "CloudFrontDefaultCertificate": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), set this field to `false` and specify values for the following fields:\n\n- `ACMCertificateArn` or `IAMCertificateId` (specify a value for one, not both)\n\nIn CloudFormation, these field names are `AcmCertificateArn` and `IamCertificateId` . Note the different capitalization.\n- `MinimumProtocolVersion`\n- `SSLSupportMethod` (In CloudFormation, this field name is `SslSupportMethod` . 
Note the different capitalization.)", + "CloudFrontDefaultCertificate": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), omit this field and specify values for the following fields:\n\n- `AcmCertificateArn` or `IamCertificateId` (specify a value for one, not both)\n- `MinimumProtocolVersion`\n- `SslSupportMethod`", "IamCertificateId": "> In CloudFormation, this field name is `IamCertificateId` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) , provide the ID of the IAM certificate.\n\nIf you specify an IAM certificate ID, you must also specify values for `MinimumProtocolVersion` and `SSLSupportMethod` . (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.)", "MinimumProtocolVersion": "If the distribution uses `Aliases` (alternate domain names or CNAMEs), specify the security policy that you want CloudFront to use for HTTPS connections with viewers. 
The security policy determines two settings:\n\n- The minimum SSL/TLS protocol that CloudFront can use to communicate with viewers.\n- The ciphers that CloudFront can use to encrypt the content that it returns to viewers.\n\nFor more information, see [Security Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy) and [Supported Protocols and Ciphers Between Viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers) in the *Amazon CloudFront Developer Guide* .\n\n> On the CloudFront console, this setting is called *Security Policy* . \n\nWhen you're using SNI only (you set `SSLSupportMethod` to `sni-only` ), you must specify `TLSv1` or higher. (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.)\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` (you set `CloudFrontDefaultCertificate` to `true` ), CloudFront automatically sets the security policy to `TLSv1` regardless of the value that you set here.", "SslSupportMethod": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. 
This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [AWS Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field." @@ -4766,7 +5314,7 @@ }, "AWS::CloudFront::Function FunctionConfig": { "Comment": "A comment to describe the function.", - "Runtime": "The function's runtime environment. The only valid value is `cloudfront-js-1.0` ." + "Runtime": "The function's runtime environment version." }, "AWS::CloudFront::Function FunctionMetadata": { "FunctionARN": "The Amazon Resource Name (ARN) of the function. The ARN uniquely identifies the function." @@ -4779,6 +5327,15 @@ "Items": "A list of the identifiers of the public keys in the key group.", "Name": "A name to identify the key group." }, + "AWS::CloudFront::KeyValueStore": { + "Comment": "A comment for the Key Value Store.", + "ImportSource": "The import source for the Key Value Store.", + "Name": "The name of the Key Value Store." + }, + "AWS::CloudFront::KeyValueStore ImportSource": { + "SourceArn": "The Amazon Resource Name (ARN) of the import source for the Key Value Store.", + "SourceType": "The source type of the import source for the Key Value Store." + }, "AWS::CloudFront::MonitoringSubscription": { "DistributionId": "The ID of the distribution that you are enabling metrics for.", "MonitoringSubscription": "A subscription configuration for additional CloudWatch metrics." 
@@ -4952,6 +5509,10 @@ "S3Origin": "A complex type that contains information about the Amazon S3 bucket from which you want CloudFront to get your media files for distribution.", "TrustedSigners": "A complex type that specifies any AWS accounts that you want to permit to create signed URLs for private content. If you want the distribution to use signed URLs, include this element; if you want the distribution to use public URLs, remove this element. For more information, see [Serving Private Content through CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html) in the *Amazon CloudFront Developer Guide* ." }, + "AWS::CloudFront::StreamingDistribution Tag": { + "Key": "A string that contains `Tag` key.\n\nThe string length should be between 1 and 128 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` .", + "Value": "A string that contains an optional `Tag` value.\n\nThe string length should be between 0 and 256 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` ." + }, "AWS::CloudFront::StreamingDistribution TrustedSigners": { "AwsAccountNumbers": "An AWS account number that contains active CloudFront key pairs that CloudFront can use to verify the signatures of signed URLs and signed cookies. If the AWS account that owns the key pairs is the same account that owns the CloudFront distribution, the value of this field is `self` .", "Enabled": "This field is `true` if any of the AWS accounts in the list are configured as trusted signers. If not, this field is `false` ." 
@@ -4964,16 +5525,25 @@ }, "AWS::CloudTrail::Channel Destination": { "Location": "For channels used for a CloudTrail Lake integration, the location is the ARN of an event data store that receives events from a channel. For service-linked channels, the location is the name of the AWS service.", - "Type": "The type of destination for events arriving from a channel. For channels used for a CloudTrail Lake integration, the value is `EventDataStore` . For service-linked channels, the value is `AWS_SERVICE` ." + "Type": "The type of destination for events arriving from a channel. For channels used for a CloudTrail Lake integration, the value is `EVENT_DATA_STORE` . For service-linked channels, the value is `AWS_SERVICE` ." + }, + "AWS::CloudTrail::Channel Tag": { + "Key": "The key in a key-value pair. The key must be must be no longer than 128 Unicode characters. The key must be unique for the resource to which it applies.", + "Value": "The value in a key-value pair of a tag. The value must be no longer than 256 Unicode characters." }, "AWS::CloudTrail::EventDataStore": { "AdvancedEventSelectors": "The advanced event selectors to use to select the events for the data store. 
You can configure up to five advanced event selectors for each event data store.\n\nFor more information about how to use advanced event selectors to log CloudTrail events, see [Log events by using advanced event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-advanced) in the CloudTrail User Guide.\n\nFor more information about how to use advanced event selectors to include AWS Config configuration items in your event data store, see [Create an event data store for AWS Config configuration items](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-cli.html#lake-cli-create-eds-config) in the CloudTrail User Guide.\n\nFor more information about how to use advanced event selectors to include non- AWS events in your event data store, see [Create an integration to log events from outside AWS](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-cli.html#lake-cli-create-integration) in the CloudTrail User Guide.", + "BillingMode": "The billing mode for the event data store determines the cost for ingesting events and the default and maximum retention period for the event data store.\n\nThe following are the possible values:\n\n- `EXTENDABLE_RETENTION_PRICING` - This billing mode is generally recommended if you want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days.\n- `FIXED_RETENTION_PRICING` - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). 
The default retention period for this billing mode is 2557 days.\n\nThe default value is `EXTENDABLE_RETENTION_PRICING` .\n\nFor more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://docs.aws.amazon.com/cloudtrail/pricing/) and [Managing CloudTrail Lake costs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html) .", + "FederationEnabled": "Indicates if [Lake query federation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html) is enabled. By default, Lake query federation is disabled. You cannot delete an event data store if Lake query federation is enabled.", + "FederationRoleArn": "If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store.\n\nThe federation role must exist in your account and provide the [required minimum permissions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html#query-federation-permissions-role) .", "IngestionEnabled": "Specifies whether the event data store should start ingesting live events. The default is true.", + "InsightSelectors": "A JSON string that contains the Insights types you want to log on an event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", + "InsightsDestination": "The ARN (or ID suffix of the ARN) of the destination event data store that logs Insights events. 
For more information, see [Create an event data store for CloudTrail Insights events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-insights.html) .", "KmsKeyId": "Specifies the AWS KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by `alias/` , a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\n> Disabling or deleting the KMS key, or removing CloudTrail permissions on the key, prevents CloudTrail from logging events to the event data store, and prevents users from querying the data in the event data store that was encrypted with the key. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. Before you disable or delete a KMS key that you are using with an event data store, delete or back up your event data store. \n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- `alias/MyAliasName`\n- `arn:aws:kms:us-east-2:123456789012:alias/MyAliasName`\n- `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`\n- `12345678-1234-1234-1234-123456789012`", "MultiRegionEnabled": "Specifies whether the event data store includes events from all Regions, or only from the Region in which the event data store is created.", "Name": "The name of the event data store.", "OrganizationEnabled": "Specifies whether an event data store collects events logged for an organization in AWS Organizations .", - "RetentionPeriod": "The retention period of the event data store, in days. You can set a retention period of up to 2557 days, the equivalent of seven years.", + "RetentionPeriod": "The retention period of the event data store, in days. 
If `BillingMode` is set to `EXTENDABLE_RETENTION_PRICING` , you can set a retention period of up to 3653 days, the equivalent of 10 years. If `BillingMode` is set to `FIXED_RETENTION_PRICING` , you can set a retention period of up to 2557 days, the equivalent of seven years.\n\nCloudTrail Lake determines whether to retain an event by checking if the `eventTime` of the event is within the specified retention period. For example, if you set a retention period of 90 days, CloudTrail will remove events when the `eventTime` is older than 90 days.\n\n> If you plan to copy trail events to this event data store, we recommend that you consider both the age of the events that you want to copy as well as how long you want to keep the copied events in your event data store. For example, if you copy trail events that are 5 years old and specify a retention period of 7 years, the event data store will retain those events for two years.", "Tags": "A list of tags.", "TerminationProtectionEnabled": "Specifies whether termination protection is enabled for the event data store. If termination protection is enabled, you cannot delete the event data store until termination protection is disabled." }, 
@@ -4984,12 +5554,19 @@ "AWS::CloudTrail::EventDataStore AdvancedFieldSelector": { "EndsWith": "An operator that includes events that match the last few characters of the event record field specified as the value of `Field` .", "Equals": "An operator that includes events that match the exact value of the event record field specified as the value of `Field` . This is the only valid operator that you can use with the `readOnly` , `eventCategory` , and `resources.type` fields.", - "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. 
Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- 
`arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `readOnly` , `eventCategory` , and `eventSource` .\n\nFor CloudTrail data events, supported fields include `readOnly` , `eventCategory` , `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. 
A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::B2BI::Transformer`\n- `AWS::Bedrock::AgentAlias`\n- `AWS::Bedrock::KnowledgeBase`\n- `AWS::CloudFront:KeyValueStore`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::NeptuneGraph::Graph`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::QBusiness::Application`\n- `AWS::QBusiness::DataSource`\n- `AWS::QBusiness::Index`\n- `AWS::QBusiness::WebExperience`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::ServiceDiscovery::Namespace`\n- `AWS::ServiceDiscovery::Service`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::SQS::Queue`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::ThinClient::Device`\n- `AWS::ThinClient::Environment`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. 
For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::B2BI::Transformer` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::b2bi:::transformer/`\n\nWhen resources.type equals `AWS::Bedrock::AgentAlias` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::agent-alias//`\n\nWhen resources.type equals `AWS::Bedrock::KnowledgeBase` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::knowledge-base/`\n\nWhen resources.type equals `AWS::CloudFront:KeyValueStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudfront:::key-value-store/`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals 
`AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , 
the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::NeptuneGraph::Graph` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::neptune-graph:::graph/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::QBusiness::Application` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application/`\n\nWhen `resources.type` equals `AWS::QBusiness::DataSource` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index//data-source/`\n\nWhen `resources.type` equals `AWS::QBusiness::Index` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index/`\n\nWhen `resources.type` equals `AWS::QBusiness::WebExperience` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//web-experience/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or 
`NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Namespace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::namespace/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Service` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::service/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::SQS::Queue` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sqs:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::ThinClient::Device` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::device/`\n\nWhen `resources.type` equals `AWS::ThinClient::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::environment/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "NotEndsWith": "An operator that excludes events that match the last few characters of the event record field specified as the value of `Field` .", 
"NotEquals": "An operator that excludes events that match the exact value of the event record field specified as the value of `Field` .", "NotStartsWith": "An operator that excludes events that match the first few characters of the event record field specified as the value of `Field` .", "StartsWith": "An operator that includes events that match the first few characters of the event record field specified as the value of `Field` ." }, + "AWS::CloudTrail::EventDataStore InsightSelector": { + "InsightType": "The type of Insights events to log on an event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful." + }, + "AWS::CloudTrail::EventDataStore Tag": { + "Key": "The key in a key-value pair. The key must be must be no longer than 128 Unicode characters. The key must be unique for the resource to which it applies.", + "Value": "The value in a key-value pair of a tag. The value must be no longer than 256 Unicode characters." + }, "AWS::CloudTrail::ResourcePolicy": { "ResourceArn": "The Amazon Resource Name (ARN) of the CloudTrail channel attached to the resource-based policy. The following is the format of a resource ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/MyChannel` .", "ResourcePolicy": "A JSON-formatted string for an AWS resource-based policy.\n\nThe following are requirements for the resource policy:\n\n- Contains only one action: cloudtrail-data:PutAuditEvents\n- Contains at least one statement. The policy can have a maximum of 20 statements.\n- Each statement contains at least one principal. A statement can have a maximum of 50 principals." 
@@ -4999,12 +5576,12 @@ "CloudWatchLogsLogGroupArn": "Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. You must use a log group that exists in your account.\n\nNot required unless you specify `CloudWatchLogsRoleArn` .", "CloudWatchLogsRoleArn": "Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group. You must use a role that exists in your account.", "EnableLogFileValidation": "Specifies whether log file validation is enabled. The default is false.\n\n> When you disable log file integrity validation, the chain of digest files is broken after one hour. CloudTrail does not create digest files for log files that were delivered during a period in which log file integrity validation was disabled. For example, if you enable log file integrity validation at noon on January 1, disable it at noon on January 2, and re-enable it at noon on January 10, digest files will not be created for the log files delivered from noon on January 2 to noon on January 10. The same applies whenever you stop CloudTrail logging or delete a trail.", - "EventSelectors": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. 
If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nFor more information about how to configure event selectors, see [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#aws-resource-cloudtrail-trail--examples) and [Configuring event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-additional-cli-commands.html#configuring-event-selector-examples) in the *AWS CloudTrail User Guide* .", + "EventSelectors": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nYou cannot apply both event selectors and advanced event selectors to a trail.", "IncludeGlobalServiceEvents": "Specifies whether the trail is publishing events from global services such as IAM to the log files.", - "InsightSelectors": "A JSON string that contains the insight types you want to log on a trail. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", + "InsightSelectors": "A JSON string that contains the Insights types you want to log on a trail. 
`ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", "IsLogging": "Whether the CloudTrail trail is currently logging AWS API calls.", "IsMultiRegionTrail": "Specifies whether the trail applies only to the current Region or to all Regions. The default is false. If the trail exists only in the current Region and this value is set to true, shadow trails (replications of the trail) will be created in the other Regions. If the trail exists in all Regions and this value is set to false, the trail will remain in the Region where it was created, and its shadow trails in other Regions will be deleted. As a best practice, consider using trails that log events in all Regions.", - "IsOrganizationTrail": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account or delegated administrator account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.", + "IsOrganizationTrail": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . 
The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.\n\n> Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.", "KMSKeyId": "Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail. The value can be an alias name prefixed by \"alias/\", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012\n- 12345678-1234-1234-1234-123456789012", "S3BucketName": "Specifies the name of the Amazon S3 bucket designated for publishing log files. See [Amazon S3 Bucket Naming Requirements](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create_trail_naming_policy.html) .", "S3KeyPrefix": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. For more information, see [Finding Your CloudTrail Log Files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html) . The maximum length is 200 characters.", 
@@ -5019,18 +5596,18 @@ "AWS::CloudTrail::Trail AdvancedFieldSelector": { "EndsWith": "An operator that includes events that match the last few characters of the event record field specified as the value of `Field` .", "Equals": "An operator that includes events that match the exact value of the event record field specified as the value of `Field` . This is the only valid operator that you can use with the `readOnly` , `eventCategory` , and `resources.type` fields.", - "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. 
Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- 
`arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `readOnly` , `eventCategory` , and `eventSource` .\n\nFor CloudTrail data events, supported fields include `readOnly` , `eventCategory` , `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. 
A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::B2BI::Transformer`\n- `AWS::Bedrock::AgentAlias`\n- `AWS::Bedrock::KnowledgeBase`\n- `AWS::CloudFront:KeyValueStore`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::NeptuneGraph::Graph`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::QBusiness::Application`\n- `AWS::QBusiness::DataSource`\n- `AWS::QBusiness::Index`\n- `AWS::QBusiness::WebExperience`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::ServiceDiscovery::Namespace`\n- `AWS::ServiceDiscovery::Service`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::SQS::Queue`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::ThinClient::Device`\n- `AWS::ThinClient::Environment`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. 
For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::B2BI::Transformer` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::b2bi:::transformer/`\n\nWhen resources.type equals `AWS::Bedrock::AgentAlias` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::agent-alias//`\n\nWhen resources.type equals `AWS::Bedrock::KnowledgeBase` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::knowledge-base/`\n\nWhen resources.type equals `AWS::CloudFront:KeyValueStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudfront:::key-value-store/`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals 
`AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , 
the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::NeptuneGraph::Graph` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::neptune-graph:::graph/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::QBusiness::Application` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application/`\n\nWhen `resources.type` equals `AWS::QBusiness::DataSource` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index//data-source/`\n\nWhen `resources.type` equals `AWS::QBusiness::Index` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index/`\n\nWhen `resources.type` equals `AWS::QBusiness::WebExperience` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//web-experience/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or 
`NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Namespace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::namespace/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Service` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::service/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::SQS::Queue` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sqs:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::ThinClient::Device` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::device/`\n\nWhen `resources.type` equals `AWS::ThinClient::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::environment/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "NotEndsWith": "An operator that excludes events that match the last few characters of the event record field specified as the value of `Field` .", 
"NotEquals": "An operator that excludes events that match the exact value of the event record field specified as the value of `Field` .", "NotStartsWith": "An operator that excludes events that match the first few characters of the event record field specified as the value of `Field` .", "StartsWith": "An operator that includes events that match the first few characters of the event record field specified as the value of `Field` ." }, "AWS::CloudTrail::Trail DataResource": { - "Type": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::S3::Object`\n- `AWS::Lambda::Function`\n- `AWS::DynamoDB::Table`", + "Type": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n\nThe following resource types are only available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. 
For more information, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) .\n\n- `AWS::B2BI::Transformer`\n- `AWS::Bedrock::AgentAlias`\n- `AWS::Bedrock::KnowledgeBase`\n- `AWS::CloudFront:KeyValueStore`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::NeptuneGraph::Graph`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::QBusiness::Application`\n- `AWS::QBusiness::DataSource`\n- `AWS::QBusiness::Index`\n- `AWS::QBusiness::WebExperience`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::ServiceDiscovery::Namespace`\n- `AWS::ServiceDiscovery::Service`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::SQS::Queue`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::ThinClient::Device`\n- `AWS::ThinClient::Environment`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`", "Values": "An array of Amazon Resource Name (ARN) strings or partial ARN strings for the specified objects.\n\n- To log data events for all objects in all S3 buckets in your AWS account , specify the prefix as `arn:aws:s3` .\n\n> This also enables logging of data event activity performed by any user or role in your AWS account , even if that activity is performed on a bucket that belongs to another AWS account .\n- To log data events for all objects in an S3 bucket, specify the bucket and an empty 
object prefix such as `arn:aws:s3:::bucket-1/` . The trail logs data events for all objects in this S3 bucket.\n- To log data events for specific objects, specify the S3 bucket and object prefix such as `arn:aws:s3:::bucket-1/example-images` . The trail logs data events for objects in this S3 bucket that match the prefix.\n- To log data events for all Lambda functions in your AWS account , specify the prefix as `arn:aws:lambda` .\n\n> This also enables logging of `Invoke` activity performed by any user or role in your AWS account , even if that activity is performed on a function that belongs to another AWS account .\n- To log data events for a specific Lambda function, specify the function ARN.\n\n> Lambda function ARNs are exact. For example, if you specify a function ARN *arn:aws:lambda:us-west-2:111111111111:function:helloworld* , data events will only be logged for *arn:aws:lambda:us-west-2:111111111111:function:helloworld* . They will not be logged for *arn:aws:lambda:us-west-2:111111111111:function:helloworld2* .\n- To log data events for all DynamoDB tables in your AWS account , specify the prefix as `arn:aws:dynamodb` ." }, "AWS::CloudTrail::Trail EventSelector": { - "DataResources": "In AWS CloudFormation , CloudTrail supports data event logging for Amazon S3 objects, Amazon DynamoDB tables, and AWS Lambda functions. Currently, advanced event selectors for data events are not supported in AWS CloudFormation templates. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. 
This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", + "DataResources": "CloudTrail supports data event logging for Amazon S3 objects, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Data Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", "ExcludeManagementEventSources": "An optional list of service event sources from which you do not want management events to be logged on your trail. In this release, the list can be empty (disables the filter), or it can filter out AWS Key Management Service or Amazon RDS Data API events by containing `kms.amazonaws.com` or `rdsdata.amazonaws.com` . By default, `ExcludeManagementEventSources` is empty, and AWS KMS and Amazon RDS Data API events are logged to your trail. 
You can exclude management event sources only in Regions that support the event source.", "IncludeManagementEvents": "Specify if you want your event selector to include management events for your trail.\n\nFor more information, see [Management Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide* .\n\nBy default, the value is `true` .\n\nThe first copy of management events is free. You are charged for additional copies of management events that you are logging on any subsequent trail in the same Region. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://docs.aws.amazon.com/cloudtrail/pricing/) .", "ReadWriteType": "Specify if you want your trail to log read-only events, write-only events, or all. For example, the EC2 `GetConsoleOutput` is a read-only API operation and `RunInstances` is a write-only API operation.\n\nBy default, the value is `All` ." 
@@ -5038,6 +5615,10 @@
 "AWS::CloudTrail::Trail InsightSelector": {
 "InsightType": "The type of Insights events to log on a trail. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful."
 },
+ "AWS::CloudTrail::Trail Tag": {
+ "Key": "The key in a key-value pair. The key must be must be no longer than 128 Unicode characters. The key must be unique for the resource to which it applies.",
+ "Value": "The value in a key-value pair of a tag. The value must be no longer than 256 Unicode characters."
+ },
 "AWS::CloudWatch::Alarm": {
 "ActionsEnabled": "Indicates whether actions should be executed during any changes to the alarm state. The default is TRUE.",
 "AlarmActions": "The list of actions to execute when this alarm transitions into an ALARM state from any other state. Specify each action as an Amazon Resource Name (ARN). For more information about creating alarms and the actions that you can specify, see [PutMetricAlarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricAlarm.html) in the *Amazon CloudWatch API Reference* .",
@@ -5107,7 +5688,6 @@
 "MetricName": "The name of the metric. This is a required field.",
 "Namespace": "The namespace of the metric."
 },
- "AWS::CloudWatch::AnomalyDetector MetricDataQueries": {},
 "AWS::CloudWatch::AnomalyDetector MetricDataQuery": {
 "AccountId": "The ID of the account where the metrics are located.\n\nIf you are performing a `GetMetricData` operation in a monitoring account, use this to specify which account to retrieve this metric from.\n\nIf you are performing a `PutMetricAlarm` operation, use this to specify which account contains the metric that the alarm is watching.",
 "Expression": "This field can contain either a Metrics Insights query, or a metric math expression to be performed on the returned data. For more information about Metrics Insights queries, see [Metrics Insights query components and syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-querylanguage) in the *Amazon CloudWatch User Guide* .\n\nA math expression can use the `Id` of the other metrics or queries to refer to those metrics, and can also use the `Id` of other expressions to use the result of those expressions. For more information about metric math expressions, see [Metric Math Syntax and Functions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-metric-math.html#metric-math-syntax) in the *Amazon CloudWatch User Guide* .\n\nWithin each MetricDataQuery object, you must specify either `Expression` or `MetricStat` but not both.",
@@ -5158,16 +5738,15 @@ "RuleState": "The current state of the rule. Valid values are `ENABLED` and `DISABLED` .", "Tags": "A list of key-value pairs to associate with the Contributor Insights rule. You can associate as many as 50 tags with a rule.\n\nTags can help you organize and categorize your resources. For more information, see [Tagging Your Amazon CloudWatch Resources](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Tagging.html) .\n\nTo be able to associate tags with a rule, you must have the `cloudwatch:TagResource` permission in addition to the `cloudwatch:PutInsightRule` permission." }, - "AWS::CloudWatch::InsightRule Tags": {}, "AWS::CloudWatch::MetricStream": { "ExcludeFilters": "If you specify this parameter, the stream sends metrics from all metric namespaces except for the namespaces that you specify here. You cannot specify both `IncludeFilters` and `ExcludeFilters` in the same metric stream.\n\nWhen you modify the `IncludeFilters` or `ExcludeFilters` of an existing metric stream in any way, the metric stream is effectively restarted, so after such a change you will get only the datapoints that have a timestamp after the time of the update.", "FirehoseArn": "The ARN of the Amazon Kinesis Firehose delivery stream to use for this metric stream. This Amazon Kinesis Firehose delivery stream must already exist and must be in the same account as the metric stream.", "IncludeFilters": "If you specify this parameter, the stream sends only the metrics from the metric namespaces that you specify here. 
You cannot specify both `IncludeFilters` and `ExcludeFilters` in the same metric stream.\n\nWhen you modify the `IncludeFilters` or `ExcludeFilters` of an existing metric stream in any way, the metric stream is effectively restarted, so after such a change you will get only the datapoints that have a timestamp after the time of the update.", "IncludeLinkedAccountsMetrics": "If you are creating a metric stream in a monitoring account, specify `true` to include metrics from source accounts that are linked to this monitoring account, in the metric stream. The default is `false` .\n\nFor more information about linking accounts, see [CloudWatch cross-account observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html)", "Name": "If you are creating a new metric stream, this is the name for the new stream. The name must be different than the names of other metric streams in this account and Region.\n\nIf you are updating a metric stream, specify the name of that stream here.", - "OutputFormat": "The output format for the stream. Valid values are `json` and `opentelemetry0.7` For more information about metric stream output formats, see [Metric streams output formats](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html) .\n\nThis parameter is required.", + "OutputFormat": "The output format for the stream. Valid values are `json` , `opentelemetry1.0` and `opentelemetry0.7` For more information about metric stream output formats, see [Metric streams output formats](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html) .\n\nThis parameter is required.", "RoleArn": "The ARN of an IAM role that this metric stream will use to access Amazon Kinesis Firehose resources. This IAM role must already exist and must be in the same account as the metric stream. 
This IAM role must include the `firehose:PutRecord` and `firehose:PutRecordBatch` permissions.", - "StatisticsConfigurations": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html.html) . If the `OutputFormat` is `opentelemetry0` .7, you can stream percentile statistics *(p??)* .", + "StatisticsConfigurations": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html) . If the `OutputFormat` is OpenTelemetry, you can stream percentile statistics.", "Tags": "An array of key-value pairs to apply to the metric stream.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." 
}, "AWS::CloudWatch::MetricStream MetricStreamFilter": { 
@@ -5182,22 +5761,32 @@ "MetricName": "The name of the metric.", "Namespace": "The namespace of the metric." }, + "AWS::CloudWatch::MetricStream Tag": { + "Key": "A string that you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::CodeArtifact::Domain": { "DomainName": "A string that specifies the name of the requested domain.", - "EncryptionKey": "The key used to encrypt the domain.", "PermissionsPolicyDocument": "The document that defines the resource policy that is set on a domain.", "Tags": "A list of tags to be applied to the domain." }, + "AWS::CodeArtifact::Domain Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::CodeArtifact::Repository": { "Description": "A text description of the repository.", "DomainName": "The name of the domain that contains the repository.", - "DomainOwner": "The 12-digit account number of the AWS account that owns the domain that contains the repository. It does not include dashes or spaces.", "ExternalConnections": "An array of external connections associated with the repository.", "PermissionsPolicyDocument": "The document that defines the resource policy that is set on a repository.", "RepositoryName": "The name of an upstream repository.", "Tags": "A list of tags to be applied to the repository.", "Upstreams": "A list of upstream repositories to associate with the repository. The order of the upstream repositories in the list determines their priority order when AWS CodeArtifact looks for a requested package version. For more information, see [Working with upstream repositories](https://docs.aws.amazon.com/codeartifact/latest/ug/repos-upstream.html) ." }, + "AWS::CodeArtifact::Repository Tag": { + "Key": "The tag key.", + "Value": "The tag value." 
+ }, "AWS::CodeBuild::Project": { "Artifacts": "`Artifacts` is a property of the [AWS::CodeBuild::Project](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html) resource that specifies output settings for artifacts generated by an AWS CodeBuild build.", "BadgeEnabled": "Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge. For more information, see [Build Badges Sample](https://docs.aws.amazon.com/codebuild/latest/userguide/sample-build-badges.html) in the *AWS CodeBuild User Guide* .\n\n> Including build badges with your project is currently not supported if the source type is CodePipeline. If you specify `CODEPIPELINE` for the `Source` property, do not specify the `BadgeEnabled` property.", 
@@ -5256,14 +5845,13 @@ "ImagePullCredentialsType": "The type of credentials AWS CodeBuild uses to pull images in your build. There are two valid values:\n\n- `CODEBUILD` specifies that AWS CodeBuild uses its own credentials. This requires that you modify your ECR repository policy to trust AWS CodeBuild service principal.\n- `SERVICE_ROLE` specifies that AWS CodeBuild uses your build project's service role.\n\nWhen you use a cross-account or private registry image, you must use SERVICE_ROLE credentials. When you use an AWS CodeBuild curated image, you must use CODEBUILD credentials.", "PrivilegedMode": "Enables running the Docker daemon inside a Docker container. Set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails. The default setting is `false` .\n\nYou can initialize the Docker daemon during the install phase of your build by adding one of the following sets of commands to the install phase of your buildspec file:\n\nIf the operating system's base image is Ubuntu Linux:\n\n`- nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 --storage-driver=overlay&`\n\n`- timeout 15 sh -c \"until docker info; do echo .; sleep 1; done\"`\n\nIf the operating system's base image is Alpine Linux and the previous command does not work, add the `-t` argument to `timeout` :\n\n`- nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 --storage-driver=overlay&`\n\n`- timeout -t 15 sh -c \"until docker info; do echo .; sleep 1; done\"`", "RegistryCredential": "`RegistryCredential` is a property of the [AWS::CodeBuild::Project Environment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html#cfn-codebuild-project-environment) property that specifies information about credentials that provide access to a private Docker registry. 
When this is set:\n\n- `imagePullCredentialsType` must be set to `SERVICE_ROLE` .\n- images cannot be curated or an Amazon ECR image.", - "Type": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* ." + "Type": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. 
California), US West (Oregon), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Hyderabad), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), and Europe (London).\n\n- The environment types `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* ." 
}, "AWS::CodeBuild::Project EnvironmentVariable": { "Name": "The name or key of the environment variable.", "Type": "The type of environment variable. Valid values include:\n\n- `PARAMETER_STORE` : An environment variable stored in Systems Manager Parameter Store. For environment variables of this type, specify the name of the parameter as the `value` of the EnvironmentVariable. The parameter value will be substituted for the name at runtime. You can also define Parameter Store environment variables in the buildspec. To learn how to do so, see [env/parameter-store](https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec.env.parameter-store) in the *AWS CodeBuild User Guide* .\n- `PLAINTEXT` : An environment variable in plain text format. This is the default value.\n- `SECRETS_MANAGER` : An environment variable stored in AWS Secrets Manager . For environment variables of this type, specify the name of the secret as the `value` of the EnvironmentVariable. The secret value will be substituted for the name at runtime. You can also define AWS Secrets Manager environment variables in the buildspec. To learn how to do so, see [env/secrets-manager](https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec.env.secrets-manager) in the *AWS CodeBuild User Guide* .", - "Value": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs and secret access keys. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` ." + "Value": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs. 
`PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` ." }, - "AWS::CodeBuild::Project FilterGroup": {}, "AWS::CodeBuild::Project GitSubmodulesConfig": { "FetchSubmodules": "Set to true to fetch Git submodules for your AWS CodeBuild build project." }, @@ -5324,6 +5912,10 @@ "Resource": "The resource value that applies to the specified authorization type.\n\n> This data type is used by the AWS CodeBuild console only.", "Type": "The authorization type to use. The only valid value is `OAUTH` , which represents the OAuth authorization type.\n\n> This data type is used by the AWS CodeBuild console only." }, + "AWS::CodeBuild::Project Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodeBuild::Project VpcConfig": { "SecurityGroupIds": "A list of one or more security groups IDs in your Amazon VPC. The maximum count is 5.", "Subnets": "A list of one or more subnet IDs in your Amazon VPC. The maximum count is 16.", @@ -5353,6 +5945,10 @@ "Packaging": "The type of build output artifact to create. Valid values include:\n\n- `NONE` : CodeBuild creates the raw data in the output bucket. This is the default if packaging is not specified.\n- `ZIP` : CodeBuild creates a ZIP file with the raw data in the output bucket.", "Path": "The path to the exported report's raw data results." }, + "AWS::CodeBuild::ReportGroup Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodeBuild::SourceCredential": { "AuthType": "The type of authentication used by the credentials. Valid options are OAUTH, BASIC_AUTH, or PERSONAL_ACCESS_TOKEN.", "ServerType": "The type of source provider. The valid options are GITHUB, GITHUB_ENTERPRISE, or BITBUCKET.", 
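Review bot: The rewritten `Value` description under `AWS::CodeBuild::Project EnvironmentVariable` narrows the secret-handling warning: the added line says only "especially AWS secret key IDs", where the removed line said "AWS secret key IDs and secret access keys". The secret access key is the part of the credential pair that most needs to stay out of a `PLAINTEXT` variable, so the shorter wording drops the more important half of the warning for anyone reading this description. I would keep the earlier phrase, `especially AWS secret key IDs and secret access keys`. If these strings are synced from an upstream documentation source (not visible from this page), the wording is better raised there than hand-edited here.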
@@ -5382,21 +5978,34 @@ "Key": "The key to use for accessing the Amazon S3 bucket. Changes to this property are ignored after initial resource creation. For more information, see [Creating object key names](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html) and [Uploading objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/upload-objects.html) in the Amazon S3 User Guide.", "ObjectVersion": "The object version of the ZIP file, if versioning is enabled for the Amazon S3 bucket. Changes to this property are ignored after initial resource creation." }, + "AWS::CodeCommit::Repository Tag": { + "Key": "", + "Value": "" + }, "AWS::CodeDeploy::Application": { "ApplicationName": "A name for the application. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the application name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> Updates to `ApplicationName` are not supported.", "ComputePlatform": "The compute platform that CodeDeploy deploys the application to.", "Tags": "The metadata that you apply to CodeDeploy applications to help you organize and categorize them. Each tag consists of a key and an optional value, both of which you define." }, + "AWS::CodeDeploy::Application Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodeDeploy::DeploymentConfig": { "ComputePlatform": "The destination platform type for the deployment ( `Lambda` , `Server` , or `ECS` ).", "DeploymentConfigName": "A name for the deployment configuration. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the deployment configuration name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> If you specify a name, you cannot perform updates that require replacement of this resource. 
You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", "MinimumHealthyHosts": "The minimum number of healthy instances that should be available at any time during the deployment. There are two parameters expected in the input: type and value.\n\nThe type parameter takes either of the following values:\n\n- HOST_COUNT: The value parameter represents the minimum number of healthy instances as an absolute value.\n- FLEET_PERCENT: The value parameter represents the minimum number of healthy instances as a percentage of the total number of instances in the deployment. If you specify FLEET_PERCENT, at the start of the deployment, AWS CodeDeploy converts the percentage to the equivalent number of instance and rounds up fractional instances.\n\nThe value parameter takes an integer.\n\nFor example, to set a minimum of 95% healthy instance, specify a type of FLEET_PERCENT and a value of 95.\n\nFor more information about instance health, see [CodeDeploy Instance Health](https://docs.aws.amazon.com/codedeploy/latest/userguide/instances-health.html) in the AWS CodeDeploy User Guide.", - "TrafficRoutingConfig": "The configuration that specifies how the deployment traffic is routed." + "TrafficRoutingConfig": "The configuration that specifies how the deployment traffic is routed.", + "ZonalConfig": "Configure the `ZonalConfig` object if you want AWS CodeDeploy to deploy your application to one [Availability Zone](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones) at a time, within an AWS Region.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* ." 
}, "AWS::CodeDeploy::DeploymentConfig MinimumHealthyHosts": { "Type": "The minimum healthy instance type:\n\n- HOST_COUNT: The minimum number of healthy instance as an absolute value.\n- FLEET_PERCENT: The minimum number of healthy instance as a percentage of the total number of instance in the deployment.\n\nIn an example of nine instance, if a HOST_COUNT of six is specified, deploy to up to three instances at a time. The deployment is successful if six or more instances are deployed to successfully. Otherwise, the deployment fails. If a FLEET_PERCENT of 40 is specified, deploy to up to five instance at a time. The deployment is successful if four or more instance are deployed to successfully. Otherwise, the deployment fails.\n\n> In a call to `GetDeploymentConfig` , CodeDeployDefault.OneAtATime returns a minimum healthy instance type of MOST_CONCURRENCY and a value of 1. This means a deployment to only one instance at a time. (You cannot set the type to MOST_CONCURRENCY, only to HOST_COUNT or FLEET_PERCENT.) In addition, with CodeDeployDefault.OneAtATime, AWS CodeDeploy attempts to ensure that all instances but one are kept in a healthy state during the deployment. Although this allows one instance at a time to be taken offline for a new deployment, it also means that if the deployment to the last instance fails, the overall deployment is still successful. \n\nFor more information, see [AWS CodeDeploy Instance Health](https://docs.aws.amazon.com//codedeploy/latest/userguide/instances-health.html) in the *AWS CodeDeploy User Guide* .", "Value": "The minimum healthy instance value." }, + "AWS::CodeDeploy::DeploymentConfig MinimumHealthyHostsPerZone": { + "Type": "The `type` associated with the `MinimumHealthyHostsPerZone` option.", + "Value": "The `value` associated with the `MinimumHealthyHostsPerZone` option." 
+ }, "AWS::CodeDeploy::DeploymentConfig TimeBasedCanary": { "CanaryInterval": "The number of minutes between the first and second traffic shifts of a `TimeBasedCanary` deployment.", "CanaryPercentage": "The percentage of traffic to shift in the first increment of a `TimeBasedCanary` deployment." 
@@ -5410,6 +6019,11 @@ "TimeBasedLinear": "A configuration that shifts traffic from one version of a Lambda function or Amazon ECS task set to another in equal increments, with an equal number of minutes between each increment. The original and target Lambda function versions or Amazon ECS task sets are specified in the deployment's AppSpec file.", "Type": "The type of traffic shifting ( `TimeBasedCanary` or `TimeBasedLinear` ) used by a deployment configuration." }, + "AWS::CodeDeploy::DeploymentConfig ZonalConfig": { + "FirstZoneMonitorDurationInSeconds": "The period of time, in seconds, that CodeDeploy must wait after completing a deployment to the *first* Availability Zone. CodeDeploy will wait this amount of time before starting a deployment to the second Availability Zone. You might set this option if you want to allow extra bake time for the first Availability Zone. If you don't specify a value for `firstZoneMonitorDurationInSeconds` , then CodeDeploy uses the `monitorDurationInSeconds` value for the first Availability Zone.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "MinimumHealthyHostsPerZone": "The number or percentage of instances that must remain available per Availability Zone during a deployment. This option works in conjunction with the `MinimumHealthyHosts` option. 
For more information, see [About the minimum number of healthy hosts per Availability Zone](https://docs.aws.amazon.com//codedeploy/latest/userguide/instances-health.html#minimum-healthy-hosts-az) in the *CodeDeploy User Guide* .\n\nIf you don't specify the `minimumHealthyHostsPerZone` option, then CodeDeploy uses a default value of `0` percent.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "MonitorDurationInSeconds": "The period of time, in seconds, that CodeDeploy must wait after completing a deployment to an Availability Zone. CodeDeploy will wait this amount of time before starting a deployment to the next Availability Zone. Consider adding a monitor duration to give the deployment some time to prove itself (or 'bake') in one Availability Zone before it is released in the next zone. If you don't specify a `monitorDurationInSeconds` , CodeDeploy starts deploying to the next Availability Zone immediately.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* ." + }, "AWS::CodeDeploy::DeploymentGroup": { "AlarmConfiguration": "Information about the Amazon CloudWatch alarms that are associated with the deployment group.", "ApplicationName": "The name of an existing CodeDeploy application to associate this deployment group with.", 
@@ -5426,9 +6040,9 @@ "LoadBalancerInfo": "Information about the load balancer to use in a deployment. For more information, see [Integrating CodeDeploy with Elastic Load Balancing](https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-elastic-load-balancing.html) in the *AWS CodeDeploy User Guide* .", "OnPremisesInstanceTagFilters": "The on-premises instance tags already applied to on-premises instances that you want to include in the deployment group. CodeDeploy includes all on-premises instances identified by any of the tags you specify in this deployment group. To register on-premises instances with CodeDeploy , see [Working with On-Premises Instances for CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/instances-on-premises.html) in the *AWS CodeDeploy User Guide* . Duplicates are not allowed.\n\nYou can specify `OnPremisesInstanceTagFilters` or `OnPremisesInstanceTagSet` , but not both.", "OnPremisesTagSet": "Information about groups of tags applied to on-premises instances. The deployment group includes only on-premises instances identified by all the tag groups.\n\nYou can specify `OnPremisesInstanceTagFilters` or `OnPremisesInstanceTagSet` , but not both.", - "OutdatedInstancesStrategy": "", + "OutdatedInstancesStrategy": "Indicates what happens when new Amazon EC2 instances are launched mid-deployment and do not receive the deployed application revision.\n\nIf this option is set to `UPDATE` or is unspecified, CodeDeploy initiates one or more 'auto-update outdated instances' deployments to apply the deployed application revision to the new Amazon EC2 instances.\n\nIf this option is set to `IGNORE` , CodeDeploy does not initiate a deployment to update the new Amazon EC2 instances. This may result in instances having different revisions.", "ServiceRoleArn": "A service role Amazon Resource Name (ARN) that grants CodeDeploy permission to make calls to AWS services on your behalf. 
For more information, see [Create a Service Role for AWS CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-service-role.html) in the *AWS CodeDeploy User Guide* .\n\n> In some cases, you might need to add a dependency on the service role's policy. For more information, see IAM role policy in [DependsOn Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) .", - "Tags": "", + "Tags": "The metadata that you apply to CodeDeploy deployment groups to help you organize and categorize them. Each tag consists of a key and an optional value, both of which you define.", "TriggerConfigurations": "Information about triggers associated with the deployment group. Duplicates are not allowed" }, "AWS::CodeDeploy::DeploymentGroup Alarm": { 
@@ -5491,9 +6105,9 @@ "Action": "The method used to add instances to a replacement environment.\n\n- `DISCOVER_EXISTING` : Use instances that already exist or will be created manually.\n- `COPY_AUTO_SCALING_GROUP` : Use settings from a specified Auto Scaling group to define and create instances in a new Auto Scaling group." }, "AWS::CodeDeploy::DeploymentGroup LoadBalancerInfo": { - "ElbInfoList": "An array that contains information about the load balancer to use for load balancing in a deployment. In Elastic Load Balancing, load balancers are used with Classic Load Balancers.\n\n> Adding more than one load balancer to the array is not supported.", - "TargetGroupInfoList": "An array that contains information about the target group to use for load balancing in a deployment. In Elastic Load Balancing , target groups are used with Application Load Balancers .\n\n> Adding more than one target group to the array is not supported.", - "TargetGroupPairInfoList": "" + "ElbInfoList": "An array that contains information about the load balancers to use for load balancing in a deployment. If you're using Classic Load Balancers, specify those load balancers in this array.\n\n> You can add up to 10 load balancers to the array. > If you're using Application Load Balancers or Network Load Balancers, use the `targetGroupInfoList` array instead of this one.", + "TargetGroupInfoList": "An array that contains information about the target groups to use for load balancing in a deployment. If you're using Application Load Balancers and Network Load Balancers, specify their associated target groups in this array.\n\n> You can add up to 10 target groups to the array. > If you're using Classic Load Balancers, use the `elbInfoList` array instead of this one.", + "TargetGroupPairInfoList": "The target group pair information. This is an array of `TargeGroupPairInfo` objects with a maximum size of one." 
}, "AWS::CodeDeploy::DeploymentGroup OnPremisesTagSet": { "OnPremisesTagSetList": "A list that contains other lists of on-premises instance tag groups. For an instance to be included in the deployment group, it must be identified by all of the tag groups in the list.\n\nDuplicates are not allowed." @@ -5513,6 +6127,10 @@ "Key": "The name of the Amazon S3 object that represents the bundled artifacts for the application revision.", "Version": "A specific version of the Amazon S3 object that represents the bundled artifacts for the application revision.\n\nIf the version is not specified, the system uses the most recent version by default." }, + "AWS::CodeDeploy::DeploymentGroup Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodeDeploy::DeploymentGroup TagFilter": { "Key": "The on-premises instance tag filter key.", "Type": "The on-premises instance tag filter type:\n\n- KEY_ONLY: Key only.\n- VALUE_ONLY: Value only.\n- KEY_AND_VALUE: Key and value.", 
@@ -5522,12 +6140,12 @@ "Name": "For blue/green deployments, the name of the target group that instances in the original environment are deregistered from, and instances in the replacement environment registered with. For in-place deployments, the name of the target group that instances are deregistered from, so they are not serving traffic during a deployment, and then re-registered with after the deployment completes. No duplicates allowed.\n\n> AWS CloudFormation supports blue/green deployments on AWS Lambda compute platforms only. \n\nThis value cannot exceed 32 characters, so you should use the `Name` property of the target group, or the `TargetGroupName` attribute with the `Fn::GetAtt` intrinsic function, as shown in the following example. Don't use the group's Amazon Resource Name (ARN) or `TargetGroupFullName` attribute." }, "AWS::CodeDeploy::DeploymentGroup TargetGroupPairInfo": { - "ProdTrafficRoute": "", - "TargetGroups": "", - "TestTrafficRoute": "" + "ProdTrafficRoute": "The path used by a load balancer to route production traffic when an Amazon ECS deployment is complete.", + "TargetGroups": "One pair of target groups. One is associated with the original task set. The second is associated with the task set that serves traffic after the deployment is complete.", + "TestTrafficRoute": "An optional path used by a load balancer to route test traffic after an Amazon ECS deployment. Validation can occur while test traffic is served during a deployment." }, "AWS::CodeDeploy::DeploymentGroup TrafficRoute": { - "ListenerArns": "" + "ListenerArns": "The Amazon Resource Name (ARN) of one listener. The listener identifies the route between a target group and a load balancer. This is an array of strings with a maximum size of one." }, "AWS::CodeDeploy::DeploymentGroup TriggerConfig": { "TriggerEvents": "The event type or types that trigger notifications.", 
@@ -5548,6 +6166,10 @@ "channelId": "The channel ID.", "channelUri": "The channel URI." }, + "AWS::CodeGuruProfiler::ProfilingGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::CodeGuruReviewer::RepositoryAssociation": { "BucketName": "The name of the bucket. This is required for your S3Bucket repository. The name must start with the prefix `codeguru-reviewer-*` .", "ConnectionArn": "The Amazon Resource Name (ARN) of an AWS CodeStar Connections connection. Its format is `arn:aws:codestar-connections:region-id:aws-account_id:connection/connection-id` . For more information, see [Connection](https://docs.aws.amazon.com/codestar-connections/latest/APIReference/API_Connection.html) in the *AWS CodeStar Connections API Reference* .\n\n`ConnectionArn` must be specified for Bitbucket and GitHub Enterprise Server repositories. It has no effect if it is specified for an AWS CodeCommit repository.", 
@@ -5556,6 +6178,10 @@ "Tags": "An array of key-value pairs used to tag an associated repository. A tag is a custom attribute label with two parts:\n\n- A *tag key* (for example, `CostCenter` , `Environment` , `Project` , or `Secret` ). Tag keys are case sensitive.\n- An optional field known as a *tag value* (for example, `111122223333` , `Production` , or a team name). Omitting the tag value is the same as using an empty string. Like tag keys, tag values are case sensitive.", "Type": "The type of repository that contains the source code to be reviewed. The valid values are:\n\n- `CodeCommit`\n- `Bitbucket`\n- `GitHubEnterpriseServer`\n- `S3Bucket`" }, + "AWS::CodeGuruReviewer::RepositoryAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::CodePipeline::CustomActionType": { "Category": "The category of the custom action, such as a build action or a test action.", "ConfigurationProperties": "The configuration properties for the custom action.\n\n> You can refer to a name in the configuration properties of the custom action within the URL templates by following the format of {Config:name}, as long as the configuration property is both required and not secret. For more information, see [Create a Custom Action for a Pipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-create-custom-action.html) .", 
@@ -5585,15 +6211,22 @@ "RevisionUrlTemplate": "The URL returned to the CodePipeline console that contains a link to the page where customers can update or change the configuration of the external action.", "ThirdPartyConfigurationUrl": "The URL of a sign-up page where users can sign up for an external service and perform initial configuration of the action provided by that service." }, + "AWS::CodePipeline::CustomActionType Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodePipeline::Pipeline": { "ArtifactStore": "The S3 bucket where artifacts for the pipeline are stored.\n\n> You must include either `artifactStore` or `artifactStores` in your pipeline, but you cannot use both. If you create a cross-region action in your pipeline, you must use `artifactStores` .", "ArtifactStores": "A mapping of `artifactStore` objects and their corresponding AWS Regions. There must be an artifact store for the pipeline Region and for each cross-region action in the pipeline.\n\n> You must include either `artifactStore` or `artifactStores` in your pipeline, but you cannot use both. If you create a cross-region action in your pipeline, you must use `artifactStores` .", "DisableInboundStageTransitions": "Represents the input of a `DisableStageTransition` action.", "Name": "The name of the pipeline.", + "PipelineType": "CodePipeline provides the following pipeline types, which differ in characteristics and price, so that you can tailor your pipeline features and cost to the needs of your applications.\n\n- V1 type pipelines have a JSON structure that contains standard pipeline, stage, and action-level parameters.\n- V2 type pipelines have the same structure as a V1 type, along with additional parameters for release safety and trigger configuration.\n\n> Including V2 parameters, such as triggers on Git tags, in the pipeline JSON when creating or updating a pipeline will result in the pipeline having the V2 type of pipeline and the associated costs. 
\n\nFor information about pricing for CodePipeline, see [Pricing](https://docs.aws.amazon.com/https://aws.amazon.com/codepipeline/pricing/) .\n\nFor information about which type of pipeline to choose, see [What type of pipeline is right for me?](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipeline-types-planning.html) .", "RestartExecutionOnUpdate": "Indicates whether to rerun the CodePipeline pipeline after you update it.", "RoleArn": "The Amazon Resource Name (ARN) for CodePipeline to use to either perform actions with no `actionRoleArn` , or to use to assume roles for actions with an `actionRoleArn` .", "Stages": "Represents information about a stage and its definition.", - "Tags": "Specifies the tags applied to the pipeline." + "Tags": "Specifies the tags applied to the pipeline.", + "Triggers": "The trigger configuration specifying a type of event, such as Git tags, that starts the pipeline.\n\n> When a trigger configuration is specified, default change detection for repository and branch commits is disabled.", + "Variables": "A list that defines the pipeline variables for a pipeline resource. Variable names can have alphanumeric and underscore characters, and the values must match `[A-Za-z0-9@\\-_]+` ." }, "AWS::CodePipeline::Pipeline ActionDeclaration": { "ActionTypeId": "Specifies the action type and the provider of the action.", 
@@ -5629,12 +6262,27 @@ "Id": "The ID used to identify the key. For an AWS KMS key, you can use the key ID, the key ARN, or the alias ARN.\n\n> Aliases are recognized only in the account that created the AWS KMS key. For cross-account actions, you can only use the key ID or key ARN to identify the key. Cross-account actions involve using the role from the other account (AccountB), so specifying the key ID will use the key from the other account (AccountB).", "Type": "The type of encryption key, such as an AWS KMS key. When creating or updating a pipeline, the value must be set to 'KMS'." }, + "AWS::CodePipeline::Pipeline GitConfiguration": { + "Push": "The field where the repository event that will start the pipeline, such as pushing Git tags, is specified with details.\n\n> Git tags is the only supported event type.", + "SourceActionName": "The name of the pipeline source action where the trigger configuration, such as Git tags, is specified. The trigger configuration will start the pipeline upon the specified change only.\n\n> You can only specify one trigger configuration per source action." + }, + "AWS::CodePipeline::Pipeline GitPushFilter": { + "Tags": "The field that contains the details for the Git tags trigger configuration." + }, + "AWS::CodePipeline::Pipeline GitTagFilterCriteria": { + "Excludes": "The list of patterns of Git tags that, when pushed, are to be excluded from starting the pipeline.", + "Includes": "The list of patterns of Git tags that, when pushed, are to be included as criteria that starts the pipeline." + }, "AWS::CodePipeline::Pipeline InputArtifact": { "Name": "The name of the artifact to be worked on (for example, \"My App\").\n\nArtifacts are the files that are worked on by actions in the pipeline. See the action configuration for each action for details about artifact parameters. For example, the S3 source action input artifact is a file name (or file path), and the files are generally provided as a ZIP file. 
Example artifact name: SampleApp_Windows.zip\n\nThe input artifact of an action must exactly match the output artifact declared in a preceding action, but the input artifact does not have to be the next action in strict sequence from the action that provided the output artifact. Actions in parallel can declare different output artifacts, which are in turn consumed by different following actions." }, "AWS::CodePipeline::Pipeline OutputArtifact": { "Name": "The name of the output of an artifact, such as \"My App\".\n\nThe output artifact name must exactly match the input artifact declared for a downstream action. However, the downstream action's input artifact does not have to be the next action in strict sequence from the action that provided the output artifact. Actions in parallel can declare different output artifacts, which are in turn consumed by different following actions.\n\nOutput artifact names must be unique within a pipeline." }, + "AWS::CodePipeline::Pipeline PipelineTriggerDeclaration": { + "GitConfiguration": "Provides the filter criteria and the source stage for the repository event that starts the pipeline, such as Git tags.", + "ProviderType": "The source provider for the event, such as connections configured for a repository with Git tags, for the specified trigger configuration." + }, "AWS::CodePipeline::Pipeline StageDeclaration": { "Actions": "The actions included in a stage.", "Blockers": "Reserved for future use.", 
@@ -5644,6 +6292,15 @@ "Reason": "The reason given to the user that a stage is disabled, such as waiting for manual approval or manual tests. This message is displayed in the pipeline console UI.", "StageName": "The name of the stage where you want to disable the inbound or outbound transition of artifacts." }, + "AWS::CodePipeline::Pipeline Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, + "AWS::CodePipeline::Pipeline VariableDeclaration": { + "DefaultValue": "The value of a pipeline-level variable.", + "Description": "The description of a pipeline-level variable. It's used to add additional context about the variable, and not being used at time when pipeline executes.", + "Name": "The name of a pipeline-level variable." + }, "AWS::CodePipeline::Webhook": { "Authentication": "Supported options are GITHUB_HMAC, IP, and UNAUTHENTICATED.\n\n- For information about the authentication scheme implemented by GITHUB_HMAC, see [Securing your webhooks](https://docs.aws.amazon.com/https://developer.github.com/webhooks/securing/) on the GitHub Developer website.\n- IP rejects webhooks trigger requests unless they originate from an IP address in the IP range whitelisted in the authentication configuration.\n- UNAUTHENTICATED accepts all webhook trigger requests regardless of origin.", "AuthenticationConfiguration": "Properties that configure the authentication applied to incoming webhook trigger requests. The required properties depend on the authentication type. For GITHUB_HMAC, only the `SecretToken` property must be set. For IP, only the `AllowedIPRange` property must be set to a valid CIDR range. For UNAUTHENTICATED, no properties can be set.", 
@@ -5681,11 +6338,34 @@ "ObjectVersion": "The object version of the ZIP file, if versioning is enabled for the Amazon S3 bucket." }, "AWS::CodeStarConnections::Connection": { - "ConnectionName": "The name of the connection. Connection names must be unique in an AWS user account.", + "ConnectionName": "The name of the connection. Connection names must be unique in an AWS account .", "HostArn": "The Amazon Resource Name (ARN) of the host associated with the connection.", "ProviderType": "The name of the external provider where your third-party code repository is configured.", "Tags": "Specifies the tags applied to the resource." }, + "AWS::CodeStarConnections::Connection Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, + "AWS::CodeStarConnections::RepositoryLink": { + "ConnectionArn": "The Amazon Resource Name (ARN) of the connection associated with the repository link.", + "EncryptionKeyArn": "The Amazon Resource Name (ARN) of the encryption key for the repository associated with the repository link.", + "OwnerId": "The owner ID for the repository associated with the repository link, such as the owner ID in GitHub.", + "RepositoryName": "The name of the repository associated with the repository link.", + "Tags": "The tags for the repository to be associated with the repository link." + }, + "AWS::CodeStarConnections::RepositoryLink Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, + "AWS::CodeStarConnections::SyncConfiguration": { + "Branch": "The branch associated with a specific sync configuration.", + "ConfigFile": "The file path to the configuration file associated with a specific sync configuration. 
The path should point to an actual file in the sync configurations linked repository.", + "RepositoryLinkId": "The ID of the repository link associated with a specific sync configuration.", + "ResourceName": "The name of the connection resource associated with a specific sync configuration.", + "RoleArn": "The Amazon Resource Name (ARN) of the IAM role associated with a specific sync configuration.", + "SyncType": "The type of sync for a specific sync configuration." + }, "AWS::CodeStarNotifications::NotificationRule": { "CreatedBy": "", "DetailType": "The level of detail to include in the notifications for this resource. `BASIC` will include only the contents of the event as it would appear in Amazon CloudWatch. `FULL` will include any supplemental information provided by AWS CodeStar Notifications and/or the service for the resource for which the notification is created.", 
@@ -5755,6 +6435,18 @@ "AWS::Cognito::IdentityPoolRoleAttachment RulesConfigurationType": { "Rules": "The rules. You can specify up to 25 rules per identity provider." }, + "AWS::Cognito::LogDeliveryConfiguration": { + "LogConfigurations": "The detailed activity logging destination of a user pool.", + "UserPoolId": "The ID of the user pool where you configured detailed activity logging." + }, + "AWS::Cognito::LogDeliveryConfiguration CloudWatchLogsConfiguration": { + "LogGroupArn": "The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs. The log group must not be encrypted with AWS Key Management Service and must be in the same AWS account as your user pool.\n\nTo send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with `/aws/vendedlogs` . For more information, see [Enabling logging from certain AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) ." + }, + "AWS::Cognito::LogDeliveryConfiguration LogConfiguration": { + "CloudWatchLogsConfiguration": "The CloudWatch logging destination of a user pool detailed activity logging configuration.", + "EventSource": "The source of events that your user pool sends for detailed activity logging.", + "LogLevel": "The `errorlevel` selection of logs that a user pool sends for detailed activity logging." + }, "AWS::Cognito::UserPool": { "AccountRecoverySetting": "Use this setting to define which verified available method a user can use to recover their password when they call `ForgotPassword` . It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. 
In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.", "AdminCreateUserConfig": "The configuration for creating a new user profile.", 
@@ -5774,7 +6466,7 @@ "SmsConfiguration": "The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .", "SmsVerificationMessage": "This parameter is no longer used. See [VerificationMessageTemplateType](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html) .", "UserAttributeUpdateSettings": "The settings for updates to user attributes. These settings include the property `AttributesRequireVerificationBeforeUpdate` ,\na user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For\nmore information, see [Verifying updates to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates) .", - "UserPoolAddOns": "Enables advanced security risk detection. Set the key `AdvancedSecurityMode` to the value \"AUDIT\".", + "UserPoolAddOns": "User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` .\n\nFor more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) .", "UserPoolName": "A string used to name the user pool.", "UserPoolTags": "The tag keys and values to assign to the user pool. 
A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.", "UsernameAttributes": "Determines whether email addresses or phone numbers can be specified as user names when a user signs up. Possible values: `phone_number` or `email` .\n\nThis user pool property cannot be updated.", 
@@ -5806,7 +6498,7 @@ "EmailSendingAccount": "Specifies whether Amazon Cognito uses its built-in functionality to send your users email messages, or uses your Amazon Simple Email Service email configuration. Specify one of the following values:\n\n- **COGNITO_DEFAULT** - When Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is less than the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration.\n\nTo look up the email delivery limit for the default option, see [Limits](https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html) in the *Amazon Cognito Developer Guide* .\n\nThe default FROM address is `no-reply@verificationemail.com` . To customize the FROM address, provide the Amazon Resource Name (ARN) of an Amazon SES verified email address for the `SourceArn` parameter.\n- **DEVELOPER** - When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your AWS account .\n\nIf you use this option, provide the ARN of an Amazon SES verified email address for the `SourceArn` parameter.\n\nBefore Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a *service-linked role* , which is a type of role in your AWS account . This role contains the permissions that allow you to access Amazon SES and send email messages from your email address. 
For more information about the service-linked role that Amazon Cognito creates, see [Using Service-Linked Roles for Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/using-service-linked-roles.html) in the *Amazon Cognito Developer Guide* .", "From": "Identifies either the sender's email address or the sender's name with their email address. For example, `testuser@example.com` or `Test User ` . This address appears before the body of the email.", "ReplyToEmailAddress": "The destination to which the receiver of the email should reply.", - "SourceArn": "The ARN of a verified email address in Amazon SES. Amazon Cognito uses this email address in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) ." + "SourceArn": "The ARN of a verified email address or an address from a verified domain in Amazon SES. You can set a `SourceArn` email from a verified domain only with an API request. You can set a verified email address, but not an address in a verified domain, in the Amazon Cognito console. 
Amazon Cognito uses the email address that you provide in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) ." }, "AWS::Cognito::UserPool InviteMessageTemplate": { "EmailMessage": "The message template for email messages. EmailMessage is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.", 
@@ -5838,7 +6530,7 @@ "RequireNumbers": "In the password policy that you have set, refers to whether you have required users to use at least one number in their password.", "RequireSymbols": "In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.", "RequireUppercase": "In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.", - "TemporaryPasswordValidityDays": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool." + "TemporaryPasswordValidityDays": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. Defaults to `7` . If you submit a value of `0` , Amazon Cognito treats it as a null value and sets `TemporaryPasswordValidityDays` to its default value.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool." }, "AWS::Cognito::UserPool Policies": { "PasswordPolicy": "The password policy." 
@@ -5848,10 +6540,10 @@ "Priority": "A positive integer specifying priority of a method with 1 being the highest priority." }, "AWS::Cognito::UserPool SchemaAttribute": { - "AttributeDataType": "The attribute data type.", + "AttributeDataType": "The data format of the values for your attribute. When you choose an `AttributeDataType` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example `\"custom:isMember\" : \"true\"` or `\"custom:YearsAsMember\" : \"12\"` .", "DeveloperOnlyAttribute": "> We recommend that you use [WriteAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes) in the user pool client to control how attributes can be mutated for new use cases instead of using `DeveloperOnlyAttribute` . \n\nSpecifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users will not be able to modify this attribute using their access token.", - "Mutable": "Specifies whether the value of the attribute can be changed.\n\nFor any user pool attribute that is mapped to an IdP attribute, you must set this parameter to `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", - "Name": "A schema attribute of the name type.", + "Mutable": "Specifies whether the value of the attribute can be changed.\n\nAny user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of `true` . 
Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "Name": "The name of your user pool attribute. When you create or update a user pool, adding a schema attribute creates a custom or developer-only attribute. When you add an attribute with a `Name` value of `MyAttribute` , Amazon Cognito creates the custom attribute `custom:MyAttribute` . When `DeveloperOnlyAttribute` is `true` , Amazon Cognito creates your attribute as `dev:MyAttribute` . In an operation that describes a user pool, Amazon Cognito returns this value as `value` for standard attributes, `custom:value` for custom attributes, and `dev:value` for developer-only attributes..", "NumberAttributeConstraints": "Specifies the constraints for an attribute of the number type.", "Required": "Specifies whether a user pool attribute is required. If the attribute is required and the user doesn't provide a value, registration or sign-in will fail.", "StringAttributeConstraints": "Specifies the constraints for an attribute of the string type." 
@@ -5869,7 +6561,7 @@ "AttributesRequireVerificationBeforeUpdate": "Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn\u2019t change the value of the attribute until your user responds to the verification message and confirms the new value.\n\nYou can verify an updated email address or phone number with a [VerifyUserAttribute](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html) API request. You can also call the [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) API and set `email_verified` or `phone_number_verified` to true.\n\nWhen `AttributesRequireVerificationBeforeUpdate` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where `AttributesRequireVerificationBeforeUpdate` is false, API operations that change attribute values can immediately update a user\u2019s `email` or `phone_number` attribute." }, "AWS::Cognito::UserPool UserPoolAddOns": { - "AdvancedSecurityMode": "The advanced security mode." + "AdvancedSecurityMode": "The operating mode of advanced security features in your user pool." }, "AWS::Cognito::UserPool UsernameConfiguration": { "CaseSensitive": "Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs. For most use cases, set case sensitivity to `False` (case insensitive) as a best practice. 
When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name.\n\nValid values include:\n\n- **True** - Enables case sensitivity for all username input. When this option is set to `True` , users must sign in using the exact capitalization of their given username, such as \u201cUserName\u201d. This is the default value.\n- **False** - Enables case insensitivity for all username input. For example, when this option is set to `False` , users can sign in using `username` , `USERNAME` , or `UserName` . This option also enables both `preferred_username` and `email` alias to be case insensitive, in addition to the `username` attribute." 
@@ -5884,8 +6576,8 @@ }, "AWS::Cognito::UserPoolClient": { "AccessTokenValidity": "The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for `AccessTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.\n\nFor example, when you set `AccessTokenValidity` to `10` and `TokenValidityUnits` to `hours` , your user can authorize access with their access token for 10 hours.\n\nThe default time unit for `AccessTokenValidity` in an API request is hours.", - "AllowedOAuthFlows": "The allowed OAuth flows.\n\n- **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.\n- **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.\n- **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.", - "AllowedOAuthFlowsUserPoolClient": "Set to true if the client is allowed to follow the OAuth protocol when interacting with Amazon Cognito user pools.", + "AllowedOAuthFlows": "The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add `client_credentials` as the only allowed OAuth flow.\n\n- **code** - Use a code grant flow, which provides an authorization code as the response. 
This code can be exchanged for access tokens with the `/oauth2/token` endpoint.\n- **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.\n- **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.", + "AllowedOAuthFlowsUserPoolClient": "Set to `true` to use OAuth 2.0 features in your user pool app client.\n\n`AllowedOAuthFlowsUserPoolClient` must be `true` before you can configure the following features in your app client.\n\n- `CallBackURLs` : Callback URLs.\n- `LogoutURLs` : Sign-out redirect URLs.\n- `AllowedOAuthScopes` : OAuth 2.0 scopes.\n- `AllowedOAuthFlows` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants.\n\nTo use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API request. If you don't set a value for `AllowedOAuthFlowsUserPoolClient` in a request with the AWS CLI or SDKs, it defaults to `false` .", "AllowedOAuthScopes": "The allowed OAuth scopes. Possible values provided by OAuth are `phone` , `email` , `openid` , and `profile` . Possible values provided by AWS are `aws.cognito.signin.user.admin` . Custom scopes created in Resource Servers are also supported.", "AnalyticsConfiguration": "The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.\n\n> In AWS Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in AWS Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.", "AuthSessionValidity": "Amazon Cognito creates a session token for each API request in an authentication flow. 
`AuthSessionValidity` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.", 
@@ -5899,12 +6591,12 @@ "IdTokenValidity": "The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for `IdTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.\n\nFor example, when you set `IdTokenValidity` as `10` and `TokenValidityUnits` as `hours` , your user can authenticate their session with their ID token for 10 hours.\n\nThe default time unit for `IdTokenValidity` in an API request is hours.", "LogoutURLs": "A list of allowed logout URLs for the IdPs.", "PreventUserExistenceErrors": "Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY` , those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.", - "ReadAttributes": "The read attributes.", + "ReadAttributes": "The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a [GetUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html) API request to retrieve and display your user's profile data.\n\nWhen you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified` , `phone_number_verified` , and the Standard attributes of your user pool. 
When your user pool has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.", "RefreshTokenValidity": "The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for `RefreshTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.\n\nFor example, when you set `RefreshTokenValidity` as `10` and `TokenValidityUnits` as `days` , your user can refresh their session and retrieve new access and ID tokens for 10 days.\n\nThe default time unit for `RefreshTokenValidity` in an API request is days. You can't set `RefreshTokenValidity` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.", "SupportedIdentityProviders": "A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: `COGNITO` , `Facebook` , `Google` , `SignInWithApple` , and `LoginWithAmazon` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example `MySAMLIdP` or `MyOIDCIdP` .", "TokenValidityUnits": "The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.", "UserPoolId": "The user pool ID for the user pool where you want to create a user pool client.", - "WriteAttributes": "The user pool attributes that the app client can write to.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. 
If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) ." + "WriteAttributes": "The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) API request and sets `family_name` to the new value.\n\nWhen you don't specify the `WriteAttributes` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, `WriteAttributes` doesn't return any information. Amazon Cognito only populates `WriteAttributes` in the API response if you have specified your own custom set of write attributes.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) ." 
}, "AWS::Cognito::UserPoolClient AnalyticsConfiguration": { "ApplicationArn": "The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You can use the Amazon Pinpoint project for integration with the chosen user pool client. Amazon Cognito publishes events to the Amazon Pinpoint project that the app ARN declares.", 
@@ -6005,26 +6697,26 @@ "DesiredDeliveryMediums": "Specify `\"EMAIL\"` if email will be used to send the welcome message. Specify `\"SMS\"` if the phone number will be used. The default value is `\"SMS\"` . You can specify more than one value.", "ForceAliasCreation": "This parameter is used only if the `phone_number_verified` or `email_verified` attribute is set to `True` . Otherwise, it is ignored.\n\nIf this parameter is set to `True` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias.\n\nIf this parameter is set to `False` , the API throws an `AliasExistsException` error if the alias already exists. The default value is `False` .", "MessageAction": "Set to `RESEND` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to `SUPPRESS` to suppress sending the message. You can specify only one value.", - "UserAttributes": "The user attributes and attribute values to be set for the user to be created. These are name-value pairs You can create a user without specifying any attributes other than `Username` . However, any attributes that you specify as required (in [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) or in the *Attributes* tab of the console) must be supplied either by you (in your call to `AdminCreateUser` ) or by the user (when they sign up in response to your welcome message).\n\nFor custom attributes, you must prepend the `custom:` prefix to the attribute name.\n\nTo send a message inviting the user to sign up, you must specify the user's email address or phone number. 
This can be done in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.\n\nIn your call to `AdminCreateUser` , you can set the `email_verified` attribute to `True` , and you can set the `phone_number_verified` attribute to `True` . (You can also do this by calling [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) .)\n\n- *email* : The email address of the user to whom the message that contains the code and user name will be sent. Required if the `email_verified` attribute is set to `True` , or if `\"EMAIL\"` is specified in the `DesiredDeliveryMediums` parameter.\n- *phone_number* : The phone number of the user to whom the message that contains the code and user name will be sent. Required if the `phone_number_verified` attribute is set to `True` , or if `\"SMS\"` is specified in the `DesiredDeliveryMediums` parameter.", + "UserAttributes": "An array of name-value pairs that contain user attributes and attribute values.", "UserPoolId": "The user pool ID for the user pool where the user will be created.", - "Username": "The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username can't be changed.", - "ValidationData": "The user's validation data. This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.\n\nTo configure custom validation, you must create a Pre Sign-up AWS Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.\n\nThe user's validation data isn't persisted." 
+ "Username": "The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter.\n\n- The username can't be a duplicate of another username in the same user pool.\n- You can't change the value of a username after you create it.\n- You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases) .", + "ValidationData": "Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.\n\nYour Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.\n\nFor more information about the pre sign-up Lambda trigger, see [Pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html) ." }, "AWS::Cognito::UserPoolUser AttributeType": { "Name": "The name of the attribute.", "Value": "The value of the attribute." }, "AWS::Cognito::UserPoolUserToGroupAttachment": { - "GroupName": "The group name.", + "GroupName": "The name of the group that you want to add your user to.", "UserPoolId": "The user pool ID for the user pool.", - "Username": "The username for the user." 
+ "Username": "" }, "AWS::Comprehend::DocumentClassifier": { "DataAccessRoleArn": "The Amazon Resource Name (ARN) of the IAM role that grants Amazon Comprehend read access to your input data.", "DocumentClassifierName": "The name of the document classifier.", "InputDataConfig": "Specifies the format and location of the input data for the job.", "LanguageCode": "The language of the input documents. You can specify any of the languages supported by Amazon Comprehend. All documents must be in the same language.", - "Mode": "Indicates the mode in which the classifier will be trained. The classifier can be trained in multi-class mode, which identifies one and only one class for each document, or multi-label mode, which identifies one or more labels for each document. In multi-label mode, multiple labels for an individual document are separated by a delimiter. The default delimiter between labels is a pipe (|).", + "Mode": "Indicates the mode in which the classifier will be trained. The classifier can be trained in multi-class (single-label) mode or multi-label mode. Multi-class mode identifies a single class label for each document and multi-label mode identifies one or more class labels for each document. Multiple labels for an individual document are separated by a delimiter. The default delimiter between labels is a pipe (|).", "ModelKmsKeyId": "ID for the AWS KMS key that Amazon Comprehend uses to encrypt trained custom models. The ModelKmsKeyId can be either of the following formats:\n\n- KMS Key ID: `\"1234abcd-12ab-34cd-56ef-1234567890ab\"`\n- Amazon Resource Name (ARN) of a KMS Key: `\"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\"`", "ModelPolicy": "The resource-based policy to attach to your custom document classifier model. You can use this policy to allow another AWS account to import your custom model.\n\nProvide your policy as a JSON body that you enter as a UTF-8 encoded string without line breaks. 
To provide valid JSON, enclose the attribute names and values in double quotes. If the JSON body is also enclosed in double quotes, then you must escape the double quotes that are inside the policy:\n\n`\"{\\\"attribute\\\": \\\"value\\\", \\\"attribute\\\": [\\\"value\\\"]}\"`\n\nTo avoid escaping quotes, you can use single quotes to enclose the policy and double quotes to enclose the JSON names and values:\n\n`'{\"attribute\": \"value\", \"attribute\": [\"value\"]}'`", "OutputDataConfig": "Provides output results configuration parameters for custom classifier jobs.", 
@@ -6059,7 +6751,11 @@ "AWS::Comprehend::DocumentClassifier DocumentReaderConfig": { "DocumentReadAction": "This field defines the Amazon Textract API operation that Amazon Comprehend uses to extract text from PDF files and image files. Enter one of the following values:\n\n- `TEXTRACT_DETECT_DOCUMENT_TEXT` - The Amazon Comprehend service uses the `DetectDocumentText` API operation.\n- `TEXTRACT_ANALYZE_DOCUMENT` - The Amazon Comprehend service uses the `AnalyzeDocument` API operation.", "DocumentReadMode": "Determines the text extraction actions for PDF files. Enter one of the following values:\n\n- `SERVICE_DEFAULT` - use the Amazon Comprehend service defaults for PDF files.\n- `FORCE_DOCUMENT_READ_ACTION` - Amazon Comprehend uses the Textract API specified by DocumentReadAction for all PDF files, including digital PDF files.", - "FeatureTypes": "Specifies the type of Amazon Textract features to apply. If you chose `TEXTRACT_ANALYZE_DOCUMENT` as the read action, you must specify one or both of the following values:\n\n- `TABLES` - Returns information about any tables that are detected in the input document.\n- `FORMS` - Returns information and the data from any forms that are detected in the input document." + "FeatureTypes": "Specifies the type of Amazon Textract features to apply. If you chose `TEXTRACT_ANALYZE_DOCUMENT` as the read action, you must specify one or both of the following values:\n\n- `TABLES` - Returns additional information about any tables that are detected in the input document.\n- `FORMS` - Returns additional information about any forms that are detected in the input document." + }, + "AWS::Comprehend::DocumentClassifier Tag": { + "Key": "The initial part of a key-value pair that forms a tag associated with a given resource. 
For instance, if you want to show which resources are used by which departments, you might use \u201cDepartment\u201d as the key portion of the pair, with multiple possible values such as \u201csales,\u201d \u201clegal,\u201d and \u201cadministration.\u201d", + "Value": "The second part of a key-value pair that forms a tag associated with a given resource. For instance, if you want to show which resources are used by which departments, you might use \u201cDepartment\u201d as the initial (key) portion of the pair, with a value of \u201csales\u201d to indicate the sales department." }, "AWS::Comprehend::DocumentClassifier VpcConfig": { "SecurityGroupIds": "The ID number for a security group on an instance of your private VPC. Security groups on your VPC function serve as a virtual firewall to control inbound and outbound traffic and provides security for the resources that you\u2019ll be accessing on the VPC. This ID number is preceded by \"sg-\", for instance: \"sg-03b388029b0a285ea\". For more information, see [Security Groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) .", 
@@ -6089,7 +6785,11 @@ "EntityTypes": "Up to 25 entity types that the model is trained to recognize." }, "AWS::Comprehend::Flywheel EntityTypesListItem": { - "Type": "An entity type within a labeled training dataset that Amazon Comprehend uses to train a custom entity recognizer.\n\nEntity types must not contain the following invalid characters: \\n (line break), \\\\n (escaped line break, \\r (carriage return), \\\\r (escaped carriage return), \\t (tab), \\\\t (escaped tab), space, and , (comma)." + "Type": "An entity type within a labeled training dataset that Amazon Comprehend uses to train a custom entity recognizer.\n\nEntity types must not contain the following invalid characters: \\n (line break), \\\\n (escaped line break, \\r (carriage return), \\\\r (escaped carriage return), \\t (tab), \\\\t (escaped tab), and , (comma)." + }, + "AWS::Comprehend::Flywheel Tag": { + "Key": "The initial part of a key-value pair that forms a tag associated with a given resource. For instance, if you want to show which resources are used by which departments, you might use \u201cDepartment\u201d as the key portion of the pair, with multiple possible values such as \u201csales,\u201d \u201clegal,\u201d and \u201cadministration.\u201d", + "Value": "The second part of a key-value pair that forms a tag associated with a given resource. For instance, if you want to show which resources are used by which departments, you might use \u201cDepartment\u201d as the initial (key) portion of the pair, with a value of \u201csales\u201d to indicate the sales department." }, "AWS::Comprehend::Flywheel TaskConfig": { "DocumentClassificationConfig": "Configuration required for a document classification model.", 
@@ -6105,19 +6805,31 @@ "AuthorizedAwsRegion": "The region authorized to collect aggregated data.", "Tags": "An array of tag object." }, + "AWS::Config::AggregationAuthorization Tag": { + "Key": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key)." + }, "AWS::Config::ConfigRule": { + "Compliance": "Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.", "ConfigRuleName": "A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .", "Description": "The description that you provide for the AWS Config rule.", + "EvaluationModes": "The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.", "InputParameters": "A string, in JSON format, that is passed to the AWS Config rule Lambda function.", "MaximumExecutionFrequency": "The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for `MaximumExecutionFrequency` when:\n\n- You are using an AWS managed rule that is triggered at a periodic frequency.\n- Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html) .\n\n> By default, rules with a periodic trigger are evaluated every 24 hours. 
To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter.", "Scope": "Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.\n\n> The scope can be empty.", "Source": "Provides the rule owner ( `AWS` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources." }, + "AWS::Config::ConfigRule Compliance": { + "Type": "Indicates whether an AWS resource or AWS Config rule is compliant.\n\nA resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.\n\nA rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.\n\nAWS Config returns the `INSUFFICIENT_DATA` value when no evaluation results are available for the AWS resource or AWS Config rule.\n\nFor the `Compliance` data type, AWS Config supports only `COMPLIANT` , `NON_COMPLIANT` , and `INSUFFICIENT_DATA` values. AWS Config does not support the `NOT_APPLICABLE` value for the `Compliance` data type." + }, "AWS::Config::ConfigRule CustomPolicyDetails": { "EnableDebugLogDelivery": "The boolean expression for enabling debug logging for your AWS Config Custom Policy rule. The default value is `false` .", "PolicyRuntime": "The runtime system for your AWS Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. 
For more information about Guard, see the [Guard GitHub Repository](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard) .", "PolicyText": "The policy definition containing the logic for your AWS Config Custom Policy rule." }, + "AWS::Config::ConfigRule EvaluationModeConfiguration": { + "Mode": "The mode of an evaluation. The valid values are Detective or Proactive." + }, "AWS::Config::ConfigRule Scope": { "ComplianceResourceId": "The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for `ComplianceResourceTypes` .", "ComplianceResourceTypes": "The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for `ComplianceResourceId` .", 
@@ -6151,15 +6863,37 @@ "AwsRegions": "The source regions being aggregated.", "RoleArn": "ARN of the IAM role used to retrieve AWS Organizations details associated with the aggregator account." }, + "AWS::Config::ConfigurationAggregator Tag": { + "Key": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key)." + }, "AWS::Config::ConfigurationRecorder": { - "Name": "A name for the configuration recorder. If you don't specify a name, AWS CloudFormation CloudFormation generates a unique physical ID and uses that ID for the configuration recorder name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> After you create a configuration recorder, you cannot rename it. If you don't want a name that AWS CloudFormation generates, specify a value for this property. \n\nUpdates are not supported.", - "RecordingGroup": "Indicates whether to record configurations for all supported resources or for a list of resource types. The resource types that you list must be supported by AWS Config .", - "RoleARN": "The Amazon Resource Name (ARN) of the IAM (IAM) role that is used to make read or write requests to the delivery channel that you specify and to get configuration details for supported AWS resources. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide." + "Name": "The name of the configuration recorder. AWS Config automatically assigns the name of \"default\" when creating the configuration recorder.\n\nYou cannot change the name of the configuration recorder after it has been created. 
To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.", + "RecordingGroup": "Specifies which resource types AWS Config records for configuration changes.\n\n> *High Number of AWS Config Evaluations*\n> \n> You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.\n> \n> If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud ( Amazon EC2 ) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling . If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.", + "RecordingMode": "Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports *Continuous recording* and *Daily recording* .\n\n- Continuous recording allows you to record configuration changes continuously whenever a change occurs.\n- Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it\u2019s different from the previous CI recorded.\n\n> AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous. 
\n\nYou can also override the recording frequency for specific resource types.", + "RoleARN": "Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.\n\n> *Pre-existing AWS Config role*\n> \n> If you have used an AWS service that uses AWS Config , such as AWS Security Hub or AWS Control Tower , and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected.\n> \n> For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service ( Amazon S3 ) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config . Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config , see [*Identity and Access Management for AWS Config*](https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html) in the *AWS Config Developer Guide* ." + }, + "AWS::Config::ConfigurationRecorder ExclusionByResourceTypes": { + "ResourceTypes": "A comma-separated list of resource types to exclude from recording by the configuration recorder." 
}, "AWS::Config::ConfigurationRecorder RecordingGroup": { - "AllSupported": "Specifies whether AWS Config records configuration changes for all supported regional resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new type of regional resource, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .", - "IncludeGlobalResourceTypes": "Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.\n\nBefore you can set this option to `true` , you must set the `AllSupported` option to `true` .\n\nIf you set this option to `true` , when AWS Config adds support for a new type of global resource, it starts recording resources of that type automatically.\n\nThe configuration details for any global resource are the same in all regions. 
To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.", - "ResourceTypes": "A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail` ).\n\nTo record all configuration changes, you must set the `AllSupported` option to `false` .\n\nIf you set the `AllSupported` option to false and populate the `ResourceTypes` option with values, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.\n\nFor a list of valid `resourceTypes` values, see the *resourceType Value* column in [Supported AWS Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) ." + "AllSupported": "Specifies whether AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new resource type, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Region availability*\n> \n> Check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if a resource type is supported in the AWS Region where you set up AWS Config .", + "ExclusionByResourceTypes": "An object that specifies how AWS Config excludes resource types from being recorded 
by the configuration recorder.\n\nTo use this option, you must set the `useOnly` field of [AWS::Config::ConfigurationRecorder RecordingStrategy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .", + "IncludeGlobalResourceTypes": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `includeGlobalResourceTypes` is not set to `true` . The `includeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . 
> Before you set this field to `true` , set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `includeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `resourceTypes` field in addition to setting the `includeGlobalResourceTypes` field to false.", + "RecordingStrategy": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . 
When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . 
> *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. 
This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "ResourceTypes": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `resourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `allSupported` field to `false` and specify values for `resourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config ." 
+ }, + "AWS::Config::ConfigurationRecorder RecordingMode": { + "RecordingFrequency": "The default recording frequency that AWS Config uses to record configuration changes.\n\n> Daily recording is not supported for the following resource types:\n> \n> - `AWS::Config::ResourceCompliance`\n> - `AWS::Config::ConformancePackCompliance`\n> - `AWS::Config::ConfigurationRecorder`\n> \n> For the *allSupported* ( `ALL_SUPPORTED_RESOURCE_TYPES` ) recording strategy, these resource types will be set to Continuous recording.", + "RecordingModeOverrides": "An array of `recordingModeOverride` objects for you to specify your overrides for the recording mode. The `recordingModeOverride` object in the `recordingModeOverrides` array consists of three fields: a `description` , the new `recordingFrequency` , and an array of `resourceTypes` to override." + }, + "AWS::Config::ConfigurationRecorder RecordingModeOverride": { + "Description": "A description that you provide for the override.", + "RecordingFrequency": "The recording frequency that will be applied to all the resource types specified in the override.\n\n- Continuous recording allows you to record configuration changes continuously whenever a change occurs.\n- Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it\u2019s different from the previous CI recorded.\n\n> AWS Firewall Manager depends on continuous recording to monitor your resources. 
If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.", + "ResourceTypes": "A comma-separated list that specifies which resource types AWS Config includes in the override.\n\n> Daily recording is not supported for the following resource types:\n> \n> - `AWS::Config::ResourceCompliance`\n> - `AWS::Config::ConformancePackCompliance`\n> - `AWS::Config::ConfigurationRecorder`" + }, + "AWS::Config::ConfigurationRecorder RecordingStrategy": { + "UseOnly": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. 
For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . 
> *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)" }, "AWS::Config::ConformancePack": { "ConformancePackInputParameters": "A list of ConformancePackInputParameter objects.", 
@@ -6168,7 +6902,7 @@
 "DeliveryS3KeyPrefix": "The prefix for the Amazon S3 bucket.",
 "TemplateBody": "A string containing full conformance pack template body. Structure containing the template body with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\n> You can only use a YAML template with two resource types: config rule ( `AWS::Config::ConfigRule` ) and a remediation action ( `AWS::Config::RemediationConfiguration` ).",
 "TemplateS3Uri": "Location of file containing the template body (s3://bucketname/prefix). The uri must point to the conformance pack template (max size: 300 KB) that is located in an Amazon S3 bucket.\n\n> You must have access to read Amazon S3 bucket.",
- "TemplateSSMDocumentDetails": ""
+ "TemplateSSMDocumentDetails": "An object that contains the name or Amazon Resource Name (ARN) of the AWS Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack."
 },
 "AWS::Config::ConformancePack ConformancePackInputParameter": {
 "ParameterName": "One part of a key-value pair.",
@@ -6192,22 +6926,22 @@ "AWS::Config::OrganizationConfigRule": { "ExcludedAccounts": "A comma-separated list of accounts excluded from organization AWS Config rule.", "OrganizationConfigRuleName": "The name that you assign to organization AWS Config rule.", - "OrganizationCustomPolicyRuleMetadata": "", + "OrganizationCustomPolicyRuleMetadata": "An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.", "OrganizationCustomRuleMetadata": "An `OrganizationCustomRuleMetadata` object.", "OrganizationManagedRuleMetadata": "An `OrganizationManagedRuleMetadata` object." }, "AWS::Config::OrganizationConfigRule OrganizationCustomPolicyRuleMetadata": { - "DebugLogDeliveryAccounts": "", - "Description": "", - "InputParameters": "", - "MaximumExecutionFrequency": "", - "OrganizationConfigRuleTriggerTypes": "", - "PolicyText": "", - "ResourceIdScope": "", - "ResourceTypesScope": "", - "Runtime": "", - "TagKeyScope": "", - "TagValueScope": "" + "DebugLogDeliveryAccounts": "A list of accounts that you can enable debug logging for your organization AWS Config Custom Policy rule. List is null when debug logging is enabled for all accounts.", + "Description": "The description that you provide for your organization AWS Config Custom Policy rule.", + "InputParameters": "A string, in JSON format, that is passed to your organization AWS Config Custom Policy rule.", + "MaximumExecutionFrequency": "The maximum frequency with which AWS Config runs evaluations for a rule. Your AWS Config Custom Policy rule is triggered when AWS Config delivers the configuration snapshot. 
For more information, see `ConfigSnapshotDeliveryProperties` .", + "OrganizationConfigRuleTriggerTypes": "The type of notification that initiates AWS Config to run an evaluation for a rule. For AWS Config Custom Policy rules, AWS Config supports change-initiated notification types:\n\n- `ConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers a configuration item as a result of a resource change.\n- `OversizedConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.", + "PolicyText": "The policy definition containing the logic for your organization AWS Config Custom Policy rule.", + "ResourceIdScope": "The ID of the AWS resource that was evaluated.", + "ResourceTypesScope": "The type of the AWS resource that was evaluated.", + "Runtime": "The runtime system for your organization AWS Config Custom Policy rules. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard) .", + "TagKeyScope": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", + "TagValueScope": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key)." }, "AWS::Config::OrganizationConfigRule OrganizationCustomRuleMetadata": { "Description": "The description that you provide for your organization AWS Config rule.", 
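Review bot: The link in the added `Runtime` description points to `https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard`, which has the docs host prefixed onto an already absolute GitHub URL and will not resolve. The target should read `https://github.com/aws-cloudformation/cloudformation-guard`. This looks like relative-link rewriting applied to an absolute URL, so if this file is produced by a script the fix probably belongs in that script's link handling rather than in this one string. The `AWS::ControlTower::EnabledControl` hunk further down shows a similar join artefact in `https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html` (double slash after the host), which is worth normalising at the same time.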
@@ -6250,7 +6984,7 @@ "MaximumAutomaticAttempts": "The maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.\n\nFor example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptSeconds as 50 seconds, AWS Config will put a RemediationException on your behalf for the failing resource after the 5th failed attempt within 50 seconds.", "Parameters": "An object of the RemediationParameterValue. For more information, see [RemediationParameterValue](https://docs.aws.amazon.com/config/latest/APIReference/API_RemediationParameterValue.html) .\n\n> The type is a map of strings to RemediationParameterValue.", "ResourceType": "The type of a resource.", - "RetryAttemptSeconds": "Maximum time in seconds that AWS Config runs auto-remediation. If you do not select a number, the default is 60 seconds.\n\nFor example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, AWS Config will run auto-remediations 5 times within 50 seconds before throwing an exception.", + "RetryAttemptSeconds": "Time window to determine whether or not to add a remediation exception to prevent infinite remediation attempts. If `MaximumAutomaticAttempts` remediation attempts have been made under `RetryAttemptSeconds` , a remediation exception will be added to the resource. If you do not select a number, the default is 60 seconds.\n\nFor example, if you specify `RetryAttemptSeconds` as 50 seconds and `MaximumAutomaticAttempts` as 5, AWS Config will run auto-remediations 5 times within 50 seconds before adding a remediation exception to the resource.", "TargetId": "Target ID is the name of the SSM document.", "TargetType": "The type of the target. Target executes remediation. For example, SSM document.", "TargetVersion": "Version of the target. 
For example, version of the SSM document.\n\n> If you make backward incompatible changes to the SSM document, you must call PutRemediationConfiguration API again to ensure the remediations can run." 
@@ -6262,22 +6996,20 @@ "ResourceValue": "The value is dynamic and changes at run-time.", "StaticValue": "The value is static and does not change at run-time." }, - "AWS::Config::RemediationConfiguration ResourceValue": { - "Value": "The value is a resource ID." - }, "AWS::Config::RemediationConfiguration SsmControls": { "ConcurrentExecutionRatePercentage": "The maximum percentage of remediation actions allowed to run in parallel on the non-compliant resources for that specific rule. You can specify a percentage, such as 10%. The default value is 10.", "ErrorPercentage": "The percentage of errors that are allowed before SSM stops running automations on non-compliant resources for that specific rule. You can specify a percentage of errors, for example 10%. If you do not specifiy a percentage, the default is 50%. For example, if you set the ErrorPercentage to 40% for 10 non-compliant resources, then SSM stops running the automations when the fifth error is received." }, - "AWS::Config::RemediationConfiguration StaticValue": { - "Values": "A list of values. For example, the ARN of the assumed role." - }, "AWS::Config::StoredQuery": { "QueryDescription": "A unique description for the query.", "QueryExpression": "The expression of the query. For example, `SELECT resourceId, resourceType, supplementaryConfiguration.BucketVersioningConfiguration.status WHERE resourceType = 'AWS::S3::Bucket' AND supplementaryConfiguration.BucketVersioningConfiguration.status = 'Off'.`", "QueryName": "The name of the query.", "Tags": "An array of key-value pairs to apply to this resource." }, + "AWS::Config::StoredQuery Tag": { + "Key": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key)." 
+ }, "AWS::Connect::ApprovedOrigin": { "InstanceId": "The Amazon Resource Name (ARN) of the instance.\n\n*Minimum* : `1`\n\n*Maximum* : `100`", "Origin": "Domain name to be added to the allow-list of the instance.\n\n*Maximum* : `267`" @@ -6291,6 +7023,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "Type": "The type of the flow. For descriptions of the available types, see [Choose a flow type](https://docs.aws.amazon.com/connect/latest/adminguide/create-contact-flow.html#contact-flow-types) in the *Amazon Connect Administrator Guide* ." }, + "AWS::Connect::ContactFlow Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::ContactFlowModule": { "Content": "The content of the flow module.", "Description": "The description of the flow module.", @@ -6299,6 +7035,10 @@ "State": "The state of the flow module.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Connect::ContactFlowModule Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::EvaluationForm": { "Description": "The description of the evaluation form.\n\n*Length Constraints* : Minimum length of 0. Maximum length of 1024.", "InstanceArn": "The identifier of the Amazon Connect instance.", 
@@ -6369,7 +7109,7 @@
 "Options": "The answer options of the single select question.\n\n*Minimum* : 2\n\n*Maximum* : 256"
 },
 "AWS::Connect::EvaluationForm NumericQuestionPropertyValueAutomation": {
- "Label": "The property label of the automation.\n\n*Allowed values* : `OVERALL_CUSTOMER_SENTIMENT_SCORE` , `OVERALL_AGENT_SENTIMENT_SCORE` | `NON_TALK_TIME` | `NON_TALK_TIME_PERCENTAGE` | `NUMBER_OF_INTERRUPTIONS` | `CONTACT_DURATION` | `AGENT_INTERACTION_DURATION` | `CUSTOMER_HOLD_TIME`"
+ "Label": "The property label of the automation."
 },
 "AWS::Connect::EvaluationForm ScoringStrategy": {
 "Mode": "The scoring mode of the evaluation form.\n\n*Allowed values* : `QUESTION_ONLY` | `SECTION_ONLY`",
@@ -6380,12 +7120,16 @@
 "Condition": "The condition to apply for the automation option. If the condition is PRESENT, then the option is applied when the contact data includes the category. Similarly, if the condition is NOT_PRESENT, then the option is applied when the contact data does not include the category.\n\n*Allowed values* : `PRESENT` | `NOT_PRESENT`\n\n*Maximum* : 50",
 "OptionRefId": "The identifier of the answer option. An identifier must be unique within the question.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 40."
 },
+ "AWS::Connect::EvaluationForm Tag": {
+ "Key": "",
+ "Value": ""
+ },
 "AWS::Connect::HoursOfOperation": {
 "Config": "Configuration information for the hours of operation.",
 "Description": "The description for the hours of operation.",
 "InstanceArn": "The Amazon Resource Name (ARN) of the instance.",
 "Name": "The name for the hours of operation.",
- "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.",
+ "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.",
 "TimeZone": "The time zone for the hours of operation."
 },
 "AWS::Connect::HoursOfOperation HoursOfOperationConfig": {
@@ -6397,11 +7141,16 @@ "Hours": "The hours.", "Minutes": "The minutes." }, + "AWS::Connect::HoursOfOperation Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::Instance": { "Attributes": "A toggle for an individual feature at the instance level.", "DirectoryId": "The identifier for the directory.", "IdentityManagementType": "The identity management type.", - "InstanceAlias": "The alias of instance. `InstanceAlias` is only required when `IdentityManagementType` is `CONNECT_MANAGED` or `SAML` . `InstanceAlias` is not required when `IdentityManagementType` is `EXISTING_DIRECTORY` ." + "InstanceAlias": "The alias of instance. `InstanceAlias` is only required when `IdentityManagementType` is `CONNECT_MANAGED` or `SAML` . `InstanceAlias` is not required when `IdentityManagementType` is `EXISTING_DIRECTORY` .", + "Tags": "The tags of an instance." }, "AWS::Connect::Instance Attributes": { "AutoResolveBestVoices": "", @@ -6412,6 +7161,10 @@ "OutboundCalls": "", "UseCustomTTSVoices": "" }, + "AWS::Connect::Instance Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::InstanceStorageConfig": { "InstanceArn": "The Amazon Resource Name (ARN) of the instance.", "KinesisFirehoseConfig": "The configuration of the Kinesis Firehose delivery stream.", 
@@ -6451,9 +7204,13 @@ "Description": "The description of the phone number.", "Prefix": "The prefix of the phone number. If provided, it must contain `+` as part of the country code.\n\n*Pattern* : `^\\\\+[0-9]{1,15}`", "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", - "TargetArn": "The Amazon Resource Name (ARN) of Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", + "TargetArn": "The Amazon Resource Name (ARN) for Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", "Type": "The type of phone number." }, + "AWS::Connect::PhoneNumber Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::Prompt": { "Description": "The description of the prompt.", "InstanceArn": "The identifier of the Amazon Connect instance.", 
@@ -6461,12 +7218,36 @@ "S3Uri": "The URI for the S3 bucket where the prompt is stored. This property is required when you create a prompt.", "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." }, + "AWS::Connect::Prompt Tag": { + "Key": "", + "Value": "" + }, + "AWS::Connect::Queue": { + "Description": "The description of the queue.", + "HoursOfOperationArn": "The Amazon Resource Name (ARN) of the hours of operation.", + "InstanceArn": "The identifier of the Amazon Connect instance.", + "MaxContacts": "The maximum number of contacts that can be in the queue before it is considered full.", + "Name": "The name of the queue.", + "OutboundCallerConfig": "The outbound caller ID name, number, and outbound whisper flow.", + "QuickConnectArns": "The Amazon Resource Names (ARN) of the of the quick connects available to agents who are working the queue.", + "Status": "The status of the queue.", + "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." + }, + "AWS::Connect::Queue OutboundCallerConfig": { + "OutboundCallerIdName": "The caller ID name.", + "OutboundCallerIdNumberArn": "The Amazon Resource Name (ARN) of the outbound caller ID number.\n\n> Only use the phone number ARN format that doesn't contain `instance` in the path, for example, `arn:aws:connect:us-east-1:1234567890:phone-number/uuid` . This is the same ARN format that is returned when you create a phone number using CloudFormation , or when you call the [ListPhoneNumbersV2](https://docs.aws.amazon.com/connect/latest/APIReference/API_ListPhoneNumbersV2.html) API.", + "OutboundFlowArn": "The Amazon Resource Name (ARN) of the outbound flow." 
+ }, + "AWS::Connect::Queue Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::QuickConnect": { "Description": "The description of the quick connect.", "InstanceArn": "The Amazon Resource Name (ARN) of the instance.", "Name": "The name of the quick connect.", "QuickConnectConfig": "Contains information about the quick connect.", - "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." + "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." }, "AWS::Connect::QuickConnect PhoneNumberQuickConnectConfig": { "PhoneNumber": "The phone number in E.164 format." 
@@ -6481,10 +7262,45 @@ "QuickConnectType": "The type of quick connect. In the Amazon Connect console, when you create a quick connect, you are prompted to assign one of the following types: Agent (USER), External (PHONE_NUMBER), or Queue (QUEUE).", "UserConfig": "The user configuration. This is required only if QuickConnectType is USER." }, + "AWS::Connect::QuickConnect Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::QuickConnect UserQuickConnectConfig": { "ContactFlowArn": "The Amazon Resource Name (ARN) of the flow.", "UserArn": "The Amazon Resource Name (ARN) of the user." }, + "AWS::Connect::RoutingProfile": { + "AgentAvailabilityTimer": "Whether agents with this routing profile will have their routing order calculated based on *time since their last inbound contact* or *longest idle time* .", + "DefaultOutboundQueueArn": "The Amazon Resource Name (ARN) of the default outbound queue for the routing profile.", + "Description": "The description of the routing profile.", + "InstanceArn": "The identifier of the Amazon Connect instance.", + "MediaConcurrencies": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "Name": "The name of the routing profile.", + "QueueConfigs": "The inbound queues associated with the routing profile. If no queue is added, the agent can make only outbound calls.", + "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." + }, + "AWS::Connect::RoutingProfile CrossChannelBehavior": { + "BehaviorType": "Specifies the other channels that can be routed to an agent handling their current channel." + }, + "AWS::Connect::RoutingProfile MediaConcurrency": { + "Channel": "The channels that agents can handle in the Contact Control Panel (CCP).", + "Concurrency": "The number of contacts an agent can have on a channel simultaneously.\n\nValid Range for `VOICE` : Minimum value of 1. 
Maximum value of 1.\n\nValid Range for `CHAT` : Minimum value of 1. Maximum value of 10.\n\nValid Range for `TASK` : Minimum value of 1. Maximum value of 10.", + "CrossChannelBehavior": "Defines the cross-channel routing behavior for each channel that is enabled for this Routing Profile. For example, this allows you to offer an agent a different contact from another channel when they are currently working with a contact from a Voice channel." + }, + "AWS::Connect::RoutingProfile RoutingProfileQueueConfig": { + "Delay": "The delay, in seconds, a contact should be in the queue before they are routed to an available agent. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) in the *Amazon Connect Administrator Guide* .", + "Priority": "The order in which contacts are to be handled for the queue. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) .", + "QueueReference": "Contains information about a queue resource." + }, + "AWS::Connect::RoutingProfile RoutingProfileQueueReference": { + "Channel": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "QueueArn": "The Amazon Resource Name (ARN) of the queue." + }, + "AWS::Connect::RoutingProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::Rule": { "Actions": "A list of actions to be run when the rule is triggered.", "Function": "The conditions of the rule.", 
@@ -6512,7 +7328,7 @@
 "Value": "A valid value for the reference. For example, for a URL reference, a formatted URL that is displayed to an agent in the Contact Control Panel (CCP)."
 },
 "AWS::Connect::Rule RuleTriggerEventSource": {
- "EventSourceName": "The name of the event source.\n\n*Allowed values* : `OnPostCallAnalysisAvailable` | `OnRealTimeCallAnalysisAvailable` | `OnPostChatAnalysisAvailable` | `OnZendeskTicketCreate` | `OnZendeskTicketStatusUpdate` | `OnSalesforceCaseCreate`",
+ "EventSourceName": "The name of the event source.",
 "IntegrationAssociationArn": "The Amazon Resource Name (ARN) of the integration association. `IntegrationAssociationArn` is required if `TriggerEventSource` is one of the following values: `OnZendeskTicketCreate` | `OnZendeskTicketStatusUpdate` | `OnSalesforceCaseCreate`"
 },
 "AWS::Connect::Rule SendNotificationAction": {
@@ -6522,6 +7338,10 @@
 "Recipient": "Notification recipient.",
 "Subject": "The subject of the email if the delivery method is `EMAIL` . Supports variable injection. For more information, see [JSONPath reference](https://docs.aws.amazon.com/connect/latest/adminguide/contact-lens-variable-injection.html) in the *Amazon Connect Administrators Guide* ."
 },
+ "AWS::Connect::Rule Tag": {
+ "Key": "",
+ "Value": ""
+ },
 "AWS::Connect::Rule TaskAction": {
 "ContactFlowArn": "The Amazon Resource Name (ARN) of the flow.",
 "Description": "The description. Supports variable injection. For more information, see [JSONPath reference](https://docs.aws.amazon.com/connect/latest/adminguide/contact-lens-variable-injection.html) in the *Amazon Connect Administrators Guide* .",
@@ -6532,6 +7352,19 @@ "InstanceId": "The Amazon Resource Name (ARN) of the instance.\n\n*Minimum* : `1`\n\n*Maximum* : `100`", "Key": "A valid security key in PEM format. For example:\n\n`\"-----BEGIN PUBLIC KEY-----\\ [a lot of characters] ----END PUBLIC KEY-----\"`\n\n*Minimum* : `1`\n\n*Maximum* : `1024`" }, + "AWS::Connect::SecurityProfile": { + "AllowedAccessControlTags": "The list of tags that a security profile uses to restrict access to resources in Amazon Connect.", + "Description": "The description of the security profile.", + "InstanceArn": "The identifier of the Amazon Connect instance.", + "Permissions": "Permissions assigned to the security profile. For a list of valid permissions, see [List of security profile permissions](https://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) .", + "SecurityProfileName": "The name for the security profile.", + "TagRestrictedResources": "The list of resources that a security profile applies tag restrictions to in Amazon Connect.", + "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." + }, + "AWS::Connect::SecurityProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::TaskTemplate": { "ClientToken": "A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.", "Constraints": "Constraints that are applicable to the fields listed.\n\nThe values can be represented in either JSON or YAML format. For an example of the JSON configuration, see *Examples* at the bottom of this page.", 
@@ -6571,6 +7404,20 @@ "AWS::Connect::TaskTemplate RequiredFieldInfo": { "Id": "The unique identifier for the field." }, + "AWS::Connect::TaskTemplate Tag": { + "Key": "", + "Value": "" + }, + "AWS::Connect::TrafficDistributionGroup": { + "Description": "The description of the traffic distribution group.", + "InstanceArn": "The Amazon Resource Name (ARN).", + "Name": "The name of the traffic distribution group.", + "Tags": "The tags used to organize, track, or control access for this resource. For example, {\"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." + }, + "AWS::Connect::TrafficDistributionGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::User": { "DirectoryUserId": "The identifier of the user account in the directory used for identity management.", "HierarchyGroupArn": "The Amazon Resource Name (ARN) of the user's hierarchy group.", @@ -6583,6 +7430,10 @@ "Tags": "The tags.", "Username": "The user name assigned to the user account." }, + "AWS::Connect::User Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::User UserIdentityInfo": { "Email": "The email address. If you are using SAML for identity management and include this parameter, an error is returned.", "FirstName": "The first name. This is required if you are using Amazon Connect or SAML for identity management.", 
@@ -6599,7 +7450,29 @@ "AWS::Connect::UserHierarchyGroup": { "InstanceArn": "The Amazon Resource Name (ARN) of the user hierarchy group.", "Name": "The name of the user hierarchy group.", - "ParentGroupArn": "The Amazon Resource Name (ARN) of the parent group." + "ParentGroupArn": "The Amazon Resource Name (ARN) of the parent group.", + "Tags": "" + }, + "AWS::Connect::UserHierarchyGroup Tag": { + "Key": "", + "Value": "" + }, + "AWS::Connect::View": { + "Actions": "A list of actions possible from the view.", + "Description": "The description of the view.", + "InstanceArn": "The Amazon Resource Name (ARN) of the instance.", + "Name": "The name of the view.", + "Tags": "The tags associated with the view resource (not specific to view version).", + "Template": "The view template representing the structure of the view." + }, + "AWS::Connect::View Tag": { + "Key": "", + "Value": "" + }, + "AWS::Connect::ViewVersion": { + "VersionDescription": "The description of the view version.", + "ViewArn": "The unqualified Amazon Resource Name (ARN) of the view.\n\nFor example:\n\n`arn::connect:::instance/00000000-0000-0000-0000-000000000000/view/00000000-0000-0000-0000-000000000000`", + "ViewContentSha256": "Indicates the checksum value of the latest published view content." }, "AWS::ConnectCampaigns::Campaign": { "ConnectInstanceArn": "The Amazon Resource Name (ARN) of the Amazon Connect instance.", 
@@ -6608,28 +7481,52 @@ "OutboundCallConfig": "Contains information about the outbound call configuration.", "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." }, + "AWS::ConnectCampaigns::Campaign AgentlessDialerConfig": { + "DialingCapacity": "The allocation of dialing capacity between multiple active campaigns." + }, "AWS::ConnectCampaigns::Campaign AnswerMachineDetectionConfig": { - "EnableAnswerMachineDetection": "" + "EnableAnswerMachineDetection": "Whether answering machine detection is enabled." }, "AWS::ConnectCampaigns::Campaign DialerConfig": { + "AgentlessDialerConfig": "The configuration of the agentless dialer.", "PredictiveDialerConfig": "The configuration of the predictive dialer.", "ProgressiveDialerConfig": "The configuration of the progressive dialer." }, "AWS::ConnectCampaigns::Campaign OutboundCallConfig": { - "AnswerMachineDetectionConfig": "", + "AnswerMachineDetectionConfig": "Whether answering machine detection has been enabled.", "ConnectContactFlowArn": "The Amazon Resource Name (ARN) of the flow.", "ConnectQueueArn": "The Amazon Resource Name (ARN) of the queue.", "ConnectSourcePhoneNumber": "The phone number associated with the outbound call. This is the caller ID that is displayed to customers when an agent calls them." }, "AWS::ConnectCampaigns::Campaign PredictiveDialerConfig": { - "BandwidthAllocation": "Bandwidth allocation for the predictive dialer." + "BandwidthAllocation": "Bandwidth allocation for the predictive dialer.", + "DialingCapacity": "The allocation of dialing capacity between multiple active campaigns." }, "AWS::ConnectCampaigns::Campaign ProgressiveDialerConfig": { - "BandwidthAllocation": "Bandwidth allocation for the progressive dialer." + "BandwidthAllocation": "Bandwidth allocation for the progressive dialer.", + "DialingCapacity": "The allocation of dialing capacity between multiple active campaigns." 
+ }, + "AWS::ConnectCampaigns::Campaign Tag": { + "Key": "", + "Value": "" }, "AWS::ControlTower::EnabledControl": { - "ControlIdentifier": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *Region deny* guardrail.", - "TargetIdentifier": "The ARN of the organizational unit." + "ControlIdentifier": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *landing zone Region deny* control. For information on how to find the `controlIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", + "Parameters": "Array of `EnabledControlParameter` objects.", + "TargetIdentifier": "The ARN of the organizational unit. For information on how to find the `targetIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) ." + }, + "AWS::ControlTower::EnabledControl EnabledControlParameter": { + "Key": "The key of a key/value pair. It is of type `string` .", + "Value": "The value of a key/value pair. It can be of type `array` , `string` , `number` , `object` , or `boolean` . [Note: The *Type* field that follows may show a single type such as Number, which is only one possible type.]" + }, + "AWS::ControlTower::LandingZone": { + "Manifest": "The landing zone manifest JSON text file that specifies the landing zone configurations.", + "Tags": "Tags to be applied to the landing zone.", + "Version": "The landing zone's current deployed version." + }, + "AWS::ControlTower::LandingZone Tag": { + "Key": "The key name of the tag. You can specify a value that's 1 to 128 Unicode characters in length and can't be prefixed with `aws:` . 
digits, whitespace, `_` , `.` , `:` , `/` , `=` , `+` , `@` , `-` , and `\"` .\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "Value": "The value for the tag. You can specify a value that's 1 to 256 characters in length. You can use any of the following characters: the set of Unicode letters, digits, whitespace, `_` , `.` , `/` , `=` , `+` , and `-` .\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::CustomerProfiles::CalculatedAttributeDefinition": { "AttributeDetails": "Mathematical expression and a list of attribute items specified in that expression.", 
@@ -6657,17 +7554,82 @@ "Unit": "The unit of time.", "Value": "The amount of time of the specified unit." }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition Tag": { + "Key": "", + "Value": "" + }, "AWS::CustomerProfiles::CalculatedAttributeDefinition Threshold": { "Operator": "The operator of the threshold.", "Value": "The value of the threshold." }, "AWS::CustomerProfiles::Domain": { - "DeadLetterQueueUrl": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the DeadLetterQueue for the SendMessage operation to enable Amazon Connect Customer Profiles to send messages to the DeadLetterQueue.", + "DeadLetterQueueUrl": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the `DeadLetterQueue` for the `SendMessage` operation to enable Amazon Connect Customer Profiles to send messages to the `DeadLetterQueue` .", "DefaultEncryptionKey": "The default encryption key, which is an AWS managed key, is used when no specific type of encryption key is specified. It is used to encrypt all data before it is placed in permanent or semi-permanent storage.", "DefaultExpirationDays": "The default number of days until the data within the domain expires.", "DomainName": "The unique name of the domain.", + "Matching": "The process of matching duplicate profiles.", + "RuleBasedMatching": "The process of matching duplicate profiles using Rule-Based matching.", "Tags": "The tags used to organize, track, or control access for this resource." }, + "AWS::CustomerProfiles::Domain AttributeTypesSelector": { + "Address": "The `Address` type. You can choose from `Address` , `BusinessAddress` , `MaillingAddress` , and `ShippingAddress` . You only can use the `Address` type in the `MatchingRule` . 
For example, if you want to match a profile based on `BusinessAddress.City` or `MaillingAddress.City` , you can choose the `BusinessAddress` and the `MaillingAddress` to represent the `Address` type and specify the `Address.City` on the matching rule.", + "AttributeMatchingModel": "Configures the `AttributeMatchingModel` , you can either choose `ONE_TO_ONE` or `MANY_TO_MANY` .", + "EmailAddress": "The Email type. You can choose from `EmailAddress` , `BusinessEmailAddress` and `PersonalEmailAddress` . You only can use the `EmailAddress` type in the `MatchingRule` . For example, if you want to match profile based on `PersonalEmailAddress` or `BusinessEmailAddress` , you can choose the `PersonalEmailAddress` and the `BusinessEmailAddress` to represent the `EmailAddress` type and only specify the `EmailAddress` on the matching rule.", + "PhoneNumber": "The `PhoneNumber` type. You can choose from `PhoneNumber` , `HomePhoneNumber` , and `MobilePhoneNumber` . You only can use the `PhoneNumber` type in the `MatchingRule` . For example, if you want to match a profile based on `Phone` or `HomePhone` , you can choose the `Phone` and the `HomePhone` to represent the `PhoneNumber` type and only specify the `PhoneNumber` on the matching rule." + }, + "AWS::CustomerProfiles::Domain AutoMerging": { + "ConflictResolution": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "Consolidation": "A list of matching attributes that represent matching criteria. 
If two profiles meet at least one of the requirements in the matching attributes list, they will be merged.", + "Enabled": "The flag that enables the auto-merging of duplicate profiles.", + "MinAllowedConfidenceScoreForMerging": "A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. A higher score means that a higher similarity is required to merge profiles." + }, + "AWS::CustomerProfiles::Domain ConflictResolution": { + "ConflictResolvingModel": "How the auto-merging process should resolve conflicts between different profiles.", + "SourceName": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel` ." + }, + "AWS::CustomerProfiles::Domain Consolidation": { + "MatchingAttributesList": "A list of matching criteria." + }, + "AWS::CustomerProfiles::Domain DomainStats": { + "MeteringProfileCount": "The number of profiles that you are currently paying for in the domain. If you have more than 100 objects associated with a single profile, that profile counts as two profiles. If you have more than 200 objects, that profile counts as three, and so on.", + "ObjectCount": "The total number of objects in domain.", + "ProfileCount": "The total number of profiles currently in the domain.", + "TotalSize": "The total size, in bytes, of all objects in the domain." + }, + "AWS::CustomerProfiles::Domain ExportingConfig": { + "S3Exporting": "" + }, + "AWS::CustomerProfiles::Domain JobSchedule": { + "DayOfTheWeek": "The day when the Identity Resolution Job should run every week.", + "Time": "The time when the Identity Resolution Job should run every week." 
+ }, + "AWS::CustomerProfiles::Domain Matching": { + "AutoMerging": "Configuration information about the auto-merging process.", + "Enabled": "The flag that enables the matching process of duplicate profiles.", + "ExportingConfig": "The S3 location where Identity Resolution Jobs write result files.", + "JobSchedule": "The day and time when do you want to start the Identity Resolution Job every week." + }, + "AWS::CustomerProfiles::Domain MatchingRule": { + "Rule": "A single rule level of the `MatchRules` . Configures how the rule-based matching process should match profiles." + }, + "AWS::CustomerProfiles::Domain RuleBasedMatching": { + "AttributeTypesSelector": "Configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles.", + "ConflictResolution": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "Enabled": "The flag that enables the matching process of duplicate profiles.", + "ExportingConfig": "The S3 location where Identity Resolution Jobs write result files.", + "MatchingRules": "Configures how the rule-based matching process should match profiles. You can have up to 15 `MatchingRule` in the `MatchingRules` .", + "MaxAllowedRuleLevelForMatching": "Indicates the maximum allowed rule level for matching.", + "MaxAllowedRuleLevelForMerging": "Indicates the maximum allowed rule level for merging.", + "Status": "The status of rule-based matching rule." + }, + "AWS::CustomerProfiles::Domain S3ExportingConfig": { + "S3BucketName": "The name of the S3 bucket where Identity Resolution Jobs write result files.", + "S3KeyName": "The S3 key name of the location where Identity Resolution Jobs write result files." + }, + "AWS::CustomerProfiles::Domain Tag": { + "Key": "A string you can use to assign a value. 
The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::CustomerProfiles::EventStream": { "DomainName": "The unique name of the domain.", "EventStreamName": "The name of the event stream.", @@ -6678,6 +7640,10 @@ "Status": "The status of enabling the Kinesis stream as a destination for export.", "Uri": "The StreamARN of the destination to deliver profile events to. For example, arn:aws:kinesis:region:account-id:stream/stream-name." }, + "AWS::CustomerProfiles::EventStream Tag": { + "Key": "", + "Value": "" + }, "AWS::CustomerProfiles::Integration": { "DomainName": "The unique name of the domain.", "FlowDefinition": "The configuration that controls how Customer Profiles retrieves data from the source.", @@ -6745,6 +7711,10 @@ "IncrementalPullConfig": "Defines the configuration for a scheduled incremental data pull. If a valid configuration is provided, the fields specified in the configuration are used when querying for the incremental data pull.", "SourceConnectorProperties": "Specifies the information that is required to query a particular source connector." }, + "AWS::CustomerProfiles::Integration Tag": { + "Key": "", + "Value": "" + }, "AWS::CustomerProfiles::Integration Task": { "ConnectorOperator": "The operation to be performed on the provided source fields.", "DestinationField": "A field in a destination connector, or a field value against which Amazon AppFlow validates a source field.", 
@@ -6775,6 +7745,7 @@ "Fields": "A list of field definitions for the object type mapping.", "Keys": "A list of keys that can be used to map data to the profile or search for the profile.", "ObjectTypeName": "The name of the profile object type.", + "SourceLastUpdatedTimestampFormat": "The format of your sourceLastUpdatedTimestamp that was previously set up.", "Tags": "The tags used to organize, track, or control access for this resource.", "TemplateId": "A unique identifier for the template mapping. This can be used instead of specifying the Keys and Fields properties directly." }, 
@@ -6795,6 +7766,10 @@ "FieldNames": "The reference for the key name of the fields map.", "StandardIdentifiers": "The types of keys that a ProfileObject can have. Each ProfileObject can have only 1 UNIQUE key but multiple PROFILE keys. PROFILE means that this key can be used to tie an object to a PROFILE. UNIQUE means that it can be used to uniquely identify an object. If a key a is marked as SECONDARY, it will be used to search for profiles after all other PROFILE keys have been searched. A LOOKUP_ONLY key is only used to match a profile but is not persisted to be used for searching of the profile. A NEW_ONLY key is only used if the profile does not already exist before the object is ingested, otherwise it is only used for matching objects to profiles." }, + "AWS::CustomerProfiles::ObjectType Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::DAX::Cluster": { "AvailabilityZones": "The Availability Zones (AZs) in which the cluster nodes will reside after the cluster has been created or updated. If provided, the length of this list must equal the `ReplicationFactor` parameter. If you omit this parameter, DAX will spread the nodes across Availability Zones for the highest availability.", "ClusterEndpointEncryptionType": "The encryption type of the cluster's endpoint. Available values are:\n\n- `NONE` - The cluster's endpoint will be unencrypted.\n- `TLS` - The cluster's endpoint will be encrypted with Transport Layer Security, and will provide an x509 certificate for authentication.\n\nThe default value is `NONE` .", 
@@ -6825,9 +7800,16 @@ "SubnetIds": "A list of VPC subnet IDs for the subnet group." }, "AWS::DLM::LifecyclePolicy": { + "CopyTags": "*[Default policies only]* Indicates whether the policy should copy tags from the source resource to the snapshot or AMI. If you do not specify a value, the default is `false` .\n\nDefault: false", + "CreateInterval": "*[Default policies only]* Specifies how often the policy should run and create snapshots or AMIs. The creation frequency can range from 1 to 7 days. If you do not specify a value, the default is 1.\n\nDefault: 1", + "CrossRegionCopyTargets": "*[Default policies only]* Specifies destination Regions for snapshot or AMI copies. You can specify up to 3 destination Regions. If you do not want to create cross-Region copies, omit this parameter.", + "DefaultPolicy": "Indicates whether the policy is a default lifecycle policy or a custom lifecycle policy.\n\n- `true` - the policy is a default policy.\n- `false` - the policy is a custom policy.", "Description": "A description of the lifecycle policy. The characters ^[0-9A-Za-z _-]+$ are supported.", + "Exclusions": "*[Default policies only]* Specifies exclusion parameters for volumes or instances for which you do not want to create snapshots or AMIs. 
The policy will not create snapshots or AMIs for target resources that match any of the specified exclusion parameters.", "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the IAM role used to run the operations specified by the lifecycle policy.", - "PolicyDetails": "The configuration details of the lifecycle policy.", + "ExtendDeletion": "*[Default policies only]* Defines the snapshot or AMI retention behavior for the policy if the source volume or instance is deleted, or if the policy enters the error, disabled, or deleted state.\n\nBy default ( *ExtendDeletion=false* ):\n\n- If a source resource is deleted, Amazon Data Lifecycle Manager will continue to delete previously created snapshots or AMIs, up to but not including the last one, based on the specified retention period. If you want Amazon Data Lifecycle Manager to delete all snapshots or AMIs, including the last one, specify `true` .\n- If a policy enters the error, disabled, or deleted state, Amazon Data Lifecycle Manager stops deleting snapshots and AMIs. If you want Amazon Data Lifecycle Manager to continue deleting snapshots or AMIs, including the last one, if the policy enters one of these states, specify `true` .\n\nIf you enable extended deletion ( *ExtendDeletion=true* ), you override both default behaviors simultaneously.\n\nIf you do not specify a value, the default is `false` .\n\nDefault: false", + "PolicyDetails": "The configuration details of the lifecycle policy.\n\n> If you create a default policy, you can specify the request parameters either in the request body, or in the PolicyDetails request structure, but not both.", + "RetainInterval": "*[Default policies only]* Specifies how long the policy should retain snapshots or AMIs before deleting them. The retention period can range from 2 to 14 days, but it must be greater than the creation frequency to ensure that the policy retains at least 1 snapshot or AMI at any given time. 
If you do not specify a value, the default is 7.\n\nDefault: 7", "State": "The activation state of the lifecycle policy.", "Tags": "The tags to apply to the lifecycle policy during creation." }, 
@@ -6836,16 +7818,17 @@ "Name": "A descriptive name for the action." }, "AWS::DLM::LifecyclePolicy ArchiveRetainRule": { - "RetentionArchiveTier": "" + "RetentionArchiveTier": "Information about retention period in the Amazon EBS Snapshots Archive. For more information, see [Archive Amazon EBS snapshots](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/snapshot-archive.html) ." }, "AWS::DLM::LifecyclePolicy ArchiveRule": { - "RetainRule": "" + "RetainRule": "Information about the retention period for the snapshot archiving rule." }, "AWS::DLM::LifecyclePolicy CreateRule": { "CronExpression": "The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. For more information, see [Cron expressions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html#CronExpressions) in the *Amazon CloudWatch User Guide* .", "Interval": "The interval between snapshots. The supported values are 1, 2, 3, 4, 6, 8, 12, and 24.", "IntervalUnit": "The interval unit.", - "Location": "*[Snapshot policies only]* Specifies the destination for snapshots created by the policy. To create snapshots in the same Region as the source resource, specify `CLOUD` . To create snapshots on the same Outpost as the source resource, specify `OUTPOST_LOCAL` . If you omit this parameter, `CLOUD` is used by default.\n\nIf the policy targets resources in an AWS Region , then you must create snapshots in the same Region as the source resource. If the policy targets resources on an Outpost, then you can create snapshots on the same Outpost as the source resource, or in the Region of that Outpost.", + "Location": "*[Custom snapshot policies only]* Specifies the destination for snapshots created by the policy. To create snapshots in the same Region as the source resource, specify `CLOUD` . To create snapshots on the same Outpost as the source resource, specify `OUTPOST_LOCAL` . 
If you omit this parameter, `CLOUD` is used by default.\n\nIf the policy targets resources in an AWS Region , then you must create snapshots in the same Region as the source resource. If the policy targets resources on an Outpost, then you can create snapshots on the same Outpost as the source resource, or in the Region of that Outpost.", + "Scripts": "*[Custom snapshot policies that target instances only]* Specifies pre and/or post scripts for a snapshot lifecycle policy that targets instances. This is useful for creating application-consistent snapshots, or for performing specific administrative tasks before or after Amazon Data Lifecycle Manager initiates snapshot creation.\n\nFor more information, see [Automating application-consistent snapshots with pre and post scripts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/automate-app-consistent-backups.html) .", "Times": "The time, in UTC, to start the operation. The supported format is hh:mm.\n\nThe operation occurs within a one-hour window following the specified time. If you do not specify a time, Amazon Data Lifecycle Manager selects a time within the next 24 hours." }, "AWS::DLM::LifecyclePolicy CrossRegionCopyAction": { 
@@ -6854,8 +7837,8 @@ "Target": "The target Region." }, "AWS::DLM::LifecyclePolicy CrossRegionCopyDeprecateRule": { - "Interval": "", - "IntervalUnit": "" + "Interval": "The period after which to deprecate the cross-Region AMI copies. The period must be less than or equal to the cross-Region AMI copy retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", + "IntervalUnit": "The unit of time in which to measure the *Interval* . For example, to deprecate a cross-Region AMI copy after 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` ." }, "AWS::DLM::LifecyclePolicy CrossRegionCopyRetainRule": { "Interval": "The amount of time to retain a cross-Region snapshot or AMI copy. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.", 
@@ -6864,16 +7847,16 @@ "AWS::DLM::LifecyclePolicy CrossRegionCopyRule": { "CmkArn": "The Amazon Resource Name (ARN) of the AWS KMS key to use for EBS encryption. If this parameter is not specified, the default KMS key for the account is used.", "CopyTags": "Indicates whether to copy all user-defined tags from the source snapshot or AMI to the cross-Region copy.", - "DeprecateRule": "", + "DeprecateRule": "*[Custom AMI policies only]* The AMI deprecation rule for cross-Region AMI copies created by the rule.", "Encrypted": "To encrypt a copy of an unencrypted snapshot if encryption by default is not enabled, enable encryption using this parameter. Copies of encrypted snapshots are encrypted, even if this parameter is false or if encryption by default is not enabled.", "RetainRule": "The retention rule that indicates how long the cross-Region snapshot or AMI copies are to be retained in the destination Region.", - "Target": "The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.\n\nUse this parameter instead of *TargetRegion* . Do not specify both.", - "TargetRegion": "> Avoid using this parameter when creating new policies. Instead, use *Target* to specify a target Region or a target Outpost for snapshot copies.\n> \n> For policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies." + "Target": "> Use this parameter for snapshot policies only. For AMI policies, use *TargetRegion* instead. \n\n*[Custom snapshot policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", + "TargetRegion": "> Use this parameter for AMI policies only. For snapshot policies, use *Target* instead. For snapshot policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies. 
\n\n*[Custom AMI policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies." }, "AWS::DLM::LifecyclePolicy DeprecateRule": { - "Count": "", - "Interval": "", - "IntervalUnit": "" + "Count": "If the schedule has a count-based retention rule, this parameter specifies the number of oldest AMIs to deprecate. The count must be less than or equal to the schedule's retention count, and it can't be greater than 1000.", + "Interval": "If the schedule has an age-based retention rule, this parameter specifies the period after which to deprecate AMIs created by the schedule. The period must be less than or equal to the schedule's retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", + "IntervalUnit": "The unit of time in which to measure the *Interval* ." }, "AWS::DLM::LifecyclePolicy EncryptionConfiguration": { "CmkArn": "The Amazon Resource Name (ARN) of the AWS KMS key to use for EBS encryption. If this parameter is not specified, the default KMS key for the account is used.", 
@@ -6888,6 +7871,11 @@ "Parameters": "Information about the event.", "Type": "The source of the event. Currently only managed CloudWatch Events rules are supported." }, + "AWS::DLM::LifecyclePolicy Exclusions": { + "ExcludeBootVolumes": "*[Default policies for EBS snapshots only]* Indicates whether to exclude volumes that are attached to instances as the boot volume. If you exclude boot volumes, only volumes attached as data (non-boot) volumes will be backed up by the policy. To exclude boot volumes, specify `true` .", + "ExcludeTags": "*[Default policies for EBS-backed AMIs only]* Specifies whether to exclude volumes that have specific tags.", + "ExcludeVolumeTypes": "*[Default policies for EBS snapshots only]* Specifies the volume types to exclude. Volumes of the specified types will not be targeted by the policy." + }, "AWS::DLM::LifecyclePolicy FastRestoreRule": { "AvailabilityZones": "The Availability Zones in which to enable fast snapshot restore.", "Count": "The number of snapshots to be enabled with fast snapshot restore.", 
@@ -6895,53 +7883,124 @@ "IntervalUnit": "The unit of time for enabling fast snapshot restore." }, "AWS::DLM::LifecyclePolicy Parameters": { - "ExcludeBootVolume": "*[Snapshot policies that target instances only]* Indicates whether to exclude the root volume from multi-volume snapshot sets. The default is `false` . If you specify `true` , then the root volumes attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", - "ExcludeDataVolumeTags": "", - "NoReboot": "*[AMI policies only]* Indicates whether targeted instances are rebooted when the lifecycle policy runs. `true` indicates that targeted instances are not rebooted when the policy runs. `false` indicates that target instances are rebooted when the policy runs. The default is `true` (instances are not rebooted)." + "ExcludeBootVolume": "*[Custom snapshot policies that target instances only]* Indicates whether to exclude the root volume from multi-volume snapshot sets. The default is `false` . If you specify `true` , then the root volumes attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", + "ExcludeDataVolumeTags": "*[Custom snapshot policies that target instances only]* The tags used to identify data (non-root) volumes to exclude from multi-volume snapshot sets.\n\nIf you create a snapshot lifecycle policy that targets instances and you specify tags for this parameter, then data volumes with the specified tags that are attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", + "NoReboot": "*[Custom AMI policies only]* Indicates whether targeted instances are rebooted when the lifecycle policy runs. `true` indicates that targeted instances are not rebooted when the policy runs. `false` indicates that target instances are rebooted when the policy runs. The default is `true` (instances are not rebooted)." 
}, "AWS::DLM::LifecyclePolicy PolicyDetails": { "Actions": "*[Event-based policies only]* The actions to be performed when the event-based policy is activated. You can specify only one action per policy.", + "CopyTags": "*[Default policies only]* Indicates whether the policy should copy tags from the source resource to the snapshot or AMI. If you do not specify a value, the default is `false` .\n\nDefault: false", + "CreateInterval": "*[Default policies only]* Specifies how often the policy should run and create snapshots or AMIs. The creation frequency can range from 1 to 7 days. If you do not specify a value, the default is 1.\n\nDefault: 1", + "CrossRegionCopyTargets": "*[Default policies only]* Specifies destination Regions for snapshot or AMI copies. You can specify up to 3 destination Regions. If you do not want to create cross-Region copies, omit this parameter.", "EventSource": "*[Event-based policies only]* The event that activates the event-based policy.", - "Parameters": "*[Snapshot and AMI policies only]* A set of optional parameters for snapshot and AMI lifecycle policies.\n\n> If you are modifying a policy that was created or previously modified using the Amazon Data Lifecycle Manager console, then you must include this parameter and specify either the default values or the new values that you require. You can't omit this parameter or set its values to null.", - "PolicyType": "*[All policy types]* The valid target resource types and actions a policy can manage. Specify `EBS_SNAPSHOT_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify `IMAGE_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. 
Specify `EVENT_BASED_POLICY` to create an event-based policy that performs specific actions when a defined event occurs in your AWS account .\n\nThe default is `EBS_SNAPSHOT_MANAGEMENT` .", - "ResourceLocations": "*[Snapshot and AMI policies only]* The location of the resources to backup. If the source resources are located in an AWS Region , specify `CLOUD` . If the source resources are located on an Outpost in your account, specify `OUTPOST` .\n\nIf you specify `OUTPOST` , Amazon Data Lifecycle Manager backs up all resources of the specified type with matching target tags across all of the Outposts in your account.", - "ResourceTypes": "*[Snapshot policies only]* The target resource type for snapshot and AMI lifecycle policies. Use `VOLUME` to create snapshots of individual volumes or use `INSTANCE` to create multi-volume snapshots from the volumes for an instance.", - "Schedules": "*[Snapshot and AMI policies only]* The schedules of policy-defined actions for snapshot and AMI lifecycle policies. A policy can have up to four schedules\u2014one mandatory schedule and up to three optional schedules.", - "TargetTags": "*[Snapshot and AMI policies only]* The single tag that identifies targeted resources for this policy." + "Exclusions": "*[Default policies only]* Specifies exclusion parameters for volumes or instances for which you do not want to create snapshots or AMIs. The policy will not create snapshots or AMIs for target resources that match any of the specified exclusion parameters.", + "ExtendDeletion": "*[Default policies only]* Defines the snapshot or AMI retention behavior for the policy if the source volume or instance is deleted, or if the policy enters the error, disabled, or deleted state.\n\nBy default ( *ExtendDeletion=false* ):\n\n- If a source resource is deleted, Amazon Data Lifecycle Manager will continue to delete previously created snapshots or AMIs, up to but not including the last one, based on the specified retention period. 
If you want Amazon Data Lifecycle Manager to delete all snapshots or AMIs, including the last one, specify `true` .\n- If a policy enters the error, disabled, or deleted state, Amazon Data Lifecycle Manager stops deleting snapshots and AMIs. If you want Amazon Data Lifecycle Manager to continue deleting snapshots or AMIs, including the last one, if the policy enters one of these states, specify `true` .\n\nIf you enable extended deletion ( *ExtendDeletion=true* ), you override both default behaviors simultaneously.\n\nIf you do not specify a value, the default is `false` .\n\nDefault: false", + "Parameters": "*[Custom snapshot and AMI policies only]* A set of optional parameters for snapshot and AMI lifecycle policies.\n\n> If you are modifying a policy that was created or previously modified using the Amazon Data Lifecycle Manager console, then you must include this parameter and specify either the default values or the new values that you require. You can't omit this parameter or set its values to null.", + "PolicyLanguage": "The type of policy to create. Specify one of the following:\n\n- `SIMPLIFIED` To create a default policy.\n- `STANDARD` To create a custom policy.", + "PolicyType": "The type of policy. Specify `EBS_SNAPSHOT_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify `IMAGE_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. Specify `EVENT_BASED_POLICY` to create an event-based policy that performs specific actions when a defined event occurs in your AWS account .\n\nThe default is `EBS_SNAPSHOT_MANAGEMENT` .", + "ResourceLocations": "*[Custom snapshot and AMI policies only]* The location of the resources to backup. If the source resources are located in an AWS Region , specify `CLOUD` . 
If the source resources are located on an Outpost in your account, specify `OUTPOST` .\n\nIf you specify `OUTPOST` , Amazon Data Lifecycle Manager backs up all resources of the specified type with matching target tags across all of the Outposts in your account.", + "ResourceType": "*[Default policies only]* Specify the type of default policy to create.\n\n- To create a default policy for EBS snapshots, that creates snapshots of all volumes in the Region that do not have recent backups, specify `VOLUME` .\n- To create a default policy for EBS-backed AMIs, that creates EBS-backed AMIs from all instances in the Region that do not have recent backups, specify `INSTANCE` .", + "ResourceTypes": "*[Custom snapshot policies only]* The target resource type for snapshot and AMI lifecycle policies. Use `VOLUME` to create snapshots of individual volumes or use `INSTANCE` to create multi-volume snapshots from the volumes for an instance.", + "RetainInterval": "*[Default policies only]* Specifies how long the policy should retain snapshots or AMIs before deleting them. The retention period can range from 2 to 14 days, but it must be greater than the creation frequency to ensure that the policy retains at least 1 snapshot or AMI at any given time. If you do not specify a value, the default is 7.\n\nDefault: 7", + "Schedules": "*[Custom snapshot and AMI policies only]* The schedules of policy-defined actions for snapshot and AMI lifecycle policies. A policy can have up to four schedules\u2014one mandatory schedule and up to three optional schedules.", + "TargetTags": "*[Custom snapshot and AMI policies only]* The single tag that identifies targeted resources for this policy." }, "AWS::DLM::LifecyclePolicy RetainRule": { - "Count": "The number of snapshots to retain for each volume, up to a maximum of 1000. For example if you want to retain a maximum of three snapshots, specify `3` . 
When the fourth snapshot is created, the oldest retained snapshot is deleted, or it is moved to the archive tier if you have specified an `ArchiveRule` .", + "Count": "The number of snapshots to retain for each volume, up to a maximum of 1000. For example if you want to retain a maximum of three snapshots, specify `3` . When the fourth snapshot is created, the oldest retained snapshot is deleted, or it is moved to the archive tier if you have specified an [ArchiveRule](https://docs.aws.amazon.com/dlm/latest/APIReference/API_ArchiveRule.html) .", "Interval": "The amount of time to retain each snapshot. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.", - "IntervalUnit": "The unit of time for time-based retention. For example, to retain snapshots for 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` . Once the snapshot has been retained for 3 months, it is deleted, or it is moved to the archive tier if you have specified an `ArchiveRule` ." + "IntervalUnit": "The unit of time for time-based retention. For example, to retain snapshots for 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` . Once the snapshot has been retained for 3 months, it is deleted, or it is moved to the archive tier if you have specified an [ArchiveRule](https://docs.aws.amazon.com/dlm/latest/APIReference/API_ArchiveRule.html) ." }, "AWS::DLM::LifecyclePolicy RetentionArchiveTier": { - "Count": "", - "Interval": "", - "IntervalUnit": "" + "Count": "The maximum number of snapshots to retain in the archive storage tier for each volume. The count must ensure that each snapshot remains in the archive tier for at least 90 days. For example, if the schedule creates snapshots every 30 days, you must specify a count of 3 or more to ensure that each snapshot is archived for at least 90 days.", + "Interval": "Specifies the period of time to retain snapshots in the archive tier. 
After this period expires, the snapshot is permanently deleted.", + "IntervalUnit": "The unit of time in which to measure the *Interval* . For example, to retain a snapshots in the archive tier for 6 months, specify `Interval=6` and `IntervalUnit=MONTHS` ." }, "AWS::DLM::LifecyclePolicy Schedule": { - "ArchiveRule": "", + "ArchiveRule": "*[Custom snapshot policies that target volumes only]* The snapshot archiving rule for the schedule. When you specify an archiving rule, snapshots are automatically moved from the standard tier to the archive tier once the schedule's retention threshold is met. Snapshots are then retained in the archive tier for the archive retention period that you specify.\n\nFor more information about using snapshot archiving, see [Considerations for snapshot lifecycle policies](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-ami-policy.html#dlm-archive) .", "CopyTags": "Copy all user-defined tags on a source volume to snapshots of the volume created by this policy.", "CreateRule": "The creation rule.", "CrossRegionCopyRules": "Specifies a rule for copying snapshots or AMIs across regions.\n\n> You can't specify cross-Region copy rules for policies that create snapshots on an Outpost. 
If the policy creates snapshots in a Region, then snapshots can be copied to up to three Regions or Outposts.", - "DeprecateRule": "", - "FastRestoreRule": "*[Snapshot policies only]* The rule for enabling fast snapshot restore.", + "DeprecateRule": "*[Custom AMI policies only]* The AMI deprecation rule for the schedule.", + "FastRestoreRule": "*[Custom snapshot policies only]* The rule for enabling fast snapshot restore.", "Name": "The name of the schedule.", "RetainRule": "The retention rule for snapshots or AMIs created by the policy.", - "ShareRules": "*[Snapshot policies only]* The rule for sharing snapshots with other AWS accounts .", + "ShareRules": "*[Custom snapshot policies only]* The rule for sharing snapshots with other AWS accounts .", "TagsToAdd": "The tags to apply to policy-created resources. These user-defined tags are in addition to the AWS -added lifecycle tags.", "VariableTags": "*[AMI policies and snapshot policies that target instances only]* A collection of key/value pairs with values determined dynamically when the policy is executed. Keys may be any valid Amazon EC2 tag key. Values must be in one of the two following formats: `$(instance-id)` or `$(timestamp)` . Variable tags are only valid for EBS Snapshot Management \u2013 Instance policies." }, + "AWS::DLM::LifecyclePolicy Script": { + "ExecuteOperationOnScriptFailure": "Indicates whether Amazon Data Lifecycle Manager should default to crash-consistent snapshots if the pre script fails.\n\n- To default to crash consistent snapshot if the pre script fails, specify `true` .\n- To skip the instance for snapshot creation if the pre script fails, specify `false` .\n\nThis parameter is supported only if you run a pre script. If you run a post script only, omit this parameter.\n\nDefault: true", + "ExecutionHandler": "The SSM document that includes the pre and/or post scripts to run.\n\n- If you are automating VSS backups, specify `AWS_VSS_BACKUP` . 
In this case, Amazon Data Lifecycle Manager automatically uses the `AWSEC2-CreateVssSnapshot` SSM document.\n- If you are automating application-consistent snapshots for SAP HANA workloads, specify `AWSSystemsManagerSAP-CreateDLMSnapshotForSAPHANA` .\n- If you are using a custom SSM document that you own, specify either the name or ARN of the SSM document. If you are using a custom SSM document that is shared with you, specify the ARN of the SSM document.", + "ExecutionHandlerService": "Indicates the service used to execute the pre and/or post scripts.\n\n- If you are using custom SSM documents or automating application-consistent snapshots of SAP HANA workloads, specify `AWS_SYSTEMS_MANAGER` .\n- If you are automating VSS Backups, omit this parameter.\n\nDefault: AWS_SYSTEMS_MANAGER", + "ExecutionTimeout": "Specifies a timeout period, in seconds, after which Amazon Data Lifecycle Manager fails the script run attempt if it has not completed. If a script does not complete within its timeout period, Amazon Data Lifecycle Manager fails the attempt. The timeout period applies to the pre and post scripts individually.\n\nIf you are automating VSS Backups, omit this parameter.\n\nDefault: 10", + "MaximumRetryCount": "Specifies the number of times Amazon Data Lifecycle Manager should retry scripts that fail.\n\n- If the pre script fails, Amazon Data Lifecycle Manager retries the entire snapshot creation process, including running the pre and post scripts.\n- If the post script fails, Amazon Data Lifecycle Manager retries the post script only; in this case, the pre script will have completed and the snapshot might have been created.\n\nIf you do not want Amazon Data Lifecycle Manager to retry failed scripts, specify `0` .\n\nDefault: 0", + "Stages": "Indicate which scripts Amazon Data Lifecycle Manager should run on target instances. Pre scripts run before Amazon Data Lifecycle Manager initiates snapshot creation. 
Post scripts run after Amazon Data Lifecycle Manager initiates snapshot creation.\n\n- To run a pre script only, specify `PRE` . In this case, Amazon Data Lifecycle Manager calls the SSM document with the `pre-script` parameter before initiating snapshot creation.\n- To run a post script only, specify `POST` . In this case, Amazon Data Lifecycle Manager calls the SSM document with the `post-script` parameter after initiating snapshot creation.\n- To run both pre and post scripts, specify both `PRE` and `POST` . In this case, Amazon Data Lifecycle Manager calls the SSM document with the `pre-script` parameter before initiating snapshot creation, and then it calls the SSM document again with the `post-script` parameter after initiating snapshot creation.\n\nIf you are automating VSS Backups, omit this parameter.\n\nDefault: PRE and POST" + }, "AWS::DLM::LifecyclePolicy ShareRule": { "TargetAccounts": "The IDs of the AWS accounts with which to share the snapshots.", "UnshareInterval": "The period after which snapshots that are shared with other AWS accounts are automatically unshared.", "UnshareIntervalUnit": "The unit of time for the automatic unsharing interval." }, + "AWS::DLM::LifecyclePolicy Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::DMS::Certificate": { "CertificateIdentifier": "A customer-assigned name for the certificate. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen or contain two consecutive hyphens.", "CertificatePem": "The contents of a `.pem` file, which contains an X.509 certificate.", "CertificateWallet": "The location of an imported Oracle Wallet certificate for use with SSL. An example is: `filebase64(\"${path.root}/rds-ca-2019-root.sso\")`" }, + "AWS::DMS::DataProvider": { + "DataProviderIdentifier": "The identifier of the data provider. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. 
They can't end with a hyphen, or contain two consecutive hyphens.", + "DataProviderName": "The name of the data provider.", + "Description": "A description of the data provider. Descriptions can have up to 31 characters. A description can contain only ASCII letters, digits, and hyphens ('-'). Also, it can't end with a hyphen or contain two consecutive hyphens, and can only begin with a letter.", + "Engine": "The type of database engine for the data provider. Valid values include `\"aurora\"` , `\"aurora-postgresql\"` , `\"mysql\"` , `\"oracle\"` , `\"postgres\"` , `\"sqlserver\"` , `redshift` , `mariadb` , `mongodb` , and `docdb` . A value of `\"aurora\"` represents Amazon Aurora MySQL-Compatible Edition.", + "ExactSettings": "", + "Settings": "The settings in JSON format for a data provider.", + "Tags": "" + }, + "AWS::DMS::DataProvider MicrosoftSqlServerSettings": { + "CertificateArn": "", + "DatabaseName": "Database name for the endpoint.", + "Port": "Endpoint TCP port.", + "ServerName": "Fully qualified domain name of the endpoint. 
For an Amazon RDS SQL Server instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "SslMode": "" + }, + "AWS::DMS::DataProvider MySqlSettings": { + "CertificateArn": "", + "Port": "Endpoint TCP port.", + "ServerName": "The host name of the endpoint database.\n\nFor an Amazon RDS MySQL instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.\n\nFor an Aurora MySQL instance, this is the output of [DescribeDBClusters](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html) , in the `Endpoint` field.", + "SslMode": "" + }, + "AWS::DMS::DataProvider OracleSettings": { + "AsmServer": "For an Oracle source endpoint, your ASM server address. You can set this value from the `asm_server` value. You set `asm_server` as part of the extra connection attribute string to access an Oracle server with Binary Reader that uses ASM. For more information, see [Configuration for change data capture (CDC) on an Oracle source database](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.CDC.Configuration) .", + "CertificateArn": "", + "DatabaseName": "Database name for the endpoint.", + "Port": "Endpoint TCP port.", + "SecretsManagerOracleAsmAccessRoleArn": "Required only if your Oracle endpoint uses Automatic Storage Management (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . 
This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUser` , `AsmPassword` , and `AsmServerName` . You can't specify both. For more information on creating this `SecretsManagerOracleAsmSecret` and the `SecretsManagerOracleAsmAccessRoleArn` and `SecretsManagerOracleAsmSecretId` required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", + "SecretsManagerOracleAsmSecretId": "Required only if your Oracle endpoint uses Automatic Storage Management (ASM). The full ARN, partial ARN, or friendly name of the `SecretsManagerOracleAsmSecret` that contains the Oracle ASM connection details for the Oracle endpoint.", + "SecretsManagerSecurityDbEncryptionAccessRoleArn": "", + "SecretsManagerSecurityDbEncryptionSecretId": "", + "ServerName": "Fully qualified domain name of the endpoint.\n\nFor an Amazon RDS Oracle instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "SslMode": "" + }, + "AWS::DMS::DataProvider PostgreSqlSettings": { + "CertificateArn": "", + "DatabaseName": "Database name for the endpoint.", + "Port": "Endpoint TCP port. 
The default is 5432.", + "ServerName": "The host name of the endpoint database.\n\nFor an Amazon RDS PostgreSQL instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.\n\nFor an Aurora PostgreSQL instance, this is the output of [DescribeDBClusters](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html) , in the `Endpoint` field.", + "SslMode": "" + }, + "AWS::DMS::DataProvider Settings": { + "MicrosoftSqlServerSettings": "", + "MySqlSettings": "", + "OracleSettings": "", + "PostgreSqlSettings": "" + }, + "AWS::DMS::DataProvider Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DMS::Endpoint": { "CertificateArn": "The Amazon Resource Name (ARN) for the certificate.", "DatabaseName": "The name of the endpoint database. For a MySQL source or target endpoint, don't specify `DatabaseName` . To migrate to a specific database, use this setting and `targetDbType` .", 
@@ -6950,7 +8009,7 @@ "ElasticsearchSettings": "Settings in JSON format for the target OpenSearch endpoint. For more information about the available settings, see [Extra connection attributes when using OpenSearch as a target for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.Elasticsearch.html#CHAP_Target.Elasticsearch.Configuration) in the *AWS Database Migration Service User Guide* .", "EndpointIdentifier": "The database endpoint identifier. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen, or contain two consecutive hyphens.", "EndpointType": "The type of endpoint. Valid values are `source` and `target` .", - "EngineName": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", + "EngineName": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `redshift-serverless` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", "ExtraConnectionAttributes": "Additional attributes associated with the connection. Each attribute is specified as a name-value pair associated by an equal sign (=). Multiple attributes are separated by a semicolon (;) with no additional white space. 
For information on the attributes available for connecting your source or target endpoint, see [Working with AWS DMS Endpoints](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Endpoints.html) in the *AWS Database Migration Service User Guide* .", "GcpMySQLSettings": "Settings in JSON format for the source GCP MySQL endpoint. These settings are much the same as the settings for any MySQL-compatible endpoint. For more information, see [Extra connection attributes when using MySQL as a source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.MySQL.html#CHAP_Source.MySQL.ConnectionAttrib) in the *AWS Database Migration Service User Guide* .", "IbmDb2Settings": "Settings in JSON format for the source IBM Db2 LUW endpoint. For information about other available settings, see [Extra connection attributes when using Db2 LUW as a source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.DB2.html#CHAP_Source.DB2.ConnectionAttrib) in the *AWS Database Migration Service User Guide* .", 
@@ -7002,16 +8061,20 @@ "Port": "The port used by the endpoint database.", "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret.` The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the MySQL endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "SecretsManagerSecretId": "The full ARN, partial ARN, or display name of the `SecretsManagerSecret` that contains the MySQL endpoint connection details.", - "ServerName": "Endpoint TCP port.", + "ServerName": "The MySQL host name.", "ServerTimezone": "Specifies the time zone for the source MySQL database. Don't enclose time zones in single quotation marks.\n\nExample: `serverTimezone=US/Pacific;`", "Username": "Endpoint connection user name." }, "AWS::DMS::Endpoint IbmDb2Settings": { "CurrentLsn": "For ongoing replication (CDC), use CurrentLSN to specify a log sequence number (LSN) where you want the replication to start.", + "KeepCsvFiles": "If true, AWS DMS saves any .csv files to the Db2 LUW target that were used to replicate data. 
DMS uses these files for analysis and troubleshooting.\n\nThe default value is false.", + "LoadTimeout": "The amount of time (in milliseconds) before AWS DMS times out operations performed by DMS on the Db2 target. The default value is 1200 (20 minutes).", + "MaxFileSize": "Specifies the maximum size (in KB) of .csv files used to transfer data to Db2 LUW.", "MaxKBytesPerRead": "Maximum number of bytes per read, as a NUMBER value. The default is 64 KB.", "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret` . The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value ofthe AWS Secrets Manager secret that allows access to the Db2 LUW endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "SecretsManagerSecretId": "The full ARN, partial ARN, or display name of the `SecretsManagerSecret` that contains the IBMDB2 endpoint connection details.", - "SetDataCaptureChanges": "Enables ongoing replication (CDC) as a BOOLEAN value. The default is true." + "SetDataCaptureChanges": "Enables ongoing replication (CDC) as a BOOLEAN value. 
The default is true.", + "WriteBufferSize": "The size (in KB) of the in-memory file write buffer used when generating .csv files on the local disk on the DMS replication instance. The default value is 1024 (1 MB)." }, "AWS::DMS::Endpoint KafkaSettings": { "Broker": "A comma-separated list of one or more broker locations in your Kafka cluster that host your Kafka instance. Specify each broker location in the form `*broker-hostname-or-ip* : *port*` . For example, `\"ec2-12-345-678-901.compute-1.amazonaws.com:2345\"` . For more information and examples of specifying a list of broker locations, see [Using Apache Kafka as a target for AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.Kafka.html) in the *AWS Database Migration Service User Guide* .", 
@@ -7048,13 +8111,21 @@ "AWS::DMS::Endpoint MicrosoftSqlServerSettings": { "BcpPacketSize": "The maximum size of the packets (in bytes) used to transfer data using BCP.", "ControlTablesFileGroup": "Specifies a file group for the AWS DMS internal tables. When the replication task starts, all the internal AWS DMS control tables (awsdms_ apply_exception, awsdms_apply, awsdms_changes) are created for the specified file group.", + "DatabaseName": "Database name for the endpoint.", + "ForceLobLookup": "Forces LOB lookup on inline LOB.", + "Password": "Endpoint connection password.", + "Port": "Endpoint TCP port.", "QuerySingleAlwaysOnNode": "Cleans and recreates table metadata information on the replication instance when a mismatch occurs. An example is a situation where running an alter DDL statement on a table might result in different information about the table cached in the replication instance.", "ReadBackupOnly": "When this attribute is set to `Y` , AWS DMS only reads changes from transaction log backups and doesn't read from the active transaction log file during ongoing replication. Setting this parameter to `Y` enables you to control active transaction log file growth during full load and ongoing replication tasks. However, it can add some source latency to ongoing replication.", "SafeguardPolicy": "Use this attribute to minimize the need to access the backup log and enable AWS DMS to prevent truncation using one of the following two methods.\n\n*Start transactions in the database:* This is the default method. When this method is used, AWS DMS prevents TLOG truncation by mimicking a transaction in the database. As long as such a transaction is open, changes that appear after the transaction started aren't truncated. 
If you need Microsoft Replication to be enabled in your database, then you must choose this method.\n\n*Exclusively use sp_repldone within a single task* : When this method is used, AWS DMS reads the changes and then uses sp_repldone to mark the TLOG transactions as ready for truncation. Although this method doesn't involve any transactional activities, it can only be used when Microsoft Replication isn't running. Also, when using this method, only one AWS DMS task can access the database at any given time. Therefore, if you need to run parallel AWS DMS tasks against the same database, use the default method.", "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret` . The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the SQL Server endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "SecretsManagerSecretId": "The full ARN, partial ARN, or display name of the `SecretsManagerSecret` that contains the MicrosoftSQLServer endpoint connection details.", + "ServerName": "Fully qualified domain name of the endpoint. 
For an Amazon RDS SQL Server instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "TlogAccessMode": "Indicates the mode used to fetch CDC data.", + "TrimSpaceInChar": "Use the `TrimSpaceInChar` source endpoint setting to right-trim data on CHAR and NCHAR data types during migration. Setting `TrimSpaceInChar` does not left-trim data. The default value is `true` .", "UseBcpFullLoad": "Use this to attribute to transfer data for full-load operations using BCP. When the target table contains an identity column that does not exist in the source table, you must disable the use BCP for loading table option.", - "UseThirdPartyBackupDevice": "When this attribute is set to `Y` , DMS processes third-party transaction log backups if they are created in native format." + "UseThirdPartyBackupDevice": "When this attribute is set to `Y` , DMS processes third-party transaction log backups if they are created in native format.", + "Username": "Endpoint connection user name." }, "AWS::DMS::Endpoint MongoDbSettings": { "AuthMechanism": "The authentication mechanism you use to access the MongoDB source endpoint.\n\nFor the default value, in MongoDB version 2.x, `\"default\"` is `\"mongodb_cr\"` . For MongoDB version 3.x or later, `\"default\"` is `\"scram_sha_1\"` . This setting isn't used when `AuthType` is set to `\"no\"` .", 
@@ -7115,7 +8186,7 @@ "ReplacePathPrefix": "Set this attribute to true in order to use the Binary Reader to capture change data for an Amazon RDS for Oracle as the source. This setting tells DMS instance to replace the default Oracle root with the specified `usePathPrefix` setting to access the redo logs.", "RetryInterval": "Specifies the number of seconds that the system waits before resending a query.\n\nExample: `retryInterval=6;`", "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret` . The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the Oracle endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", - "SecretsManagerOracleAsmAccessRoleArn": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. 
You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUserName` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", + "SecretsManagerOracleAsmAccessRoleArn": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUser` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "SecretsManagerOracleAsmSecretId": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). 
The full ARN, partial ARN, or display name of the `SecretsManagerOracleAsmSecret` that contains the Oracle ASM connection details for the Oracle endpoint.", "SecretsManagerSecretId": "The full ARN, partial ARN, or display name of the `SecretsManagerSecret` that contains the Oracle endpoint connection details.", "SecurityDbEncryption": "For an Oracle source endpoint, the transparent data encryption (TDE) password required by AWM DMS to access Oracle redo logs encrypted by TDE using Binary Reader. It is also the `*TDE_Password*` part of the comma-separated value you set to the `Password` request parameter when you create the endpoint. The `SecurityDbEncryptian` setting is related to this `SecurityDbEncryptionName` setting. For more information, see [Supported encryption methods for using Oracle as a source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.Encryption) in the *AWS Database Migration Service User Guide* .", 
@@ -7130,14 +8201,16 @@ }, "AWS::DMS::Endpoint PostgreSqlSettings": { "AfterConnectScript": "For use with change data capture (CDC) only, this attribute has AWS DMS bypass foreign keys and user triggers to reduce the time it takes to bulk load data.\n\nExample: `afterConnectScript=SET session_replication_role='replica'`", + "BabelfishDatabaseName": "The Babelfish for Aurora PostgreSQL database name for the endpoint.", "CaptureDdls": "To capture DDL events, AWS DMS creates various artifacts in the PostgreSQL database when the task starts. You can later remove these artifacts.\n\nIf this value is set to `N` , you don't have to create tables or triggers on the source database.", + "DatabaseMode": "Specifies the default behavior of the replication's handling of PostgreSQL- compatible endpoints that require some additional configuration, such as Babelfish endpoints.", "DdlArtifactsSchema": "The schema in which the operational DDL database artifacts are created.\n\nExample: `ddlArtifactsSchema=xyzddlschema;`", "ExecuteTimeout": "Sets the client statement timeout for the PostgreSQL instance, in seconds. The default value is 60 seconds.\n\nExample: `executeTimeout=100;`", "FailTasksOnLobTruncation": "When set to `true` , this value causes a task to fail if the actual size of a LOB column is greater than the specified `LobMaxSize` .\n\nIf task is set to Limited LOB mode and this option is set to true, the task fails instead of truncating the LOB data.", "HeartbeatEnable": "The write-ahead log (WAL) heartbeat feature mimics a dummy transaction. By doing this, it prevents idle logical replication slots from holding onto old WAL logs, which can result in storage full situations on the source. 
This heartbeat keeps `restart_lsn` moving and prevents storage full scenarios.", "HeartbeatFrequency": "Sets the WAL heartbeat frequency (in minutes).", "HeartbeatSchema": "Sets the schema in which the heartbeat artifacts are created.", - "MapBooleanAsBoolean": "", + "MapBooleanAsBoolean": "When true, lets PostgreSQL migrate the boolean type as boolean. By default, PostgreSQL migrates booleans as `varchar(5)` . You must set this setting on both the source and target endpoints for it to take effect.", "MaxFileSize": "Specifies the maximum size (in KB) of any .csv file used to transfer data to PostgreSQL.\n\nExample: `maxFileSize=512`", "PluginName": "Specifies the plugin to use to create a replication slot.", "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret` . The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the PostgreSQL endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", 
@@ -7167,7 +8240,7 @@ "ExplicitIds": "This setting is only valid for a full-load migration task. Set `ExplicitIds` to `true` to have tables with `IDENTITY` columns override their auto-generated values with explicit values loaded from the source data files used to populate the tables. The default is `false` .", "FileTransferUploadStreams": "The number of threads used to upload a single file. This parameter accepts a value from 1 through 64. It defaults to 10.\n\nThe number of parallel streams used to upload a single .csv file to an S3 bucket using S3 Multipart Upload. For more information, see [Multipart upload overview](https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html) .\n\n`FileTransferUploadStreams` accepts a value from 1 through 64. It defaults to 10.", "LoadTimeout": "The amount of time to wait (in milliseconds) before timing out of operations performed by AWS DMS on a Redshift cluster, such as Redshift COPY, INSERT, DELETE, and UPDATE.", - "MapBooleanAsBoolean": "", + "MapBooleanAsBoolean": "When true, lets Redshift migrate the boolean type as boolean. By default, Redshift migrates booleans as `varchar(1)` . You must set this setting on both the source and target endpoints for it to take effect.", "MaxFileSize": "The maximum size (in KB) of any .csv file used to load data on an S3 bucket and transfer data to Amazon Redshift. It defaults to 1048576KB (1 GB).", "RemoveQuotes": "A value that specifies to remove surrounding quotation marks from strings in the incoming data. All characters within the quotation marks, including delimiters, are retained. Choose `true` to remove quotation marks. The default is `false` .", "ReplaceChars": "A value that specifies to replaces the invalid characters specified in `ReplaceInvalidChars` , substituting the specified characters instead. The default is `\"?\"` .", 
@@ -7183,6 +8256,7 @@ }, "AWS::DMS::Endpoint S3Settings": { "AddColumnName": "An optional parameter that, when set to `true` or `y` , you can use to add column name information to the .csv output file.\n\nThe default value is `false` . Valid values are `true` , `false` , `y` , and `n` .", + "AddTrailingPaddingCharacter": "Use the S3 target endpoint setting `AddTrailingPaddingCharacter` to add padding on string data. The default value is `false` .", "BucketFolder": "An optional parameter to set a folder name in the S3 bucket. If provided, tables are created in the path `*bucketFolder* / *schema_name* / *table_name* /` . If this parameter isn't specified, the path used is `*schema_name* / *table_name* /` .", "BucketName": "The name of the S3 bucket.", "CannedAclForObjects": "A value that enables AWS DMS to specify a predefined (canned) access control list (ACL) for objects created in an Amazon S3 bucket as .csv or .parquet files. For more information about Amazon S3 canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 Developer Guide* .\n\nThe default value is NONE. Valid values include NONE, PRIVATE, PUBLIC_READ, PUBLIC_READ_WRITE, AUTHENTICATED_READ, AWS_EXEC_READ, BUCKET_OWNER_READ, and BUCKET_OWNER_FULL_CONTROL.", 
@@ -7206,7 +8280,9 @@ "EnableStatistics": "A value that enables statistics for Parquet pages and row groups. Choose `true` to enable statistics, `false` to disable. Statistics include `NULL` , `DISTINCT` , `MAX` , and `MIN` values. This parameter defaults to `true` . This value is used for .parquet file format only.", "EncodingType": "The type of encoding that you're using:\n\n- `RLE_DICTIONARY` uses a combination of bit-packing and run-length encoding to store repeated values more efficiently. This is the default.\n- `PLAIN` doesn't use encoding at all. Values are stored as they are.\n- `PLAIN_DICTIONARY` builds a dictionary of the values encountered in a given column. The dictionary is stored in a dictionary page for each column chunk.", "EncryptionMode": "The type of server-side encryption that you want to use for your data. This encryption type is part of the endpoint settings or the extra connections attributes for Amazon S3. You can choose either `SSE_S3` (the default) or `SSE_KMS` .\n\n> For the `ModifyEndpoint` operation, you can change the existing value of the `EncryptionMode` parameter from `SSE_KMS` to `SSE_S3` . But you can\u2019t change the existing value from `SSE_S3` to `SSE_KMS` . 
\n\nTo use `SSE_S3` , you need an IAM role with permission to allow `\"arn:aws:s3:::dms-*\"` to use the following actions:\n\n- `s3:CreateBucket`\n- `s3:ListBucket`\n- `s3:DeleteBucket`\n- `s3:GetBucketLocation`\n- `s3:GetObject`\n- `s3:PutObject`\n- `s3:DeleteObject`\n- `s3:GetObjectVersion`\n- `s3:GetBucketPolicy`\n- `s3:PutBucketPolicy`\n- `s3:DeleteBucketPolicy`", + "ExpectedBucketOwner": "To specify a bucket owner and prevent sniping, you can use the `ExpectedBucketOwner` endpoint setting.\n\nExample: `--s3-settings='{\"ExpectedBucketOwner\": \" *AWS_Account_ID* \"}'`\n\nWhen you make a request to test a connection or perform a migration, S3 checks the account ID of the bucket owner against the specified parameter.", "ExternalTableDefinition": "The external table definition.\n\nConditional: If `S3` is used as a source then `ExternalTableDefinition` is required.", + "GlueCatalogGeneration": "When true, allows AWS Glue to catalog your S3 bucket. Creating an AWS Glue catalog lets you use Athena to query your data.", "IgnoreHeaderRows": "When this value is set to 1, AWS DMS ignores the first row header in a .csv file. A value of 1 turns on the feature; a value of 0 turns off the feature.\n\nThe default is 0.", "IncludeOpForFullLoad": "A value that enables a full load to write INSERT operations to the comma-separated value (.csv) output files only to indicate how the rows were added to the source database.\n\n> AWS DMS supports the `IncludeOpForFullLoad` parameter in versions 3.1.4 and later. \n\nFor full load, records can only be inserted. By default (the `false` setting), no information is recorded in these output files for a full load to indicate that the rows were inserted at the source database. If `IncludeOpForFullLoad` is set to `true` or `y` , the INSERT is recorded as an I annotation in the first field of the .csv file. 
This allows the format of your target records from a full load to be consistent with the target records from a CDC load.\n\n> This setting works together with the `CdcInsertsOnly` and the `CdcInsertsAndUpdates` parameters for output to .csv files only. For more information about how these settings work together, see [Indicating Source DB Operations in Migrated S3 Data](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.S3.html#CHAP_Target.S3.Configuring.InsertOps) in the *AWS Database Migration Service User Guide* .", "MaxFileSize": "A value that specifies the maximum size (in KB) of any .csv file to be created while migrating to an S3 target during full load.\n\nThe default value is 1,048,576 KB (1 GB). Valid values include 1 to 1,048,576.", 
@@ -7225,6 +8301,10 @@ "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret` . The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the SAP ASE endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "SecretsManagerSecretId": "The full ARN, partial ARN, or display name of the `SecretsManagerSecret` that contains the SAP SAE endpoint connection details." }, + "AWS::DMS::Endpoint Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." 
+ }, "AWS::DMS::EventSubscription": { "Enabled": "Indicates whether to activate the subscription. If you don't specify this property, AWS CloudFormation activates the subscription.", "EventCategories": "A list of event categories for a source type that you want to subscribe to. If you don't specify this property, you are notified about all event categories. For more information, see [Working with Events and Notifications](https://docs.aws.amazon.com//dms/latest/userguide/CHAP_Events.html) in the *AWS DMS User Guide* .", 
@@ -7234,6 +8314,82 @@ "SubscriptionName": "The name of the AWS DMS event notification subscription. This name must be less than 255 characters.", "Tags": "One or more tags to be assigned to the event subscription." }, + "AWS::DMS::EventSubscription Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, + "AWS::DMS::InstanceProfile": { + "AvailabilityZone": "The Availability Zone where the instance profile runs.", + "Description": "A description of the instance profile. Descriptions can have up to 31 characters. A description can contain only ASCII letters, digits, and hyphens ('-'). Also, it can't end with a hyphen or contain two consecutive hyphens, and can only begin with a letter.", + "InstanceProfileIdentifier": "The identifier of the instance profile. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen, or contain two consecutive hyphens.", + "InstanceProfileName": "The user-friendly name for the instance profile.", + "KmsKeyArn": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the connection parameters for the instance profile.\n\nIf you don't specify a value for the `KmsKeyArn` parameter, then AWS DMS uses your default encryption key.\n\nAWS KMS creates the default encryption key for your AWS account . 
Your AWS account has a different default encryption key for each AWS Region .", + "NetworkType": "Specifies the network type for the instance profile. A value of `IPV4` represents an instance profile with IPv4 network type and only supports IPv4 addressing. A value of `IPV6` represents an instance profile with IPv6 network type and only supports IPv6 addressing. A value of `DUAL` represents an instance profile with dual network type that supports IPv4 and IPv6 addressing.", + "PubliclyAccessible": "Specifies the accessibility options for the instance profile. A value of `true` represents an instance profile with a public IP address. A value of `false` represents an instance profile with a private IP address. The default value is `true` .", + "SubnetGroupIdentifier": "The identifier of the subnet group that is associated with the instance profile.", + "Tags": "", + "VpcSecurityGroups": "The VPC security groups that are used with the instance profile. The VPC security group must work with the VPC containing the instance profile." + }, + "AWS::DMS::InstanceProfile Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." 
+ }, + "AWS::DMS::MigrationProject": { + "Description": "A user-friendly description of the migration project.", + "InstanceProfileArn": "The Amazon Resource Name (ARN) of the instance profile for your migration project.", + "InstanceProfileIdentifier": "The identifier of the instance profile for your migration project.", + "InstanceProfileName": "The name of the associated instance profile.", + "MigrationProjectIdentifier": "The identifier of the migration project. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen, or contain two consecutive hyphens.", + "MigrationProjectName": "The name of the migration project.", + "SchemaConversionApplicationAttributes": "The schema conversion application attributes, including the Amazon S3 bucket name and Amazon S3 role ARN.", + "SourceDataProviderDescriptors": "Information about the source data provider, including the name or ARN, and AWS Secrets Manager parameters.", + "Tags": "", + "TargetDataProviderDescriptors": "Information about the target data provider, including the name or ARN, and AWS Secrets Manager parameters.", + "TransformationRules": "The settings in JSON format for migration rules. Migration rules make it possible for you to change the object names according to the rules that you specify. For example, you can change an object name to lowercase or uppercase, add or remove a prefix or suffix, or rename objects." + }, + "AWS::DMS::MigrationProject DataProviderDescriptor": { + "DataProviderArn": "The Amazon Resource Name (ARN) of the data provider.", + "DataProviderIdentifier": "", + "DataProviderName": "The user-friendly name of the data provider.", + "SecretsManagerAccessRoleArn": "The ARN of the role used to access AWS Secrets Manager.", + "SecretsManagerSecretId": "The identifier of the AWS Secrets Manager Secret used to store access credentials for the data provider." 
+ }, + "AWS::DMS::MigrationProject SchemaConversionApplicationAttributes": { + "S3BucketPath": "", + "S3BucketRoleArn": "" + }, + "AWS::DMS::MigrationProject Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, + "AWS::DMS::ReplicationConfig": { + "ComputeConfig": "Configuration parameters for provisioning an AWS DMS Serverless replication.", + "ReplicationConfigArn": "The Amazon Resource Name (ARN) of this AWS DMS Serverless replication configuration.", + "ReplicationConfigIdentifier": "A unique identifier that you want to use to create a `ReplicationConfigArn` that is returned as part of the output from this action. You can then pass this output `ReplicationConfigArn` as the value of the `ReplicationConfigArn` option for other actions to identify both AWS DMS Serverless replications and replication configurations that you want those actions to operate on. For some actions, you can also use either this unique identifier or a corresponding ARN in action filters to identify the specific replication and replication configuration to operate on.", + "ReplicationSettings": "Optional JSON settings for AWS DMS Serverless replications that are provisioned using this replication configuration. 
For example, see [Change processing tuning settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TaskSettings.ChangeProcessingTuning.html) .", + "ReplicationType": "The type of AWS DMS Serverless replication to provision using this replication configuration.\n\nPossible values:\n\n- `\"full-load\"`\n- `\"cdc\"`\n- `\"full-load-and-cdc\"`", + "ResourceIdentifier": "Optional unique value or name that you set for a given resource that can be used to construct an Amazon Resource Name (ARN) for that resource. For more information, see [Fine-grained access control using resource names and tags](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#CHAP_Security.FineGrainedAccess) .", + "SourceEndpointArn": "The Amazon Resource Name (ARN) of the source endpoint for this AWS DMS Serverless replication configuration.", + "SupplementalSettings": "Optional JSON settings for specifying supplemental data. For more information, see [Specifying supplemental data for task settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) .", + "TableMappings": "JSON table mappings for AWS DMS Serverless replications that are provisioned using this replication configuration. For more information, see [Specifying table selection and transformations rules using JSON](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TableMapping.SelectionTransformation.html) .", + "Tags": "One or more optional tags associated with resources used by the AWS DMS Serverless replication. For more information, see [Tagging resources in AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tagging.html) .", + "TargetEndpointArn": "The Amazon Resource Name (ARN) of the target endpoint for this AWS DMS serverless replication configuration." 
+ }, + "AWS::DMS::ReplicationConfig ComputeConfig": { + "AvailabilityZone": "The Availability Zone where the AWS DMS Serverless replication using this configuration will run. The default value is a random, system-chosen Availability Zone in the configuration's AWS Region , for example, `\"us-west-2\"` . You can't set this parameter if the `MultiAZ` parameter is set to `true` .", + "DnsNameServers": "A list of custom DNS name servers supported for the AWS DMS Serverless replication to access your source or target database. This list overrides the default name servers supported by the AWS DMS Serverless replication. You can specify a comma-separated list of internet addresses for up to four DNS name servers. For example: `\"1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4\"`", + "KmsKeyId": "An AWS Key Management Service ( AWS KMS ) key Amazon Resource Name (ARN) that is used to encrypt the data during AWS DMS Serverless replication.\n\nIf you don't specify a value for the `KmsKeyId` parameter, AWS DMS uses your default encryption key.\n\nAWS KMS creates the default encryption key for your Amazon Web Services account. Your AWS account has a different default encryption key for each AWS Region .", + "MaxCapacityUnits": "Specifies the maximum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the maximum value that you can specify for AWS DMS Serverless is 384. The `MaxCapacityUnits` parameter is the only DCU parameter you are required to specify.", + "MinCapacityUnits": "Specifies the minimum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. 
So, the minimum DCU value that you can specify for AWS DMS Serverless is 1. If you don't set this value, AWS DMS sets this parameter to the minimum DCU value allowed, 1. If there is no current source activity, AWS DMS scales down your replication until it reaches the value specified in `MinCapacityUnits` .", + "MultiAZ": "Specifies whether the AWS DMS Serverless replication is a Multi-AZ deployment. You can't set the `AvailabilityZone` parameter if the `MultiAZ` parameter is set to `true` .", + "PreferredMaintenanceWindow": "The weekly time range during which system maintenance can occur for the AWS DMS Serverless replication, in Universal Coordinated Time (UTC). The format is `ddd:hh24:mi-ddd:hh24:mi` .\n\nThe default is a 30-minute window selected at random from an 8-hour block of time per AWS Region . This maintenance occurs on a random day of the week. Valid values for days of the week include `Mon` , `Tue` , `Wed` , `Thu` , `Fri` , `Sat` , and `Sun` .\n\nConstraints include a minimum 30-minute window.", + "ReplicationSubnetGroupId": "Specifies a subnet group identifier to associate with the AWS DMS Serverless replication.", + "VpcSecurityGroupIds": "Specifies the virtual private cloud (VPC) security group to use with the AWS DMS Serverless replication. The VPC security group must work with the VPC containing the replication." + }, + "AWS::DMS::ReplicationConfig Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". 
The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DMS::ReplicationInstance": { "AllocatedStorage": "The amount of storage (in gigabytes) to be initially allocated for the replication instance.", "AllowMajorVersionUpgrade": "Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage, and the change is asynchronously applied as soon as possible.\n\nThis parameter must be set to `true` when specifying a value for the `EngineVersion` parameter that is a different major version than the replication instance's current version.", 
@@ -7251,12 +8407,20 @@ "Tags": "One or more tags to be assigned to the replication instance.", "VpcSecurityGroupIds": "Specifies the virtual private cloud (VPC) security group to be used with the replication instance. The VPC security group must work with the VPC containing the replication instance." }, + "AWS::DMS::ReplicationInstance Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DMS::ReplicationSubnetGroup": { "ReplicationSubnetGroupDescription": "The description for the subnet group.", "ReplicationSubnetGroupIdentifier": "The identifier for the replication subnet group. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the identifier.", "SubnetIds": "One or more subnet IDs to be assigned to the subnet group.", "Tags": "One or more tags to be assigned to the subnet group." }, + "AWS::DMS::ReplicationSubnetGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. 
The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DMS::ReplicationTask": { "CdcStartPosition": "Indicates when you want a change data capture (CDC) operation to start. Use either `CdcStartPosition` or `CdcStartTime` to specify when you want a CDC operation to start. Specifying both values results in an error.\n\nThe value can be in date, checkpoint, log sequence number (LSN), or system change number (SCN) format.\n\nHere is a date example: `--cdc-start-position \"2018-03-08T12:12:12\"`\n\nHere is a checkpoint example: `--cdc-start-position \"checkpoint:V1#27#mysql-bin-changelog.157832:1975:-1:2002:677883278264080:mysql-bin-changelog.157832:1876#0#0#*#0#93\"`\n\nHere is an LSN example: `--cdc-start-position \u201cmysql-bin-changelog.000024:373\u201d`\n\n> When you use this task setting with a source PostgreSQL database, a logical replication slot should already be created and associated with the source endpoint. You can verify this by setting the `slotName` extra connection attribute to the name of this logical replication slot. For more information, see [Extra Connection Attributes When Using PostgreSQL as a Source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.PostgreSQL.html#CHAP_Source.PostgreSQL.ConnectionAttrib) in the *AWS Database Migration Service User Guide* .", "CdcStartTime": "Indicates the start time for a change data capture (CDC) operation.", 
@@ -7270,7 +8434,11 @@ "TableMappings": "The table mappings for the task, in JSON format. For more information, see [Using Table Mapping to Specify Task Settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TableMapping.html) in the *AWS Database Migration Service User Guide* .", "Tags": "One or more tags to be assigned to the replication task.", "TargetEndpointArn": "An Amazon Resource Name (ARN) that uniquely identifies the target endpoint.", - "TaskData": "" + "TaskData": "Supplemental information that the task requires to migrate the data for certain source and target endpoints. For more information, see [Specifying Supplemental Data for Task Settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) in the *AWS Database Migration Service User Guide.*" + }, + "AWS::DMS::ReplicationTask Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." }, "AWS::DataBrew::Dataset": { "Format": "The file format of a dataset that is created from an Amazon S3 file or folder.", 
@@ -7356,6 +8524,10 @@ "Bucket": "The Amazon S3 bucket name.", "Key": "The unique name of the object in the bucket." }, + "AWS::DataBrew::Dataset Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Job": { "DataCatalogOutputs": "One or more artifacts that represent the AWS Glue Data Catalog output from running the job.", "DatabaseOutputs": "Represents a list of JDBC database output objects which defines the output destination for a DataBrew recipe job to write into.", @@ -7367,7 +8539,7 @@ "MaxCapacity": "The maximum number of nodes that can be consumed when the job processes data.", "MaxRetries": "The maximum number of times to retry the job after a job run fails.", "Name": "The unique name of the job.", - "OutputLocation": "", + "OutputLocation": "The location in Amazon S3 where the job writes its output.", "Outputs": "One or more artifacts that represent output from running the job.", "ProfileConfiguration": "Configuration for profile jobs. Configuration can be used to select columns, do evaluations, and override default parameters of evaluations. When configuration is undefined, the profile job will apply default settings to all supported columns.", "ProjectName": "The name of the project that the job is associated with.", @@ -7460,6 +8632,10 @@ "IncludedStatistics": "List of included evaluations. When the list is undefined, all supported evaluations will be included.", "Overrides": "List of overrides for evaluations." }, + "AWS::DataBrew::Job Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Job ValidationConfiguration": { "RulesetArn": "The Amazon Resource Name (ARN) for the ruleset to be validated in the profile job. The TargetArn of the selected ruleset should be the same as the Amazon Resource Name (ARN) of the dataset that is associated with the profile job.", "ValidationMode": "Mode of data quality validation. Default mode is \u201cCHECK_ALL\u201d which verifies all rules defined in the selected ruleset." 
@@ -7476,6 +8652,10 @@ "Size": "The number of rows in the sample.", "Type": "The way in which DataBrew obtains rows from a dataset." }, + "AWS::DataBrew::Project Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Recipe": { "Description": "The description of the recipe.", "Name": "The unique name for the recipe.", @@ -7498,8 +8678,11 @@ "TempDirectory": "Represents an Amazon location where DataBrew can store intermediate results." }, "AWS::DataBrew::Recipe Input": { - "DataCatalogInputDefinition": "", - "S3InputDefinition": "" + "DataCatalogInputDefinition": "The AWS Glue Data Catalog parameters for the data.", + "S3InputDefinition": "The Amazon S3 location where the data is stored." + }, + "AWS::DataBrew::Recipe Parameters": { + "Parameters": "Contextual parameters for the transformation." }, "AWS::DataBrew::Recipe RecipeParameters": { "AggregateFunction": "The name of an aggregation function to apply.", @@ -7616,6 +8799,10 @@ "DataCatalogInputDefinition": "The AWS Glue Data Catalog parameters for the data.", "S3InputDefinition": "The Amazon S3 location where the data is stored." }, + "AWS::DataBrew::Recipe Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Ruleset": { "Description": "The description of the ruleset.", "Name": "The name of the ruleset.", @@ -7639,6 +8826,10 @@ "Value": "Value or column name.", "ValueReference": "Variable name." }, + "AWS::DataBrew::Ruleset Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Ruleset Threshold": { "Type": "The type of a threshold. Used for comparison of an actual count of rows that satisfy the rule to the threshold value.", "Unit": "Unit of threshold value. Can be either a COUNT or PERCENTAGE of the full sample size used for validation.", 
@@ -7650,6 +8841,10 @@ "Name": "The name of the schedule.", "Tags": "Metadata tags that have been applied to the schedule." }, + "AWS::DataBrew::Schedule Tag": { + "Key": "", + "Value": "" + }, "AWS::DataPipeline::Pipeline": { "Activate": "Indicates whether to validate and start the pipeline or stop an active pipeline. By default, the value is set to `true` .", "Description": "A description of the pipeline.", 
@@ -7693,6 +8888,27 @@ "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least one tag for your agent.", "VpcEndpointId": "The ID of the virtual private cloud (VPC) endpoint that the agent has access to. This is the client-side VPC endpoint, powered by AWS PrivateLink . If you don't have an AWS PrivateLink VPC endpoint, see [AWS PrivateLink and VPC endpoints](https://docs.aws.amazon.com//vpc/latest/userguide/endpoint-services-overview.html) in the *Amazon VPC User Guide* .\n\nFor more information about activating your agent in a private network based on a VPC, see [Using AWS DataSync in a Virtual Private Cloud](https://docs.aws.amazon.com/datasync/latest/userguide/datasync-in-vpc.html) in the *AWS DataSync User Guide.*\n\nA VPC endpoint ID looks like this: `vpce-01234d5aff67890e1` ." }, + "AWS::DataSync::Agent Tag": { + "Key": "", + "Value": "" + }, + "AWS::DataSync::LocationAzureBlob": { + "AgentArns": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "AzureAccessTier": "Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see [Access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) .", + "AzureBlobAuthenticationType": "Specifies the authentication method DataSync uses to access your Azure Blob Storage. 
DataSync can access blob storage using a shared access signature (SAS).", + "AzureBlobContainerUrl": "Specifies the URL of the Azure Blob Storage container involved in your transfer.", + "AzureBlobSasConfiguration": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.", + "AzureBlobType": "Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. For more information on blob types, see the [Azure Blob Storage documentation](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) .", + "Subdirectory": "Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, `/my/images` ).", + "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location." + }, + "AWS::DataSync::LocationAzureBlob AzureBlobSasConfiguration": { + "AzureBlobSasToken": "Specifies a SAS token that provides permissions to access your Azure Blob Storage.\n\nThe token is part of the SAS URI string that comes after the storage resource URI and a question mark. A token looks something like this:\n\n`sp=r&st=2023-12-20T14:54:52Z&se=2023-12-20T22:54:52Z&spr=https&sv=2021-06-08&sr=c&sig=aBBKDWQvyuVcTPH9EBp%2FXTI9E%2F%2Fmq171%2BZU178wcwqU%3D`" + }, + "AWS::DataSync::LocationAzureBlob Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationEFS": { "AccessPointArn": "Specifies the Amazon Resource Name (ARN) of the access point that DataSync uses to access the Amazon EFS file system.", "Ec2Config": "Specifies the subnet and security groups DataSync uses to access your Amazon EFS file system.", 
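Review bot: The `AzureBlobType` description added in this hunk links to `https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs`, which is two URLs concatenated. A reader who follows it lands on the AWS docs host, not on the Microsoft page the link text names. The target should presumably be `https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs`. These strings look generated from upstream documentation, so the fix probably belongs in the generator's link rewriting, which appears to prefix already-absolute links with the AWS docs base. A hand edit here would likely be overwritten on the next regeneration.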
@@ -7706,12 +8922,20 @@ "SecurityGroupArns": "Specifies the Amazon Resource Names (ARNs) of the security groups associated with an Amazon EFS file system's mount target.", "SubnetArn": "Specifies the ARN of a subnet where DataSync creates the [network interfaces](https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces) for managing traffic during your transfer.\n\nThe subnet must be located:\n\n- In the same virtual private cloud (VPC) as the Amazon EFS file system.\n- In the same Availability Zone as at least one mount target for the Amazon EFS file system.\n\n> You don't need to specify a subnet that includes a file system mount target." }, + "AWS::DataSync::LocationEFS Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationFSxLustre": { "FsxFilesystemArn": "The Amazon Resource Name (ARN) for the FSx for Lustre file system.", "SecurityGroupArns": "The ARNs of the security groups that are used to configure the FSx for Lustre file system.\n\n*Pattern* : `^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):ec2:[a-z\\-0-9]*:[0-9]{12}:security-group/.*$`\n\n*Length constraints* : Maximum length of 128.", "Subdirectory": "A subdirectory in the location's path. This subdirectory in the FSx for Lustre file system is used to read data from the FSx for Lustre source location or write data to the FSx for Lustre destination.", "Tags": "The key-value pair that represents a tag that you want to add to the resource. The value can be an empty string. This value helps you manage, filter, and search for your resources. We recommend that you create a name tag for your location." 
}, + "AWS::DataSync::LocationFSxLustre Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationFSxONTAP": { "Protocol": "Specifies the data transfer protocol that DataSync uses to access your Amazon FSx file system.", "SecurityGroupArns": "Specifies the Amazon Resource Names (ARNs) of the security groups that DataSync can use to access your FSx for ONTAP file system. You must configure the security groups to allow outbound traffic on the following ports (depending on the protocol that you're using):\n\n- *Network File System (NFS)* : TCP ports 111, 635, and 2049\n- *Server Message Block (SMB)* : TCP port 445\n\nYour file system's security groups must also allow inbound traffic on the same port.", 
@@ -7730,7 +8954,7 @@ "SMB": "Specifies the Server Message Block (SMB) protocol configuration that DataSync uses to access your FSx for ONTAP file system's SVM." }, "AWS::DataSync::LocationFSxONTAP SMB": { - "Domain": "Specifies the fully qualified domain name (FQDN) of the Microsoft Active Directory that your storage virtual machine (SVM) belongs to.", + "Domain": "Specifies the fully qualified domain name (FQDN) of the Microsoft Active Directory that your storage virtual machine (SVM) belongs to.\n\nIf you have multiple domains in your environment, configuring this setting makes sure that DataSync connects to the right SVM.", "MountOptions": "Specifies how DataSync can access a location using the SMB protocol.", "Password": "Specifies the password of a user who has permission to access your SVM.", "User": "Specifies a user name that can mount the location and access the files, folders, and metadata that you need in the SVM.\n\nIf you provide a user in your Active Directory, note the following:\n\n- If you're using AWS Directory Service for Microsoft Active Directory , the user must be a member of the AWS Delegated FSx Administrators group.\n- If you're using a self-managed Active Directory, the user must be a member of either the Domain Admins group or a custom group that you specified for file system administration when you created your file system.\n\nMake sure that the user has the permissions it needs to copy the data you want:\n\n- `SE_TCB_NAME` : Required to set object ownership and file metadata. With this privilege, you also can copy NTFS discretionary access lists (DACLs).\n- `SE_SECURITY_NAME` : May be needed to copy NTFS system access control lists (SACLs). This operation specifically requires the Windows privilege, which is granted to members of the Domain Admins group. If you configure your task to copy SACLs, make sure that the user has the required privileges. 
For information about copying SACLs, see [Ownership and permissions-related options](https://docs.aws.amazon.com/datasync/latest/userguide/create-task.html#configure-ownership-and-permissions) ." @@ -7738,6 +8962,10 @@ "AWS::DataSync::LocationFSxONTAP SmbMountOptions": { "Version": "By default, DataSync automatically chooses an SMB protocol version based on negotiation with your SMB file server. You also can configure DataSync to use a specific SMB version, but we recommend doing this only if DataSync has trouble negotiating with the SMB file server automatically.\n\nThese are the following options for configuring the SMB version:\n\n- `AUTOMATIC` (default): DataSync and the SMB file server negotiate the highest version of SMB that they mutually support between 2.1 and 3.1.1.\n\nThis is the recommended option. If you instead choose a specific version that your file server doesn't support, you may get an `Operation Not Supported` error.\n- `SMB3` : Restricts the protocol negotiation to only SMB version 3.0.2.\n- `SMB2` : Restricts the protocol negotiation to only SMB version 2.1.\n- `SMB2_0` : Restricts the protocol negotiation to only SMB version 2.0.\n- `SMB1` : Restricts the protocol negotiation to only SMB version 1.0.\n\n> The `SMB1` option isn't available when [creating an Amazon FSx for NetApp ONTAP location](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateLocationFsxOntap.html) ." }, + "AWS::DataSync::LocationFSxONTAP Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationFSxOpenZFS": { "FsxFilesystemArn": "The Amazon Resource Name (ARN) of the FSx for OpenZFS file system.", "Protocol": "The type of protocol that AWS DataSync uses to access your file system.", 
@@ -7754,15 +8982,23 @@ "AWS::DataSync::LocationFSxOpenZFS Protocol": { "NFS": "Represents the Network File System (NFS) protocol that DataSync uses to access your FSx for OpenZFS file system." }, + "AWS::DataSync::LocationFSxOpenZFS Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationFSxWindows": { - "Domain": "Specifies the name of the Windows domain that the FSx for Windows File Server belongs to.", + "Domain": "Specifies the name of the Microsoft Active Directory domain that the FSx for Windows File Server file system belongs to.\n\nIf you have multiple Active Directory domains in your environment, configuring this parameter makes sure that DataSync connects to the right file system.", "FsxFilesystemArn": "Specifies the Amazon Resource Name (ARN) for the FSx for Windows File Server file system.", - "Password": "Specifies the password of the user who has the permissions to access files and folders in the file system.", + "Password": "Specifies the password of the user with the permissions to mount and access the files, folders, and file metadata in your FSx for Windows File Server file system.", "SecurityGroupArns": "The Amazon Resource Names (ARNs) of the security groups that are used to configure the FSx for Windows File Server file system.\n\n*Pattern* : `^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):ec2:[a-z\\-0-9]*:[0-9]{12}:security-group/.*$`\n\n*Length constraints* : Maximum length of 128.", "Subdirectory": "Specifies a mount path for your file system using forward slashes. This is where DataSync reads or writes data (depending on if this is a source or destination location).", "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. 
We recommend creating at least a name tag for your location.", "User": "The user who has the permissions to access files and folders in the FSx for Windows File Server file system.\n\nFor information about choosing a user name that ensures sufficient permissions to files, folders, and metadata, see [user](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html#FSxWuser) ." }, + "AWS::DataSync::LocationFSxWindows Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationHDFS": { "AgentArns": "The Amazon Resource Names (ARNs) of the agents that are used to connect to the HDFS cluster.", "AuthenticationType": "", 
@@ -7786,18 +9022,26 @@ "DataTransferProtection": "The data transfer protection setting configured on the HDFS cluster. This setting corresponds to your `dfs.data.transfer.protection` setting in the `hdfs-site.xml` file on your Hadoop cluster.", "RpcProtection": "The Remote Procedure Call (RPC) protection setting configured on the HDFS cluster. This setting corresponds to your `hadoop.rpc.protection` setting in your `core-site.xml` file on your Hadoop cluster." }, + "AWS::DataSync::LocationHDFS Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationNFS": { - "MountOptions": "Specifies the mount options that DataSync can use to mount your NFS share.", - "OnPremConfig": "Specifies the Amazon Resource Names (ARNs) of agents that DataSync uses to connect to your NFS file server.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", - "ServerHostname": "Specifies the IP address or domain name of your NFS file server. An agent that is installed on-premises uses this hostname to mount the NFS server in a network.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.\n\n> You must specify be an IP version 4 address or Domain Name System (DNS)-compliant name.", - "Subdirectory": "Specifies the subdirectory in the NFS file server that DataSync transfers to or from. The NFS path should be a path that's exported by the NFS server, or a subdirectory of that path. The path should be such that it can be mounted by other NFS clients in your network.\n\nTo see all the paths exported by your NFS server, run \" `showmount -e nfs-server-name` \" from an NFS client that has access to your server. 
You can specify any directory that appears in the results, and any subdirectory of that directory. Ensure that the NFS export is accessible without Kerberos authentication.\n\nTo transfer all the data in the folder you specified, DataSync needs to have permissions to read all the data. To ensure this, either configure the NFS export with `no_root_squash,` or ensure that the permissions for all of the files that you want DataSync allow read access for all users. Doing either enables the agent to read the files. For the agent to access directories, you must additionally enable all execute access.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "MountOptions": "Specifies the options that DataSync can use to mount your NFS file server.", + "OnPremConfig": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that want to connect to your NFS file server.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for transfers](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "ServerHostname": "Specifies the Domain Name System (DNS) name or IP version 4 address of the NFS file server that your DataSync agent connects to.", + "Subdirectory": "Specifies the export path in your NFS file server that you want DataSync to mount.\n\nThis path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see [Accessing NFS file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs) .", "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location." 
}, "AWS::DataSync::LocationNFS MountOptions": { "Version": "Specifies the NFS version that you want DataSync to use when mounting your NFS share. If the server refuses to use the version specified, the task fails.\n\nYou can specify the following options:\n\n- `AUTOMATIC` (default): DataSync chooses NFS version 4.1.\n- `NFS3` : Stateless protocol version that allows for asynchronous writes on the server.\n- `NFSv4_0` : Stateful, firewall-friendly protocol version that supports delegations and pseudo file systems.\n- `NFSv4_1` : Stateful protocol version that supports sessions, directory delegations, and parallel data processing. NFS version 4.1 also includes all features available in version 4.0.\n\n> DataSync currently only supports NFS version 3 with Amazon FSx for NetApp ONTAP locations." }, "AWS::DataSync::LocationNFS OnPremConfig": { - "AgentArns": "ARNs of the agents to use for an NFS location." + "AgentArns": "The Amazon Resource Names (ARNs) of the agents connecting to a transfer location." + }, + "AWS::DataSync::LocationNFS Tag": { + "Key": "", + "Value": "" }, "AWS::DataSync::LocationObjectStorage": { "AccessKey": "Specifies the access key (for example, a user name) if credentials are required to authenticate with the object storage server.", 
@@ -7811,6 +9055,10 @@ "Subdirectory": "Specifies the object prefix for your object storage server. If this is a source location, DataSync only copies objects with this prefix. If this is a destination location, DataSync writes all objects with this prefix.", "Tags": "Specifies the key-value pair that represents a tag that you want to add to the resource. Tags can help you manage, filter, and search for your resources. We recommend creating a name tag for your location." }, + "AWS::DataSync::LocationObjectStorage Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationS3": { "S3BucketArn": "The ARN of the Amazon S3 bucket.", "S3Config": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that is used to access an Amazon S3 bucket.\n\nFor detailed information about using such a role, see [Creating a Location for Amazon S3](https://docs.aws.amazon.com/datasync/latest/userguide/working-with-locations.html#create-s3-location) in the *AWS DataSync User Guide* .", 
@@ -7821,9 +9069,13 @@ "AWS::DataSync::LocationS3 S3Config": { "BucketAccessRoleArn": "The ARN of the IAM role for accessing the S3 bucket." }, + "AWS::DataSync::LocationS3 Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationSMB": { "AgentArns": "The Amazon Resource Names (ARNs) of agents to use for a Server Message Block (SMB) location.", - "Domain": "Specifies the Windows domain name that your SMB file server belongs to.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) for SMB locations.", + "Domain": "Specifies the name of the Active Directory domain that your SMB file server belongs to.\n\nIf you have multiple Active Directory domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.", "MountOptions": "Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.", "Password": "The password of the user who can mount the share and has the permissions to access files and folders in the SMB share.", "ServerHostname": "Specifies the Domain Name Service (DNS) name or IP address of the SMB file server that your DataSync agent will mount.\n\n> You can't specify an IP version 6 (IPv6) address.", 
@@ -7834,6 +9086,10 @@ "AWS::DataSync::LocationSMB MountOptions": { "Version": "By default, DataSync automatically chooses an SMB protocol version based on negotiation with your SMB file server. You also can configure DataSync to use a specific SMB version, but we recommend doing this only if DataSync has trouble negotiating with the SMB file server automatically.\n\nThese are the following options for configuring the SMB version:\n\n- `AUTOMATIC` (default): DataSync and the SMB file server negotiate the highest version of SMB that they mutually support between 2.1 and 3.1.1.\n\nThis is the recommended option. If you instead choose a specific version that your file server doesn't support, you may get an `Operation Not Supported` error.\n- `SMB3` : Restricts the protocol negotiation to only SMB version 3.0.2.\n- `SMB2` : Restricts the protocol negotiation to only SMB version 2.1.\n- `SMB2_0` : Restricts the protocol negotiation to only SMB version 2.0.\n- `SMB1` : Restricts the protocol negotiation to only SMB version 1.0.\n\n> The `SMB1` option isn't available when [creating an Amazon FSx for NetApp ONTAP location](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateLocationFsxOntap.html) ." }, + "AWS::DataSync::LocationSMB Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::StorageSystem": { "AgentArns": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that connects to and reads from your on-premises storage system's management interface. You can only specify one ARN.", "CloudWatchLogGroupArn": "Specifies the ARN of the Amazon CloudWatch log group for monitoring and logging discovery job events.", 
@@ -7851,6 +9107,10 @@ "Password": "Specifies the password for your storage system's management interface.", "Username": "Specifies the user name for your storage system's management interface." }, + "AWS::DataSync::StorageSystem Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::Task": { "CloudWatchLogGroupArn": "The Amazon Resource Name (ARN) of the Amazon CloudWatch log group that is used to monitor and log events in the task.\n\nFor more information about how to use CloudWatch Logs with DataSync, see [Monitoring Your Task](https://docs.aws.amazon.com/datasync/latest/userguide/monitor-datasync.html#cloudwatchlogs) in the *AWS DataSync User Guide.*\n\nFor more information about these groups, see [Working with Log Groups and Log Streams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) in the *Amazon CloudWatch Logs User Guide* .", "DestinationLocationArn": "The Amazon Resource Name (ARN) of an AWS storage resource's location.", 
@@ -7860,7 +9120,14 @@ "Options": "Specifies the configuration options for a task. Some options include preserving file or object metadata and verifying data integrity.\n\nYou can also override these options before starting an individual run of a task (also known as a *task execution* ). For more information, see [StartTaskExecution](https://docs.aws.amazon.com/datasync/latest/userguide/API_StartTaskExecution.html) .", "Schedule": "Specifies a schedule used to periodically transfer files from a source to a destination location. The schedule should be specified in UTC time. For more information, see [Scheduling your task](https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html) .", "SourceLocationArn": "The Amazon Resource Name (ARN) of the source location for the task.", - "Tags": "Specifies the tags that you want to apply to the Amazon Resource Name (ARN) representing the task.\n\n*Tags* are key-value pairs that help you manage, filter, and search for your DataSync resources." + "Tags": "Specifies the tags that you want to apply to the Amazon Resource Name (ARN) representing the task.\n\n*Tags* are key-value pairs that help you manage, filter, and search for your DataSync resources.", + "TaskReportConfig": "Specifies how you want to configure a task report, which provides detailed information about for your DataSync transfer." + }, + "AWS::DataSync::Task Deleted": { + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to delete." + }, + "AWS::DataSync::Task Destination": { + "S3": "Specifies the Amazon S3 bucket where DataSync uploads your task report." }, "AWS::DataSync::Task FilterRule": { "FilterType": "The type of filter rule to apply. AWS DataSync only supports the SIMPLE_PATTERN rule type.", 
@@ -7870,10 +9137,10 @@ "Atime": "A file metadata value that shows the last time that a file was accessed (that is, when the file was read or written to). If you set `Atime` to `BEST_EFFORT` , AWS DataSync attempts to preserve the original `Atime` attribute on all source files (that is, the version before the PREPARING phase). However, `Atime` 's behavior is not fully standard across platforms, so AWS DataSync can only do this on a best-effort basis.\n\nDefault value: `BEST_EFFORT`\n\n`BEST_EFFORT` : Attempt to preserve the per-file `Atime` value (recommended).\n\n`NONE` : Ignore `Atime` .\n\n> If `Atime` is set to `BEST_EFFORT` , `Mtime` must be set to `PRESERVE` .\n> \n> If `Atime` is set to `NONE` , `Mtime` must also be `NONE` .", "BytesPerSecond": "A value that limits the bandwidth used by AWS DataSync . For example, if you want AWS DataSync to use a maximum of 1 MB, set this value to `1048576` (=1024*1024).", "Gid": "The group ID (GID) of the file's owners.\n\nDefault value: `INT_VALUE`\n\n`INT_VALUE` : Preserve the integer value of the user ID (UID) and group ID (GID) (recommended).\n\n`NAME` : Currently not supported.\n\n`NONE` : Ignore the UID and GID.", - "LogLevel": "Specifies the type of logs that DataSync publishes to a Amazon CloudWatch Logs log group. To specify the log group, see [CloudWatchLogGroupArn](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateTask.html#DataSync-CreateTask-request-CloudWatchLogGroupArn) .\n\nIf you set `LogLevel` to `OFF` , no logs are published. `BASIC` publishes logs on errors for individual files transferred. `TRANSFER` publishes logs for every file or object that is transferred and integrity checked.", + "LogLevel": "Specifies the type of logs that DataSync publishes to a Amazon CloudWatch Logs log group. 
To specify the log group, see [CloudWatchLogGroupArn](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateTask.html#DataSync-CreateTask-request-CloudWatchLogGroupArn) .\n\n- `BASIC` - Publishes logs with only basic information (such as transfer errors).\n- `TRANSFER` - Publishes logs for all files or objects that your DataSync task transfers and performs data-integrity checks on.\n- `OFF` - No logs are published.", "Mtime": "A value that indicates the last time that a file was modified (that is, a file was written to) before the PREPARING phase. This option is required for cases when you need to run the same task more than one time.\n\nDefault value: `PRESERVE`\n\n`PRESERVE` : Preserve original `Mtime` (recommended)\n\n`NONE` : Ignore `Mtime` .\n\n> If `Mtime` is set to `PRESERVE` , `Atime` must be set to `BEST_EFFORT` .\n> \n> If `Mtime` is set to `NONE` , `Atime` must also be set to `NONE` .", - "ObjectTags": "Specifies whether object tags are preserved when transferring between object storage systems. If you want your DataSync task to ignore object tags, specify the `NONE` value.\n\nDefault Value: `PRESERVE`", - "OverwriteMode": "Specifies whether data at the destination location should be overwritten or preserved. If set to `NEVER` , a destination file for example will not be replaced by a source file (even if the destination file differs from the source file). If you modify files in the destination and you sync the files, you can use this value to protect against overwriting those changes.\n\nSome storage classes have specific behaviors that can affect your Amazon S3 storage cost. For detailed information, see [Considerations when working with Amazon S3 storage classes in DataSync](https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#using-storage-classes) .", + "ObjectTags": "Specifies whether you want DataSync to `PRESERVE` object tags (default behavior) when transferring between object storage systems. 
If you want your DataSync task to ignore object tags, specify the `NONE` value.", + "OverwriteMode": "Specifies whether DataSync should modify or preserve data at the destination location.\n\n- `ALWAYS` (default) - DataSync modifies data in the destination location when source data (including metadata) has changed.\n\nIf DataSync overwrites objects, you might incur additional charges for certain Amazon S3 storage classes (for example, for retrieval or early deletion). For more information, see [Storage class considerations with Amazon S3 transfers](https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#using-storage-classes) .\n- `NEVER` - DataSync doesn't overwrite data in the destination location even if the source data has changed. You can use this option to protect against overwriting changes made to files or objects in the destination.", "PosixPermissions": "A value that determines which users or groups can access a file for a specific purpose, such as reading, writing, or execution of the file. This option should be set only for Network File System (NFS), Amazon EFS, and Amazon S3 locations. For more information about what metadata is copied by DataSync, see [Metadata Copied by DataSync](https://docs.aws.amazon.com/datasync/latest/userguide/special-files.html#metadata-copied) .\n\nDefault value: `PRESERVE`\n\n`PRESERVE` : Preserve POSIX-style permissions (recommended).\n\n`NONE` : Ignore permissions.\n\n> AWS DataSync can preserve extant permissions of a source location.", "PreserveDeletedFiles": "A value that specifies whether files in the destination that don't exist in the source file system are preserved. This option can affect your storage costs. If your task deletes objects, you might incur minimum storage duration charges for certain storage classes. 
For detailed information, see [Considerations when working with Amazon S3 storage classes in DataSync](https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#using-storage-classes) in the *AWS DataSync User Guide* .\n\nDefault value: `PRESERVE`\n\n`PRESERVE` : Ignore destination files that aren't present in the source (recommended).\n\n`REMOVE` : Delete destination files that aren't present in the source.", "PreserveDevices": "A value that determines whether AWS DataSync should preserve the metadata of block and character devices in the source file system, and re-create the files with that device name and metadata on the destination. DataSync does not copy the contents of such devices, only the name and metadata.\n\n> AWS DataSync can't sync the actual contents of such devices, because they are nonterminal and don't return an end-of-file (EOF) marker. \n\nDefault value: `NONE`\n\n`NONE` : Ignore special devices (recommended).\n\n`PRESERVE` : Preserve character and block device metadata. This option isn't currently supported for Amazon EFS.", 
@@ -7883,13 +9150,48 @@ "Uid": "The user ID (UID) of the file's owner.\n\nDefault value: `INT_VALUE`\n\n`INT_VALUE` : Preserve the integer value of the UID and group ID (GID) (recommended).\n\n`NAME` : Currently not supported\n\n`NONE` : Ignore the UID and GID.", "VerifyMode": "A value that determines whether a data integrity verification is performed at the end of a task execution after all data and metadata have been transferred. For more information, see [Configure task settings](https://docs.aws.amazon.com/datasync/latest/userguide/create-task.html) .\n\nDefault value: `POINT_IN_TIME_CONSISTENT`\n\n`ONLY_FILES_TRANSFERRED` (recommended): Perform verification only on files that were transferred.\n\n`POINT_IN_TIME_CONSISTENT` : Scan the entire source and entire destination at the end of the transfer to verify that the source and destination are fully synchronized. This option isn't supported when transferring to S3 Glacier or S3 Glacier Deep Archive storage classes.\n\n`NONE` : No additional verification is done at the end of the transfer, but all data transmissions are integrity-checked with checksum verification during the transfer." }, + "AWS::DataSync::Task Overrides": { + "Deleted": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you [configure your task](https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html) to delete data in the destination that isn't in the source.", + "Skipped": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.", + "Transferred": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.", + "Verified": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer." 
+ }, + "AWS::DataSync::Task S3": { + "BucketAccessRoleArn": "Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. For more information, see [Allowing DataSync to upload a task report to an Amazon S3 bucket](https://docs.aws.amazon.com/datasync/latest/userguide/creating-task-reports.html) .", + "S3BucketArn": "Specifies the ARN of the S3 bucket where DataSync uploads your report.", + "Subdirectory": "Specifies a bucket prefix for your report." + }, + "AWS::DataSync::Task Skipped": { + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to skip.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to skip." + }, + "AWS::DataSync::Task Tag": { + "Key": "", + "Value": "" + }, + "AWS::DataSync::Task TaskReportConfig": { + "Destination": "Specifies the Amazon S3 bucket where DataSync uploads your task report. For more information, see [Task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html#task-report-access) .", + "ObjectVersionIds": "Specifies whether your task report includes the new version of each object transferred into an S3 bucket. This only applies if you [enable versioning on your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html) . 
Keep in mind that setting this to `INCLUDE` can increase the duration of your task execution.", + "OutputType": "Specifies the type of task report that you want:\n\n- `SUMMARY_ONLY` : Provides necessary details about your task, including the number of files, objects, and directories transferred and transfer duration.\n- `STANDARD` : Provides complete details about your task, including a full list of files, objects, and directories that were transferred, skipped, verified, and more.", + "Overrides": "Customizes the reporting level for aspects of your task report. For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that DataSync attempted to delete in your destination location.", + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer, skip, verify, and delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer, skip, verify, and delete." + }, "AWS::DataSync::Task TaskSchedule": { "ScheduleExpression": "A cron expression that specifies when AWS DataSync initiates a scheduled transfer from a source to a destination location." }, + "AWS::DataSync::Task Transferred": { + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer." 
+ }, + "AWS::DataSync::Task Verified": { + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify." + }, "AWS::Detective::Graph": { "AutoEnableMembers": "Indicates whether to automatically enable new organization accounts as member accounts in the organization behavior graph.\n\nBy default, this property is set to `false` . If you want to change the value of this property, you must be the Detective administrator for the organization. For more information on setting a Detective administrator account, see [AWS::Detective::OrganizationAdmin](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-detective-organizationadmin.html)", "Tags": "The tag values to assign to the new behavior graph." }, + "AWS::Detective::Graph Tag": { + "Key": "", + "Value": "" + }, "AWS::Detective::MemberInvitation": { "DisableEmailNotification": "Whether to send an invitation email to the member account. If set to true, the member account does not receive an invitation email.", "GraphArn": "The ARN of the behavior graph to invite the account to contribute data to.", 
@@ -7922,7 +9224,7 @@ "StackNames": "An array of CloudFormation stack names." }, "AWS::DevOpsGuru::ResourceCollection ResourceCollectionFilter": { - "CloudFormation": "Information about AWS CloudFormation stacks. You can use up to 500 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", + "CloudFormation": "Information about AWS CloudFormation stacks. You can use up to 1000 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", "Tags": "The AWS tags used to filter the resources in the resource collection.\n\nTags help you identify and organize your AWS resources. Many AWS services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related. For example, you can assign the same tag to an Amazon DynamoDB table resource that you assign to an AWS Lambda function. For more information about using tags, see the [Tagging best practices](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html) whitepaper.\n\nEach AWS tag has two parts.\n\n- A tag *key* (for example, `CostCenter` , `Environment` , `Project` , or `Secret` ). Tag *keys* are case-sensitive.\n- A field known as a tag *value* (for example, `111122223333` , `Production` , or a team name). Omitting the tag *value* is the same as using an empty string. Like tag *keys* , tag *values* are case-sensitive. The tag value is a required property when AppBoundaryKey is specified.\n\nTogether these are known as *key* - *value* pairs.\n\n> The string used for a *key* in a tag that you use to define your resource coverage must begin with the prefix `Devops-guru-` . 
The tag *key* might be `DevOps-Guru-deployment-application` or `devops-guru-rds-application` . When you create a *key* , the case of characters in the *key* can be whatever you choose. After you create a *key* , it is case-sensitive. For example, DevOps Guru works with a *key* named `devops-guru-rds` and a *key* named `DevOps-Guru-RDS` , and these act as two different *keys* . Possible *key* / *value* pairs in your application might be `Devops-Guru-production-application/RDS` or `Devops-Guru-production-application/containers` ." }, "AWS::DevOpsGuru::ResourceCollection TagCollection": { @@ -7942,6 +9244,10 @@ "Operator": "Specifies how Device Farm compares the rule's attribute to the value. For the operators that are supported by each attribute, see the attribute descriptions.", "Value": "The rule's value." }, + "AWS::DeviceFarm::DevicePool Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::InstanceProfile": { "Description": "The description of the instance profile.", "ExcludeAppPackagesFromCleanup": "An array of strings containing the list of app packages that should not be cleaned up from the device after a test run completes.\n\nThe list of packages is considered only if you set `packageCleanup` to `true` .", 
@@ -7950,6 +9256,10 @@ "RebootAfterUse": "When set to `true` , Device Farm reboots the instance after a test run. The default value is `true` .", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *guide* ." }, + "AWS::DeviceFarm::InstanceProfile Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::NetworkProfile": { "Description": "The description of the network profile.", "DownlinkBandwidthBits": "The data throughput rate in bits per second, as an integer from 0 to 104857600.", 
@@ -7964,12 +9274,20 @@ "UplinkJitterMs": "Time variation in the delay of received packets in milliseconds as an integer from 0 to 2000.", "UplinkLossPercent": "Proportion of transmitted packets that fail to arrive from 0 to 100 percent." }, + "AWS::DeviceFarm::NetworkProfile Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::Project": { "DefaultJobTimeoutMinutes": "Sets the execution timeout value (in minutes) for a project. All test runs in this project use the specified execution timeout value unless overridden when scheduling a run.", "Name": "The project's name.", "Tags": "The tags to add to the resource. A tag is an array of key-value pairs. Tag keys can have a maximum character length of 128 characters. Tag values can have a maximum length of 256 characters.", "VpcConfig": "The VPC security groups and subnets that are attached to a project." }, + "AWS::DeviceFarm::Project Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::Project VpcConfig": { "SecurityGroupIds": "A list of VPC security group IDs.\n\nA security group allows inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. See [Security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon Virtual Private Cloud user guide* .", "SubnetIds": "A subnet is a range of IP addresses in your VPC. You can launch Amazon resources, such as EC2 instances, into a specific subnet. 
When you create a subnet, you specify the IPv4 CIDR block for the subnet, which is a subset of the VPC CIDR block. See [VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon Virtual Private Cloud user guide* .", @@ -7981,6 +9299,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *guide* .", "VpcConfig": "The VPC security groups and subnets that are attached to a project." }, + "AWS::DeviceFarm::TestGridProject Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::TestGridProject VpcConfig": { "SecurityGroupIds": "A list of VPC security group IDs.\n\nA security group allows inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. See [Security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon Virtual Private Cloud user guide* .", "SubnetIds": "A list of VPC subnet IDs.\n\nA subnet is a range of IP addresses in your VPC. You can launch Amazon resources, such as EC2 instances, into a specific subnet. When you create a subnet, you specify the IPv4 CIDR block for the subnet, which is a subset of the VPC CIDR block. See [VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon Virtual Private Cloud user guide* .", 
@@ -7993,6 +9315,10 @@ "VpceConfigurationName": "The friendly name you give to your VPC endpoint configuration to manage your configurations more easily.", "VpceServiceName": "The name of the VPC endpoint service that you want to access from Device Farm.\n\nThe name follows the format `com.amazonaws.vpce.us-west-2.vpce-svc-id` ." }, + "AWS::DeviceFarm::VPCEConfiguration Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DirectoryService::MicrosoftAD": { "CreateAlias": "Specifies an alias for a directory and assigns the alias to the directory. The alias is used to construct the access URL for the directory, such as `http://.awsapps.com` . By default, AWS CloudFormation does not create an alias.\n\n> After an alias has been created, it cannot be deleted or reused, so this operation should only be used when absolutely necessary.", "Edition": "AWS Managed Microsoft AD is available in two editions: `Standard` and `Enterprise` . `Enterprise` is the default.", 
@@ -8036,15 +9362,19 @@ "Port": "Specifies the port that the database engine is listening on.", "PreferredBackupWindow": "The daily time range during which automated backups are created if automated backups are enabled using the `BackupRetentionPeriod` parameter.\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region .\n\nConstraints:\n\n- Must be in the format `hh24:mi-hh24:mi` .\n- Must be in Universal Coordinated Time (UTC).\n- Must not conflict with the preferred maintenance window.\n- Must be at least 30 minutes.", "PreferredMaintenanceWindow": "The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).\n\nFormat: `ddd:hh24:mi-ddd:hh24:mi`\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region , occurring on a random day of the week.\n\nValid days: Mon, Tue, Wed, Thu, Fri, Sat, Sun\n\nConstraints: Minimum 30-minute window.", - "RestoreToTime": "", - "RestoreType": "", + "RestoreToTime": "The date and time to restore the cluster to.\n\nValid values: A time in Universal Coordinated Time (UTC) format.\n\nConstraints:\n\n- Must be before the latest restorable time for the instance.\n- Must be specified if the `UseLatestRestorableTime` parameter is not provided.\n- Cannot be specified if the `UseLatestRestorableTime` parameter is `true` .\n- Cannot be specified if the `RestoreType` parameter is `copy-on-write` .\n\nExample: `2015-03-07T23:45:00Z`", + "RestoreType": "The type of restore to be performed. 
You can specify one of the following values:\n\n- `full-copy` - The new DB cluster is restored as a full copy of the source DB cluster.\n- `copy-on-write` - The new DB cluster is restored as a clone of the source DB cluster.\n\nConstraints: You can't specify `copy-on-write` if the engine version of the source DB cluster is earlier than 1.11.\n\nIf you don't specify a `RestoreType` value, then the new DB cluster is restored as a full copy of the source DB cluster.", "SnapshotIdentifier": "The identifier for the snapshot or cluster snapshot to restore from.\n\nYou can use either the name or the Amazon Resource Name (ARN) to specify a cluster snapshot. However, you can use only the ARN to specify a snapshot.\n\nConstraints:\n\n- Must match the identifier of an existing snapshot.", - "SourceDBClusterIdentifier": "", + "SourceDBClusterIdentifier": "The identifier of the source cluster from which to restore.\n\nConstraints:\n\n- Must match the identifier of an existing `DBCluster` .", "StorageEncrypted": "Specifies whether the cluster is encrypted.", "Tags": "The tags to be assigned to the cluster.", - "UseLatestRestorableTime": "", + "UseLatestRestorableTime": "A value that is set to `true` to restore the cluster to the latest restorable backup time, and `false` otherwise.\n\nDefault: `false`\n\nConstraints: Cannot be specified if the `RestoreToTime` parameter is provided.", "VpcSecurityGroupIds": "A list of EC2 VPC security groups to associate with this cluster." }, + "AWS::DocDB::DBCluster Tag": { + "Key": "The required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "The optional value of the tag. 
The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DocDB::DBClusterParameterGroup": { "Description": "The description for the cluster parameter group.", "Family": "The cluster parameter group family name.", 
@@ -8052,22 +9382,36 @@ "Parameters": "Provides a list of parameters for the cluster parameter group.", "Tags": "The tags to be assigned to the cluster parameter group." }, + "AWS::DocDB::DBClusterParameterGroup Tag": { + "Key": "The required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "The optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DocDB::DBInstance": { "AutoMinorVersionUpgrade": "This parameter does not apply to Amazon DocumentDB. Amazon DocumentDB does not perform minor version upgrades regardless of the value set.\n\nDefault: `false`", "AvailabilityZone": "The Amazon EC2 Availability Zone that the instance is created in.\n\nDefault: A random, system-chosen Availability Zone in the endpoint's AWS Region .\n\nExample: `us-east-1d`", + "CACertificateIdentifier": "The CA certificate identifier to use for the DB instance's server certificate.\n\nFor more information, see [Updating Your Amazon DocumentDB TLS Certificates](https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html) and [Encrypting Data in Transit](https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html) in the *Amazon DocumentDB Developer Guide* .", + "CertificateRotationRestart": "Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate.\n\nBy default, the DB instance is restarted when you rotate your SSL/TLS certificate. 
The certificate is not updated until the DB instance is restarted.\n\n> Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. \n\nIf you are using SSL/TLS to connect to the DB instance, see [Updating Your Amazon DocumentDB TLS Certificates](https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html) and [Encrypting Data in Transit](https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html) in the *Amazon DocumentDB Developer Guide* .", "DBClusterIdentifier": "The identifier of the cluster that the instance will belong to.", "DBInstanceClass": "The compute and memory capacity of the instance; for example, `db.m4.large` . If you change the class of an instance there can be some interruption in the cluster's service.", "DBInstanceIdentifier": "The instance identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n- Must contain from 1 to 63 letters, numbers, or hyphens.\n- The first character must be a letter.\n- Cannot end with a hyphen or contain two consecutive hyphens.\n\nExample: `mydbinstance`", - "EnablePerformanceInsights": "", + "EnablePerformanceInsights": "A value that indicates whether to enable Performance Insights for the DB Instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/documentdb/latest/developerguide/performance-insights.html) .", "PreferredMaintenanceWindow": "The time range each week during which system maintenance can occur, in Universal Coordinated Time (UTC).\n\nFormat: `ddd:hh24:mi-ddd:hh24:mi`\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region , occurring on a random day of the week.\n\nValid days: Mon, Tue, Wed, Thu, Fri, Sat, Sun\n\nConstraints: Minimum 30-minute window.", "Tags": "The tags to be assigned to the instance. You can assign up to 10 tags to an instance." 
}, + "AWS::DocDB::DBInstance Tag": { + "Key": "The required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "The optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DocDB::DBSubnetGroup": { "DBSubnetGroupDescription": "The description for the subnet group.", "DBSubnetGroupName": "The name for the subnet group. This value is stored as a lowercase string.\n\nConstraints: Must contain no more than 255 letters, numbers, periods, underscores, spaces, or hyphens. Must not be default.\n\nExample: `mySubnetgroup`", "SubnetIds": "The Amazon EC2 subnet IDs for the subnet group.", "Tags": "The tags to be assigned to the subnet group." }, + "AWS::DocDB::DBSubnetGroup Tag": { + "Key": "The required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "The optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." 
+ }, "AWS::DocDBElastic::Cluster": { "AdminUserName": "The name of the Amazon DocumentDB elastic clusters administrator.\n\n*Constraints* :\n\n- Must be from 1 to 63 letters or numbers.\n- The first character must be a letter.\n- Cannot be a reserved word.", "AdminUserPassword": "The password for the Elastic DocumentDB cluster administrator and can contain any printable ASCII characters.\n\n*Constraints* :\n\n- Must contain from 8 to 100 characters.\n- Cannot contain a forward slash (/), double quote (\"), or the \"at\" symbol (@).\n- A valid `AdminUserName` entry is also required.", @@ -8081,6 +9425,10 @@ "Tags": "The tags to be assigned to the new elastic cluster.", "VpcSecurityGroupIds": "A list of EC2 VPC security groups to associate with the new elastic cluster." }, + "AWS::DocDBElastic::Cluster Tag": { + "Key": "", + "Value": "" + }, "AWS::DynamoDB::GlobalTable": { "AttributeDefinitions": "A list of attributes that describe the key schema for the global table and indexes.", "BillingMode": "Specifies how you are charged for read and write throughput and how you manage capacity. Valid values are:\n\n- `PAY_PER_REQUEST`\n- `PROVISIONED`\n\nAll replicas in your global table will have the same billing mode. If you use `PROVISIONED` billing mode, you must provide an auto scaling configuration via the `WriteProvisionedThroughputSettings` property. The default value of this property is `PROVISIONED` .", 
@@ -8163,6 +9511,10 @@ "AWS::DynamoDB::GlobalTable StreamSpecification": { "StreamViewType": "When an item in the table is modified, `StreamViewType` determines what information is written to the stream for this table. Valid values for `StreamViewType` are:\n\n- `KEYS_ONLY` - Only the key attributes of the modified item are written to the stream.\n- `NEW_IMAGE` - The entire item, as it appears after it was modified, is written to the stream.\n- `OLD_IMAGE` - The entire item, as it appeared before it was modified, is written to the stream.\n- `NEW_AND_OLD_IMAGES` - Both the new and the old item images of the item are written to the stream." }, + "AWS::DynamoDB::GlobalTable Tag": { + "Key": "The key of the tag. Tag keys are case sensitive. Each DynamoDB table can only have up to one tag with the same key. If you try to add an existing tag (same key), the existing tag value will be updated to the new value.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::DynamoDB::GlobalTable TargetTrackingScalingPolicyConfiguration": { "DisableScaleIn": "Indicates whether scale in by the target tracking scaling policy is disabled. The default value is `false` .", "ScaleInCooldown": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start.", 
@@ -8258,6 +9610,10 @@ "AWS::DynamoDB::Table StreamSpecification": { "StreamViewType": "When an item in the table is modified, `StreamViewType` determines what information is written to the stream for this table. Valid values for `StreamViewType` are:\n\n- `KEYS_ONLY` - Only the key attributes of the modified item are written to the stream.\n- `NEW_IMAGE` - The entire item, as it appears after it was modified, is written to the stream.\n- `OLD_IMAGE` - The entire item, as it appeared before it was modified, is written to the stream.\n- `NEW_AND_OLD_IMAGES` - Both the new and the old item images of the item are written to the stream." }, + "AWS::DynamoDB::Table Tag": { + "Key": "The key of the tag. Tag keys are case sensitive. Each DynamoDB table can only have up to one tag with the same key. If you try to add an existing tag (same key), the existing tag value will be updated to the new value.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::DynamoDB::Table TimeToLiveSpecification": { "AttributeName": "The name of the TTL attribute used to store the expiration time for items in the table.\n\n> - The `AttributeName` property is required when enabling the TTL, or when TTL is already enabled.\n> - To update this property, you must first disable TTL and then enable TTL with the new attribute name.", "Enabled": "Indicates whether TTL is to be enabled (true) or disabled (false) on the table." 
@@ -8277,6 +9633,10 @@ "TagSpecifications": "The tags to apply to the Capacity Reservation during launch.", "Tenancy": "Indicates the tenancy of the Capacity Reservation. A Capacity Reservation can have one of the following tenancy settings:\n\n- `default` - The Capacity Reservation is created on hardware that is shared with other AWS accounts .\n- `dedicated` - The Capacity Reservation is created on single-tenant hardware that is dedicated to a single AWS account ." }, + "AWS::EC2::CapacityReservation Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with `aws:` .", + "Value": "The value of the tag.\n\nConstraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters." + }, "AWS::EC2::CapacityReservation TagSpecification": { "ResourceType": "The type of resource to tag. Specify `capacity-reservation` .", "Tags": "The tags to apply to the resource." 
@@ -8301,6 +9661,10 @@ "Priority": "The priority to assign to the instance type. This value is used to determine which of the instance types specified for the Fleet should be prioritized for use. A lower value indicates a high priority. For more information, see [Instance type priority](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/crfleet-concepts.html#instance-priority) in the Amazon EC2 User Guide.", "Weight": "The number of capacity units provided by the specified instance type. This value, together with the total target capacity that you specify for the Fleet determine the number of instances for which the Fleet reserves capacity. Both values are based on units that make sense for your workload. For more information, see [Total target capacity](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/crfleet-concepts.html#target-capacity) in the Amazon EC2 User Guide.\n\nValid Range: Minimum value of `0.001` . Maximum value of `99.999` ." }, + "AWS::EC2::CapacityReservationFleet Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::CapacityReservationFleet TagSpecification": { "ResourceType": "The type of resource to tag on creation. Specify `capacity-reservation-fleet` .\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "Tags": "The tags to apply to the resource." 
@@ -8309,6 +9673,10 @@ "Tags": "The tags assigned to the carrier gateway.", "VpcId": "The ID of the VPC associated with the carrier gateway." }, + "AWS::EC2::CarrierGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::ClientVpnAuthorizationRule": { "AccessGroupId": "The ID of the group to grant access to, for example, the Active Directory group or identity provider (IdP) group. Required if `AuthorizeAllGroups` is `false` or not specified.", "AuthorizeAllGroups": "Indicates whether to grant access to all clients. Specify `true` to grant all clients who successfully establish a VPN connection access to the network. Must be set to `true` if `AccessGroupId` is not specified.", @@ -8363,6 +9731,10 @@ "SAMLProviderArn": "The Amazon Resource Name (ARN) of the IAM SAML identity provider.", "SelfServiceSAMLProviderArn": "The Amazon Resource Name (ARN) of the IAM SAML identity provider for the self-service portal." }, + "AWS::EC2::ClientVpnEndpoint Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::ClientVpnEndpoint TagSpecification": { "ResourceType": "The type of resource to tag.", "Tags": "The tags to apply to the resource." 
@@ -8384,6 +9756,10 @@ "Tags": "One or more tags for the customer gateway.", "Type": "The type of VPN connection that this customer gateway supports ( `ipsec.1` )." }, + "AWS::EC2::CustomerGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::DHCPOptions": { "DomainName": "This value is used to complete unqualified DNS hostnames. If you're using AmazonProvidedDNS in `us-east-1` , specify `ec2.internal` . If you're using AmazonProvidedDNS in another Region, specify *region* . `compute.internal` (for example, `ap-northeast-1.compute.internal` ). Otherwise, specify a domain name (for example, *MyCompany.com* ).", "DomainNameServers": "The IPv4 addresses of up to four domain name servers, or `AmazonProvidedDNS` . The default is `AmazonProvidedDNS` . To have your instance receive a custom DNS hostname as specified in `DomainName` , you must set this property to a custom DNS server.", @@ -8392,6 +9768,10 @@ "NtpServers": "The IPv4 addresses of up to four Network Time Protocol (NTP) servers.", "Tags": "Any tags assigned to the DHCP options set." }, + "AWS::EC2::DHCPOptions Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::EC2Fleet": { "Context": "Reserved.", "ExcessCapacityTerminationPolicy": "Indicates whether running instances should be terminated if the total target capacity of the EC2 Fleet is decreased below the current size of the EC2 Fleet.\n\nSupported only for fleets of type `maintain` .", 
@@ -8399,7 +9779,7 @@ "OnDemandOptions": "Describes the configuration of On-Demand Instances in an EC2 Fleet.", "ReplaceUnhealthyInstances": "Indicates whether EC2 Fleet should replace unhealthy Spot Instances. Supported only for fleets of type `maintain` . For more information, see [EC2 Fleet health checks](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-ec2-fleet.html#ec2-fleet-health-checks) in the *Amazon EC2 User Guide* .", "SpotOptions": "Describes the configuration of Spot Instances in an EC2 Fleet.", - "TagSpecifications": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tagging your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", + "TagSpecifications": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . 
To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", "TargetCapacitySpecification": "The number of units to request.", "TerminateInstancesWithExpiration": "Indicates whether running instances should be terminated when the EC2 Fleet expires.", "Type": "The fleet type. The default value is `maintain` .\n\n- `maintain` - The EC2 Fleet places an asynchronous request for your desired capacity, and continues to maintain your desired Spot capacity by replenishing interrupted Spot Instances.\n- `request` - The EC2 Fleet places an asynchronous one-time request for your desired capacity, but does submit Spot requests in alternative capacity pools if Spot capacity is unavailable, and does not maintain Spot capacity if Spot Instances are interrupted.\n- `instant` - The EC2 Fleet places a synchronous one-time request for your desired capacity, and returns errors for any instances that could not be launched.\n\nFor more information, see [EC2 Fleet request types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-request-type.html) in the *Amazon EC2 User Guide* .", 
@@ -8446,8 +9826,8 @@ }, "AWS::EC2::EC2Fleet InstanceRequirementsRequest": { "AcceleratorCount": "The minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips) on an instance.\n\nTo exclude accelerator-enabled instance types, set `Max` to `0` .\n\nDefault: No minimum or maximum limits", - "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", - "AcceleratorNames": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n\nDefault: Any accelerator", + "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", + "AcceleratorNames": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify 
`a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "AcceleratorTotalMemoryMiB": "The minimum and maximum amount of total accelerator memory, in MiB.\n\nDefault: No minimum or maximum limits", "AcceleratorTypes": "The accelerator types that must be on the instance type.\n\n- To include instance types with GPU hardware, specify `gpu` .\n- To include instance types with FPGA hardware, specify `fpga` .\n- To include instance types with inference hardware, specify `inference` .\n\nDefault: Any accelerator type", "AllowedInstanceTypes": "The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes.\n\nYou can use strings with one or more wild cards, represented by an asterisk ( `*` ), to allow an instance type, size, or generation. The following are examples: `m5.8xlarge` , `c5*.*` , `m5a.*` , `r*` , `*3*` .\n\nFor example, if you specify `c5*` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types.\n\n> If you specify `AllowedInstanceTypes` , you can't specify `ExcludedInstanceTypes` . \n\nDefault: All instance types", 
@@ -8491,7 +9871,7 @@ "AWS::EC2::EC2Fleet OnDemandOptionsRequest": { "AllocationStrategy": "The strategy that determines the order of the launch template overrides to use in fulfilling On-Demand capacity.\n\n`lowest-price` - EC2 Fleet uses price to determine the order, launching the lowest price first.\n\n`prioritized` - EC2 Fleet uses the priority that you assigned to each launch template override, launching the highest priority first.\n\nDefault: `lowest-price`", "CapacityReservationOptions": "The strategy for using unused Capacity Reservations for fulfilling On-Demand capacity.\n\nSupported only for fleets of type `instant` .", - "MaxTotalPrice": "The maximum amount per hour for On-Demand Instances that you're willing to pay.", + "MaxTotalPrice": "The maximum amount per hour for On-Demand Instances that you're willing to pay.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "MinTargetCapacity": "The minimum target capacity for On-Demand Instances in the fleet. 
If the minimum target capacity is not reached, the fleet launches no instances.\n\nSupported only for fleets of type `instant` .\n\nAt least one of the following must be specified: `SingleAvailabilityZone` | `SingleInstanceType`", "SingleAvailabilityZone": "Indicates that the fleet launches all On-Demand Instances into a single Availability Zone.\n\nSupported only for fleets of type `instant` .", "SingleInstanceType": "Indicates that the fleet uses a single instance type to launch all On-Demand Instances in the fleet.\n\nSupported only for fleets of type `instant` ." 
@@ -8511,21 +9891,25 @@ "InstanceInterruptionBehavior": "The behavior when a Spot Instance is interrupted.\n\nDefault: `terminate`", "InstancePoolsToUseCount": "The number of Spot pools across which to allocate your target Spot capacity. Supported only when Spot `AllocationStrategy` is set to `lowest-price` . EC2 Fleet selects the cheapest Spot pools and evenly allocates your target Spot capacity across the number of Spot pools that you specify.\n\nNote that EC2 Fleet attempts to draw Spot Instances from the number of pools that you specify on a best effort basis. If a pool runs out of Spot capacity before fulfilling your target capacity, EC2 Fleet will continue to fulfill your request by drawing from the next cheapest pool. To ensure that your target capacity is met, you might receive Spot Instances from more than the number of pools that you specified. Similarly, if most of the pools have no Spot capacity, you might receive your full target capacity from fewer than the number of pools that you specified.", "MaintenanceStrategies": "The strategies for managing your Spot Instances that are at an elevated risk of being interrupted.", - "MaxTotalPrice": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter.", + "MaxTotalPrice": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter. 
> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "MinTargetCapacity": "The minimum target capacity for Spot Instances in the fleet. If the minimum target capacity is not reached, the fleet launches no instances.\n\nSupported only for fleets of type `instant` .\n\nAt least one of the following must be specified: `SingleAvailabilityZone` | `SingleInstanceType`", "SingleAvailabilityZone": "Indicates that the fleet launches all Spot Instances into a single Availability Zone.\n\nSupported only for fleets of type `instant` .", "SingleInstanceType": "Indicates that the fleet uses a single instance type to launch all Spot Instances in the fleet.\n\nSupported only for fleets of type `instant` ." }, + "AWS::EC2::EC2Fleet Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::EC2Fleet TagSpecification": { - "ResourceType": "The type of resource to tag. `ResourceType` must be `fleet` .", + "ResourceType": "The type of resource to tag.", "Tags": "The tags to apply to the resource." }, "AWS::EC2::EC2Fleet TargetCapacitySpecificationRequest": { - "DefaultTargetCapacityType": "The default `TotalTargetCapacity` , which is either `Spot` or `On-Demand` .", + "DefaultTargetCapacityType": "The default target capacity type.", "OnDemandTargetCapacity": "The number of On-Demand units to request.", "SpotTargetCapacity": "The number of Spot units to request.", - "TargetCapacityUnitType": "The unit for the target capacity. 
`TargetCapacityUnitType` can only be specified when `InstanceRequirements` is specified.\n\nDefault: `units` (translates to number of instances)", - "TotalTargetCapacity": "The number of units to request, filled using `DefaultTargetCapacityType` ." + "TargetCapacityUnitType": "The unit for the target capacity. You can specify this parameter only when using attributed-based instance type selection.\n\nDefault: `units` (the number of instances)", + "TotalTargetCapacity": "The number of units to request, filled using the default target capacity type." }, "AWS::EC2::EC2Fleet TotalLocalStorageGBRequest": { "Max": "The maximum amount of total local storage, in GB. To specify no maximum limit, omit this parameter.", 
@@ -8538,14 +9922,17 @@ "AWS::EC2::EIP": { "Domain": "The network ( `vpc` ).\n\nIf you define an Elastic IP address and associate it with a VPC that is defined in the same template, you must declare a dependency on the VPC-gateway attachment by using the [DependsOn Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) on this resource.", "InstanceId": "The ID of the instance.\n\n> Updates to the `InstanceId` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.", - "NetworkBorderGroup": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.\n\nYou cannot use a network border group with EC2 Classic. If you attempt this operation on EC2 Classic, you receive an `InvalidParameterCombination` error.", + "NetworkBorderGroup": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.", "PublicIpv4Pool": "The ID of an address pool that you own. Use this parameter to let Amazon EC2 select an address from the address pool.\n\n> Updates to the `PublicIpv4Pool` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.", "Tags": "Any tags assigned to the Elastic IP address.\n\n> Updates to the `Tags` property may require *some interruptions* . 
Updates on an EIP reassociates the address on its associated resource.", "TransferAddress": "The Elastic IP address you are accepting for transfer. You can only accept one transferred address. For more information on Elastic IP address transfers, see [Transfer Elastic IP addresses](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html#transfer-EIPs-intro) in the *Amazon Virtual Private Cloud User Guide* ." }, + "AWS::EC2::EIP Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::EIPAssociation": { "AllocationId": "The allocation ID. This is required.", - "EIP": "Deprecated.", "InstanceId": "The ID of the instance. The instance must have exactly one attached network interface. You can specify either the instance ID or the network interface ID, but not both.", "NetworkInterfaceId": "The ID of the network interface. If the instance has more than one network interface, you must specify a network interface ID.\n\nYou can specify either the instance ID or the network interface ID, but not both.", "PrivateIpAddress": "The primary or secondary private IP address to associate with the Elastic IP address. If no private IP address is specified, the Elastic IP address is associated with the primary private IP address." 
@@ -8558,6 +9945,7 @@ "RoleArn": "The ARN of the IAM role to associate with the ACM certificate. You can associate up to 16 IAM roles with an ACM certificate." }, "AWS::EC2::FlowLog": { + "DeliverCrossAccountRole": "The ARN of the IAM role that allows the service to publish flow logs across accounts.", "DeliverLogsPermissionArn": "The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.\n\nThis parameter is required if the destination type is `cloud-watch-logs` and unsupported otherwise.", "DestinationOptions": "The destination options. The following options are supported:\n\n- `FileFormat` - The format for the flow log ( `plain-text` | `parquet` ). The default is `plain-text` .\n- `HiveCompatiblePartitions` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( `true` | `false` ). The default is `false` .\n- `PerHourPartition` - Indicates whether to partition the flow log per hour ( `true` | `false` ). The default is `false` .", "LogDestination": "The destination for the flow log data. The meaning of this parameter depends on the destination type.\n\n- If the destination type is `cloud-watch-logs` , specify the ARN of a CloudWatch Logs log group. For example:\n\narn:aws:logs: *region* : *account_id* :log-group: *my_group*\n\nAlternatively, use the `LogGroupName` parameter.\n- If the destination type is `s3` , specify the ARN of an S3 bucket. For example:\n\narn:aws:s3::: *my_bucket* / *my_subfolder* /\n\nThe subfolder is optional. Note that you can't use `AWSLogs` as a subfolder name.\n- If the destination type is `kinesis-data-firehose` , specify the ARN of a Kinesis Data Firehose delivery stream. For example:\n\narn:aws:firehose: *region* : *account_id* :deliverystream: *my_stream*", 
@@ -8575,11 +9963,16 @@ "HiveCompatiblePartitions": "Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is `false` .", "PerHourPartition": "Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is `false` ." }, + "AWS::EC2::FlowLog Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::GatewayRouteTableAssociation": { "GatewayId": "The ID of the gateway.", "RouteTableId": "The ID of the route table." }, "AWS::EC2::Host": { + "AssetId": "The ID of the Outpost hardware asset on which the Dedicated Host is allocated.", "AutoPlacement": "Indicates whether the host accepts any untargeted instance launches that match its instance type configuration, or if it only accepts Host tenancy instance launches that specify its unique host ID. For more information, see [Understanding auto-placement and affinity](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/how-dedicated-hosts-work.html#dedicated-hosts-understanding) in the *Amazon EC2 User Guide* .\n\nDefault: `on`", "AvailabilityZone": "The Availability Zone in which to allocate the Dedicated Host.", "HostMaintenance": "Indicates whether host maintenance is enabled or disabled for the Dedicated Host.", 
@@ -8589,15 +9982,18 @@ "OutpostArn": "The Amazon Resource Name (ARN) of the AWS Outpost on which the Dedicated Host is allocated." }, "AWS::EC2::IPAM": { - "DefaultResourceDiscoveryAssociationId": "The IPAM's default resource discovery association ID.", - "DefaultResourceDiscoveryId": "The IPAM's default resource discovery ID.", "Description": "The description for the IPAM.", "OperatingRegions": "The operating Regions for an IPAM. Operating Regions are AWS Regions where the IPAM is allowed to manage IP address CIDRs. IPAM only discovers and monitors resources in the AWS Regions you select as operating Regions.\n\nFor more information about operating Regions, see [Create an IPAM](https://docs.aws.amazon.com//vpc/latest/ipam/create-ipam.html) in the *Amazon VPC IPAM User Guide* .", - "Tags": "The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value." + "Tags": "The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value.", + "Tier": "IPAM is offered in a Free Tier and an Advanced Tier. For more information about the features available in each tier and the costs associated with the tiers, see the [VPC IPAM product pricing page](https://docs.aws.amazon.com//vpc/pricing/) ." }, "AWS::EC2::IPAM IpamOperatingRegion": { "RegionName": "The name of the operating Region." }, + "AWS::EC2::IPAM Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::IPAMAllocation": { "Cidr": "The CIDR you would like to allocate from the IPAM pool. 
Note the following:\n\n- If there is no DefaultNetmaskLength allocation rule set on the pool, you must specify either the NetmaskLength or the CIDR.\n- If the DefaultNetmaskLength allocation rule is set on the pool, you can specify either the NetmaskLength or the CIDR and the DefaultNetmaskLength allocation rule will be ignored.\n\nPossible values: Any available IPv4 or IPv6 CIDR.", "Description": "A description for the allocation.", @@ -8624,6 +10020,10 @@ "AWS::EC2::IPAMPool ProvisionedCidr": { "Cidr": "The CIDR provisioned to the IPAM pool. A CIDR is a representation of an IP address and its associated network mask (or netmask) and refers to a range of IP addresses. An IPv4 CIDR example is `10.24.34.0/23` . An IPv6 CIDR example is `2001:DB8::/32` ." }, + "AWS::EC2::IPAMPool Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::IPAMPoolCidr": { "Cidr": "The CIDR provisioned to the IPAM pool. A CIDR is a representation of an IP address and its associated network mask (or netmask) and refers to a range of IP addresses. An IPv4 CIDR example is `10.24.34.0/23` . An IPv6 CIDR example is `2001:DB8::/32` .", "IpamPoolId": "The ID of the IPAM pool.", 
@@ -8637,16 +10037,28 @@ "AWS::EC2::IPAMResourceDiscovery IpamOperatingRegion": { "RegionName": "The name of the operating Region." }, + "AWS::EC2::IPAMResourceDiscovery Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::IPAMResourceDiscoveryAssociation": { "IpamId": "The IPAM ID.", "IpamResourceDiscoveryId": "The resource discovery ID.", "Tags": "A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value. You can use tags to search and filter your resources or track your AWS costs." }, + "AWS::EC2::IPAMResourceDiscoveryAssociation Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::IPAMScope": { "Description": "The description of the scope.", "IpamId": "The ID of the IPAM for which you're creating this scope.", "Tags": "The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value." }, + "AWS::EC2::IPAMScope Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::Instance": { "AdditionalInfo": "This property is reserved for internal use. If you use it, the stack fails with this error: `Bad property set: [Testing this property] (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterCombination; Request ID: 0XXXXXX-49c7-4b40-8bcc-76885dcXXXXX)` .", "Affinity": "Indicates whether the instance is associated with a dedicated host. If you want the instance to always restart on the same host on which it was launched, specify `host` . If you want the instance to restart on any available host, but try to launch onto the last host it ran on (on a best-effort basis), specify `default` .", 
@@ -8682,11 +10094,11 @@ "SecurityGroupIds": "The IDs of the security groups. You can specify the IDs of existing security groups and references to resources created by the stack template.\n\nIf you specify a network interface, you must specify any security groups as part of the network interface.", "SecurityGroups": "[Default VPC] The names of the security groups. For a nondefault VPC, you must use security group IDs instead.\n\nYou cannot specify this option and the network interfaces option in the same request. The list can contain both the name of existing Amazon EC2 security groups or references to AWS::EC2::SecurityGroup resources created in the template.\n\nDefault: Amazon EC2 uses the default security group.", "SourceDestCheck": "Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is `true` , source/destination checks are enabled; otherwise, they are disabled. The default value is `true` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.", - "SsmAssociations": "The SSM [document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html) and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html) in the *AWS Systems Manager User Guide* .\n\n> You can currently associate only one document with an instance.", + "SsmAssociations": "The SSM [document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html) and parameter values in AWS Systems Manager to associate with this instance. 
To use this property, you must specify an IAM instance profile role for the instance. For more information, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html) in the *AWS Systems Manager User Guide* .\n\n> You can associate only one document with an instance.", "SubnetId": "The ID of the subnet to launch the instance into.\n\nIf you specify a network interface, you must specify any subnets as part of the network interface.", "Tags": "The tags to add to the instance. These tags are not applied to the EBS volumes, such as the root volume, unless [PropagateTagsToVolumeOnCreation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-propagatetagstovolumeoncreation) is `true` .", "Tenancy": "The tenancy of the instance. An instance with a tenancy of `dedicated` runs on single-tenant hardware.", - "UserData": "The user data script to make available to the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see [Fn::Base64](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html) .\n\nUser data runs only at instance launch. For more information, see [Run commands on your Linux instance at launch](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) and [Run commands on your Windows instance at launch](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-windows-user-data.html) .", + "UserData": "The parameters or scripts to store as user data. Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. 
For more information, see [Fn::Base64](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html) .\n\nIf the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.", "Volumes": "The volumes to attach to the instance." }, "AWS::EC2::Instance AssociationParameter": { @@ -8726,7 +10138,7 @@ "Enabled": "If this parameter is set to `true` , the instance is enabled for AWS Nitro Enclaves; otherwise, it is not enabled for AWS Nitro Enclaves." }, "AWS::EC2::Instance HibernationOptions": { - "Configured": "Set to `true` to enable your instance for hibernation.\n\nDefault: `false`" + "Configured": "Set to `true` to enable your instance for hibernation.\n\nFor Spot Instances, if you set `Configured` to `true` , either omit the `InstanceInterruptionBehavior` parameter (for [`SpotMarketOptions`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html) ), or set it to `hibernate` . When `Configured` is true:\n\n- If you omit `InstanceInterruptionBehavior` , it defaults to `hibernate` .\n- If you set `InstanceInterruptionBehavior` to a value other than `hibernate` , you'll get an error.\n\nDefault: `false`" }, "AWS::EC2::Instance InstanceIpv6Address": { "Ipv6Address": "The IPv6 address." 
@@ -8741,7 +10153,7 @@ }, "AWS::EC2::Instance NetworkInterface": { "AssociateCarrierIpAddress": "Indicates whether to assign a carrier IP address to the network interface.\n\nYou can only assign a carrier IP address to a network interface that is in a subnet in a Wavelength Zone. For more information about carrier IP addresses, see [Carrier IP address](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", - "AssociatePublicIpAddress": "Indicates whether to assign a public IPv4 address to an instance. Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is `true` .", + "AssociatePublicIpAddress": "Indicates whether to assign a public IPv4 address to an instance. Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is `true` .\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "DeleteOnTermination": "Indicates whether the network interface is deleted when the instance is terminated. Applies only if creating a network interface when launching an instance.", "Description": "The description of the network interface. Applies only if creating a network interface when launching an instance.", "DeviceIndex": "The position of the network interface in the attachment order. A primary network interface has a device index of 0.\n\nIf you create a network interface when launching an instance, you must specify the device index.", 
@@ -8754,7 +10166,6 @@ "SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses. You can't specify this option and specify more than one private IP address using the private IP addresses option.", "SubnetId": "The ID of the subnet associated with the network interface. Applies only if creating a network interface when launching an instance." }, - "AWS::EC2::Instance NoDevice": {}, "AWS::EC2::Instance PrivateDnsNameOptions": { "EnableResourceNameDnsAAAARecord": "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. For more information, see [Amazon EC2 instance hostname types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html) in the *Amazon Elastic Compute Cloud User Guide* .", "EnableResourceNameDnsARecord": "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. For more information, see [Amazon EC2 instance hostname types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html) in the *Amazon Elastic Compute Cloud User Guide* .", 
@@ -8768,13 +10179,32 @@ "AssociationParameters": "The input parameter values to use with the associated SSM document.", "DocumentName": "The name of an SSM document to associate with the instance." }, + "AWS::EC2::Instance Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::Instance Volume": { "Device": "The device name (for example, `/dev/sdh` or `xvdh` ).", "VolumeId": "The ID of the EBS volume. The volume and instance must be within the same Availability Zone." }, + "AWS::EC2::InstanceConnectEndpoint": { + "ClientToken": "Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.", + "PreserveClientIp": "Indicates whether your client's IP address is preserved as the source. The value is `true` or `false` .\n\n- If `true` , your client's IP address is used when you connect to a resource.\n- If `false` , the elastic network interface IP address is used when you connect to a resource.\n\nDefault: `true`", + "SecurityGroupIds": "One or more security groups to associate with the endpoint. If you don't specify a security group, the default security group for your VPC will be associated with the endpoint.", + "SubnetId": "The ID of the subnet in which to create the EC2 Instance Connect Endpoint.", + "Tags": "The tags to apply to the EC2 Instance Connect Endpoint during creation." + }, + "AWS::EC2::InstanceConnectEndpoint Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::InternetGateway": { "Tags": "Any tags to assign to the internet gateway." }, + "AWS::EC2::InternetGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::KeyPair": { "KeyFormat": "The format of the key pair.\n\nDefault: `pem`", "KeyName": "A unique name for the key pair.\n\nConstraints: Up to 255 ASCII characters", 
@@ -8782,10 +10212,14 @@ "PublicKeyMaterial": "The public key material. The `PublicKeyMaterial` property is used to import a key pair. If this property is not specified, then a new key pair will be created.", "Tags": "The tags to apply to the key pair." }, + "AWS::EC2::KeyPair Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::LaunchTemplate": { "LaunchTemplateData": "The information for the launch template.", "LaunchTemplateName": "A name for the launch template.", - "TagSpecifications": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\n> To specify the tags for the resources that are created when an instance is launched, you must use the `TagSpecifications` parameter in the [launch template data](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestLaunchTemplateData.html) structure.", + "TagSpecifications": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\nTo specify the tags for the resources that are created when an instance is launched, you must use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "VersionDescription": "A description for the first version of the launch template." }, "AWS::EC2::LaunchTemplate AcceleratorCount": { 
@@ -8814,6 +10248,11 @@ "CapacityReservationId": "The ID of the Capacity Reservation in which to run the instance.", "CapacityReservationResourceGroupArn": "The ARN of the Capacity Reservation resource group in which to run the instance." }, + "AWS::EC2::LaunchTemplate ConnectionTrackingSpecification": { + "TcpEstablishedTimeout": "Timeout (in seconds) for idle TCP connections in an established state. Min: 60 seconds. Max: 432000 seconds (5 days). Default: 432000 seconds. Recommended: Less than 432000 seconds.", + "UdpStreamTimeout": "Timeout (in seconds) for idle UDP flows classified as streams which have seen more than one request-response transaction. Min: 60 seconds. Max: 180 seconds (3 minutes). Default: 180 seconds.", + "UdpTimeout": "Timeout (in seconds) for idle UDP flows that have seen traffic only in a single direction or a single request-response transaction. Min: 30 seconds. Max: 60 seconds. Default: 30 seconds." + }, "AWS::EC2::LaunchTemplate CpuOptions": { "AmdSevSnp": "Indicates whether to enable the instance for AMD SEV-SNP. AMD SEV-SNP is supported with M6a, R6a, and C6a instance types only. For more information, see [AMD SEV-SNP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html) .", "CoreCount": "The number of CPU cores for the instance.", 
@@ -8825,16 +10264,23 @@ "AWS::EC2::LaunchTemplate Ebs": { "DeleteOnTermination": "Indicates whether the EBS volume is deleted on instance termination.", "Encrypted": "Indicates whether the EBS volume is encrypted. Encrypted volumes can only be attached to instances that support Amazon EBS encryption. If you are creating a volume from a snapshot, you can't specify an encryption value.", - "Iops": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000-16,000 IOPS\n- `io1` : 100-64,000 IOPS\n- `io2` : 100-64,000 IOPS\n\nFor `io1` and `io2` volumes, we guarantee 64,000 IOPS only for [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . Other instance families guarantee performance up to 32,000 IOPS.\n\nThis parameter is supported for `io1` , `io2` , and `gp3` volumes only. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", + "Iops": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . 
On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is supported for `io1` , `io2` , and `gp3` volumes only.", "KmsKeyId": "The ARN of the symmetric AWS Key Management Service ( AWS KMS ) CMK used for encryption.", "SnapshotId": "The ID of the snapshot.", "Throughput": "The throughput to provision for a `gp3` volume, with a maximum of 1,000 MiB/s.\n\nValid Range: Minimum value of 125. Maximum value of 1000.", - "VolumeSize": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", + "VolumeSize": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", "VolumeType": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the *Amazon Elastic Compute Cloud User Guide* ." }, "AWS::EC2::LaunchTemplate ElasticGpuSpecification": { "Type": "The type of Elastic Graphics accelerator. For more information about the values to specify for `Type` , see [Elastic Graphics Basics](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html#elastic-graphics-basics) , specifically the Elastic Graphics accelerator column, in the *Amazon Elastic Compute Cloud User Guide for Windows Instances* ." }, + "AWS::EC2::LaunchTemplate EnaSrdSpecification": { + "EnaSrdEnabled": "Indicates whether ENA Express is enabled for the network interface.", + "EnaSrdUdpSpecification": "Configures ENA Express for UDP network traffic." 
+ }, + "AWS::EC2::LaunchTemplate EnaSrdUdpSpecification": { + "EnaSrdUdpEnabled": "Indicates whether UDP traffic to and from the instance uses ENA Express. To specify this setting, you must first enable ENA Express." + }, "AWS::EC2::LaunchTemplate EnclaveOptions": { "Enabled": "If this parameter is set to `true` , the instance is enabled for AWS Nitro Enclaves; otherwise, it is not enabled for AWS Nitro Enclaves." }, 
@@ -8851,8 +10297,8 @@ }, "AWS::EC2::LaunchTemplate InstanceRequirements": { "AcceleratorCount": "The minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips) on an instance.\n\nTo exclude accelerator-enabled instance types, set `Max` to `0` .\n\nDefault: No minimum or maximum limits", - "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", - "AcceleratorNames": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n\nDefault: Any accelerator", + "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", + "AcceleratorNames": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify 
`a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "AcceleratorTotalMemoryMiB": "The minimum and maximum amount of total accelerator memory, in MiB.\n\nDefault: No minimum or maximum limits", "AcceleratorTypes": "The accelerator types that must be on the instance type.\n\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "AllowedInstanceTypes": "The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes.\n\nYou can use strings with one or more wild cards, represented by an asterisk ( `*` ), to allow an instance type, size, or generation. The following are examples: `m5.8xlarge` , `c5*.*` , `m5a.*` , `r*` , `*3*` .\n\nFor example, if you specify `c5*` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types.\n\n> If you specify `AllowedInstanceTypes` , you can't specify `ExcludedInstanceTypes` . \n\nDefault: All instance types", 
@@ -8892,7 +10338,7 @@ "DisableApiTermination": "If you set this parameter to `true` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use [ModifyInstanceAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html) . Alternatively, if you set `InstanceInitiatedShutdownBehavior` to `terminate` , you can terminate the instance by running the shutdown command from the instance.", "EbsOptimized": "Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance.", "ElasticGpuSpecifications": "An elastic GPU to associate with the instance.", - "ElasticInferenceAccelerators": "The elastic inference accelerator for the instance.", + "ElasticInferenceAccelerators": "An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.\n\nYou cannot specify accelerators from different generations in the same request.\n\n> Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.", "EnclaveOptions": "Indicates whether the instance is enabled for AWS Nitro Enclaves. 
For more information, see [What is AWS Nitro Enclaves?](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) in the *AWS Nitro Enclaves User Guide* .\n\nYou can't enable AWS Nitro Enclaves and hibernation on the same instance.", "HibernationOptions": "Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the [hibernation prerequisites](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html) . For more information, see [Hibernate your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) in the *Amazon Elastic Compute Cloud User Guide* .", "IamInstanceProfile": "The name or Amazon Resource Name (ARN) of an IAM instance profile.", 
@@ -8912,8 +10358,8 @@ "PrivateDnsNameOptions": "The hostname type for EC2 instances launched into this subnet and how DNS A and AAAA record queries should be handled. For more information, see [Amazon EC2 instance hostname types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html) in the *Amazon Elastic Compute Cloud User Guide* .", "RamDiskId": "The ID of the RAM disk.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html) in the *Amazon Elastic Compute Cloud User Guide* .", "SecurityGroupIds": "The IDs of the security groups. You can specify the IDs of existing security groups and references to resources created by the stack template.", - "SecurityGroups": "One or more security group names. For a nondefault VPC, you must use security group IDs instead. You cannot specify both a security group ID and security name in the same request.", - "TagSpecifications": "The tags to apply to the resources that are created during instance launch.\n\nYou can specify tags for the following resources only:\n\n- Instances\n- Volumes\n- Elastic graphics\n- Spot Instance requests\n- Network interfaces\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\n> To tag the launch template itself, you must use the [TagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html) parameter.", + "SecurityGroups": "One or more security group names. 
For a nondefault VPC, you must use security group IDs instead.", + "TagSpecifications": "The tags to apply to the resources that are created during instance launch.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\nTo tag the launch template itself, use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "UserData": "The user data to make available to the instance. You must provide base64-encoded text. User data is limited to 16 KB. For more information, see [Run commands on your Linux instance at launch](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) (Linux) or [Work with instance user data](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/instancedata-add-user-data.html) (Windows) in the *Amazon Elastic Compute Cloud User Guide* .\n\nIf you are creating the launch template for use with AWS Batch , the user data must be provided in the [MIME multi-part archive format](https://docs.aws.amazon.com/https://cloudinit.readthedocs.io/en/latest/topics/format.html#mime-multi-part-archive) . For more information, see [Amazon EC2 user data in launch templates](https://docs.aws.amazon.com/batch/latest/userguide/launch-templates.html) in the *AWS Batch User Guide* ." }, "AWS::EC2::LaunchTemplate LaunchTemplateElasticInferenceAccelerator": { 
@@ -8942,7 +10388,7 @@ "HttpEndpoint": "Enables or disables the HTTP metadata endpoint on your instances. If the parameter is not specified, the default state is `enabled` .\n\n> If you specify a value of `disabled` , you will not be able to access your instance metadata.", "HttpProtocolIpv6": "Enables or disables the IPv6 endpoint for the instance metadata service.\n\nDefault: `disabled`", "HttpPutResponseHopLimit": "The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel.\n\nDefault: `1`\n\nPossible values: Integers from 1 to 64", - "HttpTokens": "IMDSv2 uses token-backed sessions. Set the use of HTTP tokens to `optional` (in other words, set the use of IMDSv2 to `optional` ) or `required` (in other words, set the use of IMDSv2 to `required` ).\n\n- `optional` - When IMDSv2 is optional, you can choose to retrieve instance metadata with or without a session token in your request. If you retrieve the IAM role credentials without a token, the IMDSv1 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the IMDSv2 role credentials are returned.\n- `required` - When IMDSv2 is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.\n\nDefault: `optional`", + "HttpTokens": "Indicates whether IMDSv2 is required.\n\n- `optional` - IMDSv2 is optional. You can choose whether to send a session token in your instance metadata retrieval requests. If you retrieve IAM role credentials without a session token, you receive the IMDSv1 role credentials. If you retrieve IAM role credentials using a valid session token, you receive the IMDSv2 role credentials.\n- `required` - IMDSv2 is required. You must send a session token in your instance metadata retrieval requests. 
With this option, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.\n\nDefault: If the value of `ImdsSupport` for the Amazon Machine Image (AMI) for your instance is `v2.0` , the default is `required` .", "InstanceMetadataTags": "Set to `enabled` to allow access to instance tags from the instance metadata. Set to `disabled` to turn off access to instance tags from the instance metadata. For more information, see [Work with instance tags using the instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS) .\n\nDefault: `disabled`" }, "AWS::EC2::LaunchTemplate Monitoring": { 
@@ -8953,11 +10399,13 @@ "Min": "The minimum amount of network bandwidth, in Gbps. If this parameter is not specified, there is no minimum limit." }, "AWS::EC2::LaunchTemplate NetworkInterface": { - "AssociateCarrierIpAddress": "Indicates whether to associate a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", - "AssociatePublicIpAddress": "Associates a public IPv4 address with eth0 for a new network interface.", + "AssociateCarrierIpAddress": "Associates a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", + "AssociatePublicIpAddress": "Associates a public IPv4 address with eth0 for a new network interface.\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. 
For more information, see the *Public IPv4 Address* tab on the [Amazon VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", + "ConnectionTrackingSpecification": "A connection tracking specification for the network interface.", "DeleteOnTermination": "Indicates whether the network interface is deleted when the instance is terminated.", "Description": "A description for the network interface.", "DeviceIndex": "The device index for the network interface attachment.", + "EnaSrdSpecification": "The ENA Express configuration for the network interface.", "Groups": "The IDs of one or more security groups.", "InterfaceType": "The type of network interface. To create an Elastic Fabric Adapter (EFA), specify `efa` . For more information, see [Elastic Fabric Adapter](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa.html) in the *Amazon Elastic Compute Cloud User Guide* .\n\nIf you are not creating an EFA, specify `interface` or omit this parameter.\n\nValid values: `interface` | `efa`", "Ipv4PrefixCount": "The number of IPv4 prefixes to be automatically assigned to the network interface. You cannot use this option if you use the `Ipv4Prefix` option.", 
@@ -8968,6 +10416,7 @@ "Ipv6Prefixes": "One or more IPv6 prefixes to be assigned to the network interface. You cannot use this option if you use the `Ipv6PrefixCount` option.", "NetworkCardIndex": "The index of the network card. Some instance types support multiple network cards. The primary network interface must be assigned to network card index 0. The default is network card index 0.", "NetworkInterfaceId": "The ID of the network interface.", + "PrimaryIpv6": "The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) .", "PrivateIpAddress": "The primary private IPv4 address of the network interface.", "PrivateIpAddresses": "One or more private IPv4 addresses.", "SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses to assign to a network interface.", 
@@ -9004,8 +10453,12 @@ "SpotInstanceType": "The Spot Instance request type.\n\nIf you are using Spot Instances with an Auto Scaling group, use `one-time` requests, as the Amazon EC2 Auto Scaling service handles requesting new Spot Instances whenever the group is below its desired capacity.", "ValidUntil": "The end date of the request, in UTC format ( *YYYY-MM-DD* T *HH:MM:SS* Z). Supported only for persistent requests.\n\n- For a persistent request, the request remains active until the `ValidUntil` date and time is reached. Otherwise, the request remains active until you cancel it.\n- For a one-time request, `ValidUntil` is not supported. The request remains active until all instances launch or you cancel the request.\n\nDefault: 7 days from the current date" }, + "AWS::EC2::LaunchTemplate Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::LaunchTemplate TagSpecification": { - "ResourceType": "The type of resource to tag.\n\nThe `Valid Values` are all the resource types that can be tagged. However, when creating a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request`\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", + "ResourceType": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. 
For example, not all instance types include an Elastic GPU.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "Tags": "The tags to apply to the resource." }, "AWS::EC2::LaunchTemplate TotalLocalStorageGB": { 
@@ -9027,31 +10480,51 @@ "Mode": "The mode of the local gateway route table.", "Tags": "The tags assigned to the local gateway route table." }, + "AWS::EC2::LocalGatewayRouteTable Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::LocalGatewayRouteTableVPCAssociation": { "LocalGatewayRouteTableId": "The ID of the local gateway route table.", "Tags": "The tags assigned to the association.", "VpcId": "The ID of the VPC." }, + "AWS::EC2::LocalGatewayRouteTableVPCAssociation Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::LocalGatewayRouteTableVirtualInterfaceGroupAssociation": { "LocalGatewayRouteTableId": "The ID of the local gateway route table.", "LocalGatewayVirtualInterfaceGroupId": "The ID of the virtual interface group.", "Tags": "The tags assigned to the association." }, + "AWS::EC2::LocalGatewayRouteTableVirtualInterfaceGroupAssociation Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NatGateway": { "AllocationId": "[Public NAT gateway only] The allocation ID of the Elastic IP address that's associated with the NAT gateway. This property is required for a public NAT gateway and cannot be specified with a private NAT gateway.", "ConnectivityType": "Indicates whether the NAT gateway supports public or private connectivity. The default is public connectivity.", "MaxDrainDurationSeconds": "The maximum amount of time to wait (in seconds) before forcibly releasing the IP addresses if connections are still in progress. Default value is 350 seconds.", "PrivateIpAddress": "The private IPv4 address to assign to the NAT gateway. If you don't provide an address, a private IPv4 address will be automatically assigned.", "SecondaryAllocationIds": "Secondary EIP allocation IDs. 
For more information, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon VPC User Guide* .", - "SecondaryPrivateIpAddressCount": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", - "SecondaryPrivateIpAddresses": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "SecondaryPrivateIpAddressCount": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "SecondaryPrivateIpAddresses": "Secondary private IPv4 addresses. 
For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "SubnetId": "The ID of the subnet in which the NAT gateway is located.", "Tags": "The tags for the NAT gateway." }, + "AWS::EC2::NatGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkAcl": { "Tags": "The tags for the network ACL.", "VpcId": "The ID of the VPC for the network ACL." }, + "AWS::EC2::NetworkAcl Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkAclEntry": { "CidrBlock": "The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). Requirement is conditional: You must specify the `CidrBlock` or `Ipv6CidrBlock` property.", "Egress": "Whether this rule applies to egress traffic from the subnet ( `true` ) or ingress traffic to the subnet ( `false` ). By default, AWS CloudFormation specifies `false` .", @@ -9098,6 +10571,10 @@ "ResourceTypes": "The resource types.", "Resources": "The resources." }, + "AWS::EC2::NetworkInsightsAccessScope Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInsightsAccessScope ThroughResourcesStatementRequest": { "ResourceStatement": "The resource statement." }, @@ -9105,6 +10582,10 @@ "NetworkInsightsAccessScopeId": "The ID of the Network Access Scope.", "Tags": "The tags." }, + "AWS::EC2::NetworkInsightsAccessScopeAnalysis Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInsightsAnalysis": { "AdditionalAccounts": "The member accounts that contain resources that the path can traverse.", "FilterInArns": "The Amazon Resource Names (ARN) of the resources that the path must traverse.", 
@@ -9247,6 +10728,10 @@ "From": "The first port in the range.", "To": "The last port in the range." }, + "AWS::EC2::NetworkInsightsAnalysis Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInsightsAnalysis TransitGatewayRouteTableRoute": { "AttachmentId": "The ID of the route attachment.", "DestinationCidr": "The CIDR block used for destination matches.", 
@@ -9277,15 +10762,23 @@ "SourceAddress": "The source IPv4 address.", "SourcePortRange": "The source port range." }, + "AWS::EC2::NetworkInsightsPath Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInterface": { "Description": "A description for the network interface.", "GroupSet": "The security group IDs associated with this network interface.", "InterfaceType": "The type of network interface. The default is `interface` . The supported values are `efa` and `trunk` .", - "Ipv6AddressCount": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.", - "Ipv6Addresses": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.", + "Ipv4PrefixCount": "The number of IPv4 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "Ipv4Prefixes": "The IPv4 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "Ipv6AddressCount": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. 
To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.\n\nWhen creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", + "Ipv6Addresses": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.\n\nWhen creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", + "Ipv6PrefixCount": "The number of IPv6 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "Ipv6Prefixes": "The IPv6 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", "PrivateIpAddress": "Assigns a single private IP address to the network interface, which is used as the primary private IP address. If you want to specify multiple private IP address, use the `PrivateIpAddresses` property.", - "PrivateIpAddresses": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. 
If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.", - "SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nYou can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", + "PrivateIpAddresses": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.\n\nWhen creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", + "SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. 
You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nWhen creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "SourceDestCheck": "Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is `true` , source/destination checks are enabled; otherwise, they are disabled. The default value is `true` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.", "SubnetId": "The ID of the subnet to associate with the network interface.", "Tags": "An arbitrary set of tags (key-value pairs) for this network interface." 
@@ -9293,10 +10786,20 @@ "AWS::EC2::NetworkInterface InstanceIpv6Address": { "Ipv6Address": "An IPv6 address to associate with the network interface." }, + "AWS::EC2::NetworkInterface Ipv4PrefixSpecification": { + "Ipv4Prefix": "The IPv4 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* ." + }, + "AWS::EC2::NetworkInterface Ipv6PrefixSpecification": { + "Ipv6Prefix": "The IPv6 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* ." + }, "AWS::EC2::NetworkInterface PrivateIpAddressSpecification": { "Primary": "Sets the private IP address as the primary private address. You can set only one primary private IP address. If you don't specify a primary private IP address, Amazon EC2 automatically assigns a primary private IP address.", "PrivateIpAddress": "The private IP address of the network interface." }, + "AWS::EC2::NetworkInterface Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInterfaceAttachment": { "DeleteOnTermination": "Whether to delete the network interface when the instance terminates. By default, this value is set to `true` .", "DeviceIndex": "The network interface's position in the attachment order. For example, the first attached network interface has a `DeviceIndex` of 0.", @@ -9320,6 +10823,10 @@ "Strategy": "The placement strategy.", "Tags": "The tags to apply to the new placement group." }, + "AWS::EC2::PlacementGroup Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::PrefixList": { "AddressFamily": "The IP address type.\n\nValid Values: `IPv4` | `IPv6`", "Entries": "One or more entries for the prefix list.", 
@@ -9331,10 +10838,16 @@ "Cidr": "The CIDR block.", "Description": "A description for the entry.\n\nConstraints: Up to 255 characters in length." }, + "AWS::EC2::PrefixList Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::Route": { "CarrierGatewayId": "The ID of the carrier gateway.\n\nYou can only use this option when the VPC contains a subnet which is associated with a Wavelength Zone.", + "CoreNetworkArn": "The Amazon Resource Name (ARN) of the core network.", "DestinationCidrBlock": "The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify `100.68.0.18/18` , we modify it to `100.68.0.0/18` .", "DestinationIpv6CidrBlock": "The IPv6 CIDR block used for the destination match. Routing decisions are based on the most specific match.", + "DestinationPrefixListId": "The ID of a prefix list used for the destination match.", "EgressOnlyInternetGatewayId": "[IPv6 traffic only] The ID of an egress-only internet gateway.", "GatewayId": "The ID of an internet gateway or virtual private gateway attached to your VPC.", "InstanceId": "The ID of a NAT instance in your VPC. The operation fails if you specify an instance ID unless exactly one network interface is attached.", @@ -9350,6 +10863,10 @@ "Tags": "Any tags assigned to the route table.", "VpcId": "The ID of the VPC." }, + "AWS::EC2::RouteTable Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::SecurityGroup": { "GroupDescription": "A description for the security group.\n\nConstraints: Up to 255 characters in length\n\nValid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*", "GroupName": "The name of the security group.\n\nConstraints: Up to 255 characters in length. Cannot start with `sg-` .\n\nValid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*", 
@@ -9380,6 +10897,10 @@ "SourceSecurityGroupOwnerId": "[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can't specify this property with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access.\n\nIf you specify `SourceSecurityGroupName` or `SourceSecurityGroupId` and that security group is owned by a different account than the account creating the stack, you must specify the `SourceSecurityGroupOwnerId` ; otherwise, this property is optional.", "ToPort": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes." }, + "AWS::EC2::SecurityGroup Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::SecurityGroupEgress": { "CidrIp": "The IPv4 address range, in CIDR format.\n\nYou must specify a destination security group ( `DestinationPrefixListId` or `DestinationSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).\n\nFor examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .", "CidrIpv6": "The IPv6 address range, in CIDR format.\n\nYou must specify a destination security group ( `DestinationPrefixListId` or `DestinationSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).\n\nFor examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .", 
@@ -9405,6 +10926,9 @@ "SourceSecurityGroupOwnerId": "[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can't specify this property with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access.\n\nIf you specify `SourceSecurityGroupName` or `SourceSecurityGroupId` and that security group is owned by a different account than the account creating the stack, you must specify `SourceSecurityGroupOwnerId` ; otherwise, this property is optional.", "ToPort": "The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of `-1` indicates all ICMP/ICMPv6 codes for the specified ICMP type. If you specify all ICMP/ICMPv6 types, you must specify all codes.\n\nUse this for ICMP and any protocol that uses ports." }, + "AWS::EC2::SnapshotBlockPublicAccess": { + "State": "The mode in which to enable block public access for snapshots for the Region. Specify one of the following values:\n\n- `block-all-sharing` - Prevents all public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. Additionally, snapshots that are already publicly shared are treated as private and they are no longer publicly available.\n\n> If you enable block public access for snapshots in `block-all-sharing` mode, it does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from be publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.\n- `block-new-sharing` - Prevents only new public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. However, snapshots that are already publicly shared, remain publicly available." 
+ }, "AWS::EC2::SpotFleet": { "SpotFleetRequestConfigData": "Describes the configuration of a Spot Fleet request." }, 
@@ -9435,10 +10959,10 @@ "AWS::EC2::SpotFleet EbsBlockDevice": { "DeleteOnTermination": "Indicates whether the EBS volume is deleted on instance termination. For more information, see [Preserving Amazon EBS volumes on instance termination](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#preserving-volumes-on-termination) in the *Amazon EC2 User Guide* .", "Encrypted": "Indicates whether the encryption state of an EBS volume is changed while being restored from a backing snapshot. The effect of setting the encryption state to `true` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see [Amazon EBS Encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-parameters) in the *Amazon EC2 User Guide* .\n\nIn no case can you remove encryption from an encrypted volume.\n\nEncrypted volumes can only be attached to instances that support Amazon EBS encryption. For more information, see [Supported Instance Types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances) .\n\nThis parameter is not returned by [DescribeImageAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImageAttribute.html) .", - "Iops": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. 
For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000-16,000 IOPS\n- `io1` : 100-64,000 IOPS\n- `io2` : 100-64,000 IOPS\n\nFor `io1` and `io2` volumes, we guarantee 64,000 IOPS only for [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . Other instance families guarantee performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", + "Iops": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS.", "SnapshotId": "The ID of the snapshot.", - "VolumeSize": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. 
You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` :1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", - "VolumeType": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the *Amazon EC2 User Guide* . If the volume type is `io1` or `io2` , you must specify the IOPS that the volume supports." + "VolumeSize": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", + "VolumeType": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the *Amazon EC2 User Guide* ." }, "AWS::EC2::SpotFleet FleetLaunchTemplateSpecification": { "LaunchTemplateId": "The ID of the launch template.\n\nYou must specify the `LaunchTemplateId` or the `LaunchTemplateName` , but not both.", 
@@ -9455,7 +10979,7 @@ "Ipv6Address": "The IPv6 address." }, "AWS::EC2::SpotFleet InstanceNetworkInterfaceSpecification": { - "AssociatePublicIpAddress": "Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP address can only be assigned to a network interface for eth0, and can only be assigned to a new network interface, not an existing one. You cannot specify more than one network interface in the request. If launching into a default subnet, the default value is `true` .", + "AssociatePublicIpAddress": "Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP address can only be assigned to a network interface for eth0, and can only be assigned to a new network interface, not an existing one. You cannot specify more than one network interface in the request. If launching into a default subnet, the default value is `true` .\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [Amazon VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "DeleteOnTermination": "Indicates whether the network interface is deleted when the instance is terminated.", "Description": "The description of the network interface. Applies only if creating a network interface when launching an instance.", "DeviceIndex": "The position of the network interface in the attachment order. A primary network interface has a device index of 0.\n\nIf you specify a network interface when launching an instance, you must specify the device index.", 
@@ -9469,8 +10993,8 @@ }, "AWS::EC2::SpotFleet InstanceRequirementsRequest": { "AcceleratorCount": "The minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips) on an instance.\n\nTo exclude accelerator-enabled instance types, set `Max` to `0` .\n\nDefault: No minimum or maximum limits", - "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", - "AcceleratorNames": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n\nDefault: Any accelerator", + "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", + "AcceleratorNames": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify 
`a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "AcceleratorTotalMemoryMiB": "The minimum and maximum amount of total accelerator memory, in MiB.\n\nDefault: No minimum or maximum limits", "AcceleratorTypes": "The accelerator types that must be on the instance type.\n\n- To include instance types with GPU hardware, specify `gpu` .\n- To include instance types with FPGA hardware, specify `fpga` .\n- To include instance types with inference hardware, specify `inference` .\n\nDefault: Any accelerator type", "AllowedInstanceTypes": "The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes.\n\nYou can use strings with one or more wild cards, represented by an asterisk ( `*` ), to allow an instance type, size, or generation. The following are examples: `m5.8xlarge` , `c5*.*` , `m5a.*` , `r*` , `*3*` .\n\nFor example, if you specify `c5*` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types.\n\n> If you specify `AllowedInstanceTypes` , you can't specify `ExcludedInstanceTypes` . \n\nDefault: All instance types", 
@@ -9567,15 +11091,15 @@ "LaunchTemplateConfigs": "The launch template and overrides. If you specify `LaunchTemplateConfigs` , you can't specify `LaunchSpecifications` .", "LoadBalancersConfig": "One or more Classic Load Balancers and target groups to attach to the Spot Fleet request. Spot Fleet registers the running Spot Instances with the specified Classic Load Balancers and target groups.\n\nWith Network Load Balancers, Spot Fleet cannot register instances that have the following instance types: C1, CC1, CC2, CG1, CG2, CR1, CS1, G1, G2, HI1, HS1, M1, M2, M3, and T1.", "OnDemandAllocationStrategy": "The order of the launch template overrides to use in fulfilling On-Demand capacity. If you specify `lowestPrice` , Spot Fleet uses price to determine the order, launching the lowest price first. If you specify `prioritized` , Spot Fleet uses the priority that you assign to each Spot Fleet launch template override, launching the highest priority first. If you do not specify a value, Spot Fleet defaults to `lowestPrice` .", - "OnDemandMaxTotalPrice": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "OnDemandMaxTotalPrice": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. 
If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `onDemandMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `onDemandMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "OnDemandTargetCapacity": "The number of On-Demand units to request. You can choose to set the target capacity in terms of instances or a performance characteristic that is important to your application workload, such as vCPUs, memory, or I/O. If the request type is `maintain` , you can specify a target capacity of 0 and add capacity later.", "ReplaceUnhealthyInstances": "Indicates whether Spot Fleet should replace unhealthy instances.", "SpotMaintenanceStrategies": "The strategies for managing your Spot Instances that are at an elevated risk of being interrupted.", - "SpotMaxTotalPrice": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotdMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. 
When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "SpotMaxTotalPrice": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `spotMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `spotMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "SpotPrice": "The maximum price per unit hour that you are willing to pay for a Spot Instance. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your instances will be interrupted more frequently than if you do not specify this parameter.", - "TagSpecifications": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. 
To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tagging Your Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", + "TagSpecifications": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", "TargetCapacity": "The number of units to request for the Spot Fleet. You can choose to set the target capacity in terms of instances or a performance characteristic that is important to your application workload, such as vCPUs, memory, or I/O. If the request type is `maintain` , you can specify a target capacity of 0 and add capacity later.", - "TargetCapacityUnitType": "The unit for the target capacity. `TargetCapacityUnitType` can only be specified when `InstanceRequirements` is specified.\n\nDefault: `units` (translates to number of instances)", + "TargetCapacityUnitType": "The unit for the target capacity. 
You can specify this parameter only when using attribute-based instance type selection.\n\nDefault: `units` (the number of instances)", "TerminateInstancesWithExpiration": "Indicates whether running Spot Instances are terminated when the Spot Fleet request expires.", "Type": "The type of request. Indicates whether the Spot Fleet only requests the target capacity or also attempts to maintain it. When this value is `request` , the Spot Fleet only places the required requests. It does not attempt to replenish Spot Instances if capacity is diminished, nor does it submit requests in alternative Spot pools if capacity is not available. When this value is `maintain` , the Spot Fleet maintains the target capacity. The Spot Fleet places the required requests to meet capacity and automatically replenishes any interrupted instances. Default: `maintain` . `instant` is listed but is not used by Spot Fleet.", "ValidFrom": "The start date and time of the request, in UTC format ( *YYYY* - *MM* - *DD* T *HH* : *MM* : *SS* Z). By default, Amazon EC2 starts fulfilling the request immediately.", @@ -9593,6 +11117,10 @@ "GroupName": "The name of the placement group.", "Tenancy": "The tenancy of the instance (if the instance is running in a VPC). An instance with a tenancy of `dedicated` runs on single-tenant hardware. The `host` tenancy is not supported for Spot Instances." }, + "AWS::EC2::SpotFleet Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::SpotFleet TargetGroup": { "Arn": "The Amazon Resource Name (ARN) of the target group." }, 
@@ -9613,9 +11141,11 @@ "AvailabilityZoneId": "The AZ ID of the subnet.", "CidrBlock": "The IPv4 CIDR block assigned to the subnet.\n\nIf you update this property, we create a new subnet, and then delete the existing one.", "EnableDns64": "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. For more information, see [DNS64 and NAT64](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64) in the *Amazon Virtual Private Cloud User Guide* .", + "Ipv4NetmaskLength": "An IPv4 netmask length for the subnet.", "Ipv6CidrBlock": "The IPv6 CIDR block.\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify `Ipv6CidrBlock` .", "Ipv6Native": "Indicates whether this is an IPv6 only subnet. For more information, see [Subnet basics](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#subnet-basics) in the *Amazon Virtual Private Cloud User Guide* .", - "MapPublicIpOnLaunch": "Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is `false` .", + "Ipv6NetmaskLength": "An IPv6 netmask length for the subnet.", + "MapPublicIpOnLaunch": "Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is `false` .\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "OutpostArn": "The Amazon Resource Name (ARN) of the Outpost.", "PrivateDnsNameOptionsOnLaunch": "The hostname type for EC2 instances launched into this subnet and how DNS A and AAAA record queries to the instances should be handled. 
For more information, see [Amazon EC2 instance hostname types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html) in the *Amazon Elastic Compute Cloud User Guide* .\n\nAvailable options:\n\n- EnableResourceNameDnsAAAARecord (true | false)\n- EnableResourceNameDnsARecord (true | false)\n- HostnameType (ip-name | resource-name)", "Tags": "Any tags assigned to the subnet.", @@ -9626,8 +11156,12 @@ "EnableResourceNameDnsARecord": "Indicates whether to respond to DNS queries for instance hostnames with DNS A records.", "HostnameType": "The type of hostname for EC2 instances. For IPv4 only subnets, an instance DNS name must be based on the instance IPv4 address. For IPv6 only subnets, an instance DNS name must be based on the instance ID. For dual-stack subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID." }, + "AWS::EC2::Subnet Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::SubnetCidrBlock": { - "Ipv6CidrBlock": "The IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 prefix length.\n\nThis parameter is required for an IPv6 only subnet.", + "Ipv6CidrBlock": "The IPv6 network range for the subnet, in CIDR notation. This parameter is required for an IPv6 only subnet.", "SubnetId": "The ID of the subnet." }, "AWS::EC2::SubnetNetworkAclAssociation": { @@ -9643,6 +11177,10 @@ "NetworkServices": "The network service traffic that is associated with the Traffic Mirror filter.\n\nValid values are `amazon-dns` .", "Tags": "The tags to assign to a Traffic Mirror filter." }, + "AWS::EC2::TrafficMirrorFilter Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TrafficMirrorFilterRule": { "Description": "The description of the Traffic Mirror rule.", "DestinationCidrBlock": "The destination CIDR block to assign to the Traffic Mirror rule.", 
@@ -9662,13 +11200,17 @@ "AWS::EC2::TrafficMirrorSession": { "Description": "The description of the Traffic Mirror session.", "NetworkInterfaceId": "The ID of the source network interface.", - "PacketLength": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.", + "PacketLength": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.\n\nFor sessions with Network Load Balancer (NLB) Traffic Mirror targets the default `PacketLength` will be set to 8500. Valid values are 1-8500. Setting a `PacketLength` greater than 8500 will result in an error response.", "SessionNumber": "The session number determines the order in which sessions are evaluated when an interface is used by multiple sessions. The first session with a matching filter is the one that mirrors the packets.\n\nValid values are 1-32766.", "Tags": "The tags to assign to a Traffic Mirror session.", "TrafficMirrorFilterId": "The ID of the Traffic Mirror filter.", "TrafficMirrorTargetId": "The ID of the Traffic Mirror target.", "VirtualNetworkId": "The VXLAN ID for the Traffic Mirror session. 
For more information about the VXLAN protocol, see [RFC 7348](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc7348) . If you do not specify a `VirtualNetworkId` , an account-wide unique id is chosen at random." }, + "AWS::EC2::TrafficMirrorSession Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TrafficMirrorTarget": { "Description": "The description of the Traffic Mirror target.", "GatewayLoadBalancerEndpointId": "The ID of the Gateway Load Balancer endpoint.", @@ -9676,6 +11218,10 @@ "NetworkLoadBalancerArn": "The Amazon Resource Name (ARN) of the Network Load Balancer that is associated with the target.", "Tags": "The tags to assign to the Traffic Mirror target." }, + "AWS::EC2::TrafficMirrorTarget Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGateway": { "AmazonSideAsn": "A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs. The default is 64512.", "AssociationDefaultRouteTableId": "The ID of the default association route table.", @@ -9690,6 +11236,10 @@ "TransitGatewayCidrBlocks": "The transit gateway CIDR blocks.", "VpnEcmpSupport": "Enable or disable Equal Cost Multipath Protocol support. Enabled by default." }, + "AWS::EC2::TransitGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayAttachment": { "Options": "The VPC attachment options.", "SubnetIds": "The IDs of one or more subnets. You can specify only one subnet per Availability Zone. You must specify at least one subnet, but we recommend that you specify two subnets for better availability. The transit gateway uses one IP address from each specified subnet.", 
@@ -9700,13 +11250,22 @@ "AWS::EC2::TransitGatewayAttachment Options": { "ApplianceModeSupport": "Enable or disable appliance mode support. The default is `disable` .", "DnsSupport": "Enable or disable DNS support. The default is `disable` .", - "Ipv6Support": "Enable or disable IPv6 support. The default is `disable` ." + "Ipv6Support": "Enable or disable IPv6 support. The default is `disable` .", + "SecurityGroupReferencingSupport": "Enables you to reference a security group across VPCs attached to a transit gateway (TGW). Use this option to simplify security group management and control of instance-to-instance traffic across VPCs that are connected by transit gateway. You can also use this option to migrate from VPC peering (which was the only option that supported security group referencing) to transit gateways (which now also support security group referencing). This option is disabled by default and there are no additional costs to use this feature.\n\nFor important information about this feature, see [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw) in the *AWS Transit Gateway Guide* ." + }, + "AWS::EC2::TransitGatewayAttachment Tag": { + "Key": "The tag key.", + "Value": "The tag value." }, "AWS::EC2::TransitGatewayConnect": { "Options": "The Connect attachment options.\n\n- protocol (gre)", "Tags": "The tags for the attachment.", "TransportTransitGatewayAttachmentId": "The ID of the attachment from which the Connect attachment was created." }, + "AWS::EC2::TransitGatewayConnect Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayConnect TransitGatewayConnectOptions": { "Protocol": "The tunnel protocol." }, 
@@ -9720,6 +11279,10 @@ "Igmpv2Support": "Specify whether to enable Internet Group Management Protocol (IGMP) version 2 for the transit gateway multicast domain.", "StaticSourcesSupport": "Specify whether to enable support for statically configuring multicast group sources for a domain." }, + "AWS::EC2::TransitGatewayMulticastDomain Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayMulticastDomainAssociation": { "SubnetId": "The IDs of the subnets to associate with the transit gateway multicast domain.", "TransitGatewayAttachmentId": "The ID of the transit gateway attachment.", @@ -9746,6 +11309,10 @@ "Code": "The status code.", "Message": "The status message, if applicable." }, + "AWS::EC2::TransitGatewayPeeringAttachment Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayRoute": { "Blackhole": "Indicates whether to drop traffic that matches this route.", "DestinationCidrBlock": "The CIDR block used for destination matches.", @@ -9756,6 +11323,10 @@ "Tags": "Any tags assigned to the route table.", "TransitGatewayId": "The ID of the transit gateway." }, + "AWS::EC2::TransitGatewayRouteTable Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayRouteTableAssociation": { "TransitGatewayAttachmentId": "The ID of the attachment.", "TransitGatewayRouteTableId": "The ID of the route table for the transit gateway." 
@@ -9778,6 +11349,10 @@ "DnsSupport": "Enable or disable DNS support. The default is `disable` .", "Ipv6Support": "Enable or disable IPv6 support. The default is `disable` ." }, + "AWS::EC2::TransitGatewayVpcAttachment Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPC": { "CidrBlock": "The IPv4 network range for the VPC, in CIDR notation. For example, `10.0.0.0/16` . We modify the specified CIDR block to its canonical form; for example, if you specify `100.68.0.18/18` , we modify it to `100.68.0.0/18` .\n\nYou must specify either `CidrBlock` or `Ipv4IpamPoolId` .", "EnableDnsHostnames": "Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. For more information, see [DNS attributes in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support) .\n\nYou can only enable DNS hostnames if you've enabled DNS support.", 
@@ -9787,8 +11362,12 @@ "Ipv4NetmaskLength": "The netmask length of the IPv4 CIDR you want to allocate to this VPC from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .", "Tags": "The tags for the VPC." }, + "AWS::EC2::VPC Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPCCidrBlock": { - "AmazonProvidedIpv6CidrBlock": "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IPv6 addresses, or the size of the CIDR block.", + "AmazonProvidedIpv6CidrBlock": "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IPv6 addresses or the size of the CIDR block.", "CidrBlock": "An IPv4 CIDR block to associate with the VPC.", "Ipv4IpamPoolId": "Associate a CIDR allocated from an IPv4 IPAM pool to a VPC. For more information about Amazon VPC IP Address Manager (IPAM), see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .", "Ipv4NetmaskLength": "The netmask length of the IPv4 CIDR you would like to associate from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .", 
@@ -9842,6 +11421,10 @@ "Tags": "Any tags assigned to the resource.", "VpcId": "The ID of the VPC." }, + "AWS::EC2::VPCPeeringConnection Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPNConnection": { "CustomerGatewayId": "The ID of the customer gateway at your end of the VPN connection.", "StaticRoutesOnly": "Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP.\n\nIf you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify `true` .", @@ -9851,6 +11434,10 @@ "VpnGatewayId": "The ID of the virtual private gateway at the AWS side of the VPN connection.\n\nYou must specify either `TransitGatewayId` or `VpnGatewayId` , but not both.", "VpnTunnelOptionsSpecifications": "The tunnel options for the VPN connection." }, + "AWS::EC2::VPNConnection Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPNConnection VpnTunnelOptionsSpecification": { "PreSharedKey": "The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway.\n\nConstraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).", "TunnelInsideCidr": "The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.\n\nConstraints: A size /30 CIDR block from the `169.254.0.0/16` range. The following CIDR blocks are reserved and cannot be used:\n\n- `169.254.0.0/30`\n- `169.254.1.0/30`\n- `169.254.2.0/30`\n- `169.254.3.0/30`\n- `169.254.4.0/30`\n- `169.254.5.0/30`\n- `169.254.169.252/30`" 
@@ -9864,6 +11451,10 @@ "Tags": "Any tags assigned to the virtual private gateway.", "Type": "The type of VPN connection the virtual private gateway supports." }, + "AWS::EC2::VPNGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPNGatewayRoutePropagation": { "RouteTableIds": "The ID of the route table. The routing table must be associated with the same VPC that the virtual private gateway is attached to.", "VpnGatewayId": "The ID of the virtual private gateway that is attached to a VPC. The virtual private gateway must be attached to the same VPC that the routing tables are associated with." @@ -9880,6 +11471,7 @@ "PolicyDocument": "The Verified Access policy document.", "PolicyEnabled": "The status of the Verified Access policy.", "SecurityGroupIds": "The IDs of the security groups for the endpoint.", + "SseSpecification": "The options for additional server side encryption.", "Tags": "The tags.", "VerifiedAccessGroupId": "The ID of the AWS Verified Access group." }, 
@@ -9894,16 +11486,34 @@ "Port": "The IP port number.", "Protocol": "The IP protocol." }, + "AWS::EC2::VerifiedAccessEndpoint SseSpecification": { + "CustomerManagedKeyEnabled": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "KmsKeyArn": "The ARN of the KMS key." + }, + "AWS::EC2::VerifiedAccessEndpoint Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VerifiedAccessGroup": { "Description": "A description for the AWS Verified Access group.", "PolicyDocument": "The Verified Access policy document.", "PolicyEnabled": "The status of the Verified Access policy.", + "SseSpecification": "The options for additional server side encryption.", "Tags": "The tags.", "VerifiedAccessInstanceId": "The ID of the AWS Verified Access instance." }, + "AWS::EC2::VerifiedAccessGroup SseSpecification": { + "CustomerManagedKeyEnabled": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "KmsKeyArn": "The ARN of the KMS key." + }, + "AWS::EC2::VerifiedAccessGroup Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VerifiedAccessInstance": { "Description": "A description for the AWS Verified Access instance.", - "LoggingConfigurations": "The current logging configuration for the Verified Access instances.", + "FipsEnabled": "Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.", + "LoggingConfigurations": "The logging configuration for the Verified Access instances.", "Tags": "The tags.", "VerifiedAccessTrustProviderIds": "The IDs of the AWS Verified Access trust providers.", "VerifiedAccessTrustProviders": "The IDs of the AWS Verified Access trust providers." 
@@ -9922,11 +11532,15 @@ "Enabled": "Indicates whether logging is enabled.", "Prefix": "The bucket prefix." }, + "AWS::EC2::VerifiedAccessInstance Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VerifiedAccessInstance VerifiedAccessLogs": { "CloudWatchLogs": "CloudWatch Logs logging destination.", - "IncludeTrustContext": "Include trust data sent by trust providers into the logs.", + "IncludeTrustContext": "Indicates whether to include trust data sent by trust providers in the logs.", "KinesisDataFirehose": "Kinesis logging destination.", - "LogVersion": "The logging version to use.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", + "LogVersion": "The logging version.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", "S3": "Amazon S3 logging options." }, "AWS::EC2::VerifiedAccessInstance VerifiedAccessTrustProvider": { @@ -9942,11 +11556,13 @@ "DeviceTrustProviderType": "The type of device-based trust provider.", "OidcOptions": "The options for an OpenID Connect-compatible user-identity trust provider.", "PolicyReferenceName": "The identifier to be used when working with policy rules.", + "SseSpecification": "The options for additional server side encryption.", "Tags": "The tags.", "TrustProviderType": "The type of Verified Access trust provider.", "UserTrustProviderType": "The type of user-based trust provider." }, "AWS::EC2::VerifiedAccessTrustProvider DeviceOptions": { + "PublicSigningKeyUrl": "The URL AWS Verified Access will use to verify the authenticity of the device tokens.", "TenantId": "The ID of the tenant application with the device-identity provider." }, "AWS::EC2::VerifiedAccessTrustProvider OidcOptions": { 
@@ -9958,27 +11574,39 @@ "TokenEndpoint": "The OIDC token endpoint.", "UserInfoEndpoint": "The OIDC user info endpoint." }, + "AWS::EC2::VerifiedAccessTrustProvider SseSpecification": { + "CustomerManagedKeyEnabled": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "KmsKeyArn": "The ARN of the KMS key." + }, + "AWS::EC2::VerifiedAccessTrustProvider Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::Volume": { "AutoEnableIO": "Indicates whether the volume is auto-enabled for I/O operations. By default, Amazon EBS disables I/O to the volume from attached EC2 instances when it determines that a volume's data is potentially inconsistent. If the consistency of the volume is not a concern, and you prefer that the volume be made available immediately if it's impaired, you can configure the volume to automatically enable I/O.", "AvailabilityZone": "The ID of the Availability Zone in which to create the volume. For example, `us-east-1a` .", "Encrypted": "Indicates whether the volume should be encrypted. The effect of setting the encryption state to `true` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see [Encryption by default](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default) in the *Amazon Elastic Compute Cloud User Guide* .\n\nEncrypted Amazon EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see [Supported instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances) .", - "Iops": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. 
For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000-16,000 IOPS\n- `io1` : 100-64,000 IOPS\n- `io2` : 100-64,000 IOPS\n\n`io1` and `io2` volumes support up to 64,000 IOPS only on [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . Other instance families support performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", + "Iops": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", "KmsKeyId": "The identifier of the AWS KMS key to use for Amazon EBS encryption. 
If `KmsKeyId` is specified, the encrypted state must be `true` .\n\nIf you omit this property and your account is enabled for encryption by default, or *Encrypted* is set to `true` , then the volume is encrypted using the default key specified for your account. If your account does not have a default key, then the volume is encrypted using the AWS managed key .\n\nAlternatively, if you want to specify a different key, you can specify one of the following:\n\n- Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab.\n- Key alias. Specify the alias for the key, prefixed with `alias/` . For example, for a key with the alias `my_cmk` , use `alias/my_cmk` . Or to specify the AWS managed key , use `alias/aws/ebs` .\n- Key ARN. For example, arn:aws:kms:us-east-1:012345678910:key/1234abcd-12ab-34cd-56ef-1234567890ab.\n- Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.", "MultiAttachEnabled": "Indicates whether Amazon EBS Multi-Attach is enabled.\n\nAWS CloudFormation does not currently support updating a single-attach volume to be multi-attach enabled, updating a multi-attach enabled volume to be single-attach, or updating the size or number of I/O operations per second (IOPS) of a multi-attach enabled volume.", "OutpostArn": "The Amazon Resource Name (ARN) of the Outpost.", - "Size": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", + "Size": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. 
You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", "SnapshotId": "The snapshot from which to create the volume. You must specify either a snapshot ID or a volume size.", "Tags": "The tags to apply to the volume during creation.", "Throughput": "The throughput to provision for a volume, with a maximum of 1,000 MiB/s.\n\nThis parameter is valid only for `gp3` volumes. The default value is 125.\n\nValid Range: Minimum value of 125. Maximum value of 1000.", "VolumeType": "The volume type. This parameter can be one of the following values:\n\n- General Purpose SSD: `gp2` | `gp3`\n- Provisioned IOPS SSD: `io1` | `io2`\n- Throughput Optimized HDD: `st1`\n- Cold HDD: `sc1`\n- Magnetic: `standard`\n\nFor more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the *Amazon Elastic Compute Cloud User Guide* .\n\nDefault: `gp2`" }, + "AWS::EC2::Volume Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VolumeAttachment": { "Device": "The device name (for example, `/dev/sdh` or `xvdh` ).", "InstanceId": "The ID of the instance to which the volume attaches. This value can be a reference to an [`AWS::EC2::Instance`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource, or it can be the physical ID of an existing EC2 instance.", "VolumeId": "The ID of the Amazon EBS volume. The volume and instance must be within the same Availability Zone. This value can be a reference to an [`AWS::EC2::Volume`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html) resource, or it can be the volume ID of an existing Amazon EBS volume." 
}, "AWS::ECR::PublicRepository": { - "RepositoryCatalogData": "", + "RepositoryCatalogData": "The details about the repository that are publicly visible in the Amazon ECR Public Gallery. For more information, see [Amazon ECR Public repository catalog data](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-catalog-data.html) in the *Amazon ECR Public User Guide* .", "RepositoryName": "The name to use for the public repository. The repository name may be specified on its own (such as `nginx-web-app` ) or it can be prepended with a namespace to group the repository into a category (such as `project-a/nginx-web-app` ). If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the repository name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", "RepositoryPolicyText": "The JSON repository policy text to apply to the public repository. For more information, see [Amazon ECR Public repository policies](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html) in the *Amazon ECR Public User Guide* .", "Tags": "An array of key-value pairs to apply to this resource." 
@@ -9990,8 +11618,14 @@ "RepositoryDescription": "The short description of the repository.", "UsageText": "The longform usage details of the contents of the repository. The usage text provides context for users of the repository." }, + "AWS::ECR::PublicRepository Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "A `value` acts as a descriptor within a tag category (key)." + }, "AWS::ECR::PullThroughCacheRule": { + "CredentialArn": "The ARN of the Secrets Manager secret associated with the pull through cache rule.", "EcrRepositoryPrefix": "The Amazon ECR repository prefix associated with the pull through cache rule.", + "UpstreamRegistry": "The name of the upstream source registry associated with the pull through cache rule.", "UpstreamRegistryUrl": "The upstream registry URL associated with the pull through cache rule." }, "AWS::ECR::RegistryPolicy": { 
@@ -10016,6 +11650,7 @@ "FilterType": "The repository filter type. The only supported value is `PREFIX_MATCH` , which is a repository name prefix specified with the `filter` parameter." }, "AWS::ECR::Repository": { + "EmptyOnDelete": "If true, deleting the repository force deletes the contents of the repository. If false, the repository must be empty before attempting to delete it.", "EncryptionConfiguration": "The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.", "ImageScanningConfiguration": "The image scanning configuration for the repository. This determines whether images are scanned for known vulnerabilities after being pushed to the repository.", "ImageTagMutability": "The tag mutability setting for the repository. If this parameter is omitted, the default setting of `MUTABLE` will be used which will allow image tags to be overwritten. If `IMMUTABLE` is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.", 
@@ -10035,23 +11670,32 @@ "LifecyclePolicyText": "The JSON repository policy text to apply to the repository.", "RegistryId": "The AWS account ID associated with the registry that contains the repository. If you do not specify a registry, the default registry is assumed." }, + "AWS::ECR::Repository Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "A `value` acts as a descriptor within a tag category (key)." + }, "AWS::ECS::CapacityProvider": { "AutoScalingGroupProvider": "The Auto Scaling group settings for the capacity provider.", "Name": "The name of the capacity provider. If a name is specified, it cannot start with `aws` , `ecs` , or `fargate` . If no name is specified, a default name in the `CFNStackName-CFNResourceName-RandomString` format is used.", "Tags": "The metadata that you apply to the capacity provider to help you categorize and organize it. Each tag consists of a key and an optional value. You define both.\n\nThe following basic restrictions apply to tags:\n\n- Maximum number of tags per resource - 50\n- For each resource, each tag key must be unique, and each tag key can have only one value.\n- Maximum key length - 128 Unicode characters in UTF-8\n- Maximum value length - 256 Unicode characters in UTF-8\n- If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.\n- Tag keys and values are case-sensitive.\n- Do not use `aws:` , `AWS:` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit." 
}, "AWS::ECS::CapacityProvider AutoScalingGroupProvider": { - "AutoScalingGroupArn": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group.", + "AutoScalingGroupArn": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group, or the Auto Scaling group name.", + "ManagedDraining": "", "ManagedScaling": "The managed scaling settings for the Auto Scaling group capacity provider.", "ManagedTerminationProtection": "The managed termination protection setting to use for the Auto Scaling group capacity provider. This determines whether the Auto Scaling group has managed termination protection. The default is off.\n\n> When using managed termination protection, managed scaling must also be used otherwise managed termination protection doesn't work. \n\nWhen managed termination protection is on, Amazon ECS prevents the Amazon EC2 instances in an Auto Scaling group that contain tasks from being terminated during a scale-in action. The Auto Scaling group and each instance in the Auto Scaling group must have instance protection from scale-in actions on as well. For more information, see [Instance Protection](https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html#instance-protection) in the *AWS Auto Scaling User Guide* .\n\nWhen managed termination protection is off, your Amazon EC2 instances aren't protected from termination when the Auto Scaling group scales in." }, "AWS::ECS::CapacityProvider ManagedScaling": { "InstanceWarmupPeriod": "The period of time, in seconds, after a newly launched Amazon EC2 instance can contribute to CloudWatch metrics for Auto Scaling group. If this parameter is omitted, the default value of `300` seconds is used.", - "MaximumScalingStepSize": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. 
If this parameter is omitted, the default value of `1` is used.", + "MaximumScalingStepSize": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `10000` is used.", "MinimumScalingStepSize": "The minimum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter If this parameter is omitted, the default value of `1` is used.\n\nWhen additional capacity is required, Amazon ECS will scale up the minimum scaling step size even if the actual demand is less than the minimum scaling step size.\n\nIf you use a capacity provider with an Auto Scaling group configured with more than one Amazon EC2 instance type or Availability Zone, Amazon ECS will scale up by the exact minimum scaling step size value and will ignore both the maximum scaling step size as well as the capacity demand.", "Status": "Determines whether to use managed scaling for the capacity provider.", "TargetCapacity": "The target capacity utilization as a percentage for the capacity provider. The specified value must be greater than `0` and less than or equal to `100` . For example, if you want the capacity provider to maintain 10% spare capacity, then that means the utilization is 90%, so use a `targetCapacity` of `90` . The default value of `100` percent results in the Amazon EC2 instances in your Auto Scaling group being completely used." }, + "AWS::ECS::CapacityProvider Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::ECS::Cluster": { "CapacityProviders": "The short name of one or more capacity providers to associate with the cluster. 
A capacity provider must be associated with a cluster before it can be included as part of the default capacity provider strategy of the cluster or used in a capacity provider strategy when calling the [CreateService](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_CreateService.html) or [RunTask](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RunTask.html) actions.\n\nIf specifying a capacity provider that uses an Auto Scaling group, the capacity provider must be created but not associated with another cluster. New Auto Scaling group capacity providers can be created with the [CreateCapacityProvider](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_CreateCapacityProvider.html) API operation.\n\nTo use a AWS Fargate capacity provider, specify either the `FARGATE` or `FARGATE_SPOT` capacity providers. The AWS Fargate capacity providers are available to all accounts and only need to be associated with a cluster to be used.\n\nThe [PutCapacityProvider](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutCapacityProvider.html) API operation is used to update the list of available capacity providers for a cluster after the cluster is created.", "ClusterName": "A user-generated string that you use to identify your cluster. If you don't specify a name, AWS CloudFormation generates a unique physical ID for the name.", 
@@ -10086,7 +11730,11 @@ "S3KeyPrefix": "An optional folder in the S3 bucket to place logs in." }, "AWS::ECS::Cluster ServiceConnectDefaults": { - "Namespace": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the service with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* ." + "Namespace": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. 
The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the cluster with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* ." + }, + "AWS::ECS::Cluster Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::ECS::ClusterCapacityProviderAssociations": { "CapacityProviders": "The capacity providers to associate with the cluster.", 
@@ -10158,8 +11806,8 @@ "AWS::ECS::Service LoadBalancer": { "ContainerName": "The name of the container (as it appears in a container definition) to associate with the load balancer.", "ContainerPort": "The port on the container to associate with the load balancer. This port must correspond to a `containerPort` in the task definition the tasks in the service are using. For tasks that use the EC2 launch type, the container instance they're launched on must allow ingress traffic on the `hostPort` of the port mapping.", - "LoadBalancerName": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", - "TargetGroupArn": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . 
Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type." + "LoadBalancerName": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nIf you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", + "TargetGroupArn": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type." 
}, "AWS::ECS::Service LogConfiguration": { "LogDriver": "The log driver to use for the container.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .\n\nFor more information about using the `awslogs` log driver, see [Using the awslogs log driver](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor more information about using the `awsfirelens` log driver, see [Custom log routing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If you have a custom driver that isn't listed, you can fork the Amazon ECS container agent project that's [available on GitHub](https://docs.aws.amazon.com/https://github.com/aws/amazon-ecs-agent) and customize it to work with that driver. We encourage you to submit pull requests for changes that you would like to have included. However, we don't currently provide support for running modified copies of this software.", 
@@ -10187,7 +11835,7 @@ }, "AWS::ECS::Service ServiceConnectConfiguration": { "Enabled": "Specifies whether to use Service Connect with this service.", - "LogConfiguration": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the valid values below). Additional log drivers may be available in future releases of the Amazon ECS container agent.\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. 
For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", + "LogConfiguration": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. 
Additional log drivers may be available in future releases of the Amazon ECS container agent.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", "Namespace": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace for use with Service Connect. The namespace must be in the same AWS Region as the Amazon ECS service and cluster. The type of namespace doesn't affect Service Connect. For more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", "Services": "The list of Service Connect service objects. 
These are names and aliases (also known as endpoints) that are used by other Amazon ECS services to connect to this service.\n\nThis field is not required for a \"client\" Amazon ECS service that's a member of a namespace only to connect to other services within the namespace. An example of this would be a frontend application that accepts incoming requests from either a load balancer that's attached to the service or by other means.\n\nAn object selects a port from the task definition, assigns a name for the AWS Cloud Map service, and a list of aliases (endpoints) and ports for client applications to refer to this service." }, 
@@ -10203,6 +11851,10 @@ "Port": "The port value used if your service discovery service specified an SRV record. This field might be used if both the `awsvpc` network mode and SRV records are used.", "RegistryArn": "The Amazon Resource Name (ARN) of the service registry. The currently supported service registry is AWS Cloud Map . For more information, see [CreateService](https://docs.aws.amazon.com/cloud-map/latest/api/API_CreateService.html) ." }, + "AWS::ECS::Service Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::ECS::TaskDefinition": { "ContainerDefinitions": "A list of container definitions in JSON format that describe the different containers that make up your task. For more information about container definition parameters and defaults, see [Amazon ECS Task Definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_defintions.html) in the *Amazon Elastic Container Service Developer Guide* .", "Cpu": "The number of `cpu` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. 
The value that you choose determines your range of valid values for the `memory` parameter.\n\nThe CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate.\n\n- 256 (.25 vCPU) - Available `memory` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB)\n- 512 (.5 vCPU) - Available `memory` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB)\n- 1024 (1 vCPU) - Available `memory` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB)\n- 2048 (2 vCPU) - Available `memory` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB)\n- 4096 (4 vCPU) - Available `memory` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB)\n- 8192 (8 vCPU) - Available `memory` values: 16 GB and 60 GB in 4 GB increments\n\nThis option requires Linux platform `1.4.0` or later.\n- 16384 (16vCPU) - Available `memory` values: 32GB and 120 GB in 8 GB increments\n\nThis option requires Linux platform `1.4.0` or later.", 
@@ -10213,7 +11865,7 @@ "IpcMode": "The IPC resource namespace to use for the containers in the task. The valid values are `host` , `task` , or `none` . If `host` is specified, then all containers within the tasks that specified the `host` IPC mode on the same container instance share the same IPC resources with the host Amazon EC2 instance. If `task` is specified, all containers within the specified task share the same IPC resources. If `none` is specified, then IPC resources within the containers of a task are private and not shared with other containers in a task or on the container instance. If no value is specified, then the IPC resource namespace sharing depends on the Docker daemon setting on the container instance. For more information, see [IPC settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#ipc-settings---ipc) in the *Docker run reference* .\n\nIf the `host` IPC mode is used, be aware that there is a heightened risk of undesired IPC namespace expose. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\nIf you are setting namespaced kernel parameters using `systemControls` for the containers in the task, the following will apply to your IPC resource namespace. 
For more information, see [System Controls](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n- For tasks that use the `host` IPC mode, IPC namespace related `systemControls` are not supported.\n- For tasks that use the `task` IPC mode, IPC namespace related `systemControls` will apply to all containers within a task.\n\n> This parameter is not supported for Windows containers or tasks run on AWS Fargate .", "Memory": "The amount (in MiB) of memory used by the task.\n\nIf your tasks runs on Amazon EC2 instances, you must specify either a task-level memory value or a container-level memory value. This field is optional and any value can be used. If a task-level memory value is specified, the container-level memory value is optional. For more information regarding container-level memory and memory reservation, see [ContainerDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html) .\n\nIf your tasks runs on AWS Fargate , this field is required. You must use one of the following values. 
The value you choose determines your range of valid values for the `cpu` parameter.\n\n- 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) - Available `cpu` values: 256 (.25 vCPU)\n- 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) - Available `cpu` values: 512 (.5 vCPU)\n- 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) - Available `cpu` values: 1024 (1 vCPU)\n- Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) - Available `cpu` values: 2048 (2 vCPU)\n- Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) - Available `cpu` values: 4096 (4 vCPU)\n- Between 16 GB and 60 GB in 4 GB increments - Available `cpu` values: 8192 (8 vCPU)\n\nThis option requires Linux platform `1.4.0` or later.\n- Between 32GB and 120 GB in 8 GB increments - Available `cpu` values: 16384 (16 vCPU)\n\nThis option requires Linux platform `1.4.0` or later.", "NetworkMode": "The Docker networking mode to use for the containers in the task. The valid values are `none` , `bridge` , `awsvpc` , and `host` . If no network mode is specified, the default is `bridge` .\n\nFor Amazon ECS tasks on Fargate, the `awsvpc` network mode is required. For Amazon ECS tasks on Amazon EC2 Linux instances, any network mode can be used. For Amazon ECS tasks on Amazon EC2 Windows instances, `` or `awsvpc` can be used. If the network mode is set to `none` , you cannot specify port mappings in your container definitions, and the tasks containers do not have external connectivity. 
The `host` and `awsvpc` network modes offer the highest networking performance for containers because they use the EC2 network stack instead of the virtualized network stack provided by the `bridge` mode.\n\nWith the `host` and `awsvpc` network modes, exposed container ports are mapped directly to the corresponding host port (for the `host` network mode) or the attached elastic network interface port (for the `awsvpc` network mode), so you cannot take advantage of dynamic host port mappings.\n\n> When using the `host` network mode, you should not run containers using the root user (UID 0). It is considered best practice to use a non-root user. \n\nIf the network mode is `awsvpc` , the task is allocated an elastic network interface, and you must specify a `NetworkConfiguration` value when you create a service or run a task with the task definition. For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nIf the network mode is `host` , you cannot run multiple instantiations of the same task on a single container instance when port mappings are used.\n\nFor more information, see [Network settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#network-settings) in the *Docker run reference* .", - "PidMode": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . If `host` is specified, then all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance. If `task` is specified, all containers within the specified task share the same process namespace. If no value is specified, the default is a private namespace. 
For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, be aware that there is a heightened risk of undesired process namespace expose. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers or tasks run on AWS Fargate .", + "PidMode": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . On Fargate for Linux containers, the only valid value is `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, there's a heightened risk of undesired process namespace exposure. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). 
This isn't supported for Windows containers on Fargate.", "PlacementConstraints": "An array of placement constraint objects to use for tasks.\n\n> This parameter isn't supported for tasks run on AWS Fargate .", "ProxyConfiguration": "The configuration details for the App Mesh proxy.\n\nYour Amazon ECS container instances require at least version 1.26.0 of the container agent and at least version 1.26.0-1 of the `ecs-init` package to use a proxy configuration. If your container instances are launched from the Amazon ECS optimized AMI version `20190301` or later, they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .", "RequiresCompatibilities": "The task launch types the task definition was validated against. The valid values are `EC2` , `FARGATE` , and `EXTERNAL` . For more information, see [Amazon ECS launch types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html) in the *Amazon Elastic Container Service Developer Guide* .", 
@@ -10261,7 +11913,7 @@ "Secrets": "The secrets to pass to the container. For more information, see [Specifying Sensitive Data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the *Amazon Elastic Container Service Developer Guide* .", "StartTimeout": "Time duration (in seconds) to wait before giving up on resolving dependencies for a container. For example, you specify two containers in a task definition with containerA having a dependency on containerB reaching a `COMPLETE` , `SUCCESS` , or `HEALTHY` status. If a `startTimeout` value is specified for containerB and it doesn't reach the desired status within that time then containerA gives up and not start. This results in the task transitioning to a `STOPPED` state.\n\n> When the `ECS_CONTAINER_START_TIMEOUT` container agent configuration variable is used, it's enforced independently from this start timeout value. \n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nFor tasks using the EC2 launch type, your container instances require at least version `1.26.0` of the container agent to use a container start timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version `1.26.0-1` of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . 
For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nThe valid values are 2-120 seconds.", "StopTimeout": "Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own.\n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nThe max stop timeout value is 120 seconds and if the parameter is not specified, the default value of 30 seconds is used.\n\nFor tasks that use the EC2 launch type, if the `stopTimeout` parameter isn't specified, the value set for the Amazon ECS container agent configuration variable `ECS_CONTAINER_STOP_TIMEOUT` is used. If neither the `stopTimeout` parameter or the `ECS_CONTAINER_STOP_TIMEOUT` agent configuration variable are set, then the default values of 30 seconds for Linux containers and 30 seconds on Windows containers are used. Your container instances require at least version 1.26.0 of the container agent to use a container stop timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . 
For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nThe valid values are 2-120 seconds.", - "SystemControls": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers.", + "SystemControls": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) . For example, you can configure `net.ipv4.tcp_keepalive_time` setting to maintain longer lived connections.\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. 
For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers. > This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "Ulimits": "A list of `ulimits` to set in the container. This parameter maps to `Ulimits` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--ulimit` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . Valid naming values are displayed in the [Ulimit](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_Ulimit.html) data type. This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`\n\n> This parameter is not supported for Windows containers.", "User": "The user to use inside the container. 
This parameter maps to `User` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--user` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\n> When running tasks using the `host` network mode, don't run containers using the root user (UID 0). We recommend using a non-root user for better security. \n\nYou can specify the `user` using the following formats. If specifying a UID or GID, you must specify it as a positive integer.\n\n- `user`\n- `user:group`\n- `uid`\n- `uid:gid`\n- `user:gid`\n- `uid:group`\n\n> This parameter is not supported for Windows containers.", "VolumesFrom": "Data volumes to mount from another container. This parameter maps to `VolumesFrom` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--volumes-from` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .", 
@@ -10347,12 +11999,12 @@ "SourceVolume": "The name of the volume to mount. Must be a volume name referenced in the `name` parameter of task definition `volume` ." }, "AWS::ECS::TaskDefinition PortMapping": { - "AppProtocol": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", + "AppProtocol": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\n`appProtocol` is immutable in a Service Connect service. 
Updating this field requires a service deletion and redeployment.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", "ContainerPort": "The port number on the container that's bound to the user-specified or automatically assigned host port.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, specify the exposed ports using `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode and you specify a container port and not a host port, your container automatically receives a host port in the ephemeral port range. For more information, see `hostPort` . Port mappings that are automatically assigned in this way do not count toward the 100 reserved ports limit of a container instance.", - "ContainerPortRange": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . 
The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call [`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", - "HostPort": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. 
This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. 
Automatically assigned ports aren't included in the 100 reserved ports quota.", + "ContainerPortRange": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPortRange` is set to the same value as the `containerPortRange` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call 
[`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", + "HostPort": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 (Linux) or 49152 through 65535 (Windows) is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. 
Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.", "Name": "The name that's used for the port mapping. This parameter only applies to Service Connect. This parameter is the name that you use in the `serviceConnectConfiguration` of a service. The name can include up to 64 characters. The characters can include lowercase letters, numbers, underscores (_), and hyphens (-). The name can't start with a hyphen.\n\nFor more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", - "Protocol": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` ." + "Protocol": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` . `protocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment." }, "AWS::ECS::TaskDefinition ProxyConfiguration": { "ContainerName": "The name of the container that will serve as the App Mesh proxy.", 
@@ -10376,7 +12028,11 @@ }, "AWS::ECS::TaskDefinition SystemControl": { "Namespace": "The namespaced kernel parameter to set a `value` for.", - "Value": "The value for the namespaced kernel parameter that's specified in `namespace` ." + "Value": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"`\n\nAll of these values are supported by Fargate." + }, + "AWS::ECS::TaskDefinition Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::ECS::TaskDefinition TaskDefinitionPlacementConstraint": { "Expression": "A cluster query language expression to apply to the constraint. For more information, see [Cluster query language](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cluster-query-language.html) in the *Amazon Elastic Container Service Developer Guide* .", 
@@ -10396,7 +12052,7 @@ "DockerVolumeConfiguration": "This parameter is specified when you use Docker volumes.\n\nWindows containers only support the use of the `local` driver. To use bind mounts, specify the `host` parameter instead.\n\n> Docker volumes aren't supported by tasks run on AWS Fargate .", "EFSVolumeConfiguration": "This parameter is specified when you use an Amazon Elastic File System file system for task storage.", "Host": "This parameter is specified when you use bind mount host volumes. The contents of the `host` parameter determine whether your bind mount host volume persists on the host container instance and where it's stored. If the `host` parameter is empty, then the Docker daemon assigns a host path for your data volume. However, the data isn't guaranteed to persist after the containers that are associated with it stop running.\n\nWindows containers can mount whole directories on the same drive as `$env:ProgramData` . Windows containers can't mount directories on a different drive, and mount point can't be across drives. For example, you can mount `C:\\my\\path:C:\\my\\path` and `D:\\:D:\\` , but not `D:\\my\\path:C:\\my\\path` or `D:\\:C:\\my\\path` .", - "Name": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` ." + "Name": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .\n\nThis is required wwhen you use an Amazon EFS volume." }, "AWS::ECS::TaskDefinition VolumeFrom": { "ReadOnly": "If this value is `true` , the container has read-only access to the volume. If this value is `false` , then the container can write to the volume. The default value is `false` .", 
@@ -10422,8 +12078,7 @@ "AWS::ECS::TaskSet LoadBalancer": { "ContainerName": "The name of the container (as it appears in a container definition) to associate with the load balancer.", "ContainerPort": "The port on the container to associate with the load balancer. This port must correspond to a `containerPort` in the task definition the tasks in the service are using. For tasks that use the EC2 launch type, the container instance they're launched on must allow ingress traffic on the `hostPort` of the port mapping.", - "LoadBalancerName": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", - "TargetGroupArn": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . 
Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type." + "TargetGroupArn": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type." }, "AWS::ECS::TaskSet NetworkConfiguration": { "AwsVpcConfiguration": "The VPC subnets and security groups that are associated with a task.\n\n> All specified subnets and security groups must be from the same VPC." 
@@ -10443,7 +12098,7 @@ "ClientToken": "The opaque string specified in the request to ensure idempotent creation.", "FileSystemId": "The ID of the EFS file system that the access point applies to. Accepts only the ID format for input when specifying a file system, for example `fs-0123456789abcedf2` .", "PosixUser": "The full POSIX identity, including the user ID, group ID, and secondary group IDs on the access point that is used for all file operations by NFS clients using the access point.", - "RootDirectory": "The directory on the Amazon EFS file system that the access point exposes as the root directory to NFS clients using the access point." + "RootDirectory": "The directory on the EFS file system that the access point exposes as the root directory to NFS clients using the access point." }, "AWS::EFS::AccessPoint AccessPointTag": { "Key": "The tag key (String). The key can't start with `aws:` .", 
@@ -10464,17 +12119,19 @@ "Path": "Specifies the path on the EFS file system to expose as the root directory to NFS clients using the access point to access the EFS file system. A path can have up to four subdirectories. If the specified path does not exist, you are required to provide the `CreationInfo` ." }, "AWS::EFS::FileSystem": { - "AvailabilityZoneName": "Used to create a file system that uses One Zone storage classes. It specifies the AWS Availability Zone in which to create the file system. Use the format `us-east-1a` to specify the Availability Zone. For more information about One Zone storage classes, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone storage classes are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", + "AvailabilityZoneName": "Used to create a One Zone file system. It specifies the AWS Availability Zone in which to create the file system. Use the format `us-east-1a` to specify the Availability Zone. For more information about One Zone file systems, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone file systems are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", "BackupPolicy": "Use the `BackupPolicy` to turn automatic backups on or off for the file system.", "BypassPolicyLockoutSafetyCheck": "(Optional) A boolean that specifies whether or not to bypass the `FileSystemPolicy` lockout safety check. The lockout safety check determines whether the policy in the request will lock out, or prevent, the IAM principal that is making the request from making future `PutFileSystemPolicy` requests on this file system. 
Set `BypassPolicyLockoutSafetyCheck` to `True` only when you intend to prevent the IAM principal that is making the request from making subsequent `PutFileSystemPolicy` requests on this file system. The default value is `False` .", "Encrypted": "A Boolean value that, if true, creates an encrypted file system. When creating an encrypted file system, you have the option of specifying a KmsKeyId for an existing AWS KMS key . If you don't specify a KMS key , then the default KMS key for Amazon EFS , `/aws/elasticfilesystem` , is used to protect the encrypted file system.", "FileSystemPolicy": "The `FileSystemPolicy` for the EFS file system. A file system policy is an IAM resource policy used to control NFS access to an EFS file system. For more information, see [Using IAM to control NFS access to Amazon EFS](https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html) in the *Amazon EFS User Guide* .", + "FileSystemProtection": "Describes the protection on the file system.", "FileSystemTags": "Use to create one or more tags associated with the file system. Each tag is a user-defined key-value pair. Name your file system on creation by including a `\"Key\":\"Name\",\"Value\":\"{value}\"` key-value pair. Each key must be unique. For more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference Guide* .", "KmsKeyId": "The ID of the AWS KMS key to be used to protect the encrypted file system. This parameter is only required if you want to use a nondefault KMS key . If this parameter is not specified, the default KMS key for Amazon EFS is used. 
This ID can be in one of the following formats:\n\n- Key ID - A unique identifier of the key, for example `1234abcd-12ab-34cd-56ef-1234567890ab` .\n- ARN - An Amazon Resource Name (ARN) for the key, for example `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` .\n- Key alias - A previously created display name for a key, for example `alias/projectKey1` .\n- Key alias ARN - An ARN for a key alias, for example `arn:aws:kms:us-west-2:444455556666:alias/projectKey1` .\n\nIf `KmsKeyId` is specified, the `Encrypted` parameter must be set to true.", "LifecyclePolicies": "An array of `LifecyclePolicy` objects that define the file system's `LifecycleConfiguration` object. A `LifecycleConfiguration` object informs EFS lifecycle management and intelligent tiering of the following:\n\n- When to move files in the file system from primary storage to the IA storage class.\n- When to move files that are in IA storage to primary storage.\n\n> Amazon EFS requires that each `LifecyclePolicy` object have only a single transition. This means that in a request body, `LifecyclePolicies` needs to be structured as an array of `LifecyclePolicy` objects, one object for each transition, `TransitionToIA` , `TransitionToPrimaryStorageClass` . See the example requests in the following section for more information.", - "PerformanceMode": "The performance mode of the file system. We recommend `generalPurpose` performance mode for most file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created.\n\n> The `maxIO` mode is not supported on file systems using One Zone storage classes. \n\nDefault is `generalPurpose` .", + "PerformanceMode": "The Performance mode of the file system. We recommend `generalPurpose` performance mode for all file systems. 
File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The `maxIO` mode is not supported on One Zone file systems.\n\n> Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. \n\nDefault is `generalPurpose` .", "ProvisionedThroughputInMibps": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact AWS Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .", - "ThroughputMode": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `elastic` ." + "ReplicationConfiguration": "Describes the replication configuration for a specific file system.", + "ThroughputMode": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . 
After you create the file system, you can decrease your file system's Provisioned throughput or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `bursting` ." }, "AWS::EFS::FileSystem BackupPolicy": { "Status": "Set the backup policy status for the file system.\n\n- *`ENABLED`* - Turns automatic backups on for the file system.\n- *`DISABLED`* - Turns automatic backups off for the file system." 
@@ -10483,15 +12140,28 @@ "Key": "The tag key (String). The key can't start with `aws:` .", "Value": "The value of the tag key." }, + "AWS::EFS::FileSystem FileSystemProtection": { + "ReplicationOverwriteProtection": "" + }, "AWS::EFS::FileSystem LifecyclePolicy": { - "TransitionToIA": "Describes the period of time that a file is not accessed, after which it transitions to IA storage. Metadata operations such as listing the contents of a directory don't count as file access events.", - "TransitionToPrimaryStorageClass": "Describes when to transition a file from IA storage to primary storage. Metadata operations such as listing the contents of a directory don't count as file access events." + "TransitionToArchive": "The number of days after files were last accessed in primary storage (the Standard storage class) files at which to move them to Archive storage. Metadata operations such as listing the contents of a directory don't count as file access events.", + "TransitionToIA": "The number of days after files were last accessed in primary storage (the Standard storage class) at which to move them to Infrequent Access (IA) storage. Metadata operations such as listing the contents of a directory don't count as file access events.", + "TransitionToPrimaryStorageClass": "Whether to move files back to primary (Standard) storage after they are accessed in IA or Archive storage. Metadata operations such as listing the contents of a directory don't count as file access events." + }, + "AWS::EFS::FileSystem ReplicationConfiguration": { + "Destinations": "An array of destination objects. Only one destination object is supported." + }, + "AWS::EFS::FileSystem ReplicationDestination": { + "AvailabilityZoneName": "The AWS Availability Zone in which to create the file system.\n\n> For file systems using One Zone storage classes, the replication configuration must specify the Availability Zone in which the destination file system is located. 
\n\nUse the format `us-east-1a` to specify the Availability Zone. For more information about One Zone storage classes, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone storage classes are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", + "FileSystemId": "The ID of the destination Amazon EFS file system.", + "KmsKeyId": "The ID of an AWS KMS key used to protect the encrypted file system.", + "Region": "The AWS Region in which the destination file system is located.\n\n> For file systems using Standard storage classes, the replication configuration must specify the AWS Region in which the destination file system is located." }, "AWS::EFS::MountTarget": { "FileSystemId": "The ID of the file system for which to create the mount target.", "IpAddress": "Valid IPv4 address within the address range of the specified subnet.", "SecurityGroups": "Up to five VPC security group IDs, of the form `sg-xxxxxxxx` . These must be for the same VPC as subnet specified.", - "SubnetId": "The ID of the subnet to add the mount target in. For file systems that use One Zone storage classes, use the subnet that is associated with the file system's Availability Zone." + "SubnetId": "The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone." }, "AWS::EKS::Addon": { "AddonName": "The name of the add-on.", 
@@ -10503,13 +12173,17 @@ "ServiceAccountRoleArn": "The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see [Amazon EKS node IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) in the *Amazon EKS User Guide* .\n\n> To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) in the *Amazon EKS User Guide* .", "Tags": "The metadata that you apply to the add-on to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Add-on tags do not propagate to any other resources associated with the cluster." }, + "AWS::EKS::Addon Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::EKS::Cluster": { "EncryptionConfig": "The encryption configuration for the cluster.", "KubernetesNetworkConfig": "The Kubernetes network configuration for the cluster.", "Logging": "The logging configuration for your cluster.", "Name": "The unique name to give to your cluster.", "OutpostConfig": "An object representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This object isn't available for clusters on the AWS cloud.", - "ResourcesVpcConfig": "The VPC configuration that's used by the cluster control plane. 
Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.\n\n> Updates require replacement of the `SecurityGroupIds` and `SubnetIds` sub-properties.", + "ResourcesVpcConfig": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups. However, we recommend that you use a dedicated security group for your cluster control plane.", "RoleArn": "The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. For more information, see [Amazon EKS Service IAM Role](https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html) in the **Amazon EKS User Guide** .", "Tags": "The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. 
Cluster tags don't propagate to any other resources associated with the cluster.\n\n> You must have the `eks:TagResource` and `eks:UntagResource` permissions for your [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) to manage the AWS CloudFormation stack. If you don't have these permissions, there might be unexpected behavior with stack-level tags propagating to the resource during resource creation and update.", "Version": "The desired Kubernetes version for your cluster. If you don't specify a value here, the default version available in Amazon EKS is used.\n\n> The default version might not be the latest version available." @@ -10550,6 +12224,10 @@ "SecurityGroupIds": "Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use that allow communication between your nodes and the Kubernetes control plane. If you don't specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes. For more information, see [Amazon EKS security group considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the **Amazon EKS User Guide** .", "SubnetIds": "Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane." }, + "AWS::EKS::Cluster Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::EKS::FargateProfile": { "ClusterName": "The name of the Amazon EKS cluster to apply the Fargate profile to.", "FargateProfileName": "The name of the Fargate profile.", 
@@ -10566,6 +12244,10 @@ "Labels": "The Kubernetes labels that the selector should match. A pod must contain all of the labels that are specified in the selector for it to be considered a match.", "Namespace": "The Kubernetes namespace that the selector should match." }, + "AWS::EKS::FargateProfile Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::EKS::IdentityProviderConfig": { "ClusterName": "The cluster that the configuration is associated to.", "IdentityProviderConfigName": "The name of the configuration.", @@ -10586,6 +12268,10 @@ "Key": "The key to match from the token.", "Value": "The value for the key from the token." }, + "AWS::EKS::IdentityProviderConfig Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::EKS::Nodegroup": { "AmiType": "The AMI type for your node group. If you specify `launchTemplate` , and your launch template uses a custom AMI, then don't specify `amiType` , or the node group deployment will fail. If your launch template uses a Windows custom AMI, then add `eks:kube-proxy-windows` to your Windows nodes `rolearn` in the `aws-auth` `ConfigMap` . For more information about using launch templates with Amazon EKS, see [Launch template support](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) in the *Amazon EKS User Guide* .", "CapacityType": "The capacity type of your managed node group.", 
@@ -10629,11 +12315,22 @@ "MaxUnavailable": "The maximum number of nodes unavailable at once during a version update. Nodes will be updated in parallel. This value or `maxUnavailablePercentage` is required to have a value.The maximum number is 100.", "MaxUnavailablePercentage": "The maximum percentage of nodes unavailable during a version update. This percentage of nodes will be updated in parallel, up to 100 nodes at once. This value or `maxUnavailable` is required to have a value." }, + "AWS::EKS::PodIdentityAssociation": { + "ClusterName": "The name of the cluster that the association is in.", + "Namespace": "The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.", + "RoleArn": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.", + "ServiceAccount": "The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.", + "Tags": "The metadata that you apply to a resource to assist with categorization and organization. Each tag consists of a key and an optional value. You define both.\n\nThe following basic restrictions apply to tags:\n\n- Maximum number of tags per resource \u2013 50\n- For each resource, each tag key must be unique, and each tag key can have only one value.\n- Maximum key length \u2013 128 Unicode characters in UTF-8\n- Maximum value length \u2013 256 Unicode characters in UTF-8\n- If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . 
_ : / @.\n- Tag keys and values are case-sensitive.\n- Do not use `aws:` , `AWS:` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit." + }, + "AWS::EKS::PodIdentityAssociation Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::EMR::Cluster": { "AdditionalInfo": "A JSON string for selecting additional features.", "Applications": "The applications to install on this cluster, for example, Spark, Flink, Oozie, Zeppelin, and so on.", "AutoScalingRole": "An IAM role for automatic scaling policies. The default role is `EMR_AutoScaling_DefaultRole` . The IAM role provides permissions that the automatic scaling feature requires to launch and terminate Amazon EC2 instances in an instance group.", - "AutoTerminationPolicy": "", + "AutoTerminationPolicy": "An auto-termination policy defines the amount of idle time in seconds after which a cluster automatically terminates. For alternative cluster termination options, see [Control cluster termination](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-termination.html)", "BootstrapActions": "A list of bootstrap actions to run before Hadoop starts on the cluster nodes.", "Configurations": "Applies only to Amazon EMR releases 4.x and later. The list of configurations that are supplied to the Amazon EMR cluster.", "CustomAmiId": "Available only in Amazon EMR releases 5.7.0 and later. The ID of a custom Amazon EBS-backed Linux AMI if the cluster uses a custom AMI.", 
@@ -10645,7 +12342,7 @@ "LogUri": "The path to the Amazon S3 location where logs for this cluster are stored.", "ManagedScalingPolicy": "Creates or updates a managed scaling policy for an Amazon EMR cluster. The managed scaling policy defines the limits for resources, such as Amazon EC2 instances that can be added or terminated from a cluster. The policy only applies to the core and task nodes. The master node cannot be scaled after initial configuration.", "Name": "The name of the cluster.", - "OSReleaseLabel": "", + "OSReleaseLabel": "The Amazon Linux release specified in a cluster launch RunJobFlow request. If no Amazon Linux release was specified, the default Amazon Linux release is shown in the response.", "ReleaseLabel": "The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster. Release labels are in the form `emr-x.x.x` , where x.x.x is an Amazon EMR release version such as `emr-5.14.0` . For more information about Amazon EMR release versions and included application versions and features, see [](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/) . The release label applies only to Amazon EMR releases version 4.0 and later. Earlier versions use `AmiVersion` .", "ScaleDownBehavior": "The way that individual Amazon EC2 instances terminate when an automatic scale-in activity occurs or an instance group is resized. `TERMINATE_AT_INSTANCE_HOUR` indicates that Amazon EMR terminates nodes at the instance-hour boundary, regardless of when the request to terminate the instance was submitted. This option is only available with Amazon EMR 5.1.0 and later and is the default for clusters created using that version. `TERMINATE_AT_TASK_COMPLETION` indicates that Amazon EMR adds nodes to a deny list and drains tasks from nodes before terminating the Amazon EC2 instances, regardless of the instance-hour boundary. 
With either behavior, Amazon EMR removes the least active nodes first and blocks instance termination if it could lead to HDFS corruption. `TERMINATE_AT_TASK_COMPLETION` is available only in Amazon EMR releases 4.1.0 and later, and is the default for versions of Amazon EMR earlier than 5.1.0.", "SecurityConfiguration": "The name of the security configuration applied to the cluster.", @@ -10666,7 +12363,7 @@ "Rules": "The scale-in and scale-out rules that comprise the automatic scaling policy." }, "AWS::EMR::Cluster AutoTerminationPolicy": { - "IdleTimeout": "" + "IdleTimeout": "Specifies the amount of idle time in seconds after which the cluster automatically terminates. You can specify a minimum of 60 seconds and a maximum of 604800 seconds (seven days)." }, "AWS::EMR::Cluster BootstrapActionConfig": { "Name": "The name of the bootstrap action.", @@ -10821,9 +12518,14 @@ "HadoopJarStep": "The JAR file used for the step.", "Name": "The name of the step." }, + "AWS::EMR::Cluster Tag": { + "Key": "A user-defined key, which is the minimum required information for a valid tag. For more information, see [Tag](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) .", + "Value": "A user-defined value, which is optional in a tag. For more information, see [Tag Clusters](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) ." + }, "AWS::EMR::Cluster VolumeSpecification": { "Iops": "The number of I/O operations per second (IOPS) that the volume supports.", "SizeInGB": "The volume size, in gibibytes (GiB). This can be a number from 1 - 1024. If the volume type is EBS-optimized, the minimum value is 10.", + "Throughput": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", "VolumeType": "The volume type. Volume types supported are gp3, gp2, io1, st1, sc1, and standard." }, "AWS::EMR::InstanceFleetConfig": { 
@@ -10873,6 +12575,7 @@ "AWS::EMR::InstanceFleetConfig VolumeSpecification": { "Iops": "The number of I/O operations per second (IOPS) that the volume supports.", "SizeInGB": "The volume size, in gibibytes (GiB). This can be a number from 1 - 1024. If the volume type is EBS-optimized, the minimum value is 10.", + "Throughput": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", "VolumeType": "The volume type. Volume types supported are gp3, gp2, io1, st1, sc1, and standard." }, "AWS::EMR::InstanceGroupConfig": { @@ -10945,6 +12648,7 @@ "AWS::EMR::InstanceGroupConfig VolumeSpecification": { "Iops": "The number of I/O operations per second (IOPS) that the volume supports.", "SizeInGB": "The volume size, in gibibytes (GiB). This can be a number from 1 - 1024. If the volume type is EBS-optimized, the minimum value is 10.", + "Throughput": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", "VolumeType": "The volume type. Volume types supported are gp3, gp2, io1, st1, sc1, and standard." }, "AWS::EMR::SecurityConfiguration": { 
@@ -10971,23 +12675,39 @@ "AuthMode": "Specifies whether the Studio authenticates users using IAM Identity Center or IAM.", "DefaultS3Location": "The Amazon S3 location to back up EMR Studio Workspaces and notebook files.", "Description": "A detailed description of the Amazon EMR Studio.", + "EncryptionKeyArn": "The AWS KMS key identifier (ARN) used to encrypt Amazon EMR Studio workspace and notebook files when backed up to Amazon S3.", "EngineSecurityGroupId": "The ID of the Amazon EMR Studio Engine security group. The Engine security group allows inbound network traffic from the Workspace security group, and it must be in the same VPC specified by `VpcId` .", + "IdcInstanceArn": "The ARN of the IAM Identity Center instance the Studio application belongs to.", + "IdcUserAssignment": "Indicates whether the Studio has `REQUIRED` or `OPTIONAL` IAM Identity Center user assignment. If the value is set to `REQUIRED` , users must be explicitly assigned to the Studio application to access the Studio.", "IdpAuthUrl": "Your identity provider's authentication endpoint. Amazon EMR Studio redirects federated users to this endpoint for authentication when logging in to a Studio with the Studio URL.", "IdpRelayStateParameterName": "The name of your identity provider's `RelayState` parameter.", "Name": "A descriptive name for the Amazon EMR Studio.", "ServiceRole": "The Amazon Resource Name (ARN) of the IAM role that will be assumed by the Amazon EMR Studio. The service role provides a way for Amazon EMR Studio to interoperate with other AWS services.", "SubnetIds": "A list of subnet IDs to associate with the Amazon EMR Studio. A Studio can have a maximum of 5 subnets. The subnets must belong to the VPC specified by `VpcId` . 
Studio users can create a Workspace in any of the specified subnets.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "TrustedIdentityPropagationEnabled": "Indicates whether the Studio has Trusted identity propagation enabled. The default value is `false` .", "UserRole": "The Amazon Resource Name (ARN) of the IAM user role that will be assumed by users and groups logged in to a Studio. The permissions attached to this IAM role can be scoped down for each user or group using session policies. You only need to specify `UserRole` when you set `AuthMode` to `SSO` .", "VpcId": "The ID of the Amazon Virtual Private Cloud (Amazon VPC) to associate with the Studio.", "WorkspaceSecurityGroupId": "The ID of the Workspace security group associated with the Amazon EMR Studio. The Workspace security group allows outbound network traffic to resources in the Engine security group and to the internet." }, + "AWS::EMR::Studio Tag": { + "Key": "A user-defined key, which is the minimum required information for a valid tag. For more information, see [Tag](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) .", + "Value": "A user-defined value, which is optional in a tag. For more information, see [Tag Clusters](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) ." + }, "AWS::EMR::StudioSessionMapping": { "IdentityName": "The name of the user or group. 
For more information, see [UserName](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html#singlesignon-Type-User-UserName) and [DisplayName](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_Group.html#singlesignon-Type-Group-DisplayName) in the *IAM Identity Center Identity Store API Reference* .", "IdentityType": "Specifies whether the identity to map to the Amazon EMR Studio is a user or a group.", "SessionPolicyArn": "The Amazon Resource Name (ARN) for the session policy that will be applied to the user or group. Session policies refine Studio user permissions without the need to use multiple IAM user roles. For more information, see [Create an EMR Studio user role with session policies](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-studio-user-role.html) in the *Amazon EMR Management Guide* .", "StudioId": "The ID of the Amazon EMR Studio to which the user or group will be mapped." }, + "AWS::EMR::WALWorkspace": { + "Tags": "You can add tags when you create a new workspace. You can add, remove, or list tags from an active workspace, but you can't update tags. Instead, remove the tag and add a new one. For more information, see see [Tag your Amazon EMR WAL workspaces](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hbase-wal.html#emr-hbase-wal-tagging) .", + "WALWorkspaceName": "The name of the WAL workspace." + }, + "AWS::EMR::WALWorkspace Tag": { + "Key": "A user-defined key, which is the minimum required information for a valid tag. For more information, see [Tag](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) .", + "Value": "A user-defined value, which is optional in a tag. For more information, see [Tag Clusters](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) ." + }, "AWS::EMRContainers::VirtualCluster": { "ContainerProvider": "The container provider of the virtual cluster.", "Name": "The name of the virtual cluster.", 
@@ -11004,54 +12724,81 @@ "AWS::EMRContainers::VirtualCluster EksInfo": { "Namespace": "The namespaces of the EKS cluster.\n\n*Minimum* : 1\n\n*Maximum* : 63\n\n*Pattern* : `[a-z0-9]([-a-z0-9]*[a-z0-9])?`" }, + "AWS::EMRContainers::VirtualCluster Tag": { + "Key": "", + "Value": "" + }, "AWS::EMRServerless::Application": { - "Architecture": "The CPU architecture type of the application. Allowed values: `X86_64` or `ARM64`", + "Architecture": "The CPU architecture of an application.", "AutoStartConfiguration": "The configuration for an application to automatically start on job submission.", "AutoStopConfiguration": "The configuration for an application to automatically stop after a certain amount of time being idle.", - "ImageConfiguration": "", + "ImageConfiguration": "The image configuration applied to all worker types.", "InitialCapacity": "The initial capacity of the application.", "MaximumCapacity": "The maximum capacity of the application. This is cumulative across all workers at any given point in time during the lifespan of the application is created. No new resources will be created once any one of the defined limits is hit.", - "Name": "The name of the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._\\\\/#-]+$`", + "MonitoringConfiguration": "A configuration specification to be used when provisioning an application. A configuration consists of a classification, properties, and optional nested configurations. A classification refers to an application-specific configuration file. 
Properties are the settings you want to change in that file.", + "Name": "The name of the application.", "NetworkConfiguration": "The network configuration for customer VPC connectivity for the application.", - "ReleaseLabel": "The EMR release version associated with the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._/-]+$`", + "ReleaseLabel": "The EMR release associated with the application.", + "RuntimeConfiguration": "The [Configuration](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_Configuration.html) specifications of an application. Each configuration consists of a classification and properties. You use this parameter when creating or updating an application. To see the runtimeConfiguration object of an application, run the [GetApplication](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_GetApplication.html) API operation.", "Tags": "The tags assigned to the application.", "Type": "The type of application, such as Spark or Hive.", - "WorkerTypeSpecifications": "" + "WorkerTypeSpecifications": "The specification applied to each worker type." }, "AWS::EMRServerless::Application AutoStartConfiguration": { - "Enabled": "Enables the application to automatically start on job submission. Defaults to true." + "Enabled": "" }, "AWS::EMRServerless::Application AutoStopConfiguration": { - "Enabled": "Enables the application to automatically stop after a certain amount of time being idle. Defaults to true.", - "IdleTimeoutMinutes": "The amount of idle time in minutes after which your application will automatically stop. 
Defaults to 15 minutes.\n\n*Minimum* : 1\n\n*Maximum* : 10080" + "Enabled": "", + "IdleTimeoutMinutes": "" + }, + "AWS::EMRServerless::Application ConfigurationObject": { + "Classification": "", + "Configurations": "", + "SensitivePropertiesMap": "" }, "AWS::EMRServerless::Application ImageConfigurationInput": { - "ImageUri": "" + "ImageUri": "The URI of an image in the Amazon ECR registry. This field is required when you create a new application. If you leave this field blank in an update, Amazon EMR will remove the image configuration." }, "AWS::EMRServerless::Application InitialCapacityConfig": { "WorkerConfiguration": "The resource configuration of the initial capacity configuration.", - "WorkerCount": "The number of workers in the initial capacity configuration.\n\n*Minimum* : 1\n\n*Maximum* : 1000000" + "WorkerCount": "The number of workers in the initial capacity configuration." }, "AWS::EMRServerless::Application InitialCapacityConfigKeyValuePair": { - "Key": "The worker type for an analytics framework. For Spark applications, the key can either be set to `Driver` or `Executor` . For Hive applications, it can be set to `HiveDriver` or `TezTask` .\n\n*Minimum* : 1\n\n*Maximum* : 50\n\n*Pattern* : `^[a-zA-Z]+[-_]*[a-zA-Z]+$`", - "Value": "The value for the initial capacity configuration per worker." + "Key": "", + "Value": "" + }, + "AWS::EMRServerless::Application ManagedPersistenceMonitoringConfiguration": { + "Enabled": "Enables managed logging and defaults to true. If set to false, managed logging will be turned off.", + "EncryptionKeyArn": "The KMS key ARN to encrypt the logs stored in managed log persistence." 
}, "AWS::EMRServerless::Application MaximumAllowedResources": { - "Cpu": "The maximum allowed CPU for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", - "Disk": "The maximum allowed disk for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", - "Memory": "The maximum allowed resources for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`" + "Cpu": "The maximum allowed CPU for an application.", + "Disk": "The maximum allowed disk for an application.", + "Memory": "The maximum allowed resources for an application." + }, + "AWS::EMRServerless::Application MonitoringConfiguration": { + "ManagedPersistenceMonitoringConfiguration": "The managed log persistence configuration for a job run.", + "S3MonitoringConfiguration": "The Amazon S3 configuration for monitoring log publishing." }, "AWS::EMRServerless::Application NetworkConfiguration": { - "SecurityGroupIds": "The array of security group Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", - "SubnetIds": "The array of subnet Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`" + "SecurityGroupIds": "The array of security group Ids for customer VPC connectivity.", + "SubnetIds": "The array of subnet Ids for customer VPC connectivity." + }, + "AWS::EMRServerless::Application S3MonitoringConfiguration": { + "EncryptionKeyArn": "The KMS key ARN to encrypt the logs published to the given Amazon S3 destination.", + "LogUri": "The Amazon S3 destination URI for log publishing." 
+ }, + "AWS::EMRServerless::Application Tag": { + "Key": "", + "Value": "" }, "AWS::EMRServerless::Application WorkerConfiguration": { - "Cpu": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", - "Disk": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", - "Memory": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`" + "Cpu": "", + "Disk": "", + "Memory": "" }, "AWS::EMRServerless::Application WorkerTypeSpecificationInput": { - "ImageConfiguration": "" + "ImageConfiguration": "The image configuration for a worker type." }, "AWS::ElastiCache::CacheCluster": { "AZMode": "Specifies whether the nodes in this Memcached cluster are created in a single Availability Zone or created across multiple Availability Zones in the cluster's region.\n\nThis parameter is only supported for Memcached clusters.\n\nIf the `AZMode` and `PreferredAvailabilityZones` are not specified, ElastiCache assumes `single-az` mode.", 
@@ -11059,8 +12806,8 @@ "CacheNodeType": "The compute and memory capacity of the nodes in the node group (shard).\n\nThe following node types are supported by ElastiCache. Generally speaking, the current generation types provide more memory and computational power at lower cost when compared to their equivalent previous generation counterparts. Changing the CacheNodeType of a Memcached instance is currently not supported. If you need to scale using Memcached, we recommend forcing a replacement update by changing the `LogicalResourceId` of the resource.\n\n- General purpose:\n\n- Current generation:\n\n*M6g node types:* `cache.m6g.large` , `cache.m6g.xlarge` , `cache.m6g.2xlarge` , `cache.m6g.4xlarge` , `cache.m6g.8xlarge` , `cache.m6g.12xlarge` , `cache.m6g.16xlarge` , `cache.m6g.24xlarge`\n\n*M5 node types:* `cache.m5.large` , `cache.m5.xlarge` , `cache.m5.2xlarge` , `cache.m5.4xlarge` , `cache.m5.12xlarge` , `cache.m5.24xlarge`\n\n*M4 node types:* `cache.m4.large` , `cache.m4.xlarge` , `cache.m4.2xlarge` , `cache.m4.4xlarge` , `cache.m4.10xlarge`\n\n*T4g node types:* `cache.t4g.micro` , `cache.t4g.small` , `cache.t4g.medium`\n\n*T3 node types:* `cache.t3.micro` , `cache.t3.small` , `cache.t3.medium`\n\n*T2 node types:* `cache.t2.micro` , `cache.t2.small` , `cache.t2.medium`\n- Previous generation: (not recommended)\n\n*T1 node types:* `cache.t1.micro`\n\n*M1 node types:* `cache.m1.small` , `cache.m1.medium` , `cache.m1.large` , `cache.m1.xlarge`\n\n*M3 node types:* `cache.m3.medium` , `cache.m3.large` , `cache.m3.xlarge` , `cache.m3.2xlarge`\n- Compute optimized:\n\n- Previous generation: (not recommended)\n\n*C1 node types:* `cache.c1.xlarge`\n- Memory optimized:\n\n- Current generation:\n\n*R6gd node types:* `cache.r6gd.xlarge` , `cache.r6gd.2xlarge` , `cache.r6gd.4xlarge` , `cache.r6gd.8xlarge` , `cache.r6gd.12xlarge` , `cache.r6gd.16xlarge`\n\n> The `r6gd` family is available in the following regions: `us-east-2` , `us-east-1` , `us-west-2` , `us-west-1` , 
`eu-west-1` , `eu-central-1` , `ap-northeast-1` , `ap-southeast-1` , `ap-southeast-2` . \n\n*R6g node types:* `cache.r6g.large` , `cache.r6g.xlarge` , `cache.r6g.2xlarge` , `cache.r6g.4xlarge` , `cache.r6g.8xlarge` , `cache.r6g.12xlarge` , `cache.r6g.16xlarge` , `cache.r6g.24xlarge`\n\n*R5 node types:* `cache.r5.large` , `cache.r5.xlarge` , `cache.r5.2xlarge` , `cache.r5.4xlarge` , `cache.r5.12xlarge` , `cache.r5.24xlarge`\n\n*R4 node types:* `cache.r4.large` , `cache.r4.xlarge` , `cache.r4.2xlarge` , `cache.r4.4xlarge` , `cache.r4.8xlarge` , `cache.r4.16xlarge`\n- Previous generation: (not recommended)\n\n*M2 node types:* `cache.m2.xlarge` , `cache.m2.2xlarge` , `cache.m2.4xlarge`\n\n*R3 node types:* `cache.r3.large` , `cache.r3.xlarge` , `cache.r3.2xlarge` , `cache.r3.4xlarge` , `cache.r3.8xlarge`\n\nFor region availability, see [Supported Node Types by Region](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n\n*Additional node type info*\n\n- All current generation instance types are created in Amazon VPC by default.\n- Redis append-only files (AOF) are not supported for T1 or T2 instances.\n- Redis Multi-AZ with automatic failover is not supported on T1 instances.\n- Redis configuration variables `appendonly` and `appendfsync` are not supported on Redis version 2.8.22 and later.", "CacheParameterGroupName": "The name of the parameter group to associate with this cluster. If this argument is omitted, the default parameter group for the specified engine is used. 
You cannot use any parameter group which has `cluster-enabled='yes'` when creating a cluster.", "CacheSecurityGroupNames": "A list of security group names to associate with this cluster.\n\nUse this parameter only when you are creating a cluster outside of an Amazon Virtual Private Cloud (Amazon VPC).", - "CacheSubnetGroupName": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see [AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .", - "ClusterName": "A name for the cache cluster. If you don't specify a name, AWSCloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", + "CacheSubnetGroupName": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see `[AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .`", + "ClusterName": "A name for the cache cluster. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the cache cluster. 
For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", "Engine": "The name of the cache engine to be used for this cluster.\n\nValid values for this parameter are: `memcached` | `redis`", "EngineVersion": "The version number of the cache engine to be used for this cluster. To view the supported cache engine versions, use the DescribeCacheEngineVersions operation.\n\n*Important:* You can upgrade to a newer engine version (see [Selecting a Cache Engine and Version](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/SelectEngine.html#VersionManagement) ), but you cannot downgrade to an earlier engine version. If you want to use an earlier engine version, you must delete the existing cluster or replication group and create it anew with the earlier engine version.", "IpDiscovery": "The network type you choose when modifying a cluster, either `ipv4` | `ipv6` . IPv6 is supported for workloads using Redis engine version 6.2 onward or Memcached engine version 1.6.6 on all instances built on the [Nitro system](https://docs.aws.amazon.com/ec2/nitro/) .", 
@@ -11096,6 +12843,10 @@ "LogFormat": "Valid values are either `json` or `text` .", "LogType": "Valid value is either `slow-log` , which refers to [slow-log](https://docs.aws.amazon.com/https://redis.io/commands/slowlog) or `engine-log` ." }, + "AWS::ElastiCache::CacheCluster Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::GlobalReplicationGroup": { "AutomaticFailoverEnabled": "Specifies whether a read-only replica is automatically promoted to read/write primary if the existing primary fails.\n\n`AutomaticFailoverEnabled` must be enabled for Redis (cluster mode enabled) replication groups.", "CacheNodeType": "The cache node type of the Global datastore", 
@@ -11127,6 +12878,10 @@ "Properties": "A comma-delimited list of parameter name/value pairs.\n\nFor example:\n\n```\n\"Properties\" : { \"cas_disabled\" : \"1\", \"chunk_size_growth_factor\" : \"1.02\"\n}\n```", "Tags": "A tag that can be added to an ElastiCache parameter group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your parameter groups. A tag with a null Value is permitted." }, + "AWS::ElastiCache::ParameterGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::ReplicationGroup": { "AtRestEncryptionEnabled": "A flag that enables encryption at rest when set to `true` .\n\nYou cannot modify the value of `AtRestEncryptionEnabled` after the replication group is created. To enable encryption at rest on a replication group you must set `AtRestEncryptionEnabled` to `true` when you create the replication group.\n\n*Required:* Only available when creating a replication group in an Amazon VPC using redis version `3.2.6` or `4.x` onward.\n\nDefault: `false`", "AuthToken": "*Reserved parameter.* The password used to access a password protected server.\n\n`AuthToken` can be specified only on replication groups where `TransitEncryptionEnabled` is `true` . For more information, see [Authenticating Users with the Redis AUTH Command](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html) .\n\n> For HIPAA compliance, you must specify `TransitEncryptionEnabled` as `true` , an `AuthToken` , and a `CacheSubnetGroup` . 
\n\nPassword constraints:\n\n- Must be only printable ASCII characters.\n- Must be at least 16 characters and no more than 128 characters in length.\n- Nonalphanumeric characters are restricted to (!, &, #, $, ^, <, >, -, ).\n\nFor more information, see [AUTH password](https://docs.aws.amazon.com/http://redis.io/commands/AUTH) at http://redis.io/commands/AUTH.\n\n> If ADDING the AuthToken, update requires [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) .", 
@@ -11156,7 +12911,6 @@ "PrimaryClusterId": "The identifier of the cluster that serves as the primary for this replication group. This cluster must already exist and have a status of `available` .\n\nThis parameter is not required if `NumCacheClusters` , `NumNodeGroups` , or `ReplicasPerNodeGroup` is specified.", "ReplicasPerNodeGroup": "An optional parameter that specifies the number of replica nodes in each node group (shard). Valid values are 0 to 5.", "ReplicationGroupDescription": "A user-created description for the replication group.", - "ReplicationGroupId": "The replication group identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n- A name must contain from 1 to 40 alphanumeric characters or hyphens.\n- The first character must be a letter.\n- A name cannot end with a hyphen or contain two consecutive hyphens.", "SecurityGroupIds": "One or more Amazon VPC security groups associated with this replication group.\n\nUse this parameter only when you are creating a replication group in an Amazon Virtual Private Cloud (Amazon VPC).", "SnapshotArns": "A list of Amazon Resource Names (ARN) that uniquely identify the Redis RDB snapshot files stored in Amazon S3. The snapshot files are used to populate the new replication group. The Amazon S3 object name in the ARN cannot contain any commas. The new replication group will have the number of node groups (console: shards) specified by the parameter *NumNodeGroups* or the number of node groups configured by *NodeGroupConfiguration* regardless of the number of ARNs specified here.\n\nExample of an Amazon S3 ARN: `arn:aws:s3:::my_bucket/snapshot1.rdb`", "SnapshotName": "The name of a snapshot from which to restore data into the new replication group. The snapshot status changes to `restoring` while the new replication group is being created.", 
@@ -11191,21 +12945,70 @@ "ReplicaCount": "The number of read replica nodes in this node group (shard).", "Slots": "A string of comma-separated values where the first set of values are the slot numbers (zero based), and the second set of values are the keyspaces for each slot. The following example specifies three slots (numbered 0, 1, and 2): `0,1,2,0-4999,5000-9999,10000-16,383` .\n\nIf you don't specify a value, ElastiCache allocates keys equally among each slot.\n\nWhen you use an `UseOnlineResharding` update policy to update the number of node groups without interruption, ElastiCache evenly distributes the keyspaces between the specified number of slots. This cannot be updated later. Therefore, after updating the number of node groups in this way, you should remove the value specified for the `Slots` property of each `NodeGroupConfiguration` from the stack template, as it no longer reflects the actual values in each node group. For more information, see [UseOnlineResharding Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html#cfn-attributes-updatepolicy-useonlineresharding) ." }, + "AWS::ElastiCache::ReplicationGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::SecurityGroup": { "Description": "A description for the cache security group.", "Tags": "A tag that can be added to an ElastiCache security group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your security groups. A tag with a null Value is permitted." }, + "AWS::ElastiCache::SecurityGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." 
+ }, "AWS::ElastiCache::SecurityGroupIngress": { "CacheSecurityGroupName": "The name of the Cache Security Group to authorize.", "EC2SecurityGroupName": "Name of the EC2 Security Group to include in the authorization.", "EC2SecurityGroupOwnerId": "Specifies the Amazon Account ID of the owner of the EC2 security group specified in the EC2SecurityGroupName property. The Amazon access key ID is not an acceptable value." }, + "AWS::ElastiCache::ServerlessCache": { + "CacheUsageLimits": "The cache usage limit for the serverless cache.", + "DailySnapshotTime": "The daily time that a cache snapshot will be created. Default is NULL, i.e. snapshots will not be created at a specific time on a daily basis. Available for Redis only.", + "Description": "A description of the serverless cache.", + "Endpoint": "Represents the information required for client programs to connect to a cache node.", + "Engine": "The engine the serverless cache is compatible with.", + "FinalSnapshotName": "The name of the final snapshot taken of a cache before the cache is deleted.", + "KmsKeyId": "The ID of the AWS Key Management Service (KMS) key that is used to encrypt data at rest in the serverless cache.", + "MajorEngineVersion": "The version number of the engine the serverless cache is compatible with.", + "ReaderEndpoint": "Represents the information required for client programs to connect to a cache node.", + "SecurityGroupIds": "The IDs of the EC2 security groups associated with the serverless cache.", + "ServerlessCacheName": "The unique identifier of the serverless cache.", + "SnapshotArnsToRestore": "The ARN of the snapshot from which to restore data into the new cache.", + "SnapshotRetentionLimit": "The current setting for the number of serverless cache snapshots the system will retain. Available for Redis only.", + "SubnetIds": "If no subnet IDs are given and your VPC is in SFO, then ElastiCache will select 2 default subnets across AZs in your VPC. 
For all other Regions, if no subnet IDs are given then ElastiCache will select 3 default subnets across AZs in your default VPC.", + "Tags": "A list of tags to be added to this resource.", + "UserGroupId": "The identifier of the user group associated with the serverless cache. Available for Redis only. Default is NULL." + }, + "AWS::ElastiCache::ServerlessCache CacheUsageLimits": { + "DataStorage": "The maximum data storage limit in the cache, expressed in Gigabytes.", + "ECPUPerSecond": "The number of ElastiCache Processing Units (ECPU) the cache can consume per second." + }, + "AWS::ElastiCache::ServerlessCache DataStorage": { + "Maximum": "The upper limit for data storage the cache is set to use.", + "Unit": "The unit that the storage is measured in, in GB." + }, + "AWS::ElastiCache::ServerlessCache ECPUPerSecond": { + "Maximum": "The configuration for the maximum number of ECPUs the cache can consume per second." + }, + "AWS::ElastiCache::ServerlessCache Endpoint": { + "Address": "The DNS hostname of the cache node.", + "Port": "The port number that the cache engine is listening on." + }, + "AWS::ElastiCache::ServerlessCache Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::SubnetGroup": { "CacheSubnetGroupName": "The name for the cache subnet group. This value is stored as a lowercase string.\n\nConstraints: Must contain no more than 255 alphanumeric characters or hyphens.\n\nExample: `mysubnetgroup`", "Description": "The description for the cache subnet group.", "SubnetIds": "The EC2 subnet IDs for the cache subnet group.", "Tags": "A tag that can be added to an ElastiCache subnet group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your subnet groups. A tag with a null Value is permitted." }, + "AWS::ElastiCache::SubnetGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." 
+ }, "AWS::ElastiCache::User": { "AccessString": "Access permissions string used for this user.", "AuthenticationMode": "Specifies the authentication mode to use. Below is an example of the possible JSON values:\n\n```\n{ Type: Passwords: [\"*****\", \"******\"] // If Type is password.\n}\n```", @@ -11220,12 +13023,20 @@ "Passwords": "Specifies the passwords to use for authentication if `Type` is set to `password` .", "Type": "Specifies the authentication type. Possible options are IAM authentication, password and no password." }, + "AWS::ElastiCache::User Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::UserGroup": { "Engine": "The current supported value is redis.", "Tags": "", "UserGroupId": "The ID of the user group.", "UserIds": "The list of user IDs that belong to the user group. A user named `default` must be included." }, + "AWS::ElastiCache::UserGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElasticBeanstalk::Application": { "ApplicationName": "A name for the Elastic Beanstalk application. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the application name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", "Description": "Your description of the application.", 
@@ -11297,6 +13108,10 @@ "ResourceName": "A unique resource name for the option setting. Use it for a time\u2013based scaling configuration option.", "Value": "The current value for the configuration option." }, + "AWS::ElasticBeanstalk::Environment Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::ElasticBeanstalk::Environment Tier": { "Name": "The name of this environment tier.\n\nValid values:\n\n- For *Web server tier* \u2013 `WebServer`\n- For *Worker tier* \u2013 `Worker`", "Type": "The type of this environment tier.\n\nValid values:\n\n- For *Web server tier* \u2013 `Standard`\n- For *Worker tier* \u2013 `SQS/HTTP`", 
@@ -11306,9 +13121,9 @@ "AccessLoggingPolicy": "Information about where and how access logs are stored for the load balancer.", "AppCookieStickinessPolicy": "Information about a policy for application-controlled session stickiness.", "AvailabilityZones": "The Availability Zones for the load balancer. For load balancers in a VPC, specify `Subnets` instead.\n\nUpdate requires replacement if you did not previously specify an Availability Zone or if you are removing all Availability Zones. Otherwise, update requires no interruption.", - "ConnectionDrainingPolicy": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure Connection Draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *Classic Load Balancers Guide* .", - "ConnectionSettings": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. 
For more information, see [Configure Idle Connection Timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *Classic Load Balancers Guide* .", - "CrossZone": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure Cross-Zone Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *Classic Load Balancers Guide* .", + "ConnectionDrainingPolicy": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure connection draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *User Guide for Classic Load Balancers* .", + "ConnectionSettings": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. 
For more information, see [Configure idle connection timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *User Guide for Classic Load Balancers* .", + "CrossZone": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure cross-zone load balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *User Guide for Classic Load Balancers* .", "HealthCheck": "The health check settings to use when evaluating the health of your EC2 instances.\n\nUpdate requires replacement if you did not previously specify health check settings or if you are removing the health check settings. Otherwise, update requires no interruption.", "Instances": "The IDs of the instances for the load balancer.", "LBCookieStickinessPolicy": "Information about a policy for duration-based session stickiness.", 
@@ -11363,11 +13178,16 @@ "PolicyName": "The name of the policy.", "PolicyType": "The name of the policy type." }, + "AWS::ElasticLoadBalancing::LoadBalancer Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::ElasticLoadBalancingV2::Listener": { "AlpnPolicy": "[TLS listener] The name of the Application-Layer Protocol Negotiation (ALPN) policy.", "Certificates": "The default SSL server certificate for a secure listener. You must provide exactly one certificate if the listener protocol is HTTPS or TLS.\n\nTo create a certificate list for a secure listener, use [AWS::ElasticLoadBalancingV2::ListenerCertificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenercertificate.html) .", "DefaultActions": "The actions for the default rule. You cannot define a condition for a default rule.\n\nTo create additional rules for an Application Load Balancer, use [AWS::ElasticLoadBalancingV2::ListenerRule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenerrule.html) .", "LoadBalancerArn": "The Amazon Resource Name (ARN) of the load balancer.", + "MutualAuthentication": "The mutual authentication configuration information.", "Port": "The port on which the load balancer is listening. You cannot specify a port for a Gateway Load Balancer.", "Protocol": "The protocol for connections from clients to the load balancer. For Application Load Balancers, the supported protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocols are TCP, TLS, UDP, and TCP_UDP. You can\u2019t specify the UDP or TCP_UDP protocol if dual-stack mode is enabled. 
You cannot specify a protocol for a Gateway Load Balancer.", "SslPolicy": "[HTTPS and TLS listeners] The security policy that defines which protocols and ciphers are supported.\n\nFor more information, see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) in the *Application Load Balancers Guide* and [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#describe-ssl-policies) in the *Network Load Balancers Guide* ." @@ -11418,6 +13238,11 @@ "TargetGroupStickinessConfig": "Information about the target group stickiness for a rule.", "TargetGroups": "Information about how traffic will be distributed between multiple target groups in a forward rule." }, + "AWS::ElasticLoadBalancingV2::Listener MutualAuthentication": { + "IgnoreClientCertificateExpiry": "Indicates whether expired client certificates are ignored.", + "Mode": "The client certificate handling method. Options are `off` , `passthrough` or `verify` . The default value is `off` .", + "TrustStoreArn": "The Amazon Resource Name (ARN) of the trust store." + }, "AWS::ElasticLoadBalancingV2::Listener RedirectConfig": { "Host": "The hostname. This component is not percent-encoded. The hostname can contain #{host}.", "Path": "The absolute path, starting with the leading \"/\". This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}.", 
@@ -11544,14 +13369,14 @@ "LoadBalancerAttributes": "The load balancer attributes.", "Name": "The name of the load balancer. This name must be unique per region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, must not begin or end with a hyphen, and must not begin with \"internal-\".\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID for the load balancer. If you specify a name, you cannot perform updates that require replacement of this resource, but you can perform other updates. To replace the resource, specify a new name.", "Scheme": "The nodes of an Internet-facing load balancer have public IP addresses. The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes. Therefore, Internet-facing load balancers can route requests from clients over the internet.\n\nThe nodes of an internal load balancer have only private IP addresses. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load balancers can route requests only from clients with access to the VPC for the load balancer.\n\nThe default is an Internet-facing load balancer.\n\nYou cannot specify a scheme for a Gateway Load Balancer.", - "SecurityGroups": "[Application Load Balancers] The IDs of the security groups for the load balancer.", + "SecurityGroups": "[Application Load Balancers and Network Load Balancers] The IDs of the security groups for the load balancer.", "SubnetMappings": "The IDs of the public subnets. You can specify only one subnet per Availability Zone. You must specify either subnets or subnet mappings, but not both.\n\n[Application Load Balancers] You must specify subnets from at least two Availability Zones. 
You cannot specify Elastic IP addresses for your subnets.\n\n[Application Load Balancers on Outposts] You must specify one Outpost subnet.\n\n[Application Load Balancers on Local Zones] You can specify subnets from one or more Local Zones.\n\n[Network Load Balancers] You can specify subnets from one or more Availability Zones. You can specify one Elastic IP address per subnet if you need static IP addresses for your internet-facing load balancer. For internal load balancers, you can specify one private IP address per subnet from the IPv4 range of the subnet. For internet-facing load balancer, you can specify one IPv6 address per subnet.\n\n[Gateway Load Balancers] You can specify subnets from one or more Availability Zones. You cannot specify Elastic IP addresses for your subnets.", "Subnets": "The IDs of the public subnets. You can specify only one subnet per Availability Zone. You must specify either subnets or subnet mappings, but not both. To specify an Elastic IP address, specify subnet mappings instead of subnets.\n\n[Application Load Balancers] You must specify subnets from at least two Availability Zones.\n\n[Application Load Balancers on Outposts] You must specify one Outpost subnet.\n\n[Application Load Balancers on Local Zones] You can specify subnets from one or more Local Zones.\n\n[Network Load Balancers] You can specify subnets from one or more Availability Zones.\n\n[Gateway Load Balancers] You can specify subnets from one or more Availability Zones.", "Tags": "The tags to assign to the load balancer.", "Type": "The type of load balancer. The default is `application` ." }, "AWS::ElasticLoadBalancingV2::LoadBalancer LoadBalancerAttribute": { - "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . 
The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). 
The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . 
The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .", + "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. 
The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `connection_logs.s3.enabled` - Indicates whether connection logs are enabled. The value is `true` or `false` . The default is `false` .\n- `connection_logs.s3.bucket` - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `connection_logs.s3.prefix` - The prefix for the location in the S3 bucket for the connection logs.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . 
The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . 
Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .\n\nThe following attributes are supported by only Network Load Balancers:\n\n- `dns_record.client_routing_policy` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are `availability_zone_affinity` with 100 percent zonal affinity, `partial_availability_zone_affinity` with 85 percent zonal affinity, and `any_availability_zone` with 0 percent zonal affinity.", "Value": "The value of the attribute." }, "AWS::ElasticLoadBalancingV2::LoadBalancer SubnetMapping": { @@ -11560,6 +13385,10 @@ "PrivateIPv4Address": "[Network Load Balancers] The private IPv4 address for an internal load balancer.", "SubnetId": "The ID of the subnet." }, + "AWS::ElasticLoadBalancingV2::LoadBalancer Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::ElasticLoadBalancingV2::TargetGroup": { "HealthCheckEnabled": "Indicates whether health checks are enabled. If the target type is `lambda` , health checks are disabled by default but can be enabled. If the target type is `instance` , `ip` , or `alb` , health checks are always enabled and cannot be disabled.", "HealthCheckIntervalSeconds": "The approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. If the target group protocol is TCP, TLS, UDP, TCP_UDP, HTTP or HTTPS, the default is 30 seconds. If the target group protocol is GENEVE, the default is 10 seconds. If the target type is `lambda` , the default is 35 seconds.", 
@@ -11585,15 +13414,46 @@ "GrpcCode": "You can specify values between 0 and 99. You can specify multiple values (for example, \"0,1\") or a range of values (for example, \"0-5\"). The default value is 12.", "HttpCode": "For Application Load Balancers, you can specify values between 200 and 499, with the default value being 200. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\").\n\nFor Network Load Balancers, you can specify values between 200 and 599, with the default value being 200-399. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\").\n\nFor Gateway Load Balancers, this must be \"200\u2013399\".\n\nNote that when using shorthand syntax, some values such as commas need to be escaped." }, + "AWS::ElasticLoadBalancingV2::TargetGroup Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::ElasticLoadBalancingV2::TargetGroup TargetDescription": { "AvailabilityZone": "An Availability Zone or `all` . This determines whether the target receives traffic from the load balancer nodes in the specified Availability Zone or from all enabled Availability Zones for the load balancer.\n\nFor Application Load Balancer target groups, the specified Availability Zone value is only applicable when cross-zone load balancing is off. Otherwise the parameter is ignored and treated as `all` .\n\nThis parameter is not supported if the target type of the target group is `instance` or `alb` .\n\nIf the target type is `ip` and the IP address is in a subnet of the VPC for the target group, the Availability Zone is automatically detected and this parameter is optional. 
If the IP address is outside the VPC, this parameter is required.\n\nFor Application Load Balancer target groups with cross-zone load balancing off, if the target type is `ip` and the IP address is outside of the VPC for the target group, this should be an Availability Zone inside the VPC for the target group.\n\nIf the target type is `lambda` , this parameter is optional and the only supported value is `all` .", "Id": "The ID of the target. If the target type of the target group is `instance` , specify an instance ID. If the target type is `ip` , specify an IP address. If the target type is `lambda` , specify the ARN of the Lambda function. If the target type is `alb` , specify the ARN of the Application Load Balancer target.", "Port": "The port on which the target is listening. If the target group protocol is GENEVE, the supported port is 6081. If the target type is `alb` , the targeted Application Load Balancer must have at least one listener whose port matches the target group port. This parameter is not used if the target is a Lambda function." }, "AWS::ElasticLoadBalancingV2::TargetGroup TargetGroupAttribute": { - "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. 
The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. 
The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` or `least_outstanding_requests` . The default is `round_robin` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . 
The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . The default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. 
The value you set for both attributes must be the same.", + "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. 
The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` , `least_outstanding_requests` , or `weighted_random` . The default is `round_robin` .\n- `load_balancing.algorithm.anomaly_mitigation` - Only available when `load_balancing.algorithm.type` is `weighted_random` . Indicates whether anomaly mitigation is enabled. The value is `on` or `off` . The default is `off` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. 
Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. 
Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", "Value": "The value of the attribute." }, + "AWS::ElasticLoadBalancingV2::TrustStore": { + "CaCertificatesBundleS3Bucket": "The Amazon S3 bucket for the ca certificates bundle.", + "CaCertificatesBundleS3Key": "The Amazon S3 path for the ca certificates bundle.", + "CaCertificatesBundleS3ObjectVersion": "The Amazon S3 object version for the ca certificates bundle. If undefined the current version is used.", + "Name": "The name of the trust store.", + "Tags": "The tags to assign to the trust store." + }, + "AWS::ElasticLoadBalancingV2::TrustStore Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." 
+ }, + "AWS::ElasticLoadBalancingV2::TrustStoreRevocation": { + "RevocationContents": "The revocation file to add.", + "TrustStoreArn": "The Amazon Resource Name (ARN) of the trust store." + }, + "AWS::ElasticLoadBalancingV2::TrustStoreRevocation RevocationContent": { + "RevocationType": "The type of revocation file.", + "S3Bucket": "The Amazon S3 bucket for the revocation file.", + "S3Key": "The Amazon S3 path for the revocation file.", + "S3ObjectVersion": "The Amazon S3 object version of the revocation file." + }, + "AWS::ElasticLoadBalancingV2::TrustStoreRevocation TrustStoreRevocation": { + "NumberOfRevokedEntries": "The number of revoked certificates.", + "RevocationId": "The revocation ID of the revocation file.", + "RevocationType": "The type of revocation file.", + "TrustStoreArn": "The Amazon Resource Name (ARN) of the trust store." + }, "AWS::Elasticsearch::Domain": { "AccessPolicies": "An AWS Identity and Access Management ( IAM ) policy document that specifies who can access the OpenSearch Service domain and their permissions. For more information, see [Configuring access policies](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-creating) in the *Amazon OpenSearch Service Developer Guid* e.", "AdvancedOptions": "Additional options to specify for the OpenSearch Service domain. For more information, see [Advanced cluster parameters](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomain-configure-advanced-options) in the *Amazon OpenSearch Service Developer Guide* .", 
@@ -11671,6 +13531,10 @@ "AWS::Elasticsearch::Domain SnapshotOptions": { "AutomatedSnapshotStartHour": "The hour in UTC during which the service takes an automated daily snapshot of the indices in the OpenSearch Service domain. For example, if you specify 0, OpenSearch Service takes an automated snapshot everyday between midnight and 1 am. You can specify a value between 0 and 23." }, + "AWS::Elasticsearch::Domain Tag": { + "Key": "", + "Value": "" + }, "AWS::Elasticsearch::Domain VPCOptions": { "SecurityGroupIds": "The list of security group IDs that are associated with the VPC endpoints for the domain. If you don't provide a security group ID, OpenSearch Service uses the default security group for the VPC. To learn more, see [Security groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon VPC User Guide* .", "SubnetIds": "Provide one subnet ID for each Availability Zone that your domain uses. For example, you must specify three subnet IDs for a three Availability Zone domain. To learn more, see [VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon VPC User Guide* .\n\nRequired if you're creating your domain inside a VPC." 
@@ -11678,6 +13542,105 @@ "AWS::Elasticsearch::Domain ZoneAwarenessConfig": { "AvailabilityZoneCount": "If you enabled multiple Availability Zones (AZs), the number of AZs that you want the domain to use.\n\nValid values are `2` and `3` . Default is 2." }, + "AWS::EntityResolution::IdMappingWorkflow": { + "Description": "A description of the workflow.", + "IdMappingTechniques": "An object which defines the `idMappingType` and the `providerProperties` .", + "InputSourceConfig": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "OutputSourceConfig": "A list of `IdMappingWorkflowOutputSource` objects, each of which contains fields `OutputS3Path` and `Output` .", + "RoleArn": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "Tags": "The tags used to organize, track, or control access for this resource.", + "WorkflowName": "The name of the workflow. There can't be multiple `IdMappingWorkflows` with the same name." + }, + "AWS::EntityResolution::IdMappingWorkflow IdMappingTechniques": { + "IdMappingType": "The type of ID mapping.", + "ProviderProperties": "An object which defines any additional configurations required by the provider service." + }, + "AWS::EntityResolution::IdMappingWorkflow IdMappingWorkflowInputSource": { + "InputSourceARN": "An AWS Glue table ARN for the input source table.", + "SchemaArn": "The ARN (Amazon Resource Name) that AWS Entity Resolution generated for the `SchemaMapping` ." + }, + "AWS::EntityResolution::IdMappingWorkflow IdMappingWorkflowOutputSource": { + "KMSArn": "Customer AWS KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "OutputS3Path": "The S3 path to which AWS Entity Resolution will write the output table." 
+ }, + "AWS::EntityResolution::IdMappingWorkflow IntermediateSourceConfiguration": { + "IntermediateS3Path": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`" + }, + "AWS::EntityResolution::IdMappingWorkflow ProviderProperties": { + "IntermediateSourceConfiguration": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "ProviderConfiguration": "The required configuration fields to use with the provider service.", + "ProviderServiceArn": "The ARN of the provider service." + }, + "AWS::EntityResolution::IdMappingWorkflow Tag": { + "Key": "", + "Value": "" + }, + "AWS::EntityResolution::MatchingWorkflow": { + "Description": "A description of the workflow.", + "InputSourceConfig": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "OutputSourceConfig": "A list of `OutputSource` objects, each of which contains fields `OutputS3Path` , `ApplyNormalization` , and `Output` .", + "ResolutionTechniques": "An object which defines the `resolutionType` and the `ruleBasedProperties` .", + "RoleArn": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "Tags": "The tags used to organize, track, or control access for this resource.", + "WorkflowName": "The name of the workflow. There can't be multiple `MatchingWorkflows` with the same name." + }, + "AWS::EntityResolution::MatchingWorkflow InputSource": { + "ApplyNormalization": "Normalizes the attributes defined in the schema in the input data. 
For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "InputSourceARN": "An object containing `InputSourceARN` , `SchemaName` , and `ApplyNormalization` .", + "SchemaArn": "The name of the schema." + }, + "AWS::EntityResolution::MatchingWorkflow IntermediateSourceConfiguration": { + "IntermediateS3Path": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`" + }, + "AWS::EntityResolution::MatchingWorkflow OutputAttribute": { + "Hashed": "Enables the ability to hash the column values in the output.", + "Name": "A name of a column to be written to the output. This must be an `InputField` name in the schema mapping." + }, + "AWS::EntityResolution::MatchingWorkflow OutputSource": { + "ApplyNormalization": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "KMSArn": "Customer KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "Output": "A list of `OutputAttribute` objects, each of which have the fields `Name` and `Hashed` . Each of these objects selects a column to be included in the output table, and whether the values of the column should be hashed.", + "OutputS3Path": "The S3 path to which AWS Entity Resolution will write the output table." + }, + "AWS::EntityResolution::MatchingWorkflow ProviderProperties": { + "IntermediateSourceConfiguration": "The Amazon S3 location that temporarily stores your data while it processes. 
Your information won't be saved permanently.", + "ProviderConfiguration": "The required configuration fields to use with the provider service.", + "ProviderServiceArn": "The ARN of the provider service." + }, + "AWS::EntityResolution::MatchingWorkflow ResolutionTechniques": { + "ProviderProperties": "The properties of the provider service.", + "ResolutionType": "The type of matching. There are two types of matching: `RULE_MATCHING` and `ML_MATCHING` .", + "RuleBasedProperties": "An object which defines the list of matching rules to run and has a field `Rules` , which is a list of rule objects." + }, + "AWS::EntityResolution::MatchingWorkflow Rule": { + "MatchingKeys": "A list of `MatchingKeys` . The `MatchingKeys` must have been defined in the `SchemaMapping` . Two records are considered to match according to this rule if all of the `MatchingKeys` match.", + "RuleName": "A name for the matching rule." + }, + "AWS::EntityResolution::MatchingWorkflow RuleBasedProperties": { + "AttributeMatchingModel": "The comparison type. You can either choose `ONE_TO_ONE` or `MANY_TO_MANY` as the AttributeMatchingModel. When choosing `MANY_TO_MANY` , the system can match attributes across the sub-types of an attribute type. For example, if the value of the `Email` field of Profile A and the value of `BusinessEmail` field of Profile B matches, the two profiles are matched on the `Email` type. When choosing `ONE_TO_ONE` ,the system can only match if the sub-types are exact matches. For example, only when the value of the `Email` field of Profile A and the value of the `Email` field of Profile B matches, the two profiles are matched on the `Email` type.", + "Rules": "A list of `Rule` objects, each of which have fields `RuleName` and `MatchingKeys` ." + }, + "AWS::EntityResolution::MatchingWorkflow Tag": { + "Key": "", + "Value": "" + }, + "AWS::EntityResolution::SchemaMapping": { + "Description": "A description of the schema.", + "MappedInputFields": "A list of `MappedInputFields` . 
Each `MappedInputField` corresponds to a column the source data table, and contains column name plus additional information that AWS Entity Resolution uses for matching.", + "SchemaName": "The name of the schema. There can't be multiple `SchemaMappings` with the same name.", + "Tags": "The tags used to organize, track, or control access for this resource." + }, + "AWS::EntityResolution::SchemaMapping SchemaInputAttribute": { + "FieldName": "A string containing the field name.", + "GroupName": "Instruct AWS Entity Resolution to combine several columns into a unified column with the identical attribute type. For example, when working with columns such as first_name, middle_name, and last_name, assigning them a common `GroupName` will prompt AWS Entity Resolution to concatenate them into a single value.", + "MatchKey": "A key that allows grouping of multiple input attributes into a unified matching group. For example, let's consider a scenario where the source table contains various addresses, such as `business_address` and `shipping_address` . By assigning the `MatchKey` *Address* to both attributes, AWS Entity Resolution will match records across these fields to create a consolidated matching group. If no `MatchKey` is specified for a column, it won't be utilized for matching purposes but will still be included in the output table.", + "SubType": "The subtype of the attribute, selected from a list of values.", + "Type": "The type of the attribute, selected from a list of values." + }, + "AWS::EntityResolution::SchemaMapping Tag": { + "Key": "", + "Value": "" + }, "AWS::EventSchemas::Discoverer": { "CrossAccount": "Allows for the discovery of the event schemas that are sent to the event bus from another account.", "Description": "A description for the discoverer.", 
@@ -11685,8 +13648,8 @@ "Tags": "Tags associated with the resource." }, "AWS::EventSchemas::Discoverer TagsEntry": { - "Key": "They key of a key-value pair.", - "Value": "They value of a key-value pair." + "Key": "The key of a key-value pair.", + "Value": "The value of a key-value pair." }, "AWS::EventSchemas::Registry": { "Description": "A description of the registry to be created.", @@ -11694,8 +13657,8 @@ "Tags": "Tags to associate with the registry." }, "AWS::EventSchemas::Registry TagsEntry": { - "Key": "They key of a key-value pair.", - "Value": "They value of a key-value pair." + "Key": "The key of a key-value pair.", + "Value": "The value of a key-value pair." }, "AWS::EventSchemas::RegistryPolicy": { "Policy": "A resource-based policy.", @@ -11711,8 +13674,8 @@ "Type": "The type of schema.\n\nValid types include `OpenApi3` and `JSONSchemaDraft4` ." }, "AWS::EventSchemas::Schema TagsEntry": { - "Key": "They key of a key-value pair.", - "Value": "They value of a key-value pair." + "Key": "The key of a key-value pair.", + "Value": "The value of a key-value pair." }, "AWS::Events::ApiDestination": { "ConnectionArn": "The ARN of the connection to use for the API destination. The destination endpoint must support the authorization type specified for the connection.", 
@@ -11799,9 +13762,10 @@ "AWS::Events::EventBus": { "EventSourceName": "If you are creating a partner event bus, this specifies the partner event source that the new event bus will be matched with.", "Name": "The name of the new event bus.\n\nCustom event bus names can't contain the `/` character, but you can use the `/` character in partner event bus names. In addition, for partner event buses, the name must exactly match the name of the partner event source that this event bus is matched to.\n\nYou can't use the name `default` for a custom event bus, as this name is already used for your account's default event bus.", + "Policy": "The permissions policy of the event bus, describing which other AWS accounts can write events to this event bus.", "Tags": "Tags to associate with the event bus." }, - "AWS::Events::EventBus TagEntry": { + "AWS::Events::EventBus Tag": { "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", "Value": "The value for the specified tag key." }, 
@@ -11825,7 +13789,7 @@ "Name": "The name of the rule.", "RoleArn": "The Amazon Resource Name (ARN) of the role that is used for target invocation.\n\nIf you're setting an event bus in another account as the target and that account granted permission to your account through an organization instead of directly by the account ID, you must specify a `RoleArn` with proper permissions in the `Target` structure, instead of here in this parameter.", "ScheduleExpression": "The scheduling expression. For example, \"cron(0 20 * * ? *)\", \"rate(5 minutes)\". For more information, see [Creating an Amazon EventBridge rule that runs on a schedule](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule-schedule.html) .", - "State": "The state of the rule.", + "State": "The state of the rule.\n\nValid values include:\n\n- `DISABLED` : The rule is disabled. EventBridge does not match any events against the rule.\n- `ENABLED` : The rule is enabled. EventBridge matches events against the rule, *except* for AWS management events delivered through CloudTrail.\n- `ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS` : The rule is enabled for all events, including AWS management events delivered through CloudTrail.\n\nManagement events provide visibility into management operations that are performed on resources in your AWS account. These are also known as control plane operations. 
For more information, see [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#logging-management-events) in the *CloudTrail User Guide* , and [Filtering management events from AWS services](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html#eb-service-event-cloudtrail) in the *Amazon EventBridge User Guide* .\n\nThis value is only valid for rules on the [default](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is-how-it-works-concepts.html#eb-bus-concepts-buses) event bus or [custom event buses](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-event-bus.html) . It does not apply to [partner event buses](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-saas.html) .", "Targets": "Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.\n\nTargets are the resources that are invoked when a rule is triggered.\n\nThe maximum number of entries per request is 10.\n\n> Each rule can have up to five (5) targets associated with it at one time. \n\nFor a list of services you can configure as targets for events, see [EventBridge targets](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html) in the *Amazon EventBridge User Guide* .\n\nCreating rules with built-in targets is supported only in the AWS Management Console . The built-in targets are:\n\n- `Amazon EBS CreateSnapshot API call`\n- `Amazon EC2 RebootInstances API call`\n- `Amazon EC2 StopInstances API call`\n- `Amazon EC2 TerminateInstances API call`\n\nFor some target types, `PutTargets` provides target-specific parameters. If the target is a Kinesis data stream, you can optionally specify which shard the event goes to by using the `KinesisParameters` argument. 
To invoke a command on multiple EC2 instances with one rule, you can use the `RunCommandParameters` field.\n\nTo be able to make API calls against the resources that you own, Amazon EventBridge needs the appropriate permissions:\n\n- For AWS Lambda and Amazon SNS resources, EventBridge relies on resource-based policies.\n- For EC2 instances, Kinesis Data Streams, AWS Step Functions state machines and API Gateway APIs, EventBridge relies on IAM roles that you specify in the `RoleARN` argument in `PutTargets` .\n\nFor more information, see [Authentication and Access Control](https://docs.aws.amazon.com/eventbridge/latest/userguide/auth-and-access-control-eventbridge.html) in the *Amazon EventBridge User Guide* .\n\nIf another AWS account is in the same region and has granted you permission (using `PutPermission` ), you can send events to that account. Set that account's event bus as a target of the rules in your account. To send the matched events to the other account, specify that account's event bus as the `Arn` value when you run `PutTargets` . If your account sends events to another account, your account is charged for each sent event. Each event sent to another account is charged as a custom event. The account receiving the event is not charged. For more information, see [Amazon EventBridge Pricing](https://docs.aws.amazon.com/eventbridge/pricing/) .\n\n> `Input` , `InputPath` , and `InputTransformer` are not available with `PutTarget` if the target is an event bus of a different AWS account. \n\nIf you are setting the event bus of another account as the target, and that account granted permission to your account through an organization instead of directly by the account ID, then you must specify a `RoleArn` with proper permissions in the `Target` structure. 
For more information, see [Sending and Receiving Events Between AWS Accounts](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-cross-account-event-delivery.html) in the *Amazon EventBridge User Guide* .\n\n> If you have an IAM role on a cross-account event bus target, a `PutTargets` call without a role on the same target (same `Id` and `Arn` ) will not remove the role. \n\nFor more information about enabling cross-account events, see [PutPermission](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutPermission.html) .\n\n*Input* , *InputPath* , and *InputTransformer* are mutually exclusive and optional parameters of a target. When a rule is triggered due to a matched event:\n\n- If none of the following arguments are specified for a target, then the entire event is passed to the target in JSON format (unless the target is Amazon EC2 Run Command or Amazon ECS task, in which case nothing from the event is passed to the target).\n- If *Input* is specified in the form of valid JSON, then the matched event is overridden with this constant.\n- If *InputPath* is specified in the form of JSONPath (for example, `$.detail` ), then only the part of the event specified in the path is passed to the target (for example, only the detail part of the event is passed).\n- If *InputTransformer* is specified, then one or more specified JSONPaths are extracted from the event and used as values in a template that you specify as the input to the target.\n\nWhen you specify `InputPath` or `InputTransformer` , you must use JSON dot notation, not bracket notation.\n\nWhen you add targets to a rule and the associated rule triggers soon after, new or updated targets might not be immediately invoked. Allow a short period of time for changes to take effect.\n\nThis action can partially fail if too many requests are made at the same time. 
If that happens, `FailedEntryCount` is non-zero in the response and each entry in `FailedEntries` provides the ID of the failed target and the error code." }, "AWS::Events::Rule AwsVpcConfiguration": { @@ -11897,6 +13861,7 @@ "DbUser": "The database user name. Required when authenticating using temporary credentials.", "SecretManagerArn": "The name or ARN of the secret that enables access to the database. Required when authenticating using AWS Secrets Manager.", "Sql": "The SQL statement text to run.", + "Sqls": "One or more SQL statements to run. The SQL statements are run as a single transaction. They run serially in the order of the array. Subsequent SQL statements don't start until the previous statement in the array completes. If any SQL statement fails, then because they are run as one transaction, all work is rolled back.", "StatementName": "The name of the SQL statement. You can name the SQL statement when you create it to identify the query.", "WithEvent": "Indicates whether to send an event back to EventBridge after the SQL statement runs." }, 
@@ -11953,7 +13918,7 @@ "RemoveSegment": "Set this to `true` to remove the segment that is associated with this experiment. You can't use this parameter if the experiment is currently running.", "RunningStatus": "A structure that you can use to start and stop the experiment.", "SamplingRate": "The portion of the available audience that you want to allocate to this experiment, in thousandths of a percent. The available audience is the total audience minus the audience that you have allocated to overrides or current launches of this feature.\n\nThis is represented in thousandths of a percent. For example, specify 10,000 to allocate 10% of the available audience.", - "Segment": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "Segment": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "Tags": "Assigns one or more tags (key-value pairs) to the experiment.\n\nTags can help you organize and categorize your resources. 
You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values.\n\nTags don't have any semantic meaning to AWS and are interpreted strictly as strings of characters.\n\nYou can associate as many as 50 tags with an experiment.\n\nFor more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .", "Treatments": "An array of structures that describe the configuration of each feature variation used in the experiment." }, @@ -11975,6 +13940,10 @@ "Reason": "If you are using AWS CloudFormation to stop this experiment, this is an optional field that you can use to record why the experiment is being stopped or cancelled.", "Status": "To start the experiment now, specify `START` for this parameter. If this experiment is currently running and you want to stop it now, specify `STOP` ." }, + "AWS::Evidently::Experiment Tag": { + "Key": "", + "Value": "" + }, "AWS::Evidently::Experiment TreatmentObject": { "Description": "The description of the treatment.", "Feature": "The name of the feature for this experiment.", @@ -11999,6 +13968,10 @@ "EntityId": "The entity ID to be served the variation specified in `Variation` .", "Variation": "The name of the variation to serve to the user session that matches the `EntityId` ." }, + "AWS::Evidently::Feature Tag": { + "Key": "", + "Value": "" + }, "AWS::Evidently::Feature VariationObject": { "BooleanValue": "The value assigned to this variation, if the variation type is boolean.", "DoubleValue": "The value assigned to this variation, if the variation type is a double.", 
@@ -12049,6 +14022,10 @@ "SegmentOverrides": "An array of structures that you can use to specify different traffic splits for one or more audience *segments* . A segment is a portion of your audience that share one or more characteristics. Examples could be Chrome browser users, users in Europe, or Firefox browser users in Europe who also fit other criteria that your application collects, such as age.\n\nFor more information, see [Use segments to focus your audience](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html) .", "StartTime": "The date and time to start this step of the launch. Use UTC format, `yyyy-MM-ddTHH:mm:ssZ` . For example, `2025-11-25T23:59:59Z`" }, + "AWS::Evidently::Launch Tag": { + "Key": "", + "Value": "" + }, "AWS::Evidently::Project": { "AppConfigResource": "Use this parameter if the project will use *client-side evaluation powered by AWS AppConfig* . Client-side evaluation allows your application to assign variations to user sessions locally instead of by calling the [EvaluateFeature](https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_EvaluateFeature.html) operation. This mitigates the latency and availability risks that come with an API call. For more information, see [Use client-side evaluation - powered by AWS AppConfig .](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-client-side-evaluation.html)\n\nThis parameter is a structure that contains information about the AWS AppConfig application that will be used as for client-side evaluation.\n\nTo create a project that uses client-side evaluation, you must have the `evidently:ExportProjectAsConfiguration` permission.", "DataDelivery": "A structure that contains information about where Evidently is to store evaluation events for longer term storage, if you choose to do so. 
If you choose not to store these events, Evidently deletes them after using them to produce metrics and other experiment results that you can view.\n\nYou can't specify both `CloudWatchLogs` and `S3Destination` in the same operation.", 
@@ -12068,47 +14045,60 @@ "BucketName": "The name of the bucket in which Evidently stores evaluation events.", "Prefix": "The bucket prefix in which Evidently stores evaluation events." }, + "AWS::Evidently::Project Tag": { + "Key": "", + "Value": "" + }, "AWS::Evidently::Segment": { "Description": "An optional description for this segment.", "Name": "A name for the segment.", - "Pattern": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "Pattern": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "Tags": "Assigns one or more tags (key-value pairs) to the feature.\n\nTags can help you organize and categorize your resources. You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values.\n\nTags don't have any semantic meaning to AWS and are interpreted strictly as strings of characters.\n\nYou can associate as many as 50 tags with a feature.\n\nFor more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) ." 
}, + "AWS::Evidently::Segment Tag": { + "Key": "", + "Value": "" + }, "AWS::FIS::ExperimentTemplate": { "Actions": "The actions for the experiment.", - "Description": "A description for the experiment template.", + "Description": "The description for the experiment template.", + "ExperimentOptions": "The experiment options for an experiment template.", "LogConfiguration": "The configuration for experiment logging.", - "RoleArn": "The Amazon Resource Name (ARN) of an IAM role that grants the AWS FIS service permission to perform service actions on your behalf.", - "StopConditions": "The stop conditions.", - "Tags": "The tags to apply to the experiment template.", + "RoleArn": "The Amazon Resource Name (ARN) of an IAM role.", + "StopConditions": "The stop conditions for the experiment.", + "Tags": "The tags for the experiment template.", "Targets": "The targets for the experiment." }, "AWS::FIS::ExperimentTemplate CloudWatchLogsConfiguration": { "LogGroupArn": "The Amazon Resource Name (ARN) of the destination Amazon CloudWatch Logs log group." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateAction": { - "ActionId": "The ID of the action. The format of the action ID is: aws: *service-name* : *action-type* .", + "ActionId": "The ID of the action.", "Description": "A description for the action.", - "Parameters": "The parameters for the action, if applicable.", - "StartAfter": "The name of the action that must be completed before the current action starts. Omit this parameter to run the action at the start of the experiment.", - "Targets": "The targets for the action." + "ExperimentTemplateActionItemParameter": "The parameters for the action.", + "ExperimentTemplateActionItemTarget": "The targets for the action.", + "StartAfter": "The name of the action that must be completed before the current action starts." 
+ }, + "AWS::FIS::ExperimentTemplate ExperimentTemplateExperimentOptions": { + "AccountTargeting": "The account targeting setting for an experiment template.", + "EmptyTargetResolutionMode": "The empty target resolution mode for an experiment template." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateLogConfiguration": { - "CloudWatchLogsConfiguration": "The configuration for experiment logging to CloudWatch Logs .", + "CloudWatchLogsConfiguration": "The configuration for experiment logging to Amazon CloudWatch Logs.", "LogSchemaVersion": "The schema version.", - "S3Configuration": "The configuration for experiment logging to Amazon S3 ." + "S3Configuration": "The configuration for experiment logging to Amazon S3." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateStopCondition": { - "Source": "The source for the stop condition. Specify `aws:cloudwatch:alarm` if the stop condition is defined by a CloudWatch alarm. Specify `none` if there is no stop condition.", - "Value": "The Amazon Resource Name (ARN) of the CloudWatch alarm. This is required if the source is a CloudWatch alarm." + "Source": "The source for the stop condition.", + "Value": "The Amazon Resource Name (ARN) of the CloudWatch alarm, if applicable." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateTarget": { "Filters": "The filters to apply to identify target resources using specific attributes.", - "Parameters": "The parameters for the resource type.", - "ResourceArns": "The Amazon Resource Names (ARNs) of the resources.", + "Parameters": "The resource type parameters.", + "ResourceArns": "The Amazon Resource Names (ARNs) of the targets.", "ResourceTags": "The tags for the target resources.", - "ResourceType": "The resource type. The resource type must be supported for the specified action.", - "SelectionMode": "Scopes the identified resources to a specific count of the resources at random, or a percentage of the resources. 
All identified resources are included in the target.\n\n- ALL - Run the action on all identified targets. This is the default.\n- COUNT(n) - Run the action on the specified number of targets, chosen from the identified targets at random. For example, COUNT(1) selects one of the targets.\n- PERCENT(n) - Run the action on the specified percentage of targets, chosen from the identified targets at random. For example, PERCENT(25) selects 25% of the targets." + "ResourceType": "The resource type.", + "SelectionMode": "Scopes the identified resources to a specific count or percentage." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateTargetFilter": { "Path": "The attribute path for the filter.", @@ -12118,6 +14108,12 @@ "BucketName": "The name of the destination bucket.", "Prefix": "The bucket prefix." }, + "AWS::FIS::TargetAccountConfiguration": { + "AccountId": "The AWS account ID of the target account.", + "Description": "The description of the target account.", + "ExperimentTemplateId": "The ID of the experiment template.", + "RoleArn": "The Amazon Resource Name (ARN) of an IAM role for the target account." + }, "AWS::FMS::NotificationChannel": { "SnsRoleName": "The Amazon Resource Name (ARN) of the IAM role that allows Amazon SNS to record AWS Firewall Manager activity.", "SnsTopicArn": "The Amazon Resource Name (ARN) of the SNS topic that collects notifications from AWS Firewall Manager ." 
@@ -12132,10 +14128,10 @@ "RemediationEnabled": "Indicates if the policy should be automatically applied to new resources.", "ResourceSetIds": "The unique identifiers of the resource sets used by the policy.", "ResourceTags": "An array of `ResourceTag` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also `ExcludeResourceTags` .", - "ResourceType": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nFor AWS WAF and Shield Advanced, example resource types include `AWS::ElasticLoadBalancingV2::LoadBalancer` and `AWS::CloudFront::Distribution` . For a security group common policy, valid values are `AWS::EC2::NetworkInterface` and `AWS::EC2::Instance` . For a security group content audit policy, valid values are `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` . For a security group usage audit policy, the value is `AWS::EC2::SecurityGroup` . For an AWS Network Firewall policy or DNS Firewall policy, the value is `AWS::EC2::VPC` .", + "ResourceType": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . 
To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nThe following are valid resource types for each Firewall Manager policy type:\n\n- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .\n- AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .\n- DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .\n- AWS Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .\n- Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .\n- Security group usage audit - `AWS::EC2::SecurityGroup` .", "ResourceTypeList": "An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType` .", "ResourcesCleanUp": "Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.\n\nBy default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.\n\nThis option is not available for Shield Advanced or AWS WAF Classic policies.", - "SecurityServicePolicyData": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. 
For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucke
tName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone 
configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. 
To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the 
`loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. 
If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "SecurityServicePolicyData": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. 
For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucke
tName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone 
configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. 
To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment 
model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: 
`WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group 
versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. 
Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "Tags": "A collection of key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource." }, "AWS::FMS::Policy IEMap": { 
@@ -12158,7 +14154,7 @@ "Value": "The resource tag value." }, "AWS::FMS::Policy SecurityServicePolicyData": { - "ManagedServiceData": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewa
llOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":
\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": 
\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the 
`loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. 
If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. 
For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "ManagedServiceData": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"log
Type\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\
\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\
\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"\\THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] 
},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: 
`WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]},\\\"optimizeUnassociatedWebACL\\\":true}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group 
versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. 
Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "PolicyOption": "Contains the Network Firewall firewall policy options to configure a centralized deployment model.", "Type": "The service that the policy is using to protect the resources. This specifies the type of policy that is created, either an AWS WAF policy, a Shield Advanced policy, or a security group policy. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support ." }, 
@@ -12169,8 +14165,12 @@ "Description": "A description of the resource set.", "Name": "The descriptive name of the resource set. You can't change the name of a resource set after you create it.", "ResourceTypeList": "Determines the resources that can be associated to the resource set. Depending on your setting for max results and the number of resource sets, a single call might not return the full list.", - "Resources": "The resources included in the resource set.", - "Tags": "A collection of key:value pairs associated with a resource set. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource." + "Resources": "", + "Tags": "" + }, + "AWS::FMS::ResourceSet Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." }, "AWS::FSx::DataRepositoryAssociation": { "BatchImportMetaDataOnCreate": "A boolean flag indicating whether an import data repository task to import metadata should run after the data repository association is created. The task runs if this flag is set to `true` .", 
@@ -12191,10 +14191,14 @@ "AutoExportPolicy": "Describes a data repository association's automatic export policy. The `AutoExportPolicy` defines the types of updated objects on the file system that will be automatically exported to the data repository. As you create, modify, or delete files, Amazon FSx for Lustre automatically exports the defined changes asynchronously once your application finishes modifying the file.\n\nThe `AutoExportPolicy` is only supported on Amazon FSx for Lustre file systems with a data repository association.", "AutoImportPolicy": "Describes the data repository association's automatic import policy. The AutoImportPolicy defines how Amazon FSx keeps your file metadata and directory listings up to date by importing changes to your Amazon FSx for Lustre file system as you modify objects in a linked S3 bucket.\n\nThe `AutoImportPolicy` is only supported on Amazon FSx for Lustre file systems with a data repository association." }, + "AWS::FSx::DataRepositoryAssociation Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::FileSystem": { "BackupId": "The ID of the file system backup that you are using to create a file system. For more information, see [CreateFileSystemFromBackup](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateFileSystemFromBackup.html) .", "FileSystemType": "The type of Amazon FSx file system, which can be `LUSTRE` , `WINDOWS` , `ONTAP` , or `OPENZFS` .", - "FileSystemTypeVersion": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. 
Valid values are `2.10` and `2.12` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 is supported by all Lustre deployment types. `2.12` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", + "FileSystemTypeVersion": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` , `2.12` , and `2.15` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 and 2.15 are supported by all Lustre deployment types. `2.12` or `2.15` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", "KmsKeyId": "The ID of the AWS Key Management Service ( AWS KMS ) key used to encrypt Amazon FSx file system data. 
Used as follows with Amazon FSx file system types:\n\n- Amazon FSx for Lustre `PERSISTENT_1` and `PERSISTENT_2` deployment types only.\n\n`SCRATCH_1` and `SCRATCH_2` types are encrypted using the Amazon FSx service AWS KMS key for your account.\n- Amazon FSx for NetApp ONTAP\n- Amazon FSx for OpenZFS\n- Amazon FSx for Windows File Server", "LustreConfiguration": "The Lustre configuration for the file system being created.\n\n> The following parameters are not supported for file systems with a data repository association.\n> \n> - `AutoImportPolicy`\n> - `ExportPath`\n> - `ImportedChunkSize`\n> - `ImportPath`", "OntapConfiguration": "The ONTAP configuration properties of the FSx for ONTAP file system that you are creating.", 
@@ -12216,7 +14220,7 @@ "Options": "The options to use when mounting the file system. For a list of options that you can use with Network File System (NFS), see the [exports(5) - Linux man page](https://docs.aws.amazon.com/https://linux.die.net/man/5/exports) . When choosing your options, consider the following:\n\n- `crossmnt` is used by default. If you don't specify `crossmnt` when changing the client configuration, you won't be able to see or access snapshots in your file system's snapshot directory.\n- `sync` is used by default. If you instead specify `async` , the system acknowledges writes before writing to disk. If the system crashes before the writes are finished, you lose the unwritten data." }, "AWS::FSx::FileSystem DiskIopsConfiguration": { - "Iops": "The total number of SSD IOPS provisioned for the file system.", + "Iops": "The total number of SSD IOPS provisioned for the file system.\n\nThe minimum and maximum values for this property depend on the value of `HAPairs` and `StorageCapacity` . The minimum value is calculated as `StorageCapacity` * 3 * `HAPairs` (3 IOPS per GB of `StorageCapacity` ). The maximum value is calculated as 200,000 * `HAPairs` .\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) if the value of `Iops` is outside of the minimum or maximum values.", "Mode": "Specifies whether the file system is using the `AUTOMATIC` setting of SSD IOPS of 3 IOPS per GB of storage capacity, , or if it using a `USER_PROVISIONED` value." }, "AWS::FSx::FileSystem LustreConfiguration": { 
@@ -12239,13 +14243,15 @@ "AWS::FSx::FileSystem OntapConfiguration": { "AutomaticBackupRetentionDays": "The number of days to retain automatic backups. Setting this property to `0` disables automatic backups. You can retain automatic backups for a maximum of 90 days. The default is `30` .", "DailyAutomaticBackupStartTime": "A recurring daily time, in the format `HH:MM` . `HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour. For example, `05:00` specifies 5 AM daily.", - "DeploymentType": "Specifies the FSx for ONTAP file system deployment type to use in creating the file system.\n\n- `MULTI_AZ_1` - (Default) A high availability file system configured for Multi-AZ redundancy to tolerate temporary Availability Zone (AZ) unavailability.\n- `SINGLE_AZ_1` - A file system configured for Single-AZ redundancy.\n\nFor information about the use cases for Multi-AZ and Single-AZ deployments, refer to [Choosing a file system deployment type](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/high-availability-AZ.html) .", + "DeploymentType": "Specifies the FSx for ONTAP file system deployment type to use in creating the file system.\n\n- `MULTI_AZ_1` - (Default) A high availability file system configured for Multi-AZ redundancy to tolerate temporary Availability Zone (AZ) unavailability.\n- `SINGLE_AZ_1` - A file system configured for Single-AZ redundancy.\n- `SINGLE_AZ_2` - A file system configured with multiple high-availability (HA) pairs for Single-AZ redundancy.\n\nFor information about the use cases for Multi-AZ and Single-AZ deployments, refer to [Choosing a file system deployment type](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/high-availability-AZ.html) .", "DiskIopsConfiguration": "The SSD IOPS configuration for the FSx for ONTAP file system.", "EndpointIpAddressRange": "(Multi-AZ only) Specifies the IP address range in which the endpoints to access your file system will be created. 
By default in the Amazon FSx API, Amazon FSx selects an unused IP address range for you from the 198.19.* range. By default in the Amazon FSx console, Amazon FSx chooses the last 64 IP addresses from the VPC\u2019s primary CIDR range to use as the endpoint IP address range for the file system. You can have overlapping endpoint IP addresses for file systems deployed in the same VPC/route tables, as long as they don't overlap with any subnet.", "FsxAdminPassword": "The ONTAP administrative password for the `fsxadmin` user with which you administer your file system using the NetApp ONTAP CLI and REST API.", + "HAPairs": "", "PreferredSubnetId": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", - "RouteTableIds": "(Multi-AZ only) Specifies the virtual private cloud (VPC) route tables in which your file system's endpoints will be created. You should specify all VPC route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", - "ThroughputCapacity": "Sets the throughput capacity for the file system that you're creating. Valid values are 128, 256, 512, 1024, 2048, and 4096 MBps.", + "RouteTableIds": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "ThroughputCapacity": "Sets the throughput capacity for the file system that you're creating in megabytes per second (MBps). 
For more information, see [Managing throughput capacity](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/managing-throughput-capacity.html) in the FSx for ONTAP User Guide.\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) for the following conditions:\n\n- The value of `ThroughputCapacity` and `ThroughputCapacityPerHAPair` are not the same value.\n- The value of `ThroughputCapacity` when divided by the value of `HAPairs` is outside of the valid range for `ThroughputCapacity` .", + "ThroughputCapacityPerHAPair": "", "WeeklyMaintenanceStartTime": "A recurring weekly time, in the format `D:HH:MM` .\n\n`D` is the day of the week, for which 1 represents Monday and 7 represents Sunday. For further details, see [the ISO-8601 spec as described on Wikipedia](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_week_date) .\n\n`HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour.\n\nFor example, `1:05:00` specifies maintenance at 5 AM Monday." }, "AWS::FSx::FileSystem OpenZFSConfiguration": { 
@@ -12253,11 +14259,14 @@ "CopyTagsToBackups": "A Boolean value indicating whether tags for the file system should be copied to backups. This value defaults to `false` . If it's set to `true` , all tags for the file system are copied to all automatic and user-initiated backups where the user doesn't specify tags. If this value is `true` , and you specify one or more tags, only the specified tags are copied to backups. If you specify one or more tags when creating a user-initiated backup, no tags are copied from the file system, regardless of this value.", "CopyTagsToVolumes": "A Boolean value indicating whether tags for the file system should be copied to volumes. This value defaults to `false` . If it's set to `true` , all tags for the file system are copied to volumes where the user doesn't specify tags. If this value is `true` , and you specify one or more tags, only the specified tags are copied to volumes. If you specify one or more tags when creating the volume, no tags are copied from the file system, regardless of this value.", "DailyAutomaticBackupStartTime": "A recurring daily time, in the format `HH:MM` . `HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour. For example, `05:00` specifies 5 AM daily.", - "DeploymentType": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `SINGLE_AZ_1` - (Default) Creates file systems with throughput capacities of 64 - 4,096 MBps. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. 
Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland) AWS Regions .\n\nFor more information, see: [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", - "DiskIopsConfiguration": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", + "DeploymentType": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `MULTI_AZ_1` - Creates file systems with high availability that are configured for Multi-AZ redundancy to tolerate temporary unavailability in Availability Zones (AZs). `Multi_AZ_1` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n- `SINGLE_AZ_1` - Creates file systems with throughput capacities of 64 - 4,096 MB/s. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. 
Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n\nFor more information, see [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", + "DiskIopsConfiguration": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP, Amazon FSx for Windows File Server, or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", + "EndpointIpAddressRange": "(Multi-AZ only) Specifies the IP address range in which the endpoints to access your file system will be created. By default in the Amazon FSx API and Amazon FSx console, Amazon FSx selects an available /28 IP address range for you from one of the VPC's CIDR ranges. You can have overlapping endpoint IP addresses for file systems deployed in the same VPC/route tables.", "Options": "To delete a file system if there are child volumes present below the root volume, use the string `DELETE_CHILD_VOLUMES_AND_SNAPSHOTS` . If your file system has child volumes and you don't use this option, the delete request will fail.", + "PreferredSubnetId": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", "RootVolumeConfiguration": "The configuration Amazon FSx uses when creating the root value of the Amazon FSx for OpenZFS file system. 
All volumes are children of the root volume.", - "ThroughputCapacity": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n- For `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n\nYou pay for additional throughput capacity that you provision.", + "RouteTableIds": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "ThroughputCapacity": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", "WeeklyMaintenanceStartTime": "A recurring weekly time, in the format `D:HH:MM` .\n\n`D` is the day of the week, for which 1 represents Monday and 7 represents Sunday. For further details, see [the ISO-8601 spec as described on Wikipedia](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_week_date) .\n\n`HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour.\n\nFor example, `1:05:00` specifies maintenance at 5 AM Monday." }, "AWS::FSx::FileSystem RootVolumeConfiguration": { 
@@ -12276,6 +14285,10 @@ "Password": "The password for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain.", "UserName": "The user name for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain. This account must have the permission to join computers to the domain in the organizational unit provided in `OrganizationalUnitDistinguishedName` , or in the default location of your AD domain." }, + "AWS::FSx::FileSystem Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::FileSystem UserAndGroupQuotas": { "Id": "The ID of the user or group.", "StorageCapacityQuotaGiB": "The amount of storage that the user or group can use in gibibytes (GiB).", 
@@ -12289,6 +14302,7 @@ "CopyTagsToBackups": "A boolean flag indicating whether tags for the file system should be copied to backups. This value defaults to false. If it's set to true, all tags for the file system are copied to all automatic and user-initiated backups where the user doesn't specify tags. If this value is true, and you specify one or more tags, only the specified tags are copied to backups. If you specify one or more tags when creating a user-initiated backup, no tags are copied from the file system, regardless of this value.", "DailyAutomaticBackupStartTime": "A recurring daily time, in the format `HH:MM` . `HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour. For example, `05:00` specifies 5 AM daily.", "DeploymentType": "Specifies the file system deployment type, valid values are the following:\n\n- `MULTI_AZ_1` - Deploys a high availability file system that is configured for Multi-AZ redundancy to tolerate temporary Availability Zone (AZ) unavailability. You can only deploy a Multi-AZ file system in AWS Regions that have a minimum of three Availability Zones. Also supports HDD storage type\n- `SINGLE_AZ_1` - (Default) Choose to deploy a file system that is configured for single AZ redundancy.\n- `SINGLE_AZ_2` - The latest generation Single AZ file system. Specifies a file system that is configured for single AZ redundancy and supports HDD storage type.\n\nFor more information, see [Availability and Durability: Single-AZ and Multi-AZ File Systems](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html) .", + "DiskIopsConfiguration": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for Windows file system. By default, Amazon FSx automatically provisions 3 IOPS per GiB of storage capacity. 
You can provision additional IOPS per GiB of storage, up to the maximum limit associated with your chosen throughput capacity.", "PreferredSubnetId": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located. For in- AWS applications, we recommend that you launch your clients in the same availability zone as your preferred file server to reduce cross-availability zone data transfer costs and minimize latency.", "SelfManagedActiveDirectoryConfiguration": "The configuration that Amazon FSx uses to join a FSx for Windows File Server file system or an FSx for ONTAP storage virtual machine (SVM) to a self-managed (including on-premises) Microsoft Active Directory (AD) directory. For more information, see [Using Amazon FSx for Windows with your self-managed Microsoft Active Directory](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/self-managed-AD.html) or [Managing FSx for ONTAP SVMs](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/managing-svms.html) .", "ThroughputCapacity": "Sets the throughput capacity of an Amazon FSx file system, measured in megabytes per second (MB/s), in 2 to the *n* th increments, between 2^3 (8) and 2^11 (2048).\n\n> To increase storage capacity, a file system must have a minimum throughput capacity of 16 MB/s.", 
@@ -12299,6 +14313,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "VolumeId": "The ID of the volume that the snapshot is of." }, + "AWS::FSx::Snapshot Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::StorageVirtualMachine": { "ActiveDirectoryConfiguration": "Describes the Microsoft Active Directory configuration to which the SVM is joined, if applicable.", "FileSystemId": "Specifies the FSx for ONTAP file system on which to create the SVM.", 
@@ -12319,6 +14337,10 @@ "Password": "The password for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain.", "UserName": "The user name for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain. This account must have the permission to join computers to the domain in the organizational unit provided in `OrganizationalUnitDistinguishedName` , or in the default location of your AD domain." }, + "AWS::FSx::StorageVirtualMachine Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::Volume": { "BackupId": "Specifies the ID of the volume backup to use to create a new volume.", "Name": "The name of the volume.", 
@@ -12327,6 +14349,14 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "VolumeType": "The type of the volume." }, + "AWS::FSx::Volume AggregateConfiguration": { + "Aggregates": "The list of aggregates that this volume resides on. Aggregates are storage pools which make up your primary storage tier. Each high-availability (HA) pair has one aggregate. The names of the aggregates map to the names of the aggregates in the ONTAP CLI and REST API. For FlexVols, there will always be a single entry.\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) for the following conditions:\n\n- The strings in the value of `Aggregates` are not are not formatted as `aggrX` , where X is a number between 1 and 6.\n- The value of `Aggregates` contains aggregates that are not present.\n- One or more of the aggregates supplied are too close to the volume limit to support adding more volumes.", + "ConstituentsPerAggregate": "" + }, + "AWS::FSx::Volume AutocommitPeriod": { + "Type": "Defines the type of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. Setting this value to `NONE` disables autocommit. The default value is `NONE` .", + "Value": "Defines the amount of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. The following ranges are valid:\n\n- `Minutes` : 5 - 65,535\n- `Hours` : 1 - 65,535\n- `Days` : 1 - 3,650\n- `Months` : 1 - 120\n- `Years` : 1 - 10" + }, "AWS::FSx::Volume ClientConfigurations": { "Clients": "A value that specifies who can mount the file system. You can provide a wildcard character ( `*` ), an IP address ( `0.0.0.0` ), or a CIDR address ( `192.0.2.0/24` ). By default, Amazon FSx uses the wildcard character when specifying the client.", "Options": "The options to use when mounting the file system. 
For a list of options that you can use with Network File System (NFS), see the [exports(5) - Linux man page](https://docs.aws.amazon.com/https://linux.die.net/man/5/exports) . When choosing your options, consider the following:\n\n- `crossmnt` is used by default. If you don't specify `crossmnt` when changing the client configuration, you won't be able to see or access snapshots in your file system's snapshot directory.\n- `sync` is used by default. If you instead specify `async` , the system acknowledges writes before writing to disk. If the system crashes before the writes are finished, you lose the unwritten data." 
@@ -12335,15 +14365,19 @@ "ClientConfigurations": "A list of configuration objects that contain the client and options for mounting the OpenZFS file system." }, "AWS::FSx::Volume OntapConfiguration": { + "AggregateConfiguration": "", "CopyTagsToBackups": "A boolean flag indicating whether tags for the volume should be copied to backups. This value defaults to false. If it's set to true, all tags for the volume are copied to all automatic and user-initiated backups where the user doesn't specify tags. If this value is true, and you specify one or more tags, only the specified tags are copied to backups. If you specify one or more tags when creating a user-initiated backup, no tags are copied from the volume, regardless of this value.", "JunctionPath": "Specifies the location in the SVM's namespace where the volume is mounted. This parameter is required. The `JunctionPath` must have a leading forward slash, such as `/vol3` .", "OntapVolumeType": "Specifies the type of volume you are creating. Valid values are the following:\n\n- `RW` specifies a read/write volume. `RW` is the default.\n- `DP` specifies a data-protection volume. A `DP` volume is read-only and can be used as the destination of a NetApp SnapMirror relationship.\n\nFor more information, see [Volume types](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/volume-types) in the *Amazon FSx for NetApp ONTAP User Guide* .", "SecurityStyle": "Specifies the security style for the volume. If a volume's security style is not specified, it is automatically set to the root volume's security style. The security style determines the type of permissions that FSx for ONTAP uses to control data access. For more information, see [Volume security style](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/managing-volumes.html#volume-security-style) in the *Amazon FSx for NetApp ONTAP User Guide* . 
Specify one of the following values:\n\n- `UNIX` if the file system is managed by a UNIX administrator, the majority of users are NFS clients, and an application accessing the data uses a UNIX user as the service account.\n- `NTFS` if the file system is managed by a Windows administrator, the majority of users are SMB clients, and an application accessing the data uses a Windows user as the service account.\n- `MIXED` if the file system is managed by both UNIX and Windows administrators and users consist of both NFS and SMB clients.", + "SizeInBytes": "", "SizeInMegabytes": "Specifies the size of the volume, in megabytes (MB), that you are creating.", + "SnaplockConfiguration": "The SnapLock configuration object for an FSx for ONTAP SnapLock volume.", "SnapshotPolicy": "Specifies the snapshot policy for the volume. There are three built-in snapshot policies:\n\n- `default` : This is the default policy. A maximum of six hourly snapshots taken five minutes past the hour. A maximum of two daily snapshots taken Monday through Saturday at 10 minutes after midnight. A maximum of two weekly snapshots taken every Sunday at 15 minutes after midnight.\n- `default-1weekly` : This policy is the same as the `default` policy except that it only retains one snapshot from the weekly schedule.\n- `none` : This policy does not take any snapshots. This policy can be assigned to volumes to prevent automatic snapshots from being taken.\n\nYou can also provide the name of a custom policy that you created with the ONTAP CLI or REST API.\n\nFor more information, see [Snapshot policies](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snapshots-ontap.html#snapshot-policies) in the *Amazon FSx for NetApp ONTAP User Guide* .", "StorageEfficiencyEnabled": "Set to true to enable deduplication, compression, and compaction storage efficiency features on the volume, or set to false to disable them. 
This parameter is required.", "StorageVirtualMachineId": "Specifies the ONTAP SVM in which to create the volume.", - "TieringPolicy": "Describes the data tiering policy for an ONTAP volume. When enabled, Amazon FSx for ONTAP's intelligent tiering automatically transitions a volume's data between the file system's primary storage and capacity pool storage based on your access patterns.\n\nValid tiering policies are the following:\n\n- `SNAPSHOT_ONLY` - (Default value) moves cold snapshots to the capacity pool storage tier.\n\n- `AUTO` - moves cold user data and snapshots to the capacity pool storage tier based on your access patterns.\n\n- `ALL` - moves all user data blocks in both the active file system and Snapshot copies to the storage pool tier.\n\n- `NONE` - keeps a volume's data in the primary storage tier, preventing it from being moved to the capacity pool tier." + "TieringPolicy": "Describes the data tiering policy for an ONTAP volume. When enabled, Amazon FSx for ONTAP's intelligent tiering automatically transitions a volume's data between the file system's primary storage and capacity pool storage based on your access patterns.\n\nValid tiering policies are the following:\n\n- `SNAPSHOT_ONLY` - (Default value) moves cold snapshots to the capacity pool storage tier.\n\n- `AUTO` - moves cold user data and snapshots to the capacity pool storage tier based on your access patterns.\n\n- `ALL` - moves all user data blocks in both the active file system and Snapshot copies to the storage pool tier.\n\n- `NONE` - keeps a volume's data in the primary storage tier, preventing it from being moved to the capacity pool tier.", + "VolumeStyle": "" }, "AWS::FSx::Volume OpenZFSConfiguration": { "CopyTagsToSnapshots": "A Boolean value indicating whether tags for the volume should be copied to snapshots. This value defaults to `false` . If it's set to `true` , all tags for the volume are copied to snapshots where the user doesn't specify tags. 
If this value is `true` , and you specify one or more tags, only the specified tags are copied to snapshots. If you specify one or more tags when creating the snapshot, no tags are copied from the volume, regardless of this value.", 
@@ -12359,9 +14393,30 @@ "UserAndGroupQuotas": "An object specifying how much storage users or groups can use on the volume." }, "AWS::FSx::Volume OriginSnapshot": { - "CopyStrategy": "The strategy used when copying data from the snapshot to the new volume.\n\n- `CLONE` - The new volume references the data in the origin snapshot. Cloning a snapshot is faster than copying data from the snapshot to a new volume and doesn't consume disk throughput. However, the origin snapshot can't be deleted if there is a volume using its copied data.\n- `FULL_COPY` - Copies all data from the snapshot to the new volume.", + "CopyStrategy": "Specifies the strategy used when copying data from the snapshot to the new volume.\n\n- `CLONE` - The new volume references the data in the origin snapshot. Cloning a snapshot is faster than copying data from the snapshot to a new volume and doesn't consume disk throughput. However, the origin snapshot can't be deleted if there is a volume using its copied data.\n- `FULL_COPY` - Copies all data from the snapshot to the new volume.\n\nSpecify this option to create the volume from a snapshot on another FSx for OpenZFS file system.\n\n> The `INCREMENTAL_COPY` option is only for updating an existing volume by using a snapshot from another FSx for OpenZFS file system. For more information, see [CopySnapshotAndUpdateVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CopySnapshotAndUpdateVolume.html) .", "SnapshotARN": "Specifies the snapshot to use when creating an OpenZFS volume from a snapshot." }, + "AWS::FSx::Volume RetentionPeriod": { + "Type": "Defines the type of time for the retention period of an FSx for ONTAP SnapLock volume. Set it to one of the valid types. If you set it to `INFINITE` , the files are retained forever. If you set it to `UNSPECIFIED` , the files are retained until you set an explicit retention period.", + "Value": "Defines the amount of time for the retention period of an FSx for ONTAP SnapLock volume. 
You can't set a value for `INFINITE` or `UNSPECIFIED` . For all other options, the following ranges are valid:\n\n- `Seconds` : 0 - 65,535\n- `Minutes` : 0 - 65,535\n- `Hours` : 0 - 24\n- `Days` : 0 - 365\n- `Months` : 0 - 12\n- `Years` : 0 - 100" + }, + "AWS::FSx::Volume SnaplockConfiguration": { + "AuditLogVolume": "Enables or disables the audit log volume for an FSx for ONTAP SnapLock volume. The default value is `false` . If you set `AuditLogVolume` to `true` , the SnapLock volume is created as an audit log volume. The minimum retention period for an audit log volume is six months.\n\nFor more information, see [SnapLock audit log volumes](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/how-snaplock-works.html#snaplock-audit-log-volume) .", + "AutocommitPeriod": "The configuration object for setting the autocommit period of files in an FSx for ONTAP SnapLock volume.", + "PrivilegedDelete": "Enables, disables, or permanently disables privileged delete on an FSx for ONTAP SnapLock Enterprise volume. Enabling privileged delete allows SnapLock administrators to delete write once, read many (WORM) files even if they have active retention periods. `PERMANENTLY_DISABLED` is a terminal state. If privileged delete is permanently disabled on a SnapLock volume, you can't re-enable it. The default value is `DISABLED` .\n\nFor more information, see [Privileged delete](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html#privileged-delete) .", + "RetentionPeriod": "Specifies the retention period of an FSx for ONTAP SnapLock volume.", + "SnaplockType": "Specifies the retention mode of an FSx for ONTAP SnapLock volume. After it is set, it can't be changed. You can choose one of the following retention modes:\n\n- `COMPLIANCE` : Files transitioned to write once, read many (WORM) on a Compliance volume can't be deleted until their retention periods expire. 
This retention mode is used to address government or industry-specific mandates or to protect against ransomware attacks. For more information, see [SnapLock Compliance](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-compliance.html) .\n- `ENTERPRISE` : Files transitioned to WORM on an Enterprise volume can be deleted by authorized users before their retention periods expire using privileged delete. This retention mode is used to advance an organization's data integrity and internal compliance or to test retention settings before using SnapLock Compliance. For more information, see [SnapLock Enterprise](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html) .", + "VolumeAppendModeEnabled": "Enables or disables volume-append mode on an FSx for ONTAP SnapLock volume. Volume-append mode allows you to create WORM-appendable files and write data to them incrementally. The default value is `false` .\n\nFor more information, see [Volume-append mode](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/worm-state.html#worm-state-append) ." + }, + "AWS::FSx::Volume SnaplockRetentionPeriod": { + "DefaultRetention": "The retention period assigned to a write once, read many (WORM) file by default if an explicit retention period is not set for an FSx for ONTAP SnapLock volume. The default retention period must be greater than or equal to the minimum retention period and less than or equal to the maximum retention period.", + "MaximumRetention": "The longest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "MinimumRetention": "The shortest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume." + }, + "AWS::FSx::Volume Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. 
Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::Volume TieringPolicy": { "CoolingPeriod": "Specifies the number of days that user data in a volume must remain inactive before it is considered \"cold\" and moved to the capacity pool. Used with the `AUTO` and `SNAPSHOT_ONLY` tiering policies. Enter a whole number between 2 and 183. Default values are 31 days for `AUTO` and 2 days for `SNAPSHOT_ONLY` .", "Name": "Specifies the tiering policy used to transition data. Default value is `SNAPSHOT_ONLY` .\n\n- `SNAPSHOT_ONLY` - moves cold snapshots to the capacity pool storage tier.\n- `AUTO` - moves cold user data and snapshots to the capacity pool storage tier based on your access patterns.\n- `ALL` - moves all user data blocks in both the active file system and Snapshot copies to the storage pool tier.\n- `NONE` - keeps a volume's data in the primary storage tier, preventing it from being moved to the capacity pool tier." 
@@ -12397,6 +14452,10 @@ "FirstName": "The first name of the superuser.", "LastName": "The last name of the superuser." }, + "AWS::FinSpace::Environment Tag": { + "Key": "", + "Value": "" + }, "AWS::Forecast::Dataset": { "DataFrequency": "The frequency of data collection. This parameter is required for RELATED_TIME_SERIES datasets.\n\nValid intervals are an integer followed by Y (Year), M (Month), W (Week), D (Day), H (Hour), and min (Minute). For example, \"1D\" indicates every day and \"15min\" indicates every 15 minutes. You cannot specify a value that would overlap with the next larger frequency. That means, for example, you cannot specify a frequency of 60 minutes, because that is equivalent to 1 hour. The valid values for each frequency are the following:\n\n- Minute - 1-59\n- Hour - 1-23\n- Day - 1-6\n- Week - 1-4\n- Month - 1-11\n- Year - 1\n\nThus, if you want every other week forecasts, specify \"2W\". Or, if you want quarterly forecasts, you specify \"3M\".", "DatasetName": "The name of the dataset.", 
@@ -12427,6 +14486,10 @@ "Domain": "The domain associated with the dataset group. When you add a dataset to a dataset group, this value and the value specified for the `Domain` parameter of the [CreateDataset](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateDataset.html) operation must match.\n\nThe `Domain` and `DatasetType` that you choose determine the fields that must be present in training data that you import to a dataset. For example, if you choose the `RETAIL` domain and `TARGET_TIME_SERIES` as the `DatasetType` , Amazon Forecast requires that `item_id` , `timestamp` , and `demand` fields are present in your data. For more information, see [Dataset groups](https://docs.aws.amazon.com/forecast/latest/dg/howitworks-datasets-groups.html) .", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Forecast::DatasetGroup Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::FraudDetector::Detector": { "AssociatedModels": "The models to associate with this detector. You must provide the ARNs of all the models you want to associate.", "Description": "The detector description.", @@ -12481,7 +14544,7 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::FraudDetector::Detector Model": { - "Arn": "" + "Arn": "The ARN of the model." }, "AWS::FraudDetector::Detector Outcome": { "Arn": "The outcome ARN.", 
@@ -12498,18 +14561,26 @@ "Description": "The rule description.", "DetectorId": "The detector for which the rule is associated.", "Expression": "The rule expression. A rule expression captures the business logic. For more information, see [Rule language reference](https://docs.aws.amazon.com/frauddetector/latest/ug/rule-language-reference.html) .", - "Language": "The rule language.", + "Language": "The rule language.\n\nValid Value: DETECTORPL", "LastUpdatedTime": "Timestamp for when the rule was last updated.", "Outcomes": "The rule outcome.", "RuleId": "The rule ID.", "RuleVersion": "The rule version.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::FraudDetector::Detector Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::EntityType": { "Description": "The entity type description.", "Name": "The entity type name.\n\nPattern: `^[0-9a-z_-]+$`", "Tags": "A key and value pair." }, + "AWS::FraudDetector::EntityType Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::EventType": { "Description": "The event type description.", "EntityTypes": "The event type entity types.", 
@@ -12549,11 +14620,19 @@ "Name": "The label name.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::FraudDetector::EventType Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::Label": { "Description": "The label description.", "Name": "The label name.\n\nPattern: `^[0-9a-z_-]+$`", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::FraudDetector::Label Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::List": { "Description": "The description of the list.", "Elements": "The elements in the list.", 
@@ -12561,11 +14640,19 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "VariableType": "The variable type of the list. For more information, see [Variable types](https://docs.aws.amazon.com/frauddetector/latest/ug/variables.html#variable-types)" }, + "AWS::FraudDetector::List Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::Outcome": { "Description": "The outcome description.", "Name": "The outcome name.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::FraudDetector::Outcome Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::Variable": { "DataSource": "The data source of the variable.\n\nValid values: `EVENT | EXTERNAL_MODEL_SCORE`\n\nWhen defining a variable within a detector, you can only use the `EVENT` value for DataSource when the *Inline* property is set to true. If the *Inline* property is set false, you can use either `EVENT` or `MODEL_SCORE` for DataSource.", "DataType": "The data type of the variable.\n\nValid data types: `STRING | INTEGER | BOOLEAN | FLOAT`", 
@@ -12575,6 +14662,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "VariableType": "The type of the variable. For more information see [Variable types](https://docs.aws.amazon.com/frauddetector/latest/ug/create-a-variable.html#variable-types) .\n\nValid Values: `AUTH_CODE | AVS | BILLING_ADDRESS_L1 | BILLING_ADDRESS_L2 | BILLING_CITY | BILLING_COUNTRY | BILLING_NAME | BILLING_PHONE | BILLING_STATE | BILLING_ZIP | CARD_BIN | CATEGORICAL | CURRENCY_CODE | EMAIL_ADDRESS | FINGERPRINT | FRAUD_LABEL | FREE_FORM_TEXT | IP_ADDRESS | NUMERIC | ORDER_ID | PAYMENT_TYPE | PHONE_NUMBER | PRICE | PRODUCT_CATEGORY | SHIPPING_ADDRESS_L1 | SHIPPING_ADDRESS_L2 | SHIPPING_CITY | SHIPPING_COUNTRY | SHIPPING_NAME | SHIPPING_PHONE | SHIPPING_STATE | SHIPPING_ZIP | USERAGENT`" }, + "AWS::FraudDetector::Variable Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::GameLift::Alias": { "Description": "A human-readable description of the alias.", "Name": "A descriptive label that is associated with an alias. Alias names do not need to be unique.", 
@@ -12587,28 +14678,30 @@ }, "AWS::GameLift::Build": { "Name": "A descriptive label that is associated with a build. Build names do not need to be unique.", - "OperatingSystem": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> The Amazon Linux 2023 OS is not available in the China Regions. > Support is ending in 2023 for the Windows Server 2012 and Amazon Linux (AL1) operating systems. If you have active fleets using these operating systems, you can continue to create new builds using these until their end of support. All other users must use Windows Server 2016, Amazon Linux 2, or Amazon Linux 2023. For more information, including specific end-of-support dates, see the Amazon GameLift FAQs for [Windows Server](https://docs.aws.amazon.com/gamelift/faq/win2012/) and [Linux Server](https://docs.aws.amazon.com/gamelift/faq/al1/) .", - "ServerSdkVersion": "The Amazon GameLift Server SDK version used to develop your game server.", + "OperatingSystem": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> If you have active fleets using the Windows Server 2012 operating system, you can continue to create new builds using this OS until October 10, 2023, when Microsoft ends its support. 
All others must use Windows Server 2016 when creating new Windows-based builds.", + "ServerSdkVersion": "A server SDK version you used when integrating your game server build with Amazon GameLift. For more information see [Integrate games with custom game servers](https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html) . By default Amazon GameLift sets this value to `4.0.2` .", "StorageLocation": "Information indicating where your game build files are stored. Use this parameter only when creating a build with files stored in an Amazon S3 bucket that you own. The storage location must specify an Amazon S3 bucket name and key. The location must also specify a role ARN that you set up to allow Amazon GameLift to access your Amazon S3 bucket. The S3 bucket and your new build must be in the same Region.\n\nIf a `StorageLocation` is specified, the size of your file can be found in your Amazon S3 bucket. Amazon GameLift will report a `SizeOnDisk` of 0.", "Version": "Version information that is associated with this build. Version strings do not need to be unique." }, "AWS::GameLift::Build StorageLocation": { - "Bucket": "", - "Key": "", - "ObjectVersion": "", - "RoleArn": "" + "Bucket": "An Amazon S3 bucket identifier. The name of the S3 bucket.\n\n> Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).", + "Key": "The name of the zip file that contains the build files or script files.", + "ObjectVersion": "A version of a stored file to retrieve, if the object versioning feature is turned on for the S3 bucket. Use this parameter to specify a specific version. If this parameter isn't set, Amazon GameLift retrieves the latest version of the file.", + "RoleArn": "The ARNfor an IAM role that allows Amazon GameLift to access the S3 bucket." 
}, "AWS::GameLift::Fleet": { - "AnywhereConfiguration": "", + "AnywhereConfiguration": "Amazon GameLift Anywhere configuration options.", + "ApplyCapacity": "Current resource capacity settings in a specified fleet or location. The location value might refer to a fleet's remote location or its home Region.\n\n*Related actions*\n\n[DescribeFleetCapacity](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeFleetCapacity.html) | [DescribeFleetLocationCapacity](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeFleetLocationCapacity.html) | [UpdateFleetCapacity](https://docs.aws.amazon.com/gamelift/latest/apireference/API_UpdateFleetCapacity.html)", "BuildId": "A unique identifier for a build to be deployed on the new fleet. If you are deploying the fleet with a custom game build, you must specify this property. The build must have been successfully uploaded to Amazon GameLift and be in a `READY` status. This fleet setting cannot be changed once the fleet is created.", "CertificateConfiguration": "Prompts Amazon GameLift to generate a TLS/SSL certificate for the fleet. Amazon GameLift uses the certificates to encrypt traffic between game clients and the game servers running on Amazon GameLift. By default, the `CertificateConfiguration` is `DISABLED` . You can't change this property after you create the fleet.\n\nAWS Certificate Manager (ACM) certificates expire after 13 months. Certificate expiration can cause fleets to fail, preventing players from connecting to instances in the fleet. We recommend you replace fleets before 13 months, consider using fleet aliases for a smooth transition.\n\n> ACM isn't available in all AWS regions. A fleet creation request with certificate generation enabled in an unsupported Region, fails with a 4xx error. 
For more information about the supported Regions, see [Supported Regions](https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html) in the *AWS Certificate Manager User Guide* .", - "ComputeType": "The type of compute resource used to host your game servers. You can use your own compute resources with Amazon GameLift Anywhere or use Amazon EC2 instances with managed Amazon GameLift.", + "ComputeType": "The type of compute resource used to host your game servers. You can use your own compute resources with Amazon GameLift Anywhere or use Amazon EC2 instances with managed Amazon GameLift. By default, this property is set to `EC2` .", "Description": "A description for the fleet.", "DesiredEC2Instances": "The number of EC2 instances that you want this fleet to host. When creating a new fleet, GameLift automatically sets this value to \"1\" and initiates a single instance. Once the fleet is active, update this value to trigger GameLift to add or remove instances from the fleet.", "EC2InboundPermissions": "The allowed IP address ranges and port settings that allow inbound traffic to access game sessions on this fleet. If the fleet is hosting a custom game build, this property must be set before players can connect to game sessions. For Realtime Servers fleets, Amazon GameLift automatically sets TCP and UDP ranges.", "EC2InstanceType": "The Amazon GameLift-supported Amazon EC2 instance type to use for all fleet instances. Instance type determines the computing resources that will be used to host your game servers, including CPU, memory, storage, and networking capacity. See [Amazon Elastic Compute Cloud Instance Types](https://docs.aws.amazon.com/ec2/instance-types/) for detailed descriptions of Amazon EC2 instance types.", - "FleetType": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . 
Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This property cannot be changed after the fleet is created.", - "InstanceRoleARN": "A unique identifier for an IAM role that manages access to your AWS services. With an instance role ARN set, any application that runs on an instance in this fleet can assume the role, including install scripts, server processes, and daemons (background processes). Create a role or look up a role's ARN by using the [IAM dashboard](https://docs.aws.amazon.com/iam/) in the AWS Management Console . Learn more about using on-box credentials for your game servers at [Access external resources from a game server](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) . This property cannot be changed after the fleet is created.", + "FleetType": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This fleet property can't be changed after the fleet is created.", + "InstanceRoleARN": "A unique identifier for an IAM role with access permissions to other AWS services. Any application that runs on an instance in the fleet--including install scripts, server processes, and other processes--can use these permissions to interact with AWS resources that you own or have access to. 
For more information about using the role with your game server builds, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", + "InstanceRoleCredentialsProvider": "Indicates that fleet instances maintain a shared credentials file for the IAM role defined in `InstanceRoleArn` . Shared credentials allow applications that are deployed with the game server executable to communicate with other AWS resources. This property is used only when the game server is integrated with the server SDK version 5.x. For more information about using shared credentials, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", "Locations": "A set of remote locations to deploy additional instances to and manage as part of the fleet. This parameter can only be used when creating fleets in AWS Regions that support multiple locations. You can add any Amazon GameLift-supported AWS Region as a remote location, in the form of an AWS Region code such as `us-west-2` . To create a fleet with instances in the home Region only, don't use this parameter.\n\nTo use this parameter, Amazon GameLift requires you to use your home location in the request.", "MaxSize": "The maximum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 1.", "MetricGroups": "The name of an AWS CloudWatch metric group to add this fleet to. A metric group is used to aggregate the metrics for multiple fleets. You can specify an existing metric group name or set a new name to create a new metric group. A fleet can be included in only one metric group at a time.", 
@@ -12619,6 +14712,7 @@ "PeerVpcId": "A unique identifier for a VPC with resources to be accessed by your Amazon GameLift fleet. The VPC must be in the same Region as your fleet. To look up a VPC ID, use the [VPC Dashboard](https://docs.aws.amazon.com/vpc/) in the AWS Management Console . Learn more about VPC peering in [VPC Peering with Amazon GameLift Fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/vpc-peering.html) .", "ResourceCreationLimitPolicy": "A policy that limits the number of game sessions that an individual player can create on instances in this fleet within a specified span of time.", "RuntimeConfiguration": "Instructions for how to launch and maintain server processes on instances in the fleet. The runtime configuration defines one or more server process configurations, each identifying a build executable or Realtime script file and the number of processes of that type to run concurrently.\n\n> The `RuntimeConfiguration` parameter is required unless the fleet is being configured using the older parameters `ServerLaunchPath` and `ServerLaunchParameters` , which are still supported for backward compatibility.", + "ScalingPolicies": "Rule that controls how a fleet is scaled. Scaling policies are uniquely identified by the combination of name and fleet ID.", "ScriptId": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually." }, "AWS::GameLift::Fleet AnywhereConfiguration": { 
@@ -12634,7 +14728,7 @@ "ToPort": "An ending value for a range of allowed port numbers. Port numbers are end-inclusive. This value must be equal to or greater than `FromPort` .\n\nFor fleets using Linux builds, only ports `22` and `1026-60000` are valid.\n\nFor fleets using Windows builds, only ports `1026-60000` are valid." }, "AWS::GameLift::Fleet LocationCapacity": { - "DesiredEC2Instances": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits.", + "DesiredEC2Instances": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits. Changes in desired instance value can take up to 1 minute to be reflected when viewing the fleet's capacity settings.", "MaxSize": "The maximum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 1.", "MinSize": "The minimum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 0." }, 
@@ -12651,10 +14745,27 @@ "MaxConcurrentGameSessionActivations": "The number of game sessions in status `ACTIVATING` to allow on an instance. This setting limits the instance resources that can be used for new game activations at any one time.", "ServerProcesses": "A collection of server process configurations that identify what server processes to run on each instance in a fleet." }, + "AWS::GameLift::Fleet ScalingPolicy": { + "ComparisonOperator": "Comparison operator to use when measuring a metric against the threshold value.", + "EvaluationPeriods": "Length of time (in minutes) the metric must be at or beyond the threshold before a scaling event is triggered.", + "Location": "The fleet location.", + "MetricName": "Name of the Amazon GameLift-defined metric that is used to trigger a scaling adjustment. For detailed descriptions of fleet metrics, see [Monitor Amazon GameLift with Amazon CloudWatch](https://docs.aws.amazon.com/gamelift/latest/developerguide/monitoring-cloudwatch.html) .\n\n- *ActivatingGameSessions* -- Game sessions in the process of being created.\n- *ActiveGameSessions* -- Game sessions that are currently running.\n- *ActiveInstances* -- Fleet instances that are currently running at least one game session.\n- *AvailableGameSessions* -- Additional game sessions that fleet could host simultaneously, given current capacity.\n- *AvailablePlayerSessions* -- Empty player slots in currently active game sessions. This includes game sessions that are not currently accepting players. Reserved player slots are not included.\n- *CurrentPlayerSessions* -- Player slots in active game sessions that are being used by a player or are reserved for a player.\n- *IdleInstances* -- Active instances that are currently hosting zero game sessions.\n- *PercentAvailableGameSessions* -- Unused percentage of the total number of game sessions that a fleet could host simultaneously, given current capacity. 
Use this metric for a target-based scaling policy.\n- *PercentIdleInstances* -- Percentage of the total number of active instances that are hosting zero game sessions.\n- *QueueDepth* -- Pending game session placement requests, in any queue, where the current fleet is the top-priority destination.\n- *WaitTime* -- Current wait time for pending game session placement requests, in any queue, where the current fleet is the top-priority destination.", + "Name": "A descriptive label that is associated with a fleet's scaling policy. Policy names do not need to be unique.", + "PolicyType": "The type of scaling policy to create. For a target-based policy, set the parameter *MetricName* to 'PercentAvailableGameSessions' and specify a *TargetConfiguration* . For a rule-based policy set the following parameters: *MetricName* , *ComparisonOperator* , *Threshold* , *EvaluationPeriods* , *ScalingAdjustmentType* , and *ScalingAdjustment* .", + "ScalingAdjustment": "Amount of adjustment to make, based on the scaling adjustment type.", + "ScalingAdjustmentType": "The type of adjustment to make to a fleet's instance count.\n\n- *ChangeInCapacity* -- add (or subtract) the scaling adjustment value from the current instance count. Positive values scale up while negative values scale down.\n- *ExactCapacity* -- set the instance count to the scaling adjustment value.\n- *PercentChangeInCapacity* -- increase or reduce the current instance count by the scaling adjustment, read as a percentage. Positive values scale up while negative values scale down.", + "Status": "Current status of the scaling policy. The scaling policy can be in force only when in an `ACTIVE` status. Scaling policies can be suspended for individual fleets. 
If the policy is suspended for a fleet, the policy status does not change.\n\n- *ACTIVE* -- The scaling policy can be used for auto-scaling a fleet.\n- *UPDATE_REQUESTED* -- A request to update the scaling policy has been received.\n- *UPDATING* -- A change is being made to the scaling policy.\n- *DELETE_REQUESTED* -- A request to delete the scaling policy has been received.\n- *DELETING* -- The scaling policy is being deleted.\n- *DELETED* -- The scaling policy has been deleted.\n- *ERROR* -- An error occurred in creating the policy. It should be removed and recreated.", + "TargetConfiguration": "An object that contains settings for a target-based scaling policy.", + "Threshold": "Metric value used to trigger a scaling event.", + "UpdateStatus": "The current status of the fleet's scaling policies in a requested fleet location. The status `PENDING_UPDATE` indicates that an update was requested for the fleet but has not yet been completed for the location." + }, "AWS::GameLift::Fleet ServerProcess": { "ConcurrentExecutions": "The number of server processes using this configuration that run concurrently on each instance.", - "LaunchPath": "The location of a game build executable or the Realtime script file that contains the `Init()` function. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"", - "Parameters": "An optional list of parameters to pass to the server executable or Realtime script on launch." + "LaunchPath": "The location of a game build executable or Realtime script. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . 
Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"\n\n> Amazon GameLift doesn't support the use of setup scripts that launch the game executable. For custom game builds, this parameter must indicate the executable that calls the server SDK operations `initSDK()` and `ProcessReady()` .", + "Parameters": "An optional list of parameters to pass to the server executable or Realtime script on launch.\n\nLength Constraints: Minimum length of 1. Maximum length of 1024.\n\nPattern: [A-Za-z0-9_:.+\\/\\\\\\- =@{},?'\\[\\]\"]+" + }, + "AWS::GameLift::Fleet TargetConfiguration": { + "TargetValue": "Desired value to use with a target-based scaling policy. The value must be relevant for whatever metric the scaling policy is using. For example, in a policy using the metric PercentAvailableGameSessions, the target value should be the preferred size of the fleet's buffer (the percent of capacity that should be idle and ready for new game sessions)." }, "AWS::GameLift::GameServerGroup": { "AutoScalingPolicy": "Configuration settings to define a scaling policy for the Auto Scaling group that is optimized for game hosting. The scaling policy uses the metric `\"PercentUtilizedGameServers\"` to maintain a buffer of idle game servers that can immediately accommodate new games and players. After the Auto Scaling group is created, update this value directly in the Auto Scaling group using the AWS console or APIs.", 
@@ -12683,6 +14794,10 @@ "LaunchTemplateName": "A readable identifier for an existing Amazon EC2 launch template.", "Version": "The version of the Amazon EC2 launch template to use. If no version is specified, the default version will be used. With Amazon EC2, you can specify a default version for a launch template. If none is set, the default is the first version created." }, + "AWS::GameLift::GameServerGroup Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::GameServerGroup TargetTrackingConfiguration": { "TargetValue": "Desired value to use with a game server group target-based scaling policy." }, 
@@ -12697,12 +14812,12 @@ "Tags": "A list of labels to assign to the new game session queue resource. Tags are developer-defined key-value pairs. Tagging AWS resources are useful for resource management, access management and cost allocation. For more information, see [Tagging AWS Resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference* . Once the resource is created, you can use TagResource, UntagResource, and ListTagsForResource to add, remove, and view tags. The maximum tag limit may be lower than stated. See the AWS General Reference for actual tagging limits.", "TimeoutInSeconds": "The maximum time, in seconds, that a new game session placement request remains in the queue. When a request exceeds this time, the game session placement changes to a `TIMED_OUT` status. By default, this property is set to `600` ." }, - "AWS::GameLift::GameSessionQueue Destination": { - "DestinationArn": "The Amazon Resource Name (ARN) that is assigned to fleet or fleet alias. ARNs, which include a fleet ID or alias ID and a Region name, provide a unique identifier across all Regions." - }, "AWS::GameLift::GameSessionQueue FilterConfiguration": { "AllowedLocations": "A list of locations to allow game session placement in, in the form of AWS Region codes such as `us-west-2` ." }, + "AWS::GameLift::GameSessionQueue GameSessionQueueDestination": { + "DestinationArn": "The Amazon Resource Name (ARN) that is assigned to fleet or fleet alias. ARNs, which include a fleet ID or alias ID and a Region name, provide a unique identifier across all Regions." + }, "AWS::GameLift::GameSessionQueue PlayerLatencyPolicy": { "MaximumIndividualPlayerLatencyMilliseconds": "The maximum latency value that is allowed for any player, in milliseconds. All policies must have a value set for this property.", "PolicyDurationSeconds": "The length of time, in seconds, that the policy is enforced while placing a new game session. 
A null value for this property means that the policy is enforced until the queue times out." 
@@ -12711,15 +14826,24 @@ "LocationOrder": "The prioritization order to use for fleet locations, when the `PriorityOrder` property includes `LOCATION` . Locations are identified by AWS Region codes such as `us-west-2` . Each location can only be listed once.", "PriorityOrder": "The recommended sequence to use when prioritizing where to place new game sessions. Each type can only be listed once.\n\n- `LATENCY` -- FleetIQ prioritizes locations where the average player latency (provided in each game session request) is lowest.\n- `COST` -- FleetIQ prioritizes destinations with the lowest current hosting costs. Cost is evaluated based on the location, instance type, and fleet type (Spot or On-Demand) for each destination in the queue.\n- `DESTINATION` -- FleetIQ prioritizes based on the order that destinations are listed in the queue configuration.\n- `LOCATION` -- FleetIQ prioritizes based on the provided order of locations, as defined in `LocationOrder` ." }, + "AWS::GameLift::GameSessionQueue Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::Location": { - "LocationName": "The location's name.", - "Tags": "" + "LocationName": "A descriptive name for the custom location.", + "Tags": "A list of labels to assign to the new matchmaking configuration resource. Tags are developer-defined key-value pairs. Tagging AWS resources are useful for resource management, access management and cost allocation. For more information, see [Tagging AWS Resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Rareference* ." + }, + "AWS::GameLift::Location Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." 
}, "AWS::GameLift::MatchmakingConfiguration": { "AcceptanceRequired": "A flag that determines whether a match that was created with this configuration must be accepted by the matched players. To require acceptance, set to `TRUE` . With this option enabled, matchmaking tickets use the status `REQUIRES_ACCEPTANCE` to indicate when a completed potential match is waiting for player acceptance.", "AcceptanceTimeoutSeconds": "The length of time (in seconds) to wait for players to accept a proposed match, if acceptance is required.", "AdditionalPlayerCount": "The number of player slots in a match to keep open for future players. For example, if the configuration's rule set specifies a match for a single 10-person team, and the additional player count is set to 2, 10 players will be selected for the match and 2 more player slots will be open for future players. This parameter is not used if `FlexMatchMode` is set to `STANDALONE` .", "BackfillMode": "The method used to backfill game sessions that are created with this matchmaking configuration. Specify `MANUAL` when your game manages backfill requests manually or does not use the match backfill feature. Specify `AUTOMATIC` to have GameLift create a `StartMatchBackfill` request whenever a game session has one or more open slots. Learn more about manual and automatic backfill in [Backfill Existing Games with FlexMatch](https://docs.aws.amazon.com/gamelift/latest/flexmatchguide/match-backfill.html) . Automatic backfill is not available when `FlexMatchMode` is set to `STANDALONE` .", + "CreationTime": "A time stamp indicating when this data object was created. 
Format is a number expressed in Unix time as milliseconds (for example `\"1469498468.057\"` ).", "CustomEventData": "Information to add to all events related to the matchmaking configuration.", "Description": "A description for the matchmaking configuration.", "FlexMatchMode": "Indicates whether this matchmaking configuration is being used with Amazon GameLift hosting or as a standalone matchmaking solution.\n\n- *STANDALONE* - FlexMatch forms matches and returns match information, including players and team assignments, in a [MatchmakingSucceeded](https://docs.aws.amazon.com/gamelift/latest/flexmatchguide/match-events.html#match-events-matchmakingsucceeded) event.\n- *WITH_QUEUE* - FlexMatch forms matches and uses the specified Amazon GameLift queue to start a game session for the match.", 
@@ -12729,6 +14853,7 @@ "Name": "A unique identifier for the matchmaking configuration. This name is used to identify the configuration associated with a matchmaking request or ticket.", "NotificationTarget": "An SNS topic ARN that is set up to receive matchmaking notifications. See [Setting up notifications for matchmaking](https://docs.aws.amazon.com/gamelift/latest/flexmatchguide/match-notification.html) for more information.", "RequestTimeoutSeconds": "The maximum duration, in seconds, that a matchmaking ticket can remain in process before timing out. Requests that fail due to timing out can be resubmitted as needed.", + "RuleSetArn": "The Amazon Resource Name ( [ARN](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html) ) associated with the GameLift matchmaking rule set resource that this configuration uses.", "RuleSetName": "A unique identifier for the matchmaking rule set to use with this configuration. You can use either the rule set name or ARN value. A matchmaking configuration can only use rule sets that are defined in the same Region.", "Tags": "A list of labels to assign to the new matchmaking configuration resource. Tags are developer-defined key-value pairs. Tagging AWS resources are useful for resource management, access management and cost allocation. For more information, see [Tagging AWS Resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference* . Once the resource is created, you can use TagResource, UntagResource, and ListTagsForResource to add, remove, and view tags. The maximum tag limit may be lower than stated. See the AWS General Reference for actual tagging limits." }, 
@@ -12736,11 +14861,19 @@ "Key": "The game property identifier.", "Value": "The game property value." }, + "AWS::GameLift::MatchmakingConfiguration Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::MatchmakingRuleSet": { "Name": "A unique identifier for the matchmaking rule set. A matchmaking configuration identifies the rule set it uses by this name value. Note that the rule set name is different from the optional `name` field in the rule set body.", "RuleSetBody": "A collection of matchmaking rules, formatted as a JSON string. Comments are not allowed in JSON, but most elements support a description field.", "Tags": "A list of labels to assign to the new matchmaking rule set resource. Tags are developer-defined key-value pairs. Tagging AWS resources are useful for resource management, access management and cost allocation. For more information, see [Tagging AWS Resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference* . Once the resource is created, you can use TagResource, UntagResource, and ListTagsForResource to add, remove, and view tags. The maximum tag limit may be lower than stated. See the AWS General Reference for actual tagging limits." }, + "AWS::GameLift::MatchmakingRuleSet Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::Script": { "Name": "A descriptive label that is associated with a script. Script names do not need to be unique.", "StorageLocation": "The location of the Amazon S3 bucket where a zipped file containing your Realtime scripts is stored. 
The storage location must specify the Amazon S3 bucket name, the zip file name (the \"key\"), and a role ARN that allows Amazon GameLift to access the Amazon S3 storage location. The S3 bucket must be in the same Region where you want to create a new script. By default, Amazon GameLift uploads the latest version of the zip file; if you have S3 object versioning turned on, you can use the `ObjectVersion` parameter to specify an earlier version.", @@ -12753,6 +14886,10 @@ "ObjectVersion": "The version of the file, if object versioning is turned on for the bucket. Amazon GameLift uses this information when retrieving files from an S3 bucket that you own. Use this parameter to specify a specific version of the file. If not set, the latest version of the file is retrieved.", "RoleArn": "The Amazon Resource Name ( [ARN](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html) ) for an IAM role that allows Amazon GameLift to access the S3 bucket." }, + "AWS::GameLift::Script Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GlobalAccelerator::Accelerator": { "Enabled": "Indicates whether the accelerator is enabled. The value is true or false. The default value is true.\n\nIf the value is set to true, the accelerator cannot be deleted. If set to false, accelerator can be deleted.", "IpAddressType": "The IP address type that an accelerator supports. For a standard accelerator, the value can be IPV4 or DUAL_STACK.", 
@@ -12760,6 +14897,10 @@ "Name": "The name of the accelerator. The name must contain only alphanumeric characters or hyphens (-), and must not begin or end with a hyphen.", "Tags": "Create tags for an accelerator.\n\nFor more information, see [Tagging](https://docs.aws.amazon.com/global-accelerator/latest/dg/tagging-in-global-accelerator.html) in the *AWS Global Accelerator Developer Guide* ." }, + "AWS::GlobalAccelerator::Accelerator Tag": { + "Key": "A string that contains a `Tag` key.", + "Value": "A string that contains a `Tag` value." + }, "AWS::GlobalAccelerator::EndpointGroup": { "EndpointConfigurations": "The list of endpoint objects.", "EndpointGroupRegion": "The AWS Regions where the endpoint group is located.", 
@@ -12774,7 +14915,7 @@ }, "AWS::GlobalAccelerator::EndpointGroup EndpointConfiguration": { "ClientIPPreservationEnabled": "Indicates whether client IP address preservation is enabled for an Application Load Balancer endpoint. The value is true or false. The default value is true for new accelerators.\n\nIf the value is set to true, the client's IP address is preserved in the `X-Forwarded-For` request header as traffic travels to applications on the Application Load Balancer endpoint fronted by the accelerator.\n\nFor more information, see [Preserve Client IP Addresses](https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html) in the *AWS Global Accelerator Developer Guide* .", - "EndpointId": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nAn Application Load Balancer can be either internal or internet-facing.", + "EndpointId": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nFor cross-account endpoints, this must be the ARN of the resource.", "Weight": "The weight associated with the endpoint. When you add weights to endpoints, you configure Global Accelerator to route traffic based on proportions that you specify. For example, you might specify endpoint weights of 4, 5, 5, and 6 (sum=20). 
The result is that 4/20 of your traffic, on average, is routed to the first endpoint, 5/20 is routed both to the second and third endpoints, and 6/20 is routed to the last endpoint. For more information, see [Endpoint Weights](https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints-endpoint-weights.html) in the *AWS Global Accelerator Developer Guide* ." }, "AWS::GlobalAccelerator::EndpointGroup PortOverride": { @@ -12799,7 +14940,9 @@ }, "AWS::Glue::Classifier CsvClassifier": { "AllowSingleColumn": "Enables the processing of files that contain only one column.", + "ContainsCustomDatatype": "", "ContainsHeader": "Indicates whether the CSV file contains a header.\n\nA value of `UNKNOWN` specifies that the classifier will detect whether the CSV file contains headings.\n\nA value of `PRESENT` specifies that the CSV file contains headings.\n\nA value of `ABSENT` specifies that the CSV file does not contain headings.", + "CustomDatatypeConfigured": "Enables the custom datatype to be configured.", "Delimiter": "A custom symbol to denote what separates each column entry in the row.", "DisableValueTrimming": "Specifies not to trim values before identifying the type of column values. The default value is `true` .", "Header": "A list of strings representing column names.", 
@@ -12869,6 +15012,12 @@ "AWS::Glue::Crawler DynamoDBTarget": { "Path": "The name of the DynamoDB table to crawl." }, + "AWS::Glue::Crawler IcebergTarget": { + "ConnectionName": "The name of the connection to use to connect to the Iceberg target.", + "Exclusions": "A list of glob patterns used to exclude from the crawl. For more information, see [Catalog Tables with a Crawler](https://docs.aws.amazon.com/glue/latest/dg/add-crawler.html) .", + "MaximumTraversalDepth": "The maximum depth of Amazon S3 paths that the crawler can traverse to discover the Iceberg metadata folder in your Amazon S3 path. Used to limit the crawler run time.", + "Paths": "One or more Amazon S3 paths that contains Iceberg metadata folders as `s3://bucket/prefix` ." + }, "AWS::Glue::Crawler JdbcTarget": { "ConnectionName": "The name of the connection to use to connect to the JDBC target.", "Exclusions": "A list of glob patterns used to exclude from the crawl. For more information, see [Catalog Tables with a Crawler](https://docs.aws.amazon.com/glue/latest/dg/add-crawler.html) .", @@ -12900,6 +15049,7 @@ "CatalogTargets": "Specifies AWS Glue Data Catalog targets.", "DeltaTargets": "Specifies an array of Delta data store targets.", "DynamoDBTargets": "Specifies Amazon DynamoDB targets.", + "IcebergTargets": "", "JdbcTargets": "Specifies JDBC targets.", "MongoDBTargets": "A list of Mongo DB targets.", "S3Targets": "Specifies Amazon Simple Storage Service (Amazon S3) targets." @@ -12941,7 +15091,8 @@ }, "AWS::Glue::Database DatabaseIdentifier": { "CatalogId": "The ID of the Data Catalog in which the database resides.", - "DatabaseName": "The name of the catalog database." + "DatabaseName": "The name of the catalog database.", + "Region": "Region of the target database." }, "AWS::Glue::Database DatabaseInput": { "CreateTableDefaultPermissions": "Creates a set of default permissions on the table for principals. Used by AWS Lake Formation . Not used in the normal course of AWS Glue operations.", 
@@ -13116,6 +15267,10 @@ "Name": "The name of the registry.", "Tags": "AWS tags that contain a key value pair and may be searched by console, command line, or API." }, + "AWS::Glue::Registry Tag": { + "Key": "The tag key. The key is required when you create a tag on an object. The key is case-sensitive, and must not contain the prefix aws.", + "Value": "The tag value. The value is optional when you create a tag on an object. The value is case-sensitive, and must not contain the prefix aws." + }, "AWS::Glue::Schema": { "CheckpointVersion": "Specify the `VersionNumber` or the `IsLatest` for setting the checkpoint for the schema. This is only required for updating a checkpoint.", "Compatibility": "The compatibility mode of the schema.", @@ -13134,6 +15289,10 @@ "IsLatest": "Indicates if this version is the latest version of the schema.", "VersionNumber": "The version number of the schema." }, + "AWS::Glue::Schema Tag": { + "Key": "The tag key. The key is required when you create a tag on an object. The key is case-sensitive, and must not contain the prefix aws.", + "Value": "The tag value. The value is optional when you create a tag on an object. The value is case-sensitive, and must not contain the prefix aws." + }, "AWS::Glue::SchemaVersion": { "Schema": "The schema that includes the schema version.", "SchemaDefinition": "The schema definition for the schema version." 
@@ -13169,10 +15328,10 @@ "KmsKeyArn": "The Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data.", "S3EncryptionMode": "The encryption mode to use for Amazon S3 data." }, - "AWS::Glue::SecurityConfiguration S3Encryptions": {}, "AWS::Glue::Table": { "CatalogId": "The ID of the Data Catalog in which to create the `Table` .", "DatabaseName": "The name of the database where the table metadata resides. For Hive compatibility, this must be all lowercase.", + "OpenTableFormatInput": "A structure representing an open format table.", "TableInput": "A structure used to define a table." }, "AWS::Glue::Table Column": { @@ -13180,6 +15339,13 @@ "Name": "The name of the `Column` .", "Type": "The data type of the `Column` ." }, + "AWS::Glue::Table IcebergInput": { + "MetadataOperation": "A required metadata operation. Can only be set to `CREATE` .", + "Version": "The table version for the Iceberg table. Defaults to 2." + }, + "AWS::Glue::Table OpenTableFormatInput": { + "IcebergInput": "Specifies an `IcebergInput` structure that defines an Apache Iceberg metadata table." + }, "AWS::Glue::Table Order": { "Column": "The name of the column.", "SortOrder": "Indicates that the column is sorted in ascending order ( `== 1` ), or in descending order ( `==0` )." @@ -13222,7 +15388,8 @@ "AWS::Glue::Table TableIdentifier": { "CatalogId": "The ID of the Data Catalog in which the table resides.", "DatabaseName": "The name of the catalog database that contains the target table.", - "Name": "The name of the target table." + "Name": "The name of the target table.", + "Region": "Region of the target table." }, "AWS::Glue::Table TableInput": { "Description": "A description of the table.", 
@@ -13284,17 +15451,18 @@ }, "AWS::Grafana::Workspace": { "AccountAccessType": "Specifies whether the workspace can access AWS resources in this AWS account only, or whether it can also access AWS resources in other accounts in the same organization. If this is `ORGANIZATION` , the `OrganizationalUnits` parameter specifies which organizational units the workspace can access.", - "AuthenticationProviders": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center (successor to AWS Single Sign-On) , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", + "AuthenticationProviders": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", "ClientToken": "A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request.", "DataSources": "Specifies the AWS data sources that have been configured to have IAM roles and permissions created to allow Amazon Managed Grafana to read data from these sources.\n\nThis list is only used when the workspace was created through the AWS console, and the `permissionType` is `SERVICE_MANAGED` .", "Description": "The user-defined description of the workspace.", - "GrafanaVersion": "Specifies the version of Grafana to support in the new workspace.\n\nSupported values are `8.4` and `9.4` .", + "GrafanaVersion": "Specifies the version of Grafana to support in the workspace. 
Defaults to the latest version on create (for example, 9.4), or the current version of the workspace on update.\n\nCan only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4).\n\nTo know what versions are available to upgrade to for a specific workspace, see the [ListVersions](https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html) operation.", "Name": "The name of the workspace.", "NetworkAccessControl": "The configuration settings for network access to your workspace.", "NotificationDestinations": "The AWS notification channels that Amazon Managed Grafana can automatically create IAM roles and permissions for, to allow Amazon Managed Grafana to use these channels.", "OrganizationRoleName": "The name of the IAM role that is used to access resources through Organizations .", "OrganizationalUnits": "Specifies the organizational units that this workspace is allowed to use data sources from, if this workspace is in an account that is part of an organization.", "PermissionType": "If this is `SERVICE_MANAGED` , and the workplace was created through the Amazon Managed Grafana console, then Amazon Managed Grafana automatically creates the IAM roles and provisions the permissions that the workspace needs to use AWS data sources and notification channels.\n\nIf this is `CUSTOMER_MANAGED` , you must manage those roles and permissions yourself.\n\nIf you are working with a workspace in a member account of an organization and that account is not a delegated administrator account, and you want the workspace to access data sources in other AWS accounts in the organization, this parameter must be set to `CUSTOMER_MANAGED` .\n\nFor more information about converting between customer and service managed, see [Managing permissions for data sources and notification channels](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-datasource-and-notification.html) . 
For more information about the roles and permissions that must be managed for customer managed workspaces, see [Amazon Managed Grafana permissions and policies for AWS data sources and notification channels](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-manage-permissions.html)", + "PluginAdminEnabled": "Whether plugin administration is enabled in the workspace. Setting to `true` allows workspace admins to install, uninstall, and update plugins from within the Grafana workspace.\n\n> This option is only valid for workspaces that support Grafana version 9 or newer.", "RoleArn": "The IAM role that grants permissions to the AWS resources that the workspace will view data from. This role must already exist.", "SamlConfiguration": "If the workspace uses SAML, use this structure to map SAML assertion attributes to workspace user information and define which groups in the assertion attribute are to have the `Admin` and `Editor` roles in the workspace.", "StackSetName": "The name of the AWS CloudFormation stack set that is used to generate IAM roles to be used for this workspace.", 
@@ -13334,12 +15502,12 @@ "AWS::Greengrass::ConnectorDefinition": { "InitialVersion": "The connector definition version to include when the connector definition is created. A connector definition version contains a list of [`connector`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-connectordefinition-connector.html) property types.\n\n> To associate a connector definition version after the connector definition is created, create an [`AWS::Greengrass::ConnectorDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-connectordefinitionversion.html) resource and specify the ID of this connector definition.", "Name": "The name of the connector definition.", - "Tags": "Application-specific metadata to attach to the connector definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" + "Tags": "Application-specific metadata to attach to the connector definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. 
It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" }, "AWS::Greengrass::ConnectorDefinition Connector": { - "ConnectorArn": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "ConnectorArn": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "Id": "A descriptive or arbitrary ID for the connector. This value must be unique within the connector definition version. Maximum length is 128 characters with pattern `[a-zA-Z0-9:_-]+` .", - "Parameters": "The parameters or configuration used by the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) ." + "Parameters": "The parameters or configuration used by the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) ." }, "AWS::Greengrass::ConnectorDefinition ConnectorDefinitionVersion": { "Connectors": "The connectors in this version. Only one instance of a given connector can be added to a connector definition version at a time." 
@@ -13349,14 +15517,14 @@ "Connectors": "The connectors in this version. Only one instance of a given connector can be added to the connector definition version at a time." }, "AWS::Greengrass::ConnectorDefinitionVersion Connector": { - "ConnectorArn": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "ConnectorArn": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "Id": "A descriptive or arbitrary ID for the connector. This value must be unique within the connector definition version. Maximum length is 128 characters with pattern `[a-zA-Z0-9:_-]+` .", - "Parameters": "The parameters or configuration that the connector uses.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) ." + "Parameters": "The parameters or configuration that the connector uses.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) ." }, "AWS::Greengrass::CoreDefinition": { "InitialVersion": "The core definition version to include when the core definition is created. 
Currently, a core definition version can contain only one [`core`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-coredefinition-core.html) .\n\n> To associate a core definition version after the core definition is created, create an [`AWS::Greengrass::CoreDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-coredefinitionversion.html) resource and specify the ID of this core definition.", "Name": "The name of the core definition.", - "Tags": "Application-specific metadata to attach to the core definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" + "Tags": "Application-specific metadata to attach to the core definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. 
It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" }, "AWS::Greengrass::CoreDefinition Core": { "CertificateArn": "The Amazon Resource Name (ARN) of the device certificate for the core. This X.509 certificate is used to authenticate the core with AWS IoT and AWS IoT Greengrass services.", 
@@ -13380,7 +15548,7 @@ "AWS::Greengrass::DeviceDefinition": { "InitialVersion": "The device definition version to include when the device definition is created. A device definition version contains a list of [`device`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-devicedefinition-device.html) property types.\n\n> To associate a device definition version after the device definition is created, create an [`AWS::Greengrass::DeviceDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-devicedefinitionversion.html) resource and specify the ID of this device definition.", "Name": "The name of the device definition.", - "Tags": "Application-specific metadata to attach to the device definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" + "Tags": "Application-specific metadata to attach to the device definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. 
It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" }, "AWS::Greengrass::DeviceDefinition Device": { "CertificateArn": "The Amazon Resource Name (ARN) of the device certificate for the device. This X.509 certificate is used to authenticate the device with AWS IoT and AWS IoT Greengrass services.", 
@@ -13404,7 +15572,7 @@ "AWS::Greengrass::FunctionDefinition": { "InitialVersion": "The function definition version to include when the function definition is created. A function definition version contains a list of [`function`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinition-function.html) property types.\n\n> To associate a function definition version after the function definition is created, create an [`AWS::Greengrass::FunctionDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-functiondefinitionversion.html) resource and specify the ID of this function definition.", "Name": "The name of the function definition.", - "Tags": "Application-specific metadata to attach to the function definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" + "Tags": "Application-specific metadata to attach to the function definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. 
It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" }, "AWS::Greengrass::FunctionDefinition DefaultConfig": { "Execution": "Configuration settings for the Lambda execution environment on the AWS IoT Greengrass core." 
@@ -13416,8 +15584,8 @@ "Variables": "Environment variables for the Lambda function." }, "AWS::Greengrass::FunctionDefinition Execution": { - "IsolationMode": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", - "RunAs": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-running-as-root) ." + "IsolationMode": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . 
For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", + "RunAs": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. For more information, see [Run as](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. 
Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-running-as-root) ." }, "AWS::Greengrass::FunctionDefinition Function": { "FunctionArn": "The Amazon Resource Name (ARN) of the alias (recommended) or version of the referenced Lambda function.", 
@@ -13460,8 +15628,8 @@ "Variables": "Environment variables for the Lambda function." }, "AWS::Greengrass::FunctionDefinitionVersion Execution": { - "IsolationMode": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", - "RunAs": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-running-as-root) ." + "IsolationMode": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . 
For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", + "RunAs": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. For more information, see [Run as](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. 
Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-running-as-root) ." }, "AWS::Greengrass::FunctionDefinitionVersion Function": { "FunctionArn": "The Amazon Resource Name (ARN) of the alias (recommended) or version of the referenced Lambda function.", 
@@ -13489,7 +15657,7 @@ "InitialVersion": "The group version to include when the group is created. A group version references the Amazon Resource Name (ARN) of a core definition version, device definition version, subscription definition version, and other version types. The group version must reference a core definition version that contains one core. Other version types are optionally included, depending on your business need.\n\n> To associate a group version after the group is created, create an [`AWS::Greengrass::GroupVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-groupversion.html) resource and specify the ID of this group.", "Name": "The name of the group.", "RoleArn": "The Amazon Resource Name (ARN) of the IAM role attached to the group. This role contains the permissions that Lambda functions and connectors use to interact with other AWS services.", - "Tags": "Application-specific metadata to attach to the group. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" + "Tags": "Application-specific metadata to attach to the group. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. 
For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" }, "AWS::Greengrass::Group GroupVersion": { "ConnectorDefinitionVersionArn": "The Amazon Resource Name (ARN) of the connector definition version that contains the connectors you want to deploy with the group version.", 
@@ -13513,7 +15681,7 @@ "AWS::Greengrass::LoggerDefinition": { "InitialVersion": "The logger definition version to include when the logger definition is created. A logger definition version contains a list of [`logger`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-loggerdefinition-logger.html) property types.\n\n> To associate a logger definition version after the logger definition is created, create an [`AWS::Greengrass::LoggerDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-loggerdefinitionversion.html) resource and specify the ID of this logger definition.", "Name": "The name of the logger definition.", - "Tags": "Application-specific metadata to attach to the logger definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" + "Tags": "Application-specific metadata to attach to the logger definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. 
It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" }, "AWS::Greengrass::LoggerDefinition Logger": { "Component": "The source of the log event. Valid values are `GreengrassSystem` or `Lambda` . When `GreengrassSystem` is used, events from Greengrass system components are logged. When `Lambda` is used, events from user-defined Lambda functions are logged.", 
@@ -13539,7 +15707,7 @@ "AWS::Greengrass::ResourceDefinition": { "InitialVersion": "The resource definition version to include when the resource definition is created. A resource definition version contains a list of [`resource instance`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-resourcedefinition-resourceinstance.html) property types.\n\n> To associate a resource definition version after the resource definition is created, create an [`AWS::Greengrass::ResourceDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-resourcedefinitionversion.html) resource and specify the ID of this resource definition.", "Name": "The name of the resource definition.", - "Tags": "Application-specific metadata to attach to the resource definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" + "Tags": "Application-specific metadata to attach to the resource definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. 
It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" }, "AWS::Greengrass::ResourceDefinition GroupOwnerSetting": { "AutoAddGroupOwner": "Indicates whether to give the privileges of the Linux group that owns the resource to the Lambda process. This gives the Lambda process the file access permissions of the Linux group.", 
@@ -13575,12 +15743,12 @@ }, "AWS::Greengrass::ResourceDefinition S3MachineLearningModelResourceData": { "DestinationPath": "The absolute local path of the resource inside the Lambda environment.", - "OwnerSetting": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "OwnerSetting": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "S3Uri": "The URI of the source model in an Amazon S3 bucket. The model package must be in `tar.gz` or `.zip` format." }, "AWS::Greengrass::ResourceDefinition SageMakerMachineLearningModelResourceData": { "DestinationPath": "The absolute local path of the resource inside the Lambda environment.", - "OwnerSetting": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "OwnerSetting": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "SageMakerJobArn": "The Amazon Resource Name (ARN) of the Amazon SageMaker training job that represents the source model." }, "AWS::Greengrass::ResourceDefinition SecretsManagerSecretResourceData": { 
@@ -13622,12 +15790,12 @@ }, "AWS::Greengrass::ResourceDefinitionVersion S3MachineLearningModelResourceData": { "DestinationPath": "The absolute local path of the resource inside the Lambda environment.", - "OwnerSetting": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "OwnerSetting": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "S3Uri": "The URI of the source model in an Amazon S3 bucket. The model package must be in `tar.gz` or `.zip` format." }, "AWS::Greengrass::ResourceDefinitionVersion SageMakerMachineLearningModelResourceData": { "DestinationPath": "The absolute local path of the resource inside the Lambda environment.", - "OwnerSetting": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "OwnerSetting": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "SageMakerJobArn": "The Amazon Resource Name (ARN) of the Amazon SageMaker training job that represents the source model." }, "AWS::Greengrass::ResourceDefinitionVersion SecretsManagerSecretResourceData": { 
@@ -13637,7 +15805,7 @@ "AWS::Greengrass::SubscriptionDefinition": { "InitialVersion": "The subscription definition version to include when the subscription definition is created. A subscription definition version contains a list of [`subscription`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-subscriptiondefinition-subscription.html) property types.\n\n> To associate a subscription definition version after the subscription definition is created, create an [`AWS::Greengrass::SubscriptionDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-subscriptiondefinitionversion.html) resource and specify the ID of this subscription definition.", "Name": "The name of the subscription definition.", - "Tags": "Application-specific metadata to attach to the subscription definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" + "Tags": "Application-specific metadata to attach to the subscription definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. 
It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```" }, "AWS::Greengrass::SubscriptionDefinition Subscription": { "Id": "A descriptive or arbitrary ID for the subscription. This value must be unique within the subscription definition version. Maximum length is 128 characters with pattern `[a-zA-Z0-9:_-]+` .", @@ -13818,10 +15986,10 @@ "DataflowEndpointRegion": "The region of the dataflow endpoint to use during contacts. When omitted, Ground Station will use the region of the contact." }, "AWS::GroundStation::Config DecodeConfig": { - "UnvalidatedJSON": "The decoding settings are in JSON format and define a set of steps to perform to decode the data." + "UnvalidatedJSON": "" }, "AWS::GroundStation::Config DemodulationConfig": { - "UnvalidatedJSON": "The demodulation settings are in JSON format and define parameters for demodulation, for example which modulation scheme (e.g. PSK, QPSK, etc.) and matched filter to use." + "UnvalidatedJSON": "" }, "AWS::GroundStation::Config Eirp": { "Units": "The units of the EIRP.", 
@@ -13845,6 +16013,10 @@ "CenterFrequency": "The center frequency of the spectrum. Valid values are between 2200 to 2300 MHz and 7750 to 8400 MHz for downlink and 2025 to 2120 MHz for uplink.", "Polarization": "The polarization of the spectrum. Valid values are `\"RIGHT_HAND\"` and `\"LEFT_HAND\"` . Capturing both `\"RIGHT_HAND\"` and `\"LEFT_HAND\"` polarization requires two separate configs." }, + "AWS::GroundStation::Config Tag": { + "Key": "", + "Value": "" + }, "AWS::GroundStation::Config TrackingConfig": { "Autotrack": "Specifies whether or not to use autotrack. `REMOVED` specifies that program track should only be used during the contact. `PREFERRED` specifies that autotracking is preferred during the contact but fallback to program track if the signal is lost. `REQUIRED` specifies that autotracking is required during the contact and not to use program track if the signal is lost." }, @@ -13875,7 +16047,7 @@ }, "AWS::GroundStation::DataflowEndpointGroup DataflowEndpoint": { "Address": "The address and port of an endpoint.", - "Mtu": "Maximum transmission unit (MTU) size in bytes of a dataflow endpoint. Valid values are between 1400 and 1500. A default value of 1500 is used if not set.", + "Mtu": "", "Name": "The endpoint name.\n\nWhen listing available contacts for a satellite, Ground Station searches for a dataflow endpoint whose name matches the value specified by the dataflow endpoint config of the selected mission profile. If no matching dataflow endpoints are found then Ground Station will not display any available contacts for the satellite." }, "AWS::GroundStation::DataflowEndpointGroup EndpointDetails": { 
@@ -13904,6 +16076,10 @@ "Name": "The name of the endpoint, such as `Endpoint 1` .", "Port": "The port of the endpoint, such as `55888` ." }, + "AWS::GroundStation::DataflowEndpointGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::GroundStation::MissionProfile": { "ContactPostPassDurationSeconds": "Amount of time in seconds after a contact ends that you\u2019d like to receive a CloudWatch Event indicating the pass has finished. For more information on CloudWatch Events, see the [What Is CloudWatch Events?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html)", "ContactPrePassDurationSeconds": "Amount of time in seconds prior to contact start that you'd like to receive a CloudWatch Event indicating an upcoming pass. For more information on CloudWatch Events, see the [What Is CloudWatch Events?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html)", @@ -13923,6 +16099,10 @@ "KmsAliasArn": "", "KmsKeyArn": "" }, + "AWS::GroundStation::MissionProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::GuardDuty::Detector": { "DataSources": "Describes which data sources will be enabled for the detector.", "Enable": "Specifies whether the detector is to be enabled on creation.", 
@@ -13935,6 +16115,15 @@ "MalwareProtection": "Describes whether Malware Protection will be enabled as a data source.", "S3Logs": "Describes whether S3 data event logs are enabled as a data source." }, + "AWS::GuardDuty::Detector CFNFeatureAdditionalConfiguration": { + "Name": "Name of the additional configuration.", + "Status": "Status of the additional configuration." + }, + "AWS::GuardDuty::Detector CFNFeatureConfiguration": { + "AdditionalConfiguration": "Information about the additional configuration of a feature in your account.", + "Name": "Name of the feature.", + "Status": "Status of the feature configuration." + }, "AWS::GuardDuty::Detector CFNKubernetesAuditLogsConfiguration": { "Enable": "Describes whether Kubernetes audit logs are enabled as a data source for the detector." }, @@ -13950,14 +16139,9 @@ "AWS::GuardDuty::Detector CFNScanEc2InstanceWithFindingsConfiguration": { "EbsVolumes": "Describes the configuration for scanning EBS volumes as data source." }, - "AWS::GuardDuty::Detector FeatureAdditionalConfiguration": { - "Name": "Name of the additional configuration of a feature.", - "Status": "Status of the additional configuration of a feature." - }, - "AWS::GuardDuty::Detector FeatureConfigurations": { - "AdditionalConfiguration": "Additional configuration of the feature.", - "Name": "Name of the feature.", - "Status": "Status of the feature." + "AWS::GuardDuty::Detector TagItem": { + "Key": "The tag value.", + "Value": "The tag key." }, "AWS::GuardDuty::Filter": { "Action": "Specifies the action that is to be applied to the findings that match the filter.", 
@@ -13983,9 +16167,13 @@ "NotEquals": "Represents a *not equal* ** condition to be applied to a single field when querying for findings." }, "AWS::GuardDuty::Filter FindingCriteria": { - "Criterion": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor a mapping of JSON criterion to their console equivalent see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . The following are the available criterion:\n\n- accountId\n- region\n- confidence\n- id\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.outpostArn\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.resourceType\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- 
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.additionalInfo.threatListName\n- service.archived\n\nWhen this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.\n- service.resourceRole\n- severity\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.", + "Criterion": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor information about JSON criterion mapping to their console equivalent, see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . 
The following are the available criterion:\n\n- accountId\n- id\n- region\n- severity\n\nTo filter on the basis of severity, API and CFN use the following input list for the condition:\n\n- *Low* : `[\"1\", \"2\", \"3\"]`\n- *Medium* : `[\"4\", \"5\", \"6\"]`\n- *High* : `[\"7\", \"8\", \"9\"]`\n\nFor more information, see [Severity levels for GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity) .\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.outpostArn\n- resource.resourceType\n- resource.s3BucketDetails.publicAccess.effectivePermissions\n- resource.s3BucketDetails.name\n- resource.s3BucketDetails.tags.key\n- resource.s3BucketDetails.tags.value\n- resource.s3BucketDetails.type\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- 
service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.action.awsApiCallAction.remoteAccountDetails.affiliated\n- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.kubernetesApiCallAction.requestUri\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.protocol\n- service.action.awsApiCallAction.serviceName\n- service.action.awsApiCallAction.remoteAccountDetails.accountId\n- service.additionalInfo.threatListName\n- service.resourceRole\n- resource.eksClusterDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.namespace\n- resource.kubernetesDetails.kubernetesUserDetails.username\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix\n- service.ebsVolumeScanDetails.scanId\n- 
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash\n- resource.ecsClusterDetails.name\n- resource.ecsClusterDetails.taskDetails.containers.image\n- resource.ecsClusterDetails.taskDetails.definitionArn\n- resource.containerDetails.image\n- resource.rdsDbInstanceDetails.dbInstanceIdentifier\n- resource.rdsDbInstanceDetails.dbClusterIdentifier\n- resource.rdsDbInstanceDetails.engine\n- resource.rdsDbUserDetails.user\n- resource.rdsDbInstanceDetails.tags.key\n- resource.rdsDbInstanceDetails.tags.value\n- service.runtimeDetails.process.executableSha256\n- service.runtimeDetails.process.name\n- service.runtimeDetails.process.name\n- resource.lambdaDetails.functionName\n- resource.lambdaDetails.functionArn\n- resource.lambdaDetails.tags.key\n- resource.lambdaDetails.tags.value", "ItemType": "Specifies the condition to be applied to a single field when filtering through findings." }, + "AWS::GuardDuty::Filter Tag": { + "Key": "The EC2 instance tag key.", + "Value": "The EC2 instance tag value." + }, "AWS::GuardDuty::IPSet": { "Activate": "Indicates whether or not GuardDuty uses the `IPSet` .", "DetectorId": "The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.", 
@@ -13994,16 +16182,18 @@ "Name": "The user-friendly name to identify the IPSet.\n\nAllowed characters are alphanumeric, whitespace, dash (-), and underscores (_).", "Tags": "The tags to be added to a new IP set resource. Each tag consists of a key and an optional value, both of which you define.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::GuardDuty::IPSet TagItem": { + "Key": "", + "Value": "" + }, "AWS::GuardDuty::Master": { "DetectorId": "The unique ID of the detector of the GuardDuty member account.", - "InvitationId": "The ID of the invitation that is sent to the account designated as a member account. You can find the invitation ID by using the ListInvitation action of the GuardDuty API.", - "MasterId": "The AWS account ID of the account designated as the GuardDuty administrator account." + "InvitationId": "The ID of the invitation that is sent to the account designated as a member account. You can find the invitation ID by using the ListInvitation action of the GuardDuty API." }, "AWS::GuardDuty::Member": { "DetectorId": "The ID of the detector associated with the GuardDuty service to add the member to.", "DisableEmailNotification": "Specifies whether or not to disable email notification for the member account that you invite.", "Email": "The email address associated with the member account.", - "MemberId": "The AWS account ID of the account to designate as a member.", "Message": "The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.", "Status": "You can use the `Status` property to update the status of the relationship between the member account and its administrator account. Valid values are `Created` and `Invited` when using an `AWS::GuardDuty::Member` resource. If the value for this property is not provided or set to `Created` , a member account is created but not invited. 
If the value of this property is set to `Invited` , a member account is created and invited." }, 
@@ -14015,12 +16205,21 @@ "Name": "A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.", "Tags": "The tags to be added to a new threat list resource. Each tag consists of a key and an optional value, both of which you define.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::GuardDuty::ThreatIntelSet TagItem": { + "Key": "", + "Value": "" + }, + "AWS::HealthImaging::Datastore": { + "DatastoreName": "The data store name.", + "KmsKeyArn": "The Amazon Resource Name (ARN) assigned to the Key Management Service (KMS) key for accessing encrypted data.", + "Tags": "The tags provided when creating a data store." + }, "AWS::HealthLake::FHIRDatastore": { - "DatastoreName": "The user generated name for the Data Store.", - "DatastoreTypeVersion": "The FHIR version of the Data Store. The only supported version is R4.", - "IdentityProviderConfiguration": "", - "PreloadDataConfig": "The preloaded data configuration for the Data Store. Only data preloaded from Synthea is supported.", - "SseConfiguration": "The server-side encryption key configuration for a customer provided encryption key specified for creating a Data Store.", + "DatastoreName": "The user generated name for the data store.", + "DatastoreTypeVersion": "The FHIR version of the data store. The only supported version is R4.", + "IdentityProviderConfiguration": "The identity provider configuration that you gave when the data store was created.", + "PreloadDataConfig": "The preloaded data configuration for the data store. 
Only data preloaded from Synthea is supported.", + "SseConfiguration": "The server-side encryption key configuration for a customer provided encryption key specified for creating a data store.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::HealthLake::FHIRDatastore CreatedAt": { 
@@ -14028,14 +16227,14 @@ "Seconds": "" }, "AWS::HealthLake::FHIRDatastore IdentityProviderConfiguration": { - "AuthorizationStrategy": "", - "FineGrainedAuthorizationEnabled": "", - "IdpLambdaArn": "", - "Metadata": "" + "AuthorizationStrategy": "The authorization strategy that you selected when you created the data store.", + "FineGrainedAuthorizationEnabled": "If you enabled fine-grained authorization when you created the data store.", + "IdpLambdaArn": "The Amazon Resource Name (ARN) of the Lambda function that you want to use to decode the access token created by the authorization server.", + "Metadata": "The JSON metadata elements that you want to use in your identity provider configuration. Required elements are listed based on the launch specification of the SMART application. For more information on all possible elements, see [Metadata](https://docs.aws.amazon.com/https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata) in SMART's App Launch specification.\n\n`authorization_endpoint` : The URL to the OAuth2 authorization endpoint.\n\n`grant_types_supported` : An array of grant types that are supported at the token endpoint. You must provide at least one grant type option. Valid options are `authorization_code` and `client_credentials` .\n\n`token_endpoint` : The URL to the OAuth2 token endpoint.\n\n`capabilities` : An array of strings of the SMART capabilities that the authorization server supports.\n\n`code_challenge_methods_supported` : An array of strings of supported PKCE code challenge methods. You must include the `S256` method in the array of PKCE code challenge methods." }, "AWS::HealthLake::FHIRDatastore KmsEncryptionConfig": { "CmkType": "The type of customer-managed-key(CMK) used for encryption. The two types of supported CMKs are customer owned CMKs and Amazon owned CMKs. 
For more information on CMK types, see [KmsEncryptionConfig](https://docs.aws.amazon.com/healthlake/latest/APIReference/API_KmsEncryptionConfig.html#HealthLake-Type-KmsEncryptionConfig-CmkType) .", - "KmsKeyId": "The KMS encryption key id/alias used to encrypt the Data Store contents at rest." + "KmsKeyId": "The KMS encryption key id/alias used to encrypt the data store contents at rest." }, "AWS::HealthLake::FHIRDatastore PreloadDataConfig": { "PreloadDataType": "The type of preloaded data. Only Synthea preloaded data is supported." @@ -14043,6 +16242,10 @@ "AWS::HealthLake::FHIRDatastore SseConfiguration": { "KmsEncryptionConfig": "The server-side encryption key configuration for a customer provided encryption key (CMK)." }, + "AWS::HealthLake::FHIRDatastore Tag": { + "Key": "The key portion of a tag. Tag keys are case sensitive.", + "Value": "The value portion of a tag. Tag values are case sensitive." + }, "AWS::IAM::AccessKey": { "Serial": "This value is specific to CloudFormation and can only be *incremented* . Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.", "Status": "The status of the access key. `Active` means that the key is valid for API calls, while `Inactive` means it is not.", 
@@ -14058,6 +16261,11 @@ "PolicyDocument": "The policy document.", "PolicyName": "The friendly name (not ARN) identifying the policy." }, + "AWS::IAM::GroupPolicy": { + "GroupName": "The name of the group to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", + "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "PolicyName": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-" + }, "AWS::IAM::InstanceProfile": { "InstanceProfileName": "The name of the instance profile to create.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. 
You can also include any of the following characters: _+=,.@-", "Path": "The path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\u0021` ) through the DEL character ( `\\u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", 
@@ -14078,6 +16286,10 @@ "ThumbprintList": "A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .", "Url": "The URL that the IAM OIDC provider resource object is associated with. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) ." }, + "AWS::IAM::OIDCProvider Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, "AWS::IAM::Policy": { "Groups": "The name of the group to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. 
AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", 
@@ -14100,11 +16312,24 @@ "PolicyDocument": "The entire contents of the policy that defines permissions. For more information, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) .", "PolicyName": "The friendly name (not ARN) identifying the policy." }, + "AWS::IAM::Role Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, + "AWS::IAM::RolePolicy": { + "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. 
AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "PolicyName": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "RoleName": "The name of the role to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-" + }, "AWS::IAM::SAMLProvider": { "Name": "The name of the provider to create.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "SamlMetadataDocument": "An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. 
You must generate the metadata document using the identity management software that is used as your organization's IdP.\n\nFor more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*", "Tags": "A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .\n\n> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created." }, + "AWS::IAM::SAMLProvider Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, "AWS::IAM::ServerCertificate": { "CertificateBody": "The contents of the public key certificate.", "CertificateChain": "The contents of the public key certificate chain.", 
@@ -14113,6 +16338,10 @@ "ServerCertificateName": "The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "Tags": "A list of tags that are attached to the server certificate. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* ." }, + "AWS::IAM::ServerCertificate Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, "AWS::IAM::ServiceLinkedRole": { "AWSServiceName": "The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: `elasticbeanstalk.amazonaws.com` .\n\nService principals are unique and case-sensitive. 
To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.", "CustomSuffix": "A string that you provide, which is combined with the service-provided prefix to form the complete role name. If you make multiple requests for the same service, then you must supply a different `CustomSuffix` for each request. Otherwise the request fails with a duplicate role name error. For example, you could add `-1` or `-debug` to the suffix.\n\nSome services do not support the `CustomSuffix` parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.", 
@@ -14136,6 +16365,15 @@ "PolicyDocument": "The entire contents of the policy that defines permissions. For more information, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) .", "PolicyName": "The friendly name (not ARN) identifying the policy." }, + "AWS::IAM::User Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, + "AWS::IAM::UserPolicy": { + "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. 
AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "PolicyName": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "UserName": "The name of the user to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-" + }, "AWS::IAM::UserToGroupAddition": { "GroupName": "The name of the group to update.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "Users": "A list of the names of the users that you want to add to the group." 
@@ -14146,6 +16384,10 @@ "Users": "The IAM user associated with this virtual MFA device.", "VirtualMfaDeviceName": "The name of the virtual MFA device, which must be unique. Use with path to uniquely identify a virtual MFA device.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-" }, + "AWS::IAM::VirtualMFADevice Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, "AWS::IVS::Channel": { "Authorized": "Whether the channel is authorized.\n\n*Default* : `false`", "InsecureIngest": "Whether the channel allows insecure RTMP ingest.\n\n*Default* : `false`", 
@@ -14153,39 +16395,62 @@ "Name": "Channel name.", "Preset": "An optional transcode preset for the channel. This is selectable only for `ADVANCED_HD` and `ADVANCED_SD` channel types. For those channel types, the default preset is `HIGHER_BANDWIDTH_DELIVERY` . For other channel types ( `BASIC` and `STANDARD` ), `preset` is the empty string (\"\").", "RecordingConfigurationArn": "The ARN of a RecordingConfiguration resource. An empty string indicates that recording is disabled for the channel. A RecordingConfiguration ARN indicates that recording is enabled using the specified recording configuration. See the [RecordingConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ivs-recordingconfiguration.html) resource for more information and an example.\n\n*Default* : \"\" (empty string, recording is disabled)", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-channel-tag.html) .", "Type": "The channel type, which determines the allowable resolution and bitrate. *If you exceed the allowable resolution or bitrate, the stream probably will disconnect immediately.* Valid values:\n\n- `STANDARD` : Video is transcoded: multiple qualities are generated from the original input to automatically give viewers the best experience for their devices and network conditions. Transcoding allows higher playback quality across a range of download speeds. Resolution can be up to 1080p and bitrate can be up to 8.5 Mbps. Audio is transcoded only for renditions 360p and below; above that, audio is passed through.\n- `BASIC` : Video is transmuxed: Amazon IVS delivers the original input to viewers. 
The viewer\u2019s video-quality choice is limited to the original input. Resolution can be up to 1080p and bitrate can be up to 1.5 Mbps for 480p and up to 3.5 Mbps for resolutions between 480p and 1080p.\n- `ADVANCED_SD` : Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at SD quality (480p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.\n- `ADVANCED_HD` : Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at HD quality (720p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.\n\nOptional *transcode presets* (available for the `ADVANCED` types) allow you to trade off available download bandwidth and video quality, to optimize the viewing experience. There are two presets:\n\n- *Constrained bandwidth delivery* uses a lower bitrate for each quality level. Use it if you have low download bandwidth and/or simple video content (e.g., talking heads)\n- *Higher bandwidth delivery* uses a higher bitrate for each quality level. Use it if you have high download bandwidth and/or complex video content (e.g., flashes and quick scene changes).\n\n*Default* : `STANDARD`" }, + "AWS::IVS::Channel Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." 
+ }, "AWS::IVS::PlaybackKeyPair": { "Name": "Playback-key-pair name. The value does not need to be unique.", "PublicKeyMaterial": "The public portion of a customer-generated key pair.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-playbackkeypair-tag.html) ." + }, + "AWS::IVS::PlaybackKeyPair Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::IVS::RecordingConfiguration": { - "DestinationConfiguration": "A destination configuration contains information about where recorded video will be stored. See the [DestinationConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-destinationconfiguration.html) property type for more information.", + "DestinationConfiguration": "A destination configuration contains information about where recorded video will be stored. See the DestinationConfiguration property type for more information.", "Name": "Recording-configuration name. 
The value does not need to be unique.", "RecordingReconnectWindowSeconds": "If a broadcast disconnects and then reconnects within the specified interval, the multiple streams will be considered a single broadcast and merged together.\n\n*Default* : `0`", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", - "ThumbnailConfiguration": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the [ThumbnailConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thunbnailconfiguration.html) property type for more information." + "RenditionConfiguration": "A rendition configuration describes which renditions should be recorded for a stream. See the RenditionConfiguration property type for more information.", + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-tag.html) .", + "ThumbnailConfiguration": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the ThumbnailConfiguration property type for more information." }, "AWS::IVS::RecordingConfiguration DestinationConfiguration": { "S3": "An S3 destination configuration where recorded videos will be stored. See the [S3DestinationConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-s3destinationconfiguration.html) property type for more information." 
}, + "AWS::IVS::RecordingConfiguration RenditionConfiguration": { + "RenditionSelection": "The set of renditions are recorded for a stream. For `BASIC` channels, the `CUSTOM` value has no effect. If `CUSTOM` is specified, a set of renditions can be specified in the `renditions` field. Default: `ALL` .", + "Renditions": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) ." + }, "AWS::IVS::RecordingConfiguration S3DestinationConfiguration": { "BucketName": "Location (S3 bucket name) where recorded videos will be stored." }, + "AWS::IVS::RecordingConfiguration Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::IVS::RecordingConfiguration ThumbnailConfiguration": { "RecordingMode": "Thumbnail recording mode. Valid values:\n\n- `DISABLED` : Use DISABLED to disable the generation of thumbnails for recorded video.\n- `INTERVAL` : Use INTERVAL to enable the generation of thumbnails for recorded video at a time interval controlled by the [TargetIntervalSeconds](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-targetintervalseconds) property.\n\n*Default* : `INTERVAL`", - "TargetIntervalSeconds": "The targeted thumbnail-generation interval in seconds. 
This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 5. Maximum value of 60." + "Resolution": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "Storage": "The format in which thumbnails are recorded for a stream. `SEQUENTIAL` records all generated thumbnails in a serial manner, to the media/thumbnails directory. `LATEST` saves the latest thumbnail in media/thumbnails/latest/thumb.jpg and overwrites it at the interval specified by `targetIntervalSeconds` . You can enable both `SEQUENTIAL` and `LATEST` . Default: `SEQUENTIAL` .", + "TargetIntervalSeconds": "The targeted thumbnail-generation interval in seconds. 
This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60." }, "AWS::IVS::StreamKey": { "ChannelArn": "Channel ARN for the stream.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-streamkey-tag.html) ." + }, + "AWS::IVS::StreamKey Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::IVSChat::LoggingConfiguration": { "DestinationConfiguration": "The DestinationConfiguration is a complex type that contains information about where chat content will be logged.", "Name": "Logging-configuration name. 
The value does not need to be unique.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-loggingconfiguration-tag.html) ." }, "AWS::IVSChat::LoggingConfiguration CloudWatchLogsDestinationConfiguration": { "LogGroupName": "Name of the Amazon Cloudwatch Logs destination where chat activity will be logged." 
@@ -14201,18 +16466,26 @@ "AWS::IVSChat::LoggingConfiguration S3DestinationConfiguration": { "BucketName": "Name of the Amazon S3 bucket where chat activity will be logged." }, + "AWS::IVSChat::LoggingConfiguration Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::IVSChat::Room": { "LoggingConfigurationIdentifiers": "List of logging-configuration identifiers attached to the room.", "MaximumMessageLength": "Maximum number of characters in a single message. Messages are expected to be UTF-8 encoded and this limit applies specifically to rune/code-point count, not number of bytes.", "MaximumMessageRatePerSecond": "Maximum number of messages per second that can be sent to the room (by all clients).", "MessageReviewHandler": "Configuration information for optional review of messages.", "Name": "Room name. The value does not need to be unique.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-room-tag.html) ." }, "AWS::IVSChat::Room MessageReviewHandler": { "FallbackResult": "Specifies the fallback behavior (whether the message is allowed or denied) if the handler does not return a valid response, encounters an error, or times out. (For the timeout period, see [Service Quotas](https://docs.aws.amazon.com/ivs/latest/userguide/service-quotas.html) .) If allowed, the message is delivered with returned content to all users connected to the room. 
If denied, the message is not delivered to any user.\n\n*Default* : `ALLOW`", "Uri": "Identifier of the message review handler. Currently this must be an ARN of a lambda function." }, + "AWS::IVSChat::Room Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::IdentityStore::Group": { "Description": "A string containing the description of the group.", "DisplayName": "", @@ -14227,7 +16500,7 @@ "UserId": "" }, "AWS::ImageBuilder::Component": { - "ChangeDescription": "The change description of the component. Describes what change has been made in this version, or what makes this version different from other versions of this component.", + "ChangeDescription": "The change description of the component. Describes what change has been made in this version, or what makes this version different from other versions of the component.", "Data": "Component `data` contains inline YAML document content for the component. Alternatively, you can specify the `uri` of a YAML document file stored in Amazon S3. However, you cannot specify both properties.", "Description": "Describes the contents of the component.", "KmsKeyId": "The ID of the KMS key that is used to encrypt this component.", 
@@ -14257,11 +16530,11 @@ }, "AWS::ImageBuilder::ContainerRecipe ComponentConfiguration": { "ComponentArn": "The Amazon Resource Name (ARN) of the component.", - "Parameters": "" + "Parameters": "A group of parameter settings that Image Builder uses to configure the component for a specific recipe." }, "AWS::ImageBuilder::ContainerRecipe ComponentParameter": { - "Name": "", - "Value": "" + "Name": "The name of the component parameter to set.", + "Value": "Sets the value for the named component parameter." }, "AWS::ImageBuilder::ContainerRecipe EbsInstanceBlockDeviceSpecification": { "DeleteOnTermination": "Use to configure delete on termination of the associated device.", 
@@ -14309,25 +16582,25 @@ "AWS::ImageBuilder::DistributionConfiguration Distribution": { "AmiDistributionConfiguration": "The specific AMI settings, such as launch permissions and AMI tags. For details, see example schema below.", "ContainerDistributionConfiguration": "Container distribution settings for encryption, licensing, and sharing in a specific Region. For details, see example schema below.", - "FastLaunchConfigurations": "", + "FastLaunchConfigurations": "The Windows faster-launching configurations to use for AMI distribution.", "LaunchTemplateConfigurations": "A group of launchTemplateConfiguration settings that apply to image distribution for specified accounts.", "LicenseConfigurationArns": "The License Manager Configuration to associate with the AMI in the specified Region. For more information, see the [LicenseConfiguration API](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_LicenseConfiguration.html) .", "Region": "The target Region for the Distribution Configuration. For example, `eu-west-1` ." }, "AWS::ImageBuilder::DistributionConfiguration FastLaunchConfiguration": { - "AccountId": "", - "Enabled": "", - "LaunchTemplate": "", - "MaxParallelLaunches": "", - "SnapshotConfiguration": "" + "AccountId": "The owner account ID for the fast-launch enabled Windows AMI.", + "Enabled": "A Boolean that represents the current state of faster launching for the Windows AMI. Set to `true` to start using Windows faster launching, or `false` to stop using it.", + "LaunchTemplate": "The launch template that the fast-launch enabled Windows AMI uses when it launches Windows instances to create pre-provisioned snapshots.", + "MaxParallelLaunches": "The maximum number of parallel instances that are launched for creating resources.", + "SnapshotConfiguration": "Configuration settings for managing the number of snapshots that are created from pre-provisioned instances for the Windows AMI when faster launching is enabled." 
}, "AWS::ImageBuilder::DistributionConfiguration FastLaunchLaunchTemplateSpecification": { - "LaunchTemplateId": "", - "LaunchTemplateName": "", - "LaunchTemplateVersion": "" + "LaunchTemplateId": "The ID of the launch template to use for faster launching for a Windows AMI.", + "LaunchTemplateName": "The name of the launch template to use for faster launching for a Windows AMI.", + "LaunchTemplateVersion": "The version of the launch template to use for faster launching for a Windows AMI." }, "AWS::ImageBuilder::DistributionConfiguration FastLaunchSnapshotConfiguration": { - "TargetResourceCount": "" + "TargetResourceCount": "The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI." }, "AWS::ImageBuilder::DistributionConfiguration LaunchPermissionConfiguration": { "OrganizationArns": "The ARN for an AWS Organization that you want to share your AMI with. For more information, see [What is AWS Organizations ?](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) .", 
@@ -14349,18 +16622,18 @@ "DistributionConfigurationArn": "The Amazon Resource Name (ARN) of the distribution configuration.", "EnhancedImageMetadataEnabled": "Indicates whether Image Builder collects additional information about the image, such as the operating system (OS) version and package list.", "ImageRecipeArn": "The Amazon Resource Name (ARN) of the image recipe.", - "ImageScanningConfiguration": "", + "ImageScanningConfiguration": "Contains settings for vulnerability scans.", "ImageTestsConfiguration": "The configuration settings for your image test components, which includes a toggle that allows you to turn off tests, and a timeout setting.", "InfrastructureConfigurationArn": "The Amazon Resource Name (ARN) of the infrastructure configuration associated with this image pipeline.", "Tags": "The tags of the image." }, "AWS::ImageBuilder::Image EcrConfiguration": { - "ContainerTags": "", - "RepositoryName": "" + "ContainerTags": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", + "RepositoryName": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images." }, "AWS::ImageBuilder::Image ImageScanningConfiguration": { - "EcrConfiguration": "", - "ImageScanningEnabled": "" + "EcrConfiguration": "Contains Amazon ECR settings for vulnerability scans.", + "ImageScanningEnabled": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image." 
}, "AWS::ImageBuilder::Image ImageTestsConfiguration": { "ImageTestsEnabled": "Determines if tests should run after building the image. Image Builder defaults to enable tests to run following the image build, before image distribution.", @@ -14372,7 +16645,7 @@ "DistributionConfigurationArn": "The Amazon Resource Name (ARN) of the distribution configuration associated with this image pipeline.", "EnhancedImageMetadataEnabled": "Collects additional information about the image being created, including the operating system (OS) version and package list. This information is used to enhance the overall experience of using EC2 Image Builder. Enabled by default.", "ImageRecipeArn": "The Amazon Resource Name (ARN) of the image recipe associated with this image pipeline.", - "ImageScanningConfiguration": "", + "ImageScanningConfiguration": "Contains settings for vulnerability scans.", "ImageTestsConfiguration": "The configuration of the image tests that run after image creation to ensure the quality of the image that was created.", "InfrastructureConfigurationArn": "The Amazon Resource Name (ARN) of the infrastructure configuration associated with this image pipeline.", "Name": "The name of the image pipeline.", 
@@ -14381,12 +16654,12 @@ "Tags": "The tags of this image pipeline." }, "AWS::ImageBuilder::ImagePipeline EcrConfiguration": { - "ContainerTags": "", - "RepositoryName": "" + "ContainerTags": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", + "RepositoryName": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images." }, "AWS::ImageBuilder::ImagePipeline ImageScanningConfiguration": { - "EcrConfiguration": "", - "ImageScanningEnabled": "" + "EcrConfiguration": "Contains Amazon ECR settings for vulnerability scans.", + "ImageScanningEnabled": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image." }, "AWS::ImageBuilder::ImagePipeline ImageTestsConfiguration": { "ImageTestsEnabled": "Defines if tests should be executed when building this image. For example, `true` or `false` .", 
@@ -14464,6 +16737,59 @@ "S3BucketName": "The S3 bucket in which to store the logs.", "S3KeyPrefix": "The Amazon S3 path to the bucket where the logs are stored." }, + "AWS::ImageBuilder::LifecyclePolicy": { + "Description": "Optional description for the lifecycle policy.", + "ExecutionRole": "The name or Amazon Resource Name (ARN) of the IAM role that Image Builder uses to run the lifecycle policy. This is a custom role that you create.", + "Name": "The name of the lifecycle policy.", + "PolicyDetails": "The configuration details for a lifecycle policy resource.", + "ResourceSelection": "Resource selection criteria used to run the lifecycle policy.", + "ResourceType": "The type of resources the lifecycle policy targets.", + "Status": "Indicates whether the lifecycle policy resource is enabled.", + "Tags": "To help manage your lifecycle policy resources, you can assign your own metadata to each resource in the form of tags. Each tag consists of a key and an optional value, both of which you define." 
+ }, + "AWS::ImageBuilder::LifecyclePolicy Action": { + "IncludeResources": "", + "Type": "" + }, + "AWS::ImageBuilder::LifecyclePolicy AmiExclusionRules": { + "IsPublic": "", + "LastLaunched": "", + "Regions": "", + "SharedAccounts": "", + "TagMap": "" + }, + "AWS::ImageBuilder::LifecyclePolicy ExclusionRules": { + "Amis": "", + "TagMap": "" + }, + "AWS::ImageBuilder::LifecyclePolicy Filter": { + "RetainAtLeast": "", + "Type": "", + "Unit": "", + "Value": "" + }, + "AWS::ImageBuilder::LifecyclePolicy IncludeResources": { + "Amis": "", + "Containers": "", + "Snapshots": "" + }, + "AWS::ImageBuilder::LifecyclePolicy LastLaunched": { + "Unit": "", + "Value": "" + }, + "AWS::ImageBuilder::LifecyclePolicy PolicyDetail": { + "Action": "", + "ExclusionRules": "", + "Filter": "" + }, + "AWS::ImageBuilder::LifecyclePolicy RecipeSelection": { + "Name": "", + "SemanticVersion": "" + }, + "AWS::ImageBuilder::LifecyclePolicy ResourceSelection": { + "Recipes": "", + "TagMap": "" + }, "AWS::Inspector::AssessmentTarget": { "AssessmentTargetName": "The name of the Amazon Inspector assessment target. The name must be unique within the AWS account .", "ResourceGroupArn": "The ARN that specifies the resource group that is used to create the assessment target. If `resourceGroupArn` is not specified, all EC2 instances in the current AWS account and Region are included in the assessment target." 
@@ -14475,9 +16801,17 @@ "RulesPackageArns": "The ARNs of the rules packages that you want to use in the assessment template.", "UserAttributesForFindings": "The user-defined attributes that are assigned to every finding that is generated by the assessment run that uses this assessment template. Within an assessment template, each key must be unique." }, + "AWS::Inspector::AssessmentTemplate Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::Inspector::ResourceGroup": { "ResourceGroupTags": "The tags (key and value pairs) that will be associated with the resource group.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Inspector::ResourceGroup Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::InspectorV2::Filter": { "Description": "A description of the filter.", "FilterAction": "The action that is to be applied to the findings that match the filter.", 
@@ -14547,28 +16881,39 @@ "Value": "The value to filter on." }, "AWS::InternetMonitor::Monitor": { - "HealthEventsConfig": "", + "HealthEventsConfig": "A complex type with the configuration information that determines the threshold and other conditions for when Internet Monitor creates a health event for an overall performance or availability issue, across an application's geographies.\n\nDefines the percentages, for overall performance scores and availability scores for an application, that are the thresholds for when Amazon CloudWatch Internet Monitor creates a health event. You can override the defaults to set a custom threshold for overall performance or availability scores, or both.\n\nYou can also set thresholds for local health scores,, where Internet Monitor creates a health event when scores cross a threshold for one or more city-networks, in addition to creating an event when an overall score crosses a threshold.\n\nIf you don't set a health event threshold, the default value is 95%.\n\nFor local thresholds, you also set a minimum percentage of overall traffic that is impacted by an issue before Internet Monitor creates an event. In addition, you can disable local thresholds, for performance scores, availability scores, or both.\n\nFor more information, see [Change health event thresholds](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-overview.html#IMUpdateThresholdFromOverview) in the Internet Monitor section of the *CloudWatch User Guide* .", "InternetMeasurementsLogDelivery": "Publish internet measurements for a monitor for all city-networks (up to the 500,000 service limit) to another location, such as an Amazon S3 bucket. Measurements are also published to Amazon CloudWatch Logs for the first 500 (by traffic volume) city-networks (client locations and ASNs, typically internet service providers or ISPs).", "MaxCityNetworksToMonitor": "The maximum number of city-networks to monitor for your resources. 
A city-network is the location (city) where clients access your application resources from and the network, such as an internet service provider, that clients access the resources through.\n\nFor more information, see [Choosing a city-network maximum value](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/IMCityNetworksMaximum.html) in *Using Amazon CloudWatch Internet Monitor* .", "MonitorName": "The name of the monitor. A monitor name can contain only alphanumeric characters, dashes (-), periods (.), and underscores (_).", - "Resources": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs).", - "ResourcesToAdd": "The resources to add to a monitor, which you provide as a set of Amazon Resource Names (ARNs).\n\nYou can add a combination of Virtual Private Clouds (VPCs) and Amazon CloudFront distributions, or you can add WorkSpaces directories. You can't add all three types of resources.\n\n> If you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.", - "ResourcesToRemove": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs).", + "Resources": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs). Use this option to add or remove resources when making an update.\n\n> Be aware that if you include content in the `Resources` field when you update a monitor, the `ResourcesToAdd` and `ResourcesToRemove` fields must be empty.", + "ResourcesToAdd": "The resources to include in a monitor, which you provide as a set of Amazon Resource Names (ARNs). Resources can be Amazon Virtual Private Cloud VPCs, Network Load Balancers (NLBs), Amazon CloudFront distributions, or Amazon WorkSpaces directories.\n\nYou can add a combination of VPCs and CloudFront distributions, or you can add WorkSpaces directories, or you can add NLBs. 
You can't add NLBs or WorkSpaces directories together with any other resources.\n\nIf you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", + "ResourcesToRemove": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs)\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "Status": "The status of a monitor. The accepted values that you can specify for `Status` are `ACTIVE` and `INACTIVE` .", "Tags": "The tags for a monitor, listed as a set of *key:value* pairs.", "TrafficPercentageToMonitor": "The percentage of the internet-facing traffic for your application that you want to monitor. You can also, optionally, set a limit for the number of city-networks (client locations and ASNs, typically internet service providers) that Internet Monitor will monitor traffic for. The city-networks maximum limit caps the number of city-networks that Internet Monitor monitors for your application, regardless of the percentage of traffic that you choose to monitor." }, "AWS::InternetMonitor::Monitor HealthEventsConfig": { - "AvailabilityScoreThreshold": "", - "PerformanceScoreThreshold": "" + "AvailabilityLocalHealthEventsConfig": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local availability issue.", + "AvailabilityScoreThreshold": "The health event threshold percentage set for availability scores. 
When the overall availability score is at or below this percentage, Internet Monitor creates a health event.", + "PerformanceLocalHealthEventsConfig": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local performance issue.", + "PerformanceScoreThreshold": "The health event threshold percentage set for performance scores. When the overall performance score is at or below this percentage, Internet Monitor creates a health event." }, "AWS::InternetMonitor::Monitor InternetMeasurementsLogDelivery": { - "S3Config": "The configuration information for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise." + "S3Config": "The configuration information for publishing Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs." + }, + "AWS::InternetMonitor::Monitor LocalHealthEventsConfig": { + "HealthScoreThreshold": "The health event threshold percentage set for a local health score.", + "MinTrafficImpact": "The minimum percentage of overall traffic for an application that must be impacted by an issue before Internet Monitor creates an event when a threshold is crossed for a local health score.\n\nIf you don't set a minimum traffic impact threshold, the default value is 0.01%.", + "Status": "The status of whether Internet Monitor creates a health event based on a threshold percentage set for a local health score. The status can be `ENABLED` or `DISABLED` ." 
}, "AWS::InternetMonitor::Monitor S3Config": { - "BucketName": "The Amazon S3 bucket name for internet measurements publishing.", - "BucketPrefix": "An optional Amazon S3 bucket prefix for internet measurements publishing.", - "LogDeliveryStatus": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise." + "BucketName": "The Amazon S3 bucket name.", + "BucketPrefix": "The Amazon S3 bucket prefix.", + "LogDeliveryStatus": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket." + }, + "AWS::InternetMonitor::Monitor Tag": { + "Key": "", + "Value": "" }, "AWS::IoT1Click::Device": { "DeviceId": "The ID of the device, such as `G030PX0312744DWM` .", @@ -14585,10 +16930,6 @@ "PlacementTemplate": "An object describing the project's placement specifications.", "ProjectName": "The name of the project from which to obtain information." }, - "AWS::IoT1Click::Project DeviceTemplate": { - "CallbackOverrides": "An optional AWS Lambda function to invoke instead of the default AWS Lambda function provided by the placement template.", - "DeviceType": "The device type, which currently must be `\"button\"` ." - }, "AWS::IoT1Click::Project PlacementTemplate": { "DefaultAttributes": "The default attributes (key-value pairs) to be applied to all placements using this template.", "DeviceTemplates": "An object specifying the [DeviceTemplate](https://docs.aws.amazon.com/iot-1-click/latest/projects-apireference/API_DeviceTemplate.html) for all placements using this ( [PlacementTemplate](https://docs.aws.amazon.com/iot-1-click/latest/projects-apireference/API_PlacementTemplate.html) ) template." 
@@ -14610,8 +16951,8 @@ "DeviceCertificateExpiringCheck": "Checks if a device certificate is expiring. This check applies to device certificates expiring within 30 days or that have expired.", "DeviceCertificateKeyQualityCheck": "Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.", "DeviceCertificateSharedCheck": "Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT .", - "IntermediateCaRevokedForActiveDeviceCertificatesCheck": "", - "IoTPolicyPotentialMisConfigurationCheck": "", + "IntermediateCaRevokedForActiveDeviceCertificatesCheck": "Checks if device certificates are still active despite being revoked by an intermediate CA.", + "IoTPolicyPotentialMisConfigurationCheck": "Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.", "IotPolicyOverlyPermissiveCheck": "Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.", "IotRoleAliasAllowsAccessToUnusedServicesCheck": "Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.", "IotRoleAliasOverlyPermissiveCheck": "Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.", 
@@ -14638,6 +16979,10 @@ "TokenKeyName": "The key used to extract the token from the HTTP headers.", "TokenSigningPublicKeys": "The public keys used to validate the token signature returned by your custom authentication service." }, + "AWS::IoT::Authorizer Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::BillingGroup": { "BillingGroupName": "The name of the billing group.", "BillingGroupProperties": "The properties of the billing group.", @@ -14646,6 +16991,10 @@ "AWS::IoT::BillingGroup BillingGroupProperties": { "BillingGroupDescription": "The description of the billing group." }, + "AWS::IoT::BillingGroup Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::CACertificate": { "AutoRegistrationStatus": "Whether the CA certificate is configured for auto registration of device certificates. Valid values are \"ENABLE\" and \"DISABLE\".", "CACertificatePem": "The certificate data in PEM format.", 
@@ -14661,6 +17010,10 @@ "TemplateBody": "The template body.", "TemplateName": "The name of the provisioning template." }, + "AWS::IoT::CACertificate Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::Certificate": { "CACertificatePem": "The CA certificate used to sign the device certificate being registered, not available when CertificateMode is SNI_ONLY.", "CertificateMode": "Specifies which mode of certificate registration to use with this resource. Valid options are DEFAULT with CaCertificatePem and CertificatePem, SNI_ONLY with CertificatePem, and Default with CertificateSigningRequest.\n\n`DEFAULT` : A certificate in `DEFAULT` mode is either generated by AWS IoT Core or registered with an issuer certificate authority (CA). Devices with certificates in `DEFAULT` mode aren't required to send the Server Name Indication (SNI) extension when connecting to AWS IoT Core . However, to use features such as custom domains and VPC endpoints, we recommend that you use the SNI extension when connecting to AWS IoT Core .\n\n`SNI_ONLY` : A certificate in `SNI_ONLY` mode is registered without an issuer CA. Devices with certificates in `SNI_ONLY` mode must send the SNI extension when connecting to AWS IoT Core .", 
@@ -14674,12 +17027,20 @@ "MetricType": "The type of the custom metric. Types include `string-list` , `ip-address-list` , `number-list` , and `number` .\n\n> The type `number` only takes a single metric value as an input, but when you submit the metrics value in the DeviceMetrics report, you must pass it as an array with a single value.", "Tags": "Metadata that can be used to manage the custom metric." }, + "AWS::IoT::CustomMetric Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::Dimension": { "Name": "A unique identifier for the dimension.", "StringValues": "Specifies the value or list of values for the dimension. For `TOPIC_FILTER` dimensions, this is a pattern used to match the MQTT topic (for example, \"admin/#\").", "Tags": "Metadata that can be used to manage the dimension.", "Type": "Specifies the type of dimension. Supported types: `TOPIC_FILTER.`" }, + "AWS::IoT::Dimension Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::DomainConfiguration": { "AuthorizerConfig": "An object that specifies the authorization service for a domain.", "DomainConfigurationName": "The name of the domain configuration. This value must be unique to a region.", @@ -14700,6 +17061,10 @@ "ServerCertificateStatus": "The status of the server certificate.", "ServerCertificateStatusDetail": "Details that explain the status of the server certificate." }, + "AWS::IoT::DomainConfiguration Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::DomainConfiguration TlsConfig": { "SecurityPolicy": "The security policy for a domain configuration. For more information, see [Security policies](https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html#tls-policy-table) in the *AWS IoT Core developer guide* ." }, 
@@ -14719,9 +17084,14 @@ "Name": "The name of the aggregation type.", "Values": "A list of the values of aggregation types." }, + "AWS::IoT::FleetMetric Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::JobTemplate": { "AbortConfig": "The criteria that determine when and how a job abort takes place.", "Description": "A description of the job template.", + "DestinationPackageVersions": "The package version Amazon Resource Names (ARNs) that are installed on the device\u2019s reserved named shadow ( `$package` ) when the job successfully completes.\n\n*Note:* Up to 25 package version ARNS are allowed.", "Document": "The job document.\n\nRequired if you don't specify a value for `documentSource` .", "DocumentSource": "An S3 link, or S3 object URL, to the job document. The link is an Amazon S3 object URL and is required if you don't specify a value for `document` .\n\nFor example, `--document-source https://s3. *region-code* .amazonaws.com/example-firmware/device-firmware.1.0`\n\nFor more information, see [Methods for accessing a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-bucket-intro.html) .", "JobArn": "The ARN of the job to use as the basis for the job template.", 
@@ -14770,6 +17140,10 @@ "FailureType": "The type of job execution failures that can initiate a job retry.", "NumberOfRetries": "The number of retries allowed for a failure type for the job." }, + "AWS::IoT::JobTemplate Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::JobTemplate TimeoutConfig": { "InProgressTimeoutInMinutes": "Specifies the amount of time, in minutes, this device has to finish execution of this job. The timeout interval can be anywhere between 1 minute and 7 days (1 to 10080 minutes). The in progress timer can't be updated and will apply to all job executions for the job. Whenever a job execution remains in the IN_PROGRESS status for longer than this interval, the job execution will fail and switch to the terminal `TIMED_OUT` status." }, @@ -14806,6 +17180,10 @@ "AWS::IoT::MitigationAction ReplaceDefaultPolicyVersionParams": { "TemplateName": "The name of the template to be applied. The only supported value is `BLANK_POLICY` ." }, + "AWS::IoT::MitigationAction Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::MitigationAction UpdateCACertificateParams": { "Action": "The action that you want to apply to the CA certificate. The only supported value is `DEACTIVATE` ." }, @@ -14814,7 +17192,12 @@ }, "AWS::IoT::Policy": { "PolicyDocument": "The JSON document that describes the policy.", - "PolicyName": "The policy name." + "PolicyName": "The policy name.", + "Tags": "" + }, + "AWS::IoT::Policy Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." }, "AWS::IoT::PolicyPrincipalAttachment": { "PolicyName": "The name of the AWS IoT policy.", 
@@ -14834,6 +17217,10 @@ "PayloadVersion": "The payload that was sent to the target function. The valid payload is `\"2020-04-01\"` .", "TargetArn": "The ARN of the target function." }, + "AWS::IoT::ProvisioningTemplate Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::ResourceSpecificLogging": { "LogLevel": "The default log level.Valid Values: `DEBUG | INFO | ERROR | WARN | DISABLED`", "TargetName": "The target name.", @@ -14845,6 +17232,10 @@ "RoleArn": "The role ARN.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::IoT::RoleAlias Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::ScheduledAudit": { "DayOfMonth": "The day of the month on which the scheduled audit is run (if the `frequency` is \"MONTHLY\"). If days 29-31 are specified, and the month does not have that many days, the audit takes place on the \"LAST\" day of the month.", "DayOfWeek": "The day of the week on which the scheduled audit is run (if the `frequency` is \"WEEKLY\" or \"BIWEEKLY\").", 
@@ -14853,10 +17244,15 @@ "Tags": "Metadata that can be used to manage the scheduled audit.", "TargetCheckNames": "Which checks are performed during the scheduled audit. Checks must be enabled for your account. (Use `DescribeAccountAuditConfiguration` to see the list of all checks, including those that are enabled or use `UpdateAccountAuditConfiguration` to select which checks are enabled.)\n\nThe following checks are currently aviable:\n\n- `AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK`\n- `CA_CERTIFICATE_EXPIRING_CHECK`\n- `CA_CERTIFICATE_KEY_QUALITY_CHECK`\n- `CONFLICTING_CLIENT_IDS_CHECK`\n- `DEVICE_CERTIFICATE_EXPIRING_CHECK`\n- `DEVICE_CERTIFICATE_KEY_QUALITY_CHECK`\n- `DEVICE_CERTIFICATE_SHARED_CHECK`\n- `IOT_POLICY_OVERLY_PERMISSIVE_CHECK`\n- `IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK`\n- `IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK`\n- `LOGGING_DISABLED_CHECK`\n- `REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK`\n- `REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK`\n- `UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK`" }, + "AWS::IoT::ScheduledAudit Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::SecurityProfile": { "AdditionalMetricsToRetainV2": "A list of metrics whose data is retained (stored). By default, data is retained for any metric used in the profile's `behaviors` , but it's also retained for any metric specified here. Can be used with custom metrics; can't be used with dimensions.", "AlertTargets": "Specifies the destinations to which alerts are sent. (Alerts are always sent to the console.) 
Alerts are generated when a device (thing) violates a behavior.", "Behaviors": "Specifies the behaviors that, when violated by a device (thing), cause an alert.", + "MetricsExportConfig": "Specifies the MQTT topic and role ARN required for metric export.", "SecurityProfileDescription": "A description of the security profile.", "SecurityProfileName": "The name you gave to the security profile.", "Tags": "Metadata that can be used to manage the security profile.", @@ -14867,7 +17263,8 @@ "RoleArn": "The ARN of the role that grants permission to send alerts to the notification target." }, "AWS::IoT::SecurityProfile Behavior": { - "Criteria": "The criteria that determine if a device is behaving normally in regard to the `metric` .", + "Criteria": "The criteria that determine if a device is behaving normally in regard to the `metric` .\n\n> In the AWS IoT console, you can choose to be sent an alert through Amazon SNS when AWS IoT Device Defender detects that a device is behaving anomalously.", + "ExportMetric": "Value indicates exporting metrics related to the behavior when it is true.", "Metric": "What is measured by the behavior.", "MetricDimension": "The dimension of the metric.", "Name": "The name you've given to the behavior.", @@ -14890,6 +17287,7 @@ "Operator": "Operators are constructs that perform logical operations. Valid values are `IN` and `NOT_IN` ." }, "AWS::IoT::SecurityProfile MetricToRetain": { + "ExportMetric": "The value indicates exporting metrics related to the `MetricToRetain` when it's true.", "Metric": "A standard of measurement.", "MetricDimension": "The dimension of the metric." }, 
@@ -14901,9 +17299,37 @@ "Ports": "If the `comparisonOperator` calls for a set of ports, use this to specify that set to be compared with the `metric` .", "Strings": "The string values of a metric." }, + "AWS::IoT::SecurityProfile MetricsExportConfig": { + "MqttTopic": "The MQTT topic that Device Defender Detect should publish messages to for metrics export.", + "RoleArn": "This role ARN has permission to publish MQTT messages, after which Device Defender Detect can assume the role and publish messages on your behalf." + }, "AWS::IoT::SecurityProfile StatisticalThreshold": { "Statistic": "The percentile that resolves to a threshold value by which compliance with a behavior is determined. Metrics are collected over the specified period ( `durationSeconds` ) from all reporting devices in your account and statistical ranks are calculated. Then, the measurements from a device are collected over the same period. If the accumulated measurements from the device fall above or below ( `comparisonOperator` ) the value associated with the percentile specified, then the device is considered to be in compliance with the behavior, otherwise a violation occurs." }, + "AWS::IoT::SecurityProfile Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, + "AWS::IoT::SoftwarePackage": { + "Description": "A summary of the package being created. This can be used to outline the package's contents or purpose.", + "PackageName": "The name of the new software package.", + "Tags": "Metadata that can be used to manage the package." + }, + "AWS::IoT::SoftwarePackage Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, + "AWS::IoT::SoftwarePackageVersion": { + "Attributes": "Metadata that can be used to define a package version\u2019s configuration. 
For example, the S3 file location, configuration options that are being sent to the device or fleet.\n\nThe combined size of all the attributes on a package version is limited to 3KB.", + "Description": "A summary of the package version being created. This can be used to outline the package's contents or purpose.", + "PackageName": "The name of the associated software package.", + "Tags": "Metadata that can be used to manage the package version.", + "VersionName": "The name of the new package version." + }, + "AWS::IoT::SoftwarePackageVersion Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::Thing": { "AttributePayload": "A string that contains up to three key value pairs. Maximum length of 800. Duplicates not allowed.", "ThingName": "The name of the thing to update.\n\nYou can't change a thing's name. To change a thing's name, you must create a new thing, give it the new name, and then delete the old thing." @@ -14921,6 +17347,10 @@ "AWS::IoT::ThingGroup AttributePayload": { "Attributes": "A JSON string containing up to three key-value pair in JSON format. For example:\n\n`{\\\"attributes\\\":{\\\"string1\\\":\\\"string2\\\"}}`" }, + "AWS::IoT::ThingGroup Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::ThingGroup ThingGroupProperties": { "AttributePayload": "The thing group attributes in JSON format.", "ThingGroupDescription": "The thing group description." 
@@ -14935,6 +17365,10 @@ "ThingTypeName": "The name of the thing type.", "ThingTypeProperties": "The thing type properties for the thing type to create. It contains information about the new thing type including a description, and a list of searchable thing attribute names. `ThingTypeProperties` can't be updated after the initial creation of the `ThingType` ." }, + "AWS::IoT::ThingType Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::ThingType ThingTypeProperties": { "SearchableAttributes": "A list of searchable thing attribute names.", "ThingTypeDescription": "The description of the thing type." @@ -15061,10 +17495,15 @@ "AWS::IoT::TopicRule KafkaAction": { "ClientProperties": "Properties of the Apache Kafka producer client.", "DestinationArn": "The ARN of Kafka action's VPC `TopicRuleDestination` .", + "Headers": "The list of Kafka headers that you specify.", "Key": "The Kafka message key.", "Partition": "The Kafka message partition.", "Topic": "The Kafka topic for messages to be sent to the Kafka broker." }, + "AWS::IoT::TopicRule KafkaActionHeader": { + "Key": "The key of the Kafka header.", + "Value": "The value of the Kafka header." + }, "AWS::IoT::TopicRule KinesisAction": { "PartitionKey": "The partition key.", "RoleArn": "The ARN of the IAM role that grants access to the Amazon Kinesis stream.", @@ -15138,6 +17577,10 @@ "RoleArn": "The ARN of the role that grants IoT permission to start execution of a state machine (\"Action\":\"states:StartExecution\").", "StateMachineName": "The name of the Step Functions state machine whose execution will be started." }, + "AWS::IoT::TopicRule Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::TopicRule Timestamp": { "Unit": "The precision of the timestamp value that results from the expression described in `value` .", "Value": "An expression that returns a long epoch time value." 
@@ -15202,6 +17645,10 @@ "NumberOfDays": "The number of days that message data is kept. The `unlimited` parameter must be false.", "Unlimited": "If true, message data is kept indefinitely." }, + "AWS::IoTAnalytics::Channel Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTAnalytics::Dataset": { "Actions": "The `DatasetAction` objects that automatically create the dataset contents.", "ContentDeliveryRules": "When dataset contents are created they are delivered to destinations specified here.", @@ -15283,6 +17730,10 @@ "AWS::IoTAnalytics::Dataset Schedule": { "ScheduleExpression": "The expression that defines when to trigger an update. For more information, see [Schedule Expressions for Rules](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html) in the Amazon CloudWatch documentation." }, + "AWS::IoTAnalytics::Dataset Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTAnalytics::Dataset Trigger": { "Schedule": "The \"Schedule\" when the trigger is initiated.", "TriggeringDataset": "Information about the data set whose content generation triggers the new data set content generation." @@ -15354,6 +17805,10 @@ "AWS::IoTAnalytics::Datastore SchemaDefinition": { "Columns": "Specifies one or more columns that store your data.\n\nEach schema can have up to 100 columns. Each column can have up to 100 nested types." }, + "AWS::IoTAnalytics::Datastore Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTAnalytics::Datastore TimestampPartition": { "AttributeName": "The attribute name of the partition defined by a timestamp.", "TimestampFormat": "The timestamp format of a partition defined by a timestamp. The default format is seconds since epoch (January 1, 1970 at midnight UTC time)." 
@@ -15430,20 +17885,28 @@ "Name": "The name of the 'selectAttributes' activity.", "Next": "The next activity in the pipeline." }, + "AWS::IoTAnalytics::Pipeline Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTCoreDeviceAdvisor::SuiteDefinition": { "SuiteDefinitionConfiguration": "The configuration of the Suite Definition. Listed below are the required elements of the `SuiteDefinitionConfiguration` .\n\n- ***devicePermissionRoleArn*** - The device permission arn.\n\nThis is a required element.\n\n*Type:* String\n- ***devices*** - The list of configured devices under test. For more information on devices under test, see [DeviceUnderTest](https://docs.aws.amazon.com/iot/latest/apireference/API_iotdeviceadvisor_DeviceUnderTest.html)\n\nNot a required element.\n\n*Type:* List of devices under test\n- ***intendedForQualification*** - The tests intended for qualification in a suite.\n\nNot a required element.\n\n*Type:* Boolean\n- ***rootGroup*** - The test suite root group. For more information on creating and using root groups see the [Device Advisor workflow](https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor-workflow.html) .\n\nThis is a required element.\n\n*Type:* String\n- ***suiteDefinitionName*** - The Suite Definition Configuration name.\n\nThis is a required element.\n\n*Type:* String", "Tags": "Metadata that can be used to manage the the Suite Definition." }, "AWS::IoTCoreDeviceAdvisor::SuiteDefinition DeviceUnderTest": { - "CertificateArn": "", - "ThingArn": "" + "CertificateArn": "Lists device's certificate ARN.", + "ThingArn": "Lists device's thing ARN." }, "AWS::IoTCoreDeviceAdvisor::SuiteDefinition SuiteDefinitionConfiguration": { - "DevicePermissionRoleArn": "", - "Devices": "", - "IntendedForQualification": "", - "RootGroup": "", - "SuiteDefinitionName": "" + "DevicePermissionRoleArn": "Gets the device permission ARN. 
This is a required parameter.", + "Devices": "Gets the devices configured.", + "IntendedForQualification": "Gets the tests intended for qualification in a suite.", + "RootGroup": "Gets the test suite root group. This is a required parameter. For updating or creating the latest qualification suite, if `intendedForQualification` is set to true, `rootGroup` can be an empty string. If `intendedForQualification` is false, `rootGroup` cannot be an empty string. If `rootGroup` is empty, and `intendedForQualification` is set to true, all the qualification tests are included, and the configuration is default.\n\nFor a qualification suite, the minimum length is 0, and the maximum is 2048. For a non-qualification suite, the minimum length is 1, and the maximum is 2048.", + "SuiteDefinitionName": "Gets the suite definition name. This is a required parameter." + }, + "AWS::IoTCoreDeviceAdvisor::SuiteDefinition Tag": { + "Key": "", + "Value": "" }, "AWS::IoTEvents::AlarmModel": { "AlarmCapabilities": "Contains the configuration information of alarm state changes.", @@ -15556,6 +18019,10 @@ "QueueUrl": "The URL of the SQS queue where the data is written.", "UseBase64": "Set this to TRUE if you want the data to be base-64 encoded before it is written to the queue. Otherwise, set this to FALSE." }, + "AWS::IoTEvents::AlarmModel Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTEvents::DetectorModel": { "DetectorModelDefinition": "Information that defines how a detector operates.", "DetectorModelDescription": "A brief description of the detector model.", 
@@ -15688,6 +18155,10 @@ "OnInput": "When an input is received and the `condition` is TRUE, perform the specified `actions` .", "StateName": "The name of the state." }, + "AWS::IoTEvents::DetectorModel Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTEvents::DetectorModel TransitionEvent": { "Actions": "The actions to be performed.", "Condition": "Required. A Boolean expression that when TRUE causes the actions to be performed and the `nextState` to be entered.", 
@@ -15706,12 +18177,20 @@ "AWS::IoTEvents::Input InputDefinition": { "Attributes": "The attributes from the JSON payload that are made available by the input. Inputs are derived from messages sent to the AWS IoT Events system using `BatchPutMessage` . Each such message contains a JSON payload, and those attributes (and their paired values) specified here are available for use in the `condition` expressions used by detectors that monitor this input." }, + "AWS::IoTEvents::Input Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetHub::Application": { "ApplicationDescription": "An optional description of the web application.", "ApplicationName": "The name of the web application.", "RoleArn": "The ARN of the role that the web application assumes when it interacts with AWS IoT Core .\n\n> The name of the role must be in the form `FleetHub_random_string` . \n\nPattern: `^arn:[!-~]+$`", "Tags": "A set of key/value pairs that you can use to manage the web application resource." }, + "AWS::IoTFleetHub::Application Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTFleetWise::Campaign": { "Action": "Specifies how to update a campaign. The action can be one of the following:\n\n- `APPROVE` - To approve delivering a data collection scheme to vehicles.\n- `SUSPEND` - To suspend collecting signal data. The campaign is deleted from vehicles and all vehicles in the suspended campaign will stop sending data.\n- `RESUME` - To reactivate the `SUSPEND` campaign. The campaign is redeployed to all vehicles and the vehicles will resume sending data.\n- `UPDATE` - To update a campaign.", "CollectionScheme": "The data collection scheme associated with the campaign. You can specify a scheme that collects data based on time or an event.", 
@@ -15756,6 +18235,10 @@ "MinimumSamplingIntervalMs": "(Optional) The minimum duration of time (in milliseconds) between two triggering events to collect data.\n\n> If a signal changes often, you might want to collect data at a slower rate.", "Name": "The name of the signal." }, + "AWS::IoTFleetWise::Campaign Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetWise::Campaign TimeBasedCollectionScheme": { "PeriodMs": "The time period (in milliseconds) to decide how often to collect data. For example, if the time period is `60000` , the Edge Agent software collects data once every minute." }, @@ -15777,6 +18260,11 @@ "ProtocolName": "(Optional) The name of the communication protocol for the interface.", "ProtocolVersion": "(Optional) The version of the communication protocol for the interface." }, + "AWS::IoTFleetWise::DecoderManifest CanNetworkInterface": { + "CanInterface": "Information about a network interface specified by the Controller Area Network (CAN) protocol.", + "InterfaceId": "The ID of the network interface.", + "Type": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs." + }, "AWS::IoTFleetWise::DecoderManifest CanSignal": { "Factor": "A multiplier used to decode the CAN message.", "IsBigEndian": "Whether the byte ordering of a CAN message is big-endian.", 
@@ -15787,12 +18275,16 @@ "Offset": "The offset used to calculate the signal value. Combined with factor, the calculation is `value = raw_value * factor + offset` .", "StartBit": "Indicates the beginning of the CAN message." }, - "AWS::IoTFleetWise::DecoderManifest NetworkInterfacesItems": { - "CanInterface": "(Optional) Information about a network interface specified by the Controller Area Network (CAN) protocol.", - "InterfaceId": "The ID of the network interface.", - "ObdInterface": "(Optional) Information about a network interface specified by the On-board diagnostic (OBD) II protocol.", + "AWS::IoTFleetWise::DecoderManifest CanSignalDecoder": { + "CanSignal": "Information about a single controller area network (CAN) signal and the messages it receives and transmits.", + "FullyQualifiedName": "The fully qualified name of a signal decoder as defined in a vehicle model.", + "InterfaceId": "The ID of a network interface that specifies what network protocol a vehicle follows.", "Type": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs." }, + "AWS::IoTFleetWise::DecoderManifest NetworkInterfacesItems": { + "CanNetworkInterface": "", + "ObdNetworkInterface": "" + }, "AWS::IoTFleetWise::DecoderManifest ObdInterface": { "DtcRequestIntervalSeconds": "(Optional) The maximum number message requests per diagnostic trouble code per second.", "HasTransmissionEcu": "(Optional) Whether the vehicle has a transmission control module (TCM).", 
@@ -15802,6 +18294,11 @@ "RequestMessageId": "The ID of the message requesting vehicle data.", "UseExtendedIds": "(Optional) Whether to use extended IDs in the message." }, + "AWS::IoTFleetWise::DecoderManifest ObdNetworkInterface": { + "InterfaceId": "The ID of the network interface.", + "ObdInterface": "(Optional) Information about a network interface specified by the On-board diagnostic (OBD) II protocol.", + "Type": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs." + }, "AWS::IoTFleetWise::DecoderManifest ObdSignal": { "BitMaskLength": "(Optional) The number of bits to mask in a message.", "BitRightShift": "(Optional) The number of positions to shift bits in the message.", 
@@ -15813,12 +18310,19 @@ "ServiceMode": "The mode of operation (diagnostic service) in a message.", "StartByte": "Indicates the beginning of the message." }, + "AWS::IoTFleetWise::DecoderManifest ObdSignalDecoder": { + "FullyQualifiedName": "", + "InterfaceId": "", + "ObdSignal": "Information about signal messages using the on-board diagnostics (OBD) II protocol in a vehicle.", + "Type": "" + }, "AWS::IoTFleetWise::DecoderManifest SignalDecodersItems": { - "CanSignal": "(Optional) Information about a single controller area network (CAN) signal and the messages it receives and transmits.", - "FullyQualifiedName": "The fully qualified name of a signal decoder as defined in a vehicle model.", - "InterfaceId": "The ID of a network interface that specifies what network protocol a vehicle follows.", - "ObdSignal": "(Optional) Information about signal messages using the on-board diagnostics (OBD) II protocol in a vehicle.", - "Type": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs." + "CanSignalDecoder": "", + "ObdSignalDecoder": "" + }, + "AWS::IoTFleetWise::DecoderManifest Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." }, "AWS::IoTFleetWise::Fleet": { "Description": "(Optional) A brief description of the fleet.", @@ -15826,6 +18330,10 @@ "SignalCatalogArn": "The ARN of the signal catalog associated with the fleet.", "Tags": "(Optional) Metadata that can be used to manage the fleet." }, + "AWS::IoTFleetWise::Fleet Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetWise::ModelManifest": { "Description": "(Optional) A brief description of the vehicle model.", "Name": "The name of the vehicle model.", 
@@ -15834,6 +18342,10 @@ "Status": "(Optional) The state of the vehicle model. If the status is `ACTIVE` , the vehicle model can't be edited. If the status is `DRAFT` , you can edit the vehicle model.", "Tags": "(Optional) Metadata that can be used to manage the vehicle model." }, + "AWS::IoTFleetWise::ModelManifest Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetWise::SignalCatalog": { "Description": "(Optional) A brief description of the signal catalog.", "Name": "(Optional) The name of the signal catalog.", @@ -15888,6 +18400,10 @@ "Min": "(Optional) The specified possible minimum value of the sensor.", "Unit": "(Optional) The scientific unit of measurement for data collected by the sensor." }, + "AWS::IoTFleetWise::SignalCatalog Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetWise::Vehicle": { "AssociationBehavior": "(Optional) An option to create a new AWS IoT thing when creating a vehicle, or to validate an existing thing as a vehicle.", "Attributes": "(Optional) Static information about a vehicle in a key-value pair. For example: `\"engine Type\"` : `\"v6\"`", @@ -15896,6 +18412,10 @@ "Name": "The unique ID of the vehicle.", "Tags": "(Optional) Metadata which can be used to manage the vehicle." }, + "AWS::IoTFleetWise::Vehicle Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTSiteWise::AccessPolicy": { "AccessPolicyIdentity": "The identity for this access policy. Choose an IAM Identity Center user, an IAM Identity Center group, or an IAM user.", "AccessPolicyPermission": "The permission level for this access policy. Choose either a `ADMINISTRATOR` or `VIEWER` . Note that a project `ADMINISTRATOR` is also known as a project owner.", 
@@ -15928,7 +18448,7 @@ "AWS::IoTSiteWise::Asset": { "AssetDescription": "A description for the asset.", "AssetHierarchies": "A list of asset hierarchies that each contain a `hierarchyLogicalId` . A hierarchy specifies allowed parent/child asset relationships.", - "AssetModelId": "The ID of the asset model from which to create the asset.", + "AssetModelId": "The ID of the asset model from which to create the asset. This can be either the actual ID in UUID format, or else `externalId:` followed by the external ID, if it has one. For more information, see [Referencing objects with external IDs](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/object-ids.html#external-id-references) in the *AWS IoT SiteWise User Guide* .", "AssetName": "A unique, friendly name for the asset.\n\nThe maximum length is 256 characters with the pattern `[^\\u0000-\\u001F\\u007F]+` .", "AssetProperties": "The list of asset properties for the asset.\n\nThis object doesn't include properties that you define in composite models. You can find composite model properties in the `assetCompositeModels` object.", "Tags": "A list of key-value pairs that contain metadata for the asset. For more information, see [Tagging your AWS IoT SiteWise resources](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/tag-resources.html) in the *AWS IoT SiteWise User Guide* ." 
@@ -15943,6 +18463,10 @@ "NotificationState": "The MQTT notification state ( `ENABLED` or `DISABLED` ) for this asset property. When the notification state is `ENABLED` , AWS IoT SiteWise publishes property value updates to a unique MQTT topic. For more information, see [Interacting with other services](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/interact-with-other-services.html) in the *AWS IoT SiteWise User Guide* .\n\nIf you omit this parameter, the notification state is set to `DISABLED` .\n\n> You must use all caps for the NotificationState parameter. If you use lower case letters, you will receive a schema validation error.", "Unit": "The unit (such as `Newtons` or `RPM` ) of the asset property." }, + "AWS::IoTSiteWise::Asset Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::AssetModel": { "AssetModelCompositeModels": "The composite asset models that are part of this asset model. Composite asset models are asset models that contain specific properties. Each composite model has a type that defines the properties that the composite model supports. You can use composite asset models to define alarms on this asset model.", "AssetModelDescription": "A description for the asset model.", 
@@ -15991,6 +18515,10 @@ "Transform": "Specifies an asset transform property. A transform contains a mathematical expression that maps a property's data points from one form to another, such as a unit conversion from Celsius to Fahrenheit.\n\nThis is required if the `TypeName` is `Transform` .", "TypeName": "The type of property type, which can be one of `Attribute` , `Measurement` , `Metric` , or `Transform` ." }, + "AWS::IoTSiteWise::AssetModel Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::AssetModel Transform": { "Expression": "The mathematical expression that defines the transformation function. You can specify up to 10 variables per expression. You can specify up to 10 functions per expression.\n\nFor more information, see [Quotas](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/quotas.html) in the *AWS IoT SiteWise User Guide* .", "Variables": "The list of variables used in the expression." @@ -16010,6 +18538,10 @@ "ProjectId": "The ID of the project in which to create the dashboard.", "Tags": "A list of key-value pairs that contain metadata for the dashboard. For more information, see [Tagging your AWS IoT SiteWise resources](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/tag-resources.html) in the *AWS IoT SiteWise User Guide* ." }, + "AWS::IoTSiteWise::Dashboard Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::Gateway": { "GatewayCapabilitySummaries": "A list of gateway capability summaries that each contain a namespace and status. Each gateway capability defines data sources for the gateway. To retrieve a capability configuration's definition, use [DescribeGatewayCapabilityConfiguration](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribeGatewayCapabilityConfiguration.html) .", "GatewayName": "A unique, friendly name for the gateway.\n\nThe maximum length is 256 characters with the pattern `[^\\u0000-\\u001F\\u007F]+` .", 
@@ -16030,10 +18562,14 @@ "AWS::IoTSiteWise::Gateway GreengrassV2": { "CoreDeviceThingName": "The name of the AWS IoT thing for your AWS IoT Greengrass V2 core device." }, + "AWS::IoTSiteWise::Gateway Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::Portal": { "Alarms": "Contains the configuration information of an alarm created in an AWS IoT SiteWise Monitor portal. You can use the alarm to monitor an asset property and get notified when the asset property value is outside a specified range. For more information, see [Monitoring with alarms](https://docs.aws.amazon.com/iot-sitewise/latest/appguide/monitor-alarms.html) in the *AWS IoT SiteWise Application Guide* .", "NotificationSenderEmail": "The email address that sends alarm notifications.\n\n> If you use the [AWS IoT Events managed Lambda function](https://docs.aws.amazon.com/iotevents/latest/developerguide/lambda-support.html) to manage your emails, you must [verify the sender email address in Amazon SES](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html) .", - "PortalAuthMode": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center (successor to AWS Single Sign-On) to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", + "PortalAuthMode": "The service to use to authenticate users to the portal. 
Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", "PortalContactEmail": "The AWS administrator's contact email address.", "PortalDescription": "A description for the portal.", "PortalName": "A friendly name for the portal.", @@ -16044,6 +18580,10 @@ "AlarmRoleArn": "The [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of the IAM role that allows the alarm to perform actions and access AWS resources and services, such as AWS IoT Events .", "NotificationLambdaArn": "The [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of the Lambda function that manages alarm notifications. For more information, see [Managing alarm notifications](https://docs.aws.amazon.com/iotevents/latest/developerguide/lambda-support.html) in the *AWS IoT Events Developer Guide* ." }, + "AWS::IoTSiteWise::Portal Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::Project": { "AssetIds": "A list that contains the IDs of each asset associated with the project.", "PortalId": "The ID of the portal in which to create the project.", 
@@ -16051,8 +18591,13 @@ "ProjectName": "A friendly name for the project.", "Tags": "A list of key-value pairs that contain metadata for the project. For more information, see [Tagging your AWS IoT SiteWise resources](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/tag-resources.html) in the *AWS IoT SiteWise User Guide* ." }, + "AWS::IoTSiteWise::Project Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTTwinMaker::ComponentType": { "ComponentTypeId": "The ID of the component type.", + "CompositeComponentTypes": "Maps strings to `compositeComponentTypes` of the `componentType` . `CompositeComponentType` is referenced by `componentTypeId` .", "Description": "The description of the component type.", "ExtendsFrom": "The name of the parent component type that this component type extends.", "Functions": "An object that maps strings to the functions in the component type. Each string in the mapping must be unique to this object.\n\nFor information on the FunctionResponse object see the [FunctionResponse](https://docs.aws.amazon.com//iot-twinmaker/latest/apireference/API_FunctionResponse.html) API reference.", 
@@ -16060,7 +18605,10 @@ "PropertyDefinitions": "An object that maps strings to the property definitions in the component type. Each string in the mapping must be unique to this object.\n\nFor information about the PropertyDefinitionResponse object, see the [PropertyDefinitionResponse](https://docs.aws.amazon.com//iot-twinmaker/latest/apireference/API_PropertyDefinitionResponse.html) API reference.", "PropertyGroups": "An object that maps strings to the property groups in the component type. Each string in the mapping must be unique to this object.", "Tags": "The ComponentType tags.", - "WorkspaceId": "The ID of the workspace." + "WorkspaceId": "The ID of the workspace that contains the component type." + }, + "AWS::IoTTwinMaker::ComponentType CompositeComponentType": { + "ComponentTypeId": "The ID of the component type." }, "AWS::IoTTwinMaker::ComponentType DataConnector": { "IsNative": "A boolean value that specifies whether the data connector is native to IoT TwinMaker.", @@ -16100,7 +18648,7 @@ "Configurations": "A mapping that specifies configuration information about the property.", "DataType": "", "DefaultValue": "A boolean value that specifies whether the property ID comes from an external data store.", - "IsExternalId": "A boolean value that specifies whether the property ID comes from an external data store.", + "IsExternalId": "A Boolean value that specifies whether the property ID comes from an external data source.", "IsRequiredInEntity": "A boolean value that specifies whether the property is required in an entity.", "IsStoredExternally": "A boolean value that specifies whether the property is stored externally.", "IsTimeSeries": "A boolean value that specifies whether the property consists of time series data." 
@@ -16123,22 +18671,32 @@ }, "AWS::IoTTwinMaker::Entity": { "Components": "An object that maps strings to the components in the entity. Each string in the mapping must be unique to this object.\n\nFor information on the component object see the [component](https://docs.aws.amazon.com//iot-twinmaker/latest/apireference/API_ComponentResponse.html) API reference.", + "CompositeComponents": "Maps string to `compositeComponent` updates in the request. Each key of the map represents the `componentPath` of the `compositeComponent` .", "Description": "The description of the entity.", - "EntityId": "The entity ID.", + "EntityId": "The ID of the entity.", "EntityName": "The entity name.", "ParentEntityId": "The ID of the parent entity.", "Tags": "Metadata that you can use to manage the entity.", - "WorkspaceId": "The ID of the workspace." + "WorkspaceId": "The ID of the workspace that contains the entity." }, "AWS::IoTTwinMaker::Entity Component": { "ComponentName": "The name of the component.", - "ComponentTypeId": "The ID of the ComponentType.", + "ComponentTypeId": "The ID of the component type.", "DefinedIn": "The name of the property definition set in the request.", "Description": "The description of the component.", "Properties": "An object that maps strings to the properties to set in the component type. Each string in the mapping must be unique to this object.", "PropertyGroups": "An object that maps strings to the property groups in the component type. Each string in the mapping must be unique to this object.", "Status": "The status of the component." }, + "AWS::IoTTwinMaker::Entity CompositeComponent": { + "ComponentName": "The name of the component.", + "ComponentPath": "The path to the composite component, starting from the top-level component.", + "ComponentTypeId": "The ID of the composite component type.", + "Description": "The description of the component type.", + "Properties": "Map of strings to the properties in the component type. 
Each string in the mapping must be unique to this component.", + "PropertyGroups": "The property groups.", + "Status": "The current status of the composite component." + }, "AWS::IoTTwinMaker::Entity DataType": { "AllowedValues": "The allowed values.", "NestedType": "The nested type.", @@ -16197,10 +18755,10 @@ "Capabilities": "A list of capabilities that the scene uses to render.", "ContentLocation": "The relative path that specifies the location of the content definition file.", "Description": "The description of this scene.", - "SceneId": "The scene ID.", + "SceneId": "The ID of the scene.", "SceneMetadata": "The scene metadata.", "Tags": "The ComponentType tags.", - "WorkspaceId": "The ID of the workspace." + "WorkspaceId": "" }, "AWS::IoTTwinMaker::SyncJob": { "SyncRole": "The SyncJob IAM role. This IAM role is used by the sync job to read from the syncSource, and create, update or delete the corresponding resources.", @@ -16223,6 +18781,10 @@ "RoleArn": "The ARN of the IAM Role that authorizes the destination.", "Tags": "The tags are an array of key-value pairs to attach to the specified resource. Tags can have a minimum of 0 and a maximum of 50 items." }, + "AWS::IoTWireless::Destination Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::DeviceProfile": { "LoRaWAN": "LoRaWAN device profile object.", "Name": "The name of the new resource.", @@ -16249,6 +18811,10 @@ "SupportsClassC": "The SupportsClassC value.", "SupportsJoin": "The SupportsJoin value." }, + "AWS::IoTWireless::DeviceProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::FuotaTask": { "AssociateMulticastGroup": "The ID of the multicast group to associate with a FUOTA task.", "AssociateWirelessDevice": "The ID of the wireless device to associate with a multicast group.", 
@@ -16265,6 +18831,10 @@ "RfRegion": "The frequency band (RFRegion) value.", "StartTime": "Start time of a FUOTA task." }, + "AWS::IoTWireless::FuotaTask Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::MulticastGroup": { "AssociateWirelessDevice": "The ID of the wireless device to associate with a multicast group.", "Description": "The description of the multicast group.", @@ -16279,6 +18849,10 @@ "NumberOfDevicesRequested": "Number of devices that are requested to be associated with the multicast group.", "RfRegion": "The frequency band (RFRegion) value." }, + "AWS::IoTWireless::MulticastGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::NetworkAnalyzerConfiguration": { "Description": "The description of the resource.", "Name": "Name of the network analyzer configuration.", 
@@ -16287,13 +18861,21 @@ "WirelessDevices": "Wireless device resources to add to the network analyzer configuration. Provide the `WirelessDeviceId` of the resource to add in the input array.", "WirelessGateways": "Wireless gateway resources to add to the network analyzer configuration. Provide the `WirelessGatewayId` of the resource to add in the input array." }, + "AWS::IoTWireless::NetworkAnalyzerConfiguration Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::NetworkAnalyzerConfiguration TraceContent": { "LogLevel": "The log level for a log message. The log levels can be disabled, or set to `ERROR` to display less verbose logs containing only error information, or to `INFO` for more detailed logs", "WirelessDeviceFrameInfo": "`FrameInfo` of your wireless device resources for the trace content. Use FrameInfo to debug the communication between your LoRaWAN end devices and the network server." }, "AWS::IoTWireless::PartnerAccount": { + "AccountLinked": "Whether the partner account is linked to the AWS account.", "PartnerAccountId": "The ID of the partner account to update.", + "PartnerType": "The partner type.", "Sidewalk": "The Sidewalk account credentials.", + "SidewalkResponse": "", + "SidewalkUpdate": "Sidewalk update.", "Tags": "The tags are an array of key-value pairs to attach to the specified resource. Tags can have a minimum of 0 and a maximum of 50 items." }, "AWS::IoTWireless::PartnerAccount SidewalkAccountInfo": { @@ -16307,6 +18889,10 @@ "AWS::IoTWireless::PartnerAccount SidewalkUpdateAccount": { "AppServerPrivateKey": "The new Sidewalk application server private key." }, + "AWS::IoTWireless::PartnerAccount Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::ServiceProfile": { "LoRaWAN": "LoRaWAN service profile object.", "Name": "The name of the new resource.", 
@@ -16333,10 +18919,16 @@ "UlRate": "The ULRate value.\n\nThis property is `ReadOnly` and can't be inputted for create. It's returned with `Fn::GetAtt`", "UlRatePolicy": "The ULRatePolicy value.\n\nThis property is `ReadOnly` and can't be inputted for create. It's returned with `Fn::GetAtt`" }, + "AWS::IoTWireless::ServiceProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::TaskDefinition": { "AutoCreateTasks": "Whether to automatically create tasks using this task definition for all gateways with the specified current version. If `false` , the task must be created by calling `CreateWirelessGatewayTask` .", + "LoRaWANUpdateGatewayTaskEntry": "LoRaWANUpdateGatewayTaskEntry object.", "Name": "The name of the new resource.", "Tags": "The tags are an array of key-value pairs to attach to the specified resource. Tags can have a minimum of 0 and a maximum of 50 items.", + "TaskDefinitionType": "A filter to list only the wireless gateway task definitions that use this task definition type.", "Update": "Information about the gateways to update." }, "AWS::IoTWireless::TaskDefinition LoRaWANGatewayVersion": { @@ -16354,6 +18946,10 @@ "CurrentVersion": "The version of the gateways that should receive the update.", "UpdateVersion": "The firmware version to update the gateway to." }, + "AWS::IoTWireless::TaskDefinition Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::TaskDefinition UpdateWirelessGatewayTaskCreate": { "LoRaWAN": "The properties that relate to the LoRaWAN wireless gateway.", "UpdateDataRole": "The IAM role used to read data from the S3 bucket.", 
@@ -16370,15 +18966,15 @@ "Type": "The wireless device type." }, "AWS::IoTWireless::WirelessDevice AbpV10x": { - "DevAddr": "The DevAddr value.", - "SessionKeys": "Session keys for ABP v1.0.x" + "DevAddr": "", + "SessionKeys": "" }, "AWS::IoTWireless::WirelessDevice AbpV11": { "DevAddr": "The DevAddr value.", "SessionKeys": "Session keys for ABP v1.1." }, "AWS::IoTWireless::WirelessDevice LoRaWANDevice": { - "AbpV10x": "LoRaWAN object for create APIs.", + "AbpV10x": "", "AbpV11": "ABP device object for create APIs for v1.1.", "DevEui": "The DevEUI value.", "DeviceProfileId": "The ID of the device profile for the new wireless device.", @@ -16387,8 +18983,8 @@ "ServiceProfileId": "The ID of the service profile." }, "AWS::IoTWireless::WirelessDevice OtaaV10x": { - "AppEui": "The AppEUI value, with pattern of `[a-fA-F0-9]{16}` .", - "AppKey": "The AppKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value." + "AppEui": "", + "AppKey": "" }, "AWS::IoTWireless::WirelessDevice OtaaV11": { "AppKey": "The AppKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", 
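Review bot: In the `AWS::IoTWireless::WirelessDevice OtaaV10x` entry, `AppKey` changes from the text that calls it a secret key and points to AWS Secrets Manager dynamic references to an empty string, so the handling guidance is lost for the v1.0.x variant while `OtaaV11` keeps it. The next hunk does the same to `AppSKey` and `NwkSKey` under `SessionKeysAbpV10x`, and the preceding hunk on this line empties `DevAddr`, `SessionKeys` and `AbpV10x`. This looks like an upstream description coming back empty during a docs sync rather than an intended edit. If so, the sync step should keep the previous non-empty description whenever the new value is `""`, or the removed strings should be restored exactly as they stood on the old side. The enclosing JSON object starts and ends outside these hunks.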
@@ -16396,8 +18992,8 @@ "NwkKey": "The NwkKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value." }, "AWS::IoTWireless::WirelessDevice SessionKeysAbpV10x": { - "AppSKey": "The AppSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", - "NwkSKey": "The NwkSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value." + "AppSKey": "", + "NwkSKey": "" }, "AWS::IoTWireless::WirelessDevice SessionKeysAbpV11": { "AppSKey": "The AppSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", 
@@ -16405,6 +19001,10 @@ "NwkSEncKey": "The NwkSEncKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkSEncKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", "SNwkSIntKey": "The SNwkSIntKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the SNwkSIntKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value." }, + "AWS::IoTWireless::WirelessDevice Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::WirelessDeviceImportTask": { "DestinationName": "The name of the destination that describes the IoT rule to route messages from the Sidewalk devices in the import task to other applications.", "Sidewalk": "The Sidewalk-related information of the wireless device import task.", @@ -16416,6 +19016,10 @@ "Role": "The IAM role that allows AWS IoT Wireless to access the CSV file in the S3 bucket.", "SidewalkManufacturingSn": "The Sidewalk manufacturing serial number (SMSN) of the Sidewalk device." }, + "AWS::IoTWireless::WirelessDeviceImportTask Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::WirelessGateway": { "Description": "The description of the new resource. The maximum length is 2048 characters.", "LastUplinkReceivedAt": "The date and time when the most recent uplink was received.", 
@@ -16429,29 +19033,43 @@ "GatewayEui": "The gateway's EUI value.", "RfRegion": "The frequency band (RFRegion) value." }, + "AWS::IoTWireless::WirelessGateway Tag": { + "Key": "", + "Value": "" + }, "AWS::KMS::Alias": { - "AliasName": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .\n\n*Pattern* : `^alias/[a-zA-Z0-9/_-]+$`\n\n*Minimum* : `1`\n\n*Maximum* : `256`", + "AliasName": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . 
The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .", "TargetKeyId": "Associates the alias with the specified [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) . The KMS key must be in the same AWS account and Region.\n\nA valid key ID is required. If you supply a null or empty string value, this operation returns an error.\n\nFor help finding the key ID and ARN, see [Finding the key ID and ARN](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) in the *AWS Key Management Service Developer Guide* .\n\nSpecify the key ID or the key ARN of the KMS key.\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n\nTo get the key ID and key ARN for a KMS key, use [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) or [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) ." }, "AWS::KMS::Key": { + "BypassPolicyLockoutSafetyCheck": "Skips (\"bypasses\") the key policy lockout safety check. The default value is false.\n\n> Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.\n> \n> For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) in the *AWS Key Management Service Developer Guide* . \n\nUse this parameter only when you intend to prevent the principal that is making the request from making a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key.", "Description": "A description of the KMS key. 
Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.", - "EnableKeyRotation": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys and HMAC KMS keys, omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", + "EnableKeyRotation": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin `EXTERNAL` , omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. 
For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", "Enabled": "Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations.\n\nWhen `Enabled` is `true` , the *key state* of the KMS key is `Enabled` . When `Enabled` is `false` , the key state of the KMS key is `Disabled` . The default value is `true` .\n\nThe actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html) , [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) , or [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operations.\n\nFor information about the key states of a KMS key, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* .", - "KeyPolicy": "The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. 
For more information, refer to the scenario in the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section of the **AWS Key Management Service Developer Guide** .\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. 
For details, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", + "KeyPolicy": "The key policy to attach to the KMS key.\n\nIf you provide a key policy, it must meet the following criteria:\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) in the *AWS Key Management Service Developer Guide* . (To omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you do not provide a key policy, AWS KMS attaches a default key policy to the KMS key. 
For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", "KeySpec": "Specifies the type of KMS key to create. The default value, `SYMMETRIC_DEFAULT` , creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, `SYMMETRIC_DEFAULT` creates a 128-bit symmetric key that uses SM4 encryption. You can't change the `KeySpec` value after the KMS key is created. For help choosing a key spec for your KMS key, see [Choosing a KMS key type](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html) in the *AWS Key Management Service Developer Guide* .\n\nThe `KeySpec` property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see [AWS KMS condition keys](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms) in the *AWS Key Management Service Developer Guide* .\n\n> If you change the value of the `KeySpec` property on an existing KMS key, the update request fails, regardless of the value of the [`UpdateReplacePolicy` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) . This prevents you from accidentally deleting a KMS key by changing an immutable property value. 
> [AWS services that are integrated with AWS KMS](https://docs.aws.amazon.com/kms/features/#AWS_Service_Integration) use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see [Identifying asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) in the *AWS Key Management Service Developer Guide* . \n\nAWS KMS supports the following key specs for KMS keys:\n\n- Symmetric encryption key (default)\n\n- `SYMMETRIC_DEFAULT` (AES-256-GCM)\n- HMAC keys (symmetric)\n\n- `HMAC_224`\n- `HMAC_256`\n- `HMAC_384`\n- `HMAC_512`\n- Asymmetric RSA key pairs\n\n- `RSA_2048`\n- `RSA_3072`\n- `RSA_4096`\n- Asymmetric NIST-recommended elliptic curve key pairs\n\n- `ECC_NIST_P256` (secp256r1)\n- `ECC_NIST_P384` (secp384r1)\n- `ECC_NIST_P521` (secp521r1)\n- Other asymmetric elliptic curve key pairs\n\n- `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.\n- SM2 key pairs (China Regions only)\n\n- `SM2`", "KeyUsage": "Determines the [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. The default value is `ENCRYPT_DECRYPT` . This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the `KeyUsage` value after the KMS key is created.\n\n> If you change the value of the `KeyUsage` property on an existing KMS key, the update request fails, regardless of the value of the [`UpdateReplacePolicy` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) . This prevents you from accidentally deleting a KMS key by changing an immutable property value. 
\n\nSelect only one valid value.\n\n- For symmetric encryption KMS keys, omit the property or specify `ENCRYPT_DECRYPT` .\n- For asymmetric KMS keys with RSA key material, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY` .\n- For asymmetric KMS keys with ECC key material, specify `SIGN_VERIFY` .\n- For asymmetric KMS keys with SM2 (China Regions only) key material, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY` .\n- For HMAC KMS keys, specify `GENERATE_VERIFY_MAC` .", "MultiRegion": "Creates a multi-Region primary key that you can replicate in other AWS Regions . You can't change the `MultiRegion` value after the KMS key is created.\n\nFor a list of AWS Regions in which multi-Region keys are supported, see [Multi-Region keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the ** .\n\n> If you change the value of the `MultiRegion` property on an existing KMS key, the update request fails, regardless of the value of the [`UpdateReplacePolicy` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) . This prevents you from accidentally deleting a KMS key by changing an immutable property value. \n\nFor a multi-Region key, set to this property to `true` . For a single-Region key, omit this property or set it to `false` . The default value is `false` .\n\n*Multi-Region keys* are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. 
For more information, see [Multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nYou can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store.\n\nTo create a replica of this primary key in a different AWS Region , create an [AWS::KMS::ReplicaKey](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-replicakey.html) resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.", - "PendingWindowInDays": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. 
When this waiting period expires, AWS KMS deletes the primary key. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "Origin": "The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is `AWS_KMS` , which means that AWS KMS creates the key material.\n\nTo [create a KMS key with no key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) (for imported key material), set this value to `EXTERNAL` . 
For more information about importing key material into AWS KMS , see [Importing Key Material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) in the *AWS Key Management Service Developer Guide* .\n\nYou can ignore `ENABLED` when Origin is `EXTERNAL` . When a KMS key with Origin `EXTERNAL` is created, the key state is `PENDING_IMPORT` and `ENABLED` is `false` . After you import the key material, `ENABLED` updated to `true` . The KMS key can then be used for Cryptographic Operations.\n\n> AWS CloudFormation doesn't support creating an `Origin` parameter of the `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` values.", + "PendingWindowInDays": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. 
For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "Tags": "Assigns one or more tags to the replica key.\n\n> Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see [ABAC for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the *AWS Key Management Service Developer Guide* . \n\nFor information about tags in AWS KMS , see [Tagging keys](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) in the *AWS Key Management Service Developer Guide* . For information about tags in CloudFormation, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." 
}, + "AWS::KMS::Key Tag": { + "Key": "", + "Value": "" + }, "AWS::KMS::ReplicaKey": { "Description": "A description of the KMS key.\n\nThe default value is an empty string (no description).\n\nThe description is not a shared property of multi-Region keys. You can specify the same description or a different description for each key in a set of related multi-Region keys. AWS Key Management Service does not synchronize this property.", "Enabled": "Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations.\n\nWhen `Enabled` is `true` , the *key state* of the KMS key is `Enabled` . When `Enabled` is `false` , the key state of the KMS key is `Disabled` . The default value is `true` .\n\nThe actual key state of the replica might be affected by actions taken outside of CloudFormation, such as running the [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html) , [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) , or [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operations. Also, while the replica key is being created, its key state is `Creating` . When the process is complete, the key state of the replica key changes to `Enabled` .\n\nFor information about the key states of a KMS key, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* .", "KeyPolicy": "The key policy that authorizes use of the replica key.\n\nThe key policy is not a shared property of multi-Region keys. You can specify the same key policy or a different key policy for each key in a set of related multi-Region keys. 
AWS KMS does not synchronize this property.\n\nThe key policy must conform to the following rules.\n\n- The key policy must give the caller [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) permission on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section of the **AWS Key Management Service Developer Guide** .\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters from the space character ( `\\u0020` ) through the end of the ASCII character range.\n- Printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` ).\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", - "PendingWindowInDays": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. 
The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . 
For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "PendingWindowInDays": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. 
This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "PrimaryKeyArn": "Specifies the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS partition. You can create only one replica of a given primary key in each AWS Region .\n\n> If you change the `PrimaryKeyArn` value of a replica key, the existing replica key is scheduled for deletion and a new replica key is created based on the specified primary key. While it is scheduled for deletion, the existing replica key becomes unusable. You can cancel the scheduled deletion of the key outside of CloudFormation.\n> \n> However, if you inadvertently delete a replica key, you can decrypt ciphertext encrypted by that replica key by using any related multi-Region key. If necessary, you can recreate the replica in the same Region after the previous one is completely deleted. 
For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* \n\nSpecify the key ARN of an existing multi-Region primary key. For example, `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab` .", "Tags": "Assigns one or more tags to the replica key.\n\n> Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see [ABAC for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the *AWS Key Management Service Developer Guide* . \n\nTags are not a shared property of multi-Region keys. You can specify the same tags or different tags for each key in a set of related multi-Region keys. AWS KMS does not synchronize this property.\n\nEach tag consists of a tag key and a tag value. Both the tag key and the tag value are required, but the tag value can be an empty (null) string. You cannot have more than one tag on a KMS key with the same tag key. If you specify an existing tag key with a different tag value, AWS KMS replaces the current tag value with the specified one.\n\nWhen you assign tags to an AWS resource, AWS generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For details, see [Tagging keys](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) ." }, + "AWS::KMS::ReplicaKey Tag": { + "Key": "", + "Value": "" + }, "AWS::KafkaConnect::Connector": { "Capacity": "The connector's compute capacity settings.", "ConnectorConfiguration": "The configuration of the connector.", 
@@ -16541,6 +19159,7 @@ "DataSourceConfiguration": "Configuration information for an Amazon Kendra data source. The contents of the configuration depend on the type of data source. You can only specify one type of data source in the configuration.\n\nYou can't specify the `Configuration` parameter when the `Type` parameter is set to `CUSTOM` .\n\nThe `Configuration` parameter is required for all other data sources.", "Description": "A description for the data source connector.", "IndexId": "The identifier of the index you want to use with the data source connector.", + "LanguageCode": "The code for a language. This shows a supported language for all documents in the data source. English is supported by default. For more information on supported languages, including their codes, see [Adding documents in languages other than English](https://docs.aws.amazon.com/kendra/latest/dg/in-adding-languages.html) .", "Name": "The name of the data source.", "RoleArn": "The Amazon Resource Name (ARN) of a role with permission to access the data source.\n\nYou can't specify the `RoleArn` parameter when the `Type` parameter is set to `CUSTOM` .\n\nThe `RoleArn` parameter is required for all other data sources.", "Schedule": "Sets the frequency that Amazon Kendra checks the documents in your data source and updates the index. If you don't set a schedule, Amazon Kendra doesn't periodically update the index.", 
@@ -16635,9 +19254,9 @@ "WorkDocsConfiguration": "Provides the configuration information to connect to Amazon WorkDocs as your data source." }, "AWS::Kendra::DataSource DataSourceToIndexFieldMapping": { - "DataSourceFieldName": "The name of the column or attribute in the data source.", - "DateFieldFormat": "The type of data stored in the column or attribute.", - "IndexFieldName": "The name of the field in the index." + "DataSourceFieldName": "The name of the field in the data source. You must first create the index field using the `UpdateIndex` API.", + "DateFieldFormat": "The format for date fields in the data source. If the field specified in `DataSourceFieldName` is a date field, you must specify the date format. If the field is not a date field, an exception is thrown.", + "IndexFieldName": "The name of the index field to map to the data source field. The index field type must match the data source field type." }, "AWS::Kendra::DataSource DataSourceVpcConfiguration": { "SecurityGroupIds": "A list of identifiers of security groups within your Amazon VPC. The security groups should enable Amazon Kendra to connect to the data source.", 
@@ -16804,6 +19423,10 @@ "AWS::Kendra::DataSource SqlConfiguration": { "QueryIdentifiersEnclosingOption": "Determines whether Amazon Kendra encloses SQL identifiers for tables and column names in double quotes (\") when making a database query. You can set the value to `DOUBLE_QUOTES` or `NONE` .\n\nBy default, Amazon Kendra passes SQL identifiers the way that they are entered into the data source configuration. It does not change the case of identifiers or enclose them in quotes.\n\nPostgreSQL internally converts uppercase characters to lower case characters in identifiers unless they are quoted. Choosing this option encloses identifiers in quotes so that PostgreSQL does not convert the character's case.\n\nFor MySQL databases, you must enable the ansi_quotes option when you set this field to `DOUBLE_QUOTES` ." }, + "AWS::Kendra::DataSource Tag": { + "Key": "The key for the tag. Keys are not case sensitive and must be unique for the index, FAQ, or data source.", + "Value": "The value associated with the tag. The value may be an empty string but it can't be null." + }, "AWS::Kendra::DataSource WebCrawlerAuthenticationConfiguration": { "BasicAuthentication": "The list of configuration information that's required to connect to and crawl a website host using basic authentication credentials.\n\nThe list includes the name and port number of the website host." }, 
@@ -16855,8 +19478,12 @@ "Bucket": "The name of the S3 bucket that contains the file.", "Key": "The name of the file." }, + "AWS::Kendra::Faq Tag": { + "Key": "The key for the tag. Keys are not case sensitive and must be unique for the index, FAQ, or data source.", + "Value": "The value associated with the tag. The value may be an empty string but it can't be null." + }, "AWS::Kendra::Index": { - "CapacityUnits": "", + "CapacityUnits": "Specifies additional capacity units configured for your Enterprise Edition index. You can add and remove capacity units to fit your usage requirements.", "Description": "A description for the index.", "DocumentMetadataConfigurations": "Specifies the properties of an index field. You can add either a custom or a built-in field. You can add and remove built-in fields at any time. When a built-in field is removed it's configuration reverts to the default for the field. Custom fields can't be removed from an index after they are added.", "Edition": "Indicates whether the index is a Enterprise Edition index or a Developer Edition index. Valid values are `DEVELOPER_EDITION` and `ENTERPRISE_EDITION` .", @@ -16906,6 +19533,10 @@ "AWS::Kendra::Index ServerSideEncryptionConfiguration": { "KmsKeyId": "The identifier of the AWS KMS key . Amazon Kendra doesn't support asymmetric keys." }, + "AWS::Kendra::Index Tag": { + "Key": "The key for the tag. Keys are not case sensitive and must be unique for the index, FAQ, or data source.", + "Value": "The value associated with the tag. The value may be an empty string but it can't be null." + }, "AWS::Kendra::Index UserTokenConfiguration": { "JsonTokenTypeConfiguration": "Information about the JSON token type configuration.", "JwtTokenTypeConfiguration": "Information about the JWT token type configuration." 
@@ -16923,6 +19554,10 @@ "AWS::KendraRanking::ExecutionPlan CapacityUnitsConfiguration": { "RescoreCapacityUnits": "The amount of extra capacity for your rescore execution plan.\n\nA single extra capacity unit for a rescore execution plan provides 0.01 rescore requests per second. You can add up to 1000 extra capacity units." }, + "AWS::KendraRanking::ExecutionPlan Tag": { + "Key": "The key for the tag. Keys are not case sensitive and must be unique.", + "Value": "The value associated with the tag. The value can be an empty string but it can't be null." + }, "AWS::Kinesis::Stream": { "Name": "The name of the Kinesis stream. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the stream name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nIf you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", "RetentionPeriodHours": "The number of hours for the data records that are stored in shards to remain accessible. The default value is 24. For more information about the stream retention period, see [Changing the Data Retention Period](https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html) in the Amazon Kinesis Developer Guide.", 
@@ -16938,6 +19573,10 @@ "AWS::Kinesis::Stream StreamModeDetails": { "StreamMode": "Specifies the capacity mode to which you want to set your data stream. Currently, in Kinesis Data Streams, you can choose between an *on-demand* capacity mode and a *provisioned* capacity mode for your data streams." }, + "AWS::Kinesis::Stream Tag": { + "Key": "A unique identifier for the tag. Maximum length: 128 characters. Valid characters: Unicode letters, digits, white space, _ . / = + - % @", + "Value": "An optional string, typically used to describe or define the tag. Maximum length: 256 characters. Valid characters: Unicode letters, digits, white space, _ . / = + - % @" + }, "AWS::Kinesis::StreamConsumer": { "ConsumerName": "The name of the consumer is something you choose when you register the consumer.", "StreamARN": "The ARN of the stream with which you registered the consumer." @@ -17070,7 +19709,7 @@ "ApplicationMaintenanceConfiguration": "", "ApplicationMode": "To create a Kinesis Data Analytics Studio notebook, you must set the mode to `INTERACTIVE` . However, for a Kinesis Data Analytics for Apache Flink application, the mode is optional.", "ApplicationName": "The name of the application.", - "RunConfiguration": "", + "RunConfiguration": "Describes the starting parameters for an Managed Service for Apache Flink application.", "RuntimeEnvironment": "The runtime environment for the application.", "ServiceExecutionRole": "Specifies the IAM role that the application uses to access external resources.", "Tags": "A list of one or more tags to assign to the application. A tag is a key-value pair that identifies an application. Note that the maximum number of application tags includes system tags. The maximum number of user-defined application tags is 50." 
@@ -17080,11 +19719,11 @@ "CodeContentType": "Specifies whether the code content is in text or zip format." }, "AWS::KinesisAnalyticsV2::Application ApplicationConfiguration": { - "ApplicationCodeConfiguration": "The code location and type parameters for a Flink-based Kinesis Data Analytics application.", - "ApplicationSnapshotConfiguration": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", - "EnvironmentProperties": "Describes execution properties for a Flink-based Kinesis Data Analytics application.", - "FlinkApplicationConfiguration": "The creation and update parameters for a Flink-based Kinesis Data Analytics application.", - "SqlApplicationConfiguration": "The creation and update parameters for a SQL-based Kinesis Data Analytics application.", + "ApplicationCodeConfiguration": "The code location and type parameters for a Managed Service for Apache Flink application.", + "ApplicationSnapshotConfiguration": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", + "EnvironmentProperties": "Describes execution properties for a Managed Service for Apache Flink application.", + "FlinkApplicationConfiguration": "The creation and update parameters for a Managed Service for Apache Flink application.", + "SqlApplicationConfiguration": "The creation and update parameters for a SQL-based Managed Service for Apache Flink application.", "VpcConfigurations": "The array of descriptions of VPC configurations available to the application.", "ZeppelinApplicationConfiguration": "The configuration parameters for a Kinesis Data Analytics Studio notebook." }, 
@@ -17096,7 +19735,7 @@ "SnapshotName": "The identifier of an existing snapshot of application state to use to restart an application. The application uses this value if `RESTORE_FROM_CUSTOM_SNAPSHOT` is specified for the `ApplicationRestoreType` ." }, "AWS::KinesisAnalyticsV2::Application ApplicationSnapshotConfiguration": { - "SnapshotsEnabled": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application." + "SnapshotsEnabled": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application." }, "AWS::KinesisAnalyticsV2::Application CSVMappingParameters": { "RecordColumnDelimiter": "The column delimiter. For example, in a CSV format, a comma (\",\") is the typical column delimiter.", 
@@ -17107,14 +19746,14 @@ }, "AWS::KinesisAnalyticsV2::Application CheckpointConfiguration": { "CheckpointInterval": "Describes the interval in milliseconds between checkpoint operations.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointInterval` value of 60000, even if this value is set to another value using this API or in application code.", - "CheckpointingEnabled": "Describes whether checkpointing is enabled for a Flink-based Kinesis Data Analytics application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", - "ConfigurationType": "Describes whether the application uses Kinesis Data Analytics' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", + "CheckpointingEnabled": "Describes whether checkpointing is enabled for a Managed Service for Apache Flink application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", + "ConfigurationType": "Describes whether the application uses Managed Service for Apache Flink' default checkpointing behavior. 
You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", "MinPauseBetweenCheckpoints": "Describes the minimum time in milliseconds after a checkpoint operation completes that a new checkpoint operation can start. If a checkpoint operation takes longer than the `CheckpointInterval` , the application otherwise performs continual checkpoint operations. For more information, see [Tuning Checkpointing](https://docs.aws.amazon.com/https://ci.apache.org/projects/flink/flink-docs-release-1.8/ops/state/large_state_tuning.html#tuning-checkpointing) in the [Apache Flink Documentation](https://docs.aws.amazon.com/https://ci.apache.org/projects/flink/flink-docs-release-1.8/) .\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `MinPauseBetweenCheckpoints` value of 5000, even if this value is set using this API or in application code." }, "AWS::KinesisAnalyticsV2::Application CodeContent": { "S3ContentLocation": "Information about the Amazon S3 bucket that contains the application code.", - "TextContent": "The text-format code for a Flink-based Kinesis Data Analytics application.", - "ZipFileContent": "The zip-format code for a Flink-based Kinesis Data Analytics application." + "TextContent": "The text-format code for a Managed Service for Apache Flink application.", + "ZipFileContent": "The zip-format code for a Managed Service for Apache Flink application." }, "AWS::KinesisAnalyticsV2::Application CustomArtifactConfiguration": { "ArtifactType": "Set this to either `UDF` or `DEPENDENCY_JAR` . `UDF` stands for user-defined functions. This type of artifact must be in an S3 bucket. 
A `DEPENDENCY_JAR` can be in either Maven or an S3 bucket.", 
@@ -17140,11 +19779,11 @@ }, "AWS::KinesisAnalyticsV2::Application Input": { "InputParallelism": "Describes the number of in-application streams to create.", - "InputProcessingConfiguration": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) .", + "InputProcessingConfiguration": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) .", "InputSchema": "Describes the format of the data in the streaming source, and how each data element maps to corresponding columns in the in-application stream that is being created.\n\nAlso used to describe the format of the reference data source.", "KinesisFirehoseInput": "If the streaming source is an Amazon Kinesis Data Firehose delivery stream, identifies the delivery stream's ARN.", "KinesisStreamsInput": "If the streaming source is an Amazon Kinesis data stream, identifies the stream's Amazon Resource Name (ARN).", - "NamePrefix": "The name prefix to use when creating an in-application stream. 
Suppose that you specify a prefix \" `MyInApplicationStream` .\" Kinesis Data Analytics then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on." + "NamePrefix": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Managed Service for Apache Flink then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on." }, "AWS::KinesisAnalyticsV2::Application InputLambdaProcessor": { "ResourceARN": "The ARN of the Amazon Lambda function that operates on records in the stream.\n\n> To specify an earlier version of the Lambda function than the latest, include the Lambda function version in the Lambda function ARN. For more information about Lambda ARNs, see [Example ARNs: Amazon Lambda](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-lambda)" @@ -17153,7 +19792,7 @@ "Count": "The number of in-application streams to create." }, "AWS::KinesisAnalyticsV2::Application InputProcessingConfiguration": { - "InputLambdaProcessor": "The [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code." + "InputLambdaProcessor": "The [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code." }, "AWS::KinesisAnalyticsV2::Application InputSchema": { "RecordColumns": "A list of `RecordColumn` objects.", 
@@ -17184,9 +19823,9 @@ "MetricsLevel": "Describes the granularity of the CloudWatch Logs for an application. The `Parallelism` level is not recommended for applications with a Parallelism over 64 due to excessive costs." }, "AWS::KinesisAnalyticsV2::Application ParallelismConfiguration": { - "AutoScalingEnabled": "Describes whether the Kinesis Data Analytics service can increase the parallelism of the application in response to increased throughput.", - "ConfigurationType": "Describes whether the application uses the default parallelism for the Kinesis Data Analytics service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", - "Parallelism": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", + "AutoScalingEnabled": "Describes whether the Managed Service for Apache Flink service can increase the parallelism of the application in response to increased throughput.", + "ConfigurationType": "Describes whether the application uses the default parallelism for the Managed Service for Apache Flink service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", + "Parallelism": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. 
The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", "ParallelismPerKPU": "Describes the number of parallel tasks that a Java-based Kinesis Data Analytics application can perform per Kinesis Processing Unit (KPU) used by the application. For more information about KPUs, see [Amazon Kinesis Data Analytics Pricing](https://docs.aws.amazon.com/kinesis/data-analytics/pricing/) ." }, "AWS::KinesisAnalyticsV2::Application PropertyGroup": { @@ -17204,7 +19843,7 @@ }, "AWS::KinesisAnalyticsV2::Application RunConfiguration": { "ApplicationRestoreConfiguration": "Describes the restore behavior of a restarting application.", - "FlinkRunConfiguration": "Describes the starting parameters for a Flink-based Kinesis Data Analytics application." + "FlinkRunConfiguration": "Describes the starting parameters for a Managed Service for Apache Flink application." }, "AWS::KinesisAnalyticsV2::Application S3ContentBaseLocation": { "BasePath": "The base path for the S3 bucket.", 
@@ -17216,7 +19855,11 @@ "ObjectVersion": "The version of the object containing the application code." }, "AWS::KinesisAnalyticsV2::Application SqlApplicationConfiguration": { - "Inputs": "The array of [Input](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_Input.html) objects describing the input streams used by the application." + "Inputs": "The array of [Input](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_Input.html) objects describing the input streams used by the application." + }, + "AWS::KinesisAnalyticsV2::Application Tag": { + "Key": "The key of the key-value tag.", + "Value": "The value of the key-value tag. The value is optional." }, "AWS::KinesisAnalyticsV2::Application VpcConfiguration": { "SecurityGroupIds": "The array of [SecurityGroup](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SecurityGroup.html) IDs used by the VPC configuration.", @@ -17240,7 +19883,7 @@ }, "AWS::KinesisAnalyticsV2::ApplicationOutput": { "ApplicationName": "The name of the application.", - "Output": "Describes a SQL-based Kinesis Data Analytics application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream." + "Output": "Describes a SQL-based Managed Service for Apache Flink application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream." }, "AWS::KinesisAnalyticsV2::ApplicationOutput DestinationSchema": { "RecordFormatType": "Specifies the format of the records on the output stream." 
@@ -17263,7 +19906,7 @@ }, "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource": { "ApplicationName": "The name of the application.", - "ReferenceDataSource": "For a SQL-based Kinesis Data Analytics application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table." + "ReferenceDataSource": "For a SQL-based Managed Service for Apache Flink application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table." }, "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource CSVMappingParameters": { "RecordColumnDelimiter": "The column delimiter. For example, in a CSV format, a comma (\",\") is the typical column delimiter.", 
@@ -17287,7 +19930,7 @@ }, "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource ReferenceDataSource": { "ReferenceSchema": "Describes the format of the data in the streaming source, and how each data element maps to corresponding columns created in the in-application stream.", - "S3ReferenceDataSource": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", + "S3ReferenceDataSource": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", "TableName": "The name of the in-application table to create." }, "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource ReferenceSchema": { @@ -17300,7 +19943,7 @@ "FileKey": "The object key name containing the reference data." }, "AWS::KinesisFirehose::DeliveryStream": { - "AmazonOpenSearchServerlessDestinationConfiguration": "", + "AmazonOpenSearchServerlessDestinationConfiguration": "Describes the configuration of a destination in the Serverless offering for Amazon OpenSearch Service.", "AmazonopensearchserviceDestinationConfiguration": "The destination in Amazon OpenSearch Service. You can specify only one destination.", "DeliveryStreamEncryptionConfigurationInput": "Specifies the type and Amazon Resource Name (ARN) of the CMK to use for Server-Side Encryption (SSE).", "DeliveryStreamName": "The name of the delivery stream.", 
@@ -17309,29 +19952,30 @@ "ExtendedS3DestinationConfiguration": "An Amazon S3 destination for the delivery stream.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon Extended S3 destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .", "HttpEndpointDestinationConfiguration": "Enables configuring Kinesis Firehose to deliver data to any HTTP endpoint destination. You can specify only one destination.", "KinesisStreamSourceConfiguration": "When a Kinesis stream is used as the source for the delivery stream, a [KinesisStreamSourceConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-kinesisstreamsourceconfiguration.html) containing the Kinesis stream ARN and the role ARN for the source stream.", + "MSKSourceConfiguration": "The configuration for the Amazon MSK cluster to be used as the source for a delivery stream.", "RedshiftDestinationConfiguration": "An Amazon Redshift destination for the delivery stream.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon Redshift destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .", "S3DestinationConfiguration": "The `S3DestinationConfiguration` property type specifies an Amazon Simple Storage Service (Amazon S3) destination to which Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivers data.\n\nConditional. 
You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon S3 destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .", "SplunkDestinationConfiguration": "The configuration of a destination in Splunk for the delivery stream.", "Tags": "A set of tags to assign to the delivery stream. A tag is a key-value pair that you can define and assign to AWS resources. Tags are metadata. For example, you can add friendly names and descriptions or other types of information that can help you distinguish the delivery stream. For more information about tags, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the AWS Billing and Cost Management User Guide.\n\nYou can specify up to 50 tags when creating a delivery stream." }, "AWS::KinesisFirehose::DeliveryStream AmazonOpenSearchServerlessBufferingHints": { - "IntervalInSeconds": "", - "SizeInMBs": "" + "IntervalInSeconds": "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300 (5 minutes).", + "SizeInMBs": "Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.\n\nWe recommend setting this parameter to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec, the value should be 10 MB or higher." }, "AWS::KinesisFirehose::DeliveryStream AmazonOpenSearchServerlessDestinationConfiguration": { - "BufferingHints": "", + "BufferingHints": "The buffering options. 
If no value is specified, the default values for AmazonopensearchserviceBufferingHints are used.", "CloudWatchLoggingOptions": "", - "CollectionEndpoint": "", - "IndexName": "", + "CollectionEndpoint": "The endpoint to use when communicating with the collection in the Serverless offering for Amazon OpenSearch Service.", + "IndexName": "The Serverless offering for Amazon OpenSearch Service index name.", "ProcessingConfiguration": "", - "RetryOptions": "", - "RoleARN": "", - "S3BackupMode": "", + "RetryOptions": "The retry behavior in case Kinesis Data Firehose is unable to deliver documents to the Serverless offering for Amazon OpenSearch Service. The default value is 300 (5 minutes).", + "RoleARN": "The Amazon Resource Name (ARN) of the IAM role to be assumed by Kinesis Data Firehose for calling the Serverless offering for Amazon OpenSearch Service Configuration API and for indexing documents.", + "S3BackupMode": "Defines how documents should be delivered to Amazon S3. When it is set to FailedDocumentsOnly, Kinesis Data Firehose writes any documents that could not be indexed to the configured Amazon S3 destination, with AmazonOpenSearchService-failed/ appended to the key prefix. When set to AllDocuments, Kinesis Data Firehose delivers all incoming records to Amazon S3, and also writes failed documents with AmazonOpenSearchService-failed/ appended to the prefix.", "S3Configuration": "", "VpcConfiguration": "" }, "AWS::KinesisFirehose::DeliveryStream AmazonOpenSearchServerlessRetryOptions": { - "DurationInSeconds": "" + "DurationInSeconds": "After an initial failure to deliver to the Serverless offering for Amazon OpenSearch Service, the total amount of time during which Kinesis Data Firehose retries delivery (including the first attempt). After this time has elapsed, the failed documents are written to Amazon S3. Default value is 300 seconds (5 minutes). A value of 0 (zero) results in no retries." 
}, "AWS::KinesisFirehose::DeliveryStream AmazonopensearchserviceBufferingHints": { "IntervalInSeconds": "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300 (5 minutes).", @@ -17341,7 +19985,7 @@ "BufferingHints": "The buffering options. If no value is specified, the default values for AmazonopensearchserviceBufferingHints are used.", "CloudWatchLoggingOptions": "Describes the Amazon CloudWatch logging options for your delivery stream.", "ClusterEndpoint": "The endpoint to use when communicating with the cluster. Specify either this ClusterEndpoint or the DomainARN field.", - "DocumentIdOptions": "", + "DocumentIdOptions": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "DomainARN": "The ARN of the Amazon OpenSearch Service domain.", "IndexName": "The Amazon OpenSearch Service index name.", "IndexRotationPeriod": "The Amazon OpenSearch Service index rotation period. Index rotation appends a timestamp to the IndexName to facilitate the expiration of old data.", 
@@ -17356,6 +20000,10 @@ "AWS::KinesisFirehose::DeliveryStream AmazonopensearchserviceRetryOptions": { "DurationInSeconds": "After an initial failure to deliver to Amazon OpenSearch Service, the total amount of time during which Kinesis Data Firehose retries delivery (including the first attempt). After this time has elapsed, the failed documents are written to Amazon S3. Default value is 300 seconds (5 minutes). A value of 0 (zero) results in no retries." }, + "AWS::KinesisFirehose::DeliveryStream AuthenticationConfiguration": { + "Connectivity": "The type of connectivity used to access the Amazon MSK cluster.", + "RoleARN": "The ARN of the role used to access the Amazon MSK cluster." + }, "AWS::KinesisFirehose::DeliveryStream BufferingHints": { "IntervalInSeconds": "The length of time, in seconds, that Kinesis Data Firehose buffers incoming data before delivering it to the destination. For valid values, see the `IntervalInSeconds` content for the [BufferingHints](https://docs.aws.amazon.com/firehose/latest/APIReference/API_BufferingHints.html) data type in the *Amazon Kinesis Data Firehose API Reference* .", "SizeInMBs": "The size of the buffer, in MBs, that Kinesis Data Firehose uses for incoming data before delivering it to the destination. For valid values, see the `SizeInMBs` content for the [BufferingHints](https://docs.aws.amazon.com/firehose/latest/APIReference/API_BufferingHints.html) data type in the *Amazon Kinesis Data Firehose API Reference* ." 
@@ -17385,7 +20033,7 @@ "OpenXJsonSerDe": "The OpenX SerDe. Used by Kinesis Data Firehose for deserializing data, which means converting it from the JSON format in preparation for serializing it to the Parquet or ORC format. This is one of two deserializers you can choose, depending on which one offers the functionality you need. The other option is the native Hive / HCatalog JsonSerDe." }, "AWS::KinesisFirehose::DeliveryStream DocumentIdOptions": { - "DefaultDocumentIdFormat": "" + "DefaultDocumentIdFormat": "When the `FIREHOSE_DEFAULT` option is chosen, Kinesis Data Firehose generates a unique document ID for each record based on a unique internal identifier. The generated document ID is stable across multiple delivery attempts, which helps prevent the same record from being indexed multiple times with different document IDs.\n\nWhen the `NO_DOCUMENT_ID` option is chosen, Kinesis Data Firehose does not include any document IDs in the requests it sends to the Amazon OpenSearch Service. This causes the Amazon OpenSearch Service domain to generate document IDs. In case of multiple delivery attempts, this may cause the same record to be indexed more than once with different document IDs. This option enables write-heavy operations, such as the ingestion of logs and observability data, to consume less resources in the Amazon OpenSearch Service domain, resulting in improved performance." }, "AWS::KinesisFirehose::DeliveryStream DynamicPartitioningConfiguration": { "Enabled": "Specifies whether dynamic partitioning is enabled for this Kinesis Data Firehose delivery stream.", 
@@ -17399,7 +20047,7 @@ "BufferingHints": "Configures how Kinesis Data Firehose buffers incoming data while delivering it to the Amazon ES domain.", "CloudWatchLoggingOptions": "The Amazon CloudWatch Logs logging options for the delivery stream.", "ClusterEndpoint": "The endpoint to use when communicating with the cluster. Specify either this `ClusterEndpoint` or the `DomainARN` field.", - "DocumentIdOptions": "", + "DocumentIdOptions": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "DomainARN": "The ARN of the Amazon ES domain. The IAM role must have permissions for `DescribeElasticsearchDomain` , `DescribeElasticsearchDomains` , and `DescribeElasticsearchDomainConfig` after assuming the role specified in *RoleARN* .\n\nSpecify either `ClusterEndpoint` or `DomainARN` .", "IndexName": "The name of the Elasticsearch index to which Kinesis Data Firehose adds data for indexing.", "IndexRotationPeriod": "The frequency of Elasticsearch index rotation. If you enable index rotation, Kinesis Data Firehose appends a portion of the UTC arrival timestamp to the specified index name, and rotates the appended timestamp accordingly. For more information, see [Index Rotation for the Amazon ES Destination](https://docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#es-index-rotation) in the *Amazon Kinesis Data Firehose Developer Guide* .", 
@@ -17470,6 +20118,11 @@ "KinesisStreamARN": "The ARN of the source Kinesis data stream.", "RoleARN": "The ARN of the role that provides access to the source Kinesis data stream." }, + "AWS::KinesisFirehose::DeliveryStream MSKSourceConfiguration": { + "AuthenticationConfiguration": "The authentication configuration of the Amazon MSK cluster.", + "MSKClusterARN": "The ARN of the Amazon MSK cluster.", + "TopicName": "The topic name within the Amazon MSK cluster." + }, "AWS::KinesisFirehose::DeliveryStream OpenXJsonSerDe": { "CaseInsensitive": "When set to `true` , which is the default, Kinesis Data Firehose converts JSON keys to lowercase before deserializing them.", "ColumnToJsonKeyMappings": "Maps column names to JSON keys that aren't identical to the column names. This is useful when the JSON contains keys that are Hive keywords. For example, `timestamp` is a Hive keyword. If you have a JSON key named `timestamp` , set this parameter to `{\"ts\": \"timestamp\"}` to map this key to a column named `ts` .", 
@@ -17565,6 +20218,10 @@ "AWS::KinesisFirehose::DeliveryStream SplunkRetryOptions": { "DurationInSeconds": "The total amount of time that Kinesis Data Firehose spends on retries. This duration starts after the initial attempt to send data to Splunk fails. It doesn't include the periods during which Kinesis Data Firehose waits for acknowledgment from Splunk after each attempt." }, + "AWS::KinesisFirehose::DeliveryStream Tag": { + "Key": "A unique identifier for the tag. Maximum length: 128 characters. Valid characters: Unicode letters, digits, white space, _ . / = + - % @", + "Value": "An optional string, which you can use to describe or define the tag. Maximum length: 256 characters. Valid characters: Unicode letters, digits, white space, _ . / = + - % @" + }, "AWS::KinesisFirehose::DeliveryStream VpcConfiguration": { "RoleARN": "The ARN of the IAM role that you want the delivery stream to use to create endpoints in the destination VPC. You can use your existing Kinesis Data Firehose delivery role or you can specify a new role. In either case, make sure that the role trusts the Kinesis Data Firehose service principal and that it grants the following permissions:\n\n- `ec2:DescribeVpcs`\n- `ec2:DescribeVpcAttribute`\n- `ec2:DescribeSubnets`\n- `ec2:DescribeSecurityGroups`\n- `ec2:DescribeNetworkInterfaces`\n- `ec2:CreateNetworkInterface`\n- `ec2:CreateNetworkInterfacePermission`\n- `ec2:DeleteNetworkInterface`\n\nIf you revoke these permissions after you create the delivery stream, Kinesis Data Firehose can't scale out by creating more ENIs when necessary. You might therefore see a degradation in performance.", "SecurityGroupIds": "The IDs of the security groups that you want Kinesis Data Firehose to use when it creates ENIs in the VPC of the Amazon ES destination. You can use the same security group that the Amazon ES domain uses or different ones. 
If you specify different security groups here, ensure that they allow outbound HTTPS traffic to the Amazon ES domain's security group. Also ensure that the Amazon ES domain's security group allows HTTPS traffic from the security groups specified here. If you use the same security group for both your delivery stream and the Amazon ES domain, make sure the security group inbound rule allows HTTPS traffic.", @@ -17576,6 +20233,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "Type": "A type of the signaling channel that you are creating. Currently, `SINGLE_MASTER` is the only supported channel type." }, + "AWS::KinesisVideo::SignalingChannel Tag": { + "Key": "The key of the tag that is associated with the specified signaling channel.", + "Value": "The value of the tag that is associated with the specified signaling channel." + }, "AWS::KinesisVideo::Stream": { "DataRetentionInHours": "How long the stream retains data, in hours.", "DeviceName": "The name of the device that is associated with the stream.", @@ -17584,6 +20245,10 @@ "Name": "The name of the stream.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::KinesisVideo::Stream Tag": { + "Key": "The key of the tag that is associated with the specified signaling channel.", + "Value": "The value of the tag that is associated with the specified signaling channel." + }, "AWS::LakeFormation::DataCellsFilter": { "ColumnNames": "An array of UTF-8 strings. A list of column names.", "ColumnWildcard": "A wildcard with exclusions. You must specify either a `ColumnNames` list or the `ColumnWildCard` .", 
@@ -17603,20 +20268,18 @@ "AWS::LakeFormation::DataLakeSettings": { "Admins": "A list of AWS Lake Formation principals.", "AllowExternalDataFiltering": "Whether to allow Amazon EMR clusters or other third-party query engines to access data managed by Lake Formation .\n\nIf set to true, you allow Amazon EMR clusters or other third-party engines to access data in Amazon S3 locations that are registered with Lake Formation .\n\nIf false or null, no third-party query engines will be able to access data in Amazon S3 locations that are registered with Lake Formation.\n\nFor more information, see [External data filtering setting](https://docs.aws.amazon.com/lake-formation/latest/dg/initial-LF-setup.html#external-data-filter) .", + "AllowFullTableExternalDataAccess": "Specifies whether query engines and applications can get credentials without IAM session tags if the user has full table access. It provides query engines and applications performance benefits as well as simplifies data access. Amazon EMR on Amazon EC2 is able to leverage this setting.\n\nFor more information, see [](https://docs.aws.amazon.com/lake-formation/latest/dg/using-cred-vending.html)", "AuthorizedSessionTagValueList": "Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it. Lake Formation will publish the acceptable key-value pair, for example key = \"LakeFormationTrustedCaller\" and value = \"TRUE\" and the third party integrator must properly tag the temporary security credentials that will be used to call Lake Formation 's administrative API operations.", "CreateDatabaseDefaultPermissions": "Specifies whether access control on a newly created database is managed by Lake Formation permissions or exclusively by IAM permissions.\n\nA null value indicates that the access is controlled by Lake Formation permissions. 
`ALL` permissions assigned to `IAM_ALLOWED_PRINCIPALS` group indicates that the user's IAM permissions determine the access to the database. This is referred to as the setting \"Use only IAM access control,\" and is to support backward compatibility with the AWS Glue permission model implemented by IAM permissions.\n\nThe only permitted values are an empty array or an array that contains a single JSON object that grants `ALL` to `IAM_ALLOWED_PRINCIPALS` .\n\nFor more information, see [Changing the default security settings for your data lake](https://docs.aws.amazon.com/lake-formation/latest/dg/change-settings.html) .", "CreateTableDefaultPermissions": "Specifies whether access control on a newly created table is managed by Lake Formation permissions or exclusively by IAM permissions.\n\nA null value indicates that the access is controlled by Lake Formation permissions. `ALL` permissions assigned to `IAM_ALLOWED_PRINCIPALS` group indicate that the user's IAM permissions determine the access to the table. 
This is referred to as the setting \"Use only IAM access control,\" and is to support the backward compatibility with the AWS Glue permission model implemented by IAM permissions.\n\nThe only permitted values are an empty array or an array that contains a single JSON object that grants `ALL` permissions to `IAM_ALLOWED_PRINCIPALS` .\n\nFor more information, see [Changing the default security settings for your data lake](https://docs.aws.amazon.com/lake-formation/latest/dg/change-settings.html) .", "ExternalDataFilteringAllowList": "A list of the account IDs of AWS accounts with Amazon EMR clusters or third-party engines that are allwed to perform data filtering.", + "MutationType": "Specifies whether the data lake settings are updated by adding new values to the current settings ( `APPEND` ) or by replacing the current settings with new settings ( `REPLACE` ).\n\n> If you choose `REPLACE` , your current data lake settings will be replaced with the new values in your template.", "Parameters": "A key-value map that provides an additional configuration on your data lake. `CrossAccountVersion` is the key you can configure in the `Parameters` field. Accepted values for the `CrossAccountVersion` key are 1, 2, and 3.", "TrustedResourceOwners": "An array of UTF-8 strings.\n\nA list of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs). The user ARNs can be logged in the resource owner's CloudTrail log. You may want to specify this property when you are in a high-trust boundary, such as the same team or company." }, - "AWS::LakeFormation::DataLakeSettings Admins": {}, - "AWS::LakeFormation::DataLakeSettings CreateDatabaseDefaultPermissions": {}, - "AWS::LakeFormation::DataLakeSettings CreateTableDefaultPermissions": {}, "AWS::LakeFormation::DataLakeSettings DataLakePrincipal": { "DataLakePrincipalIdentifier": "An identifier for the Lake Formation principal." 
}, - "AWS::LakeFormation::DataLakeSettings ExternalDataFilteringAllowList": {}, "AWS::LakeFormation::DataLakeSettings PrincipalPermissions": { "Permissions": "The permissions that are granted to the principal.", "Principal": "The principal who is granted permissions." @@ -17653,7 +20316,6 @@ "Name": "The name of the table.", "TableWildcard": "An empty object representing all tables under a database. If this field is specified instead of the `Name` field, all tables under `DatabaseName` will have permission changes applied." }, - "AWS::LakeFormation::Permissions TableWildcard": {}, "AWS::LakeFormation::Permissions TableWithColumnsResource": { "CatalogId": "The identifier for the Data Catalog . By default, it is the account ID of the caller.", "ColumnNames": "The list of column names for the table. At least one of `ColumnNames` or `ColumnWildcard` is required.", @@ -17713,7 +20375,7 @@ "TableWithColumns": "The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3." }, "AWS::LakeFormation::PrincipalPermissions TableResource": { - "CatalogId": "", + "CatalogId": "The identifier for the Data Catalog. By default, it is the account ID of the caller.", "DatabaseName": "The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.", "Name": "The name of the table.", "TableWildcard": "A wildcard object representing every table under a database.\n\nAt least one of `TableResource$Name` or `TableResource$TableWildcard` is required." 
@@ -17808,7 +20470,7 @@ "OnSuccess": "The destination configuration for successful invocations." }, "AWS::Lambda::EventInvokeConfig OnFailure": { - "Destination": "The Amazon Resource Name (ARN) of the destination resource." + "Destination": "The Amazon Resource Name (ARN) of the destination resource.\n\nTo retain records of [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination.\n\nTo retain records of failed invocations from [Kinesis and DynamoDB event sources](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html#event-source-mapping-destinations) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.\n\nTo retain records of failed invocations from [self-managed Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#services-smaa-onfailure-destination) or [Amazon MSK](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-onfailure-destination) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination." }, "AWS::Lambda::EventInvokeConfig OnSuccess": { "Destination": "The Amazon Resource Name (ARN) of the destination resource." 
@@ -17820,7 +20482,7 @@ "DestinationConfig": "(Kinesis and DynamoDB Streams only) An Amazon SQS queue or Amazon SNS topic destination for discarded records.", "DocumentDBEventSourceConfig": "Specific configuration settings for a DocumentDB event source.", "Enabled": "When true, the event source mapping is active. When false, Lambda pauses polling and invocation.\n\nDefault: True", - "EventSourceArn": "The Amazon Resource Name (ARN) of the event source.\n\n- *Amazon Kinesis* \u2013 The ARN of the data stream or a stream consumer.\n- *Amazon DynamoDB Streams* \u2013 The ARN of the stream.\n- *Amazon Simple Queue Service* \u2013 The ARN of the queue.\n- *Amazon Managed Streaming for Apache Kafka* \u2013 The ARN of the cluster.\n- *Amazon MQ* \u2013 The ARN of the broker.\n- *Amazon DocumentDB* \u2013 The ARN of the DocumentDB change stream.", + "EventSourceArn": "The Amazon Resource Name (ARN) of the event source.\n\n- *Amazon Kinesis* \u2013 The ARN of the data stream or a stream consumer.\n- *Amazon DynamoDB Streams* \u2013 The ARN of the stream.\n- *Amazon Simple Queue Service* \u2013 The ARN of the queue.\n- *Amazon Managed Streaming for Apache Kafka* \u2013 The ARN of the cluster or the ARN of the VPC connection (for [cross-account event source mappings](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#msk-multi-vpc) ).\n- *Amazon MQ* \u2013 The ARN of the broker.\n- *Amazon DocumentDB* \u2013 The ARN of the DocumentDB change stream.", "FilterCriteria": "An object that defines the filter criteria that determine whether Lambda should process an event. 
For more information, see [Lambda event filtering](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html) .", "FunctionName": "The name of the Lambda function.\n\n**Name formats** - *Function name* \u2013 `MyFunction` .\n- *Function ARN* \u2013 `arn:aws:lambda:us-west-2:123456789012:function:MyFunction` .\n- *Version or Alias ARN* \u2013 `arn:aws:lambda:us-west-2:123456789012:function:MyFunction:PROD` .\n- *Partial ARN* \u2013 `123456789012:function:MyFunction` .\n\nThe length constraint applies only to the full ARN. If you specify only the function name, it's limited to 64 characters in length.", "FunctionResponseTypes": "(Streams and SQS) A list of current response type enums applied to the event source mapping.\n\nValid Values: `ReportBatchItemFailures`", 
@@ -17859,7 +20521,7 @@ "Filters": "A list of filters." }, "AWS::Lambda::EventSourceMapping OnFailure": { - "Destination": "The Amazon Resource Name (ARN) of the destination resource." + "Destination": "The Amazon Resource Name (ARN) of the destination resource.\n\nTo retain records of [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination.\n\nTo retain records of failed invocations from [Kinesis and DynamoDB event sources](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html#event-source-mapping-destinations) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.\n\nTo retain records of failed invocations from [self-managed Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#services-smaa-onfailure-destination) or [Amazon MSK](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-onfailure-destination) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination." }, "AWS::Lambda::EventSourceMapping ScalingConfig": { "MaximumConcurrency": "Limits the number of concurrent instances that the Amazon SQS event source can invoke." 
@@ -17888,7 +20550,8 @@ "ImageConfig": "Configuration values that override the container image Dockerfile settings. For more information, see [Container image settings](https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#images-parms) .", "KmsKeyArn": "The ARN of the AWS Key Management Service ( AWS KMS ) customer managed key that's used to encrypt your function's [environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption) . When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart-security.html) is activated, Lambda also uses this key is to encrypt your function's snapshot. If you deploy your function using a container image, Lambda also uses this key to encrypt your function when it's deployed. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR).\nIf you don't provide a customer managed key, Lambda uses a default service key.", "Layers": "A list of [function layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) to add to the function's execution environment. Specify each layer by its ARN, including the version.", - "MemorySize": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB.", + "LoggingConfig": "The function's Amazon CloudWatch Logs configuration settings.", + "MemorySize": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. 
Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase.", "PackageType": "The type of deployment package. Set to `Image` for container image and set `Zip` for .zip file archive.", "ReservedConcurrentExecutions": "The number of simultaneous executions to reserve for the function.", "Role": "The Amazon Resource Name (ARN) of the function's execution role.", 
@@ -17925,6 +20588,12 @@ "EntryPoint": "Specifies the entry point to their application, which is typically the location of the runtime executable. You can specify a maximum of 1,500 string entries in the list.", "WorkingDirectory": "Specifies the working directory. The length of the directory string cannot exceed 1,000 characters." }, + "AWS::Lambda::Function LoggingConfig": { + "ApplicationLogLevel": "Set this property to filter the application logs for your function that Lambda sends to CloudWatch. Lambda only sends application logs at the selected level and lower.", + "LogFormat": "The format in which Lambda sends your function's application and system logs to CloudWatch. Select between plain text and structured JSON.", + "LogGroup": "The name of the Amazon CloudWatch log group the function sends logs to. By default, Lambda functions send logs to a default log group named `/aws/lambda/` . To use a different log group, enter an existing log group or enter a new log group name.", + "SystemLogLevel": "Set this property to filter the system logs for your function that Lambda sends to CloudWatch. Lambda only sends system logs at the selected level and lower." + }, "AWS::Lambda::Function RuntimeManagementConfig": { "RuntimeVersionArn": "The ARN of the runtime version you want the function to use.\n\n> This is only required if you're using the *Manual* runtime update mode.", "UpdateRuntimeOn": "Specify the runtime update mode.\n\n- *Auto (default)* - Automatically update to the most recent and secure runtime version using a [Two-phase runtime version rollout](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-two-phase) . This is the best choice for most customers to ensure they always benefit from runtime updates.\n- *FunctionUpdate* - Lambda updates the runtime of you function to the most recent and secure runtime version when you update your function. 
This approach synchronizes runtime updates with function deployments, giving you control over when runtime updates are applied and allowing you to detect and mitigate rare runtime update incompatibilities early. When using this setting, you need to regularly update your functions to keep their runtime up-to-date.\n- *Manual* - You specify a runtime version in your function configuration. The function will use this runtime version indefinitely. In the rare case where a new runtime version is incompatible with an existing function, this allows you to roll back your function to an earlier runtime version. For more information, see [Roll back a runtime version](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-rollback) .\n\n*Valid Values* : `Auto` | `FunctionUpdate` | `Manual`" @@ -17936,10 +20605,15 @@ "ApplyOn": "When set to `PublishedVersions` , Lambda creates a snapshot of the execution environment when you publish a function version.", "OptimizationStatus": "When you provide a [qualified Amazon Resource Name (ARN)](https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html#versioning-versions-using) , this response element indicates whether SnapStart is activated for the specified function version." }, + "AWS::Lambda::Function Tag": { + "Key": "", + "Value": "" + }, "AWS::Lambda::Function TracingConfig": { "Mode": "The tracing mode." }, "AWS::Lambda::Function VpcConfig": { + "Ipv6AllowedForDualStack": "Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.", "SecurityGroupIds": "A list of VPC security group IDs.", "SubnetIds": "A list of VPC subnet IDs." }, 
@@ -17991,11 +20665,16 @@ "CodeSha256": "Only publish a version if the hash value matches the value that's specified. Use this option to avoid publishing a version if the function code has changed since you last updated it. Updates are not supported for this property.", "Description": "A description for the version to override the description in the function configuration. Updates are not supported for this property.", "FunctionName": "The name of the Lambda function.\n\n**Name formats** - *Function name* - `MyFunction` .\n- *Function ARN* - `arn:aws:lambda:us-west-2:123456789012:function:MyFunction` .\n- *Partial ARN* - `123456789012:function:MyFunction` .\n\nThe length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.", - "ProvisionedConcurrencyConfig": "Specifies a provisioned concurrency configuration for a function's version. Updates are not supported for this property." + "ProvisionedConcurrencyConfig": "Specifies a provisioned concurrency configuration for a function's version. Updates are not supported for this property.", + "RuntimePolicy": "" }, "AWS::Lambda::Version ProvisionedConcurrencyConfiguration": { "ProvisionedConcurrentExecutions": "The amount of provisioned concurrency to allocate for the version." }, + "AWS::Lambda::Version RuntimePolicy": { + "RuntimeVersionArn": "", + "UpdateRuntimeOn": "" + }, "AWS::Lex::Bot": { "AutoBuildBotLocales": "Indicates whether Amazon Lex V2 should automatically build the locales for the bot after a change.", "BotFileS3Location": "The Amazon S3 location of files used to import a bot. The files must be in the import format specified in [JSON format for importing and exporting](https://docs.aws.amazon.com/lexv2/latest/dg/import-export-format.html) in the *Amazon Lex developer guide.*", 
@@ -18386,6 +21065,10 @@ "MessageGroupsList": "One or more message groups, each containing one or more messages, that define the prompts that Amazon Lex sends to the user.", "TimeoutInSeconds": "If Amazon Lex waits longer than this length of time for a response, it will stop sending messages." }, + "AWS::Lex::Bot Tag": { + "Key": "", + "Value": "" + }, "AWS::Lex::Bot TestBotAliasSettings": { "BotAliasLocaleSettings": "Specifies settings that are unique to a locale. For example, you can use a different Lambda function depending on the bot's locale.", "ConversationLogSettings": "Specifies settings for conversation logs that save audio, text, and metadata information for conversations with your users.", @@ -18460,6 +21143,10 @@ "AWS::Lex::BotAlias SentimentAnalysisSettings": { "DetectSentiment": "Sets whether Amazon Lex uses Amazon Comprehend to detect the sentiment of user utterances." }, + "AWS::Lex::BotAlias Tag": { + "Key": "", + "Value": "" + }, "AWS::Lex::BotAlias TextLogDestination": { "CloudWatch": "Defines the Amazon CloudWatch Logs log group where text and metadata logs are delivered." }, 
@@ -18562,16 +21249,25 @@ "AllowPublicOverrides": "A Boolean value indicating whether the access control list (ACL) permissions that are applied to individual objects override the `GetObject` option that is currently specified.\n\nWhen this is true, you can use the [PutObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html) Amazon S3 API operation to set individual objects to public (read-only) or private, using either the `public-read` ACL or the `private` ACL.", "GetObject": "Specifies the anonymous access to all objects in a bucket.\n\nThe following options can be specified:\n\n- `public` - Sets all objects in the bucket to public (read-only), making them readable by everyone on the internet.\n\nIf the `GetObject` value is set to `public` , then all objects in the bucket default to public regardless of the `allowPublicOverrides` value.\n- `private` - Sets all objects in the bucket to private, making them readable only by you and anyone that you grant access to.\n\nIf the `GetObject` value is set to `private` , and the `allowPublicOverrides` value is set to `true` , then all objects in the bucket default to private unless they are configured with a `public-read` ACL. Individual objects with a `public-read` ACL are readable by everyone on the internet." }, + "AWS::Lightsail::Bucket Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . 
_ : / @" + }, "AWS::Lightsail::Certificate": { "CertificateName": "The name of the certificate.", "DomainName": "The domain name of the certificate.", "SubjectAlternativeNames": "An array of strings that specify the alternate domains (such as `example.org` ) and subdomains (such as `blog.example.com` ) of the certificate.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .\n\n> The `Value` of `Tags` is optional for Lightsail resources." }, + "AWS::Lightsail::Certificate Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::Container": { "ContainerServiceDeployment": "An object that describes the current container deployment of the container service.", "IsDisabled": "A Boolean value indicating whether the container service is disabled.", "Power": "The power specification of the container service.\n\nThe power specifies the amount of RAM, the number of vCPUs, and the base price of the container service.", + "PrivateRegistryAccess": "An object that describes the configuration for the container service to access private container image repositories, such as Amazon Elastic Container Registry ( Amazon ECR ) private repositories.\n\nFor more information, see [Configuring access to an Amazon ECR private repository for an Amazon Lightsail container service](https://docs.aws.amazon.com/latest/userguide/amazon-lightsail-container-service-ecr-private-repo-access) in the *Amazon Lightsail Developer Guide* .", "PublicDomainNames": "The public domain name of the container service, such as 
`example.com` and `www.example.com` .\n\nYou can specify up to four public domain names for a container service. The domain names that you specify are used when you create a deployment with a container that is configured as the public endpoint of your container service.\n\nIf you don't specify public domain names, then you can use the default domain of the container service.\n\n> You must create and validate an SSL/TLS certificate before you can use public domain names with your container service. Use the [AWS::Lightsail::Certificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lightsail-certificate.html) resource to create a certificate for the public domain names that you want to use with your container service.", "Scale": "The scale specification of the container service.\n\nThe scale specifies the allocated compute nodes of the container service.", "ServiceName": "The name of the container service.", @@ -18588,6 +21284,10 @@ "Containers": "An object that describes the configuration for the containers of the deployment.", "PublicEndpoint": "An object that describes the endpoint of the deployment." }, + "AWS::Lightsail::Container EcrImagePullerRole": { + "IsActive": "A boolean value that indicates whether the `ECRImagePullerRole` is active.", + "PrincipalArn": "The principle Amazon Resource Name (ARN) of the role. This property is read-only." + }, "AWS::Lightsail::Container EnvironmentVariable": { "Value": "The environment variable value.", "Variable": "The environment variable key." 
@@ -18604,6 +21304,9 @@ "Port": "The open firewall ports of the container.", "Protocol": "The protocol name for the open ports.\n\n*Allowed values* : `HTTP` | `HTTPS` | `TCP` | `UDP`" }, + "AWS::Lightsail::Container PrivateRegistryAccess": { + "EcrImagePullerRole": "An object that describes the activation status of the role that you can use to grant a Lightsail container service access to Amazon ECR private repositories. If the role is activated, the Amazon Resource Name (ARN) of the role is also listed." + }, "AWS::Lightsail::Container PublicDomainName": { "CertificateName": "The name of the certificate for the public domains.", "DomainNames": "The public domain names to use with the container service." 
@@ -18613,9 +21316,13 @@ "ContainerPort": "The port of the specified container to which traffic is forwarded to.", "HealthCheckConfig": "An object that describes the health check configuration of the container." }, + "AWS::Lightsail::Container Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::Database": { "AvailabilityZone": "The Availability Zone for the database.", - "BackupRetention": "A Boolean value indicating whether automated backup retention is enabled for the database.", + "BackupRetention": "A Boolean value indicating whether automated backup retention is enabled for the database. Data Import Mode is enabled when `BackupRetention` is set to `false` , and is disabled when `BackupRetention` is set to `true` .", "CaCertificateIdentifier": "The certificate associated with the database.", "MasterDatabaseName": "The meaning of this parameter differs according to the database engine you use.\n\n*MySQL*\n\nThe name of the database to create when the Lightsail database resource is created. If this parameter isn't specified, no database is created in the database resource.\n\nConstraints:\n\n- Must contain 1-64 letters or numbers.\n- Must begin with a letter. 
Subsequent characters can be letters, underscores, or numbers (0-9).\n- Can't be a word reserved by the specified database engine.\n\nFor more information about reserved words in MySQL, see the Keywords and Reserved Words articles for [MySQL 5.6](https://docs.aws.amazon.com/https://dev.mysql.com/doc/refman/5.6/en/keywords.html) , [MySQL 5.7](https://docs.aws.amazon.com/https://dev.mysql.com/doc/refman/5.7/en/keywords.html) , and [MySQL 8.0](https://docs.aws.amazon.com/https://dev.mysql.com/doc/refman/8.0/en/keywords.html) .\n\n*PostgreSQL*\n\nThe name of the database to create when the Lightsail database resource is created. If this parameter isn't specified, a database named `postgres` is created in the database resource.\n\nConstraints:\n\n- Must contain 1-63 letters or numbers.\n- Must begin with a letter. Subsequent characters can be letters, underscores, or numbers (0-9).\n- Can't be a word reserved by the specified database engine.\n\nFor more information about reserved words in PostgreSQL, see the SQL Key Words articles for [PostgreSQL 9.6](https://docs.aws.amazon.com/https://www.postgresql.org/docs/9.6/sql-keywords-appendix.html) , [PostgreSQL 10](https://docs.aws.amazon.com/https://www.postgresql.org/docs/10/sql-keywords-appendix.html) , [PostgreSQL 11](https://docs.aws.amazon.com/https://www.postgresql.org/docs/11/sql-keywords-appendix.html) , and [PostgreSQL 12](https://docs.aws.amazon.com/https://www.postgresql.org/docs/12/sql-keywords-appendix.html) .", "MasterUserPassword": "The password for the primary user of the database. The password can include any printable ASCII character except the following: /, \", or @. It cannot contain spaces.\n\n> The `MasterUserPassword` and `RotateMasterUserPassword` parameters cannot be used together in the same template. \n\n*MySQL*\n\nConstraints: Must contain 8-41 characters.\n\n*PostgreSQL*\n\nConstraints: Must contain 8-128 characters.", 
@@ -18640,11 +21347,15 @@ "ParameterName": "The name of the parameter.", "ParameterValue": "The value for the parameter." }, + "AWS::Lightsail::Database Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::Disk": { "AddOns": "An array of add-ons for the disk.\n\n> If the disk has an add-on enabled when performing a delete disk request, the add-on is automatically disabled before the disk is deleted.", "AvailabilityZone": "The AWS Region and Availability Zone location for the disk (for example, `us-east-1a` ).", "DiskName": "The name of the disk.", - "Location": "", + "Location": "The AWS Region and Availability Zone where the disk is located.", "SizeInGb": "The size of the disk in GB.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .\n\n> The `Value` of `Tags` is optional for Lightsail resources." }, 
@@ -18657,8 +21368,12 @@ "SnapshotTimeOfDay": "The daily time when an automatic snapshot will be created.\n\nConstraints:\n\n- Must be in `HH:00` format, and in an hourly increment.\n- Specified in Coordinated Universal Time (UTC).\n- The snapshot will be automatically created between the time specified and up to 45 minutes after." }, "AWS::Lightsail::Disk Location": { - "AvailabilityZone": "", - "RegionName": "" + "AvailabilityZone": "The Availability Zone where the disk is located.", + "RegionName": "The AWS Region where the disk is located." + }, + "AWS::Lightsail::Disk Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" }, "AWS::Lightsail::Distribution": { "BundleId": "The ID of the bundle applied to the distribution.", 
@@ -18706,6 +21421,10 @@ "Option": "Indicates whether the distribution forwards and caches based on query strings.", "QueryStringsAllowList": "The specific query strings that the distribution forwards to the origin.\n\nYour distribution caches content based on the specified query strings.\n\nIf the `option` parameter is true, then your distribution forwards all query strings, regardless of what you specify using the `QueryStringsAllowList` parameter." }, + "AWS::Lightsail::Distribution Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::Instance": { "AddOns": "An array of add-ons for the instance.\n\n> If the instance has an add-on enabled when performing a delete instance request, the add-on is automatically disabled before the instance is deleted.", "AvailabilityZone": "The Availability Zone for the instance.", @@ -18769,6 +21488,10 @@ "Code": "The status code of the instance.", "Name": "The state of the instance (for example, `running` or `pending` )." }, + "AWS::Lightsail::Instance Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::LoadBalancer": { "AttachedInstances": "The Lightsail instances to attach to the load balancer.", "HealthCheckPath": "The path on the attached instance where the health check will be performed. If no path is specified, the load balancer tries to make a request to the default (root) page ( `/index.html` ).", 
@@ -18780,6 +21503,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .\n\n> The `Value` of `Tags` is optional for Lightsail resources.", "TlsPolicyName": "The name of the TLS security policy for the load balancer." }, + "AWS::Lightsail::LoadBalancer Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::LoadBalancerTlsCertificate": { "CertificateAlternativeNames": "An array of alternative domain names and subdomain names for your SSL/TLS certificate.\n\nIn addition to the primary domain name, you can have up to nine alternative domain names. Wildcards (such as `*.example.com` ) are not supported.", "CertificateDomainName": "The domain name for the SSL/TLS certificate. For example, `example.com` or `www.example.com` .", 
@@ -18832,19 +21559,68 @@ "ConsumerArn": "The Amazon Resource Name (ARN) for the geofence collection to be associated to tracker resource. Used when you need to specify a resource across all AWS .\n\n- Format example: `arn:aws:geo:region:account-id:geofence-collection/ExampleGeofenceCollectionConsumer`", "TrackerName": "The name for the tracker resource.\n\nRequirements:\n\n- Contain only alphanumeric characters (A-Z, a-z, 0-9) , hyphens (-), periods (.), and underscores (_).\n- Must be a unique tracker resource name.\n- No spaces allowed. For example, `ExampleTracker` ." }, + "AWS::Logs::AccountPolicy": { + "PolicyDocument": "Specify the data protection policy, in JSON.\n\nThis policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. 
The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly.", + "PolicyName": "A name for the policy. This must be unique within the account.", + "PolicyType": "Currently the only valid value for this parameter is `DATA_PROTECTION_POLICY` .", + "Scope": "Currently the only valid value for this parameter is `ALL` , which specifies that the data protection policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used." + }, + "AWS::Logs::Delivery": { + "DeliveryDestinationArn": "The ARN of the delivery destination that is associated with this delivery.", + "DeliverySourceName": "The name of the delivery source that is associated with this delivery.", + "Tags": "The tags that have been assigned to this delivery." + }, + "AWS::Logs::Delivery Tag": { + "Key": "", + "Value": "" + }, + "AWS::Logs::DeliveryDestination": { + "DeliveryDestinationPolicy": "A structure that contains information about one delivery destination policy.", + "DestinationResourceArn": "The ARN of the AWS destination that this delivery destination represents. That AWS destination can be a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Kinesis Data Firehose.", + "Name": "The name of this delivery destination.", + "Tags": "The tags that have been assigned to this delivery destination." + }, + "AWS::Logs::DeliveryDestination Tag": { + "Key": "", + "Value": "" + }, + "AWS::Logs::DeliverySource": { + "LogType": "The type of log that the source is sending. For valid values for this parameter, see the documentation for the source service.", + "Name": "The unique name of the delivery source.", + "ResourceArn": "", + "Tags": "The tags that have been assigned to this delivery source." 
+ }, + "AWS::Logs::DeliverySource Tag": { + "Key": "", + "Value": "" + }, "AWS::Logs::Destination": { "DestinationName": "The name of the destination.", "DestinationPolicy": "An IAM policy document that governs which AWS accounts can create subscription filters against this destination.", "RoleArn": "The ARN of an IAM role that permits CloudWatch Logs to send data to the specified AWS resource.", "TargetArn": "The Amazon Resource Name (ARN) of the physical target where the log events are delivered (for example, a Kinesis stream)." }, + "AWS::Logs::LogAnomalyDetector": { + "AccountId": "The ID of the account to create the anomaly detector in.", + "AnomalyVisibilityTime": "The number of days to have visibility on an anomaly. After this time period has elapsed for an anomaly, it will be automatically baselined and the anomaly detector will treat new occurrences of a similar anomaly as normal. Therefore, if you do not correct the cause of an anomaly during the time period specified in `AnomalyVisibilityTime` , it will be considered normal going forward and will not be detected as an anomaly.", + "DetectorName": "A name for this anomaly detector.", + "EvaluationFrequency": "Specifies how often the anomaly detector is to run and look for anomalies. Set this value according to the frequency that the log group receives new logs. For example, if the log group receives new log events every 10 minutes, then 15 minutes might be a good setting for `EvaluationFrequency` .", + "FilterPattern": "You can use this parameter to limit the anomaly detection model to examine only log events that match the pattern you specify here. For more information, see [Filter and Pattern Syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) .", + "KmsKeyId": "Optionally assigns a AWS KMS key to secure this anomaly detector and its findings. If a key is assigned, the anomalies found and the model used by this detector are encrypted at rest with the key. 
If a key is assigned to an anomaly detector, a user must have permissions for both this key and for the anomaly detector to retrieve information about the anomalies that it finds.\n\nFor more information about using a AWS KMS key and to see the required IAM policy, see [Use a AWS KMS key with an anomaly detector](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.html) .", + "LogGroupArnList": "The ARN of the log group that is associated with this anomaly detector. You can specify only one log group ARN." + }, "AWS::Logs::LogGroup": { "DataProtectionPolicy": "Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.\n\nFor more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .", "KmsKeyId": "The Amazon Resource Name (ARN) of the AWS KMS key to use when encrypting log data.\n\nTo associate an AWS KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs . This enables CloudWatch Logs to decrypt this data whenever it is requested.\n\nIf you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an `InvalidParameterException` error.\n\nLog group data is always encrypted in CloudWatch Logs . If you omit this key, the encryption does not use AWS KMS . 
For more information, see [Encrypt log data in CloudWatch Logs using AWS Key Management Service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)", + "LogGroupClass": "Specifies the log group class for this log group. There are two classes:\n\n- The `Standard` log class supports all CloudWatch Logs features.\n- The `Infrequent Access` log class supports a subset of CloudWatch Logs features and incurs lower costs.\n\nFor details about the features supported by each class, see [Log classes](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch_Logs_Log_Classes.html)", "LogGroupName": "The name of the log group. If you don't specify a name, AWS CloudFormation generates a unique ID for the log group.", "RetentionInDays": "The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.\n\nTo set a log group so that its log events do not expire, use [DeleteRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html) .", "Tags": "An array of key-value pairs to apply to the log group.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Logs::LogGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::Logs::LogStream": { "LogGroupName": "The name of the log group where the log stream is created.", "LogStreamName": "The name of the log stream. The name must be unique within the log group." 
@@ -18890,7 +21666,7 @@ "DataOutputConfiguration": "Specifies configuration information for the output results for the inference scheduler, including the Amazon S3 location for the output.", "DataUploadFrequency": "How often data is uploaded to the source S3 bucket for the input data. This value is the length of time between data uploads. For instance, if you select 5 minutes, Amazon Lookout for Equipment will upload the real-time data to the source bucket once every 5 minutes. This frequency also determines how often Amazon Lookout for Equipment starts a scheduled inference on your data. In this example, it starts once every 5 minutes.", "InferenceSchedulerName": "The name of the inference scheduler.", - "ModelName": "The name of the ML model used for the inference scheduler.", + "ModelName": "The name of the machine learning model used for the inference scheduler.", "RoleArn": "The Amazon Resource Name (ARN) of a role with permission to access the data source being used for the inference.", "ServerSideKmsKeyId": "Provides the identifier of the AWS KMS key used to encrypt inference scheduler data by Amazon Lookout for Equipment .", "Tags": "Any tags associated with the inference scheduler.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." @@ -18916,6 +21692,10 @@ "Bucket": "", "Prefix": "" }, + "AWS::LookoutEquipment::InferenceScheduler Tag": { + "Key": "The key for the specified tag.", + "Value": "The value for the specified tag." + }, "AWS::LookoutMetrics::Alert": { "Action": "Action that will be triggered when there is an alert.", "AlertDescription": "A description of the alert.", 
@@ -19034,7 +21814,7 @@ "EngineType": "The type of the target platform for this application.", "KmsKeyId": "The identifier of a customer managed key.", "Name": "The name of the application.", - "RoleArn": "", + "RoleArn": "The Amazon Resource Name (ARN) of the role associated with the application.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::M2::Application Definition": { @@ -19077,7 +21857,7 @@ }, "AWS::MSK::Cluster": { "BrokerNodeGroupInfo": "Information about the broker nodes in the cluster.", - "ClientAuthentication": "Includes all client authentication related information.", + "ClientAuthentication": "VPC connection control settings for brokers.", "ClusterName": "The name of the cluster.", "ConfigurationInfo": "Represents the configuration that you want MSK to use for the cluster.", "CurrentVersion": "The version of the cluster that you want to update.", 
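Review bot: The new description for `ClientAuthentication` under `AWS::MSK::Cluster` reads "VPC connection control settings for brokers.", which does not describe an authentication property. It also disagrees with the `AWS::MSK::ServerlessCluster` entry later in this diff, which says "Includes all client authentication information." Anyone relying on this text to understand how clients authenticate to the brokers would be misled. If this file is generated from upstream documentation, the correction probably belongs in that source or the generator; otherwise keep the previous wording, `"ClientAuthentication": "Includes all client authentication related information.",`. The `AWS::MSK::Cluster` object continues outside the hunk.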
@@ -19099,7 +21879,7 @@ "BrokerAZDistribution": "This parameter is currently not in use.", "ClientSubnets": "The list of subnets to connect to in the client virtual private cloud (VPC). Amazon creates elastic network interfaces inside these subnets. Client applications use elastic network interfaces to produce and consume data.\n\nIf you use the US West (N. California) Region, specify exactly two subnets. For other Regions where Amazon MSK is available, you can specify either two or three subnets. The subnets that you specify must be in distinct Availability Zones. When you create a cluster, Amazon MSK distributes the broker nodes evenly across the subnets that you specify.\n\nClient subnets can't occupy the Availability Zone with ID `use1-az3` .", "ConnectivityInfo": "Information about the cluster's connectivity setting.", - "InstanceType": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, and kafka.m5.24xlarge, and kafka.t3.small.", + "InstanceType": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge, and kafka.t3.small.", "SecurityGroups": "The security groups to associate with the elastic network interfaces in order to specify who can connect to and communicate with the Amazon MSK cluster. If you don't specify a security group, Amazon MSK uses the default security group associated with the VPC. If you specify security groups that were shared with you, you must ensure that you have permissions to them. Specifically, you need the `ec2:DescribeSecurityGroups` permission.", "StorageInfo": "Contains information about storage volumes attached to Amazon MSK broker nodes." }, 
@@ -19125,7 +21905,7 @@ "VolumeSize": "The size in GiB of the EBS volume for the data drive on each broker node." }, "AWS::MSK::Cluster EncryptionAtRest": { - "DataVolumeKMSKeyId": "The ARN of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it." + "DataVolumeKMSKeyId": "The Amazon Resource Name (ARN) of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it." }, "AWS::MSK::Cluster EncryptionInTransit": { "ClientBroker": "Indicates the encryption setting for data in transit between clients and brokers. You must set it to one of the following values.\n\n`TLS` means that client-broker communication is enabled with TLS only.\n\n`TLS_PLAINTEXT` means that client-broker communication is enabled for both TLS-encrypted, as well as plaintext data.\n\n`PLAINTEXT` means that client-broker communication is enabled in plaintext only.\n\nThe default value is `TLS` .", @@ -19137,7 +21917,7 @@ }, "AWS::MSK::Cluster Firehose": { "DeliveryStream": "The Kinesis Data Firehose delivery stream that is the destination for broker logs.", - "Enabled": "Specifies whether broker logs get send to the specified Kinesis Data Firehose delivery stream." + "Enabled": "Specifies whether broker logs get sent to the specified Kinesis Data Firehose delivery stream." }, "AWS::MSK::Cluster Iam": { "Enabled": "SASL/IAM authentication is enabled or not." @@ -19181,7 +21961,7 @@ "EBSStorageInfo": "EBS volume information." }, "AWS::MSK::Cluster Tls": { - "CertificateAuthorityArnList": "List of AWS Private CA ARNs.", + "CertificateAuthorityArnList": "List of AWS Private CA Amazon Resource Name (ARN)s.", "Enabled": "TLS authentication is enabled or not." }, "AWS::MSK::Cluster Unauthenticated": { 
@@ -19214,11 +21994,61 @@ "AWS::MSK::Configuration": { "Description": "The description of the configuration.", "KafkaVersionsList": "", + "LatestRevision": "Latest revision of the configuration.", "Name": "The name of the configuration. Configuration names are strings that match the regex \"^[0-9A-Za-z][0-9A-Za-z-]{0,}$\".", "ServerProperties": "Contents of the server.properties file. When using the API, you must ensure that the contents of the file are base64 encoded. When using the console, the SDK, or the CLI, the contents of server.properties can be in plaintext." }, + "AWS::MSK::Configuration LatestRevision": { + "CreationTime": "", + "Description": "", + "Revision": "" + }, + "AWS::MSK::Replicator": { + "CurrentVersion": "", + "Description": "", + "KafkaClusters": "", + "ReplicationInfoList": "", + "ReplicatorName": "", + "ServiceExecutionRoleArn": "", + "Tags": "" + }, + "AWS::MSK::Replicator AmazonMskCluster": { + "MskClusterArn": "" + }, + "AWS::MSK::Replicator ConsumerGroupReplication": { + "ConsumerGroupsToExclude": "", + "ConsumerGroupsToReplicate": "", + "DetectAndCopyNewConsumerGroups": "", + "SynchroniseConsumerGroupOffsets": "" + }, + "AWS::MSK::Replicator KafkaCluster": { + "AmazonMskCluster": "", + "VpcConfig": "" + }, + "AWS::MSK::Replicator KafkaClusterClientVpcConfig": { + "SecurityGroupIds": "", + "SubnetIds": "" + }, + "AWS::MSK::Replicator ReplicationInfo": { + "ConsumerGroupReplication": "", + "SourceKafkaClusterArn": "", + "TargetCompressionType": "", + "TargetKafkaClusterArn": "", + "TopicReplication": "" + }, + "AWS::MSK::Replicator Tag": { + "Key": "", + "Value": "" + }, + "AWS::MSK::Replicator TopicReplication": { + "CopyAccessControlListsForTopics": "", + "CopyTopicConfigurations": "", + "DetectAndCopyNewTopics": "", + "TopicsToExclude": "", + "TopicsToReplicate": "" + }, "AWS::MSK::ServerlessCluster": { - "ClientAuthentication": "", + "ClientAuthentication": "Includes all client authentication information.", "ClusterName": "", 
"Tags": "", "VpcConfigs": "" 
@@ -19246,8 +22076,9 @@ }, "AWS::MWAA::Environment": { "AirflowConfigurationOptions": "A list of key-value pairs containing the Airflow configuration options for your environment. For example, `core.default_timezone: utc` . To learn more, see [Apache Airflow configuration options](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-env-variables.html) .", - "AirflowVersion": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\n*Allowed Values* : `2.0.2` | `1.10.12` | `2.2.2` | `2.4.3` | `2.5.1` (latest)", + "AirflowVersion": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `1.10.12` | `2.0.2` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` | `2.7.2` (latest)", "DagS3Path": "The relative path to the DAGs folder on your Amazon S3 bucket. For example, `dags` . To learn more, see [Adding or updating DAGs](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-dag-folder.html) .", + "EndpointManagement": "Defines whether the VPC endpoints configured for the environment are created, and managed, by the customer or by Amazon MWAA. If set to `SERVICE` , Amazon MWAA will create and manage the required VPC endpoints in your VPC. If set to `CUSTOMER` , you must create, and manage, the VPC endpoints in your VPC.", "EnvironmentClass": "The environment class type. Valid values: `mw1.small` , `mw1.medium` , `mw1.large` . To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role in IAM that allows MWAA to access AWS resources in your environment. For example, `arn:aws:iam::123456789:role/my-execution-role` . 
To learn more, see [Amazon MWAA Execution role](https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html) .", "KmsKey": "The AWS Key Management Service (KMS) key to encrypt and decrypt the data in your environment. You can use an AWS KMS key managed by MWAA, or a customer-managed KMS key (advanced).", 
@@ -19264,7 +22095,7 @@ "SourceBucketArn": "The Amazon Resource Name (ARN) of the Amazon S3 bucket where your DAG code and supporting files are stored. For example, `arn:aws:s3:::my-airflow-bucket-unique-name` . To learn more, see [Create an Amazon S3 bucket for Amazon MWAA](https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-s3-bucket.html) .", "StartupScriptS3ObjectVersion": "The version of the startup shell script in your Amazon S3 bucket. You must specify the [version ID](https://docs.aws.amazon.com/AmazonS3/latest/userguide/versioning-workflows.html) that Amazon S3 assigns to the file every time you update the script.\n\nVersion IDs are Unicode, UTF-8 encoded, URL-ready, opaque strings that are no more than 1,024 bytes long. The following is an example:\n\n`3sL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo`\n\nFor more information, see [Using a startup script](https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html) .", "StartupScriptS3Path": "The relative path to the startup shell script in your Amazon S3 bucket. For example, `s3://mwaa-environment/startup.sh` .\n\nAmazon MWAA runs the script as your environment starts, and before running the Apache Airflow process. You can use this script to install dependencies, modify Apache Airflow configuration options, and set environment variables. For more information, see [Using a startup script](https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html) .", - "Tags": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .", + "Tags": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . 
To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .\n\nIf you specify new tags for an existing environment, the update requires service interruption before taking effect.", "WebserverAccessMode": "The Apache Airflow *Web server* access mode. To learn more, see [Apache Airflow access modes](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-networking.html) . Valid values: `PRIVATE_ONLY` or `PUBLIC_ONLY` .", "WeeklyMaintenanceWindowStart": "The day and time of the week to start weekly maintenance updates of your environment in the following format: `DAY:HH:MM` . For example: `TUE:03:30` . You can specify a start time in 30 minute increments only. Supported input includes the following:\n\n- MON|TUE|WED|THU|FRI|SAT|SUN:([01]\\\\d|2[0-3]):(00|30)" }, @@ -19288,7 +22119,7 @@ "Criteria": "The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an Amazon S3 object that lists specific text to ignore ( `S3WordsList` ), or a regular expression ( `Regex` ) that defines a text pattern to ignore.", "Description": "A custom description of the allow list. The description can contain 1-512 characters.", "Name": "A custom name for the allow list. The name can contain 1-128 characters.", - "Tags": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::Macie::AllowList Criteria": { "Regex": "The regular expression ( *regex* ) that defines the text pattern to ignore. The expression can contain 1-512 characters.", 
@@ -19298,20 +22129,30 @@ "BucketName": "The full name of the S3 bucket that contains the object. This value correlates to the `Name` field of a bucket's properties in Amazon S3 .\n\nThis value is case sensitive. In addition, don't use wildcard characters or specify partial values for the name.", "ObjectKey": "The full name of the S3 object. This value correlates to the `Key` field of an object's properties in Amazon S3 . If the name includes a path, include the complete path. For example, `AllowLists/Macie/MyList.txt` .\n\nThis value is case sensitive. In addition, don't use wildcard characters or specify partial values for the name." }, + "AWS::Macie::AllowList Tag": { + "Key": "", + "Value": "" + }, "AWS::Macie::CustomDataIdentifier": { "Description": "A custom description of the custom data identifier. The description can contain 1-512 characters.\n\nAvoid including sensitive data in the description. Users of the account might be able to see the description, depending on the actions that they're allowed to perform in Amazon Macie .", "IgnoreWords": "An array of character sequences ( *ignore words* ) to exclude from the results. If text matches the regular expression ( `Regex` ) but it contains a string in this array, Amazon Macie ignores the text and doesn't include it in the results.\n\nThe array can contain 1-10 ignore words. Each ignore word can contain 4-90 UTF-8 characters. Ignore words are case sensitive.", "Keywords": "An array of character sequences ( *keywords* ), one of which must precede and be in proximity ( `MaximumMatchDistance` ) of the regular expression ( `Regex` ) to match.\n\nThe array can contain 1-50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.", "MaximumMatchDistance": "The maximum number of characters that can exist between the end of at least one complete character sequence specified by the `Keywords` array and the end of text that matches the regular expression ( `Regex` ). 
If a complete keyword precedes all the text that matches the regular expression and the keyword is within the specified distance, Amazon Macie includes the result.\n\nThe distance can be 1-300 characters. The default value is 50.", "Name": "A custom name for the custom data identifier. The name can contain 1-128 characters.\n\nAvoid including sensitive data in the name of a custom data identifier. Users of the account might be able to see the name, depending on the actions that they're allowed to perform in Amazon Macie .", - "Regex": "The regular expression ( *regex* ) that defines the text pattern to match. The expression can contain 1-512 characters." + "Regex": "The regular expression ( *regex* ) that defines the text pattern to match. The expression can contain 1-512 characters.", + "Tags": "An array of key-value pairs to apply to the custom data identifier.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + }, + "AWS::Macie::CustomDataIdentifier Tag": { + "Key": "", + "Value": "" }, "AWS::Macie::FindingsFilter": { "Action": "The action to perform on findings that match the filter criteria ( `FindingCriteria` ). Valid values are:\n\n- `ARCHIVE` - Suppress (automatically archive) the findings.\n- `NOOP` - Don't perform any action on the findings.", "Description": "A custom description of the findings filter. The description can contain 1-512 characters.\n\nAvoid including sensitive data in the description. Users of the account might be able to see the description, depending on the actions that they're allowed to perform in Amazon Macie .", "FindingCriteria": "The criteria to use to filter findings.", "Name": "A custom name for the findings filter. The name can contain 3-64 characters.\n\nAvoid including sensitive data in the name. 
Users of the account might be able to see the name, depending on the actions that they're allowed to perform in Amazon Macie .", - "Position": "The position of the findings filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings." + "Position": "The position of the findings filter in the list of saved filter rules on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", + "Tags": "An array of key-value pairs to apply to the findings filter.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::Macie::FindingsFilter CriterionAdditionalProperties": { "eq": "The value for the specified property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.", 
@@ -19324,14 +22165,23 @@ "AWS::Macie::FindingsFilter FindingCriteria": { "Criterion": "Specifies a condition that defines the property, operator, and one or more values to use to filter the results." }, + "AWS::Macie::FindingsFilter Tag": { + "Key": "", + "Value": "" + }, "AWS::Macie::Session": { "FindingPublishingFrequency": "Specifies how often Amazon Macie publishes updates to policy findings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly Amazon CloudWatch Events ). Valid values are:\n\n- FIFTEEN_MINUTES\n- ONE_HOUR\n- SIX_HOURS", "Status": "The status of Amazon Macie for the account. Valid values are: `ENABLED` , start or resume all Macie activities for the account; and, `PAUSED` , suspend all Macie activities for the account." }, "AWS::ManagedBlockchain::Accessor": { "AccessorType": "The type of the accessor.\n\n> Currently, accessor type is restricted to `BILLING_TOKEN` .", + "NetworkType": "The blockchain network that the `Accessor` token is created for.\n\n> We recommend using the appropriate `networkType` value for the blockchain network that you are creating the `Accessor` token for. You cannnot use the value `ETHEREUM_MAINNET_AND_GOERLI` to specify a `networkType` for your Accessor token.\n> \n> The default value of `ETHEREUM_MAINNET_AND_GOERLI` is only applied:\n> \n> - when the `CreateAccessor` action does not set a `networkType` .\n> - to all existing `Accessor` tokens that were created before the `networkType` property was introduced.", "Tags": "The tags assigned to the Accessor.\n\nFor more information about tags, see [Tagging Resources](https://docs.aws.amazon.com/managed-blockchain/latest/ethereum-dev/tagging-resources.html) in the *Amazon Managed Blockchain Ethereum Developer Guide* , or [Tagging Resources](https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/tagging-resources.html) in the *Amazon Managed Blockchain Hyperledger Fabric Developer Guide* ." 
}, + "AWS::ManagedBlockchain::Accessor Tag": { + "Key": "", + "Value": "" + }, "AWS::ManagedBlockchain::Member": { "InvitationId": "The unique identifier of the invitation to join the network sent to the account that creates the member.", "MemberConfiguration": "Configuration properties of the member.", @@ -19340,7 +22190,7 @@ }, "AWS::ManagedBlockchain::Member ApprovalThresholdPolicy": { "ProposalDurationInHours": "The duration from the time that a proposal is created until it expires. If members cast neither the required number of `YES` votes to approve the proposal nor the number of `NO` votes required to reject it before the duration expires, the proposal is `EXPIRED` and `ProposalActions` aren't carried out.", - "ThresholdComparator": "Determines whether the vote percentage must be greater than the `ThresholdPercentage` or must be greater than or equal to the `ThreholdPercentage` to be approved.", + "ThresholdComparator": "Determines whether the vote percentage must be greater than the `ThresholdPercentage` or must be greater than or equal to the `ThresholdPercentage` to be approved.", "ThresholdPercentage": "The percentage of votes among all members that must be `YES` for a proposal to be approved. For example, a `ThresholdPercentage` value of `50` indicates 50%. The `ThresholdComparator` determines the precise comparison. If a `ThresholdPercentage` value of `50` is specified on a network with 10 members, along with a `ThresholdComparator` value of `GREATER_THAN` , this indicates that 6 `YES` votes are required for the proposal to be approved." }, "AWS::ManagedBlockchain::Member MemberConfiguration": { 
@@ -19374,7 +22224,7 @@ }, "AWS::ManagedBlockchain::Node": { "MemberId": "The unique identifier of the member to which the node belongs. Applies only to Hyperledger Fabric.", - "NetworkId": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`\n- `n-ethereum-rinkeby`", + "NetworkId": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`", "NodeConfiguration": "Configuration properties of a peer node." }, "AWS::ManagedBlockchain::Node NodeConfiguration": { @@ -19384,7 +22234,7 @@ "AWS::MediaConnect::Bridge": { "EgressGatewayBridge": "Create a bridge with the egress bridge type. An egress bridge is a cloud-to-ground bridge. The content comes from an existing MediaConnect flow and is delivered to your premises.", "IngressGatewayBridge": "Create a bridge with the ingress bridge type. An ingress bridge is a ground-to-cloud bridge. The content originates at your premises and is delivered to the cloud.", - "Name": "The network output name. This name is used to reference the output and must be unique among outputs in this bridge.", + "Name": "The name of the bridge. This name can not be modified after the bridge is created.", "Outputs": "The outputs that you want to add to this bridge.", "PlacementArn": "The bridge placement Amazon Resource Number (ARN).", "SourceFailoverConfig": "The settings for source failover.", 
@@ -19450,7 +22300,7 @@ "AWS::MediaConnect::BridgeSource": { "BridgeArn": "The ARN of the bridge that you want to describe.", "FlowSource": "Add a flow source to an existing bridge.", - "Name": "The name of the network source. This name is used to reference the source and must be unique among sources in this bridge.", + "Name": "The name of the flow source. This name is used to reference the source and must be unique among sources in this bridge.", "NetworkSource": "Add a network source to an existing bridge." }, "AWS::MediaConnect::BridgeSource BridgeFlowSource": { @@ -19490,14 +22340,14 @@ "State": "The state of source failover on the flow. If the state is inactive, the flow can have only one source. If the state is active, the flow can have one or two sources." }, "AWS::MediaConnect::Flow GatewayBridgeSource": { - "BridgeArn": "", - "VpcInterfaceAttachment": "" + "BridgeArn": "The ARN of the bridge feeding this flow.", + "VpcInterfaceAttachment": "The name of the VPC interface attachment to use for this bridge source." }, "AWS::MediaConnect::Flow Source": { "Decryption": "The type of encryption that is used on the content ingested from the source.", "Description": "A description of the source. This description is not visible outside of the current AWS account.", "EntitlementArn": "The ARN of the entitlement that allows you to subscribe to content that comes from another AWS account. The entitlement is set by the content originator and the ARN is generated as part of the originator\u2019s flow.", - "GatewayBridgeSource": "", + "GatewayBridgeSource": "The source configuration for cloud flows receiving a stream from a bridge.", "IngestIp": "The IP address that the flow listens on for incoming content.", "IngestPort": "The port that the flow listens on for incoming content. If the protocol of the source is Zixi, the port must be set to 2088.", "MaxBitrate": "The maximum bitrate for RIST, RTP, and RTP-FEC streams.", 
@@ -19519,7 +22369,7 @@ "PrimarySource": "The name of the source you choose as the primary source for this flow." }, "AWS::MediaConnect::Flow VpcInterfaceAttachment": { - "VpcInterfaceName": "" + "VpcInterfaceName": "The name of the VPC interface that you want to send your output to." }, "AWS::MediaConnect::FlowEntitlement": { "DataTransferSubscriberFeePercent": "The percentage of the entitlement data transfer fee that you want the subscriber to be responsible for.", @@ -19549,7 +22399,7 @@ "FlowArn": "The Amazon Resource Name (ARN) of the flow this output is attached to.", "MaxLatency": "The maximum latency in milliseconds. This parameter applies only to RIST-based, Zixi-based, and Fujitsu-based streams.", "MinLatency": "The minimum latency in milliseconds for SRT-based streams. In streams that use the SRT protocol, this value that you set on your MediaConnect source or output represents the minimal potential latency of that connection. The latency of the stream is set to the highest number between the sender\u2019s minimum latency and the receiver\u2019s minimum latency.", - "Name": "The name of the VPC interface.", + "Name": "The name of the output. This value must be unique within the current flow.", "Port": "The port to use when MediaConnect distributes content to the output.", "Protocol": "The protocol to use for the output.", "RemoteId": "The identifier that is assigned to the Zixi receiver. This parameter applies only to outputs that use Zixi pull.", 
@@ -19571,7 +22421,7 @@ "Description": "A description of the source. This description is not visible outside of the current AWS account.", "EntitlementArn": "The ARN of the entitlement that allows you to subscribe to the flow. The entitlement is set by the content originator, and the ARN is generated as part of the originator's flow.", "FlowArn": "The Amazon Resource Name (ARN) of the flow this source is connected to. The flow must have Failover enabled to add an additional source.", - "GatewayBridgeSource": "", + "GatewayBridgeSource": "The source configuration for cloud flows receiving a stream from a bridge.", "IngestPort": "The port that the flow listens on for incoming content. If the protocol of the source is Zixi, the port must be set to 2088.", "MaxBitrate": "The maximum bitrate for RIST, RTP, and RTP-FEC streams.", "MaxLatency": "The maximum latency in milliseconds. This parameter applies only to RIST-based, Zixi-based, and Fujitsu-based streams.", @@ -19598,11 +22448,11 @@ "Url": "The URL from the API Gateway proxy that you set up to talk to your key server. This parameter is required for SPEKE encryption and is not valid for static key encryption." }, "AWS::MediaConnect::FlowSource GatewayBridgeSource": { - "BridgeArn": "", - "VpcInterfaceAttachment": "" + "BridgeArn": "The ARN of the bridge feeding this flow.", + "VpcInterfaceAttachment": "The name of the VPC interface attachment to use for this bridge source." }, "AWS::MediaConnect::FlowSource VpcInterfaceAttachment": { - "VpcInterfaceName": "" + "VpcInterfaceName": "The name of the VPC interface that you want to send your output to." }, "AWS::MediaConnect::FlowVpcInterface": { "FlowArn": "The Amazon Resource Name (ARN) of the flow.", 
@@ -19613,7 +22463,7 @@ }, "AWS::MediaConnect::Gateway": { "EgressCidrBlocks": "The range of IP addresses that are allowed to contribute content or initiate output requests for flows communicating with this gateway. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", - "Name": "The name of the gateway. This name can not be modified after the gateway is created.", + "Name": "The name of the network. This name is used to reference the network and must be unique among networks in this gateway.", "Networks": "The list of networks that you want to add." }, "AWS::MediaConnect::Gateway GatewayNetwork": { 
@@ -19625,7 +22475,7 @@ "Category": "Optional. A category for the job template you are creating", "Description": "Optional. A description of the job template you are creating.", "HopDestinations": "Optional. Configuration for a destination queue to which the job can hop once a customer-defined minimum wait time has passed. For more information, see [Setting Up Queue Hopping to Avoid Long Waits](https://docs.aws.amazon.com/mediaconvert/latest/ug/setting-up-queue-hopping-to-avoid-long-waits.html) in the *AWS Elemental MediaConvert User Guide* .", - "Name": "The name of the job template you are creating.", + "Name": "Name of the output group", "Priority": "Specify the relative priority for this job. In any given queue, the service begins processing the job with the highest value first. When more than one job has the same priority, the service begins processing the job that you submitted first. If you don't specify a priority, the service uses the default value 0. Minimum: -50 Maximum: 50", "Queue": "Optional. The queue that jobs created from this template are assigned to. Specify the Amazon Resource Name (ARN) of the queue. For example, arn:aws:mediaconvert:us-west-2:505474453218:queues/Default. If you don't specify this, jobs will go to the default queue.", "SettingsJson": "Specify, in JSON format, the transcoding job settings for this job template. This specification must conform to the AWS Elemental MediaConvert job validation. For information about forming this specification, see the Remarks section later in this topic.\n\nFor more information about MediaConvert job templates, see [Working with AWS Elemental MediaConvert Job Templates](https://docs.aws.amazon.com/mediaconvert/latest/ug/working-with-job-templates.html) in the ** .", 
@@ -19662,7 +22512,7 @@ "InputAttachments": "The list of input attachments for the channel.", "InputSpecification": "The input specification for this channel. It specifies the key characteristics of the inputs for this channel: the maximum bitrate, the resolution, and the codec.", "LogLevel": "The verbosity for logging activity for this channel. Charges for logging (which are generated through Amazon CloudWatch Logging) are higher for higher verbosities.", - "Maintenance": "", + "Maintenance": "Maintenance settings for this channel.", "Name": "A name for this audio selector. The AudioDescription (in an output) references this name in order to identify a specific input audio to include in that output.", "RoleArn": "The IAM role for MediaLive to assume when running this channel. The role is identified by its ARN.", "Tags": "A collection of tags for this channel. Each tag is a key-value pair.", @@ -19680,6 +22530,7 @@ "VbrQuality": "The VBR quality level. This is used only if rateControlMode is VBR." }, "AWS::MediaLive::Channel Ac3Settings": { + "AttenuationControl": "", "Bitrate": "The average bitrate in bits/second. Valid bitrates depend on the coding mode.", "BitstreamMode": "Specifies the bitstream mode (bsmod) for the emitted AC-3 stream. For more information about these values, see ATSC A/52-2012.", "CodingMode": "The Dolby Digital coding mode. This determines the number of channels.", @@ -19711,8 +22562,6 @@ "AWS::MediaLive::Channel ArchiveS3Settings": { "CannedAcl": "Specify the canned ACL to apply to each S3 request. Defaults to none." }, - "AWS::MediaLive::Channel AribDestinationSettings": {}, - "AWS::MediaLive::Channel AribSourceSettings": {}, "AWS::MediaLive::Channel AudioChannelMapping": { "InputChannelLevels": "The indices and gain values for each input channel that should be remixed into this output channel.", "OutputChannel": "The index of the output channel that is being produced." 
@@ -19883,8 +22732,6 @@ "AWS::MediaLive::Channel CdiInputSpecification": { "Resolution": "Maximum CDI input resolution" }, - "AWS::MediaLive::Channel ColorSpacePassthroughSettings": {}, - "AWS::MediaLive::Channel DolbyVision81Settings": {}, "AWS::MediaLive::Channel DvbNitSettings": { "NetworkId": "The numeric value placed in the Network Information Table (NIT).", "NetworkName": "The network name text placed in the networkNameDescriptor inside the Network Information Table (NIT). The maximum length is 256 characters.", 
@@ -19959,8 +22806,6 @@ "FontFamily": "Specifies the font family to include in the font data attached to the EBU-TT captions. Valid only if styleControl is set to include. If you leave this field empty, the font family is set to \"monospaced\". (If styleControl is set to exclude, the font family is always set to \"monospaced\".) You specify only the font family. All other style information (color, bold, position and so on) is copied from the input captions. The size is always set to 100% to allow the downstream player to choose the size. - Enter a list of font families, as a comma-separated list of font names, in order of preference. The name can be a font family (such as \u201cArial\u201d), or a generic font family (such as \u201cserif\u201d), or \u201cdefault\u201d (to let the downstream player choose the font).\n- Leave blank to set the family to \u201cmonospace\u201d.", "StyleControl": "Specifies the style information (font color, font position, and so on) to include in the font data that is attached to the EBU-TT captions. - include: Take the style information (font color, font position, and so on) from the source captions and include that information in the font data attached to the EBU-TT captions. This option is valid only if the source captions are Embedded or Teletext.\n- exclude: In the font data attached to the EBU-TT captions, set the font family to \"monospaced\". Do not include any other style information." }, - "AWS::MediaLive::Channel EmbeddedDestinationSettings": {}, - "AWS::MediaLive::Channel EmbeddedPlusScte20DestinationSettings": {}, "AWS::MediaLive::Channel EmbeddedSourceSettings": { "Convert608To708": "If this is upconvert, 608 data is both passed through the \"608 compatibility bytes\" fields of the 708 wrapper as well as translated into 708. If 708 data is present in the source content, it is discarded.", "Scte20Detection": "Set to \"auto\" to handle streams with intermittent or non-aligned SCTE-20 and embedded captions.", 
@@ -19978,9 +22823,14 @@ "MotionGraphicsConfiguration": "Settings to enable and configure the motion graphics overlay feature in the channel.", "NielsenConfiguration": "The settings to configure Nielsen watermarks.", "OutputGroups": "The settings for the output groups in the channel.", + "ThumbnailConfiguration": "", "TimecodeConfig": "Contains settings used to acquire and adjust timecode information from the inputs.", "VideoDescriptions": "The encoding information for output videos." }, + "AWS::MediaLive::Channel EpochLockingSettings": { + "CustomEpoch": "", + "JamSyncTime": "" + }, "AWS::MediaLive::Channel Esam": { "AcquisitionPointId": "", "AdAvailOffset": "", @@ -19998,7 +22848,8 @@ "VideoBlackSettings": "MediaLive will perform a failover if content is considered black for the specified period." }, "AWS::MediaLive::Channel FeatureActivations": { - "InputPrepareScheduleActions": "Enables the Input Prepare feature. You can create Input Prepare actions in the schedule only if this feature is enabled.\nIf you disable the feature on an existing schedule, make sure that you first delete all input prepare actions from the schedule." + "InputPrepareScheduleActions": "Enables the Input Prepare feature. You can create Input Prepare actions in the schedule only if this feature is enabled.\nIf you disable the feature on an existing schedule, make sure that you first delete all input prepare actions from the schedule.", + "OutputStaticImageOverlayScheduleActions": "" }, "AWS::MediaLive::Channel FecOutputSettings": { "ColumnDepth": "The parameter D from SMPTE 2022-1. The height of the FEC protection matrix. The number of transport stream packets per column error correction packet. The number must be between 4 and 20, inclusive.", 
@@ -20017,7 +22868,6 @@ "Destination": "The destination for the frame capture files. The destination is either the URI for an Amazon S3 bucket and object, plus a file name prefix (for example, s3ssl://sportsDelivery/highlights/20180820/curling_) or the URI for a MediaStore container, plus a file name prefix (for example, mediastoressl://sportsDelivery/20180820/curling_). The final file names consist of the prefix from the destination field (for example, \"curling_\") + name modifier + the counter (5 digits, starting from 00001) + extension (which is always .jpg). For example, curlingLow.00001.jpg.", "FrameCaptureCdnSettings": "Settings to configure the destination of a Frame Capture output." }, - "AWS::MediaLive::Channel FrameCaptureHlsSettings": {}, "AWS::MediaLive::Channel FrameCaptureOutputSettings": { "NameModifier": "Required if the output group contains more than one output. This modifier forms part of the output file name." }, 
@@ -20034,6 +22884,7 @@ "InputEndAction": "Indicates the action to take when the current input completes (for example, end-of-file). When switchAndLoopInputs is configured, MediaLive restarts at the beginning of the first input. When \"none\" is configured, MediaLive transcodes either black, a solid color, or a user-specified slate images per the \"Input Loss Behavior\" configuration until the next input switch occurs (which is controlled through the Channel Schedule API).", "InputLossBehavior": "The settings for system actions when the input is lost.", "OutputLockingMode": "Indicates how MediaLive pipelines are synchronized. PIPELINELOCKING - MediaLive attempts to synchronize the output of each pipeline to the other. EPOCHLOCKING - MediaLive attempts to synchronize the output of each pipeline to the Unix epoch.", + "OutputLockingSettings": "", "OutputTimingSource": "Indicates whether the rate of frames emitted by the Live encoder should be paced by its system clock (which optionally might be locked to another source through NTP) or should be locked to the clock of the source that is providing the input stream.", "SupportLowFramerateInputs": "Adjusts the video input buffer for streams with very low video frame rates. This is commonly set to enabled for music channels with less than one video frame per second." }, 
@@ -20190,7 +23041,7 @@ "Mode": "If \"vod,\" all segments are indexed and kept permanently in the destination and manifest. If \"live,\" only the number segments specified in keepSegments and indexNSegments are kept. Newer segments replace older segments, which might prevent players from rewinding all the way to the beginning of the channel. VOD mode uses HLS EXT-X-PLAYLIST-TYPE of EVENT while the channel is running, converting it to a \"VOD\" type manifest on completion of the stream.", "OutputSelection": "MANIFESTSANDSEGMENTS: Generates manifests (the master manifest, if applicable, and media manifests) for this output group. SEGMENTSONLY: Doesn't generate any manifests for this output group.", "ProgramDateTime": "Includes or excludes the EXT-X-PROGRAM-DATE-TIME tag in .m3u8 manifest files. The value is calculated as follows: Either the program date and time are initialized using the input timecode source, or the time is initialized using the input timecode source and the date is initialized using the timestampOffset.", - "ProgramDateTimeClock": "", + "ProgramDateTimeClock": "Specifies the algorithm used to drive the HLS EXT-X-PROGRAM-DATE-TIME clock. Options include: INITIALIZE_FROM_OUTPUT_TIMECODE: The PDT clock is initialized as a function of the first output timecode, then incremented by the EXTINF duration of each encoded segment. SYSTEM_CLOCK: The PDT clock is initialized as a function of the UTC wall clock, then incremented by the EXTINF duration of each encoded segment. If the PDT clock diverges from the wall clock by more than 500ms, it is resynchronized to the wall clock.", "ProgramDateTimePeriod": "The period of insertion of the EXT-X-PROGRAM-DATE-TIME entry, in seconds.", "RedundantManifest": "ENABLED: The master manifest (.m3u8 file) for each pipeline includes information about both pipelines: first its own media files, then the media files of the other pipeline. 
This feature allows a playout device that supports stale manifest detection to switch from one manifest to the other, when the current manifest seems to be stale. There are still two destinations and two master manifests, but both master manifests reference the media files from both pipelines. DISABLED: The master manifest (.m3u8 file) for each pipeline includes information about its own pipeline only. For an HLS output group with MediaPackage as the destination, the DISABLED behavior is always followed. MediaPackage regenerates the manifests it serves to players, so a redundant manifest from MediaLive is irrelevant.", "SegmentLength": "The length of the MPEG-2 Transport Stream segments to create, in seconds. Note that segments will end on the next keyframe after this number of seconds, so the actual segment length might be longer.", @@ -20238,7 +23089,6 @@ "NumRetries": "The number of retry attempts that are made before the channel is put into an error state.", "RestartDelay": "If a streaming output fails, the number of seconds to wait until a restart is initiated. A value of 0 means never restart." }, - "AWS::MediaLive::Channel HtmlMotionGraphicsSettings": {}, "AWS::MediaLive::Channel InputAttachment": { "AutomaticInputFailoverSettings": "Settings to implement automatic input failover in this input.", "InputAttachmentName": "A name for the attachment. This is required if you want to use this input in an input switch action.", 
@@ -20339,6 +23189,8 @@ "AudioFramesPerPes": "The number of audio frames to insert for each PES packet.", "AudioPids": "The PID of the elementary audio streams in the transport stream. Multiple values are accepted, and can be entered in ranges or by comma separation. You can enter the value as a decimal or hexadecimal value.", "EcmPid": "This parameter is unused and deprecated.", + "KlvBehavior": "", + "KlvDataPids": "", "NielsenId3Behavior": "If set to passthrough, Nielsen inaudible tones for media tracking will be detected in the input audio and an equivalent ID3 tag will be inserted in the output.", "PatInterval": "The number of milliseconds between instances of this table in the output transport stream. A value of \\\"0\\\" writes out the PMT once per segment file.", "PcrControl": "When set to pcrEveryPesPacket, a Program Clock Reference value is inserted for every Packetized Elementary Stream (PES) header. This parameter is effective only when the PCR PID is the same as the video or audio elementary stream.", @@ -20355,13 +23207,8 @@ "VideoPid": "The PID of the elementary video stream in the transport stream. You can enter the value as a decimal or hexadecimal value." }, "AWS::MediaLive::Channel MaintenanceCreateSettings": { - "MaintenanceDay": "", - "MaintenanceStartTime": "" - }, - "AWS::MediaLive::Channel MaintenanceUpdateSettings": { - "MaintenanceDay": "", - "MaintenanceScheduledDate": "", - "MaintenanceStartTime": "" + "MaintenanceDay": "Choose one day of the week for maintenance. The chosen day is used for all future maintenance windows.", + "MaintenanceStartTime": "Choose the hour that maintenance will start. The chosen time is used for all future maintenance windows." }, "AWS::MediaLive::Channel MediaPackageGroupSettings": { "Destination": "The MediaPackage channel destination." 
@@ -20369,7 +23216,6 @@ "AWS::MediaLive::Channel MediaPackageOutputDestinationSettings": { "ChannelId": "The ID of the channel in MediaPackage that is the destination for this output group. You don't need to specify the individual inputs in MediaPackage; MediaLive handles the connection of the two MediaLive pipelines to the two MediaPackage inputs. The MediaPackage channel and MediaLive channel must be in the same Region." }, - "AWS::MediaLive::Channel MediaPackageOutputSettings": {}, "AWS::MediaLive::Channel MotionGraphicsConfiguration": { "MotionGraphicsInsertion": "Enables or disables the motion graphics overlay feature in the channel.", "MotionGraphicsSettings": "Settings to enable and configure the motion graphics overlay feature in the channel." @@ -20429,7 +23275,6 @@ "H265PackagingType": "Only applicable when this output is referencing an H.265 video description.\nSpecifies whether MP4 segments should be packaged as HEV1 or HVC1.", "NameModifier": "A string that is concatenated to the end of the destination file name. This is required for multiple outputs of the same type." }, - "AWS::MediaLive::Channel MultiplexGroupSettings": {}, "AWS::MediaLive::Channel MultiplexOutputSettings": { "Destination": "Destination is a Multiplex." }, @@ -20497,6 +23342,10 @@ "AWS::MediaLive::Channel OutputLocationRef": { "DestinationRefId": "A reference ID for this destination." }, + "AWS::MediaLive::Channel OutputLockingSettings": { + "EpochLockingSettings": "", + "PipelineLockingSettings": "" + }, "AWS::MediaLive::Channel OutputSettings": { "ArchiveOutputSettings": "The settings for an archive output.", "FrameCaptureOutputSettings": "The settings for a frame capture output.\n\nThe parent of this entity is OutputGroupSettings.", 
@@ -20507,22 +23356,18 @@ "RtmpOutputSettings": "The settings for an RTMP output.\n\nThe parent of this entity is OutputGroupSettings.", "UdpOutputSettings": "The settings for a UDP output.\n\nThe parent of this entity is OutputGroupSettings." }, - "AWS::MediaLive::Channel PassThroughSettings": {}, - "AWS::MediaLive::Channel RawSettings": {}, - "AWS::MediaLive::Channel Rec601Settings": {}, - "AWS::MediaLive::Channel Rec709Settings": {}, "AWS::MediaLive::Channel RemixSettings": { "ChannelMappings": "A mapping of input channels to output channels, with appropriate gain adjustments.", "ChannelsIn": "The number of input channels to be used.", "ChannelsOut": "The number of output channels to be produced. Valid values: 1, 2, 4, 6, 8." }, - "AWS::MediaLive::Channel RtmpCaptionInfoDestinationSettings": {}, "AWS::MediaLive::Channel RtmpGroupSettings": { "AdMarkers": "Choose the ad marker type for this output group. MediaLive will create a message based on the content of each SCTE-35 message, format it for that marker type, and insert it in the datastream.", "AuthenticationScheme": "An authentication scheme to use when connecting with a CDN.", "CacheFullBehavior": "Controls behavior when the content cache fills up. If a remote origin server stalls the RTMP connection and doesn't accept content fast enough, the media cache fills up. When the cache reaches the duration specified by cacheLength, the cache stops accepting new content. If set to disconnectImmediately, the RTMP output forces a disconnect. Clear the media cache, and reconnect after restartDelay seconds. If set to waitForServer, the RTMP output waits up to 5 minutes to allow the origin server to begin accepting data again.", "CacheLength": "The cache length, in seconds, that is used to calculate buffer size.", "CaptionData": "Controls the types of data that pass to onCaptionInfo outputs. If set to all, 608 and 708 carried DTVCC data is passed. 
If set to field1AndField2608, DTVCC data is stripped out, but 608 data from both fields is passed. If set to field1608, only the data carried in 608 from field 1 video is passed.", + "IncludeFillerNalUnits": "", "InputLossAction": "Controls the behavior of this RTMP group if the input becomes unavailable. emitOutput: Emit a slate until the input returns. pauseOutput: Stop transmitting data until the input returns. This does not close the underlying RTMP connection.", "RestartDelay": "If a streaming output fails, the number of seconds to wait until a restart is initiated. A value of 0 means never restart." }, 
@@ -20532,12 +23377,10 @@ "Destination": "The RTMP endpoint excluding the stream name (for example, rtmp://host/appname).", "NumRetries": "The number of retry attempts." }, - "AWS::MediaLive::Channel Scte20PlusEmbeddedDestinationSettings": {}, "AWS::MediaLive::Channel Scte20SourceSettings": { "Convert608To708": "If upconvert, 608 data is both passed through the \"608 compatibility bytes\" fields of the 708 wrapper as well as translated into 708. Any 708 data present in the source content is discarded.", "Source608ChannelNumber": "Specifies the 608/708 channel number within the video track from which to extract captions." }, - "AWS::MediaLive::Channel Scte27DestinationSettings": {}, "AWS::MediaLive::Channel Scte27SourceSettings": { "OcrLanguage": "If you will configure a WebVTT caption description that references this caption selector, use this field to\nprovide the language to consider when translating the image-based source to text.", "Pid": "The PID field is used in conjunction with the captions selector languageCode field as follows: Specify PID and Language: Extracts captions from that PID; the language is \"informational.\" Specify PID and omit Language: Extracts the specified PID. Omit PID and specify Language: Extracts the specified language, whichever PID that happens to be. Omit PID and omit Language: Valid only if source is DVB-Sub that is being passed through; all languages are passed through." 
@@ -20552,7 +23395,6 @@ "NoRegionalBlackoutFlag": "When set to ignore, segment descriptors with noRegionalBlackoutFlag set to 0 no longer trigger blackouts or ad avail slates.", "WebDeliveryAllowedFlag": "When set to ignore, segment descriptors with webDeliveryAllowedFlag set to 0 no longer trigger blackouts or ad avail slates." }, - "AWS::MediaLive::Channel SmpteTtDestinationSettings": {}, "AWS::MediaLive::Channel StandardHlsSettings": { "AudioRenditionSets": "Lists all the audio groups that are used with the video output stream. This inputs all the audio GROUP-IDs that are associated with the video, separated by a comma (,).", "M3u8Settings": "Settings for the M3U8 container." @@ -20561,7 +23403,6 @@ "KeyProviderServer": "The URL of the license server that is used for protecting content.", "StaticKeyValue": "The static key value as a 32 character hexadecimal string." }, - "AWS::MediaLive::Channel TeletextDestinationSettings": {}, "AWS::MediaLive::Channel TeletextSourceSettings": { "OutputRectangle": "Settings to configure the caption rectangle for an output captions that will be created using this Teletext source captions.", "PageNumber": "Specifies the Teletext page number within the data stream from which to extract captions. The range is 0x100 (256) to 0x8FF (2303). This is unused for passthrough. It should be specified as a hexadecimal string with no \"0x\" prefix." 
@@ -20570,6 +23411,9 @@ "PostFilterSharpening": "If you enable this filter, the results are the following:\n- If the source content is noisy (it contains excessive digital artifacts), the filter cleans up the source.\n- If the source content is already clean, the filter tends to decrease the bitrate, especially when the rate control mode is QVBR.", "Strength": "Choose a filter strength. We recommend a strength of 1 or 2. A higher strength might take out good information, resulting in an image that is overly soft." }, + "AWS::MediaLive::Channel ThumbnailConfiguration": { + "State": "" + }, "AWS::MediaLive::Channel TimecodeBurninSettings": { "FontSize": "", "Position": "", @@ -20662,9 +23506,6 @@ "AWS::MediaLive::Input InputDestinationRequest": { "StreamName": "The stream name (application name/application instance) for the location the RTMP source content will be pushed to in MediaLive." }, - "AWS::MediaLive::Input InputDeviceRequest": { - "Id": "This property is not used. Ignore it." - }, "AWS::MediaLive::Input InputDeviceSettings": { "Id": "The unique ID for the device." }, 
@@ -20687,6 +23528,76 @@ "AWS::MediaLive::InputSecurityGroup InputWhitelistRuleCidr": { "Cidr": "An IPv4 CIDR range to include in this input security group." }, + "AWS::MediaLive::Multiplex": { + "AvailabilityZones": "A list of availability zones for the multiplex.", + "Destinations": "A list of the multiplex output destinations.", + "MultiplexSettings": "Configuration for a multiplex event.", + "Name": "The name of the multiplex.", + "Tags": "A collection of key-value pairs." + }, + "AWS::MediaLive::Multiplex MultiplexMediaConnectOutputDestinationSettings": { + "EntitlementArn": "The MediaConnect entitlement ARN available as a Flow source." + }, + "AWS::MediaLive::Multiplex MultiplexOutputDestination": { + "MultiplexMediaConnectOutputDestinationSettings": "" + }, + "AWS::MediaLive::Multiplex MultiplexSettings": { + "MaximumVideoBufferDelayMilliseconds": "Maximum video buffer delay in milliseconds.", + "TransportStreamBitrate": "Transport stream bit rate.", + "TransportStreamId": "Transport stream ID.", + "TransportStreamReservedBitrate": "Transport stream reserved bit rate." + }, + "AWS::MediaLive::Multiplex Tags": { + "Key": "", + "Value": "" + }, + "AWS::MediaLive::Multiplexprogram": { + "ChannelId": "The unique ID of the channel.", + "MultiplexId": "The unique id of the multiplex.", + "MultiplexProgramSettings": "Multiplex Program settings configuration.", + "PacketIdentifiersMap": "", + "PipelineDetails": "", + "PreferredChannelPipeline": "Indicates which pipeline is preferred by the multiplex for program ingest.\nIf set to \\\"PIPELINE_0\\\" or \\\"PIPELINE_1\\\" and an unhealthy ingest causes the multiplex to switch to the non-preferred pipeline,\nit will switch back once that ingest is healthy again. 
If set to \\\"CURRENTLY_ACTIVE\\\",\nit will not switch back to the other pipeline based on it recovering to a healthy state,\nit will only switch if the active pipeline becomes unhealthy.", + "ProgramName": "" + }, + "AWS::MediaLive::Multiplexprogram MultiplexProgramPacketIdentifiersMap": { + "AudioPids": "", + "DvbSubPids": "", + "DvbTeletextPid": "", + "EtvPlatformPid": "", + "EtvSignalPid": "", + "KlvDataPids": "", + "PcrPid": "", + "PmtPid": "", + "PrivateMetadataPid": "", + "Scte27Pids": "", + "Scte35Pid": "", + "TimedMetadataPid": "", + "VideoPid": "" + }, + "AWS::MediaLive::Multiplexprogram MultiplexProgramPipelineDetail": { + "ActiveChannelPipeline": "Identifies the channel pipeline that is currently active for the pipeline (identified by PipelineId) in the multiplex.", + "PipelineId": "Identifies a specific pipeline in the multiplex." + }, + "AWS::MediaLive::Multiplexprogram MultiplexProgramServiceDescriptor": { + "ProviderName": "Name of the provider.", + "ServiceName": "Name of the service." + }, + "AWS::MediaLive::Multiplexprogram MultiplexProgramSettings": { + "PreferredChannelPipeline": "Indicates which pipeline is preferred by the multiplex for program ingest.", + "ProgramNumber": "Unique program number.", + "ServiceDescriptor": "Transport stream service descriptor configuration for the Multiplex program.", + "VideoSettings": "Program video settings configuration." + }, + "AWS::MediaLive::Multiplexprogram MultiplexStatmuxVideoSettings": { + "MaximumBitrate": "Maximum statmux bitrate.", + "MinimumBitrate": "Minimum statmux bitrate.", + "Priority": "The purpose of the priority is to use a combination of the\\nmultiplex rate control algorithm and the QVBR capability of the\\nencoder to prioritize the video quality of some channels in a\\nmultiplex over others. Channels that have a higher priority will\\nget higher video quality at the expense of the video quality of\\nother channels in the multiplex with lower priority." 
+ }, + "AWS::MediaLive::Multiplexprogram MultiplexVideoSettings": { + "ConstantBitrate": "The constant bitrate configuration for the video encode.\nWhen this field is defined, StatmuxSettings must be undefined.", + "StatmuxSettings": "Statmux rate control settings.\nWhen this field is defined, ConstantBitrate must be undefined." + }, "AWS::MediaPackage::Asset": { "EgressEndpoints": "List of playback endpoints that are available for this asset.", "Id": "Unique identifier that you assign to the asset.", @@ -20700,6 +23611,10 @@ "PackagingConfigurationId": "The ID of a packaging configuration that's applied to this asset.", "Url": "The URL that's used to request content from this endpoint." }, + "AWS::MediaPackage::Asset Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaPackage::Channel": { "Description": "Any descriptive information that you want to add to the channel for future identification purposes.", "EgressAccessLogs": "Configures egress access logs.", @@ -20720,6 +23635,10 @@ "AWS::MediaPackage::Channel LogConfiguration": { "LogGroupName": "Sets a custom Amazon CloudWatch log group name." }, + "AWS::MediaPackage::Channel Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaPackage::OriginEndpoint": { "Authorization": "Parameters for CDN authorization.", "ChannelId": "The ID of the channel associated with this endpoint.", 
@@ -20775,7 +23694,10 @@ "UtcTiming": "Determines the type of UTC timing included in the DASH Media Presentation Description (MPD).", "UtcTimingUri": "Specifies the value attribute of the UTC timing field when utcTiming is set to HTTP-ISO or HTTP-HEAD." }, - "AWS::MediaPackage::OriginEndpoint EncryptionContractConfiguration": {}, + "AWS::MediaPackage::OriginEndpoint EncryptionContractConfiguration": { + "PresetSpeke20Audio": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "PresetSpeke20Video": "A collection of video encryption presets.\n\nValue description:\n\n- `PRESET-VIDEO-1` - Use one content key to encrypt all of the video tracks in your stream.\n- `PRESET-VIDEO-2` - Use one content key to encrypt all of the SD video tracks and one content key for all HD and higher resolutions video tracks.\n- `PRESET-VIDEO-3` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-4` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-5` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, 
one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-6` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-7` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-8` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `SHARED` - Use the same content key for all of the video and audio tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the video tracks in your stream." + }, "AWS::MediaPackage::OriginEndpoint HlsEncryption": { "ConstantInitializationVector": "A 128-bit, 16-byte hex value represented by a 32-character string, used with the key for encrypting blocks.", "EncryptionMethod": "HLS encryption type.", @@ -20831,6 +23753,10 @@ "MinVideoBitsPerSecond": "The lower limit of the bitrates that this endpoint serves. If the video track is below this threshold, then AWS Elemental MediaPackage excludes it from output. If you don't specify a value, it defaults to 0 bits per second.", "StreamOrder": "Order in which the different video bitrates are presented to the player.\n\nValid values: `ORIGINAL` , `VIDEO_BITRATE_ASCENDING` , `VIDEO_BITRATE_DESCENDING` ." }, + "AWS::MediaPackage::OriginEndpoint Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaPackage::PackagingConfiguration": { "CmafPackage": "Parameters for CMAF packaging.", "DashPackage": "Parameters for DASH-ISO packaging.", 
@@ -20869,7 +23795,10 @@ "SegmentDurationSeconds": "Duration (in seconds) of each fragment. Actual fragments are rounded to the nearest multiple of the source segment duration.", "SegmentTemplateFormat": "Determines the type of SegmentTemplate included in the Media Presentation Description (MPD). When set to `NUMBER_WITH_TIMELINE` , a full timeline is presented in each SegmentTemplate, with $Number$ media URLs. When set to `TIME_WITH_TIMELINE` , a full timeline is presented in each SegmentTemplate, with $Time$ media URLs. When set to `NUMBER_WITH_DURATION` , only a duration is included in each SegmentTemplate, with $Number$ media URLs." }, - "AWS::MediaPackage::PackagingConfiguration EncryptionContractConfiguration": {}, + "AWS::MediaPackage::PackagingConfiguration EncryptionContractConfiguration": { + "PresetSpeke20Audio": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "PresetSpeke20Video": "A collection of video encryption presets.\n\nValue description:\n\n- `PRESET-VIDEO-1` - Use one content key to encrypt all of the video tracks in your stream.\n- `PRESET-VIDEO-2` - Use one content key to encrypt all of the SD video tracks and one content key for all HD and higher resolutions video tracks.\n- `PRESET-VIDEO-3` - Use one content key to encrypt all of the SD video tracks, one 
content key for HD video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-4` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-5` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-6` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-7` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-8` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `SHARED` - Use the same content key for all of the video and audio tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the video tracks in your stream." + }, "AWS::MediaPackage::PackagingConfiguration HlsEncryption": { "ConstantInitializationVector": "A 128-bit, 16-byte hex value represented by a 32-character string, used with the key for encrypting blocks. If you don't specify a constant initialization vector (IV), AWS Elemental MediaPackage periodically rotates the IV.", "EncryptionMethod": "HLS encryption type.", 
@@ -20913,6 +23842,10 @@ "MinVideoBitsPerSecond": "The lower limit of the bitrates that this endpoint serves. If the video track is below this threshold, then AWS Elemental MediaPackage excludes it from output. If you don't specify a value, it defaults to 0 bits per second.", "StreamOrder": "Order in which the different video bitrates are presented to the player.\n\nValid values: `ORIGINAL` , `VIDEO_BITRATE_ASCENDING` , `VIDEO_BITRATE_DESCENDING` ." }, + "AWS::MediaPackage::PackagingConfiguration Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaPackage::PackagingGroup": { "Authorization": "Parameters for CDN authorization.", "EgressAccessLogs": "The configuration parameters for egress access logging.", 
@@ -20926,12 +23859,126 @@ "AWS::MediaPackage::PackagingGroup LogConfiguration": { "LogGroupName": "Sets a custom Amazon CloudWatch log group name for egress logs. If a log group name isn't specified, the default name is used: /aws/MediaPackage/EgressAccessLogs." }, + "AWS::MediaPackage::PackagingGroup Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaPackageV2::Channel": { + "ChannelGroupName": "The name of the channel group associated with the channel configuration.", + "ChannelName": "The name of the channel.", + "Description": "The description of the channel.", + "Tags": "The tags associated with the channel." + }, + "AWS::MediaPackageV2::Channel IngestEndpoint": { + "Id": "The identifier associated with the ingest endpoint of the channel.", + "Url": "The URL associated with the ingest endpoint of the channel." + }, + "AWS::MediaPackageV2::Channel Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaPackageV2::ChannelGroup": { + "ChannelGroupName": "The name of the channel group.", + "Description": "The configuration for a MediaPackage V2 channel group.", + "Tags": "The tags associated with the channel group." + }, + "AWS::MediaPackageV2::ChannelGroup Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaPackageV2::ChannelPolicy": { + "ChannelGroupName": "The name of the channel group associated with the channel policy.", + "ChannelName": "The name of the channel associated with the channel policy.", + "Policy": "The policy associated with the channel." 
+ }, + "AWS::MediaPackageV2::OriginEndpoint": { + "ChannelGroupName": "The name of the channel group associated with the origin endpoint configuration.", + "ChannelName": "The channel name associated with the origin endpoint.", + "ContainerType": "The container type associated with the origin endpoint configuration.", + "Description": "The description associated with the origin endpoint.", + "HlsManifests": "The HLS manfiests associated with the origin endpoint configuration.", + "LowLatencyHlsManifests": "The low-latency HLS (LL-HLS) manifests associated with the origin endpoint.", + "OriginEndpointName": "The name of the origin endpoint associated with the origin endpoint configuration.", + "Segment": "The segment associated with the origin endpoint.", + "StartoverWindowSeconds": "The size of the window (in seconds) to specify a window of the live stream that's available for on-demand viewing. Viewers can start-over or catch-up on content that falls within the window.", + "Tags": "The tags associated with the origin endpoint." + }, + "AWS::MediaPackageV2::OriginEndpoint Encryption": { + "ConstantInitializationVector": "A 128-bit, 16-byte hex value represented by a 32-character string, used in conjunction with the key for encrypting content. If you don't specify a value, then MediaPackage creates the constant initialization vector (IV).", + "EncryptionMethod": "The encryption method to use.", + "KeyRotationIntervalSeconds": "The interval, in seconds, to rotate encryption keys for the origin endpoint.", + "SpekeKeyProvider": "The SPEKE key provider to use for encryption." 
+ }, + "AWS::MediaPackageV2::OriginEndpoint EncryptionContractConfiguration": { + "PresetSpeke20Audio": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "PresetSpeke20Video": "The SPEKE Version 2.0 preset video associated with the encryption contract configuration of the origin endpoint." + }, + "AWS::MediaPackageV2::OriginEndpoint EncryptionMethod": { + "CmafEncryptionMethod": "The encryption method to use.", + "TsEncryptionMethod": "The encryption method to use." 
+ }, + "AWS::MediaPackageV2::OriginEndpoint FilterConfiguration": { + "End": "", + "ManifestFilter": "", + "Start": "", + "TimeDelaySeconds": "" + }, + "AWS::MediaPackageV2::OriginEndpoint HlsManifestConfiguration": { + "ChildManifestName": "The name of the child manifest associated with the HLS manifest configuration.", + "FilterConfiguration": "", + "ManifestName": "The name of the manifest associated with the HLS manifest configuration.", + "ManifestWindowSeconds": "The duration of the manifest window, in seconds, for the HLS manifest configuration.", + "ProgramDateTimeIntervalSeconds": "The `EXT-X-PROGRAM-DATE-TIME` interval, in seconds, associated with the HLS manifest configuration.", + "ScteHls": "THE SCTE-35 HLS configuration associated with the HLS manifest configuration.", + "Url": "The URL of the HLS manifest configuration." + }, + "AWS::MediaPackageV2::OriginEndpoint LowLatencyHlsManifestConfiguration": { + "ChildManifestName": "The name of the child manifest associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "FilterConfiguration": "", + "ManifestName": "A short short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", + "ManifestWindowSeconds": "The total duration (in seconds) of the manifest's content.", + "ProgramDateTimeIntervalSeconds": "Inserts `EXT-X-PROGRAM-DATE-TIME` tags in the output manifest at the interval that you specify. If you don't enter an interval, `EXT-X-PROGRAM-DATE-TIME` tags aren't included in the manifest. 
The tags sync the stream to the wall clock so that viewers can seek to a specific time in the playback timeline on the player. `ID3Timed` metadata messages generate every 5 seconds whenever MediaPackage ingests the content.\n\nIrrespective of this parameter, if any `ID3Timed` metadata is in the HLS input, MediaPackage passes through that metadata to the HLS output.", + "ScteHls": "The SCTE-35 HLS configuration associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "Url": "The URL of the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint." + }, + "AWS::MediaPackageV2::OriginEndpoint Scte": { + "ScteFilter": "The filter associated with the SCTE-35 configuration." + }, + "AWS::MediaPackageV2::OriginEndpoint ScteHls": { + "AdMarkerHls": "The SCTE-35 HLS ad-marker configuration." + }, + "AWS::MediaPackageV2::OriginEndpoint Segment": { + "Encryption": "Whether to use encryption for the segment.", + "IncludeIframeOnlyStreams": "Whether the segment includes I-frame-only streams.", + "Scte": "The SCTE-35 configuration associated with the segment.", + "SegmentDurationSeconds": "The duration of the segment, in seconds.", + "SegmentName": "The name of the segment associated with the origin endpoint.", + "TsIncludeDvbSubtitles": "Whether the segment includes DVB subtitles.", + "TsUseAudioRenditionGroup": "Whether the segment is an audio rendition group." + }, + "AWS::MediaPackageV2::OriginEndpoint SpekeKeyProvider": { + "DrmSystems": "The DRM solution provider you're using to protect your content during distribution.", + "EncryptionContractConfiguration": "The encryption contract configuration associated with the SPEKE key provider.", + "ResourceId": "The unique identifier for the content. The service sends this identifier to the key server to identify the current endpoint. How unique you make this identifier depends on how fine-grained you want access controls to be. 
The service does not permit you to use the same ID for two simultaneous encryption processes. The resource ID is also known as the content ID.\n\nThe following example shows a resource ID: `MovieNight20171126093045`", + "RoleArn": "The ARN for the IAM role granted by the key provider that provides access to the key provider API. This role must have a trust policy that allows MediaPackage to assume the role, and it must have a sufficient permissions policy to allow access to the specific key retrieval URL. Get this from your DRM solution provider.\n\nValid format: `arn:aws:iam::{accountID}:role/{name}` . The following example shows a role ARN: `arn:aws:iam::444455556666:role/SpekeAccess`", + "Url": "The URL of the SPEKE key provider." + }, + "AWS::MediaPackageV2::OriginEndpoint Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaPackageV2::OriginEndpointPolicy": { + "ChannelGroupName": "The name of the channel group associated with the origin endpoint policy.", + "ChannelName": "The channel name associated with the origin endpoint policy.", + "OriginEndpointName": "The name of the origin endpoint associated with the origin endpoint policy.", + "Policy": "The policy associated with the origin endpoint." + }, "AWS::MediaStore::Container": { "AccessLoggingEnabled": "The state of access logging on the container. This value is `false` by default, indicating that AWS Elemental MediaStore does not send access logs to Amazon CloudWatch Logs. When you enable access logging on the container, MediaStore changes this value to `true` , indicating that the service delivers access logs for objects stored in that container to CloudWatch Logs.", "ContainerName": "The name for the container. The name must be from 1 to 255 characters. Container names must be unique to your AWS account within a specific region. 
As an example, you could create a container named `movies` in every region, as long as you don\u2019t have an existing container with that name.", "CorsPolicy": "Sets the cross-origin resource sharing (CORS) configuration on a container so that the container can service cross-origin requests. For example, you might want to enable a request whose origin is http://www.example.com to access your AWS Elemental MediaStore container at my.example.container.com by using the browser's XMLHttpRequest capability.\n\nTo enable CORS on a container, you attach a CORS policy to the container. In the CORS policy, you configure rules that identify origins and the HTTP methods that can be executed on your container. The policy can contain up to 398,000 characters. You can add up to 100 rules to a CORS policy. If more than one rule applies, the service uses the first applicable rule listed.\n\nTo learn more about CORS, see [Cross-Origin Resource Sharing (CORS) in AWS Elemental MediaStore](https://docs.aws.amazon.com/mediastore/latest/ug/cors-policy.html) .", "LifecyclePolicy": "Writes an object lifecycle policy to a container. If the container already has an object lifecycle policy, the service replaces the existing policy with the new policy. It takes up to 20 minutes for the change to take effect.\n\nFor information about how to construct an object lifecycle policy, see [Components of an Object Lifecycle Policy](https://docs.aws.amazon.com/mediastore/latest/ug/policies-object-lifecycle-components.html) .", - "MetricPolicy": "", + "MetricPolicy": "The metric policy that is associated with the container. A metric policy allows AWS Elemental MediaStore to send metrics to Amazon CloudWatch. In the policy, you must indicate whether you want MediaStore to send container-level metrics. 
You can also include rules to define groups of objects that you want MediaStore to send object-level metrics for.\n\nTo view examples of how to construct a metric policy for your use case, see [Example Metric Policies](https://docs.aws.amazon.com/mediastore/latest/ug/policies-metric-examples.html) .", "Policy": "Creates an access policy for the specified container to restrict the users and clients that can access it. For information about the data that is included in an access policy, see the [AWS Identity and Access Management User Guide](https://docs.aws.amazon.com/iam/) .\n\nFor this release of the REST API, you can create only one policy for a container. If you enter `PutContainerPolicy` twice, the second command modifies the existing policy.", "Tags": "" }, 
@@ -20950,37 +23997,96 @@ "ObjectGroup": "A path or file name that defines which objects to include in the group. Wildcards (*) are acceptable.", "ObjectGroupName": "A name that allows you to refer to the object group." }, + "AWS::MediaStore::Container Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, + "AWS::MediaTailor::Channel": { + "ChannelName": "The name of the channel.", + "FillerSlate": "The slate used to fill gaps between programs in the schedule. You must configure filler slate if your channel uses the `LINEAR` `PlaybackMode` . MediaTailor doesn't support filler slate for channels using the `LOOP` `PlaybackMode` .", + "LogConfiguration": "The log configuration.", + "Outputs": "The channel's output properties.", + "PlaybackMode": "The type of playback mode for this channel.\n\n`LINEAR` - Programs play back-to-back only once.\n\n`LOOP` - Programs play back-to-back in an endless loop. When the last program in the schedule plays, playback loops back to the first program in the schedule.", + "Tags": "The tags to assign to the channel. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "Tier": "The tier for this channel. STANDARD tier channels can contain live programs." + }, + "AWS::MediaTailor::Channel DashPlaylistSettings": { + "ManifestWindowSeconds": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. 
Maximum value: `3600` seconds.", + "MinBufferTimeSeconds": "Minimum amount of content (measured in seconds) that a player must keep available in the buffer. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "MinUpdatePeriodSeconds": "Minimum amount of time (in seconds) that the player should wait before requesting updates to the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "SuggestedPresentationDelaySeconds": "Amount of time (in seconds) that the player should be from the live point at the end of the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds." + }, + "AWS::MediaTailor::Channel HlsPlaylistSettings": { + "AdMarkupType": "Determines the type of SCTE 35 tags to use in ad markup. Specify `DATERANGE` to use `DATERANGE` tags (for live or VOD content). Specify `SCTE35_ENHANCED` to use `EXT-X-CUE-OUT` and `EXT-X-CUE-IN` tags (for VOD content only).", + "ManifestWindowSeconds": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds." + }, + "AWS::MediaTailor::Channel LogConfigurationForChannel": { + "LogTypes": "The log types." + }, + "AWS::MediaTailor::Channel RequestOutputItem": { + "DashPlaylistSettings": "DASH manifest configuration parameters.", + "HlsPlaylistSettings": "HLS playlist configuration parameters.", + "ManifestName": "The name of the manifest for the channel. The name appears in the `PlaybackUrl` .", + "SourceGroup": "A string used to match which `HttpPackageConfiguration` is used for each `VodSource` ." + }, + "AWS::MediaTailor::Channel SlateSource": { + "SourceLocationName": "The name of the source location where the slate VOD source is stored.", + "VodSourceName": "The slate VOD source name. The VOD source must already exist in a source location before it can be used for slate." 
+ }, + "AWS::MediaTailor::Channel Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaTailor::ChannelPolicy": { + "ChannelName": "The name of the channel associated with this Channel Policy.", + "Policy": "The IAM policy for the channel. IAM policies are used to control access to your channel." + }, + "AWS::MediaTailor::LiveSource": { + "HttpPackageConfigurations": "The HTTP package configurations for the live source.", + "LiveSourceName": "The name that's used to refer to a live source.", + "SourceLocationName": "The name of the source location.", + "Tags": "The tags assigned to the live source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) ." + }, + "AWS::MediaTailor::LiveSource HttpPackageConfiguration": { + "Path": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "SourceGroup": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "Type": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` ." + }, + "AWS::MediaTailor::LiveSource Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaTailor::PlaybackConfiguration": { - "AdDecisionServerUrl": "", - "AvailSuppression": "", - "Bumper": "", - "CdnConfiguration": "", + "AdDecisionServerUrl": "The URL for the ad decision server (ADS). This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing you can provide a static VAST URL. 
The maximum length is 25,000 characters.", + "AvailSuppression": "The configuration for avail suppression, also known as ad suppression. For more information about ad suppression, see [Ad Suppression](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", + "Bumper": "The configuration for bumpers. Bumpers are short audio or video clips that play at the start or before the end of an ad break. To learn more about bumpers, see [Bumpers](https://docs.aws.amazon.com/mediatailor/latest/ug/bumpers.html) .", + "CdnConfiguration": "The configuration for using a content delivery network (CDN), like Amazon CloudFront, for content and ad segment management.", "ConfigurationAliases": "The player parameters and aliases used as dynamic variables during session initialization. For more information, see [Domain Variables](https://docs.aws.amazon.com/mediatailor/latest/ug/variables-domain.html) .", - "DashConfiguration": "", + "DashConfiguration": "The configuration for a DASH source.", "HlsConfiguration": "The configuration for HLS content.", - "LivePreRollConfiguration": "", - "ManifestProcessingRules": "", - "Name": "", - "PersonalizationThresholdSeconds": "", - "SlateAdUrl": "", - "Tags": "", - "TranscodeProfileName": "", - "VideoContentSourceUrl": "" + "LivePreRollConfiguration": "The configuration for pre-roll ad insertion.", + "ManifestProcessingRules": "The configuration for manifest processing rules. Manifest processing rules enable customization of the personalized manifests created by MediaTailor.", + "Name": "The identifier for the playback configuration.", + "PersonalizationThresholdSeconds": "Defines the maximum duration of underfilled ad time (in seconds) allowed in an ad break. If the duration of underfilled ad time exceeds the personalization threshold, then the personalization of the ad break is abandoned and the underlying content is shown. 
This feature applies to *ad replacement* in live and VOD streams, rather than ad insertion, because it relies on an underlying content stream. For more information about ad break behavior, including ad replacement and insertion, see [Ad Behavior in AWS Elemental MediaTailor](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", + "SlateAdUrl": "The URL for a video asset to transcode and use to fill in time that's not used by ads. AWS Elemental MediaTailor shows the slate to fill in gaps in media content. Configuring the slate is optional for non-VPAID playback configurations. For VPAID, the slate is required because MediaTailor provides it in the slots designated for dynamic ad content. The slate must be a high-quality asset that contains both audio and video.", + "Tags": "The tags to assign to the playback configuration. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "TranscodeProfileName": "The name that is used to associate this playback configuration with a custom transcode profile. This overrides the dynamic transcoding defaults of MediaTailor. Use this only if you have already set up custom profiles with the help of AWS Support.", + "VideoContentSourceUrl": "The URL prefix for the parent manifest for the stream, minus the asset ID. The maximum length is 512 characters." }, "AWS::MediaTailor::PlaybackConfiguration AdMarkerPassthrough": { - "Enabled": "" + "Enabled": "Enables ad marker passthrough for your configuration." }, "AWS::MediaTailor::PlaybackConfiguration AvailSuppression": { - "Mode": "", - "Value": "" + "Mode": "Sets the ad suppression mode. By default, ad suppression is off and all ad breaks are filled with ads or slate. 
When Mode is set to `BEHIND_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks on or behind the ad suppression Value time in the manifest lookback window. When Mode is set to `AFTER_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks that are within the live edge plus the avail suppression value.", + "Value": "A live edge offset time in HH:MM:SS. MediaTailor won't fill ad breaks on or behind this time in the manifest lookback window. If Value is set to 00:00:00, it is in sync with the live edge, and MediaTailor won't fill any ad breaks on or behind the live edge. If you set a Value time, MediaTailor won't fill any ad breaks on or behind this time in the manifest lookback window. For example, if you set 00:45:00, then MediaTailor will fill ad breaks that occur within 45 minutes behind the live edge, but won't fill ad breaks on or behind 45 minutes behind the live edge." }, "AWS::MediaTailor::PlaybackConfiguration Bumper": { - "EndUrl": "", - "StartUrl": "" + "EndUrl": "The URL for the end bumper asset.", + "StartUrl": "The URL for the start bumper asset." }, "AWS::MediaTailor::PlaybackConfiguration CdnConfiguration": { - "AdSegmentUrlPrefix": "", - "ContentSegmentUrlPrefix": "" + "AdSegmentUrlPrefix": "A non-default content delivery network (CDN) to serve ad segments. By default, AWS Elemental MediaTailor uses Amazon CloudFront with default cache settings as its CDN for ad segments. To set up an alternate CDN, create a rule in your CDN for the origin ads.mediatailor. ** .amazonaws.com. Then specify the rule's name in this `AdSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for ad segments.", + "ContentSegmentUrlPrefix": "A content delivery network (CDN) to cache content segments, so that content requests don\u2019t always have to go to the origin server. First, create a rule in your CDN for the content segment origin server. 
Then specify the rule's name in this `ContentSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for content segments." }, "AWS::MediaTailor::PlaybackConfiguration DashConfiguration": { "ManifestEndpointPrefix": "The URL generated by MediaTailor to initiate a playback session. The session uses server-side reporting. This setting is ignored in PUT operations.", 
@@ -20991,17 +24097,71 @@ "ManifestEndpointPrefix": "The URL that is used to initiate a playback session for devices that support Apple HLS. The session uses server-side reporting." }, "AWS::MediaTailor::PlaybackConfiguration LivePreRollConfiguration": { - "AdDecisionServerUrl": "", - "MaxDurationSeconds": "" + "AdDecisionServerUrl": "The URL for the ad decision server (ADS) for pre-roll ads. This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing, you can provide a static VAST URL. The maximum length is 25,000 characters.", + "MaxDurationSeconds": "The maximum allowed duration for the pre-roll ad avail. AWS Elemental MediaTailor won't play pre-roll ads to exceed this duration, regardless of the total duration of ads that the ADS returns." }, "AWS::MediaTailor::PlaybackConfiguration ManifestProcessingRules": { - "AdMarkerPassthrough": "" + "AdMarkerPassthrough": "For HLS, when set to `true` , MediaTailor passes through `EXT-X-CUE-IN` , `EXT-X-CUE-OUT` , and `EXT-X-SPLICEPOINT-SCTE35` ad markers from the origin manifest to the MediaTailor personalized manifest.\n\nNo logic is applied to these ad markers. For example, if `EXT-X-CUE-OUT` has a value of `60` , but no ads are filled for that ad break, MediaTailor will not set the value to `0` ." 
+ }, + "AWS::MediaTailor::PlaybackConfiguration Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaTailor::SourceLocation": { + "AccessConfiguration": "The access configuration for the source location.", + "DefaultSegmentDeliveryConfiguration": "The default segment delivery configuration.", + "HttpConfiguration": "The HTTP configuration for the source location.", + "SegmentDeliveryConfigurations": "The segment delivery configurations for the source location.", + "SourceLocationName": "The name of the source location.", + "Tags": "The tags assigned to the source location. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) ." + }, + "AWS::MediaTailor::SourceLocation AccessConfiguration": { + "AccessType": "The type of authentication used to access content from `HttpConfiguration::BaseUrl` on your source location. Accepted value: `S3_SIGV4` .\n\n`S3_SIGV4` - AWS Signature Version 4 authentication for Amazon S3 hosted virtual-style access. If your source location base URL is an Amazon S3 bucket, MediaTailor can use AWS Signature Version 4 (SigV4) authentication to access the bucket where your source content is stored. Your MediaTailor source location baseURL must follow the S3 virtual hosted-style request URL format. For example, https://bucket-name.s3.Region.amazonaws.com/key-name.\n\nBefore you can use `S3_SIGV4` , you must meet these requirements:\n\n\u2022 You must allow MediaTailor to access your S3 bucket by granting mediatailor.amazonaws.com principal access in IAM. 
For information about configuring access in IAM, see Access management in the IAM User Guide.\n\n\u2022 The mediatailor.amazonaws.com service principal must have permissions to read all top level manifests referenced by the VodSource packaging configurations.\n\n\u2022 The caller of the API must have s3:GetObject IAM permissions to read all top level manifests referenced by your MediaTailor VodSource packaging configurations.", + "SecretsManagerAccessTokenConfiguration": "AWS Secrets Manager access token configuration parameters." + }, + "AWS::MediaTailor::SourceLocation DefaultSegmentDeliveryConfiguration": { + "BaseUrl": "The hostname of the server that will be used to serve segments. This string must include the protocol, such as *https://* ." + }, + "AWS::MediaTailor::SourceLocation HttpConfiguration": { + "BaseUrl": "The base URL for the source location host server. This string must include the protocol, such as *https://* ." + }, + "AWS::MediaTailor::SourceLocation SecretsManagerAccessTokenConfiguration": { + "HeaderName": "The name of the HTTP header used to supply the access token in requests to the source location.", + "SecretArn": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the access token.", + "SecretStringKey": "The AWS Secrets Manager [SecretString](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html#SecretsManager-CreateSecret-request-SecretString.html) key associated with the access token. MediaTailor uses the key to look up SecretString key and value pair containing the access token." + }, + "AWS::MediaTailor::SourceLocation SegmentDeliveryConfiguration": { + "BaseUrl": "The base URL of the host or path of the segment delivery server that you're using to serve segments. This is typically a content delivery network (CDN). The URL can be absolute or relative. To use an absolute URL include the protocol, such as `https://example.com/some/path` . 
To use a relative URL specify the relative path, such as `/some/path*` .", + "Name": "A unique identifier used to distinguish between multiple segment delivery configurations in a source location." + }, + "AWS::MediaTailor::SourceLocation Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaTailor::VodSource": { + "HttpPackageConfigurations": "The HTTP package configurations for the VOD source.", + "SourceLocationName": "The name of the source location that the VOD source is associated with.", + "Tags": "The tags assigned to the VOD source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "VodSourceName": "The name of the VOD source." + }, + "AWS::MediaTailor::VodSource HttpPackageConfiguration": { + "Path": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "SourceGroup": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "Type": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` ." + }, + "AWS::MediaTailor::VodSource Tag": { + "Key": "", + "Value": "" }, "AWS::MemoryDB::ACL": { "ACLName": "The name of the Access Control List.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "UserNames": "The list of users that belong to the Access Control List." }, + "AWS::MemoryDB::ACL Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." 
+ }, "AWS::MemoryDB::Cluster": { "ACLName": "The name of the Access Control List to associate with the cluster .", "AutoMinorVersionUpgrade": "When set to true, the cluster will automatically receive minor engine version upgrades after launch.", @@ -21033,6 +24193,10 @@ "Address": "The DNS hostname of the node.", "Port": "The port number that the engine is listening on." }, + "AWS::MemoryDB::Cluster Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::MemoryDB::ParameterGroup": { "Description": "A description of the parameter group.", "Family": "The name of the parameter group family that this parameter group is compatible with.", 
@@ -21040,12 +24204,20 @@ "Parameters": "Returns the detailed parameter list for the parameter group.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::MemoryDB::ParameterGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::MemoryDB::SubnetGroup": { "Description": "A description of the subnet group.", "SubnetGroupName": "The name of the subnet group to be used for the cluster .", "SubnetIds": "A list of Amazon VPC subnet IDs for the subnet group.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::MemoryDB::SubnetGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::MemoryDB::User": { "AccessString": "Access permissions string used for this user.", "AuthenticationMode": "Denotes whether the user requires a password to authenticate.\n\n*Example:*\n\n`mynewdbuser: Type: AWS::MemoryDB::User Properties: AccessString: on ~* &* +@all AuthenticationMode: Passwords: '1234567890123456' Type: password UserName: mynewdbuser AuthenticationMode: { \"Passwords\": [\"1234567890123456\"], \"Type\": \"Password\" }`", 
@@ -21053,8 +24225,12 @@ "UserName": "The name of the user." }, "AWS::MemoryDB::User AuthenticationMode": { - "Passwords": "", - "Type": "" + "Passwords": "The password(s) used for authentication", + "Type": "Indicates whether the user requires a password to authenticate. All newly-created users require a password." + }, + "AWS::MemoryDB::User Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." }, "AWS::Neptune::DBCluster": { "AssociatedRoles": "Provides a list of the Amazon Identity and Access Management (IAM) roles that are associated with the DB cluster. IAM roles that are associated with a DB cluster grant permission for the DB cluster to access other Amazon services on your behalf.", 
@@ -21064,12 +24240,14 @@ "DBClusterIdentifier": "Contains a user-supplied DB cluster identifier. This identifier is the unique key that identifies a DB cluster.", "DBClusterParameterGroupName": "Provides the name of the DB cluster parameter group.\n\nAn update may require some interruption. See [ModifyDBInstance](https://docs.aws.amazon.com/neptune/latest/userguide/api-instances.html#ModifyDBInstance) in the Amazon Neptune User Guide for more information.", "DBInstanceParameterGroupName": "The name of the DB parameter group to apply to all instances of the DB cluster. Used only in case of a major engine version upgrade request\n\nNote that when you apply a parameter group using `DBInstanceParameterGroupName` , parameter changes are applied immediately, not during the next maintenance window.\n\n**Constraints** - The DB parameter group must be in the same DB parameter group family as the target DB cluster version.\n- The `DBInstanceParameterGroupName` parameter is only valid for major engine version upgrades.", + "DBPort": "The port number on which the DB instances in the DB cluster accept connections.\n\nIf not specified, the default port used is `8182` .\n\n> The `Port` property will soon be deprecated. Please update existing templates to use the new `DBPort` property that has the same functionality.", "DBSubnetGroupName": "Specifies information on the subnet group associated with the DB cluster, including the name, description, and subnets in the subnet group.", "DeletionProtection": "Indicates whether or not the DB cluster has deletion protection enabled. 
The database can't be deleted when deletion protection is enabled.", "EnableCloudwatchLogsExports": "Specifies a list of log types that are enabled for export to CloudWatch Logs.", "EngineVersion": "Indicates the database engine version.", "IamAuthEnabled": "True if mapping of Amazon Identity and Access Management (IAM) accounts to database accounts is enabled, and otherwise false.", "KmsKeyId": "If `StorageEncrypted` is true, the Amazon KMS key identifier for the encrypted DB cluster.", + "Port": "The port number on which the DB instances in the DB cluster accept connections.\n\nIf not specified, the default port used is `8182` .\n\n> This property will soon be deprecated. Please update existing templates to use the new `DBPort` property that has the same functionality.", "PreferredBackupWindow": "Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the `BackupRetentionPeriod` .\n\nAn update may require some interruption.", "PreferredMaintenanceWindow": "Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).", "RestoreToTime": "Creates a new DB cluster from a DB snapshot or DB cluster snapshot.\n\nIf a DB snapshot is specified, the target DB cluster is created from the source DB snapshot with a default configuration and default security group.\n\nIf a DB cluster snapshot is specified, the target DB cluster is created from the source DB cluster restore point with the same configuration as the original source DB cluster, except that the new DB cluster is created with the default security group.", 
@@ -21087,8 +24265,12 @@ "RoleArn": "The Amazon Resource Name (ARN) of the IAM role that is associated with the DB cluster." }, "AWS::Neptune::DBCluster ServerlessScalingConfiguration": { - "MaxCapacity": "", - "MinCapacity": "" + "MaxCapacity": "The maximum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 40, 40.5, 41, and so on.", + "MinCapacity": "The minimum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 8, 8.5, 9, and so on." + }, + "AWS::Neptune::DBCluster Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." }, "AWS::Neptune::DBClusterParameterGroup": { "Description": "Provides the customer-specified description for this DB cluster parameter group.", 
@@ -21097,6 +24279,10 @@ "Parameters": "The parameters to set for this DB cluster parameter group.\n\nThe parameters are expressed as a JSON object consisting of key-value pairs.\n\nIf you update the parameters, some interruption may occur depending on which parameters you update.", "Tags": "The tags that you want to attach to this parameter group." }, + "AWS::Neptune::DBClusterParameterGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::Neptune::DBInstance": { "AllowMajorVersionUpgrade": "Indicates that major version upgrades are allowed. Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. This parameter must be set to true when specifying a value for the EngineVersion parameter that is a different major version than the DB instance's current version.\n\nWhen you change this parameter for an existing DB cluster, CloudFormation will replace your existing DB cluster with a new, empty one that uses the engine version you specified.", "AutoMinorVersionUpgrade": "Indicates that minor version patches are applied automatically.\n\nWhen updating this property, some interruptions may occur.", 
@@ -21110,6 +24296,10 @@ "PreferredMaintenanceWindow": "Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).", "Tags": "An arbitrary set of tags (key-value pairs) for this DB instance." }, + "AWS::Neptune::DBInstance Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::Neptune::DBParameterGroup": { "Description": "Provides the customer-specified description for this DB parameter group.", "Family": "Must be `neptune1` for engine versions prior to [1.2.0.0](https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases-1.2.0.0.html) , or `neptune1.2` for engine version `1.2.0.0` and higher.", 
@@ -21117,12 +24307,20 @@ "Parameters": "The parameters to set for this DB parameter group.\n\nThe parameters are expressed as a JSON object consisting of key-value pairs.\n\nChanges to dynamic parameters are applied immediately. During an update, if you have static parameters (whether they were changed or not), it triggers AWS CloudFormation to reboot the associated DB instance without failover.", "Tags": "The tags that you want to attach to this parameter group." }, + "AWS::Neptune::DBParameterGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::Neptune::DBSubnetGroup": { "DBSubnetGroupDescription": "Provides the description of the DB subnet group.", "DBSubnetGroupName": "The name of the DB subnet group.", "SubnetIds": "The Amazon EC2 subnet IDs for the DB subnet group.", "Tags": "The tags that you want to attach to the DB subnet group." }, + "AWS::Neptune::DBSubnetGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. 
The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::NetworkFirewall::Firewall": { "DeleteProtection": "A flag indicating whether it is possible to delete the firewall. A setting of `TRUE` indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to `TRUE` .", "Description": "A description of the firewall.", @@ -21138,6 +24336,10 @@ "IPAddressType": "The subnet's IP address type. You can't change the IP address type after you create the subnet.", "SubnetId": "The unique identifier for the subnet." }, + "AWS::NetworkFirewall::Firewall Tag": { + "Key": "The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::NetworkFirewall::FirewallPolicy": { "Description": "A description of the firewall policy.", "FirewallPolicy": "The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.", 
@@ -21174,7 +24376,7 @@ "Dimensions": "" }, "AWS::NetworkFirewall::FirewallPolicy StatefulEngineOptions": { - "RuleOrder": "Indicates how to manage the order of stateful rule evaluation for the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", + "RuleOrder": "Indicates how to manage the order of stateful rule evaluation for the policy. `STRICT_ORDER` is the default and recommended option. With `STRICT_ORDER` , provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules. Choose `STRICT_ORDER` to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is `PASS` , followed by `DROP` , `REJECT` , and `ALERT` actions. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on your settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", "StreamExceptionPolicy": "Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.\n\n- `DROP` - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.\n- `CONTINUE` - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. 
This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to `drop http` traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent\u2014a TCP-layer rule using a `flow:stateless` rule would still match, as would the `aws:drop_strict` default action.\n- `REJECT` - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic." }, "AWS::NetworkFirewall::FirewallPolicy StatefulRuleGroupOverride": { 
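Review bot: The new `RuleOrder` description uses `STRICT_ORDER` for two opposite behaviours: first "provide your rules in the order that you want them to be evaluated", then "Choose `STRICT_ORDER` to have the stateful rules engine determine the evaluation order", with `PASS`, `DROP`, `REJECT`, `ALERT` precedence. The second sentence presumably means `DEFAULT_ACTION_ORDER`, which the removed line named as the default behaviour, so the new claim that `STRICT_ORDER` is the default also contradicts the text it replaces. A template author relies on this string to decide how a firewall policy orders its stateful rules, so I would change the sentence to `Choose DEFAULT_ACTION_ORDER to have the stateful rules engine determine the evaluation order of your rules.` and check the stated default against the service's actual behaviour. If this file is synced from upstream documentation, the correction belongs in the source it is generated from rather than in this hunk.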
@@ -21189,6 +24391,10 @@ "Priority": "An integer setting that indicates the order in which to run the stateless rule groups in a single `FirewallPolicy` . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.", "ResourceArn": "The Amazon Resource Name (ARN) of the stateless rule group." }, + "AWS::NetworkFirewall::FirewallPolicy Tag": { + "Key": "The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::NetworkFirewall::LoggingConfiguration": { "FirewallArn": "The Amazon Resource Name (ARN) of the `Firewall` that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.", "FirewallName": "The name of the firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.", 
@@ -21266,7 +24472,7 @@ "ReferenceSets": "The reference sets for the stateful rule group.", "RuleVariables": "Settings that are available for use in the rules in the rule group. You can only use these for stateful rule groups.", "RulesSource": "The stateful rules or stateless rules for the rule group.", - "StatefulRuleOptions": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings." + "StatefulRuleOptions": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings. Some limitations apply; for more information, see [Strict evaluation order](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html) in the *AWS Network Firewall Developer Guide* ." }, "AWS::NetworkFirewall::RuleGroup RuleOption": { "Keyword": "The Suricata rule option keywords. For Network Firewall , the keyword signature ID (sid) is required in the format `sid: 112233` . The sid must be unique within the rule group. For information about Suricata rule option keywords, see [Rule options](https://docs.aws.amazon.com/https://suricata.readthedocs.io/en/suricata-6.0.9/rules/intro.html#rule-options) .", 
@@ -21278,7 +24484,7 @@ }, "AWS::NetworkFirewall::RuleGroup RulesSource": { "RulesSourceList": "Stateful inspection criteria for a domain list rule group.", - "RulesString": "Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules. Suricata is an open-source network IPS that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.", + "RulesString": "Stateful inspection criteria, provided in Suricata compatible rules. Suricata is an open-source threat detection framework that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.\n\n> You can't use the `priority` keyword if the `RuleOrder` option in `StatefulRuleOptions` is set to `STRICT_ORDER` .", "StatefulRules": "An array of individual stateful rules inspection criteria to be used together in a stateful rule group. Use this option to specify simple Suricata rules with protocol, source and destination, ports, direction, and rule options. For information about the Suricata `Rules` format, see [Rules Format](https://docs.aws.amazon.com/https://suricata.readthedocs.io/en/suricata-6.0.9/rules/intro.html) .", "StatelessRulesAndCustomActions": "Stateless inspection criteria to be used in a stateless rule group." }, 
@@ -21307,11 +24513,15 @@
 "Flags": "Used in conjunction with the `Masks` setting to define the flags that must be set and flags that must not be set in order for the packet to match. This setting can only specify values that are also specified in the `Masks` setting.\n\nFor the flags that are specified in the masks setting, the following must be true for the packet to match:\n\n- The ones that are set in this flags setting must be set in the packet.\n- The ones that are not set in this flags setting must also not be set in the packet.",
 "Masks": "The set of flags to consider in the inspection. To inspect all flags in the valid values list, leave this with no setting."
 },
+ "AWS::NetworkFirewall::RuleGroup Tag": {
+ "Key": "The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.",
+ "Value": "The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive."
+ },
 "AWS::NetworkManager::ConnectAttachment": {
 "CoreNetworkId": "The ID of the core network where the Connect attachment is located.",
 "EdgeLocation": "The Region where the edge is located.",
 "Options": "Options for connecting an attachment.",
- "ProposedSegmentChange": "",
+ "ProposedSegmentChange": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.",
 "Tags": "",
 "TransportAttachmentId": "The ID of the transport attachment."
 },
@@ -21323,12 +24533,17 @@
 "SegmentName": "The name of the segment to change.",
 "Tags": "The list of key-value tags that changed for the segment."
 },
+ "AWS::NetworkManager::ConnectAttachment Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::ConnectPeer": {
- "BgpOptions": "",
+ "BgpOptions": "Describes the BGP options.",
 "ConnectAttachmentId": "The ID of the attachment to connect.",
 "CoreNetworkAddress": "The IP address of a core network.",
 "InsideCidrBlocks": "The inside IP addresses used for a Connect peer configuration.",
 "PeerAddress": "The IP address of the Connect peer.",
+ "SubnetArn": "The subnet ARN of the Connect peer.",
 "Tags": "The list of key-value tags associated with the Connect peer."
 },
 "AWS::NetworkManager::ConnectPeer BgpOptions": {
@@ -21347,6 +24562,10 @@
 "PeerAddress": "The IP address of the Connect peer.",
 "Protocol": "The protocol used for a Connect peer configuration."
 },
+ "AWS::NetworkManager::ConnectPeer Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::CoreNetwork": {
 "Description": "The description of a core network.",
 "GlobalNetworkId": "The ID of the global network that your core network is a part of.",
@@ -21363,6 +24582,10 @@
 "Name": "The name of a core network segment.",
 "SharedSegments": "The shared segments of a core network."
 },
+ "AWS::NetworkManager::CoreNetwork Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::CustomerGatewayAssociation": {
 "CustomerGatewayArn": "The Amazon Resource Name (ARN) of the customer gateway.",
 "DeviceId": "The ID of the device.",
@@ -21370,7 +24593,7 @@
 "LinkId": "The ID of the link."
 },
 "AWS::NetworkManager::Device": {
- "AWSLocation": "",
+ "AWSLocation": "The AWS location of the device.",
 "Description": "A description of the device.\n\nConstraints: Maximum length of 256 characters.",
 "GlobalNetworkId": "The ID of the global network.",
 "Location": "The site location.",
@@ -21382,18 +24605,28 @@
 "Vendor": "The vendor of the device.\n\nConstraints: Maximum length of 128 characters."
 },
 "AWS::NetworkManager::Device AWSLocation": {
- "SubnetArn": "",
- "Zone": ""
+ "SubnetArn": "The Amazon Resource Name (ARN) of the subnet that the device is located in.",
+ "Zone": "The Zone that the device is located in. Specify the ID of an Availability Zone, Local Zone, Wavelength Zone, or an Outpost."
 },
 "AWS::NetworkManager::Device Location": {
 "Address": "The physical address.",
 "Latitude": "The latitude.",
 "Longitude": "The longitude."
 },
+ "AWS::NetworkManager::Device Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::GlobalNetwork": {
+ "CreatedAt": "The date and time that the global network was created.",
 "Description": "A description of the global network.\n\nConstraints: Maximum length of 256 characters.",
+ "State": "The state of the global network.",
 "Tags": "The tags for the global network."
 },
+ "AWS::NetworkManager::GlobalNetwork Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::Link": {
 "Bandwidth": "The bandwidth for the link.",
 "Description": "A description of the link.\n\nConstraints: Maximum length of 256 characters.",
@@ -21407,6 +24640,10 @@
 "DownloadSpeed": "Download speed in Mbps.",
 "UploadSpeed": "Upload speed in Mbps."
 },
+ "AWS::NetworkManager::Link Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::LinkAssociation": {
 "DeviceId": "The device ID for the link association.",
 "GlobalNetworkId": "The ID of the global network.",
@@ -21423,9 +24660,13 @@
 "Latitude": "The latitude.",
 "Longitude": "The longitude."
 },
+ "AWS::NetworkManager::Site Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::SiteToSiteVpnAttachment": {
 "CoreNetworkId": "",
- "ProposedSegmentChange": "",
+ "ProposedSegmentChange": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.",
 "Tags": "",
 "VpnConnectionArn": "The ARN of the site-to-site VPN attachment."
 },
@@ -21434,11 +24675,19 @@
 "SegmentName": "The name of the segment to change.",
 "Tags": "The list of key-value tags that changed for the segment."
 },
+ "AWS::NetworkManager::SiteToSiteVpnAttachment Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::TransitGatewayPeering": {
 "CoreNetworkId": "The ID of the core network.",
 "Tags": "The list of key-value tags associated with the peering.",
 "TransitGatewayArn": "The ARN of the transit gateway."
 },
+ "AWS::NetworkManager::TransitGatewayPeering Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::TransitGatewayRegistration": {
 "GlobalNetworkId": "The ID of the global network.",
 "TransitGatewayArn": "The Amazon Resource Name (ARN) of the transit gateway."
@@ -21454,10 +24703,14 @@
 "SegmentName": "The name of the segment to change.",
 "Tags": "The list of key-value tags that changed for the segment."
 },
+ "AWS::NetworkManager::TransitGatewayRouteTableAttachment Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::VpcAttachment": {
 "CoreNetworkId": "The core network ID.",
 "Options": "Options for creating the VPC attachment.",
- "ProposedSegmentChange": "",
+ "ProposedSegmentChange": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.",
 "SubnetArns": "The subnet ARNs.",
 "Tags": "The tags associated with the VPC attachment.",
 "VpcArn": "The ARN of the VPC attachment."
@@ -21467,6 +24720,10 @@
 "SegmentName": "The name of the segment to change.",
 "Tags": "The list of key-value tags that changed for the segment."
 },
+ "AWS::NetworkManager::VpcAttachment Tag": {
+ "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.",
+ "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters."
+ },
 "AWS::NetworkManager::VpcAttachment VpcOptions": {
 "ApplianceModeSupport": "Indicates whether appliance mode is supported. If enabled, traffic flow between a source and destination use the same Availability Zone for the VPC attachment for the lifetime of that flow. The default value is `false` .",
 "Ipv6Support": "Indicates whether IPv6 is supported."
@@ -21482,20 +24739,20 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::NimbleStudio::LaunchProfile StreamConfiguration": { - "AutomaticTerminationMode": "", + "AutomaticTerminationMode": "Indicates if a streaming session created from this launch profile should be terminated automatically or retained without termination after being in a `STOPPED` state.\n\n- When `ACTIVATED` , the streaming session is scheduled for termination after being in the `STOPPED` state for the time specified in `maxStoppedSessionLengthInMinutes` .\n- When `DEACTIVATED` , the streaming session can remain in the `STOPPED` state indefinitely.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` . When allowed, the default value for this parameter is `DEACTIVATED` .", "ClipboardMode": "Allows or deactivates the use of the system clipboard to copy and paste between the streaming session and streaming client.", "Ec2InstanceTypes": "The EC2 instance types that users can select from when launching a streaming session with this launch profile.", "MaxSessionLengthInMinutes": "The length of time, in minutes, that a streaming session can be active before it is stopped or terminated. After this point, Nimble Studio automatically terminates or stops the session. The default length of time is 690 minutes, and the maximum length of time is 30 days.", "MaxStoppedSessionLengthInMinutes": "Integer that determines if you can start and stop your sessions and how long a session can stay in the `STOPPED` state. The default value is 0. The maximum value is 5760.\n\nThis field is allowed only when `sessionPersistenceMode` is `ACTIVATED` and `automaticTerminationMode` is `ACTIVATED` .\n\nIf the value is set to 0, your sessions can\u2019t be `STOPPED` . If you then call `StopStreamingSession` , the session fails. 
If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be terminated (instead of `STOPPED` ).\n\nIf the value is set to a positive number, the session can be stopped. You can call `StopStreamingSession` to stop sessions in the `READY` state. If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be stopped (instead of terminated).", - "SessionBackup": "", - "SessionPersistenceMode": "", + "SessionBackup": "Information about the streaming session backup.", + "SessionPersistenceMode": "Determine if a streaming session created from this launch profile can configure persistent storage. This means that `volumeConfiguration` and `automaticTerminationMode` are configured.", "SessionStorage": "The upload storage for a streaming session.", "StreamingImageIds": "The streaming images that users can select from when launching a streaming session with this launch profile.", - "VolumeConfiguration": "" + "VolumeConfiguration": "Custom volume configuration for the root volumes that are attached to streaming sessions.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` ." }, "AWS::NimbleStudio::LaunchProfile StreamConfigurationSessionBackup": { - "MaxBackupsToRetain": "", - "Mode": "" + "MaxBackupsToRetain": "The maximum number of backups that each streaming session created from this launch profile can have.", + "Mode": "Specifies how artists sessions are backed up.\n\nConfigures backups for streaming sessions launched with this launch profile. The default value is `DEACTIVATED` , which means that backups are deactivated. To allow backups, set this value to `AUTOMATIC` ." }, "AWS::NimbleStudio::LaunchProfile StreamConfigurationSessionStorage": { "Mode": "Allows artists to upload files to their workstations. The only valid option is `UPLOAD` .", 
@@ -21506,9 +24763,9 @@
 "Windows": "The folder path in Windows workstations where files are uploaded."
 },
 "AWS::NimbleStudio::LaunchProfile VolumeConfiguration": {
- "Iops": "",
- "Size": "",
- "Throughput": ""
+ "Iops": "The number of I/O operations per second for the root volume that is attached to streaming session.",
+ "Size": "The size of the root volume that is attached to the streaming session. The root volume size is measured in GiBs.",
+ "Throughput": "The throughput to provision for the root volume that is attached to the streaming session. The throughput is measured in MiB/s."
 },
 "AWS::NimbleStudio::StreamingImage": {
 "Description": "A human-readable description of the streaming image.",
@@ -21518,8 +24775,8 @@
 "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ."
 },
 "AWS::NimbleStudio::StreamingImage StreamingImageEncryptionConfiguration": {
- "KeyArn": "",
- "KeyType": ""
+ "KeyArn": "The ARN for a KMS key that is used to encrypt studio data.",
+ "KeyType": "The type of KMS key that is used to encrypt studio data."
 },
 "AWS::NimbleStudio::Studio": {
 "AdminRoleArn": "The IAM role that studio admins assume when logging in to the Nimble Studio portal.",
@@ -21539,7 +24796,9 @@
 "Ec2SecurityGroupIds": "The EC2 security groups that control access to the studio component.",
 "InitializationScripts": "Initialization scripts for studio components.",
 "Name": "A friendly name for the studio component resource.",
+ "RuntimeRoleArn": "An IAM role attached to a Studio Component that gives the studio component access to AWS resources at anytime while the instance is running.",
 "ScriptParameters": "Parameters for the studio component scripts.",
+ "SecureInitializationRoleArn": "An IAM role attached to Studio Component when the system initialization script runs which give the studio component access to AWS resources when the system initialization script runs.",
 "StudioId": "The unique identifier for a studio resource. In Nimble Studio , all other resources are contained in a studio resource.",
 "Subtype": "The specific subtype of a studio component.",
 "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .",
@@ -21585,6 +24844,8 @@
 "Script": "The initialization script."
 },
 "AWS::OSIS::Pipeline": {
+ "BufferOptions": "Options that specify the configuration of a persistent buffer. To configure how OpenSearch Ingestion encrypts this data, set the EncryptionAtRestOptions.",
+ "EncryptionAtRestOptions": "Options to control how OpenSearch encrypts all data-at-rest.",
 "LogPublishingOptions": "Key-value pairs that represent log publishing settings.",
 "MaxUnits": "The maximum pipeline capacity, in Ingestion Compute Units (ICUs).",
 "MinUnits": "The minimum pipeline capacity, in Ingestion Compute Units (ICUs).",
@@ -21593,13 +24854,23 @@
 "Tags": "List of tags to add to the pipeline upon creation.",
 "VpcOptions": "Options that specify the subnets and security groups for an OpenSearch Ingestion VPC endpoint."
 },
+ "AWS::OSIS::Pipeline BufferOptions": {
+ "PersistentBufferEnabled": "Whether persistent buffering should be enabled."
+ },
 "AWS::OSIS::Pipeline CloudWatchLogDestination": {
- "LogGroup": ""
+ "LogGroup": "The name of the CloudWatch Logs group to send pipeline logs to. You can specify an existing log group or create a new one. For example, `/aws/OpenSearchService/IngestionService/my-pipeline` ."
+ },
+ "AWS::OSIS::Pipeline EncryptionAtRestOptions": {
+ "KmsKeyArn": "The ARN of the KMS key used to encrypt data-at-rest in OpenSearch Ingestion. By default, data is encrypted using an AWS owned key."
 },
 "AWS::OSIS::Pipeline LogPublishingOptions": {
 "CloudWatchLogDestination": "The destination for OpenSearch Ingestion logs sent to Amazon CloudWatch Logs. This parameter is required if `IsLoggingEnabled` is set to `true` .",
 "IsLoggingEnabled": "Whether logs should be published."
 },
+ "AWS::OSIS::Pipeline Tag": {
+ "Key": "The tag key. Tag keys must be unique for the pipeline to which they are attached.",
+ "Value": "The value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key value pair in a tag set of `project : Trinity` and `cost-center : Trinity`"
+ },
 "AWS::OSIS::Pipeline VpcEndpoint": {
 "VpcEndpointId": "The unique identifier of the endpoint.",
 "VpcId": "The ID for your VPC. AWS PrivateLink generates this value when you create a VPC.",
@@ -21611,7 +24882,7 @@
 },
 "AWS::Oam::Link": {
 "LabelTemplate": "Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.\n\nYou can include the following variables in your template:\n\n- `$AccountName` is the name of the account\n- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as `mariagarcia@example.com`\n- `$AccountEmailNoDomain` is an email address without the domain name, such as `mariagarcia`",
- "ResourceTypes": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace` .",
+ "ResourceTypes": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application` .",
 "SinkIdentifier": "The ARN of the sink in the monitoring account that you want to link to. You can use [ListSinks](https://docs.aws.amazon.com/OAM/latest/APIReference/API_ListSinks.html) to find the ARNs of sinks.",
 "Tags": "An array of key-value pairs to apply to the link.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ."
 },
@@ -21657,13 +24928,14 @@
 "AWS::Omics::RunGroup": {
 "MaxCpus": "The group's maximum CPU count setting.",
 "MaxDuration": "The group's maximum duration setting in minutes.",
+ "MaxGpus": "The maximum GPUs that can be used by a run group.",
 "MaxRuns": "The group's maximum concurrent run setting.",
 "Name": "The group's name.",
 "Tags": "Tags for the group."
 },
 "AWS::Omics::SequenceStore": {
 "Description": "A description for the store.",
- "FallbackLocation": "",
+ "FallbackLocation": "An S3 location that is used to store files that have failed a direct upload.",
 "Name": "A name for the store.",
 "SseConfig": "Server-side encryption (SSE) settings for the store.",
 "Tags": "Tags for the store."
@@ -21687,6 +24959,7 @@
 "Type": "The encryption type."
 },
 "AWS::Omics::Workflow": {
+ "Accelerators": "",
 "DefinitionUri": "The URI of a definition for the workflow.",
 "Description": "The parameter's description.",
 "Engine": "An engine for the workflow.",
@@ -21709,8 +24982,19 @@
 "AWS::OpenSearchServerless::Collection": {
 "Description": "A description of the collection.",
 "Name": "The name of the collection.\n\nCollection names must meet the following criteria:\n\n- Starts with a lowercase letter\n- Unique to your account and AWS Region\n- Contains between 3 and 28 characters\n- Contains only lowercase letters a-z, the numbers 0-9, and the hyphen (-)",
+ "StandbyReplicas": "Details about an OpenSearch Serverless collection.",
 "Tags": "An arbitrary set of tags (key\u2013value pairs) to associate with the collection.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .",
- "Type": "The type of collection. Possible values are `SEARCH` and `TIMESERIES` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) ."
+ "Type": "The type of collection. Possible values are `SEARCH` , `TIMESERIES` , and `VECTORSEARCH` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) ."
+ },
+ "AWS::OpenSearchServerless::Collection Tag": {
+ "Key": "The key to use in the tag.",
+ "Value": "The value of the tag."
+ },
+ "AWS::OpenSearchServerless::LifecyclePolicy": {
+ "Description": "The description of the lifecycle policy.",
+ "Name": "The name of the lifecycle policy.",
+ "Policy": "The JSON policy document without any whitespaces.",
+ "Type": "The type of lifecycle policy."
 },
 "AWS::OpenSearchServerless::SecurityConfig": {
 "Description": "The description of the security configuration.",
@@ -21747,6 +25031,7 @@ "EBSOptions": "The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the OpenSearch Service domain. For more information, see [EBS volume size limits](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#ebsresource) in the *Amazon OpenSearch Service Developer Guide* .", "EncryptionAtRestOptions": "Whether the domain should encrypt data at rest, and if so, the AWS KMS key to use. See [Encryption of data at rest for Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html) .", "EngineVersion": "The version of OpenSearch to use. The value must be in the format `OpenSearch_X.Y` or `Elasticsearch_X.Y` . If not specified, the latest version of OpenSearch is used. For information about the versions that OpenSearch Service supports, see [Supported versions of OpenSearch and Elasticsearch](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html#choosing-version) in the *Amazon OpenSearch Service Developer Guide* .\n\nIf you set the [EnableVersionUpgrade](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html#cfn-attributes-updatepolicy-upgradeopensearchdomain) update policy to `true` , you can update `EngineVersion` without interruption. When `EnableVersionUpgrade` is set to `false` , or is not specified, updating `EngineVersion` results in [replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) .", + "IPAddressType": "The type of IP addresses supported by the endpoint for the domain.", "LogPublishingOptions": "An object with one or more of the following keys: `SEARCH_SLOW_LOGS` , `ES_APPLICATION_LOGS` , `INDEX_SLOW_LOGS` , `AUDIT_LOGS` , depending on the types of logs you want to publish. Each key needs a valid `LogPublishingOption` value. 
For the full syntax, see the [examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-opensearchservice-domain.html#aws-resource-opensearchservice-domain--examples) .", "NodeToNodeEncryptionOptions": "Specifies whether node-to-node encryption is enabled. See [Node-to-node encryption for Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ntn.html) .", "OffPeakWindowOptions": "Options for a domain's off-peak window, during which OpenSearch Service can perform mandatory configuration changes on the domain.", 
@@ -21848,6 +25133,10 @@
 "AWS::OpenSearchService::Domain SoftwareUpdateOptions": {
 "AutoSoftwareUpdateEnabled": "Specifies whether automatic service software updates are enabled for the domain."
 },
+ "AWS::OpenSearchService::Domain Tag": {
+ "Key": "The tag key. Tag keys must be unique for the domain to which they are attached.",
+ "Value": "The value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key value pair in a tag set of `project : Trinity` and `cost-center : Trinity`"
+ },
 "AWS::OpenSearchService::Domain VPCOptions": {
 "SecurityGroupIds": "The list of security group IDs that are associated with the VPC endpoints for the domain. If you don't provide a security group ID, OpenSearch Service uses the default security group for the VPC. To learn more, see [Security groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon VPC User Guide* .",
 "SubnetIds": "Provide one subnet ID for each Availability Zone that your domain uses. For example, you must specify three subnet IDs for a three-AZ domain. To learn more, see [VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon VPC User Guide* .\n\nIf you specify more than one subnet, you must also configure `ZoneAwarenessEnabled` and `ZoneAwarenessConfig` within [ClusterConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-clusterconfig.html) , otherwise you'll see the error \"You must specify exactly one subnet\" during template creation."
@@ -21880,7 +25169,7 @@
 },
 "AWS::OpsWorks::App EnvironmentVariable": {
 "Key": "(Required) The environment variable's name, which can consist of up to 64 characters and must be specified. The name can contain upper- and lowercase letters, numbers, and underscores (_), but it must start with a letter or underscore.",
- "Secure": "(Optional) Whether the variable's value is returned by the [DescribeApps](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeApps) action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .",
+ "Secure": "(Optional) Whether the variable's value is returned by the `DescribeApps` action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .",
 "Value": "(Optional) The environment variable's value, which can be left empty. If you specify a value, it can contain up to 256 characters, which must all be printable."
 },
 "AWS::OpsWorks::App Source": {
@@ -21901,7 +25190,7 @@ "LayerId": "The AWS OpsWorks layer ID to which the Elastic Load Balancing load balancer is attached." }, "AWS::OpsWorks::Instance": { - "AgentVersion": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.", + "AgentVersion": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.", "AmiId": "A custom AMI ID to be used to create the instance. The AMI should be based on one of the supported operating systems. 
For more information, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .\n\n> If you specify a custom AMI, you must set `Os` to `Custom` .", "Architecture": "The instance architecture. The default option is `x86_64` . Instance types do not necessarily support both architectures. For a list of the architectures that are supported by the different instance types, see [Instance Families and Types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) .", "AutoScalingType": "For load-based or time-based instances, the type. Windows stacks can use only time-based instances.", 
@@ -21910,10 +25199,10 @@ "EbsOptimized": "Whether to create an Amazon EBS-optimized instance.", "ElasticIps": "A list of Elastic IP addresses to associate with the instance.", "Hostname": "The instance host name. The following are character limits for instance host names.\n\n- Linux-based instances: 63 characters\n- Windows-based instances: 15 characters", - "InstallUpdatesOnBoot": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", + "InstallUpdatesOnBoot": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", "InstanceType": "The instance type, such as `t2.micro` . For a list of supported instance types, open the stack in the console, choose *Instances* , and choose *+ Instance* . The *Size* list contains the currently supported types. For more information, see [Instance Families and Types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) . 
The parameter values that you use to specify the various types are in the *API Name* column of the *Available Instance Types* table.", "LayerIds": "An array that contains the instance's layer IDs.", - "Os": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the [CreateInstance](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateInstance) action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . 
For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", + "Os": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the `CreateInstance` action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", "RootDeviceType": "The instance root device type. 
For more information, see [Storage for the Root Device](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html#storage-for-the-root-device) .", "SshKeyName": "The instance's Amazon EC2 key-pair name.", "StackId": "The stack ID.", 
@@ -21954,7 +25243,7 @@ "CustomRecipes": "A `LayerCustomRecipes` object that specifies the layer custom recipes.", "CustomSecurityGroupIds": "An array containing the layer custom security group IDs.", "EnableAutoHealing": "Whether to disable auto healing for the layer.", - "InstallUpdatesOnBoot": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", + "InstallUpdatesOnBoot": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", "LifecycleEventConfiguration": "A `LifeCycleEventConfiguration` object that you can use to configure the Shutdown event to specify an execution timeout and enable or disable Elastic Load Balancer connection draining.", "LoadBasedAutoScaling": "The load-based scaling configuration for the AWS OpsWorks layer.", "Name": "The layer name, which is used by the console. Layer names can be a maximum of 32 characters.", 
@@ -21993,6 +25282,10 @@ "DelayUntilElbConnectionsDrained": "Whether to enable Elastic Load Balancing connection draining. For more information, see [Connection Draining](https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#conn-drain)", "ExecutionTimeout": "The time, in seconds, that AWS OpsWorks Stacks waits after triggering a Shutdown event before shutting down an instance." }, + "AWS::OpsWorks::Layer Tag": { + "Key": "", + "Value": "" + }, "AWS::OpsWorks::Layer VolumeConfiguration": { "Encrypted": "Specifies whether an Amazon EBS volume is encrypted. For more information, see [Amazon EBS Encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) .", "Iops": "The number of I/O operations per second (IOPS) to provision for the volume. For PIOPS volumes, the IOPS per disk.\n\nIf you specify `io1` for the volume type, you must specify this property.", 
@@ -22003,7 +25296,7 @@ "VolumeType": "The volume type. For more information, see [Amazon EBS Volume Types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) .\n\n- `standard` - Magnetic. Magnetic volumes must have a minimum size of 1 GiB and a maximum size of 1024 GiB.\n- `io1` - Provisioned IOPS (SSD). PIOPS volumes must have a minimum size of 4 GiB and a maximum size of 16384 GiB.\n- `gp2` - General Purpose (SSD). General purpose volumes must have a minimum size of 1 GiB and a maximum size of 16384 GiB.\n- `st1` - Throughput Optimized hard disk drive (HDD). Throughput optimized HDD volumes must have a minimum size of 500 GiB and a maximum size of 16384 GiB.\n- `sc1` - Cold HDD. Cold HDD volumes must have a minimum size of 500 GiB and a maximum size of 16384 GiB." }, "AWS::OpsWorks::Stack": { - "AgentVersion": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", + "AgentVersion": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . 
AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", "Attributes": "One or more user-defined key-value pairs to be added to the stack attributes.", "ChefConfiguration": "A `ChefConfiguration` object that specifies whether to enable Berkshelf and the Berkshelf version on Chef 11.10 stacks. For more information, see [Create a New Stack](https://docs.aws.amazon.com/opsworks/latest/userguide/workingstacks-creating.html) .", "CloneAppIds": "If you're cloning an AWS OpsWorks stack, a list of AWS OpsWorks application stack IDs from the source stack to include in the cloned stack.", @@ -22054,6 +25347,10 @@ "Name": "The name. This parameter must be set to `Chef` .", "Version": "The Chef version. This parameter must be set to 12, 11.10, or 11.4 for Linux stacks, and to 12.2 for Windows stacks. The default value for Linux stacks is 12." }, + "AWS::OpsWorks::Stack Tag": { + "Key": "", + "Value": "" + }, "AWS::OpsWorks::UserProfile": { "AllowSelfManagement": "Whether users can specify their own SSH public key through the My Settings page. For more information, see [Managing User Permissions](https://docs.aws.amazon.com/opsworks/latest/userguide/security-settingsshkey.html) .", "IamUserArn": "The user's IAM ARN.", 
@@ -22092,33 +25389,279 @@ "Name": "The name of the engine attribute.\n\n*Attribute name for Chef Automate servers:*\n\n- `CHEF_AUTOMATE_ADMIN_PASSWORD`\n\n*Attribute names for Puppet Enterprise servers:*\n\n- `PUPPET_ADMIN_PASSWORD`\n- `PUPPET_R10K_REMOTE`\n- `PUPPET_R10K_PRIVATE_KEY`", "Value": "The value of the engine attribute.\n\n*Attribute value for Chef Automate servers:*\n\n- `CHEF_AUTOMATE_PIVOTAL_KEY` : A base64-encoded RSA public key. The corresponding private key is required to access the Chef API. You can generate this key by running the following [OpenSSL](https://docs.aws.amazon.com/https://www.openssl.org/) command on Linux-based computers.\n\n`openssl genrsa -out *pivotal_key_file_name* .pem 2048`\n\nOn Windows-based computers, you can use the PuTTYgen utility to generate a base64-encoded RSA private key. For more information, see [PuTTYgen - Key Generator for PuTTY on Windows](https://docs.aws.amazon.com/https://www.ssh.com/ssh/putty/windows/puttygen) on SSH.com.\n\n*Attribute values for Puppet Enterprise servers:*\n\n- `PUPPET_ADMIN_PASSWORD` : An administrator password that you can use to sign in to the Puppet Enterprise console webpage after the server is online. The password must use between 8 and 32 ASCII characters.\n- `PUPPET_R10K_REMOTE` : The r10k remote is the URL of your control repository (for example, ssh://git@your.git-repo.com:user/control-repo.git). Specifying an r10k remote opens TCP port 8170.\n- `PUPPET_R10K_PRIVATE_KEY` : If you are using a private Git repository, add `PUPPET_R10K_PRIVATE_KEY` to specify a PEM-encoded private SSH key." }, + "AWS::OpsWorksCM::Server Tag": { + "Key": "A tag key, such as `Stage` or `Name` . A tag key cannot be empty. The key can be a maximum of 127 characters, and can contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`", + "Value": "An optional tag value, such as `Production` or `test-owcm-server` . 
The value can be a maximum of 255 characters, and contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`" + }, "AWS::Organizations::Account": { "AccountName": "The account name given to the account when it was created.", "Email": "The email address associated with the AWS account.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) for this parameter is a string of characters that represents a standard internet email address.", "ParentIds": "The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in. If you don't specify this parameter, the `ParentId` defaults to the root ID.\n\nThis parameter only accepts a string array with one string value.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) for a parent ID string requires one of the following:\n\n- *Root* - A string that begins with \"r-\" followed by from 4 to 32 lowercase letters or digits.\n- *Organizational unit (OU)* - A string that begins with \"ou-\" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.", - "RoleName": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. 
The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Accessing and Administering the Member Accounts in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [Tutorial: Delegate Access Across AWS accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", + "RoleName": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. 
The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Creating the OrganizationAccountAccessRole in an invited member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [IAM Tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", "Tags": "A list of tags that you want to attach to the newly created account. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null` . For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the AWS Organizations User Guide.\n\n> If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created." }, + "AWS::Organizations::Account Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::Organizations::Organization": { - "FeatureSet": "Specifies the feature set supported by the new organization. 
Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide.*\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. 
Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` ." + "FeatureSet": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. 
For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide* .\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` ." }, "AWS::Organizations::OrganizationalUnit": { "Name": "The friendly name of this OU.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter is a string of any of the characters in the ASCII character range.", "ParentId": "The unique identifier (ID) of the parent root or OU that you want to create the new OU in.\n\n> To update the `ParentId` parameter value, you must first remove all accounts attached to the organizational unit (OU). OUs can't be moved within the organization with accounts still attached. 
\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) for a parent ID string requires one of the following:\n\n- *Root* - A string that begins with \"r-\" followed by from 4 to 32 lowercase letters or digits.\n- *Organizational unit (OU)* - A string that begins with \"ou-\" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.", "Tags": "A list of tags that you want to attach to the newly created OU. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null` . For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the AWS Organizations User Guide.\n\n> If any one of the tags is not valid or if you exceed the allowed number of tags for an OU, then the entire request fails and the OU is not created." }, + "AWS::Organizations::OrganizationalUnit Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::Organizations::Policy": { - "Content": "The policy text content. You can specify the policy content as a JSON object or a JSON string.\n\n> When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead. \n\nThe text that you supply must adhere to the rules of the policy type you specify in the `Type` parameter. 
The following AWS Organizations quotas are enforced for the maximum size of a policy document:\n\n- Service control policies: 5,120 bytes *(not characters)*\n- AI services opt-out policies: 2,500 characters\n- Backup policies: 10,000 characters\n- Tag policies: 10,000 characters\n\nFor more information about Organizations service quotas, see [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) in the *AWS Organizations User Guide* .", + "Content": "The policy text content. You can specify the policy content as a JSON object or a JSON string.\n\n> When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead. \n\nThe text that you supply must adhere to the rules of the policy type you specify in the `Type` parameter. The following AWS Organizations quotas are enforced for the maximum size of a policy document:\n\n- Service control policies: 5,120 characters\n- AI services opt-out policies: 2,500 characters\n- Backup policies: 10,000 characters\n- Tag policies: 10,000 characters\n\nFor more information about Organizations service quotas, see [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) in the *AWS Organizations User Guide* .", "Description": "Human readable description of the policy.", "Name": "Name of the policy.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter is a string of any of the characters in the ASCII character range.", "Tags": "A list of tags that you want to attach to the newly created policy. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null` . 
For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the AWS Organizations User Guide.\n\n> If any one of the tags is not valid or if you exceed the allowed number of tags for a policy, then the entire request fails and the policy is not created.", "TargetIds": "List of unique identifiers (IDs) of the root, OU, or account that you want to attach the policy to. You can get the ID by calling the [ListRoots](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListRoots.html) , [ListOrganizationalUnitsForParent](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListOrganizationalUnitsForParent.html) , or [ListAccounts](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html) operations. If you don't specify this parameter, the policy is created but not attached to any organization resource.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) for a target ID string requires one of the following:\n\n- *Root* - A string that begins with \"r-\" followed by from 4 to 32 lowercase letters or digits.\n- *Account* - A string that consists of exactly 12 digits.\n- *Organizational unit (OU)* - A string that begins with \"ou-\" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.", "Type": "The type of policy to create." }, + "AWS::Organizations::Policy Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::Organizations::ResourcePolicy": { "Content": "The policy text of the organization resource policy. 
You can specify the resource policy content as a JSON object or a JSON string.\n\n> When you specify the resource policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the resource policy content as a JSON object instead.", "Tags": "A list of tags that you want to attach to the newly created resource policy. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null` . For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the *AWS Organizations User Guide* .\n\n> If any one of the tags is not valid or if you exceed the allowed number of tags for the resource policy, then the entire request fails and the resource policy is not created." }, + "AWS::Organizations::ResourcePolicy Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, + "AWS::PCAConnectorAD::Connector": { + "CertificateAuthorityArn": "The Amazon Resource Name (ARN) of the certificate authority being used.", + "DirectoryId": "The identifier of the Active Directory.", + "Tags": "Metadata assigned to a connector consisting of a key-value pair.", + "VpcInformation": "Information of the VPC and security group(s) used with the connector." + }, + "AWS::PCAConnectorAD::Connector VpcInformation": { + "SecurityGroupIds": "The security groups used with the connector. You can use a maximum of 4 security groups with a connector." + }, + "AWS::PCAConnectorAD::DirectoryRegistration": { + "DirectoryId": "The identifier of the Active Directory.", + "Tags": "Metadata assigned to a directory registration consisting of a key-value pair." 
+ }, + "AWS::PCAConnectorAD::ServicePrincipalName": { + "ConnectorArn": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector.html](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "DirectoryRegistrationArn": "The Amazon Resource Name (ARN) that was returned when you called [CreateDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration.html) ." + }, + "AWS::PCAConnectorAD::Template": { + "ConnectorArn": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "Definition": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "Name": "Name of the templates. Template names must be unique.", + "ReenrollAllCertificateHolders": "This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.", + "Tags": "Metadata assigned to a template consisting of a key-value pair." + }, + "AWS::PCAConnectorAD::Template ApplicationPolicies": { + "Critical": "Marks the application policy extension as critical.", + "Policies": "Application policies describe what the certificate can be used for." 
+ }, + "AWS::PCAConnectorAD::Template ApplicationPolicy": { + "PolicyObjectIdentifier": "The object identifier (OID) of an application policy.", + "PolicyType": "The type of application policy" + }, + "AWS::PCAConnectorAD::Template CertificateValidity": { + "RenewalPeriod": "Renewal period is the period of time before certificate expiration when a new certificate will be requested.", + "ValidityPeriod": "Information describing the end of the validity period of the certificate. This parameter sets the \u201cNot After\u201d date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value." + }, + "AWS::PCAConnectorAD::Template EnrollmentFlagsV2": { + "EnableKeyReuseOnNtTokenKeysetStorageFull": "Allow renewal using the same key.", + "IncludeSymmetricAlgorithms": "Include symmetric algorithms allowed by the subject.", + "NoSecurityExtension": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "RemoveInvalidCertificateFromPersonalStore": "Delete expired or revoked certificates instead of archiving them.", + "UserInteractionRequired": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used." 
+ }, + "AWS::PCAConnectorAD::Template EnrollmentFlagsV3": { + "EnableKeyReuseOnNtTokenKeysetStorageFull": "Allow renewal using the same key.", + "IncludeSymmetricAlgorithms": "Include symmetric algorithms allowed by the subject.", + "NoSecurityExtension": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "RemoveInvalidCertificateFromPersonalStore": "Delete expired or revoked certificates instead of archiving them.", + "UserInteractionRequired": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used." + }, + "AWS::PCAConnectorAD::Template EnrollmentFlagsV4": { + "EnableKeyReuseOnNtTokenKeysetStorageFull": "Allow renewal using the same key.", + "IncludeSymmetricAlgorithms": "Include symmetric algorithms allowed by the subject.", + "NoSecurityExtension": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "RemoveInvalidCertificateFromPersonalStore": "Delete expired or revoked certificates instead of archiving them.", + "UserInteractionRequired": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used." + }, + "AWS::PCAConnectorAD::Template ExtensionsV2": { + "ApplicationPolicies": "Application policies specify what the certificate is used for and its purpose.", + "KeyUsage": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate." 
+ }, + "AWS::PCAConnectorAD::Template ExtensionsV3": { + "ApplicationPolicies": "Application policies specify what the certificate is used for and its purpose.", + "KeyUsage": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate." + }, + "AWS::PCAConnectorAD::Template ExtensionsV4": { + "ApplicationPolicies": "Application policies specify what the certificate is used for and its purpose.", + "KeyUsage": "The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate." + }, + "AWS::PCAConnectorAD::Template GeneralFlagsV2": { + "AutoEnrollment": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "MachineType": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users." + }, + "AWS::PCAConnectorAD::Template GeneralFlagsV3": { + "AutoEnrollment": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "MachineType": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users" + }, + "AWS::PCAConnectorAD::Template GeneralFlagsV4": { + "AutoEnrollment": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "MachineType": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users" + }, + "AWS::PCAConnectorAD::Template KeyUsage": { + "Critical": "Sets the key usage extension to critical.", + "UsageFlags": "The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate." 
+ }, + "AWS::PCAConnectorAD::Template KeyUsageFlags": { + "DataEncipherment": "DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.", + "DigitalSignature": "The digitalSignature is asserted when the subject public key is used for verifying digital signatures.", + "KeyAgreement": "KeyAgreement is asserted when the subject public key is used for key agreement.", + "KeyEncipherment": "KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.", + "NonRepudiation": "NonRepudiation is asserted when the subject public key is used to verify digital signatures." + }, + "AWS::PCAConnectorAD::Template KeyUsageProperty": { + "PropertyFlags": "You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.", + "PropertyType": "You can specify all key usages using property type ALL. You can use property type or property flags but not both." + }, + "AWS::PCAConnectorAD::Template KeyUsagePropertyFlags": { + "Decrypt": "Allows key for encryption and decryption.", + "KeyAgreement": "Allows key exchange without encryption.", + "Sign": "Allow key use for digital signature." + }, + "AWS::PCAConnectorAD::Template PrivateKeyAttributesV2": { + "CryptoProviders": "Defines the cryptographic providers used to generate the private key.", + "KeySpec": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "MinimalKeyLength": "Set the minimum key length of the private key." + }, + "AWS::PCAConnectorAD::Template PrivateKeyAttributesV3": { + "Algorithm": "Defines the algorithm used to generate the private key.", + "CryptoProviders": "Defines the cryptographic providers used to generate the private key.", + "KeySpec": "Defines the purpose of the private key. 
Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "KeyUsageProperty": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "MinimalKeyLength": "Set the minimum key length of the private key." + }, + "AWS::PCAConnectorAD::Template PrivateKeyAttributesV4": { + "Algorithm": "Defines the algorithm used to generate the private key.", + "CryptoProviders": "Defines the cryptographic providers used to generate the private key.", + "KeySpec": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "KeyUsageProperty": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "MinimalKeyLength": "Set the minimum key length of the private key." + }, + "AWS::PCAConnectorAD::Template PrivateKeyFlagsV2": { + "ClientVersion": "Defines the minimum client compatibility.", + "ExportableKey": "Allows the private key to be exported.", + "StrongKeyProtectionRequired": "Require user input when using the private key for enrollment." + }, + "AWS::PCAConnectorAD::Template PrivateKeyFlagsV3": { + "ClientVersion": "Defines the minimum client compatibility.", + "ExportableKey": "Allows the private key to be exported.", + "RequireAlternateSignatureAlgorithm": "Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "StrongKeyProtectionRequired": "Requirer user input when using the private key for enrollment." + }, + "AWS::PCAConnectorAD::Template PrivateKeyFlagsV4": { + "ClientVersion": "Defines the minimum client compatibility.", + "ExportableKey": "Allows the private key to be exported.", + "RequireAlternateSignatureAlgorithm": "Requires the PKCS #1 v2.1 signature format for certificates. 
You should verify that your CA, objects, and applications can accept this signature format.", + "RequireSameKeyRenewal": "Renew certificate using the same private key.", + "StrongKeyProtectionRequired": "Require user input when using the private key for enrollment.", + "UseLegacyProvider": "Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers." + }, + "AWS::PCAConnectorAD::Template SubjectNameFlagsV2": { + "RequireCommonName": "Include the common name in the subject name.", + "RequireDirectoryPath": "Include the directory path in the subject name.", + "RequireDnsAsCn": "Include the DNS as common name in the subject name.", + "RequireEmail": "Include the subject's email in the subject name.", + "SanRequireDirectoryGuid": "Include the globally unique identifier (GUID) in the subject alternate name.", + "SanRequireDns": "Include the DNS in the subject alternate name.", + "SanRequireDomainDns": "Include the domain DNS in the subject alternate name.", + "SanRequireEmail": "Include the subject's email in the subject alternate name.", + "SanRequireSpn": "Include the service principal name (SPN) in the subject alternate name.", + "SanRequireUpn": "Include the user principal name (UPN) in the subject alternate name." 
+ }, + "AWS::PCAConnectorAD::Template SubjectNameFlagsV3": { + "RequireCommonName": "Include the common name in the subject name.", + "RequireDirectoryPath": "Include the directory path in the subject name.", + "RequireDnsAsCn": "Include the DNS as common name in the subject name.", + "RequireEmail": "Include the subject's email in the subject name.", + "SanRequireDirectoryGuid": "Include the globally unique identifier (GUID) in the subject alternate name.", + "SanRequireDns": "Include the DNS in the subject alternate name.", + "SanRequireDomainDns": "Include the domain DNS in the subject alternate name.", + "SanRequireEmail": "Include the subject's email in the subject alternate name.", + "SanRequireSpn": "Include the service principal name (SPN) in the subject alternate name.", + "SanRequireUpn": "Include the user principal name (UPN) in the subject alternate name." + }, + "AWS::PCAConnectorAD::Template SubjectNameFlagsV4": { + "RequireCommonName": "Include the common name in the subject name.", + "RequireDirectoryPath": "Include the directory path in the subject name.", + "RequireDnsAsCn": "Include the DNS as common name in the subject name.", + "RequireEmail": "Include the subject's email in the subject name.", + "SanRequireDirectoryGuid": "Include the globally unique identifier (GUID) in the subject alternate name.", + "SanRequireDns": "Include the DNS in the subject alternate name.", + "SanRequireDomainDns": "Include the domain DNS in the subject alternate name.", + "SanRequireEmail": "Include the subject's email in the subject alternate name.", + "SanRequireSpn": "Include the service principal name (SPN) in the subject alternate name.", + "SanRequireUpn": "Include the user principal name (UPN) in the subject alternate name." + }, + "AWS::PCAConnectorAD::Template TemplateDefinition": { + "TemplateV2": "Template configuration to define the information included in certificates. 
Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "TemplateV3": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "TemplateV4": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings." + }, + "AWS::PCAConnectorAD::Template TemplateV2": { + "CertificateValidity": "Certificate validity describes the validity and renewal periods of a certificate.", + "EnrollmentFlags": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "Extensions": "Extensions describe the key usage extensions and application policies for a template.", + "GeneralFlags": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "PrivateKeyAttributes": "Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.", + "PrivateKeyFlags": "Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.", + "SubjectNameFlags": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "SupersededTemplates": "List of templates in Active Directory that are superseded by this template." 
+ }, + "AWS::PCAConnectorAD::Template TemplateV3": { + "CertificateValidity": "Certificate validity describes the validity and renewal periods of a certificate.", + "EnrollmentFlags": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "Extensions": "Extensions describe the key usage extensions and application policies for a template.", + "GeneralFlags": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "HashAlgorithm": "Specifies the hash algorithm used to hash the private key.", + "PrivateKeyAttributes": "Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.", + "PrivateKeyFlags": "Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.", + "SubjectNameFlags": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "SupersededTemplates": "List of templates in Active Directory that are superseded by this template." 
+ }, + "AWS::PCAConnectorAD::Template TemplateV4": { + "CertificateValidity": "Certificate validity describes the validity and renewal periods of a certificate.", + "EnrollmentFlags": "Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.", + "Extensions": "Extensions describe the key usage extensions and application policies for a template.", + "GeneralFlags": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "HashAlgorithm": "Specifies the hash algorithm used to hash the private key. Hash algorithm can only be specified when using Key Storage Providers.", + "PrivateKeyAttributes": "Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.", + "PrivateKeyFlags": "Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.", + "SubjectNameFlags": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "SupersededTemplates": "List of templates in Active Directory that are superseded by this template." + }, + "AWS::PCAConnectorAD::Template ValidityPeriod": { + "Period": "The numeric value for the validity period.", + "PeriodType": "The unit of time. You can select hours, days, weeks, months, and years." 
+ }, + "AWS::PCAConnectorAD::TemplateGroupAccessControlEntry": { + "AccessRights": "Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template.", + "GroupDisplayName": "Name of the Active Directory group. This name does not need to match the group name in Active Directory.", + "GroupSecurityIdentifier": "Security identifier (SID) of the group object from Active Directory. The SID starts with \"S-\".", + "TemplateArn": "The Amazon Resource Name (ARN) that was returned when you called [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html) ." + }, + "AWS::PCAConnectorAD::TemplateGroupAccessControlEntry AccessRights": { + "AutoEnroll": "Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment", + "Enroll": "Allow or deny an Active Directory group from enrolling certificates issued against a template." + }, "AWS::Panorama::ApplicationInstance": { "ApplicationInstanceIdToReplace": "The ID of an application instance to replace with the new instance.", "DefaultRuntimeContextDevice": "The device's ID.", 
@@ -22135,17 +25678,25 @@ "AWS::Panorama::ApplicationInstance ManifestPayload": { "PayloadData": "The application manifest." }, + "AWS::Panorama::ApplicationInstance Tag": { + "Key": "", + "Value": "" + }, "AWS::Panorama::Package": { "PackageName": "A name for the package.", - "StorageLocation": "", + "StorageLocation": "A storage location.", "Tags": "Tags for the package." }, "AWS::Panorama::Package StorageLocation": { - "BinaryPrefixLocation": "", - "Bucket": "", - "GeneratedPrefixLocation": "", - "ManifestPrefixLocation": "", - "RepoPrefixLocation": "" + "BinaryPrefixLocation": "The location's binary prefix.", + "Bucket": "The location's bucket.", + "GeneratedPrefixLocation": "The location's generated prefix.", + "ManifestPrefixLocation": "The location's manifest prefix.", + "RepoPrefixLocation": "The location's repo prefix." + }, + "AWS::Panorama::Package Tag": { + "Key": "", + "Value": "" }, "AWS::Panorama::PackageVersion": { "MarkLatest": "Whether to mark the new version as the latest version.", 
@@ -22157,13 +25708,13 @@ }, "AWS::Personalize::Dataset": { "DatasetGroupArn": "The Amazon Resource Name (ARN) of the dataset group.", - "DatasetImportJob": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset.", - "DatasetType": "One of the following values:\n\n- Interactions\n- Items\n- Users", + "DatasetImportJob": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset. If you specify a dataset import job as part of a dataset, all dataset import job fields are required.", + "DatasetType": "One of the following values:\n\n- Interactions\n- Items\n- Users\n- Actions\n- Action_Interactions", "Name": "The name of the dataset.", "SchemaArn": "The ARN of the associated schema." }, "AWS::Personalize::Dataset DataSource": { - "DataLocation": "" + "DataLocation": "The path to the Amazon S3 bucket where the data that you want to upload to your dataset is stored. For example:\n\n`s3://bucket-name/folder-name/`" }, "AWS::Personalize::Dataset DatasetImportJob": { "DataSource": "The Amazon S3 bucket that contains the training data to import.", @@ -22176,7 +25727,7 @@ "Domain": "The domain of a Domain dataset group.", "KmsKeyArn": "The Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) key used to encrypt the datasets.", "Name": "The name of the dataset group.", - "RoleArn": "The ARN of the IAM role that has permissions to create the dataset group." + "RoleArn": "The ARN of the AWS Identity and Access Management (IAM) role that has permissions to access the AWS Key Management Service (KMS) key. Supplying an IAM role is only valid when also specifying a KMS key." }, "AWS::Personalize::Schema": { "Domain": "The domain of a schema that you created for a dataset in a Domain dataset group.", 
@@ -22193,44 +25744,44 @@ "SolutionConfig": "Describes the configuration properties for the solution." }, "AWS::Personalize::Solution AlgorithmHyperParameterRanges": { - "CategoricalHyperParameterRanges": "", - "ContinuousHyperParameterRanges": "", - "IntegerHyperParameterRanges": "" + "CategoricalHyperParameterRanges": "Provides the name and range of a categorical hyperparameter.", + "ContinuousHyperParameterRanges": "Provides the name and range of a continuous hyperparameter.", + "IntegerHyperParameterRanges": "Provides the name and range of an integer-valued hyperparameter." }, "AWS::Personalize::Solution AutoMLConfig": { - "MetricName": "", - "RecipeList": "" + "MetricName": "The metric to optimize.", + "RecipeList": "The list of candidate recipes." }, "AWS::Personalize::Solution CategoricalHyperParameterRange": { - "Name": "", - "Values": "" + "Name": "The name of the hyperparameter.", + "Values": "A list of the categories for the hyperparameter." }, "AWS::Personalize::Solution ContinuousHyperParameterRange": { - "MaxValue": "", - "MinValue": "", - "Name": "" + "MaxValue": "The maximum allowable value for the hyperparameter.", + "MinValue": "The minimum allowable value for the hyperparameter.", + "Name": "The name of the hyperparameter." }, "AWS::Personalize::Solution HpoConfig": { - "AlgorithmHyperParameterRanges": "", - "HpoObjective": "", - "HpoResourceConfig": "" + "AlgorithmHyperParameterRanges": "The hyperparameters and their allowable ranges.", + "HpoObjective": "The metric to optimize during HPO.\n\n> Amazon Personalize doesn't support configuring the `hpoObjective` at this time.", + "HpoResourceConfig": "Describes the resource configuration for HPO." }, "AWS::Personalize::Solution HpoObjective": { - "MetricName": "", - "MetricRegex": "", - "Type": "" + "MetricName": "The name of the metric.", + "MetricRegex": "A regular expression for finding the metric in the training job logs.", + "Type": "The type of the metric. 
Valid values are `Maximize` and `Minimize` ." }, "AWS::Personalize::Solution HpoResourceConfig": { - "MaxNumberOfTrainingJobs": "", - "MaxParallelTrainingJobs": "" + "MaxNumberOfTrainingJobs": "The maximum number of training jobs when you create a solution version. The maximum value for `maxNumberOfTrainingJobs` is `40` .", + "MaxParallelTrainingJobs": "The maximum number of parallel training jobs when you create a solution version. The maximum value for `maxParallelTrainingJobs` is `10` ." }, "AWS::Personalize::Solution IntegerHyperParameterRange": { - "MaxValue": "", - "MinValue": "", - "Name": "" + "MaxValue": "The maximum allowable value for the hyperparameter.", + "MinValue": "The minimum allowable value for the hyperparameter.", + "Name": "The name of the hyperparameter." }, "AWS::Personalize::Solution SolutionConfig": { - "AlgorithmHyperParameters": "Lists the hyperparameter names and ranges.", + "AlgorithmHyperParameters": "Lists the algorithm hyperparameters and their values.", "AutoMLConfig": "The [AutoMLConfig](https://docs.aws.amazon.com/personalize/latest/dg/API_AutoMLConfig.html) object containing a list of recipes to search when AutoML is performed.", "EventValueThreshold": "Only events with a value greater than or equal to this threshold are used for training a model.", "FeatureTransformationParameters": "Lists the feature transformation parameters.", 
@@ -22293,7 +25844,7 @@ "AWS::Pinpoint::ApplicationSettings": { "ApplicationId": "The unique identifier for the Amazon Pinpoint application.", "CampaignHook": "The settings for the Lambda function to use by default as a code hook for campaigns in the application. To override these settings for a specific campaign, use the Campaign resource to define custom Lambda function settings for the campaign.", - "CloudWatchMetricsEnabled": "Specifies whether to enable application-related alarms in Amazon CloudWatch.", + "CloudWatchMetricsEnabled": "", "Limits": "The default sending limits for campaigns in the application. To override these limits for a specific campaign, use the Campaign resource to define custom limits for the campaign.", "QuietTime": "The default quiet time for campaigns in the application. Quiet time is a specific time range when campaigns don't send messages to endpoints, if all the following conditions are met:\n\n- The `EndpointDemographic.Timezone` property of the endpoint is set to a valid value.\n\n- The current time in the endpoint's time zone is later than or equal to the time specified by the `QuietTime.Start` property for the application (or a campaign that has custom quiet time settings).\n\n- The current time in the endpoint's time zone is earlier than or equal to the time specified by the `QuietTime.End` property for the application (or a campaign that has custom quiet time settings).\n\nIf any of the preceding conditions isn't met, the endpoint will receive messages from a campaign, even if quiet time is enabled.\n\nTo override the default quiet time settings for a specific campaign, use the Campaign resource to define a custom quiet time for the campaign." }, 
@@ -22327,20 +25878,16 @@ "HoldoutPercent": "The allocated percentage of users (segment members) who shouldn't receive messages from the campaign.", "IsPaused": "Specifies whether to pause the campaign. A paused campaign doesn't run unless you resume it by changing this value to `false` . If you restart a campaign, the campaign restarts from the beginning and not at the point you paused it. If a campaign is running it will complete and then pause. Pause only pauses or skips the next run for a recurring future scheduled campaign. A campaign scheduled for immediate can't be paused.", "Limits": "The messaging limits for the campaign.", - "MessageConfiguration": "The message configuration settings for the campaign.", + "MessageConfiguration": "The message configuration settings for the treatment.", "Name": "The name of the campaign.", "Priority": "An integer between 1 and 5, inclusive, that represents the priority of the in-app message campaign, where 1 is the highest priority and 5 is the lowest. If there are multiple messages scheduled to be displayed at the same time, the priority determines the order in which those messages are displayed.", - "Schedule": "The schedule settings for the campaign.", + "Schedule": "The schedule settings for the treatment.", "SegmentId": "The unique identifier for the segment to associate with the campaign.", "SegmentVersion": "The version of the segment to associate with the campaign.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "TemplateConfiguration": "The message template to use for the treatment.", - "TreatmentDescription": "A custom description of the default treatment for the campaign.", - "TreatmentName": "A custom name of the default treatment for the campaign, if the campaign has multiple treatments. A *treatment* is a variation of a campaign that's used for A/B testing." 
- }, - "AWS::Pinpoint::Campaign AttributeDimension": { - "AttributeType": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "Values": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values." + "TreatmentDescription": "A custom description of the treatment.", + "TreatmentName": "A custom name for the treatment." }, "AWS::Pinpoint::Campaign CampaignCustomMessage": { "Data": "The raw, JSON-formatted string to use as the payload for the message. The maximum size is 5 KB." 
@@ -22446,10 +25993,6 @@ "InAppMessage": "The default message for the in-app messaging channel. This message overrides the default message ( `DefaultMessage` ).", "SMSMessage": "The message that the campaign sends through the SMS channel. If specified, this message overrides the default message." }, - "AWS::Pinpoint::Campaign MetricDimension": { - "ComparisonOperator": "The operator to use when comparing metric values. Valid values are: `GREATER_THAN` , `LESS_THAN` , `GREATER_THAN_OR_EQUAL` , `LESS_THAN_OR_EQUAL` , and `EQUAL` .", - "Value": "The value to compare." - }, "AWS::Pinpoint::Campaign OverrideButtonConfiguration": { "ButtonAction": "The action that occurs when a recipient chooses a button in an in-app message. You can specify one of the following:\n\n- `LINK` \u2013 A link to a web destination.\n- `DEEP_LINK` \u2013 A link to a specific page in an application.\n- `CLOSE` \u2013 Dismisses the message.", "Link": "The destination (such as a URL) for a button." 
@@ -22570,7 +26113,7 @@ "GCM": "The message template to use for the GCM channel, which is used to send notifications through the Firebase Cloud Messaging (FCM), formerly Google Cloud Messaging (GCM), service. This message template overrides the default template for push notification channels ( `Default` ).", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "TemplateDescription": "A custom description of the message template.", - "TemplateName": "The name of the message template." + "TemplateName": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template." }, "AWS::Pinpoint::PushTemplate APNSPushNotificationTemplate": { "Action": "The action to occur if a recipient taps a push notification that's based on the message template. Valid values are:\n\n- `OPEN_APP` \u2013 Your app opens or it becomes the foreground app if it was sent to the background. This is the default action.\n- `DEEP_LINK` \u2013 Your app opens and displays a designated user interface in the app. This setting uses the deep-linking features of the iOS platform.\n- `URL` \u2013 The default mobile browser on the recipient's device opens and loads the web page at a URL that you specify.", 
@@ -22605,15 +26148,11 @@ }, "AWS::Pinpoint::Segment": { "ApplicationId": "The unique identifier for the Amazon Pinpoint application that the segment is associated with.", - "Dimensions": "The criteria that define the dimensions for the segment.", + "Dimensions": "An array that defines the dimensions for the segment.", "Name": "The name of the segment.\n\n> A segment must have a name otherwise it will not appear in the Amazon Pinpoint console.", "SegmentGroups": "The segment group to use and the dimensions to apply to the group's base segments in order to build the segment. A segment group can consist of zero or more base segments. Your request can include only one segment group.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, - "AWS::Pinpoint::Segment AttributeDimension": { - "AttributeType": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "Values": "The criteria values to use for the segment dimension. 
Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values." - }, "AWS::Pinpoint::Segment Behavior": { "Recency": "Specifies how recently segment members were active." }, @@ -22672,7 +26211,7 @@ "DefaultSubstitutions": "A JSON object that specifies the default values to use for message variables in the message template. This object is a set of key-value pairs. Each key defines a message variable in the template. The corresponding value defines the default value for that variable. When you create a message that's based on the template, you can override these defaults with message-specific and address-specific variables and values.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "TemplateDescription": "A custom description of the message template.", - "TemplateName": "The name of the message template." + "TemplateName": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template." }, "AWS::Pinpoint::VoiceChannel": { "ApplicationId": "The unique identifier for the Amazon Pinpoint application that the voice channel applies to.", @@ -22761,6 +26300,7 @@ "DesiredState": "The state the pipe should be in.", "Enrichment": "The ARN of the enrichment resource.", "EnrichmentParameters": "The parameters required to set up enrichment on your pipe.", + "LogConfiguration": "The logging configuration settings for the pipe.", "Name": "The name of the pipe.", "RoleArn": "The ARN of the role that allows the pipe to send data to the target.", "Source": "The ARN of the source resource.", 
@@ -22803,8 +26343,11 @@ "CapacityProvider": "The short name of the capacity provider.", "Weight": "The weight value designates the relative percentage of the total number of tasks launched that should use the specified capacity provider. The weight value is taken into consideration after the base value, if defined, is satisfied." }, + "AWS::Pipes::Pipe CloudwatchLogsLogDestination": { + "LogGroupArn": "The AWS Resource Name (ARN) for the CloudWatch log group to which EventBridge sends the log records." + }, "AWS::Pipes::Pipe DeadLetterConfig": { - "Arn": "The ARN of the Amazon SQS queue specified as the target for the dead-letter queue." + "Arn": "The ARN of the specified target for the dead-letter queue.\n\nFor Amazon Kinesis stream and Amazon DynamoDB stream sources, specify either an Amazon SNS topic or Amazon SQS queue ARN." }, "AWS::Pipes::Pipe EcsContainerOverride": { "Command": "The command to send to the container that overrides the default command from the Docker image or the task definition. You must also specify a container name.", @@ -22850,6 +26393,9 @@ "AWS::Pipes::Pipe FilterCriteria": { "Filters": "The event patterns." }, + "AWS::Pipes::Pipe FirehoseLogDestination": { + "DeliveryStreamArn": "The Amazon Resource Name (ARN) of the Kinesis Data Firehose delivery stream to which EventBridge delivers the pipe log records." + }, "AWS::Pipes::Pipe MQBrokerAccessCredentials": { "BasicAuth": "The ARN of the Secrets Manager secret." }, 
@@ -22869,6 +26415,13 @@ "HttpParameters": "Contains the HTTP parameters to use when the target is a API Gateway REST endpoint or EventBridge ApiDestination.\n\nIf you specify an API Gateway REST API or EventBridge ApiDestination as a target, you can use this parameter to specify headers, path parameters, and query string keys/values as part of your target invoking request. If you're using ApiDestinations, the corresponding Connection can also have these values configured. In case of any conflicting keys, values from the Connection take precedence.", "InputTemplate": "Valid JSON text passed to the enrichment. In this case, nothing from the event itself is passed to the enrichment. For more information, see [The JavaScript Object Notation (JSON) Data Interchange Format](https://docs.aws.amazon.com/http://www.rfc-editor.org/rfc/rfc7159.txt) .\n\nTo remove an input template, specify an empty string." }, + "AWS::Pipes::Pipe PipeLogConfiguration": { + "CloudwatchLogsLogDestination": "The logging configuration settings for the pipe.", + "FirehoseLogDestination": "The Amazon Kinesis Data Firehose logging configuration settings for the pipe.", + "IncludeExecutionData": "Whether the execution data (specifically, the `payload` , `awsRequest` , and `awsResponse` fields) is included in the log messages for this pipe.\n\nThis applies to all log destinations for the pipe.\n\nFor more information, see [Including execution data in logs](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes-logs.html#eb-pipes-logs-execution-data) in the *Amazon EventBridge User Guide* .", + "Level": "The level of logging detail to include. This applies to all log destinations for the pipe.", + "S3LogDestination": "The Amazon S3 logging configuration settings for the pipe." + }, "AWS::Pipes::Pipe PipeSourceActiveMQBrokerParameters": { "BatchSize": "The maximum number of records to include in each batch.", "Credentials": "The credentials needed to access the resource.", 
@@ -22911,7 +26464,7 @@ "KinesisStreamParameters": "The parameters for using a Kinesis stream as a source.", "ManagedStreamingKafkaParameters": "The parameters for using an MSK stream as a source.", "RabbitMQBrokerParameters": "The parameters for using a Rabbit MQ broker as a source.", - "SelfManagedKafkaParameters": "The parameters for using a self-managed Apache Kafka stream as a source.", + "SelfManagedKafkaParameters": "The parameters for using a stream as a source.", "SqsQueueParameters": "The parameters for using a Amazon SQS stream as a source." }, "AWS::Pipes::Pipe PipeSourceRabbitMQBrokerParameters": { 
@@ -23024,6 +26577,12 @@ "Field": "The field to apply the placement strategy against. For the spread placement strategy, valid values are instanceId (or host, which has the same effect), or any platform or custom attribute that is applied to a container instance, such as attribute:ecs.availability-zone. For the binpack placement strategy, valid values are cpu and memory. For the random placement strategy, this field is not used.", "Type": "The type of placement strategy. The random placement strategy randomly places tasks on available candidates. The spread placement strategy spreads placement across available candidates evenly based on the field parameter. The binpack strategy places tasks on available candidates that have the least available amount of the resource that is specified with the field parameter. For example, if you binpack on memory, a task is placed on the instance with the least amount of remaining memory (but still enough to run the task)." }, + "AWS::Pipes::Pipe S3LogDestination": { + "BucketName": "The name of the Amazon S3 bucket to which EventBridge delivers the log records for the pipe.", + "BucketOwner": "The AWS account that owns the Amazon S3 bucket to which EventBridge delivers the log records for the pipe.", + "OutputFormat": "The format EventBridge uses for the log records.\n\n- `json` : JSON\n- `plain` : Plain text\n- `w3c` : [W3C extended logging file format](https://docs.aws.amazon.com/https://www.w3.org/TR/WD-logfile)", + "Prefix": "The prefix text with which to begin Amazon S3 log object names.\n\nFor more information, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html) in the *Amazon Simple Storage Service User Guide* ." + }, "AWS::Pipes::Pipe SageMakerPipelineParameter": { "Name": "Name of parameter to start execution of a SageMaker Model Building Pipeline.", "Value": "Value of parameter to start execution of a SageMaker Model Building Pipeline." 
@@ -23038,6 +26597,10 @@ "SecurityGroup": "Specifies the security groups associated with the stream. These security groups must all be in the same VPC. You can specify as many as five security groups. If you do not specify a security group, the default security group for the VPC is used.", "Subnets": "Specifies the subnets associated with the stream. These subnets must all be in the same VPC. You can specify as many as 16 subnets." }, + "AWS::Pipes::Pipe Tag": { + "Key": "The key of the key-value pair.", + "Value": "The value of the key-value pair." + }, "AWS::Proton::EnvironmentAccountConnection": { "CodebuildRoleArn": "The Amazon Resource Name (ARN) of an IAM service role in the environment account. AWS Proton uses this role to provision infrastructure resources using CodeBuild-based provisioning in the associated environment account.", "ComponentRoleArn": "The Amazon Resource Name (ARN) of the IAM service role that AWS Proton uses when provisioning directly defined components in the associated environment account. It determines the scope of infrastructure that a component can provision in the account.\n\nThe environment account connection must have a `componentRoleArn` to allow directly defined components to be associated with any environments running in the account.\n\nFor more information about components, see [AWS Proton components](https://docs.aws.amazon.com/proton/latest/userguide/ag-components.html) in the *AWS Proton User Guide* .", 
@@ -23047,6 +26610,10 @@ "RoleArn": "The IAM service role that's associated with the environment account connection.", "Tags": "An optional list of metadata items that you can associate with the AWS Proton environment account connection. A tag is a key-value pair.\n\nFor more information, see [AWS Proton resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *AWS Proton User Guide* ." }, + "AWS::Proton::EnvironmentAccountConnection Tag": { + "Key": "The key of the resource tag.", + "Value": "The value of the resource tag." + }, "AWS::Proton::EnvironmentTemplate": { "Description": "A description of the environment template.", "DisplayName": "The name of the environment template as displayed in the developer interface.", @@ -23055,6 +26622,10 @@ "Provisioning": "When included, indicates that the environment template is for customer provisioned and managed infrastructure.", "Tags": "An optional list of metadata items that you can associate with the AWS Proton environment template. A tag is a key-value pair.\n\nFor more information, see [AWS Proton resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *AWS Proton User Guide* ." }, + "AWS::Proton::EnvironmentTemplate Tag": { + "Key": "The key of the resource tag.", + "Value": "The value of the resource tag." + }, "AWS::Proton::ServiceTemplate": { "Description": "A description of the service template.", "DisplayName": "The service template name as displayed in the developer interface.", 
@@ -23063,6 +26634,10 @@ "PipelineProvisioning": "If `pipelineProvisioning` is `true` , a service pipeline is included in the service template. Otherwise, a service pipeline *isn't* included in the service template.", "Tags": "An object that includes the template bundle S3 bucket path and name for the new version of a service template." }, + "AWS::Proton::ServiceTemplate Tag": { + "Key": "The key of the resource tag.", + "Value": "The value of the resource tag." + }, "AWS::QLDB::Ledger": { "DeletionProtection": "Specifies whether the ledger is protected from being deleted by any user. If not defined during ledger creation, this feature is enabled ( `true` ) by default.\n\nIf deletion protection is enabled, you must first disable it before you can delete the ledger. You can disable it by calling the `UpdateLedger` operation to set this parameter to `false` .", "KmsKey": "The key in AWS Key Management Service ( AWS KMS ) to use for encryption of data at rest in the ledger. For more information, see [Encryption at rest](https://docs.aws.amazon.com/qldb/latest/developerguide/encryption-at-rest.html) in the *Amazon QLDB Developer Guide* .\n\nUse one of the following options to specify this parameter:\n\n- `AWS_OWNED_KMS_KEY` : Use an AWS KMS key that is owned and managed by AWS on your behalf.\n- *Undefined* : By default, use an AWS owned KMS key.\n- *A valid symmetric customer managed KMS key* : Use the specified symmetric encryption KMS key in your account that you create, own, and manage.\n\nAmazon QLDB does not support asymmetric keys. For more information, see [Using symmetric and asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .\n\nTo specify a customer managed KMS key, you can use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with `\"alias/\"` . 
To specify a key in a different AWS account , you must use the key ARN or alias ARN.\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Alias name: `alias/ExampleAlias`\n- Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`\n\nFor more information, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", 
@@ -23070,6 +26645,10 @@ "PermissionsMode": "The permissions mode to assign to the ledger that you want to create. This parameter can have one of the following values:\n\n- `ALLOW_ALL` : A legacy permissions mode that enables access control with API-level granularity for ledgers.\n\nThis mode allows users who have the `SendCommand` API permission for this ledger to run all PartiQL commands (hence, `ALLOW_ALL` ) on any tables in the specified ledger. This mode disregards any table-level or command-level IAM permissions policies that you create for the ledger.\n- `STANDARD` : ( *Recommended* ) A permissions mode that enables access control with finer granularity for ledgers, tables, and PartiQL commands.\n\nBy default, this mode denies all user requests to run any PartiQL commands on any tables in this ledger. To allow PartiQL commands to run, you must create IAM permissions policies for specific table resources and PartiQL actions, in addition to the `SendCommand` API permission for the ledger. For information, see [Getting started with the standard permissions mode](https://docs.aws.amazon.com/qldb/latest/developerguide/getting-started-standard-mode.html) in the *Amazon QLDB Developer Guide* .\n\n> We strongly recommend using the `STANDARD` permissions mode to maximize the security of your ledger data.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::QLDB::Ledger Tag": { + "Key": "", + "Value": "" + }, "AWS::QLDB::Stream": { "ExclusiveEndTime": "The exclusive date and time that specifies when the stream ends. If you don't define this parameter, the stream runs indefinitely until you cancel it.\n\nThe `ExclusiveEndTime` must be in `ISO 8601` date and time format and in Universal Coordinated Time (UTC). 
For example: `2019-06-13T21:36:34Z` .", "InclusiveStartTime": "The inclusive start date and time from which to start streaming journal data. This parameter must be in `ISO 8601` date and time format and in Universal Coordinated Time (UTC). For example: `2019-06-13T21:36:34Z` .\n\nThe `InclusiveStartTime` cannot be in the future and must be before `ExclusiveEndTime` .\n\nIf you provide an `InclusiveStartTime` that is before the ledger's `CreationDateTime` , QLDB effectively defaults it to the ledger's `CreationDateTime` .", @@ -23083,6 +26662,10 @@ "AggregationEnabled": "Enables QLDB to publish multiple data records in a single Kinesis Data Streams record, increasing the number of records sent per API call.\n\nDefault: `True`\n\n> Record aggregation has important implications for processing records and requires de-aggregation in your stream consumer. To learn more, see [KPL Key Concepts](https://docs.aws.amazon.com/streams/latest/dev/kinesis-kpl-concepts.html) and [Consumer De-aggregation](https://docs.aws.amazon.com/streams/latest/dev/kinesis-kpl-consumer-deaggregation.html) in the *Amazon Kinesis Data Streams Developer Guide* .", "StreamArn": "The Amazon Resource Name (ARN) of the Kinesis Data Streams resource." }, + "AWS::QLDB::Stream Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Analysis": { "AnalysisId": "The ID for the analysis that you're creating. This ID displays in the URL of the analysis.", "AwsAccountId": "The ID of the AWS account where you are creating an analysis.", 
@@ -23093,9 +26676,11 @@ "SourceEntity": "A source entity to use for the analysis that you're creating. This metadata structure contains details that describe a source template and one or more datasets.\n\nEither a `SourceEntity` or a `Definition` must be provided in order for the request to be valid.", "Status": "Status associated with the analysis.", "Tags": "Contains a map of the key-value pairs for the resource tag or tags assigned to the analysis.", - "ThemeArn": "The ARN for the theme to apply to the analysis that you're creating. To see the theme in the Amazon QuickSight console, make sure that you have access to it." + "ThemeArn": "The ARN for the theme to apply to the analysis that you're creating. To see the theme in the Amazon QuickSight console, make sure that you have access to it.", + "ValidationStrategy": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors." }, "AWS::QuickSight::Analysis AggregationFunction": { + "AttributeAggregationFunction": "Aggregation for attributes.", "CategoricalAggregationFunction": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", "DateAggregationFunction": "Aggregation for date values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.\n- `MIN` : Select the smallest date value.\n- `MAX` : Select the largest date value.", "NumericalAggregationFunction": "Aggregation for numerical values." 
@@ -23114,6 +26699,7 @@ "ColumnConfigurations": "An array of analysis-level column configurations. Column configurations can be used to set default formatting for a column to be used throughout an analysis.", "DataSetIdentifierDeclarations": "An array of dataset identifier declarations. This mapping allows the usage of dataset identifiers instead of dataset ARNs throughout analysis sub-structures.", "FilterGroups": "Filter definitions for an analysis.\n\nFor more information, see [Filtering Data in Amazon QuickSight](https://docs.aws.amazon.com/quicksight/latest/user/adding-a-filter.html) in the *Amazon QuickSight User Guide* .", + "Options": "An array of option definitions for an analysis.", "ParameterDeclarations": "An array of parameter declarations for an analysis.\n\nParameters are named variables that can transfer a value for use by an action or an object.\n\nFor more information, see [Parameters in Amazon QuickSight](https://docs.aws.amazon.com/quicksight/latest/user/parameters-in-quicksight.html) in the *Amazon QuickSight User Guide* .", "Sheets": "An array of sheet definitions for an analysis. Each `SheetDefinition` provides detailed information about a sheet within this analysis." }, 
@@ -23148,6 +26734,14 @@ "AWS::QuickSight::Analysis ArcOptions": { "ArcThickness": "The arc thickness of a `GaugeChartVisual` ." }, + "AWS::QuickSight::Analysis AssetOptions": { + "Timezone": "Determines the timezone for the analysis.", + "WeekStart": "Determines the week start day for an analysis." + }, + "AWS::QuickSight::Analysis AttributeAggregationFunction": { + "SimpleAttributeAggregation": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "ValueForMultipleValues": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'." + }, "AWS::QuickSight::Analysis AxisDataOptions": { "DateAxisOptions": "The options for an axis with a date field.", "NumericAxisOptions": "The options for an axis with a numeric field." @@ -23349,7 +26943,11 @@ "Colors": "Determines the list of colors that are applied to the visual.", "NullValueColor": "Determines the color that is applied to null values." }, + "AWS::QuickSight::Analysis ColorsConfiguration": { + "CustomColors": "A list of up to 50 custom colors." + }, "AWS::QuickSight::Analysis ColumnConfiguration": { + "ColorsConfiguration": "The color configurations of the column.", "Column": "The column.", "FormatConfiguration": "The format configuration of a column.", "Role": "The role of the column." 
@@ -23496,6 +27094,11 @@ "URLTarget": "The target of the `CustomActionURLOperation` .\n\nValid values are defined as follows:\n\n- `NEW_TAB` : Opens the target URL in a new browser tab.\n- `NEW_WINDOW` : Opens the target URL in a new browser window.\n- `SAME_TAB` : Opens the target URL in the same browser tab.", "URLTemplate": "THe URL link of the `CustomActionURLOperation` ." }, + "AWS::QuickSight::Analysis CustomColor": { + "Color": "The color that is applied to the data value.", + "FieldValue": "The data value that the color is applied to.", + "SpecialValue": "The value of a special data value." + }, "AWS::QuickSight::Analysis CustomContentConfiguration": { "ContentType": "The content type of the custom content visual. You can use this to have the visual render as an image.", "ContentUrl": "The input URL that links to the custom content that you want in the custom visual.", 
@@ -23583,7 +27186,11 @@ "Direction": "Determines the sort direction.", "SortPaths": "The list of data paths that need to be sorted." }, + "AWS::QuickSight::Analysis DataPathType": { + "PivotTableDataPathType": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` ." + }, "AWS::QuickSight::Analysis DataPathValue": { + "DataPathType": "The type configuration of the field.", "FieldId": "The field ID of the field that needs to be sorted.", "FieldValue": "The actual value of the field that needs to be sorted." }, @@ -23638,6 +27245,7 @@ }, "AWS::QuickSight::Analysis DateTimePickerControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Analysis DateTimeValueWhenUnsetConfiguration": { @@ -23712,6 +27320,7 @@ "TimeRangeFilter": "The time range drill down filter. This filter is used for date time columns." }, "AWS::QuickSight::Analysis DropDownControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SelectAllOptions": "The configuration of the `Select all` options in a dropdown control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, 
@@ -23846,6 +27455,7 @@ "AWS::QuickSight::Analysis FilterListConfiguration": { "CategoryValues": "The list of category values for the filter.", "MatchOperator": "The match operator that is used to determine if a filter should be applied.", + "NullOption": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", "SelectAllOptions": "Select all of the values. Null is not the assigned value of select all.\n\n- `FILTER_ALL_VALUES`" }, "AWS::QuickSight::Analysis FilterListControl": { @@ -23872,6 +27482,7 @@ "Title": "The title of the `FilterTextAreaControl` ." }, "AWS::QuickSight::Analysis FilterScopeConfiguration": { + "AllSheets": "The configuration for applying a filter to all sheets.", "SelectedSheets": "The configuration for applying a filter to specific sheets." }, "AWS::QuickSight::Analysis FilterSelectableValues": { 
@@ -24242,10 +27853,20 @@ "ItemsLimit": "The limit on how many items of a field are showed in the chart. For example, the number of slices that are displayed in a pie chart.", "OtherCategories": "The `Show other` of an axis in the chart. Choose one of the following options:\n\n- `INCLUDE`\n- `EXCLUDE`" }, + "AWS::QuickSight::Analysis KPIActualValueConditionalFormatting": { + "Icon": "The conditional formatting of the actual value's icon.", + "TextColor": "The conditional formatting of the actual value's text color." + }, + "AWS::QuickSight::Analysis KPIComparisonValueConditionalFormatting": { + "Icon": "The conditional formatting of the comparison value's icon.", + "TextColor": "The conditional formatting of the comparison value's text color." + }, "AWS::QuickSight::Analysis KPIConditionalFormatting": { "ConditionalFormattingOptions": "The conditional formatting options of a KPI visual." }, "AWS::QuickSight::Analysis KPIConditionalFormattingOption": { + "ActualValue": "The conditional formatting for the actual value of a KPI visual.", + "ComparisonValue": "The conditional formatting for the comparison value of a KPI visual.", "PrimaryValue": "The conditional formatting for the primary value of a KPI visual.", "ProgressBar": "The conditional formatting for the progress bar of a KPI visual." }, 
@@ -24266,7 +27887,9 @@ "ProgressBar": "The options that determine the presentation of the progress bar of a KPI visual.", "SecondaryValue": "The options that determine the presentation of the secondary value of a KPI visual.", "SecondaryValueFontConfiguration": "The options that determine the secondary value font configuration.", - "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual." + "Sparkline": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual.", + "VisualLayoutOptions": "The options that determine the layout a KPI visual." }, "AWS::QuickSight::Analysis KPIPrimaryValueConditionalFormatting": { "Icon": "The conditional formatting of the primary value's icon.", @@ -24278,6 +27901,12 @@ "AWS::QuickSight::Analysis KPISortConfiguration": { "TrendGroupSort": "The sort configuration of the trend group fields." }, + "AWS::QuickSight::Analysis KPISparklineOptions": { + "Color": "The color of the sparkline.", + "TooltipVisibility": "The tooltip visibility of the sparkline.", + "Type": "The type of the sparkline.", + "Visibility": "The visibility of the sparkline." + }, "AWS::QuickSight::Analysis KPIVisual": { "Actions": "The list of custom actions that are configured for a visual.", "ChartConfiguration": "The configuration of a KPI visual.", 
@@ -24287,6 +27916,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers." }, + "AWS::QuickSight::Analysis KPIVisualLayoutOptions": { + "StandardLayout": "The standard layout of the KPI visual." + }, + "AWS::QuickSight::Analysis KPIVisualStandardLayout": { + "Type": "The standard layout type." + }, "AWS::QuickSight::Analysis LabelOptions": { "CustomLabel": "The text for the label.", "FontConfiguration": "The font configuration of the label.", @@ -24378,6 +28013,7 @@ "MissingDataConfigurations": "The configuration options that determine how missing data is treated during the rendering of a line chart." }, "AWS::QuickSight::Analysis ListControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SearchOptions": "The configuration of the search options in a list control.", "SelectAllOptions": "The configuration of the `Select all` options in a list control.", "TitleOptions": "The options to configure the title visibility, name, and font size." 
@@ -24725,10 +28361,13 @@ "CollapsedRowDimensionsVisibility": "The visibility setting of a pivot table's collapsed row dimension fields. If the value of this structure is `HIDDEN` , all collapsed columns in a pivot table are automatically hidden. The default value is `VISIBLE` .", "ColumnHeaderStyle": "The table cell style of the column header.", "ColumnNamesVisibility": "The visibility of the column names.", + "DefaultCellWidth": "The default cell width of the pivot table.", "MetricPlacement": "The metric placement (row, column) options.", "RowAlternateColorOptions": "The row alternate color options (widget status, row alternate colors).", "RowFieldNamesStyle": "The table cell style of row field names.", "RowHeaderStyle": "The table cell style of the row headers.", + "RowsLabelOptions": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "RowsLayout": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", "SingleMetricVisibility": "The visibility of the single metric options.", "ToggleButtonsVisibility": "Determines the visibility of the pivot table." }, 
@@ -24736,6 +28375,10 @@ "OverflowColumnHeaderVisibility": "The visibility of the repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of the printing table overflow across pages." }, + "AWS::QuickSight::Analysis PivotTableRowsLabelOptions": { + "CustomLabel": "The custom label string for the rows label.", + "Visibility": "The visibility of the rows label." + }, "AWS::QuickSight::Analysis PivotTableSortBy": { "Column": "The column sort (field id, direction) for the pivot table sort by options.", "DataPath": "The data path sort (data path value, direction) for the pivot table sort by options.", @@ -24763,6 +28406,7 @@ "MetricHeaderCellStyle": "The cell styling options for the total of header cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation options for each value field.", "TotalCellStyle": "The cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells.", "ValueCellStyle": "The cell styling options for the totals of value cells." @@ -24833,8 +28477,9 @@ "CustomLabel": "The string text of the custom label." }, "AWS::QuickSight::Analysis ReferenceLineDataConfiguration": { - "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "DynamicConfiguration": "The dynamic configuration of the reference line data configuration.", + "SeriesType": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", "StaticConfiguration": "The static data configuration of the reference line data configuration." }, "AWS::QuickSight::Analysis ReferenceLineDynamicDataConfiguration": { 
@@ -24863,6 +28508,7 @@ }, "AWS::QuickSight::Analysis RelativeDateTimeControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Analysis RelativeDatesFilter": { @@ -24888,7 +28534,8 @@ }, "AWS::QuickSight::Analysis RowAlternateColorOptions": { "RowAlternateColors": "Determines the list of row alternate colors.", - "Status": "Determines the widget status." + "Status": "Determines the widget status.", + "UsePrimaryBackgroundColor": "The primary background color options for alternate rows." }, "AWS::QuickSight::Analysis SameSheetTargetVisualConfiguration": { "TargetVisualOptions": "The options that choose the target visual in the same sheet.\n\nValid values are defined as follows:\n\n- `ALL_VISUALS` : Applies the filter operation to all visuals in the same sheet.", @@ -25008,6 +28655,10 @@ "Name": "The name of a sheet. This name is displayed on the sheet's tab in the Amazon QuickSight console.", "SheetId": "The unique identifier associated with a sheet." }, + "AWS::QuickSight::Analysis SheetControlInfoIconLabelOptions": { + "InfoIconText": "The text content of info icon.", + "Visibility": "The visibility configuration of info icon label options." + }, "AWS::QuickSight::Analysis SheetControlLayout": { "Configuration": "The configuration that determines the elements and canvas size options of sheet control." }, 
@@ -25051,12 +28702,19 @@ "Color": "The color of the simple cluster marker." }, "AWS::QuickSight::Analysis SliderControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, + "AWS::QuickSight::Analysis SmallMultiplesAxisProperties": { + "Placement": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "Scale": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` ." + }, "AWS::QuickSight::Analysis SmallMultiplesOptions": { "MaxVisibleColumns": "Sets the maximum number of visible columns to display in the grid of small multiples panels.\n\nThe default is `Auto` , which automatically adjusts the columns in the grid to fit the overall layout and size of the given chart.", "MaxVisibleRows": "Sets the maximum number of visible rows to display in the grid of small multiples panels.\n\nThe default value is `Auto` , which automatically adjusts the rows in the grid to fit the overall layout and size of the given chart.", - "PanelConfiguration": "Configures the display options for each small multiples panel." + "PanelConfiguration": "Configures the display options for each small multiples panel.", + "XAxis": "The properties of a small multiples X axis.", + "YAxis": "The properties of a small multiples Y axis." }, "AWS::QuickSight::Analysis Spacing": { "Bottom": "Define the bottom spacing.", 
@@ -25092,6 +28750,7 @@ "FieldLevel": "The field level (all, custom, last) for the subtotal cells.", "FieldLevelOptions": "The optional configuration of subtotal cells.", "MetricHeaderCellStyle": "The cell styling options for the subtotals of header cells.", + "StyleTargets": "The style targets options for subtotals.", "TotalCellStyle": "The cell styling options for the subtotal cells.", "TotalsVisibility": "The visibility configuration for the subtotal cells.", "ValueCellStyle": "The cell styling options for the subtotals of value cells." @@ -25164,8 +28823,9 @@ "Width": "The width for a table field." }, "AWS::QuickSight::Analysis TableFieldOptions": { - "Order": "The order of field IDs of the field options for a table visual.", - "SelectedFieldOptions": "The selected field options for the table field options." + "Order": "The order of the field IDs that are configured as field options for a table visual.", + "PinnedFieldOptions": "The settings for the pinned columns of a table visual.", + "SelectedFieldOptions": "The field options to be configured to a table." }, "AWS::QuickSight::Analysis TableFieldURLConfiguration": { "ImageConfiguration": "The image configuration of a table field URL.", @@ -25188,6 +28848,9 @@ "OverflowColumnHeaderVisibility": "The visibility of repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of printing table overflow across pages." }, + "AWS::QuickSight::Analysis TablePinnedFieldOptions": { + "PinnedLeftFields": "A list of columns to be pinned to the left of a table visual." + }, "AWS::QuickSight::Analysis TableRowConditionalFormatting": { "BackgroundColor": "The conditional formatting color (solid, gradient) of the background for a table row.", "TextColor": "The conditional formatting color (solid, gradient) of the text for a table row." 
@@ -25204,6 +28867,9 @@ "PaginationConfiguration": "The pagination configuration (page size, page number) for the table.", "RowSort": "The field sort options for rows in the table." }, + "AWS::QuickSight::Analysis TableStyleTarget": { + "CellType": "The cell type of the table style target." + }, "AWS::QuickSight::Analysis TableUnaggregatedFieldWells": { "Values": "The values field well for a pivot table. Values are unaggregated for an unaggregated table." }, @@ -25215,7 +28881,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers.." }, + "AWS::QuickSight::Analysis Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Analysis TextAreaControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text area control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -25228,6 +28899,7 @@ "Visibility": "The visibility configuration of the placeholder options in a text control." }, "AWS::QuickSight::Analysis TextFieldControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text field control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, 
@@ -25246,9 +28918,10 @@ "AWS::QuickSight::Analysis TimeEqualityFilter": { "Column": "The column that the filter is applied to.", "FilterId": "An identifier that uniquely identifies a filter within a dashboard, analysis, or template.", - "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", + "RollingDate": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values.", - "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` ." + "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` ." }, "AWS::QuickSight::Analysis TimeRangeDrillDownFilter": { "Column": "The column that the filter is applied to.", 
@@ -25312,10 +28985,18 @@ "Name": "The name of a computation.", "Value": "The value field that is used in a computation." }, + "AWS::QuickSight::Analysis TotalAggregationFunction": { + "SimpleTotalAggregationFunction": "A built in aggregation function for total values." + }, + "AWS::QuickSight::Analysis TotalAggregationOption": { + "FieldId": "The field id that's associated with the total aggregation option.", + "TotalAggregationFunction": "The total aggregation function that you want to set for a specified field id." + }, "AWS::QuickSight::Analysis TotalOptions": { "CustomLabel": "The custom label string for the total cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation settings for each value field.", "TotalCellStyle": "Cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells." }, @@ -25363,6 +29044,9 @@ "ComputationId": "The ID for a computation.", "Name": "The name of a computation." }, + "AWS::QuickSight::Analysis ValidationStrategy": { + "Mode": "The mode of validation for the asset to be created or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors." + }, "AWS::QuickSight::Analysis VisibleRangeOptions": { "PercentRange": "The percent range in the visible range." }, 
@@ -25498,18 +29182,21 @@ "DashboardId": "The ID for the dashboard, also added to the IAM policy.", "DashboardPublishOptions": "Options for publishing the dashboard when you create it:\n\n- `AvailabilityStatus` for `AdHocFilteringOption` - This status can be either `ENABLED` or `DISABLED` . When this is set to `DISABLED` , Amazon QuickSight disables the left filter pane on the published dashboard, which can be used for ad hoc (one-time) filtering. This option is `ENABLED` by default.\n- `AvailabilityStatus` for `ExportToCSVOption` - This status can be either `ENABLED` or `DISABLED` . The visual option to export data to .CSV format isn't enabled when this is set to `DISABLED` . This option is `ENABLED` by default.\n- `VisibilityState` for `SheetControlsOption` - This visibility state can be either `COLLAPSED` or `EXPANDED` . This option is `COLLAPSED` by default.", "Definition": "", + "LinkSharingConfiguration": "A structure that contains the link sharing configurations that you want to apply overrides to.", "Name": "The display name of the dashboard.", "Parameters": "The parameters for the creation of the dashboard, which you want to use to override the default settings. A dashboard can have any type of parameters, and some parameters might accept multiple values.", "Permissions": "A structure that contains the permissions of the dashboard. You can use this structure for granting permissions by providing a list of IAM action information for each principal ARN.\n\nTo specify no permissions, omit the permissions list.", "SourceEntity": "The entity that you are using as a source when you create the dashboard. In `SourceEntity` , you specify the type of object that you want to use. You can only create a dashboard from a template, so you use a `SourceTemplate` entity. If you need to create a dashboard from an analysis, first convert the analysis to a template by using the `CreateTemplate` API operation. 
For `SourceTemplate` , specify the Amazon Resource Name (ARN) of the source template. The `SourceTemplate` ARN can contain any AWS account; and any QuickSight-supported AWS Region .\n\nUse the `DataSetReferences` entity within `SourceTemplate` to list the replacement datasets for the placeholders listed in the original. The schema in each dataset must match its placeholder.", "Tags": "Contains a map of the key-value pairs for the resource tag or tags assigned to the dashboard.", "ThemeArn": "The Amazon Resource Name (ARN) of the theme that is being used for this dashboard. If you add a value for this field, it overrides the value that is used in the source entity. The theme ARN must exist in the same AWS account where you create the dashboard.", + "ValidationStrategy": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", "VersionDescription": "A description for the first version of the dashboard being created." }, "AWS::QuickSight::Dashboard AdHocFilteringOption": { "AvailabilityStatus": "Availability status." }, "AWS::QuickSight::Dashboard AggregationFunction": { + "AttributeAggregationFunction": "Aggregation for attributes.", "CategoricalAggregationFunction": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", "DateAggregationFunction": "Aggregation for date values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.\n- `MIN` : Select the smallest date value.\n- `MAX` : Select the largest date value.", "NumericalAggregationFunction": "Aggregation for numerical values." 
@@ -25541,6 +29228,14 @@ "AWS::QuickSight::Dashboard ArcOptions": { "ArcThickness": "The arc thickness of a `GaugeChartVisual` ." }, + "AWS::QuickSight::Dashboard AssetOptions": { + "Timezone": "Determines the timezone for the analysis.", + "WeekStart": "Determines the week start day for an analysis." + }, + "AWS::QuickSight::Dashboard AttributeAggregationFunction": { + "SimpleAttributeAggregation": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "ValueForMultipleValues": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'." + }, "AWS::QuickSight::Dashboard AxisDataOptions": { "DateAxisOptions": "The options for an axis with a date field.", "NumericAxisOptions": "The options for an axis with a numeric field." @@ -25742,7 +29437,11 @@ "Colors": "Determines the list of colors that are applied to the visual.", "NullValueColor": "Determines the color that is applied to null values." }, + "AWS::QuickSight::Dashboard ColorsConfiguration": { + "CustomColors": "A list of up to 50 custom colors." + }, "AWS::QuickSight::Dashboard ColumnConfiguration": { + "ColorsConfiguration": "The color configurations of the column.", "Column": "The column.", "FormatConfiguration": "The format configuration of a column.", "Role": "The role of the column." 
@@ -25889,6 +29588,11 @@ "URLTarget": "The target of the `CustomActionURLOperation` .\n\nValid values are defined as follows:\n\n- `NEW_TAB` : Opens the target URL in a new browser tab.\n- `NEW_WINDOW` : Opens the target URL in a new browser window.\n- `SAME_TAB` : Opens the target URL in the same browser tab.", "URLTemplate": "THe URL link of the `CustomActionURLOperation` ." }, + "AWS::QuickSight::Dashboard CustomColor": { + "Color": "The color that is applied to the data value.", + "FieldValue": "The data value that the color is applied to.", + "SpecialValue": "The value of a special data value." + }, "AWS::QuickSight::Dashboard CustomContentConfiguration": { "ContentType": "The content type of the custom content visual. You can use this to have the visual render as an image.", "ContentUrl": "The input URL that links to the custom content that you want in the custom visual.", 
@@ -25971,6 +29675,7 @@ "ColumnConfigurations": "An array of dashboard-level column configurations. Column configurations are used to set the default formatting for a column that is used throughout a dashboard.", "DataSetIdentifierDeclarations": "An array of dataset identifier declarations. With this mapping,you can use dataset identifiers instead of dataset Amazon Resource Names (ARNs) throughout the dashboard's sub-structures.", "FilterGroups": "The filter definitions for a dashboard.\n\nFor more information, see [Filtering Data in Amazon QuickSight](https://docs.aws.amazon.com/quicksight/latest/user/adding-a-filter.html) in the *Amazon QuickSight User Guide* .", + "Options": "An array of option definitions for a dashboard.", "ParameterDeclarations": "The parameter declarations for a dashboard. Parameters are named variables that can transfer a value for use by an action or an object.\n\nFor more information, see [Parameters in Amazon QuickSight](https://docs.aws.amazon.com/quicksight/latest/user/parameters-in-quicksight.html) in the *Amazon QuickSight User Guide* .", "Sheets": "An array of sheet definitions for a dashboard." }, 
@@ -26025,7 +29730,11 @@ "Direction": "Determines the sort direction.", "SortPaths": "The list of data paths that need to be sorted." }, + "AWS::QuickSight::Dashboard DataPathType": { + "PivotTableDataPathType": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` ." + }, "AWS::QuickSight::Dashboard DataPathValue": { + "DataPathType": "The type configuration of the field.", "FieldId": "The field ID of the field that needs to be sorted.", "FieldValue": "The actual value of the field that needs to be sorted." }, @@ -26089,6 +29798,7 @@ }, "AWS::QuickSight::Dashboard DateTimePickerControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Dashboard DateTimeValueWhenUnsetConfiguration": { @@ -26163,6 +29873,7 @@ "TimeRangeFilter": "The time range drill down filter. This filter is used for date time columns." }, "AWS::QuickSight::Dashboard DropDownControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SelectAllOptions": "The configuration of the `Select all` options in a dropdown control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, 
@@ -26306,6 +30017,7 @@ "AWS::QuickSight::Dashboard FilterListConfiguration": { "CategoryValues": "The list of category values for the filter.", "MatchOperator": "The match operator that is used to determine if a filter should be applied.", + "NullOption": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", "SelectAllOptions": "Select all of the values. Null is not the assigned value of select all.\n\n- `FILTER_ALL_VALUES`" }, "AWS::QuickSight::Dashboard FilterListControl": { @@ -26332,6 +30044,7 @@ "Title": "The title of the `FilterTextAreaControl` ." }, "AWS::QuickSight::Dashboard FilterScopeConfiguration": { + "AllSheets": "The configuration for applying a filter to all sheets.", "SelectedSheets": "The configuration for applying a filter to specific sheets." }, "AWS::QuickSight::Dashboard FilterSelectableValues": { 
@@ -26702,10 +30415,20 @@ "ItemsLimit": "The limit on how many items of a field are showed in the chart. For example, the number of slices that are displayed in a pie chart.", "OtherCategories": "The `Show other` of an axis in the chart. Choose one of the following options:\n\n- `INCLUDE`\n- `EXCLUDE`" }, + "AWS::QuickSight::Dashboard KPIActualValueConditionalFormatting": { + "Icon": "The conditional formatting of the actual value's icon.", + "TextColor": "The conditional formatting of the actual value's text color." + }, + "AWS::QuickSight::Dashboard KPIComparisonValueConditionalFormatting": { + "Icon": "The conditional formatting of the comparison value's icon.", + "TextColor": "The conditional formatting of the comparison value's text color." + }, "AWS::QuickSight::Dashboard KPIConditionalFormatting": { "ConditionalFormattingOptions": "The conditional formatting options of a KPI visual." }, "AWS::QuickSight::Dashboard KPIConditionalFormattingOption": { + "ActualValue": "The conditional formatting for the actual value of a KPI visual.", + "ComparisonValue": "The conditional formatting for the comparison value of a KPI visual.", "PrimaryValue": "The conditional formatting for the primary value of a KPI visual.", "ProgressBar": "The conditional formatting for the progress bar of a KPI visual." }, 
@@ -26726,7 +30449,9 @@ "ProgressBar": "The options that determine the presentation of the progress bar of a KPI visual.", "SecondaryValue": "The options that determine the presentation of the secondary value of a KPI visual.", "SecondaryValueFontConfiguration": "The options that determine the secondary value font configuration.", - "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual." + "Sparkline": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual.", + "VisualLayoutOptions": "The options that determine the layout a KPI visual." }, "AWS::QuickSight::Dashboard KPIPrimaryValueConditionalFormatting": { "Icon": "The conditional formatting of the primary value's icon.", @@ -26738,6 +30463,12 @@ "AWS::QuickSight::Dashboard KPISortConfiguration": { "TrendGroupSort": "The sort configuration of the trend group fields." }, + "AWS::QuickSight::Dashboard KPISparklineOptions": { + "Color": "The color of the sparkline.", + "TooltipVisibility": "The tooltip visibility of the sparkline.", + "Type": "The type of the sparkline.", + "Visibility": "The visibility of the sparkline." + }, "AWS::QuickSight::Dashboard KPIVisual": { "Actions": "The list of custom actions that are configured for a visual.", "ChartConfiguration": "The configuration of a KPI visual.", 
@@ -26747,6 +30478,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers." }, + "AWS::QuickSight::Dashboard KPIVisualLayoutOptions": { + "StandardLayout": "The standard layout of the KPI visual." + }, + "AWS::QuickSight::Dashboard KPIVisualStandardLayout": { + "Type": "The standard layout type." + }, "AWS::QuickSight::Dashboard LabelOptions": { "CustomLabel": "The text for the label.", "FontConfiguration": "The font configuration of the label.", @@ -26837,7 +30574,11 @@ "AxisOptions": "The options that determine the presentation of the line series axis.", "MissingDataConfigurations": "The configuration options that determine how missing data is treated during the rendering of a line chart." }, + "AWS::QuickSight::Dashboard LinkSharingConfiguration": { + "Permissions": "A structure that contains the permissions of a shareable link." + }, "AWS::QuickSight::Dashboard ListControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SearchOptions": "The configuration of the search options in a list control.", "SelectAllOptions": "The configuration of the `Select all` options in a list control.", "TitleOptions": "The options to configure the title visibility, name, and font size." 
@@ -27185,10 +30926,13 @@ "CollapsedRowDimensionsVisibility": "The visibility setting of a pivot table's collapsed row dimension fields. If the value of this structure is `HIDDEN` , all collapsed columns in a pivot table are automatically hidden. The default value is `VISIBLE` .", "ColumnHeaderStyle": "The table cell style of the column header.", "ColumnNamesVisibility": "The visibility of the column names.", + "DefaultCellWidth": "The default cell width of the pivot table.", "MetricPlacement": "The metric placement (row, column) options.", "RowAlternateColorOptions": "The row alternate color options (widget status, row alternate colors).", "RowFieldNamesStyle": "The table cell style of row field names.", "RowHeaderStyle": "The table cell style of the row headers.", + "RowsLabelOptions": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "RowsLayout": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", "SingleMetricVisibility": "The visibility of the single metric options.", "ToggleButtonsVisibility": "Determines the visibility of the pivot table." }, 
@@ -27196,6 +30940,10 @@ "OverflowColumnHeaderVisibility": "The visibility of the repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of the printing table overflow across pages." }, + "AWS::QuickSight::Dashboard PivotTableRowsLabelOptions": { + "CustomLabel": "The custom label string for the rows label.", + "Visibility": "The visibility of the rows label." + }, "AWS::QuickSight::Dashboard PivotTableSortBy": { "Column": "The column sort (field id, direction) for the pivot table sort by options.", "DataPath": "The data path sort (data path value, direction) for the pivot table sort by options.", @@ -27223,6 +30971,7 @@ "MetricHeaderCellStyle": "The cell styling options for the total of header cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation options for each value field.", "TotalCellStyle": "The cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells.", "ValueCellStyle": "The cell styling options for the totals of value cells." @@ -27293,8 +31042,9 @@ "CustomLabel": "The string text of the custom label." }, "AWS::QuickSight::Dashboard ReferenceLineDataConfiguration": { - "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "DynamicConfiguration": "The dynamic configuration of the reference line data configuration.", + "SeriesType": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", "StaticConfiguration": "The static data configuration of the reference line data configuration." }, "AWS::QuickSight::Dashboard ReferenceLineDynamicDataConfiguration": { 
@@ -27323,6 +31073,7 @@ }, "AWS::QuickSight::Dashboard RelativeDateTimeControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Dashboard RelativeDatesFilter": { @@ -27348,7 +31099,8 @@ }, "AWS::QuickSight::Dashboard RowAlternateColorOptions": { "RowAlternateColors": "Determines the list of row alternate colors.", - "Status": "Determines the widget status." + "Status": "Determines the widget status.", + "UsePrimaryBackgroundColor": "The primary background color options for alternate rows." }, "AWS::QuickSight::Dashboard SameSheetTargetVisualConfiguration": { "TargetVisualOptions": "The options that choose the target visual in the same sheet.\n\nValid values are defined as follows:\n\n- `ALL_VISUALS` : Applies the filter operation to all visuals in the same sheet.", @@ -27468,6 +31220,10 @@ "Name": "The name of a sheet. This name is displayed on the sheet's tab in the Amazon QuickSight console.", "SheetId": "The unique identifier associated with a sheet." }, + "AWS::QuickSight::Dashboard SheetControlInfoIconLabelOptions": { + "InfoIconText": "The text content of info icon.", + "Visibility": "The visibility configuration of info icon label options." + }, "AWS::QuickSight::Dashboard SheetControlLayout": { "Configuration": "The configuration that determines the elements and canvas size options of sheet control." }, 
@@ -27517,12 +31273,19 @@ "Color": "The color of the simple cluster marker." }, "AWS::QuickSight::Dashboard SliderControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, + "AWS::QuickSight::Dashboard SmallMultiplesAxisProperties": { + "Placement": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "Scale": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` ." + }, "AWS::QuickSight::Dashboard SmallMultiplesOptions": { "MaxVisibleColumns": "Sets the maximum number of visible columns to display in the grid of small multiples panels.\n\nThe default is `Auto` , which automatically adjusts the columns in the grid to fit the overall layout and size of the given chart.", "MaxVisibleRows": "Sets the maximum number of visible rows to display in the grid of small multiples panels.\n\nThe default value is `Auto` , which automatically adjusts the rows in the grid to fit the overall layout and size of the given chart.", - "PanelConfiguration": "Configures the display options for each small multiples panel." + "PanelConfiguration": "Configures the display options for each small multiples panel.", + "XAxis": "The properties of a small multiples X axis.", + "YAxis": "The properties of a small multiples Y axis." }, "AWS::QuickSight::Dashboard Spacing": { "Bottom": "Define the bottom spacing.", 
@@ -27558,6 +31321,7 @@ "FieldLevel": "The field level (all, custom, last) for the subtotal cells.", "FieldLevelOptions": "The optional configuration of subtotal cells.", "MetricHeaderCellStyle": "The cell styling options for the subtotals of header cells.", + "StyleTargets": "The style targets options for subtotals.", "TotalCellStyle": "The cell styling options for the subtotal cells.", "TotalsVisibility": "The visibility configuration for the subtotal cells.", "ValueCellStyle": "The cell styling options for the subtotals of value cells." @@ -27630,8 +31394,9 @@ "Width": "The width for a table field." }, "AWS::QuickSight::Dashboard TableFieldOptions": { - "Order": "The order of field IDs of the field options for a table visual.", - "SelectedFieldOptions": "The selected field options for the table field options." + "Order": "The order of the field IDs that are configured as field options for a table visual.", + "PinnedFieldOptions": "The settings for the pinned columns of a table visual.", + "SelectedFieldOptions": "The field options to be configured to a table." }, "AWS::QuickSight::Dashboard TableFieldURLConfiguration": { "ImageConfiguration": "The image configuration of a table field URL.", @@ -27654,6 +31419,9 @@ "OverflowColumnHeaderVisibility": "The visibility of repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of printing table overflow across pages." }, + "AWS::QuickSight::Dashboard TablePinnedFieldOptions": { + "PinnedLeftFields": "A list of columns to be pinned to the left of a table visual." + }, "AWS::QuickSight::Dashboard TableRowConditionalFormatting": { "BackgroundColor": "The conditional formatting color (solid, gradient) of the background for a table row.", "TextColor": "The conditional formatting color (solid, gradient) of the text for a table row." 
@@ -27670,6 +31438,9 @@ "PaginationConfiguration": "The pagination configuration (page size, page number) for the table.", "RowSort": "The field sort options for rows in the table." }, + "AWS::QuickSight::Dashboard TableStyleTarget": { + "CellType": "The cell type of the table style target." + }, "AWS::QuickSight::Dashboard TableUnaggregatedFieldWells": { "Values": "The values field well for a pivot table. Values are unaggregated for an unaggregated table." }, @@ -27681,7 +31452,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers.." }, + "AWS::QuickSight::Dashboard Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Dashboard TextAreaControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text area control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -27694,6 +31470,7 @@ "Visibility": "The visibility configuration of the placeholder options in a text control." }, "AWS::QuickSight::Dashboard TextFieldControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text field control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, 
@@ -27712,9 +31489,10 @@ "AWS::QuickSight::Dashboard TimeEqualityFilter": { "Column": "The column that the filter is applied to.", "FilterId": "An identifier that uniquely identifies a filter within a dashboard, analysis, or template.", - "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", + "RollingDate": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values.", - "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` ." + "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` ." }, "AWS::QuickSight::Dashboard TimeRangeDrillDownFilter": { "Column": "The column that the filter is applied to.", 
@@ -27778,10 +31556,18 @@ "Name": "The name of a computation.", "Value": "The value field that is used in a computation." }, + "AWS::QuickSight::Dashboard TotalAggregationFunction": { + "SimpleTotalAggregationFunction": "A built in aggregation function for total values." + }, + "AWS::QuickSight::Dashboard TotalAggregationOption": { + "FieldId": "The field id that's associated with the total aggregation option.", + "TotalAggregationFunction": "The total aggregation function that you want to set for a specified field id." + }, "AWS::QuickSight::Dashboard TotalOptions": { "CustomLabel": "The custom label string for the total cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation settings for each value field.", "TotalCellStyle": "Cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells." }, @@ -27829,6 +31615,9 @@ "ComputationId": "The ID for a computation.", "Name": "The name of a computation." }, + "AWS::QuickSight::Dashboard ValidationStrategy": { + "Mode": "The mode of validation for the asset to be created or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors." + }, "AWS::QuickSight::Dashboard VisibleRangeOptions": { "PercentRange": "The percent range in the visible range." }, 
@@ -27970,9 +31759,9 @@ "ColumnGroups": "Groupings of columns that work together in certain Amazon QuickSight features. Currently, only geospatial hierarchy is supported.", "ColumnLevelPermissionRules": "A set of one or more definitions of a `ColumnLevelPermissionRule` .", "DataSetId": "An ID for the dataset that you want to create. This ID is unique per AWS Region for each AWS account.", - "DataSetRefreshProperties": "", + "DataSetRefreshProperties": "The refresh properties of a dataset.", "DataSetUsageConfiguration": "The usage configuration to apply to child datasets that reference this dataset as a source.", - "DatasetParameters": "", + "DatasetParameters": "The parameters that are declared in a dataset.", "FieldFolders": "The folder that contains fields and nested subfolders for your dataset.", "ImportMode": "Indicates whether you want to import the data into SPICE.", "IngestionWaitPolicy": "The wait policy to use when creating or updating a Dataset. The default is to wait for SPICE ingestion to finish with timeout of 36 hours.", @@ -27992,7 +31781,8 @@ "AWS::QuickSight::DataSet CastColumnTypeOperation": { "ColumnName": "Column name.", "Format": "When casting a column from string to datetime type, you can supply a string in a format supported by Amazon QuickSight to denote the source data format.", - "NewColumnType": "New column data type." + "NewColumnType": "New column data type.", + "SubType": "The sub data type of the new column. Sub types are only available for decimal columns that are part of a SPICE dataset." }, "AWS::QuickSight::DataSet ColumnDescription": { "Text": "The text of a description for a column." 
@@ -28025,29 +31815,29 @@ "DisableUseAsImportedSource": "An option that controls whether a child dataset that's stored in QuickSight can use this dataset as a source." }, "AWS::QuickSight::DataSet DatasetParameter": { - "DateTimeDatasetParameter": "", - "DecimalDatasetParameter": "", - "IntegerDatasetParameter": "", - "StringDatasetParameter": "" + "DateTimeDatasetParameter": "A date time parameter that is created in the dataset.", + "DecimalDatasetParameter": "A decimal parameter that is created in the dataset.", + "IntegerDatasetParameter": "An integer parameter that is created in the dataset.", + "StringDatasetParameter": "A string parameter that is created in the dataset." }, "AWS::QuickSight::DataSet DateTimeDatasetParameter": { - "DefaultValues": "", - "Id": "", - "Name": "", - "TimeGranularity": "", - "ValueType": "" + "DefaultValues": "A list of default values for a given date time parameter. This structure only accepts static values.", + "Id": "An identifier for the parameter that is created in the dataset.", + "Name": "The name of the date time parameter that is created in the dataset.", + "TimeGranularity": "The time granularity of the date time parameter.", + "ValueType": "The value type of the dataset parameter. Valid values are `single value` or `multi value` ." }, "AWS::QuickSight::DataSet DateTimeDatasetParameterDefaultValues": { "StaticValues": "A list of static default values for a given date time parameter. The valid format for this property is `yyyy-MM-dd\u2019T\u2019HH:mm:ss\u2019Z\u2019` ." }, "AWS::QuickSight::DataSet DecimalDatasetParameter": { - "DefaultValues": "", - "Id": "", - "Name": "", - "ValueType": "" + "DefaultValues": "A list of default values for a given decimal parameter. This structure only accepts static values.", + "Id": "An identifier for the decimal parameter created in the dataset.", + "Name": "The name of the decimal parameter that is created in the dataset.", + "ValueType": "The value type of the dataset parameter. 
Valid values are `single value` or `multi value` ." }, "AWS::QuickSight::DataSet DecimalDatasetParameterDefaultValues": { - "StaticValues": "" + "StaticValues": "A list of static default values for a given decimal parameter." }, "AWS::QuickSight::DataSet FieldFolder": { "Columns": "A folder has a list of columns. A column can only be in one folder.", @@ -28070,16 +31860,17 @@ }, "AWS::QuickSight::DataSet InputColumn": { "Name": "The name of this column in the underlying data source.", + "SubType": "The sub data type of the column. Sub types are only available for decimal columns that are part of a SPICE dataset.", "Type": "The data type of the column." }, "AWS::QuickSight::DataSet IntegerDatasetParameter": { - "DefaultValues": "", - "Id": "", - "Name": "", - "ValueType": "" + "DefaultValues": "A list of default values for a given integer parameter. This structure only accepts static values.", + "Id": "An identifier for the integer parameter created in the dataset.", + "Name": "The name of the integer parameter that is created in the dataset.", + "ValueType": "The value type of the dataset parameter. Valid values are `single value` or `multi value` ." }, "AWS::QuickSight::DataSet IntegerDatasetParameterDefaultValues": { - "StaticValues": "" + "StaticValues": "A list of static default values for a given integer parameter." }, "AWS::QuickSight::DataSet JoinInstruction": { "LeftJoinKeyProperties": "Join key properties of the left operand.", 
@@ -28109,19 +31900,20 @@ }, "AWS::QuickSight::DataSet NewDefaultValues": { "DateTimeStaticValues": "A list of static default values for a given date time parameter. The valid format for this property is `yyyy-MM-dd\u2019T\u2019HH:mm:ss\u2019Z\u2019` .", - "DecimalStaticValues": "", - "IntegerStaticValues": "", - "StringStaticValues": "" + "DecimalStaticValues": "A list of static default values for a given decimal parameter.", + "IntegerStaticValues": "A list of static default values for a given integer parameter.", + "StringStaticValues": "A list of static default values for a given string parameter." }, "AWS::QuickSight::DataSet OutputColumn": { "Description": "A description for a column.", - "Name": "A display name for the dataset.", - "Type": "The type." + "Name": "The display name of the column..", + "SubType": "The sub data type of the column.", + "Type": "The data type of the column." }, "AWS::QuickSight::DataSet OverrideDatasetParameterOperation": { "NewDefaultValues": "The new default values for the parameter.", "NewParameterName": "The new name for the parameter.", - "ParameterName": "" + "ParameterName": "The name of the parameter to be overridden with different values." }, "AWS::QuickSight::DataSet PhysicalTable": { "CustomSql": "A physical table type built from the results of the custom SQL query.", @@ -28135,7 +31927,7 @@ "IncrementalRefresh": "The incremental refresh for the dataset." }, "AWS::QuickSight::DataSet RelationalTable": { - "Catalog": "", + "Catalog": "The catalog associated with a table.", "DataSourceArn": "The Amazon Resource Name (ARN) for the data source.", "InputColumns": "The column schema of the table.", "Name": "The name of the relational table.", 
@@ -28157,15 +31949,15 @@ "Status": "The status of the row-level security permission dataset. If enabled, the status is `ENABLED` . If disabled, the status is `DISABLED` ." }, "AWS::QuickSight::DataSet RowLevelPermissionTagConfiguration": { - "Status": "", - "TagRuleConfigurations": "", - "TagRules": "" + "Status": "The status of row-level security tags. If enabled, the status is `ENABLED` . If disabled, the status is `DISABLED` .", + "TagRuleConfigurations": "The configuration of tags on a dataset to set row-level security.", + "TagRules": "A set of rules associated with row-level security, such as the tag names and columns that they are assigned to." }, "AWS::QuickSight::DataSet RowLevelPermissionTagRule": { - "ColumnName": "", - "MatchAllValue": "", - "TagKey": "", - "TagMultiValueDelimiter": "" + "ColumnName": "The column name that a tag key is assigned to.", + "MatchAllValue": "A string that you want to use to filter by all the values in a column in the dataset and don\u2019t want to list the values one by one. For example, you can use an asterisk as your match all value.", + "TagKey": "The unique key for a tag.", + "TagMultiValueDelimiter": "A string that you want to use to delimit the values when you pass the values at run time. For example, you can delimit the values with a comma." }, "AWS::QuickSight::DataSet S3Source": { "DataSourceArn": "The Amazon Resource Name (ARN) for the data source.", 
@@ -28173,13 +31965,17 @@ "UploadSettings": "Information about the format for the S3 source file or files." }, "AWS::QuickSight::DataSet StringDatasetParameter": { - "DefaultValues": "", - "Id": "", - "Name": "", - "ValueType": "" + "DefaultValues": "A list of default values for a given string dataset parameter type. This structure only accepts static values.", + "Id": "An identifier for the string parameter that is created in the dataset.", + "Name": "The name of the string parameter that is created in the dataset.", + "ValueType": "The value type of the dataset parameter. Valid values are `single value` or `multi value` ." }, "AWS::QuickSight::DataSet StringDatasetParameterDefaultValues": { - "StaticValues": "" + "StaticValues": "A list of static default values for a given string parameter." + }, + "AWS::QuickSight::DataSet Tag": { + "Key": "", + "Value": "" }, "AWS::QuickSight::DataSet TagColumnOperation": { "ColumnName": "The column that this operation acts on.", @@ -28267,7 +32063,9 @@ "SnowflakeParameters": "The parameters for Snowflake.", "SparkParameters": "The parameters for Spark.", "SqlServerParameters": "The parameters for SQL Server.", - "TeradataParameters": "The parameters for Teradata." + "StarburstParameters": "The parameters that are required to connect to a Starburst data source.", + "TeradataParameters": "The parameters for Teradata.", + "TrinoParameters": "The parameters that are required to connect to a Trino data source." }, "AWS::QuickSight::DataSource DatabricksParameters": { "Host": "The host name of the Databricks data source.", 
@@ -28338,11 +32136,26 @@ "AWS::QuickSight::DataSource SslProperties": { "DisableSsl": "A Boolean option to control whether SSL should be disabled." }, + "AWS::QuickSight::DataSource StarburstParameters": { + "Catalog": "The catalog name for the Starburst data source.", + "Host": "The host name of the Starburst data source.", + "Port": "The port for the Starburst data source.", + "ProductType": "The product type for the Starburst data source." + }, + "AWS::QuickSight::DataSource Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::DataSource TeradataParameters": { "Database": "Database.", "Host": "Host.", "Port": "Port." }, + "AWS::QuickSight::DataSource TrinoParameters": { + "Catalog": "The catalog name for the Trino data source.", + "Host": "The host name of the Trino data source.", + "Port": "The port for the Trino data source." + }, "AWS::QuickSight::DataSource VpcConnectionProperties": { "VpcConnectionArn": "The Amazon Resource Name (ARN) for the VPC connection." }, 
@@ -28375,9 +32188,11 @@ "SourceEntity": "The entity that you are using as a source when you create the template. In `SourceEntity` , you specify the type of object you're using as source: `SourceTemplate` for a template or `SourceAnalysis` for an analysis. Both of these require an Amazon Resource Name (ARN). For `SourceTemplate` , specify the ARN of the source template. For `SourceAnalysis` , specify the ARN of the source analysis. The `SourceTemplate` ARN can contain any AWS account and any Amazon QuickSight-supported AWS Region .\n\nUse the `DataSetReferences` entity within `SourceTemplate` or `SourceAnalysis` to list the replacement datasets for the placeholders listed in the original. The schema in each dataset must match its placeholder.\n\nEither a `SourceEntity` or a `Definition` must be provided in order for the request to be valid.", "Tags": "Contains a map of the key-value pairs for the resource tag or tags assigned to the resource.", "TemplateId": "An ID for the template that you want to create. This template is unique per AWS Region ; in each AWS account.", + "ValidationStrategy": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", "VersionDescription": "A description of the current template version being created. This API operation creates the first version of the template. Every time `UpdateTemplate` is called, a new version is created. Each version of the template maintains a description of the version in the `VersionDescription` field." 
}, "AWS::QuickSight::Template AggregationFunction": { + "AttributeAggregationFunction": "Aggregation for attributes.", "CategoricalAggregationFunction": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", "DateAggregationFunction": "Aggregation for date values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.\n- `MIN` : Select the smallest date value.\n- `MAX` : Select the largest date value.", "NumericalAggregationFunction": "Aggregation for numerical values." @@ -28409,6 +32224,14 @@ "AWS::QuickSight::Template ArcOptions": { "ArcThickness": "The arc thickness of a `GaugeChartVisual` ." }, + "AWS::QuickSight::Template AssetOptions": { + "Timezone": "Determines the timezone for the analysis.", + "WeekStart": "Determines the week start day for an analysis." + }, + "AWS::QuickSight::Template AttributeAggregationFunction": { + "SimpleAttributeAggregation": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "ValueForMultipleValues": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'." + }, "AWS::QuickSight::Template AxisDataOptions": { "DateAxisOptions": "The options for an axis with a date field.", "NumericAxisOptions": "The options for an axis with a numeric field." 
@@ -28610,7 +32433,11 @@ "Colors": "Determines the list of colors that are applied to the visual.", "NullValueColor": "Determines the color that is applied to null values." }, + "AWS::QuickSight::Template ColorsConfiguration": { + "CustomColors": "A list of up to 50 custom colors." + }, "AWS::QuickSight::Template ColumnConfiguration": { + "ColorsConfiguration": "The color configurations of the column.", "Column": "The column.", "FormatConfiguration": "The format configuration of a column.", "Role": "The role of the column." @@ -28769,6 +32596,11 @@ "URLTarget": "The target of the `CustomActionURLOperation` .\n\nValid values are defined as follows:\n\n- `NEW_TAB` : Opens the target URL in a new browser tab.\n- `NEW_WINDOW` : Opens the target URL in a new browser window.\n- `SAME_TAB` : Opens the target URL in the same browser tab.", "URLTemplate": "THe URL link of the `CustomActionURLOperation` ." }, + "AWS::QuickSight::Template CustomColor": { + "Color": "The color that is applied to the data value.", + "FieldValue": "The data value that the color is applied to.", + "SpecialValue": "The value of a special data value." + }, "AWS::QuickSight::Template CustomContentConfiguration": { "ContentType": "The content type of the custom content visual. You can use this to have the visual render as an image.", "ContentUrl": "The input URL that links to the custom content that you want in the custom visual.", 
@@ -28856,7 +32688,11 @@ "Direction": "Determines the sort direction.", "SortPaths": "The list of data paths that need to be sorted." }, + "AWS::QuickSight::Template DataPathType": { + "PivotTableDataPathType": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` ." + }, "AWS::QuickSight::Template DataPathValue": { + "DataPathType": "The type configuration of the field.", "FieldId": "The field ID of the field that needs to be sorted.", "FieldValue": "The actual value of the field that needs to be sorted." }, @@ -28911,6 +32747,7 @@ }, "AWS::QuickSight::Template DateTimePickerControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Template DateTimeValueWhenUnsetConfiguration": { @@ -28981,6 +32818,7 @@ "TimeRangeFilter": "The time range drill down filter. This filter is used for date time columns." }, "AWS::QuickSight::Template DropDownControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SelectAllOptions": "The configuration of the `Select all` options in a dropdown control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, 
@@ -29115,6 +32953,7 @@ "AWS::QuickSight::Template FilterListConfiguration": { "CategoryValues": "The list of category values for the filter.", "MatchOperator": "The match operator that is used to determine if a filter should be applied.", + "NullOption": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", "SelectAllOptions": "Select all of the values. Null is not the assigned value of select all.\n\n- `FILTER_ALL_VALUES`" }, "AWS::QuickSight::Template FilterListControl": { @@ -29141,6 +32980,7 @@ "Title": "The title of the `FilterTextAreaControl` ." }, "AWS::QuickSight::Template FilterScopeConfiguration": { + "AllSheets": "The configuration for applying a filter to all sheets.", "SelectedSheets": "The configuration for applying a filter to specific sheets." }, "AWS::QuickSight::Template FilterSelectableValues": { 
@@ -29507,10 +33347,20 @@ "ItemsLimit": "The limit on how many items of a field are showed in the chart. For example, the number of slices that are displayed in a pie chart.", "OtherCategories": "The `Show other` of an axis in the chart. Choose one of the following options:\n\n- `INCLUDE`\n- `EXCLUDE`" }, + "AWS::QuickSight::Template KPIActualValueConditionalFormatting": { + "Icon": "The conditional formatting of the actual value's icon.", + "TextColor": "The conditional formatting of the actual value's text color." + }, + "AWS::QuickSight::Template KPIComparisonValueConditionalFormatting": { + "Icon": "The conditional formatting of the comparison value's icon.", + "TextColor": "The conditional formatting of the comparison value's text color." + }, "AWS::QuickSight::Template KPIConditionalFormatting": { "ConditionalFormattingOptions": "The conditional formatting options of a KPI visual." }, "AWS::QuickSight::Template KPIConditionalFormattingOption": { + "ActualValue": "The conditional formatting for the actual value of a KPI visual.", + "ComparisonValue": "The conditional formatting for the comparison value of a KPI visual.", "PrimaryValue": "The conditional formatting for the primary value of a KPI visual.", "ProgressBar": "The conditional formatting for the progress bar of a KPI visual." }, 
@@ -29531,7 +33381,9 @@ "ProgressBar": "The options that determine the presentation of the progress bar of a KPI visual.", "SecondaryValue": "The options that determine the presentation of the secondary value of a KPI visual.", "SecondaryValueFontConfiguration": "The options that determine the secondary value font configuration.", - "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual." + "Sparkline": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual.", + "VisualLayoutOptions": "The options that determine the layout a KPI visual." }, "AWS::QuickSight::Template KPIPrimaryValueConditionalFormatting": { "Icon": "The conditional formatting of the primary value's icon.", @@ -29543,6 +33395,12 @@ "AWS::QuickSight::Template KPISortConfiguration": { "TrendGroupSort": "The sort configuration of the trend group fields." }, + "AWS::QuickSight::Template KPISparklineOptions": { + "Color": "The color of the sparkline.", + "TooltipVisibility": "The tooltip visibility of the sparkline.", + "Type": "The type of the sparkline.", + "Visibility": "The visibility of the sparkline." + }, "AWS::QuickSight::Template KPIVisual": { "Actions": "The list of custom actions that are configured for a visual.", "ChartConfiguration": "The configuration of a KPI visual.", 
@@ -29552,6 +33410,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers." }, + "AWS::QuickSight::Template KPIVisualLayoutOptions": { + "StandardLayout": "The standard layout of the KPI visual." + }, + "AWS::QuickSight::Template KPIVisualStandardLayout": { + "Type": "The standard layout type." + }, "AWS::QuickSight::Template LabelOptions": { "CustomLabel": "The text for the label.", "FontConfiguration": "The font configuration of the label.", @@ -29643,6 +33507,7 @@ "MissingDataConfigurations": "The configuration options that determine how missing data is treated during the rendering of a line chart." }, "AWS::QuickSight::Template ListControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SearchOptions": "The configuration of the search options in a list control.", "SelectAllOptions": "The configuration of the `Select all` options in a list control.", "TitleOptions": "The options to configure the title visibility, name, and font size." 
@@ -29984,10 +33849,13 @@ "CollapsedRowDimensionsVisibility": "The visibility setting of a pivot table's collapsed row dimension fields. If the value of this structure is `HIDDEN` , all collapsed columns in a pivot table are automatically hidden. The default value is `VISIBLE` .", "ColumnHeaderStyle": "The table cell style of the column header.", "ColumnNamesVisibility": "The visibility of the column names.", + "DefaultCellWidth": "The default cell width of the pivot table.", "MetricPlacement": "The metric placement (row, column) options.", "RowAlternateColorOptions": "The row alternate color options (widget status, row alternate colors).", "RowFieldNamesStyle": "The table cell style of row field names.", "RowHeaderStyle": "The table cell style of the row headers.", + "RowsLabelOptions": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "RowsLayout": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", "SingleMetricVisibility": "The visibility of the single metric options.", "ToggleButtonsVisibility": "Determines the visibility of the pivot table." }, 
@@ -29995,6 +33863,10 @@ "OverflowColumnHeaderVisibility": "The visibility of the repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of the printing table overflow across pages." }, + "AWS::QuickSight::Template PivotTableRowsLabelOptions": { + "CustomLabel": "The custom label string for the rows label.", + "Visibility": "The visibility of the rows label." + }, "AWS::QuickSight::Template PivotTableSortBy": { "Column": "The column sort (field id, direction) for the pivot table sort by options.", "DataPath": "The data path sort (data path value, direction) for the pivot table sort by options.", @@ -30022,6 +33894,7 @@ "MetricHeaderCellStyle": "The cell styling options for the total of header cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation options for each value field.", "TotalCellStyle": "The cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells.", "ValueCellStyle": "The cell styling options for the totals of value cells." @@ -30092,8 +33965,9 @@ "CustomLabel": "The string text of the custom label." }, "AWS::QuickSight::Template ReferenceLineDataConfiguration": { - "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "DynamicConfiguration": "The dynamic configuration of the reference line data configuration.", + "SeriesType": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", "StaticConfiguration": "The static data configuration of the reference line data configuration." }, "AWS::QuickSight::Template ReferenceLineDynamicDataConfiguration": { 
@@ -30122,6 +33996,7 @@ }, "AWS::QuickSight::Template RelativeDateTimeControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Template RelativeDatesFilter": { @@ -30147,7 +34022,8 @@ }, "AWS::QuickSight::Template RowAlternateColorOptions": { "RowAlternateColors": "Determines the list of row alternate colors.", - "Status": "Determines the widget status." + "Status": "Determines the widget status.", + "UsePrimaryBackgroundColor": "The primary background color options for alternate rows." }, "AWS::QuickSight::Template SameSheetTargetVisualConfiguration": { "TargetVisualOptions": "The options that choose the target visual in the same sheet.\n\nValid values are defined as follows:\n\n- `ALL_VISUALS` : Applies the filter operation to all visuals in the same sheet.", @@ -30267,6 +34143,10 @@ "Name": "The name of a sheet. This name is displayed on the sheet's tab in the Amazon QuickSight console.", "SheetId": "The unique identifier associated with a sheet." }, + "AWS::QuickSight::Template SheetControlInfoIconLabelOptions": { + "InfoIconText": "The text content of info icon.", + "Visibility": "The visibility configuration of info icon label options." + }, "AWS::QuickSight::Template SheetControlLayout": { "Configuration": "The configuration that determines the elements and canvas size options of sheet control." }, 
@@ -30310,12 +34190,19 @@ "Color": "The color of the simple cluster marker." }, "AWS::QuickSight::Template SliderControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, + "AWS::QuickSight::Template SmallMultiplesAxisProperties": { + "Placement": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "Scale": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` ." + }, "AWS::QuickSight::Template SmallMultiplesOptions": { "MaxVisibleColumns": "Sets the maximum number of visible columns to display in the grid of small multiples panels.\n\nThe default is `Auto` , which automatically adjusts the columns in the grid to fit the overall layout and size of the given chart.", "MaxVisibleRows": "Sets the maximum number of visible rows to display in the grid of small multiples panels.\n\nThe default value is `Auto` , which automatically adjusts the rows in the grid to fit the overall layout and size of the given chart.", - "PanelConfiguration": "Configures the display options for each small multiples panel." + "PanelConfiguration": "Configures the display options for each small multiples panel.", + "XAxis": "The properties of a small multiples X axis.", + "YAxis": "The properties of a small multiples Y axis." }, "AWS::QuickSight::Template Spacing": { "Bottom": "Define the bottom spacing.", 
@@ -30347,6 +34234,7 @@ "FieldLevel": "The field level (all, custom, last) for the subtotal cells.", "FieldLevelOptions": "The optional configuration of subtotal cells.", "MetricHeaderCellStyle": "The cell styling options for the subtotals of header cells.", + "StyleTargets": "The style targets options for subtotals.", "TotalCellStyle": "The cell styling options for the subtotal cells.", "TotalsVisibility": "The visibility configuration for the subtotal cells.", "ValueCellStyle": "The cell styling options for the subtotals of value cells." @@ -30419,8 +34307,9 @@ "Width": "The width for a table field." }, "AWS::QuickSight::Template TableFieldOptions": { - "Order": "The order of field IDs of the field options for a table visual.", - "SelectedFieldOptions": "The selected field options for the table field options." + "Order": "The order of the field IDs that are configured as field options for a table visual.", + "PinnedFieldOptions": "The settings for the pinned columns of a table visual.", + "SelectedFieldOptions": "The field options to be configured to a table." }, "AWS::QuickSight::Template TableFieldURLConfiguration": { "ImageConfiguration": "The image configuration of a table field URL.", @@ -30443,6 +34332,9 @@ "OverflowColumnHeaderVisibility": "The visibility of repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of printing table overflow across pages." }, + "AWS::QuickSight::Template TablePinnedFieldOptions": { + "PinnedLeftFields": "A list of columns to be pinned to the left of a table visual." + }, "AWS::QuickSight::Template TableRowConditionalFormatting": { "BackgroundColor": "The conditional formatting color (solid, gradient) of the background for a table row.", "TextColor": "The conditional formatting color (solid, gradient) of the text for a table row." 
@@ -30459,6 +34351,9 @@ "PaginationConfiguration": "The pagination configuration (page size, page number) for the table.", "RowSort": "The field sort options for rows in the table." }, + "AWS::QuickSight::Template TableStyleTarget": { + "CellType": "The cell type of the table style target." + }, "AWS::QuickSight::Template TableUnaggregatedFieldWells": { "Values": "The values field well for a pivot table. Values are unaggregated for an unaggregated table." }, @@ -30470,6 +34365,10 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers.." }, + "AWS::QuickSight::Template Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Template TemplateError": { "Message": "Description of the error type.", "Type": "Type of error.", 
@@ -30503,10 +34402,12 @@ "ColumnConfigurations": "An array of template-level column configurations. Column configurations are used to set default formatting for a column that's used throughout a template.", "DataSetConfigurations": "An array of dataset configurations. These configurations define the required columns for each dataset used within a template.", "FilterGroups": "Filter definitions for a template.\n\nFor more information, see [Filtering Data](https://docs.aws.amazon.com/quicksight/latest/user/filtering-visual-data.html) in the *Amazon QuickSight User Guide* .", + "Options": "An array of option definitions for a template.", "ParameterDeclarations": "An array of parameter declarations for a template.\n\n*Parameters* are named variables that can transfer a value for use by an action or an object.\n\nFor more information, see [Parameters in Amazon QuickSight](https://docs.aws.amazon.com/quicksight/latest/user/parameters-in-quicksight.html) in the *Amazon QuickSight User Guide* .", "Sheets": "An array of sheet definitions for a template." }, "AWS::QuickSight::Template TextAreaControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text area control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -30519,6 +34420,7 @@ "Visibility": "The visibility configuration of the placeholder options in a text control." }, "AWS::QuickSight::Template TextFieldControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text field control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, 
@@ -30537,9 +34439,10 @@ "AWS::QuickSight::Template TimeEqualityFilter": { "Column": "The column that the filter is applied to.", "FilterId": "An identifier that uniquely identifies a filter within a dashboard, analysis, or template.", - "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", + "RollingDate": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values.", - "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` ." + "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` ." }, "AWS::QuickSight::Template TimeRangeDrillDownFilter": { "Column": "The column that the filter is applied to.", 
@@ -30603,10 +34506,18 @@ "Name": "The name of a computation.", "Value": "The value field that is used in a computation." }, + "AWS::QuickSight::Template TotalAggregationFunction": { + "SimpleTotalAggregationFunction": "A built in aggregation function for total values." + }, + "AWS::QuickSight::Template TotalAggregationOption": { + "FieldId": "The field id that's associated with the total aggregation option.", + "TotalAggregationFunction": "The total aggregation function that you want to set for a specified field id." + }, "AWS::QuickSight::Template TotalOptions": { "CustomLabel": "The custom label string for the total cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation settings for each value field.", "TotalCellStyle": "Cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells." }, @@ -30654,6 +34565,9 @@ "ComputationId": "The ID for a computation.", "Name": "The name of a computation." }, + "AWS::QuickSight::Template ValidationStrategy": { + "Mode": "The mode of validation for the asset to be created or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors." + }, "AWS::QuickSight::Template VisibleRangeOptions": { "PercentRange": "The percent range in the visible range." }, @@ -30803,7 +34717,7 @@ "MinMaxGradient": "The minimum and maximum hexadecimal codes that describe a color gradient." }, "AWS::QuickSight::Theme Font": { - "FontFamily": "" + "FontFamily": "Determines the font family settings." }, "AWS::QuickSight::Theme GutterStyle": { "Show": "This Boolean value controls whether to display a gutter space between sheet tiles." 
@@ -30820,6 +34734,10 @@ "Tile": "The display options for tiles.", "TileLayout": "The layout options for tiles." }, + "AWS::QuickSight::Theme Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Theme ThemeConfiguration": { "DataColorPalette": "Color properties that apply to chart data colors.", "Sheet": "Display options related to sheets.", @@ -30848,7 +34766,7 @@ "Border": "The border around a tile." }, "AWS::QuickSight::Theme Typography": { - "FontFamilies": "" + "FontFamilies": "Determines the list of font families." }, "AWS::QuickSight::Theme UIColorPalette": { "Accent": "This color is that applies to selected states and buttons.", @@ -30965,6 +34883,7 @@ "Expression": "The calculated field expression.", "IsIncludedInTopic": "A boolean value that indicates if a calculated field is included in the topic.", "NeverAggregateInFilter": "A Boolean value that indicates whether to never aggregate calculated field in filters.", + "NonAdditive": "The non additive for the table style target.", "NotAllowedAggregations": "The list of aggregation types that are not allowed for the calculated field. Valid values for this structure are `COUNT` , `DISTINCT_COUNT` , `MIN` , `MAX` , `MEDIAN` , `SUM` , `AVERAGE` , `STDEV` , `STDEVP` , `VAR` , `VARP` , and `PERCENTILE` .", "SemanticType": "The semantic type.", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values." 
@@ -30981,7 +34900,7 @@ "SingularConstant": "A singular constant used in a category filter. This element is used to specify a single value for the constant." }, "AWS::QuickSight::Topic TopicColumn": { - "Aggregation": "The type of aggregation that is performed on the column data when it's queried. Valid values for this structure are `SUM` , `MAX` , `MIN` , `COUNT` , `DISTINCT_COUNT` , and `AVERAGE` .", + "Aggregation": "The type of aggregation that is performed on the column data when it's queried.", "AllowedAggregations": "The list of aggregation types that are allowed for the column. Valid values for this structure are `COUNT` , `DISTINCT_COUNT` , `MIN` , `MAX` , `MEDIAN` , `SUM` , `AVERAGE` , `STDEV` , `STDEVP` , `VAR` , `VARP` , and `PERCENTILE` .", "CellValueSynonyms": "The other names or aliases for the column cell value.", "ColumnDataRole": "The role of the column in the data. Valid values are `DIMENSION` and `MEASURE` .", @@ -30993,6 +34912,7 @@ "DefaultFormatting": "The default formatting used for values in the column.", "IsIncludedInTopic": "A Boolean value that indicates whether the column is included in the query results.", "NeverAggregateInFilter": "A Boolean value that indicates whether to aggregate the column data when it's used in a filter context.", + "NonAdditive": "The non additive value for the column.", "NotAllowedAggregations": "The list of aggregation types that are not allowed for the column. Valid values for this structure are `COUNT` , `DISTINCT_COUNT` , `MIN` , `MAX` , `MEDIAN` , `SUM` , `AVERAGE` , `STDEV` , `STDEVP` , `VAR` , `VARP` , and `PERCENTILE` .", "SemanticType": "The semantic type of data contained in the column.", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values." 
@@ -31061,20 +34981,33 @@ "Status": "The status of the network interface.", "SubnetId": "The subnet ID associated with the network interface." }, + "AWS::QuickSight::VPCConnection Tag": { + "Key": "", + "Value": "" + }, "AWS::RAM::Permission": { "Name": "Specifies the name of the customer managed permission. The name must be unique within the AWS Region .", "PolicyTemplate": "A string in JSON format string that contains the following elements of a resource-based policy:\n\n- *Effect* : must be set to `ALLOW` .\n- *Action* : specifies the actions that are allowed by this customer managed permission. The list must contain only actions that are supported by the specified resource type. For a list of all actions supported by each resource type, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *AWS Identity and Access Management User Guide* .\n- *Condition* : (optional) specifies conditional parameters that must evaluate to true when a user attempts an action for that action to be allowed. For more information about the Condition element, see [IAM policies: Condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *AWS Identity and Access Management User Guide* .\n\nThis template can't include either the `Resource` or `Principal` elements. Those are both filled in by AWS RAM when it instantiates the resource-based policy on each resource shared using this managed permission. The `Resource` comes from the ARN of the specific resource that you are sharing. The `Principal` comes from the list of identities added to the resource share.", "ResourceType": "Specifies the name of the resource type that this customer managed permission applies to.\n\nThe format is `** : **` and is not case sensitive. 
For example, to specify an Amazon EC2 Subnet, you can use the string `ec2:subnet` . To see the list of valid values for this parameter, query the [ListResourceTypes](https://docs.aws.amazon.com/ram/latest/APIReference/API_ListResourceTypes.html) operation.", "Tags": "Specifies a list of one or more tag key and value pairs to attach to the permission." }, + "AWS::RAM::Permission Tag": { + "Key": "The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive.", + "Value": "The string value attached to the tag. The value can be an empty string. Key values are case sensitive." + }, "AWS::RAM::ResourceShare": { "AllowExternalPrincipals": "Specifies whether principals outside your organization in AWS Organizations can be associated with a resource share. A value of `true` lets you share with individual AWS accounts that are *not* in your organization. A value of `false` only has meaning if your account is a member of an AWS Organization. The default value is `true` .", "Name": "Specifies the name of the resource share.", "PermissionArns": "Specifies the [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) of the AWS RAM permission to associate with the resource share. If you do not specify an ARN for the permission, AWS RAM automatically attaches the default version of the permission for each resource type. You can associate only one permission with each resource type included in the resource share.", "Principals": "Specifies the principals to associate with the resource share. The possible values are:\n\n- An AWS account ID\n- An Amazon Resource Name (ARN) of an organization in AWS Organizations\n- An ARN of an organizational unit (OU) in AWS Organizations\n- An ARN of an IAM role\n- An ARN of an IAM user\n\n> Not all resource types can be shared with IAM roles and users. 
For more information, see the column *Can share with IAM roles and users* in the tables on [Shareable AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/shareable.html) in the *AWS Resource Access Manager User Guide* .", "ResourceArns": "Specifies a list of one or more ARNs of the resources to associate with the resource share.", + "Sources": "", "Tags": "Specifies one or more tags to attach to the resource share itself. It doesn't attach the tags to the resources associated with the resource share." }, + "AWS::RAM::ResourceShare Tag": { + "Key": "The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive.", + "Value": "The string value attached to the tag. The value can be an empty string. Key values are case sensitive." + }, "AWS::RDS::CustomDBEngineVersion": { "DatabaseInstallationFilesS3BucketName": "The name of an Amazon S3 bucket that contains database installation files for your CEV. For example, a valid bucket name is `my-custom-installation-files` .", "DatabaseInstallationFilesS3Prefix": "The Amazon S3 directory that contains the database installation files for your CEV. For example, a valid bucket name is `123456789012/cev1` . If this setting isn't specified, no prefix is assumed.", 
@@ -31086,6 +35019,10 @@ "Status": "A value that indicates the status of a custom engine version (CEV).", "Tags": "A list of tags. For more information, see [Tagging Amazon RDS Resources](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon RDS User Guide.*" }, + "AWS::RDS::CustomDBEngineVersion Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBCluster": { "AllocatedStorage": "The amount of storage in gibibytes (GiB) to allocate to each DB instance in the Multi-AZ DB cluster.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nThis setting is required to create a Multi-AZ DB cluster.", "AssociatedRoles": "Provides a list of the AWS Identity and Access Management (IAM) roles that are associated with the DB cluster. IAM roles that are associated with a DB cluster grant permission for the DB cluster to access other Amazon Web Services on your behalf.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", 
@@ -31105,6 +35042,7 @@ "Domain": "Indicates the directory ID of the Active Directory to create the DB cluster.\n\nFor Amazon Aurora DB clusters, Amazon RDS can use Kerberos authentication to authenticate users that connect to the DB cluster.\n\nFor more information, see [Kerberos authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/kerberos-authentication.html) in the *Amazon Aurora User Guide* .\n\nValid for: Aurora DB clusters only", "DomainIAMRoleName": "Specifies the name of the IAM role to use when making API calls to the Directory Service.\n\nValid for: Aurora DB clusters only", "EnableCloudwatchLogsExports": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Aurora User Guide* .\n\n*Aurora MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Aurora PostgreSQL*\n\nValid values: `postgresql`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "EnableGlobalWriteForwarding": "Specifies whether to enable this DB cluster to forward write operations to the primary cluster of a global cluster (Aurora global database). By default, write operations are not allowed on Aurora DB clusters that are secondary clusters in an Aurora global database.\n\nYou can set this value only on Aurora DB clusters that are members of an Aurora global database. With this parameter enabled, a secondary cluster can forward writes to the current primary cluster, and the resulting changes are replicated back to this cluster. 
For the primary DB cluster of an Aurora global database, this value is used immediately if the primary is demoted by a global cluster API operation, but it does nothing until then.\n\nValid for Cluster Type: Aurora DB clusters only", "EnableHttpEndpoint": "A value that indicates whether to enable the HTTP endpoint for an Aurora Serverless DB cluster. By default, the HTTP endpoint is disabled.\n\nWhen enabled, the HTTP endpoint provides a connectionless web service API for running SQL queries on the Aurora Serverless DB cluster. You can also query your database from inside the RDS console with the query editor.\n\nFor more information, see [Using the Data API for Aurora Serverless](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html) in the *Amazon Aurora User Guide* .\n\nValid for: Aurora DB clusters only", "EnableIAMDatabaseAuthentication": "A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled.\n\nFor more information, see [IAM Database Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon Aurora User Guide.*\n\nValid for: Aurora DB clusters only", "Engine": "The name of the database engine to be used for this DB cluster.\n\nValid Values:\n\n- `aurora-mysql`\n- `aurora-postgresql`\n- `mysql`\n- `postgres`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", 
@@ -31112,7 +35050,7 @@ "EngineVersion": "The version number of the database engine to use.\n\nTo list all of the available engine versions for Aurora MySQL version 2 (5.7-compatible) and version 3 (8.0-compatible), use the following command:\n\n`aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"`\n\nYou can supply either `5.7` or `8.0` to use the default engine version for Aurora MySQL version 2 or version 3, respectively.\n\nTo list all of the available engine versions for Aurora PostgreSQL, use the following command:\n\n`aws rds describe-db-engine-versions --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\"`\n\nTo list all of the available engine versions for RDS for MySQL, use the following command:\n\n`aws rds describe-db-engine-versions --engine mysql --query \"DBEngineVersions[].EngineVersion\"`\n\nTo list all of the available engine versions for RDS for PostgreSQL, use the following command:\n\n`aws rds describe-db-engine-versions --engine postgres --query \"DBEngineVersions[].EngineVersion\"`\n\n*Aurora MySQL*\n\nFor information, see [Database engine updates for Amazon Aurora MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Updates.html) in the *Amazon Aurora User Guide* .\n\n*Aurora PostgreSQL*\n\nFor information, see [Amazon Aurora PostgreSQL releases and engine versions](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Updates.20180305.html) in the *Amazon Aurora User Guide* .\n\n*MySQL*\n\nFor information, see [Amazon RDS for MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide* .\n\n*PostgreSQL*\n\nFor information, see [Amazon RDS for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts) in the *Amazon RDS User Guide* .\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", 
"GlobalClusterIdentifier": "If you are configuring an Aurora global database cluster and want your Aurora DB cluster to be a secondary member in the global database cluster, specify the global cluster ID of the global database cluster. To define the primary database cluster of the global cluster, use the [AWS::RDS::GlobalCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html) resource.\n\nIf you aren't configuring a global database cluster, don't specify this property.\n\n> To remove the DB cluster from a global database cluster, specify an empty value for the `GlobalClusterIdentifier` property. \n\nFor information about Aurora global databases, see [Working with Amazon Aurora Global Databases](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html) in the *Amazon Aurora User Guide* .\n\nValid for: Aurora DB clusters only", "Iops": "The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for each DB instance in the Multi-AZ DB cluster.\n\nFor information about valid IOPS values, see [Provisioned IOPS storage](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide* .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nConstraints:\n\n- Must be a multiple between .5 and 50 of the storage amount for the DB cluster.", - "KmsKeyId": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. 
If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "KmsKeyId": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nIf you create a read replica of an encrypted DB cluster in another AWS Region, make sure to set `KmsKeyId` to a KMS key identifier that is valid in the destination AWS Region. 
This KMS key is used to encrypt the read replica in that AWS Region.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "ManageMasterUserPassword": "Specifies whether to manage the master user password with AWS Secrets Manager.\n\nFor more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide* and [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html) in the *Amazon Aurora User Guide.*\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nConstraints:\n\n- Can't manage the master user password with AWS Secrets Manager if `MasterUserPassword` is specified.", "MasterUserPassword": "The master password for the DB instance.\n\n> If you specify the `SourceDBClusterIdentifier` , `SnapshotIdentifier` , or `GlobalClusterIdentifier` property, don't specify this property. The value is inherited from the source DB cluster, the snapshot, or the primary DB cluster for the global database cluster, respectively. \n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "MasterUserSecret": "The secret managed by RDS in AWS Secrets Manager for the master user password.\n\nFor more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide* and [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html) in the *Amazon Aurora User Guide.*", 
@@ -31127,8 +35065,9 @@ "PreferredBackupWindow": "The daily time range during which automated backups are created. For more information, see [Backup Window](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.Backups.BackupWindow) in the *Amazon Aurora User Guide.*\n\nConstraints:\n\n- Must be in the format `hh24:mi-hh24:mi` .\n- Must be in Universal Coordinated Time (UTC).\n- Must not conflict with the preferred maintenance window.\n- Must be at least 30 minutes.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "PreferredMaintenanceWindow": "The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).\n\nFormat: `ddd:hh24:mi-ddd:hh24:mi`\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week. To see the time blocks available, see [Adjusting the Preferred DB Cluster Maintenance Window](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow.Aurora) in the *Amazon Aurora User Guide.*\n\nValid Days: Mon, Tue, Wed, Thu, Fri, Sat, Sun.\n\nConstraints: Minimum 30-minute window.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "PubliclyAccessible": "Specifies whether the DB cluster is publicly accessible.\n\nWhen the DB cluster is publicly accessible, its Domain Name System (DNS) endpoint resolves to the private IP address from within the DB cluster's virtual private cloud (VPC). It resolves to the public IP address from outside of the DB cluster's VPC. Access to the DB cluster is ultimately controlled by the security group it uses. 
That public access isn't permitted if the security group assigned to the DB cluster doesn't permit it.\n\nWhen the DB cluster isn't publicly accessible, it is an internal DB cluster with a DNS name that resolves to a private IP address.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nDefault: The default behavior varies depending on whether `DBSubnetGroupName` is specified.\n\nIf `DBSubnetGroupName` isn't specified, and `PubliclyAccessible` isn't specified, the following applies:\n\n- If the default VPC in the target Region doesn\u2019t have an internet gateway attached to it, the DB cluster is private.\n- If the default VPC in the target Region has an internet gateway attached to it, the DB cluster is public.\n\nIf `DBSubnetGroupName` is specified, and `PubliclyAccessible` isn't specified, the following applies:\n\n- If the subnets are part of a VPC that doesn\u2019t have an internet gateway attached to it, the DB cluster is private.\n- If the subnets are part of a VPC that has an internet gateway attached to it, the DB cluster is public.", + "ReadEndpoint": "This data type represents the information you need to connect to an Amazon RDS DB instance. 
This data type is used as a response element in the following actions:\n\n- `CreateDBInstance`\n- `DescribeDBInstances`\n- `DeleteDBInstance`\n\nFor the data structure that represents Amazon Aurora DB cluster endpoints, see `DBClusterEndpoint` .", "ReplicationSourceIdentifier": "The Amazon Resource Name (ARN) of the source DB instance or DB cluster if this DB cluster is created as a read replica.\n\nValid for: Aurora DB clusters only", - "RestoreToTime": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "RestoreToTime": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nThis property must be used with `SourceDBClusterIdentifier` property. The resulting cluster will have the identifier that matches the value of the `DBclusterIdentifier` property.\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "RestoreType": "The type of restore to be performed. 
You can specify one of the following values:\n\n- `full-copy` - The new DB cluster is restored as a full copy of the source DB cluster.\n- `copy-on-write` - The new DB cluster is restored as a clone of the source DB cluster.\n\nIf you don't specify a `RestoreType` value, then the new DB cluster is restored as a full copy of the source DB cluster.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "ScalingConfiguration": "The `ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless DB cluster.\n\nThis property is only supported for Aurora Serverless v1. For Aurora Serverless v2, use `ServerlessV2ScalingConfiguration` property.\n\nValid for: Aurora DB clusters only", "ServerlessV2ScalingConfiguration": "The `ServerlessV2ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless V2 DB cluster.\n\nThis property is only supported for Aurora Serverless v2. For Aurora Serverless v1, use `ScalingConfiguration` property.\n\nValid for: Aurora DB clusters only", 
@@ -31136,7 +35075,7 @@ "SourceDBClusterIdentifier": "When restoring a DB cluster to a point in time, the identifier of the source DB cluster from which to restore.\n\nConstraints:\n\n- Must match the identifier of an existing DBCluster.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "SourceRegion": "The AWS Region which contains the source DB cluster when replicating a DB cluster. For example, `us-east-1` .\n\nValid for: Aurora DB clusters only", "StorageEncrypted": "Indicates whether the DB cluster is encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBClusterIdentifier` property, don't specify this property. The value is inherited from the source DB cluster, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB cluster is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB cluster to be encrypted, then don't set this property or set it to `false` .\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", - "StorageType": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . 
For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`", + "StorageType": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`\n\n> When you create an Aurora DB cluster with the storage type set to `aurora-iopt1` , the storage type is returned in the response. 
The storage type isn't returned when you set it to `aurora` .", "Tags": "An optional array of key-value pairs to apply to this DB cluster.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "UseLatestRestorableTime": "A value that indicates whether to restore the DB cluster to the latest restorable backup time. By default, the DB cluster is not restored to the latest restorable backup time.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "VpcSecurityGroupIds": "A list of EC2 VPC security groups to associate with this DB cluster.\n\nIf you plan to update the resource, don't specify VPC security groups in a shared VPC.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters" 
@@ -31157,7 +35096,7 @@ "Address": "The host address of the reader endpoint." }, "AWS::RDS::DBCluster ScalingConfiguration": { - "AutoPause": "A value that indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", + "AutoPause": "Indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", "MaxCapacity": "The maximum capacity for an Aurora DB cluster in `serverless` DB engine mode.\n\nFor Aurora MySQL, valid capacity values are `1` , `2` , `4` , `8` , `16` , `32` , `64` , `128` , and `256` .\n\nFor Aurora PostgreSQL, valid capacity values are `2` , `4` , `8` , `16` , `32` , `64` , `192` , and `384` .\n\nThe maximum capacity must be greater than or equal to the minimum capacity.", "MinCapacity": "The minimum capacity for an Aurora DB cluster in `serverless` DB engine mode.\n\nFor Aurora MySQL, valid capacity values are `1` , `2` , `4` , `8` , `16` , `32` , `64` , `128` , and `256` .\n\nFor Aurora PostgreSQL, valid capacity values are `2` , `4` , `8` , `16` , `32` , `64` , `192` , and `384` .\n\nThe minimum capacity must be less than or equal to the maximum capacity.", "SecondsBeforeTimeout": "The amount of time, in seconds, that Aurora Serverless v1 tries to find a scaling point to perform seamless scaling before enforcing the timeout action. The default is 300.\n\nSpecify a value between 60 and 600 seconds.", 
@@ -31168,6 +35107,10 @@ "MaxCapacity": "The maximum number of Aurora capacity units (ACUs) for a DB instance in an Aurora Serverless v2 cluster. You can specify ACU values in half-step increments, such as 40, 40.5, 41, and so on. The largest value that you can use is 128.\n\nThe maximum capacity must be higher than 0.5 ACUs. For more information, see [Choosing the maximum Aurora Serverless v2 capacity setting for a cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.setting-capacity.html#aurora-serverless-v2.max_capacity_considerations) in the *Amazon Aurora User Guide* .", "MinCapacity": "The minimum number of Aurora capacity units (ACUs) for a DB instance in an Aurora Serverless v2 cluster. You can specify ACU values in half-step increments, such as 8, 8.5, 9, and so on. The smallest value that you can use is 0.5." }, + "AWS::RDS::DBCluster Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." 
+ }, "AWS::RDS::DBClusterParameterGroup": { "DBClusterParameterGroupName": "The name of the DB cluster parameter group.\n\nConstraints:\n\n- Must not match the name of an existing DB cluster parameter group.\n\nIf you don't specify a value for `DBClusterParameterGroupName` property, a name is automatically created for the DB cluster parameter group.\n\n> This value is stored as a lowercase string.", "Description": "A friendly description for this DB cluster parameter group.", 
@@ -31175,11 +35118,16 @@ "Parameters": "Provides a list of parameters for the DB cluster parameter group.", "Tags": "An optional array of key-value pairs to apply to this DB cluster parameter group." }, + "AWS::RDS::DBClusterParameterGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBInstance": { - "AllocatedStorage": "The amount of storage in gibibytes (GiB) to be initially allocated for the database instance.\n\n> If any value is set in the `Iops` parameter, `AllocatedStorage` must be at least 100 GiB, which corresponds to the minimum Iops value of 1,000. If you increase the `Iops` value (in 1,000 IOPS increments), then you must also increase the `AllocatedStorage` value (in 100-GiB increments). \n\n*Amazon Aurora*\n\nNot applicable. 
Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume.\n\n*MySQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*MariaDB*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*PostgreSQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*Oracle*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 10 to 3072.\n\n*SQL Server*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Provisioned IOPS storage (io1):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Magnetic storage (standard):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 1024.\n- 
Web and Express editions: Must be an integer from 20 to 1024.", + "AllocatedStorage": "The amount of storage in gibibytes (GiB) to be initially allocated for the database instance.\n\n> If any value is set in the `Iops` parameter, `AllocatedStorage` must be at least 100 GiB, which corresponds to the minimum Iops value of 1,000. If you increase the `Iops` value (in 1,000 IOPS increments), then you must also increase the `AllocatedStorage` value (in 100-GiB increments). \n\n*Amazon Aurora*\n\nNot applicable. Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume.\n\n*Db2*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp3): Must be an integer from 20 to 64000.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 64000.\n\n*MySQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*MariaDB*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*PostgreSQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*Oracle*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage 
(gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 10 to 3072.\n\n*SQL Server*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Provisioned IOPS storage (io1):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Magnetic storage (standard):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 1024.\n- Web and Express editions: Must be an integer from 20 to 1024.", "AllowMajorVersionUpgrade": "A value that indicates whether major version upgrades are allowed. Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible.\n\nConstraints: Major version upgrades must be allowed when specifying a value for the `EngineVersion` parameter that is a different major version than the DB instance's current version.", "AssociatedRoles": "The AWS Identity and Access Management (IAM) roles associated with the DB instance.\n\n*Amazon Aurora*\n\nNot applicable. The associated roles are managed by the DB cluster.", "AutoMinorVersionUpgrade": "A value that indicates whether minor engine upgrades are applied automatically to the DB instance during the maintenance window. By default, minor engine upgrades are applied automatically.", + "AutomaticBackupReplicationRegion": "The destination region for the backup replication of the DB instance. 
For more info, see [Replicating automated backups to another AWS Region](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReplicateBackups.html) in the *Amazon RDS User Guide* .", "AvailabilityZone": "The Availability Zone (AZ) where the database will be created. For information on AWS Regions and Availability Zones, see [Regions and Availability Zones](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) .\n\nFor Amazon Aurora, each Aurora DB cluster hosts copies of its storage in three separate Availability Zones. Specify one of these Availability Zones. Aurora automatically chooses an appropriate Availability Zone if you don't specify one.\n\nDefault: A random, system-chosen Availability Zone in the endpoint's AWS Region .\n\nConstraints:\n\n- The `AvailabilityZone` parameter can't be specified if the DB instance is a Multi-AZ deployment.\n- The specified Availability Zone must be in the same AWS Region as the current endpoint.\n\nExample: `us-east-1d`", "BackupRetentionPeriod": "The number of days for which automated backups are retained. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups.\n\n*Amazon Aurora*\n\nNot applicable. The retention period for automated backups is managed by the DB cluster.\n\nDefault: 1\n\nConstraints:\n\n- Must be a value from 0 to 35\n- Can't be set to 0 if the DB instance is a source to read replicas", "CACertificateIdentifier": "The identifier of the CA certificate for this DB instance.\n\n> Specifying or updating this property triggers a reboot. 
\n\nFor more information about CA certificate identifiers for RDS DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon RDS User Guide* .\n\nFor more information about CA certificate identifiers for Aurora DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon Aurora User Guide* .", 
@@ -31192,28 +35140,34 @@ "DBClusterSnapshotIdentifier": "The identifier for the RDS for MySQL Multi-AZ DB cluster snapshot to restore from.\n\nFor more information on Multi-AZ DB clusters, see [Multi-AZ DB cluster deployments](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html) in the *Amazon RDS User Guide* .\n\nConstraints:\n\n- Must match the identifier of an existing Multi-AZ DB cluster snapshot.\n- Can't be specified when `DBSnapshotIdentifier` is specified.\n- Must be specified when `DBSnapshotIdentifier` isn't specified.\n- If you are restoring from a shared manual Multi-AZ DB cluster snapshot, the `DBClusterSnapshotIdentifier` must be the ARN of the shared snapshot.\n- Can't be the identifier of an Aurora DB cluster snapshot.\n- Can't be the identifier of an RDS for PostgreSQL Multi-AZ DB cluster snapshot.", "DBInstanceClass": "The compute and memory capacity of the DB instance, for example, `db.m4.large` . Not all DB instance classes are available in all AWS Regions, or for all database engines.\n\nFor the full list of DB instance classes, and availability for your engine, see [DB Instance Class](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html) in the *Amazon RDS User Guide.* For more information about DB instance class pricing and AWS Region support for DB instance classes, see [Amazon RDS Pricing](https://docs.aws.amazon.com/rds/pricing/) .", "DBInstanceIdentifier": "A name for the DB instance. If you specify a name, AWS CloudFormation converts it to lowercase. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the DB instance. 
For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nFor information about constraints that apply to DB instance identifiers, see [Naming constraints in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html#RDS_Limits.Constraints) in the *Amazon RDS User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", - "DBName": "The meaning of this parameter differs according to the database engine you use.\n\n> If you specify the `[DBSnapshotIdentifier](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier)` property, this property only applies to RDS for Oracle. \n\n*Amazon Aurora*\n\nNot applicable. The database name is managed by the DB cluster.\n\n*MySQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*MariaDB*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*PostgreSQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, the default `postgres` database is created in the DB instance.\n\nConstraints:\n\n- Must begin with a letter. 
Subsequent characters can be letters, underscores, or digits (0-9).\n- Must contain 1 to 63 characters.\n- Can't be a word reserved by the specified database engine\n\n*Oracle*\n\nThe Oracle System ID (SID) of the created DB instance. If you specify `null` , the default value `ORCL` is used. You can't specify the string NULL, or any other reserved word, for `DBName` .\n\nDefault: `ORCL`\n\nConstraints:\n\n- Can't be longer than 8 characters\n\n*SQL Server*\n\nNot applicable. Must be null.", + "DBName": "The meaning of this parameter differs according to the database engine you use.\n\n> If you specify the `[DBSnapshotIdentifier](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier)` property, this property only applies to RDS for Oracle. \n\n*Amazon Aurora*\n\nNot applicable. The database name is managed by the DB cluster.\n\n*Db2*\n\nThe name of the database to create when the DB instance is created. If this parameter isn't specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9).\n- Can't be a word reserved by the specified database engine.\n\n*MySQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*MariaDB*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*PostgreSQL*\n\nThe name of the database to create when the DB instance is created. 
If this parameter is not specified, the default `postgres` database is created in the DB instance.\n\nConstraints:\n\n- Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9).\n- Must contain 1 to 63 characters.\n- Can't be a word reserved by the specified database engine\n\n*Oracle*\n\nThe Oracle System ID (SID) of the created DB instance. If you specify `null` , the default value `ORCL` is used. You can't specify the string NULL, or any other reserved word, for `DBName` .\n\nDefault: `ORCL`\n\nConstraints:\n\n- Can't be longer than 8 characters\n\n*SQL Server*\n\nNot applicable. Must be null.", "DBParameterGroupName": "The name of an existing DB parameter group or a reference to an [AWS::RDS::DBParameterGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbparametergroup.html) resource created in the template.\n\nTo list all of the available DB parameter group names, use the following command:\n\n`aws rds describe-db-parameter-groups --query \"DBParameterGroups[].DBParameterGroupName\" --output text`\n\n> If any of the data members of the referenced parameter group are changed during an update, the DB instance might need to be restarted, which causes some interruption. If the parameter group contains static parameters, whether they were changed or not, an update triggers a reboot. \n\nIf you don't specify a value for `DBParameterGroupName` property, the default DB parameter group for the specified engine and engine version is used.", "DBSecurityGroups": "A list of the DB security groups to assign to the DB instance. The list can include both the name of existing DB security groups or references to AWS::RDS::DBSecurityGroup resources created in the template.\n\nIf you set DBSecurityGroups, you must not set VPCSecurityGroups, and vice versa. 
Also, note that the DBSecurityGroups property exists only for backwards compatibility with older regions and is no longer recommended for providing security information to an RDS DB instance. Instead, use VPCSecurityGroups.\n\n> If you specify this property, AWS CloudFormation sends only the following properties (if specified) to Amazon RDS during create operations:\n> \n> - `AllocatedStorage`\n> - `AutoMinorVersionUpgrade`\n> - `AvailabilityZone`\n> - `BackupRetentionPeriod`\n> - `CharacterSetName`\n> - `DBInstanceClass`\n> - `DBName`\n> - `DBParameterGroupName`\n> - `DBSecurityGroups`\n> - `DBSubnetGroupName`\n> - `Engine`\n> - `EngineVersion`\n> - `Iops`\n> - `LicenseModel`\n> - `MasterUsername`\n> - `MasterUserPassword`\n> - `MultiAZ`\n> - `OptionGroupName`\n> - `PreferredBackupWindow`\n> - `PreferredMaintenanceWindow`\n> \n> All other properties are ignored. Specify a virtual private cloud (VPC) security group if you want to submit other properties, such as `StorageType` , `StorageEncrypted` , or `KmsKeyId` . If you're already using the `DBSecurityGroups` property, you can't use these other properties by updating your DB instance to use a VPC security group. You must recreate the DB instance.", "DBSnapshotIdentifier": "The name or Amazon Resource Name (ARN) of the DB snapshot that's used to restore the DB instance. If you're restoring from a shared manual DB snapshot, you must specify the ARN of the snapshot.\n\nBy specifying this property, you can create a DB instance from the specified DB snapshot. If the `DBSnapshotIdentifier` property is an empty string or the `AWS::RDS::DBInstance` declaration has no `DBSnapshotIdentifier` property, AWS CloudFormation creates a new database. If the property contains a value (other than an empty string), AWS CloudFormation creates a database from the specified snapshot. 
If a snapshot with the specified name doesn't exist, AWS CloudFormation can't create the database and it rolls back the stack.\n\nSome DB instance properties aren't valid when you restore from a snapshot, such as the `MasterUsername` and `MasterUserPassword` properties. For information about the properties that you can specify, see the `RestoreDBInstanceFromDBSnapshot` action in the *Amazon RDS API Reference* .\n\nAfter you restore a DB instance with a `DBSnapshotIdentifier` property, you must specify the same `DBSnapshotIdentifier` property for any future updates to the DB instance. When you specify this property for an update, the DB instance is not restored from the DB snapshot again, and the data in the database is not changed. However, if you don't specify the `DBSnapshotIdentifier` property, an empty DB instance is created, and the original DB instance is deleted. If you specify a property that is different from the previous snapshot restore property, a new DB instance is restored from the specified `DBSnapshotIdentifier` property, and the original DB instance is deleted.\n\nIf you specify the `DBSnapshotIdentifier` property to restore a DB instance (as opposed to specifying it for DB instance updates), then don't specify the following properties:\n\n- `CharacterSetName`\n- `DBClusterIdentifier`\n- `DBName`\n- `DeleteAutomatedBackups`\n- `EnablePerformanceInsights`\n- `KmsKeyId`\n- `MasterUsername`\n- `MasterUserPassword`\n- `PerformanceInsightsKMSKeyId`\n- `PerformanceInsightsRetentionPeriod`\n- `PromotionTier`\n- `SourceDBInstanceIdentifier`\n- `SourceRegion`\n- `StorageEncrypted` (for an encrypted snapshot)\n- `Timezone`\n\n*Amazon Aurora*\n\nNot applicable. Snapshot restore is managed by the DB cluster.", "DBSubnetGroupName": "A DB subnet group to associate with the DB instance. 
If you update this value, the new subnet group must be a subnet group in a new VPC.\n\nIf there's no DB subnet group, then the DB instance isn't a VPC DB instance.\n\nFor more information about using Amazon RDS in a VPC, see [Using Amazon RDS with Amazon Virtual Private Cloud (VPC)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html) in the *Amazon RDS User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. The DB subnet group is managed by the DB cluster. If specified, the setting must match the DB cluster setting.", + "DBSystemId": "The Oracle system identifier (SID), which is the name of the Oracle database instance that manages your database files. In this context, the term \"Oracle database instance\" refers exclusively to the system global area (SGA) and Oracle background processes. If you don't specify a SID, the value defaults to `RDSCDB` . The Oracle SID is also the name of your CDB.", + "DedicatedLogVolume": "Indicates whether the DB instance has a dedicated log volume (DLV) enabled.", "DeleteAutomatedBackups": "A value that indicates whether to remove automated backups immediately after the DB instance is deleted. This parameter isn't case-sensitive. The default is to remove automated backups immediately after the DB instance is deleted.\n\n*Amazon Aurora*\n\nNot applicable. When you delete a DB cluster, all automated backups for that DB cluster are deleted and can't be recovered. Manual DB cluster snapshots of the DB cluster are not deleted.", "DeletionProtection": "A value that indicates whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled. For more information, see [Deleting a DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html) .\n\n*Amazon Aurora*\n\nNot applicable. You can enable or disable deletion protection for the DB cluster. For more information, see `CreateDBCluster` . 
DB instances in a DB cluster can be deleted even when deletion protection is enabled for the DB cluster.", - "Domain": "The Active Directory directory ID to create the DB instance in. Currently, only Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain.\n\nFor more information, see [Kerberos Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html) in the *Amazon RDS User Guide* .", + "Domain": "The Active Directory directory ID to create the DB instance in. Currently, only Db2, MySQL, Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain.\n\nFor more information, see [Kerberos Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html) in the *Amazon RDS User Guide* .", + "DomainAuthSecretArn": "The ARN for the Secrets Manager secret with the credentials for the user joining the domain.\n\nExample: `arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456`", + "DomainDnsIps": "The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers.\n\nConstraints:\n\n- Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list.\n\nExample: `123.124.125.126,234.235.236.237`", + "DomainFqdn": "The fully qualified domain name (FQDN) of an Active Directory domain.\n\nConstraints:\n\n- Can't be longer than 64 characters.\n\nExample: `mymanagedADtest.mymanagedAD.mydomain`", "DomainIAMRoleName": "The name of the IAM role to use when making API calls to the Directory Service.\n\nThis setting doesn't apply to the following DB instances:\n\n- Amazon Aurora (The domain is managed by the DB cluster.)\n- RDS Custom", - "EnableCloudwatchLogsExports": "The list of log types that need to be enabled for exporting to CloudWatch Logs. 
The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", + "DomainOu": "The Active Directory organizational unit for your DB instance to join.\n\nConstraints:\n\n- Must be in the distinguished name format.\n- Can't be longer than 64 characters.\n\nExample: `OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain`", + "EnableCloudwatchLogsExports": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. 
CloudWatch Logs exports are managed by the DB cluster.\n\n*Db2*\n\nValid values: `diag.log` , `notify.log`\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace` , `oemagent`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", "EnableIAMDatabaseAuthentication": "A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled.\n\nThis property is supported for RDS for MariaDB, RDS for MySQL, and RDS for PostgreSQL. For more information, see [IAM Database Authentication for MariaDB, MySQL, and PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon RDS User Guide.*\n\n*Amazon Aurora*\n\nNot applicable. Mapping AWS IAM accounts to database accounts is managed by the DB cluster.", "EnablePerformanceInsights": "Specifies whether to enable Performance Insights for the DB instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html) in the *Amazon RDS User Guide* .\n\nThis setting doesn't apply to RDS Custom DB instances.", "Endpoint": "The connection endpoint for the DB instance.\n\n> The endpoint might not be shown for instances with the status of `creating` .", - "Engine": "The name of the database engine that you want to use for this DB instance.\n\n> When you are creating a DB instance, the `Engine` property is required. 
\n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", - "EngineVersion": "The version number of the database engine to use.\n\nFor a list of valid engine versions, use the `DescribeDBEngineVersions` action.\n\nThe following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region.\n\n*Amazon Aurora*\n\nNot applicable. 
The version number of the database engine to be used by the DB instance is managed by the DB cluster.\n\n*MariaDB*\n\nSee [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Microsoft SQL Server*\n\nSee [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSupport) in the *Amazon RDS User Guide.*\n\n*MySQL*\n\nSee [MySQL on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Oracle*\n\nSee [Oracle Database Engine Release Notes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.PatchComposition.html) in the *Amazon RDS User Guide.*\n\n*PostgreSQL*\n\nSee [Supported PostgreSQL Database Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.DBVersions) in the *Amazon RDS User Guide.*", - "Iops": "The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000.\n\nIf you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GiB of storage (a ratio of 5:1), or specify 2000 IOPS with 200 GiB of storage (a ratio of 10:1). 
For more information, see [Amazon RDS Provisioned IOPS Storage to Improve Performance](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide* .\n\n> If you specify `io1` for the `StorageType` property, then you must also specify the `Iops` property.", + "Engine": "The name of the database engine that you want to use for this DB instance.\n\nNot every database engine is available in every AWS Region.\n\n> When you are creating a DB instance, the `Engine` property is required. \n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `db2-ae`\n- `db2-se`\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", + "EngineVersion": "The version number of the database engine to use.\n\nFor a list of valid engine versions, use the `DescribeDBEngineVersions` action.\n\nThe following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region.\n\n*Amazon Aurora*\n\nNot applicable. 
The version number of the database engine to be used by the DB instance is managed by the DB cluster.\n\n*Db2*\n\nSee [Amazon RDS for Db2](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Db2.html#Db2.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*MariaDB*\n\nSee [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Microsoft SQL Server*\n\nSee [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSupport) in the *Amazon RDS User Guide.*\n\n*MySQL*\n\nSee [MySQL on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Oracle*\n\nSee [Oracle Database Engine Release Notes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.PatchComposition.html) in the *Amazon RDS User Guide.*\n\n*PostgreSQL*\n\nSee [Supported PostgreSQL Database Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.DBVersions) in the *Amazon RDS User Guide.*", + "Iops": "The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000.\n\nIf you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GiB of storage (a ratio of 5:1), or specify 2000 IOPS with 200 GiB of storage (a ratio of 10:1). 
For more information, see [Amazon RDS Provisioned IOPS Storage to Improve Performance](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide* .\n\n> If you specify `io1` for the `StorageType` property, then you must also specify the `Iops` property. \n\nConstraints:\n\n- For RDS for Db2, MariaDB, MySQL, Oracle, and PostgreSQL - Must be a multiple between .5 and 50 of the storage amount for the DB instance.\n- For RDS for SQL Server - Must be a multiple between 1 and 50 of the storage amount for the DB instance.", "KmsKeyId": "The ARN of the AWS KMS key that's used to encrypt the DB instance, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the StorageEncrypted property but don't specify this property, AWS CloudFormation uses the default KMS key. If you specify this property, you must set the StorageEncrypted property to true.\n\nIf you specify the `SourceDBInstanceIdentifier` property, the value is inherited from the source DB instance if the read replica is created in the same region.\n\nIf you create an encrypted read replica in a different AWS Region, then you must specify a KMS key for the destination AWS Region. KMS encryption keys are specific to the region that they're created in, and you can't use encryption keys from one region in another region.\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify `DBSecurityGroups` , AWS CloudFormation ignores this property. To specify both a security group and this property, you must use a VPC security group. For more information about Amazon RDS and VPC, see [Using Amazon RDS with Amazon VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html) in the *Amazon RDS User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. 
The KMS key identifier is managed by the DB cluster.", - "LicenseModel": "License model information for this DB instance.\n\nValid values:\n\n- Aurora MySQL - `general-public-license`\n- Aurora PostgreSQL - `postgresql-license`\n- MariaDB - `general-public-license`\n- Microsoft SQL Server - `license-included`\n- MySQL - `general-public-license`\n- Oracle - `bring-your-own-license` or `license-included`\n- PostgreSQL - `postgresql-license`\n\n> If you've specified `DBSecurityGroups` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability.", + "LicenseModel": "License model information for this DB instance.\n\nValid Values:\n\n- Aurora MySQL - `general-public-license`\n- Aurora PostgreSQL - `postgresql-license`\n- RDS for Db2 - `bring-your-own-license` . For more information about RDS for Db2 licensing, see [](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-licensing.html) in the *Amazon RDS User Guide.*\n- RDS for MariaDB - `general-public-license`\n- RDS for Microsoft SQL Server - `license-included`\n- RDS for MySQL - `general-public-license`\n- RDS for Oracle - `bring-your-own-license` or `license-included`\n- RDS for PostgreSQL - `postgresql-license`\n\n> If you've specified `DBSecurityGroups` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability.", "ManageMasterUserPassword": "Specifies whether to manage the master user password with AWS Secrets Manager.\n\nFor more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide.*\n\nConstraints:\n\n- Can't manage the master user password with AWS Secrets Manager if `MasterUserPassword` is specified.", - "MasterUserPassword": "The password for the master user. 
The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".\n\n*Amazon Aurora*\n\nNot applicable. The password for the master user is managed by the DB cluster.\n\n*MariaDB*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*Microsoft SQL Server*\n\nConstraints: Must contain from 8 to 128 characters.\n\n*MySQL*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*Oracle*\n\nConstraints: Must contain from 8 to 30 characters.\n\n*PostgreSQL*\n\nConstraints: Must contain from 8 to 128 characters.", + "MasterUserPassword": "The password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".\n\n*Amazon Aurora*\n\nNot applicable. The password for the master user is managed by the DB cluster.\n\n*RDS for Db2*\n\nMust contain from 8 to 255 characters.\n\n*RDS for MariaDB*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*RDS for Microsoft SQL Server*\n\nConstraints: Must contain from 8 to 128 characters.\n\n*RDS for MySQL*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*RDS for Oracle*\n\nConstraints: Must contain from 8 to 30 characters.\n\n*RDS for PostgreSQL*\n\nConstraints: Must contain from 8 to 128 characters.", "MasterUserSecret": "The secret managed by RDS in AWS Secrets Manager for the master user password.\n\nFor more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide.*", - "MasterUsername": "The master user name for the DB instance.\n\n> If you specify the `SourceDBInstanceIdentifier` or `DBSnapshotIdentifier` property, don't specify this property. The value is inherited from the source DB instance or snapshot. \n\n*Amazon Aurora*\n\nNot applicable. 
The name for the master user is managed by the DB cluster.\n\n*MariaDB*\n\nConstraints:\n\n- Required for MariaDB.\n- Must be 1 to 16 letters or numbers.\n- Can't be a reserved word for the chosen database engine.\n\n*Microsoft SQL Server*\n\nConstraints:\n\n- Required for SQL Server.\n- Must be 1 to 128 letters or numbers.\n- The first character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*MySQL*\n\nConstraints:\n\n- Required for MySQL.\n- Must be 1 to 16 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*Oracle*\n\nConstraints:\n\n- Required for Oracle.\n- Must be 1 to 30 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*PostgreSQL*\n\nConstraints:\n\n- Required for PostgreSQL.\n- Must be 1 to 63 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.", + "MasterUsername": "The master user name for the DB instance.\n\n> If you specify the `SourceDBInstanceIdentifier` or `DBSnapshotIdentifier` property, don't specify this property. The value is inherited from the source DB instance or snapshot.\n> \n> When migrating a self-managed Db2 database, we recommend that you use the same master username as your self-managed Db2 instance name. \n\n*Amazon Aurora*\n\nNot applicable. 
The name for the master user is managed by the DB cluster.\n\n*RDS for Db2*\n\nConstraints:\n\n- Must be 1 to 16 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for MariaDB*\n\nConstraints:\n\n- Must be 1 to 16 letters or numbers.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for Microsoft SQL Server*\n\nConstraints:\n\n- Must be 1 to 128 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for MySQL*\n\nConstraints:\n\n- Must be 1 to 16 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for Oracle*\n\nConstraints:\n\n- Must be 1 to 30 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for PostgreSQL*\n\nConstraints:\n\n- Must be 1 to 63 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.", "MaxAllocatedStorage": "The upper limit in gibibytes (GiB) to which Amazon RDS can automatically scale the storage of the DB instance.\n\nFor more information about this setting, including limitations that apply to it, see [Managing capacity automatically with Amazon RDS storage autoscaling](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.StorageTypes.html#USER_PIOPS.Autoscaling) in the *Amazon RDS User Guide* .\n\nThis setting doesn't apply to the following DB instances:\n\n- Amazon Aurora (Storage is managed by the DB cluster.)\n- RDS Custom", "MonitoringInterval": "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collection of Enhanced Monitoring metrics, specify 0. 
The default is 0.\n\nIf `MonitoringRoleArn` is specified, then you must set `MonitoringInterval` to a value other than 0.\n\nThis setting doesn't apply to RDS Custom.\n\nValid Values: `0, 1, 5, 10, 15, 30, 60`", "MonitoringRoleArn": "The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. For example, `arn:aws:iam:123456789012:role/emaccess` . For information on creating a monitoring role, see [Setting Up and Enabling Enhanced Monitoring](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html#USER_Monitoring.OS.Enabling) in the *Amazon RDS User Guide* .\n\nIf `MonitoringInterval` is set to a value other than `0` , then you must supply a `MonitoringRoleArn` value.\n\nThis setting doesn't apply to RDS Custom DB instances.", 
@@ -31223,26 +35177,26 @@ "OptionGroupName": "Indicates that the DB instance should be associated with the specified option group.\n\nPermanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group. Also, that option group can't be removed from a DB instance once it is associated with a DB instance.", "PerformanceInsightsKMSKeyId": "The AWS KMS key identifier for encryption of Performance Insights data.\n\nThe KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.\n\nIf you do not specify a value for `PerformanceInsightsKMSKeyId` , then Amazon RDS uses your default KMS key. There is a default KMS key for your AWS account. Your AWS account has a different default KMS key for each AWS Region.\n\nFor information about enabling Performance Insights, see [EnablePerformanceInsights](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableperformanceinsights) .", "PerformanceInsightsRetentionPeriod": "The number of days to retain Performance Insights data.\n\nThis setting doesn't apply to RDS Custom DB instances.\n\nValid Values:\n\n- `7`\n- *month* * 31, where *month* is a number of months from 1-23. Examples: `93` (3 months * 31), `341` (11 months * 31), `589` (19 months * 31)\n- `731`\n\nDefault: `7` days\n\nIf you specify a retention period that isn't valid, such as `94` , Amazon RDS returns an error.", - "Port": "The port number on which the database accepts connections.\n\n*Amazon Aurora*\n\nNot applicable. The port number is managed by the DB cluster.", + "Port": "The port number on which the database accepts connections.\n\n*Amazon Aurora*\n\nNot applicable. The port number is managed by the DB cluster.\n\n*Db2*\n\nDefault value: `50000`", "PreferredBackupWindow": "The daily time range during which automated backups are created if automated backups are enabled, using the `BackupRetentionPeriod` parameter. 
For more information, see [Backup Window](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupWindow) in the *Amazon RDS User Guide.*\n\nConstraints:\n\n- Must be in the format `hh24:mi-hh24:mi` .\n- Must be in Universal Coordinated Time (UTC).\n- Must not conflict with the preferred maintenance window.\n- Must be at least 30 minutes.\n\n*Amazon Aurora*\n\nNot applicable. The daily time range for creating automated backups is managed by the DB cluster.", "PreferredMaintenanceWindow": "The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).\n\nFormat: `ddd:hh24:mi-ddd:hh24:mi`\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week. To see the time blocks available, see [Adjusting the Preferred DB Instance Maintenance Window](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow) in the *Amazon RDS User Guide.*\n\n> This property applies when AWS CloudFormation initially creates the DB instance. If you use AWS CloudFormation to update the DB instance, those updates are applied immediately. \n\nConstraints: Minimum 30-minute window.", "ProcessorFeatures": "The number of CPU cores and the number of threads per core for the DB instance class of the DB instance.\n\nThis setting doesn't apply to Amazon Aurora or RDS Custom DB instances.", "PromotionTier": "The order of priority in which an Aurora Replica is promoted to the primary instance after a failure of the existing primary instance. 
For more information, see [Fault Tolerance for an Aurora DB Cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.AuroraHighAvailability.html#Aurora.Managing.FaultTolerance) in the *Amazon Aurora User Guide* .\n\nThis setting doesn't apply to RDS Custom DB instances.\n\nDefault: `1`\n\nValid Values: `0 - 15`", "PubliclyAccessible": "Indicates whether the DB instance is an internet-facing instance. If you specify true, AWS CloudFormation creates an instance with a publicly resolvable DNS name, which resolves to a public IP address. If you specify false, AWS CloudFormation creates an internal instance with a DNS name that resolves to a private IP address.\n\nThe default behavior value depends on your VPC setup and the database subnet group. For more information, see the `PubliclyAccessible` parameter in the [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html) in the *Amazon RDS API Reference* .", "ReplicaMode": "The open mode of an Oracle read replica. 
For more information, see [Working with Oracle Read Replicas for Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-read-replicas.html) in the *Amazon RDS User Guide* .\n\nThis setting is only supported in RDS for Oracle.\n\nDefault: `open-read-only`\n\nValid Values: `open-read-only` or `mounted`", - "RestoreTime": "The date and time to restore from.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n\nExample: `2009-09-07T23:45:00Z`", + "RestoreTime": "The date and time to restore from.\n\nConstraints:\n\n- Must be a time in Universal Coordinated Time (UTC) format.\n- Must be before the latest restorable time for the DB instance.\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled.\n\nExample: `2009-09-07T23:45:00Z`", "SourceDBClusterIdentifier": "The identifier of the Multi-AZ DB cluster that will act as the source for the read replica. Each DB cluster can have up to 15 read replicas.\n\nConstraints:\n\n- Must be the identifier of an existing Multi-AZ DB cluster.\n- Can't be specified if the `SourceDBInstanceIdentifier` parameter is also specified.\n- The specified DB cluster must have automatic backups enabled, that is, its backup retention period must be greater than 0.\n- The source DB cluster must be in the same AWS Region as the read replica. 
Cross-Region replication isn't supported.", - "SourceDBInstanceAutomatedBackupsArn": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:useast-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", + "SourceDBInstanceAutomatedBackupsArn": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:us-east-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", "SourceDBInstanceIdentifier": "If you want to create a read replica DB instance, specify the ID of the source DB instance. Each DB instance can have a limited number of read replicas. For more information, see [Working with Read Replicas](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/USER_ReadRepl.html) in the *Amazon RDS User Guide* .\n\nFor information about constraints that apply to DB instance identifiers, see [Naming constraints in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html#RDS_Limits.Constraints) in the *Amazon RDS User Guide* .\n\nThe `SourceDBInstanceIdentifier` property determines whether a DB instance is a read replica. If you remove the `SourceDBInstanceIdentifier` property from your template and then update your stack, AWS CloudFormation promotes the Read Replica to a standalone DB instance.\n\n> - If you specify a source DB instance that uses VPC security groups, we recommend that you specify the `VPCSecurityGroups` property. If you don't specify the property, the read replica inherits the value of the `VPCSecurityGroups` property from the source DB when you create the replica. However, if you update the stack, AWS CloudFormation reverts the replica's `VPCSecurityGroups` property to the default value because it's not defined in the stack's template. 
This change might cause unexpected issues.\n> - Read replicas don't support deletion policies. AWS CloudFormation ignores any deletion policy that's associated with a read replica.\n> - If you specify `SourceDBInstanceIdentifier` , don't specify the `DBSnapshotIdentifier` property. You can't create a read replica from a snapshot.\n> - Don't set the `BackupRetentionPeriod` , `DBName` , `MasterUsername` , `MasterUserPassword` , and `PreferredBackupWindow` properties. The database attributes are inherited from the source DB instance, and backups are disabled for read replicas.\n> - If the source DB instance is in a different region than the read replica, specify the source region in `SourceRegion` , and specify an ARN for a valid DB instance in `SourceDBInstanceIdentifier` . For more information, see [Constructing a Amazon RDS Amazon Resource Name (ARN)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html#USER_Tagging.ARN) in the *Amazon RDS User Guide* .\n> - For DB instances in Amazon Aurora clusters, don't specify this property. Amazon RDS automatically assigns writer and reader DB instances.", "SourceDbiResourceId": "The resource ID of the source DB instance from which to restore.", "SourceRegion": "The ID of the region that contains the source DB instance for the read replica.", - "StorageEncrypted": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. 
The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", + "StorageEncrypted": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", "StorageThroughput": "Specifies the storage throughput value for the DB instance. 
This setting applies only to the `gp3` storage type.\n\nThis setting doesn't apply to RDS Custom or Amazon Aurora.", "StorageType": "Specifies the storage type to be associated with the DB instance.\n\nValid values: `gp2 | gp3 | io1 | standard`\n\nThe `standard` value is also known as magnetic.\n\nIf you specify `io1` or `gp3` , you must also include a value for the `Iops` parameter.\n\nDefault: `io1` if the `Iops` parameter is specified, otherwise `gp2`\n\nFor more information, see [Amazon RDS DB Instance Storage](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html) in the *Amazon RDS User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. Aurora data is stored in the cluster volume, which is a single, virtual volume that uses solid state drives (SSDs).", "Tags": "An optional array of key-value pairs to apply to this DB instance.", "Timezone": "The time zone of the DB instance. The time zone parameter is currently supported only by [Microsoft SQL Server](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.TimeZone) .", "UseDefaultProcessorFeatures": "Specifies whether the DB instance class of the DB instance uses its default processor features.\n\nThis setting doesn't apply to RDS Custom DB instances.", - "UseLatestRestorableTime": "A value that indicates whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints: Can't be specified if the `RestoreTime` parameter is provided.", + "UseLatestRestorableTime": "Specifies whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints:\n\n- Can't be specified if the `RestoreTime` parameter is provided.", "VPCSecurityGroups": "A list of the VPC security group IDs to assign to the DB instance. 
The list can include both the physical IDs of existing VPC security groups and references to [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) resources created in the template.\n\nIf you plan to update the resource, don't specify VPC security groups in a shared VPC.\n\nIf you set `VPCSecurityGroups` , you must not set [`DBSecurityGroups`](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsecuritygroups) , and vice versa.\n\n> You can migrate a DB instance in your stack from an RDS DB security group to a VPC security group, but keep the following in mind:\n> \n> - You can't revert to using an RDS security group after you establish a VPC security group membership.\n> - When you migrate your DB instance to VPC security groups, if your stack update rolls back because the DB instance update fails or because an update fails in another AWS CloudFormation resource, the rollback fails because it can't revert to an RDS security group.\n> - To use the properties that are available when you use a VPC security group, you must recreate the DB instance. If you don't, AWS CloudFormation submits only the property values that are listed in the [`DBSecurityGroups`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsecuritygroups) property. \n\nTo avoid this situation, migrate your DB instance to using VPC security groups only when that is the only change in your stack template.\n\n*Amazon Aurora*\n\nNot applicable. The associated list of EC2 VPC security groups is managed by the DB cluster. If specified, the setting must match the DB cluster setting." }, "AWS::RDS::DBInstance CertificateDetails": { 
@@ -31266,20 +35220,28 @@ "Name": "The name of the processor feature. Valid names are `coreCount` and `threadsPerCore` .", "Value": "The value of a processor feature name." }, + "AWS::RDS::DBInstance Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBParameterGroup": { "DBParameterGroupName": "The name of the DB parameter group.\n\nConstraints:\n\n- Must be 1 to 255 letters, numbers, or hyphens.\n- First character must be a letter\n- Can't end with a hyphen or contain two consecutive hyphens\n\nIf you don't specify a value for `DBParameterGroupName` property, a name is automatically created for the DB parameter group.\n\n> This value is stored as a lowercase string.", "Description": "Provides the customer-specified description for this DB parameter group.", "Family": "The DB parameter group family name. A DB parameter group can be associated with one and only one DB parameter group family, and can be applied only to a DB instance running a DB engine and engine version compatible with that DB parameter group family.\n\n> The DB parameter group family can't be changed when updating a DB parameter group. 
\n\nTo list all of the available parameter group families, use the following command:\n\n`aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\"`\n\nThe output contains duplicates.\n\nFor more information, see `[CreateDBParameterGroup](https://docs.aws.amazon.com//AmazonRDS/latest/APIReference/API_CreateDBParameterGroup.html)` .", - "Parameters": "An array of parameter names and values for the parameter update. At least one parameter name and value must be supplied. Subsequent arguments are optional.\n\nFor more information about DB parameters and DB parameter groups for Amazon RDS DB engines, see [Working with DB Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide* .\n\nFor more information about DB cluster and DB instance parameters and parameter groups for Amazon Aurora DB engines, see [Working with DB Parameter Groups and DB Cluster Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide* .\n\n> AWS CloudFormation doesn't support specifying an apply method for each individual parameter. The default apply method for each parameter is used.", + "Parameters": "An array of parameter names and values for the parameter update. At least one parameter name and value must be supplied. Subsequent arguments are optional.\n\nRDS for Db2 requires you to bring your own Db2 license. 
You must enter your IBM customer ID ( `rds.ibm_customer_id` ) and site number ( `rds.ibm_site_id` ) before starting a Db2 instance.\n\nFor more information about DB parameters and DB parameter groups for Amazon RDS DB engines, see [Working with DB Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide* .\n\nFor more information about DB cluster and DB instance parameters and parameter groups for Amazon Aurora DB engines, see [Working with DB Parameter Groups and DB Cluster Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide* .\n\n> AWS CloudFormation doesn't support specifying an apply method for each individual parameter. The default apply method for each parameter is used.", "Tags": "An optional array of key-value pairs to apply to this DB parameter group.\n\n> Currently, this is the only property that supports drift detection." }, + "AWS::RDS::DBParameterGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBProxy": { "Auth": "The authorization mechanism that the proxy uses.", "DBProxyName": "The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region . 
An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens.", - "DebugLogging": "Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", - "EngineFamily": "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify `MYSQL` . For Aurora PostgreSQL and RDS for PostgreSQL databases, specify `POSTGRESQL` . For RDS for Microsoft SQL Server, specify `SQLSERVER` .\n\n*Valid values* : `MYSQL` | `POSTGRESQL` | `SQLSERVER`", + "DebugLogging": "Specifies whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", + "EngineFamily": "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify `MYSQL` . 
For Aurora PostgreSQL and RDS for PostgreSQL databases, specify `POSTGRESQL` . For RDS for Microsoft SQL Server, specify `SQLSERVER` .\n\n*Valid Values* : `MYSQL` | `POSTGRESQL` | `SQLSERVER`", "IdleClientTimeout": "The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database.", - "RequireTLS": "A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", + "RequireTLS": "Specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", "RoleArn": "The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager.", "Tags": "An optional set of key-value pairs to associate arbitrary data of your choosing with the proxy.", "VpcSecurityGroupIds": "One or more VPC security group IDs to associate with the new proxy.\n\nIf you plan to update the resource, don't specify VPC security groups in a shared VPC.", 
@@ -31316,10 +35278,10 @@ "TargetGroupName": "The identifier for the target group.\n\n> Currently, this property must be set to `default` ." }, "AWS::RDS::DBProxyTargetGroup ConnectionPoolConfigurationInfoFormat": { - "ConnectionBorrowTimeout": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: 120\n\nConstraints: between 1 and 3600, or 0 representing unlimited", + "ConnectionBorrowTimeout": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. For an unlimited wait time, specify `0` .\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 3600.", "InitQuery": "One or more SQL statements for the proxy to run when opening each new database connection. Typically used with `SET` statements to make sure that each connection has identical settings such as time zone and character set. For multiple statements, use semicolons as the separator. You can also include multiple variables in a single `SET` statement, such as `SET x=1, y=2` .\n\nDefault: no initialization query", - "MaxConnectionsPercent": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: 10 for RDS for Microsoft SQL Server, and 100 for all other engines\n\nConstraints: Must be between 1 and 100.", - "MaxIdleConnectionsPercent": "Controls how actively the proxy closes idle database connections in the connection pool. 
The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is 5, and for all other engines, the default is 50.\n\nConstraints: Must be between 0 and the value of `MaxConnectionsPercent` .", + "MaxConnectionsPercent": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: `10` for RDS for Microsoft SQL Server, and `100` for all other engines\n\nConstraints:\n\n- Must be between 1 and 100.", + "MaxIdleConnectionsPercent": "A value that controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . 
For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is `5` , and for all other engines, the default is `50` .\n\nConstraints:\n\n- Must be between 0 and the value of `MaxConnectionsPercent` .", "SessionPinningFilters": "Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection. Including an item in the list exempts that class of SQL operations from the pinning behavior.\n\nDefault: no session pinning filters" }, "AWS::RDS::DBSecurityGroup": { 
@@ -31334,6 +35296,10 @@ "EC2SecurityGroupName": "Name of the EC2 security group to authorize. For VPC DB security groups, `EC2SecurityGroupId` must be provided. Otherwise, `EC2SecurityGroupOwnerId` and either `EC2SecurityGroupName` or `EC2SecurityGroupId` must be provided.", "EC2SecurityGroupOwnerId": "AWS account number of the owner of the EC2 security group specified in the `EC2SecurityGroupName` parameter. The AWS access key ID isn't an acceptable value. For VPC DB security groups, `EC2SecurityGroupId` must be provided. Otherwise, `EC2SecurityGroupOwnerId` and either `EC2SecurityGroupName` or `EC2SecurityGroupId` must be provided." }, + "AWS::RDS::DBSecurityGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBSecurityGroupIngress": { "CIDRIP": "The IP range to authorize.", "DBSecurityGroupName": "The name of the DB security group to add authorization to.", 
@@ -31347,8 +35313,12 @@ "SubnetIds": "The EC2 Subnet IDs for the DB subnet group.", "Tags": "An optional array of key-value pairs to apply to this DB subnet group." }, + "AWS::RDS::DBSubnetGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::EventSubscription": { - "Enabled": "A value that indicates whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", + "Enabled": "Specifies whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", "EventCategories": "A list of event categories for a particular source type ( `SourceType` ) that you want to subscribe to. You can see a list of the categories for a given source type in the \"Amazon RDS event categories and event messages\" section of the [*Amazon RDS User Guide*](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.Messages.html) or the [*Amazon Aurora User Guide*](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Events.Messages.html) . You can also see this list by using the `DescribeEventCategories` operation.", "SnsTopicArn": "The Amazon Resource Name (ARN) of the SNS topic created for event notification. 
The ARN is created by Amazon SNS when you create a topic and subscribe to it.", "SourceIds": "The list of identifiers of the event sources for which events are returned. If not specified, then all sources are included in the response. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens. It can't end with a hyphen or contain two consecutive hyphens.\n\nConstraints:\n\n- If a `SourceIds` value is supplied, `SourceType` must also be provided.\n- If the source type is a DB instance, a `DBInstanceIdentifier` value must be supplied.\n- If the source type is a DB cluster, a `DBClusterIdentifier` value must be supplied.\n- If the source type is a DB parameter group, a `DBParameterGroupName` value must be supplied.\n- If the source type is a DB security group, a `DBSecurityGroupName` value must be supplied.\n- If the source type is a DB snapshot, a `DBSnapshotIdentifier` value must be supplied.\n- If the source type is a DB cluster snapshot, a `DBClusterSnapshotIdentifier` value must be supplied.", 
@@ -31356,6 +35326,10 @@ "SubscriptionName": "The name of the subscription.\n\nConstraints: The name must be less than 255 characters.", "Tags": "An optional array of key-value pairs to apply to this subscription." }, + "AWS::RDS::EventSubscription Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::GlobalCluster": { "DeletionProtection": "Specifies whether to enable deletion protection for the new global database cluster. The global database can't be deleted when deletion protection is enabled.", "Engine": "The database engine to use for this global database cluster.\n\nValid Values: `aurora-mysql | aurora-postgresql`\n\nConstraints:\n\n- Can't be specified if `SourceDBClusterIdentifier` is specified. In this case, Amazon Aurora uses the engine of the source DB cluster.", 
@@ -31384,6 +35358,10 @@ "Name": "The name of the option that has settings that you can set.", "Value": "The current value of the option setting." }, + "AWS::RDS::OptionGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RUM::AppMonitor": { "AppMonitorConfiguration": "A structure that contains much of the configuration data for the app monitor. If you are using Amazon Cognito for authorization, you must include this structure in your request, and it must include the ID of the Amazon Cognito identity pool to use for authorization. If you don't include `AppMonitorConfiguration` , you must set up your own authorization method. For more information, see [Authorize your application to send data to AWS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-get-started-authorization.html) .\n\nIf you omit this argument, the sample rate used for CloudWatch RUM is set to 10% of the user sessions.", "CustomEvents": "Specifies whether this app monitor allows the web client to define and send custom events. If you omit this parameter, custom events are `DISABLED` .", 
@@ -31421,6 +35399,10 @@ "IamRoleArn": "This parameter is required if `Destination` is `Evidently` . If `Destination` is `CloudWatch` , do not use this parameter.\n\nThis parameter specifies the ARN of an IAM role that RUM will assume to write to the Evidently experiment that you are sending metrics to. This role must have permission to write to that experiment.", "MetricDefinitions": "An array of structures which define the metrics that you want to send." }, + "AWS::RUM::AppMonitor Tag": { + "Key": "", + "Value": "" + }, "AWS::Redshift::Cluster": { "AllowVersionUpgrade": "If `true` , major version upgrades can be applied during the maintenance window to the Amazon Redshift engine that is running on the cluster.\n\nWhen a new major version of the Amazon Redshift engine is released, you can request that the service automatically apply upgrades during the maintenance window to the Amazon Redshift engine that is running on your cluster.\n\nDefault: `true`", "AquaConfigurationStatus": "This parameter is retired. It does not set the AQUA configuration status. Amazon Redshift automatically determines whether to use AQUA (Advanced Query Accelerator).", 
@@ -31452,15 +35434,16 @@ "LoggingProperties": "Specifies logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster.", "MaintenanceTrackName": "An optional parameter for the name of the maintenance track for the cluster. If you don't provide a maintenance track name, the cluster is assigned to the `current` track.", "ManualSnapshotRetentionPeriod": "The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots.\n\nThe value must be either -1 or an integer between 1 and 3,653.", - "MasterUserPassword": "The password associated with the admin user account for the cluster that is being created.\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", + "MasterUserPassword": "The password associated with the admin user account for the cluster that is being created.\n\nYou can't use `MasterUserPassword` if `ManageMasterPassword` is `true` .\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", "MasterUsername": "The user name associated with the admin user account for the cluster that is being created.\n\nConstraints:\n\n- Must be 1 - 128 alphanumeric characters or hyphens. 
The user name can't be `PUBLIC` .\n- Must contain only lowercase letters, numbers, underscore, plus sign, period (dot), at symbol (@), or hyphen.\n- The first character must be a letter.\n- Must not contain a colon (:) or a slash (/).\n- Cannot be a reserved word. A list of reserved words can be found in [Reserved Words](https://docs.aws.amazon.com/redshift/latest/dg/r_pg_keywords.html) in the Amazon Redshift Database Developer Guide.", + "MultiAZ": "A boolean indicating whether Amazon Redshift should deploy the cluster in two Availability Zones. The default is false.", "NodeType": "The node type to be provisioned for the cluster. For information about node types, go to [Working with Clusters](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes) in the *Amazon Redshift Cluster Management Guide* .\n\nValid Values: `ds2.xlarge` | `ds2.8xlarge` | `dc1.large` | `dc1.8xlarge` | `dc2.large` | `dc2.8xlarge` | `ra3.xlplus` | `ra3.4xlarge` | `ra3.16xlarge`", "NumberOfNodes": "The number of compute nodes in the cluster. This parameter is required when the *ClusterType* parameter is specified as `multi-node` .\n\nFor information about determining how many nodes you need, go to [Working with Clusters](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes) in the *Amazon Redshift Cluster Management Guide* .\n\nIf you don't specify this parameter, you get a single-node cluster. When requesting a multi-node cluster, you must specify the number of nodes that you want in the cluster.\n\nDefault: `1`\n\nConstraints: Value must be at least 1 and no more than 100.", "OwnerAccount": "The AWS account used to create or copy the snapshot. Required if you are restoring a snapshot you do not own, optional if you own the snapshot.", "Port": "The port number on which the cluster accepts incoming connections.\n\nThe cluster is accessible only via the JDBC and ODBC connection strings. 
Part of the connection string requires the port on which the cluster will listen for incoming connections.\n\nDefault: `5439`\n\nValid Values: `1150-65535`", "PreferredMaintenanceWindow": "The weekly time range (in UTC) during which automated cluster maintenance can occur.\n\nFormat: `ddd:hh24:mi-ddd:hh24:mi`\n\nDefault: A 30-minute window selected at random from an 8-hour block of time per region, occurring on a random day of the week. For more information about the time blocks for each region, see [Maintenance Windows](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-maintenance-windows) in Amazon Redshift Cluster Management Guide.\n\nValid Days: Mon | Tue | Wed | Thu | Fri | Sat | Sun\n\nConstraints: Minimum 30-minute window.", "PubliclyAccessible": "If `true` , the cluster can be accessed from a public network.", - "ResourceAction": "The Amazon Redshift operation to be performed. Supported operations are `pause-cluster` and `resume-cluster` .", + "ResourceAction": "The Amazon Redshift operation to be performed. Supported operations are `pause-cluster` , `resume-cluster` , and `failover-primary-compute` .", "RevisionTarget": "Describes a `RevisionTarget` object.", "RotateEncryptionKey": "Rotates the encryption keys for a cluster.", "SnapshotClusterIdentifier": "The name of the cluster the source snapshot was created from. This parameter is required if your user or role has a policy containing a snapshot resource element that specifies anything other than * for the cluster name.", 
@@ -31479,6 +35462,10 @@ "BucketName": "The name of an existing S3 bucket where the log files are to be stored.\n\nConstraints:\n\n- Must be in the same region as the cluster\n- The cluster must have read bucket and put object permissions", "S3KeyPrefix": "The prefix applied to the log file names.\n\nConstraints:\n\n- Cannot exceed 512 characters\n- Cannot contain spaces( ), double quotes (\"), single quotes ('), a backslash (\\), or control characters. The hexadecimal codes for invalid characters are:\n\n- x00 to x20\n- x22\n- x27\n- x5c\n- x7f or larger" }, + "AWS::Redshift::Cluster Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::ClusterParameterGroup": { "Description": "The description of the parameter group.", "ParameterGroupFamily": "The name of the cluster parameter group family that this cluster parameter group is compatible with. You can create a custom parameter group and then associate your cluster with it. For more information, see [Amazon Redshift parameter groups](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-parameter-groups.html) .", 
@@ -31490,10 +35477,18 @@ "ParameterName": "The name of the parameter.", "ParameterValue": "The value of the parameter. If `ParameterName` is `wlm_json_configuration` , then the maximum size of `ParameterValue` is 8000 characters." }, + "AWS::Redshift::ClusterParameterGroup Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::ClusterSecurityGroup": { "Description": "A description for the security group.", "Tags": "Specifies an arbitrary set of tags (key\u2013value pairs) to associate with this security group. Use tags to manage your resources." }, + "AWS::Redshift::ClusterSecurityGroup Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::ClusterSecurityGroupIngress": { "CIDRIP": "The IP range to be added the Amazon Redshift security group.", "ClusterSecurityGroupName": "The name of the security group to which the ingress rule is added.", @@ -31505,6 +35500,10 @@ "SubnetIds": "An array of VPC subnet IDs. A maximum of 20 subnets can be modified in a single request.", "Tags": "Specifies an arbitrary set of tags (key\u2013value pairs) to associate with this subnet group. Use tags to manage your resources." }, + "AWS::Redshift::ClusterSubnetGroup Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::EndpointAccess": { "ClusterIdentifier": "The cluster identifier of the cluster associated with the endpoint.", "EndpointName": "The name of the endpoint.", 
@@ -31543,6 +35542,10 @@ "SubscriptionName": "The name of the event subscription to be created.\n\nConstraints:\n\n- Cannot be null, empty, or blank.\n- Must contain from 1 to 255 alphanumeric characters or hyphens.\n- First character must be a letter.\n- Cannot end with a hyphen or contain two consecutive hyphens.", "Tags": "A list of tag instances." }, + "AWS::Redshift::EventSubscription Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::ScheduledAction": { "Enable": "If true, the schedule is enabled. If false, the scheduled action does not trigger. For more information about `state` of the scheduled action, see `ScheduledAction` .", "EndTime": "The end time in UTC when the schedule is no longer active. After this time, the scheduled action does not trigger.", @@ -31597,6 +35600,10 @@ "NamespaceName": "The name of the namespace. Must be between 3-64 alphanumeric characters in lowercase, and it cannot be a reserved word. A list of reserved words can be found in [Reserved Words](https://docs.aws.amazon.com//redshift/latest/dg/r_pg_keywords.html) in the Amazon Redshift Database Developer Guide.", "Status": "The status of the namespace." }, + "AWS::RedshiftServerless::Namespace Tag": { + "Key": "The key to use in the tag.", + "Value": "The value of the tag." + }, "AWS::RedshiftServerless::Workgroup": { "BaseCapacity": "The base compute capacity of the workgroup in Redshift Processing Units (RPUs).", "ConfigParameters": "A list of parameters to set for finer control over a database. Available options are `datestyle` , `enable_user_activity_logging` , `query_group` , `search_path` , and `max_query_execution_time` .", 
@@ -31624,6 +35631,10 @@ "PrivateIpAddress": "The IPv4 address of the network interface within the subnet.", "SubnetId": "The unique identifier of the subnet." }, + "AWS::RedshiftServerless::Workgroup Tag": { + "Key": "The key to use in the tag.", + "Value": "The value of the tag." + }, "AWS::RedshiftServerless::Workgroup VpcEndpoint": { "NetworkInterfaces": "One or more network interfaces of the endpoint. Also known as an interface endpoint.", "VpcEndpointId": "The connection endpoint ID for connecting to Amazon Redshift Serverless.", 
@@ -31631,7 +35642,7 @@ }, "AWS::RedshiftServerless::Workgroup Workgroup": { "BaseCapacity": "The base data warehouse capacity of the workgroup in Redshift Processing Units (RPUs).", - "ConfigParameters": "An array of parameters to set for advanced control over a database. The options are `auto_mv` , `datestyle` , `enable_case_sensitivity_identifier` , `enable_user_activity_logging` , `query_group` , , `search_path` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", + "ConfigParameters": "An array of parameters to set for advanced control over a database. The options are `auto_mv` , `datestyle` , `enable_case_sensitive_identifier` , `enable_user_activity_logging` , `query_group` , `search_path` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", "CreationDate": "The creation date of the workgroup.", "Endpoint": "The endpoint that is created from the workgroup.", "EnhancedVpcRouting": "The value that specifies whether to enable enhanced virtual private cloud (VPC) routing, which forces Amazon Redshift Serverless to route traffic through your VPC.", 
@@ -31656,12 +35667,20 @@ "EndpointType": "The type of endpoint to use for the API Gateway proxy. If no value is specified in the request, the value is set to `REGIONAL` by default.\n\nIf the value is set to `PRIVATE` in the request, this creates a private API endpoint that is isolated from the public internet. The private endpoint can only be accessed by using Amazon Virtual Private Cloud ( Amazon VPC ) interface endpoints for the Amazon API Gateway that has been granted access. For more information about creating a private connection with Refactor Spaces and interface endpoint ( AWS PrivateLink ) availability, see [Access Refactor Spaces using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/vpc-interface-endpoints.html) .", "StageName": "The name of the API Gateway stage. The name defaults to `prod` ." }, + "AWS::RefactorSpaces::Application Tag": { + "Key": "", + "Value": "" + }, "AWS::RefactorSpaces::Environment": { "Description": "A description of the environment.", "Name": "The name of the environment.", "NetworkFabricType": "The network fabric type of the environment.", "Tags": "The tags assigned to the environment." }, + "AWS::RefactorSpaces::Environment Tag": { + "Key": "", + "Value": "" + }, "AWS::RefactorSpaces::Route": { "ApplicationIdentifier": "The unique identifier of the application.", "DefaultRoute": "Configuration for the default route type.", @@ -31674,6 +35693,10 @@ "AWS::RefactorSpaces::Route DefaultRouteInput": { "ActivationState": "If set to `ACTIVE` , traffic is forwarded to this route\u2019s service after the route is created." }, + "AWS::RefactorSpaces::Route Tag": { + "Key": "", + "Value": "" + }, "AWS::RefactorSpaces::Route UriPathRouteInput": { "ActivationState": "If set to `ACTIVE` , traffic is forwarded to this route\u2019s service after the route is created.", "AppendSourcePath": "If set to `true` , this option appends the source path to the service URL endpoint.", 
@@ -31695,6 +35718,10 @@ "AWS::RefactorSpaces::Service LambdaEndpointInput": { "Arn": "The Amazon Resource Name (ARN) of the Lambda function or alias." }, + "AWS::RefactorSpaces::Service Tag": { + "Key": "", + "Value": "" + }, "AWS::RefactorSpaces::Service UrlEndpointInput": { "HealthUrl": "The health check URL of the URL endpoint type. If the URL is a public endpoint, the `HealthUrl` must also be a public endpoint. If the URL is a private endpoint inside a virtual private cloud (VPC), the health URL must also be a private endpoint, and the host must be the same as the URL.", "Url": "The URL to route traffic to. The URL must be an [rfc3986-formatted URL](https://docs.aws.amazon.com/https://datatracker.ietf.org/doc/html/rfc3986) . If the host is a domain name, the name must be resolvable over the public internet. If the scheme is `https` , the top level domain of the host must be listed in the [IANA root zone database](https://docs.aws.amazon.com/https://www.iana.org/domains/root/db) ." @@ -31703,6 +35730,10 @@ "CollectionId": "ID for the collection that you are creating.", "Tags": "A set of tags (key-value pairs) that you want to attach to the collection." }, + "AWS::Rekognition::Collection Tag": { + "Key": "", + "Value": "" + }, "AWS::Rekognition::Project": { "ProjectName": "The name of the project to create." }, 
@@ -31747,44 +35778,64 @@ "AWS::Rekognition::StreamProcessor NotificationChannel": { "Arn": "The ARN of the SNS topic that receives notifications." }, + "AWS::Rekognition::StreamProcessor Point": { + "X": "The value of the X coordinate for a point on a `Polygon` .", + "Y": "The value of the Y coordinate for a point on a `Polygon` ." + }, "AWS::Rekognition::StreamProcessor S3Destination": { "BucketName": "Describes the destination Amazon Simple Storage Service (Amazon S3) bucket name of a stream processor's exports.", "ObjectKeyPrefix": "Describes the destination Amazon Simple Storage Service (Amazon S3) object keys of a stream processor's exports." }, + "AWS::Rekognition::StreamProcessor Tag": { + "Key": "", + "Value": "" + }, "AWS::ResilienceHub::App": { "AppAssessmentSchedule": "Assessment execution schedule with 'Daily' or 'Disabled' values.", - "AppTemplateBody": "A JSON string that provides information about your application structure. To learn more about the `appTemplateBody` template, see the sample template provided in the *Examples* section.\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. 
\n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nThe name of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nThe name of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. 
For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. 
\n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", - "Description": "The optional description for an app.", - "Name": "The name for the application.", + "AppTemplateBody": "A JSON string that provides information about your application structure. 
To learn more about the `appTemplateBody` template, see the sample template in [Sample appTemplateBody template](https://docs.aws.amazon.com//resilience-hub/latest/APIReference/API_PutDraftAppVersionTemplate.html#API_PutDraftAppVersionTemplate_Examples) .\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nIdentifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nName of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. 
If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nName of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. 
\n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", + "Description": "Optional description for an application.", + "EventSubscriptions": "The list of events you would like to subscribe and get notification for. 
Currently, AWS Resilience Hub supports notifications only for *Drift detected* and *Scheduled assessment failure* events.", + "Name": "Name for the application.", + "PermissionModel": "Defines the roles and credentials that AWS Resilience Hub would use while creating the application, importing its resources, and running an assessment.", "ResiliencyPolicyArn": "The Amazon Resource Name (ARN) of the resiliency policy.", - "ResourceMappings": "An array of ResourceMapping objects.", - "Tags": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair." + "ResourceMappings": "An array of `ResourceMapping` objects.", + "Tags": "Tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair." + }, + "AWS::ResilienceHub::App EventSubscription": { + "EventType": "The type of event you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* ( `DriftDetected` ) and *Scheduled assessment failure* ( `ScheduledAssessmentFailure` ) events.", + "Name": "Unique name to identify an event subscription.", + "SnsTopicArn": "Amazon Resource Name (ARN) of the Amazon Simple Notification Service topic. The format for this ARN is: `arn:partition:sns:region:account:topic-name` . For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* guide." + }, + "AWS::ResilienceHub::App PermissionModel": { + "CrossAccountRoleArns": "Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts. These ARNs are used for querying purposes while importing resources and assessing your application.\n\n> - These ARNs are required only when your resources are in other accounts and you have different role name in these accounts. 
Else, the invoker role name will be used in the other accounts.\n> - These roles must have a trust policy with `iam:AssumeRole` permission to the invoker role in the primary account.", + "InvokerRoleName": "Existing AWS IAM role name in the primary AWS account that will be assumed by AWS Resilience Hub Service Principle to obtain a read-only access to your application resources while running an assessment.\n\n> - You must have `iam:passRole` permission for this role while creating or updating the application.\n> - Currently, `invokerRoleName` accepts only `[A-Za-z0-9_+=,.@-]` characters.", + "Type": "Defines how AWS Resilience Hub scans your resources. It can scan for the resources by using a pre-existing role in your AWS account, or by using the credentials of the current IAM user." }, "AWS::ResilienceHub::App PhysicalResourceId": { "AwsAccountId": "The AWS account that owns the physical resource.", "AwsRegion": "The AWS Region that the physical resource is located in.", - "Identifier": "The identifier of the physical resource.", + "Identifier": "Identifier of the physical resource.", "Type": "Specifies the type of physical resource identifier.\n\n- **Arn** - The resource identifier is an Amazon Resource Name (ARN) and it can identify the following list of resources:\n\n- `AWS::ECS::Service`\n- `AWS::EFS::FileSystem`\n- `AWS::ElasticLoadBalancingV2::LoadBalancer`\n- `AWS::Lambda::Function`\n- `AWS::SNS::Topic`\n- **Native** - The resource identifier is an AWS Resilience Hub -native identifier and it can identify the following list of resources:\n\n- `AWS::ApiGateway::RestApi`\n- `AWS::ApiGatewayV2::Api`\n- `AWS::AutoScaling::AutoScalingGroup`\n- `AWS::DocDB::DBCluster`\n- `AWS::DocDB::DBGlobalCluster`\n- `AWS::DocDB::DBInstance`\n- `AWS::DynamoDB::GlobalTable`\n- `AWS::DynamoDB::Table`\n- `AWS::EC2::EC2Fleet`\n- `AWS::EC2::Instance`\n- `AWS::EC2::NatGateway`\n- `AWS::EC2::Volume`\n- `AWS::ElasticLoadBalancing::LoadBalancer`\n- `AWS::RDS::DBCluster`\n- 
`AWS::RDS::DBInstance`\n- `AWS::RDS::GlobalCluster`\n- `AWS::Route53::RecordSet`\n- `AWS::S3::Bucket`\n- `AWS::SQS::Queue`" }, "AWS::ResilienceHub::App ResourceMapping": { - "EksSourceName": "", - "LogicalStackName": "The name of the CloudFormation stack this resource is mapped to.", - "MappingType": "Specifies the type of resource mapping.\n\nValid Values: CfnStack | Resource | AppRegistryApp | ResourceGroup | Terraform\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a CloudFormation stack. The name of the CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to a resource group. The name of the resource group is contained in the `resourceGroupName` property.", - "PhysicalResourceId": "The identifier of this resource.", - "ResourceName": "The name of the resource this resource is mapped to.", - "TerraformSourceName": "The short name of the Terraform source." + "EksSourceName": "Name of the Amazon Elastic Kubernetes Service cluster and namespace that this resource is mapped to when the `mappingType` is `EKS` .\n\n> This parameter accepts values in \"eks-cluster/namespace\" format.", + "LogicalStackName": "Name of the AWS CloudFormation stack this resource is mapped to when the `mappingType` is `CfnStack` .", + "MappingType": "Specifies the type of resource mapping.", + "PhysicalResourceId": "Identifier of the physical resource.", + "ResourceName": "Name of the resource that this resource is mapped to when the `mappingType` is `Resource` .", + "TerraformSourceName": "Name of the Terraform source that this resource is mapped to when the `mappingType` is `Terraform` ." 
}, "AWS::ResilienceHub::ResiliencyPolicy": { "DataLocationConstraint": "Specifies a high-level geographical location constraint for where your resilience policy data can be stored.", "Policy": "The resiliency policy.", "PolicyDescription": "The description for the policy.", "PolicyName": "The name of the policy", - "Tags": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "Tags": "Tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", "Tier": "The tier for this resiliency policy, ranging from the highest severity ( `MissionCritical` ) to lowest ( `NonCritical` )." }, "AWS::ResilienceHub::ResiliencyPolicy FailurePolicy": { - "RpoInSecs": "The Recovery Point Objective (RPO), in seconds.", - "RtoInSecs": "The Recovery Time Objective (RTO), in seconds." + "RpoInSecs": "Recovery Point Objective (RPO) in seconds.", + "RtoInSecs": "Recovery Time Objective (RTO) in seconds." }, "AWS::ResourceExplorer2::DefaultViewAssociation": { "ViewArn": "The ARN of the view to set as the default for the AWS Region and AWS account in which you call this operation. The specified view must already exist in the specified Region." 
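Review bot: The added `CrossAccountRoleArns` description under `AWS::ResilienceHub::App PermissionModel` says the cross-account roles need a trust policy with `iam:AssumeRole`, but role assumption is authorised by the STS action, so a trust policy written from this text would not permit the invoker role to assume them. The description should name `sts:AssumeRole` in place of `iam:AssumeRole`. In the same object, the `InvokerRoleName` text says "Service Principle" where "service principal" is meant. This file appears to be generated from upstream documentation, so the correction probably belongs at the source or in the generator rather than as a hand edit here.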
@@ -31796,15 +35847,16 @@ "AWS::ResourceExplorer2::View": { "Filters": "An array of strings that include search keywords, prefixes, and operators that filter the results that are returned for queries made using this view. When you use this view in a [Search](https://docs.aws.amazon.com/resource-explorer/latest/apireference/API_Search.html) operation, the filter string is combined with the search's `QueryString` parameter using a logical `AND` operator.\n\nFor information about the supported syntax, see [Search query reference for Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html) in the *AWS Resource Explorer User Guide* .\n\n> This query string in the context of this operation supports only [filter prefixes](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-filters) with optional [operators](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-operators) . It doesn't support free-form text. For example, the string `region:us* service:ec2 -tag:stage=prod` includes all Amazon EC2 resources in any AWS Region that begin with the letters `us` and are *not* tagged with a key `Stage` that has the value `prod` .", "IncludedProperties": "A list of fields that provide additional information about the view.", + "Scope": "The root ARN of the account, an organizational unit (OU), or an organization ARN. If left empty, the default is account.", "Tags": "Tag key and value pairs that are attached to the view.", "ViewName": "The name of the new view." }, - "AWS::ResourceExplorer2::View Filters": { - "FilterString": "" - }, "AWS::ResourceExplorer2::View IncludedProperty": { "Name": "The name of the property that is included in this view." 
}, + "AWS::ResourceExplorer2::View SearchFilter": { + "FilterString": "The string that contains the search keywords, prefixes, and operators to control the results that can be returned by a Search operation.\n\nFor information about the supported syntax, see [Search query reference](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html) in the *AWS Resource Explorer User Guide* .\n\n> This query string in the context of this operation supports only [filter prefixes](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-filters) with optional [operators](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-operators) . It doesn't support free-form text. For example, the string `region:us* service:ec2 -tag:stage=prod` includes all Amazon EC2 resources in any AWS Region that begin with the letters `us` and are *not* tagged with a key `Stage` that has the value `prod` ." + }, "AWS::ResourceGroups::Group": { "Configuration": "The service configuration currently associated with the resource group and in effect for the members of the resource group. A `Configuration` consists of one or more `ConfigurationItem` entries. For information about service configurations for resource groups and how to construct them, see [Service configurations for resource groups](https://docs.aws.amazon.com//ARG/latest/APIReference/about-slg.html) in the *AWS Resource Groups User Guide* .\n\n> You can include either a `Configuration` or a `ResourceQuery` , but not both.", "Description": "The description of the resource group.", 
@@ -31830,6 +35882,10 @@ "Query": "The query that defines the membership of the group. This is a structure with properties that depend on the `Type` .\n\nThe `Query` structure must be included in the following scenarios:\n\n- When the `Type` is `TAG_FILTERS_1_0` , you must specify a `Query` structure that contains a `TagFilters` list of tags. Resources with tags that match those in the `TagFilter` list become members of the resource group.\n- When the `Type` is `CLOUDFORMATION_STACK_1_0` then this field is required only when you must specify a CloudFormation stack other than the one you are defining. To do this, the `Query` structure must contain the `StackIdentifier` property. If you don't specify either a `Query` structure or a `StackIdentifier` within that `Query` , then it defaults to the CloudFormation stack that you're currently constructing.", "Type": "Specifies the type of resource query that determines this group's membership. There are two valid query types:\n\n- `TAG_FILTERS_1_0` indicates that the group is a tag-based group. To complete the group membership, you must include the `TagFilters` property to specify the tag filters to use in the query.\n- `CLOUDFORMATION_STACK_1_0` , the default, indicates that the group is a CloudFormation stack-based group. Group membership is based on the CloudFormation stack. You must specify the `StackIdentifier` property in the query to define which stack to associate the group with, or leave it empty to default to the stack where the group is defined." }, + "AWS::ResourceGroups::Group Tag": { + "Key": "", + "Value": "" + }, "AWS::ResourceGroups::Group TagFilter": { "Key": "A string that defines a tag key. Only resources in the account that are tagged with a specified tag key are members of the tag-based resource group.\n\nThis field is required when the `ResourceQuery` structure's `Type` property is `TAG_FILTERS_1_0` . 
You must specify at least one tag key.", "Values": "A list of tag values that can be included in the tag-based resource group. This is optional. If you don't specify a value or values for a key, then an AWS resource with any value for that key is a member." 
@@ -31898,36 +35954,55 @@ "CurrentRevisionId": "The current revision id for the simulation application. If you provide a value and it matches the latest revision ID, a new version will be created." }, "AWS::RolesAnywhere::CRL": { - "CrlData": "The x509 v3 specified certificate revocation list (CRL).", - "Enabled": "Specifies whether the certificate revocation list (CRL) is enabled.", - "Name": "The name of the certificate revocation list (CRL).", - "Tags": "A list of tags to attach to the certificate revocation list (CRL).", + "CrlData": "", + "Enabled": "", + "Name": "", + "Tags": "", "TrustAnchorArn": "The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for." }, + "AWS::RolesAnywhere::CRL Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::RolesAnywhere::Profile": { - "DurationSeconds": "Sets the maximum number of seconds that vended temporary credentials through [CreateSession](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html) will be valid for, between 900 and 3600.", - "Enabled": "Indicates whether the profile is enabled.", - "ManagedPolicyArns": "A list of managed policy ARNs that apply to the vended session credentials.", - "Name": "The name of the profile.", - "RequireInstanceProperties": "Specifies whether instance properties are required in temporary credential requests with this profile.", - "RoleArns": "A list of IAM role ARNs. During `CreateSession` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.", - "SessionPolicy": "A session policy that applies to the trust boundary of the vended session credentials.", - "Tags": "The tags to attach to the profile." + "DurationSeconds": "The number of seconds vended session credentials will be valid for", + "Enabled": "The enabled status of the resource.", + "ManagedPolicyArns": "A list of managed policy ARNs. 
Managed policies identified by this list will be applied to the vended session credentials.", + "Name": "The customer specified name of the resource.", + "RequireInstanceProperties": "Specifies whether instance properties are required in CreateSession requests with this profile.", + "RoleArns": "A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.", + "SessionPolicy": "A session policy that will applied to the trust boundary of the vended session credentials.", + "Tags": "A list of Tags." + }, + "AWS::RolesAnywhere::Profile Tag": { + "Key": "The tag key.", + "Value": "The tag value." }, "AWS::RolesAnywhere::TrustAnchor": { "Enabled": "Indicates whether the trust anchor is enabled.", "Name": "The name of the trust anchor.", + "NotificationSettings": "A list of notification settings to be associated to the trust anchor.", "Source": "The trust anchor type and its related certificate data.", "Tags": "The tags to attach to the trust anchor." }, + "AWS::RolesAnywhere::TrustAnchor NotificationSetting": { + "Channel": "The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge , and AWS Health Dashboard to notify for an event.\n\n> In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.", + "Enabled": "Indicates whether the notification setting is enabled.", + "Event": "The event to which this notification setting is applied.", + "Threshold": "The number of days before a notification event. This value is required for a notification setting that is enabled." + }, "AWS::RolesAnywhere::TrustAnchor Source": { - "SourceData": "The data field of the trust anchor depending on its type.", - "SourceType": "The type of the TrustAnchor.\n\n> `AWS_ACM_PCA` is not an allowed value in your region." + "SourceData": "A union object representing the data field of the TrustAnchor depending on its type", + "SourceType": "The type of the TrustAnchor." 
}, "AWS::RolesAnywhere::TrustAnchor SourceData": { "AcmPcaArn": "The root certificate of the AWS Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type `AWS_ACM_PCA` .\n\n> This field is not supported in your region.", "X509CertificateData": "The PEM-encoded data for the certificate anchor. Included for trust anchors of type `CERTIFICATE_BUNDLE` ." }, + "AWS::RolesAnywhere::TrustAnchor Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::Route53::CidrCollection": { "Locations": "A complex type that contains information about the list of CIDR locations.", "Name": "The name of a CIDR collection." 
@@ -31962,7 +36037,7 @@ "Regions": "A complex type that contains one `Region` element for each region from which you want Amazon Route 53 health checkers to check the specified endpoint.\n\nIf you don't specify any regions, Route 53 health checkers automatically performs checks from all of the regions that are listed under *Valid Values* .\n\nIf you update a health check to remove a region that has been performing health checks, Route 53 will briefly continue to perform checks from that region to ensure that some health checkers are always checking the endpoint (for example, if you replace three regions with four different regions).", "RequestInterval": "The number of seconds between the time that Amazon Route 53 gets a response from your endpoint and the time that it sends the next health check request. Each Route 53 health checker makes requests at this interval.\n\n> You can't change the value of `RequestInterval` after you create a health check. \n\nIf you don't specify a value for `RequestInterval` , the default value is `30` seconds.", "ResourcePath": "The path, if any, that you want Amazon Route 53 to request when performing health checks. The path can be any value for which your endpoint will return an HTTP status code of 2xx or 3xx when the endpoint is healthy, for example, the file /docs/route53-health-check.html. 
You can also include query string parameters, for example, `/welcome.html?language=jp&login=y` .", - "RoutingControlArn": "", + "RoutingControlArn": "The Amazon Resource Name (ARN) for the Route 53 Application Recovery Controller routing control.\n\nFor more information about Route 53 Application Recovery Controller, see [Route 53 Application Recovery Controller Developer Guide.](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route-53-recovery.html) .", "SearchString": "If the value of Type is `HTTP_STR_MATCH` or `HTTPS_STR_MATCH` , the string that you want Amazon Route 53 to search for in the response body from the specified resource. If the string appears in the response body, Route 53 considers the resource healthy.\n\nRoute 53 considers case when searching for `SearchString` in the response body.", "Type": "The type of health check that you want to create, which indicates how Amazon Route 53 determines whether an endpoint is healthy.\n\n> You can't change the value of `Type` after you create a health check. \n\nYou can create the following types of health checks:\n\n- *HTTP* : Route 53 tries to establish a TCP connection. If successful, Route 53 submits an HTTP request and waits for an HTTP status code of 200 or greater and less than 400.\n- *HTTPS* : Route 53 tries to establish a TCP connection. If successful, Route 53 submits an HTTPS request and waits for an HTTP status code of 200 or greater and less than 400.\n\n> If you specify `HTTPS` for the value of `Type` , the endpoint must support TLS v1.0 or later.\n- *HTTP_STR_MATCH* : Route 53 tries to establish a TCP connection. If successful, Route 53 submits an HTTP request and searches the first 5,120 bytes of the response body for the string that you specify in `SearchString` .\n- *HTTPS_STR_MATCH* : Route 53 tries to establish a TCP connection. 
If successful, Route 53 submits an `HTTPS` request and searches the first 5,120 bytes of the response body for the string that you specify in `SearchString` .\n- *TCP* : Route 53 tries to establish a TCP connection.\n- *CLOUDWATCH_METRIC* : The health check is associated with a CloudWatch alarm. If the state of the alarm is `OK` , the health check is considered healthy. If the state is `ALARM` , the health check is considered unhealthy. If CloudWatch doesn't have sufficient data to determine whether the state is `OK` or `ALARM` , the health check status depends on the setting for `InsufficientDataHealthStatus` : `Healthy` , `Unhealthy` , or `LastKnownStatus` .\n\n> Route 53 supports CloudWatch alarms with the following features:\n> \n> - Standard-resolution metrics. High-resolution metrics aren't supported. For more information, see [High-Resolution Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/publishingMetrics.html#high-resolution-metrics) in the *Amazon CloudWatch User Guide* .\n> - Statistics: Average, Minimum, Maximum, Sum, and SampleCount. Extended statistics aren't supported.\n- *CALCULATED* : For health checks that monitor the status of other health checks, Route 53 adds up the number of health checks that Route 53 health checkers consider to be healthy and compares that number with the value of `HealthThreshold` .\n- *RECOVERY_CONTROL* : The health check is assocated with a Route53 Application Recovery Controller routing control. If the routing control state is `ON` , the health check is considered healthy. If the state is `OFF` , the health check is considered unhealthy.\n\nFor more information, see [How Route 53 Determines Whether an Endpoint Is Healthy](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-determining-health-of-endpoints.html) in the *Amazon Route 53 Developer Guide* ." }, 
@@ -32007,7 +36082,7 @@ "HostedZoneId": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", "HostedZoneName": "The name of the hosted zone that you want to create records in. You must include a trailing dot (for example, `www.example.com.` ) as part of the `HostedZoneName` .\n\nWhen you create a stack using an AWS::Route53::RecordSet that specifies `HostedZoneName` , AWS CloudFormation attempts to find a hosted zone whose name matches the HostedZoneName. If AWS CloudFormation cannot find a hosted zone with a matching domain name, or if there is more than one hosted zone with the specified domain name, AWS CloudFormation will not create the stack.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", "MultiValueAnswer": "*Multivalue answer resource record sets only* : To route traffic approximately randomly to multiple resources, such as web servers, create one multivalue answer record for each resource and specify `true` for `MultiValueAnswer` . 
Note the following:\n\n- If you associate a health check with a multivalue answer resource record set, Amazon Route 53 responds to DNS queries with the corresponding IP address only when the health check is healthy.\n- If you don't associate a health check with a multivalue answer record, Route 53 always considers the record to be healthy.\n- Route 53 responds to DNS queries with up to eight healthy records; if you have eight or fewer healthy records, Route 53 responds to all DNS queries with all the healthy records.\n- If you have more than eight healthy records, Route 53 responds to different DNS resolvers with different combinations of healthy records.\n- When all records are unhealthy, Route 53 responds to DNS queries with up to eight unhealthy records.\n- If a resource becomes unavailable after a resolver caches a response, client software typically tries another of the IP addresses in the response.\n\nYou can't create multivalue answer alias records.", - "Name": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . 
Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "Name": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. 
For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "Region": "*Latency-based resource record sets only:* The Amazon EC2 Region where you created the resource that this resource record set refers to. The resource typically is an AWS resource, such as an EC2 instance or an ELB load balancer, and is referred to by an IP address or a DNS domain name, depending on the record type.\n\nWhen Amazon Route 53 receives a DNS query for a domain name and type for which you have created latency resource record sets, Route 53 selects the latency resource record set that has the lowest latency between the end user and the associated Amazon EC2 Region. Route 53 then returns the value that is associated with the selected resource record set.\n\nNote the following:\n\n- You can only specify one `ResourceRecord` per latency resource record set.\n- You can only create one latency resource record set for each Amazon EC2 Region.\n- You aren't required to create latency resource record sets for all Amazon EC2 Regions. Route 53 will choose the region with the best latency from among the regions that you create latency resource record sets for.\n- You can't create non-latency resource record sets that have the same values for the `Name` and `Type` elements as latency resource record sets.", "ResourceRecords": "One or more values that correspond with the value that you specified for the `Type` property. For example, if you specified `A` for `Type` , you specify one or more IP addresses in IPv4 format for `ResourceRecords` . 
For information about the format of values for each record type, see [Supported DNS Resource Record Types](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html) in the *Amazon Route 53 Developer Guide* .\n\nNote the following:\n\n- You can specify more than one value for all record types except CNAME and SOA.\n- The maximum length of a value is 4000 characters.\n- If you're creating an alias record, omit `ResourceRecords` .", "SetIdentifier": "*Resource record sets that have a routing policy other than simple:* An identifier that differentiates among multiple resource record sets that have the same combination of name and type, such as multiple weighted resource record sets named acme.example.com that have a type of A. In a group of resource record sets that have the same name and type, the value of `SetIdentifier` must be unique for each resource record set.\n\nFor information about routing policies, see [Choosing a Routing Policy](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html) in the *Amazon Route 53 Developer Guide* .", 
@@ -32055,10 +36130,10 @@ "Failover": "*Failover resource record sets only:* To configure failover, you add the `Failover` element to two resource record sets. For one resource record set, you specify `PRIMARY` as the value for `Failover` ; for the other resource record set, you specify `SECONDARY` . In addition, you include the `HealthCheckId` element and specify the health check that you want Amazon Route 53 to perform for each resource record set.\n\nExcept where noted, the following failover behaviors assume that you have included the `HealthCheckId` element in both resource record sets:\n\n- When the primary resource record set is healthy, Route 53 responds to DNS queries with the applicable value from the primary resource record set regardless of the health of the secondary resource record set.\n- When the primary resource record set is unhealthy and the secondary resource record set is healthy, Route 53 responds to DNS queries with the applicable value from the secondary resource record set.\n- When the secondary resource record set is unhealthy, Route 53 responds to DNS queries with the applicable value from the primary resource record set regardless of the health of the primary resource record set.\n- If you omit the `HealthCheckId` element for the secondary resource record set, and if the primary resource record set is unhealthy, Route 53 always responds to DNS queries with the applicable value from the secondary resource record set. 
This is true regardless of the health of the associated endpoint.\n\nYou can't create non-failover resource record sets that have the same values for the `Name` and `Type` elements as failover resource record sets.\n\nFor failover alias resource record sets, you must also include the `EvaluateTargetHealth` element and set the value to true.\n\nFor more information about configuring failover for Route 53, see the following topics in the *Amazon Route 53 Developer Guide* :\n\n- [Route 53 Health Checks and DNS Failover](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html)\n- [Configuring Failover in a Private Hosted Zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-private-hosted-zones.html)", "GeoLocation": "*Geolocation resource record sets only:* A complex type that lets you control how Amazon Route 53 responds to DNS queries based on the geographic origin of the query. For example, if you want all queries from Africa to be routed to a web server with an IP address of `192.0.2.111` , create a resource record set with a `Type` of `A` and a `ContinentCode` of `AF` .\n\n> Although creating geolocation and geolocation alias resource record sets in a private hosted zone is allowed, it's not supported. \n\nIf you create separate resource record sets for overlapping geographic regions (for example, one resource record set for a continent and one for a country on the same continent), priority goes to the smallest geographic region. 
This allows you to route most queries for a continent to one resource and to route queries for a country on that continent to a different resource.\n\nYou can't create two geolocation resource record sets that specify the same geographic location.\n\nThe value `*` in the `CountryCode` element matches all geographic locations that aren't specified in other geolocation resource record sets that have the same values for the `Name` and `Type` elements.\n\n> Geolocation works by mapping IP addresses to locations. However, some IP addresses aren't mapped to geographic locations, so even if you create geolocation resource record sets that cover all seven continents, Route 53 will receive some DNS queries from locations that it can't identify. We recommend that you create a resource record set for which the value of `CountryCode` is `*` . Two groups of queries are routed to the resource that you specify in this record: queries that come from locations for which you haven't created geolocation resource record sets and queries from IP addresses that aren't mapped to a location. If you don't create a `*` resource record set, Route 53 returns a \"no answer\" response for queries from those locations. 
\n\nYou can't create non-geolocation resource record sets that have the same values for the `Name` and `Type` elements as geolocation resource record sets.", "HealthCheckId": "If you want Amazon Route 53 to return this resource record set in response to a DNS query only when the status of a health check is healthy, include the `HealthCheckId` element and specify the ID of the applicable health check.\n\nRoute 53 determines whether a resource record set is healthy based on one of the following:\n\n- By periodically sending a request to the endpoint that is specified in the health check\n- By aggregating the status of a specified group of health checks (calculated health checks)\n- By determining the current state of a CloudWatch alarm (CloudWatch metric health checks)\n\n> Route 53 doesn't check the health of the endpoint that is specified in the resource record set, for example, the endpoint specified by the IP address in the `Value` element. When you add a `HealthCheckId` element to a resource record set, Route 53 checks the health of the endpoint that you specified in the health check. \n\nFor more information, see the following topics in the *Amazon Route 53 Developer Guide* :\n\n- [How Amazon Route 53 Determines Whether an Endpoint Is Healthy](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-determining-health-of-endpoints.html)\n- [Route 53 Health Checks and DNS Failover](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html)\n- [Configuring Failover in a Private Hosted Zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-private-hosted-zones.html)\n\n*When to Specify HealthCheckId*\n\nSpecifying a value for `HealthCheckId` is useful only when Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Route 53 to base the choice in part on the status of a health check. 
Configuring health checks makes sense only in the following configurations:\n\n- *Non-alias resource record sets* : You're checking the health of a group of non-alias resource record sets that have the same routing policy, name, and type (such as multiple weighted records named www.example.com with a type of A) and you specify health check IDs for all the resource record sets.\n\nIf the health check status for a resource record set is healthy, Route 53 includes the record among the records that it responds to DNS queries with.\n\nIf the health check status for a resource record set is unhealthy, Route 53 stops responding to DNS queries using the value for that resource record set.\n\nIf the health check status for all resource record sets in the group is unhealthy, Route 53 considers all resource record sets in the group healthy and responds to DNS queries accordingly.\n- *Alias resource record sets* : You specify the following settings:\n\n- You set `EvaluateTargetHealth` to true for an alias resource record set in a group of resource record sets that have the same routing policy, name, and type (such as multiple weighted records named www.example.com with a type of A).\n- You configure the alias resource record set to route traffic to a non-alias resource record set in the same hosted zone.\n- You specify a health check ID for the non-alias resource record set.\n\nIf the health check status is healthy, Route 53 considers the alias resource record set to be healthy and includes the alias record among the records that it responds to DNS queries with.\n\nIf the health check status is unhealthy, Route 53 stops responding to DNS queries using the alias resource record set.\n\n> The alias resource record set can also route traffic to a *group* of non-alias resource record sets that have the same routing policy, name, and type. 
In that configuration, associate health checks with all of the resource record sets in the group of non-alias resource record sets.\n\n*Geolocation Routing*\n\nFor geolocation resource record sets, if an endpoint is unhealthy, Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the entire United States, for North America, and a resource record set that has `*` for `CountryCode` is `*` , which applies to all locations. If the endpoint for the state resource record set is unhealthy, Route 53 checks for healthy resource record sets in the following order until it finds a resource record set for which the endpoint is healthy:\n\n- The United States\n- North America\n- The default resource record set\n\n*Specifying the Health Check Endpoint by Domain Name*\n\nIf your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each `HTTP` server that is serving content for `www.example.com` . For the value of `FullyQualifiedDomainName` , specify the domain name of the server (such as `us-east-2-www.example.com` ), not the name of the resource record sets ( `www.example.com` ).\n\n> Health check results will be unpredictable if you do the following:\n> \n> - Create a health check that has the same value for `FullyQualifiedDomainName` as the name of a resource record set.\n> - Associate that health check with the resource record set.", - "HostedZoneId": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", + "HostedZoneId": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. 
If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .\n\nDo not provide the `HostedZoneId` if it is already defined in `AWS::Route53::RecordSetGroup` . The creation fails if `HostedZoneId` is defined in both.", "HostedZoneName": "The name of the hosted zone that you want to create records in. You must include a trailing dot (for example, `www.example.com.` ) as part of the `HostedZoneName` .\n\nWhen you create a stack using an `AWS::Route53::RecordSet` that specifies `HostedZoneName` , AWS CloudFormation attempts to find a hosted zone whose name matches the `HostedZoneName` . If AWS CloudFormation can't find a hosted zone with a matching domain name, or if there is more than one hosted zone with the specified domain name, AWS CloudFormation will not create the stack.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", "MultiValueAnswer": "*Multivalue answer resource record sets only* : To route traffic approximately randomly to multiple resources, such as web servers, create one multivalue answer record for each resource and specify `true` for `MultiValueAnswer` . 
Note the following:\n\n- If you associate a health check with a multivalue answer resource record set, Amazon Route 53 responds to DNS queries with the corresponding IP address only when the health check is healthy.\n- If you don't associate a health check with a multivalue answer record, Route 53 always considers the record to be healthy.\n- Route 53 responds to DNS queries with up to eight healthy records; if you have eight or fewer healthy records, Route 53 responds to all DNS queries with all the healthy records.\n- If you have more than eight healthy records, Route 53 responds to different DNS resolvers with different combinations of healthy records.\n- When all records are unhealthy, Route 53 responds to DNS queries with up to eight unhealthy records.\n- If a resource becomes unavailable after a resolver caches a response, client software typically tries another of the IP addresses in the response.\n\nYou can't create multivalue answer alias records.", - "Name": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . 
Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "Name": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. 
For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "Region": "*Latency-based resource record sets only:* The Amazon EC2 Region where you created the resource that this resource record set refers to. The resource typically is an AWS resource, such as an EC2 instance or an ELB load balancer, and is referred to by an IP address or a DNS domain name, depending on the record type.\n\nWhen Amazon Route 53 receives a DNS query for a domain name and type for which you have created latency resource record sets, Route 53 selects the latency resource record set that has the lowest latency between the end user and the associated Amazon EC2 Region. Route 53 then returns the value that is associated with the selected resource record set.\n\nNote the following:\n\n- You can only specify one `ResourceRecord` per latency resource record set.\n- You can only create one latency resource record set for each Amazon EC2 Region.\n- You aren't required to create latency resource record sets for all Amazon EC2 Regions. Route 53 will choose the region with the best latency from among the regions that you create latency resource record sets for.\n- You can't create non-latency resource record sets that have the same values for the `Name` and `Type` elements as latency resource record sets.", "ResourceRecords": "Information about the records that you want to create. Each record should be in the format appropriate for the record type specified by the `Type` property. 
For information about different record types and their record formats, see [Values That You Specify When You Create or Edit Amazon Route 53 Records](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values.html) in the *Amazon Route 53 Developer Guide* .", "SetIdentifier": "*Resource record sets that have a routing policy other than simple:* An identifier that differentiates among multiple resource record sets that have the same combination of name and type, such as multiple weighted resource record sets named acme.example.com that have a type of A. In a group of resource record sets that have the same name and type, the value of `SetIdentifier` must be unique for each resource record set.\n\nFor information about routing policies, see [Choosing a Routing Policy](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html) in the *Amazon Route 53 Developer Guide* .", 
@@ -32068,16 +36143,24 @@ }, "AWS::Route53RecoveryControl::Cluster": { "Name": "Name of the cluster. You can use any non-white space character in the name except the following: & > < ' (single quote) \" (double quote) ; (semicolon).", - "Tags": "The value for a tag." + "Tags": "The tags associated with the cluster." }, "AWS::Route53RecoveryControl::Cluster ClusterEndpoint": { "Endpoint": "A cluster endpoint URL for one of the five redundant clusters that you specify to set or retrieve a routing control state.", "Region": "The AWS Region for a cluster endpoint." }, + "AWS::Route53RecoveryControl::Cluster Tag": { + "Key": "The key for a tag.", + "Value": "The value for a tag." + }, "AWS::Route53RecoveryControl::ControlPanel": { "ClusterArn": "The Amazon Resource Name (ARN) of the cluster for the control panel.", "Name": "The name of the control panel. You can use any non-white space character in the name.", - "Tags": "The value for a tag." + "Tags": "The tags associated with the control panel." + }, + "AWS::Route53RecoveryControl::ControlPanel Tag": { + "Key": "The key for a tag.", + "Value": "The value for a tag." }, "AWS::Route53RecoveryControl::RoutingControl": { "ClusterArn": "The Amazon Resource Name (ARN) of the cluster that hosts the routing control.", 
@@ -32086,11 +36169,11 @@ }, "AWS::Route53RecoveryControl::SafetyRule": { "AssertionRule": "An assertion rule enforces that, when you change a routing control state, that the criteria that you set in the rule configuration is met. Otherwise, the change to the routing control is not accepted. For example, the criteria might be that at least one routing control state is `On` after the transaction so that traffic continues to flow to at least one cell for the application. This ensures that you avoid a fail-open scenario.", - "ControlPanelArn": "The Amazon Resource Name (ARN) for the control panel.", + "ControlPanelArn": "The Amazon Resource Name (ARN) of the control panel.", "GatingRule": "A gating rule verifies that a gating routing control or set of gating routing controls, evaluates as true, based on a rule configuration that you specify, which allows a set of routing control state changes to complete.\n\nFor example, if you specify one gating routing control and you set the `Type` in the rule configuration to `OR` , that indicates that you must set the gating routing control to `On` for the rule to evaluate as true; that is, for the gating control switch to be On. When you do that, then you can update the routing control states for the target routing controls that you specify in the gating rule.", "Name": "The name of the assertion rule. The name must be unique within a control panel. You can use any non-white space character in the name except the following: & > < ' (single quote) \" (double quote) ; (semicolon)", "RuleConfig": "The criteria that you set for specific assertion controls (routing controls) that designate how many control states must be `ON` as the result of a transaction. For example, if you have three assertion controls, you might specify `ATLEAST 2` for your rule configuration. This means that at least two assertion controls must be `ON` , so that at least two AWS Regions have traffic flowing to them.", - "Tags": "The value for a tag." 
+ "Tags": "The tags associated with the safety rule." }, "AWS::Route53RecoveryControl::SafetyRule AssertionRule": { "AssertedControls": "The routing controls that are part of transactions that are evaluated to determine if a request to change a routing control state is allowed. For example, you might include three routing controls, one for each of three AWS Regions.", 
@@ -32106,21 +36189,37 @@ "Threshold": "The value of N, when you specify an `ATLEAST` rule type. That is, `Threshold` is the number of controls that must be set when you specify an `ATLEAST` type.", "Type": "A rule can be one of the following: `ATLEAST` , `AND` , or `OR` ." }, + "AWS::Route53RecoveryControl::SafetyRule Tag": { + "Key": "The key for a tag.", + "Value": "The value for a tag." + }, "AWS::Route53RecoveryReadiness::Cell": { "CellName": "The name of the cell to create.", "Cells": "A list of cell Amazon Resource Names (ARNs) contained within this cell, for use in nested cells. For example, Availability Zones within specific AWS Regions .", "Tags": "A collection of tags associated with a resource." }, + "AWS::Route53RecoveryReadiness::Cell Tag": { + "Key": "", + "Value": "" + }, "AWS::Route53RecoveryReadiness::ReadinessCheck": { "ReadinessCheckName": "The name of the readiness check to create.", "ResourceSetName": "The name of the resource set to check.", "Tags": "A collection of tags associated with a resource." }, + "AWS::Route53RecoveryReadiness::ReadinessCheck Tag": { + "Key": "", + "Value": "" + }, "AWS::Route53RecoveryReadiness::RecoveryGroup": { "Cells": "A list of the cell Amazon Resource Names (ARNs) in the recovery group.", "RecoveryGroupName": "The name of the recovery group to create.", "Tags": "A collection of tags associated with a resource." }, + "AWS::Route53RecoveryReadiness::RecoveryGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::Route53RecoveryReadiness::ResourceSet": { "ResourceSetName": "The name of the resource set to create.", "ResourceSetType": "The resource type of the resources in the resource set. 
Enter one of the following values for resource type:\n\nAWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage, AWS::AutoScaling::AutoScalingGroup, AWS::CloudWatch::Alarm, AWS::EC2::CustomerGateway, AWS::DynamoDB::Table, AWS::EC2::Volume, AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::Lambda::Function, AWS::MSK::Cluster, AWS::RDS::DBCluster, AWS::Route53::HealthCheck, AWS::SQS::Queue, AWS::SNS::Topic, AWS::SNS::Subscription, AWS::EC2::VPC, AWS::EC2::VPNConnection, AWS::EC2::VPNGateway, AWS::Route53RecoveryReadiness::DNSTargetResource.\n\nNote that AWS::Route53RecoveryReadiness::DNSTargetResource is only used for this setting. It isn't an actual AWS CloudFormation resource type.", @@ -32147,6 +36246,10 @@ "ReadinessScopes": "The recovery group Amazon Resource Name (ARN) or the cell ARN that the readiness checks for this resource set are scoped to.", "ResourceArn": "The Amazon Resource Name (ARN) of the AWS resource. This is a required setting for all `ResourceSet` `ResourceSetType` settings except `AWS::Route53RecoveryReadiness::DNSTargetResource` . Do not set this when `ResourceSetType` is set to `AWS::Route53RecoveryReadiness::DNSTargetResource` ." }, + "AWS::Route53RecoveryReadiness::ResourceSet Tag": { + "Key": "", + "Value": "" + }, "AWS::Route53RecoveryReadiness::ResourceSet TargetResource": { "NLBResource": "The Network Load Balancer resource that a DNS target resource points to.", "R53Resource": "The Route 53 resource that a DNS target resource record points to." 
@@ -32157,6 +36260,10 @@ "Name": "The name of the domain list.", "Tags": "A list of the tag keys and values that you want to associate with the domain list." }, + "AWS::Route53Resolver::FirewallDomainList Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::FirewallRuleGroup": { "FirewallRules": "A list of the rules that you have defined.", "Name": "The name of the rule group.", @@ -32171,6 +36278,10 @@ "FirewallDomainListId": "The ID of the domain list that's used in the rule.", "Priority": "The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting." }, + "AWS::Route53Resolver::FirewallRuleGroup Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::FirewallRuleGroupAssociation": { "FirewallRuleGroupId": "The unique identifier of the firewall rule group.", "MutationProtection": "If enabled, this setting disallows modification or removal of the association, to help prevent against accidentally altering DNS firewall protections.", 
@@ -32179,6 +36290,21 @@ "Tags": "A list of the tag keys and values that you want to associate with the rule group.", "VpcId": "The unique identifier of the VPC that is associated with the rule group." }, + "AWS::Route53Resolver::FirewallRuleGroupAssociation Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, + "AWS::Route53Resolver::OutpostResolver": { + "InstanceCount": "Amazon EC2 instance count for the Resolver on the Outpost.", + "Name": "Name of the Resolver.", + "OutpostArn": "The ARN (Amazon Resource Name) for the Outpost.", + "PreferredInstanceType": "The Amazon EC2 instance type. If you specify this, you must also specify a value for the `OutpostArn` .", + "Tags": "A key value pair that helps you identify a Route\u00a053 Resolver ." + }, + "AWS::Route53Resolver::OutpostResolver Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::ResolverConfig": { "AutodefinedReverseFlag": "Represents the desired status of `AutodefinedReverse` . The only supported value on creation is `DISABLE` . Deletion of this resource will return `AutodefinedReverse` to its default value of `ENABLED` .", "ResourceId": "The ID of the Amazon Virtual Private Cloud VPC that you're configuring Resolver for." 
@@ -32190,8 +36316,9 @@ "Direction": "Indicates whether the Resolver endpoint allows inbound or outbound DNS queries:\n\n- `INBOUND` : allows DNS queries to your VPC from your network\n- `OUTBOUND` : allows DNS queries from your VPC to your network", "IpAddresses": "The subnets and IP addresses in your VPC that DNS queries originate from (for outbound endpoints) or that you forward DNS queries to (for inbound endpoints). The subnet ID uniquely identifies a VPC.\n\n> Even though the minimum is 1, Route\u00a053 requires that you create at least two.", "Name": "A friendly name that lets you easily find a configuration in the Resolver dashboard in the Route 53 console.", - "OutpostArn": "", - "PreferredInstanceType": "", + "OutpostArn": "The ARN (Amazon Resource Name) for the Outpost.", + "PreferredInstanceType": "The Amazon EC2 instance type.", + "Protocols": "", "ResolverEndpointType": "The Resolver endpoint IP address type.", "SecurityGroupIds": "The ID of one or more security groups that control access to this VPC. The security group must include one or more inbound rules (for inbound endpoints) or outbound rules (for outbound endpoints). Inbound and outbound rules must allow TCP and UDP access. For inbound access, open port 53. For outbound access, open the port that you're using for DNS queries on your network.", "Tags": "Route 53 Resolver doesn't support updating tags through CloudFormation." 
@@ -32201,6 +36328,10 @@ "Ipv6": "The IPv6 address that you want to use for DNS queries.", "SubnetId": "The ID of the subnet that contains the IP address." }, + "AWS::Route53Resolver::ResolverEndpoint Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::ResolverQueryLoggingConfig": { "DestinationArn": "The ARN of the resource that you want Resolver to send query logs: an Amazon S3 bucket, a CloudWatch Logs log group, or a Kinesis Data Firehose delivery stream.", "Name": "The name of the query logging configuration." 
@@ -32217,16 +36348,58 @@ "Tags": "Tags help organize and categorize your Resolver rules. Each tag consists of a key and an optional value, both of which you define.", "TargetIps": "An array that contains the IP addresses and ports that an outbound endpoint forwards DNS queries to. Typically, these are the IP addresses of DNS resolvers on your network." }, + "AWS::Route53Resolver::ResolverRule Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::ResolverRule TargetAddress": { "Ip": "One IPv4 address that you want to forward DNS queries to.", "Ipv6": "One IPv6 address that you want to forward DNS queries to.", - "Port": "The port at `Ip` that you want to forward DNS queries to." + "Port": "The port at `Ip` that you want to forward DNS queries to.", + "Protocol": "" }, "AWS::Route53Resolver::ResolverRuleAssociation": { "Name": "The name of an association between a Resolver rule and a VPC.", "ResolverRuleId": "The ID of the Resolver rule that you associated with the VPC that is specified by `VPCId` .", "VPCId": "The ID of the VPC that you associated the Resolver rule with." }, + "AWS::S3::AccessGrant": { + "AccessGrantsLocationConfiguration": "The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access. It contains the `S3SubPrefix` field. The grant scope is the result of appending the subprefix to the location scope of the registered location.", + "AccessGrantsLocationId": "The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. 
S3 Access Grants assigns the ID `default` to the default location `s3://` and assigns an auto-generated ID to other locations that you register.", + "ApplicationArn": "The Amazon Resource Name (ARN) of an AWS IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.", + "Grantee": "The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to AWS IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.", + "Permission": "The type of access that you are granting to your S3 data, which can be set to one of the following values:\n\n- `READ` \u2013 Grant read-only access to the S3 data.\n- `WRITE` \u2013 Grant write-only access to the S3 data.\n- `READWRITE` \u2013 Grant both read and write access to the S3 data.", + "S3PrefixType": "The type of `S3SubPrefix` . The only possible value is `Object` . Pass this value if the access grant scope is an object. Do not pass this value if the access grant scope is a bucket or a bucket and a prefix.", + "Tags": "The AWS resource tags that you are adding to the access grant. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources." + }, + "AWS::S3::AccessGrant AccessGrantsLocationConfiguration": { + "S3SubPrefix": "The `S3SubPrefix` is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location `s3://` because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. 
For example, if the location scope is the default location `s3://` , the `S3SubPrefx` can be a `/*` , so the full grant scope path would be `s3:///*` . Or the `S3SubPrefx` can be `/*` , so the full grant scope path would be `s3:///*` .\n\nIf the `S3SubPrefix` includes a prefix, append the wildcard character `*` after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix." + }, + "AWS::S3::AccessGrant Grantee": { + "GranteeIdentifier": "The unique identifier of the `Grantee` . If the grantee type is `IAM` , the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111` . You can obtain this UUID from your AWS IAM Identity Center instance.", + "GranteeType": "The type of the grantee to which access has been granted. It can be one of the following values:\n\n- `IAM` - An IAM user or role.\n- `DIRECTORY_USER` - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.\n- `DIRECTORY_GROUP` - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance." + }, + "AWS::S3::AccessGrant Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, + "AWS::S3::AccessGrantsInstance": { + "IdentityCenterArn": "If you would like to associate your S3 Access Grants instance with an AWS IAM Identity Center instance, use this field to pass the Amazon Resource Name (ARN) of the AWS IAM Identity Center instance that you are associating with your S3 Access Grants instance. 
An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center.", + "Tags": "The AWS resource tags that you are adding to the S3 Access Grants instance. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources." + }, + "AWS::S3::AccessGrantsInstance Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, + "AWS::S3::AccessGrantsLocation": { + "IamRoleArn": "The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.", + "LocationScope": "The S3 URI path to the location that you are registering. The location scope can be the default S3 location `s3://` , the S3 path to a bucket, or the S3 path to a bucket and prefix. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the `engineering/` prefix or object key names that start with the `marketing/campaigns/` prefix.", + "Tags": "The AWS resource tags that you are adding to the S3 Access Grants location. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources." + }, + "AWS::S3::AccessGrantsLocation Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, "AWS::S3::AccessPoint": { "Bucket": "The name of the bucket associated with this access point.", "BucketAccountId": "The AWS account ID associated with the S3 bucket associated with this access point.", 
@@ -32246,7 +36419,7 @@ }, "AWS::S3::Bucket": { "AccelerateConfiguration": "Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see [Amazon S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html) in the *Amazon S3 User Guide* .", - "AccessControl": "A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nBe aware that the syntax for this property differs from the information provided in the *Amazon S3 User Guide* . The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.", + "AccessControl": "> This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide* . \n\nA canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nS3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. 
Use cases requiring ACLs are uncommon.\n\nThe majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html) . For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide* .", "AnalyticsConfigurations": "Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.", "BucketEncryption": "Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see [Amazon S3 Default Encryption for S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the *Amazon S3 User Guide* .", "BucketName": "A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html) . For more information, see [Rules for naming Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules) in the *Amazon S3 User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.", 
@@ -32257,7 +36430,7 @@ "LoggingConfiguration": "Settings that define where logs are stored.", "MetricsConfigurations": "Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html) .", "NotificationConfiguration": "Configuration that defines how Amazon S3 handles bucket notifications.", - "ObjectLockConfiguration": "Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .\n\n> - The `DefaultRetention` settings require both a mode and a period.\n> - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.\n> - You can only enable Object Lock for new buckets. If you want to turn on Object Lock for an existing bucket, contact AWS Support.", + "ObjectLockConfiguration": "> This operation is not supported by directory buckets. \n\nPlaces an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .\n\n> - The `DefaultRetention` settings require both a mode and a period.\n> - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. 
You cannot specify `Days` and `Years` at the same time.\n> - You can enable Object Lock for new or existing buckets. For more information, see [Configuring Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html) .", "ObjectLockEnabled": "Indicates whether this bucket has an Object Lock configuration enabled. Enable `ObjectLockEnabled` when you apply `ObjectLockConfiguration` to a bucket.", "OwnershipControls": "Configuration that defines how Amazon S3 handles Object Ownership rules.", "PublicAccessBlockConfiguration": "Configuration that defines how Amazon S3 handles public access.", @@ -32310,7 +36483,7 @@ "AWS::S3::Bucket Destination": { "BucketAccountId": "The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data.\n\n> Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes.", "BucketArn": "The Amazon Resource Name (ARN) of the bucket to which data is exported.", - "Format": "Specifies the file format used when exporting data to Amazon S3.", + "Format": "Specifies the file format used when exporting data to Amazon S3.\n\n*Allowed values* : `CSV` | `ORC` | `Parquet`", "Prefix": "The prefix to use when exporting data. The prefix is prepended to all results." }, "AWS::S3::Bucket EncryptionConfiguration": { 
@@ -32335,9 +36508,9 @@ "Enabled": "Specifies whether the inventory is enabled or disabled. If set to `True` , an inventory list is generated. If set to `False` , no inventory list is generated.", "Id": "The ID used to identify the inventory configuration.", "IncludedObjectVersions": "Object versions to include in the inventory list. If set to `All` , the list includes all the object versions, which adds the version-related fields `VersionId` , `IsLatest` , and `DeleteMarker` to the list. If set to `Current` , the list does not contain these version-related fields.", - "OptionalFields": "Contains the optional fields that are included in the inventory results.\n\n*Valid values* : `Size | LastModifiedDate | StorageClass | ETag | IsMultipartUploaded | ReplicationStatus | EncryptionStatus | ObjectLockRetainUntilDate | ObjectLockMode | ObjectLockLegalHoldStatus | IntelligentTieringAccessTier | BucketKeyStatus`", + "OptionalFields": "Contains the optional fields that are included in the inventory results.", "Prefix": "Specifies the inventory filter prefix.", - "ScheduleFrequency": "Specifies the schedule for generating inventory results.\n\n*Allowed values* : `Daily` | `Weekly`" + "ScheduleFrequency": "Specifies the schedule for generating inventory results." }, "AWS::S3::Bucket LambdaConfiguration": { "Event": "The Amazon S3 bucket event for which to invoke the AWS Lambda function. For more information, see [Supported Event Types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) in the *Amazon S3 User Guide* .", 
@@ -32349,7 +36522,8 @@ }, "AWS::S3::Bucket LoggingConfiguration": { "DestinationBucketName": "The name of the bucket where Amazon S3 should store server access log files. You can store log files in any bucket that you own. By default, logs are stored in the bucket where the `LoggingConfiguration` property is defined.", - "LogFilePrefix": "A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket." + "LogFilePrefix": "A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket.", + "TargetObjectKeyFormat": "Amazon S3 key format for log objects. Only one format, PartitionedPrefix or SimplePrefix, is allowed." }, "AWS::S3::Bucket Metrics": { "EventThreshold": "A container specifying the time threshold for emitting the `s3:Replication:OperationMissedThreshold` event.", 
@@ -32392,6 +36566,9 @@ "AWS::S3::Bucket OwnershipControlsRule": { "ObjectOwnership": "Specifies an Object Ownership rule.\n\n*Allowed values* : `BucketOwnerEnforced` | `ObjectWriter` | `BucketOwnerPreferred`" }, + "AWS::S3::Bucket PartitionedPrefix": { + "PartitionDateSource": "Specifies the partition date source for the partitioned prefix. PartitionDateSource can be EventTime or DeliveryTime." + }, "AWS::S3::Bucket PublicAccessBlockConfiguration": { "BlockPublicAcls": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", "BlockPublicPolicy": "Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.", 
@@ -32503,10 +36680,18 @@ "AWS::S3::Bucket StorageClassAnalysis": { "DataExport": "Specifies how data related to the storage class analysis for an Amazon S3 bucket should be exported." }, + "AWS::S3::Bucket Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, "AWS::S3::Bucket TagFilter": { "Key": "The tag key.", "Value": "The tag value." }, + "AWS::S3::Bucket TargetObjectKeyFormat": { + "PartitionedPrefix": "Partitioned S3 key for log objects.", + "SimplePrefix": "To use the simple format for S3 keys for log objects. To specify SimplePrefix format, set SimplePrefix to {}." + }, "AWS::S3::Bucket Tiering": { "AccessTier": "S3 Intelligent-Tiering access tier. See [Storage class for automatically optimizing frequently and infrequently accessed objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-dynamic-data-access) for a list of access tiers in the S3 Intelligent-Tiering storage class.", "Days": "The number of consecutive days of no access after which an object will be eligible to be transitioned to the corresponding tier. The minimum number of days specified for Archive Access tier must be at least 90 days and Deep Archive Access tier must be at least 180 days. The maximum can be up to 2 years (730 days)." 
@@ -32565,7 +36750,8 @@ "AdvancedCostOptimizationMetrics": "This property contains the details of account-level advanced cost optimization metrics for S3 Storage Lens.", "AdvancedDataProtectionMetrics": "This property contains the details of account-level advanced data protection metrics for S3 Storage Lens.", "BucketLevel": "This property contains the details of the account-level bucket-level configurations for Amazon S3 Storage Lens.", - "DetailedStatusCodesMetrics": "This property contains the details of account-level detailed status code metrics for S3 Storage Lens." + "DetailedStatusCodesMetrics": "This property contains the details of account-level detailed status code metrics for S3 Storage Lens.", + "StorageLensGroupLevel": "This property determines the scope of Storage Lens group data that is displayed in the Storage Lens dashboard." }, "AWS::S3::StorageLens ActivityMetrics": { "IsEnabled": "A property that indicates whether the activity metrics is enabled." 
@@ -32637,6 +36823,66 @@ "IsEnabled": "This property contains the details of whether the Amazon S3 Storage Lens configuration is enabled.", "StorageLensArn": "This property contains the details of the ARN of the S3 Storage Lens configuration. This property is read-only." }, + "AWS::S3::StorageLens StorageLensGroupLevel": { + "StorageLensGroupSelectionCriteria": "This property indicates which Storage Lens group ARNs to include or exclude in the Storage Lens group aggregation. If this value is left null, then all Storage Lens groups are selected." + }, + "AWS::S3::StorageLens StorageLensGroupSelectionCriteria": { + "Exclude": "This property indicates which Storage Lens group ARNs to exclude from the Storage Lens group aggregation.", + "Include": "This property indicates which Storage Lens group ARNs to include in the Storage Lens group aggregation." + }, + "AWS::S3::StorageLens Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, + "AWS::S3::StorageLensGroup": { + "Filter": "This property contains the criteria for the Storage Lens group data that is displayed", + "Name": "This property contains the Storage Lens group name.", + "Tags": "This property contains the AWS resource tags that you're adding to your Storage Lens group. This parameter is optional." + }, + "AWS::S3::StorageLensGroup And": { + "MatchAnyPrefix": "This property contains a list of prefixes. At least one prefix must be specified. Up to 10 prefixes are allowed.", + "MatchAnySuffix": "This property contains a list of suffixes. At least one suffix must be specified. Up to 10 suffixes are allowed.", + "MatchAnyTag": "This property contains the list of object tags. At least one object tag must be specified. 
Up to 10 object tags are allowed.", + "MatchObjectAge": "This property contains `DaysGreaterThan` and `DaysLessThan` properties to define the object age range (minimum and maximum number of days).", + "MatchObjectSize": "This property contains `BytesGreaterThan` and `BytesLessThan` to define the object size range (minimum and maximum number of Bytes)." + }, + "AWS::S3::StorageLensGroup Filter": { + "And": "This property contains the `And` logical operator, which allows multiple filter conditions to be joined for more complex comparisons of Storage Lens group data. Objects must match all of the listed filter conditions that are joined by the `And` logical operator. Only one of each filter condition is allowed.", + "MatchAnyPrefix": "This property contains a list of prefixes. At least one prefix must be specified. Up to 10 prefixes are allowed.", + "MatchAnySuffix": "This property contains a list of suffixes. At least one suffix must be specified. Up to 10 suffixes are allowed.", + "MatchAnyTag": "This property contains the list of S3 object tags. At least one object tag must be specified. Up to 10 object tags are allowed.", + "MatchObjectAge": "This property contains `DaysGreaterThan` and `DaysLessThan` to define the object age range (minimum and maximum number of days).", + "MatchObjectSize": "This property contains `BytesGreaterThan` and `BytesLessThan` to define the object size range (minimum and maximum number of Bytes).", + "Or": "This property contains the `Or` logical operator, which allows multiple filter conditions to be joined. Objects can match any of the listed filter conditions, which are joined by the `Or` logical operator. Only one of each filter condition is allowed." + }, + "AWS::S3::StorageLensGroup MatchObjectAge": { + "DaysGreaterThan": "This property indicates the minimum object age in days.", + "DaysLessThan": "This property indicates the maximum object age in days." 
+ }, + "AWS::S3::StorageLensGroup MatchObjectSize": { + "BytesGreaterThan": "This property specifies the minimum object size in bytes. The value must be a positive number, greater than 0 and less than 5 TB.", + "BytesLessThan": "This property specifies the maximum object size in bytes. The value must be a positive number, greater than the minimum object size and less than 5 TB." + }, + "AWS::S3::StorageLensGroup Or": { + "MatchAnyPrefix": "This property contains a list of prefixes. At least one prefix must be specified. Up to 10 prefixes are allowed.", + "MatchAnySuffix": "This property contains the list of suffixes. At least one suffix must be specified. Up to 10 suffixes are allowed.", + "MatchAnyTag": "This property contains the list of S3 object tags. At least one object tag must be specified. Up to 10 object tags are allowed.", + "MatchObjectAge": "This property filters objects that match the specified object age range.", + "MatchObjectSize": "This property contains the `BytesGreaterThan` and `BytesLessThan` values to define the object size range (minimum and maximum number of Bytes)." + }, + "AWS::S3::StorageLensGroup Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, + "AWS::S3Express::BucketPolicy": { + "Bucket": "The name of the S3 directory bucket to which the policy applies.", + "PolicyDocument": "A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. 
For more information, see the AWS::IAM::Policy [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument) resource description in this guide and [Policies and Permissions in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html) in the *Amazon S3 User Guide* ." + }, + "AWS::S3Express::DirectoryBucket": { + "BucketName": "A name for the bucket. The bucket name must contain only lowercase letters, numbers, and hyphens (-). A directory bucket name must be unique in the chosen Availability Zone. The bucket name must also follow the format `*bucket_base_name* -- *az_id* --x-s3` (for example, `*DOC-EXAMPLE-BUCKET* -- *usw2-az1* --x-s3` ). If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. For information about bucket naming restrictions, see [Directory bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html) in the *Amazon S3 User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.", + "DataRedundancy": "The number of Availability Zone that's used for redundancy for the bucket.", + "LocationName": "The name of the location where the bucket will be created.\n\nFor directory buckets, the name of the location is the AZ ID of the Availability Zone where the bucket will be created. An example AZ ID value is `usw2-az1` ." + }, "AWS::S3ObjectLambda::AccessPoint": { "Name": "The name of this access point.", "ObjectLambdaConfiguration": "A configuration used when creating an Object Lambda Access Point." 
@@ -32658,9 +36904,6 @@ "SupportingAccessPoint": "Standard access point associated with the Object Lambda Access Point.", "TransformationConfigurations": "A container for transformation configurations for an Object Lambda Access Point." }, - "AWS::S3ObjectLambda::AccessPoint PolicyStatus": { - "IsPublic": "" - }, "AWS::S3ObjectLambda::AccessPoint PublicAccessBlockConfiguration": { "BlockPublicAcls": "Specifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. Setting this element to `TRUE` causes the following behavior:\n\n- `PutBucketAcl` and `PutObjectAcl` calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.\n\nThis property is not supported for Amazon S3 on Outposts.", "BlockPublicPolicy": "Specifies whether Amazon S3 should block public bucket policies for buckets in this account. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.\n\nThis property is not supported for Amazon S3 on Outposts.", 
@@ -32682,7 +36925,7 @@ "VpcConfiguration": "The virtual private cloud (VPC) configuration for this access point, if one exists." }, "AWS::S3Outposts::AccessPoint VpcConfiguration": { - "VpcId": "The ID of the VPC configuration." + "VpcId": "" }, "AWS::S3Outposts::Bucket": { "BucketName": "A name for the S3 on Outposts bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html) . For more information, see [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html#bucketnamingrules) .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.", 
@@ -32714,9 +36957,13 @@ "ExpirationDate": "Specifies the expiration for the lifecycle of the object by specifying an expiry date.", "ExpirationInDays": "Specifies the expiration for the lifecycle of the object in the form of days that the object has been in the S3 on Outposts bucket.", "Filter": "The container for the filter of the lifecycle rule.", - "Id": "The unique identifier for the lifecycle rule. The value can't be longer than 255 characters.", + "Id": "", "Status": "If `Enabled` , the rule is currently being applied. If `Disabled` , the rule is not currently being applied." }, + "AWS::S3Outposts::Bucket Tag": { + "Key": "", + "Value": "" + }, "AWS::S3Outposts::BucketPolicy": { "Bucket": "The name of the Amazon S3 Outposts bucket to which the policy applies.", "PolicyDocument": "A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation, you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument) resource description in this guide and [Access Policy Language Overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html) ." 
@@ -32724,14 +36971,14 @@ "AWS::S3Outposts::Endpoint": { "AccessType": "The container for the type of connectivity used to access the Amazon S3 on Outposts endpoint. To use the Amazon VPC , choose `Private` . To use the endpoint with an on-premises network, choose `CustomerOwnedIp` . If you choose `CustomerOwnedIp` , you must also provide the customer-owned IP address pool (CoIP pool).\n\n> `Private` is the default access type value.", "CustomerOwnedIpv4Pool": "The ID of the customer-owned IPv4 address pool (CoIP pool) for the endpoint. IP addresses are allocated from this pool for the endpoint.", - "FailedReason": "", + "FailedReason": "The failure reason, if any, for a create or delete endpoint operation.", "OutpostId": "The ID of the Outpost.", - "SecurityGroupId": "The ID of the security group to use with the endpoint.", - "SubnetId": "The ID of the subnet." + "SecurityGroupId": "The ID of the security group used for the endpoint.", + "SubnetId": "The ID of the subnet used for the endpoint." }, "AWS::S3Outposts::Endpoint FailedReason": { - "ErrorCode": "", - "Message": "" + "ErrorCode": "The failure code, if any, for a create or delete endpoint operation.", + "Message": "Additional error details describing the endpoint failure and recommended action." }, "AWS::S3Outposts::Endpoint NetworkInterface": { "NetworkInterfaceId": "The ID for the network interface." @@ -32807,6 +37054,10 @@ "Tags": "The tags associated with a contact list.", "Topics": "An interest group, theme, or label within a list. A contact list can have multiple topics." }, + "AWS::SES::ContactList Tag": { + "Key": "", + "Value": "" + }, "AWS::SES::ContactList Topic": { "DefaultSubscriptionStatus": "The default subscription status to be applied to a contact if the contact has not noted their preference for subscribing to a topic.", "Description": "A description of what the topic is about, which the contact will see.", 
@@ -32941,12 +37192,15 @@ "RawMessageDelivery": "When set to `true` , enables raw message delivery. Raw messages don't contain any JSON formatting and can be sent to Amazon SQS and HTTP/S endpoints. For more information, see `[GetSubscriptionAttributes](https://docs.aws.amazon.com/sns/latest/api/API_GetSubscriptionAttributes.html)` in the *Amazon SNS API Reference* .", "RedrivePolicy": "When specified, sends undeliverable messages to the specified Amazon SQS dead-letter queue. Messages that can't be delivered due to client errors (for example, when the subscribed endpoint is unreachable) or server errors (for example, when the service that powers the subscribed endpoint becomes unavailable) are held in the dead-letter queue for further analysis or reprocessing.\n\nFor more information about the redrive policy and dead-letter queues, see [Amazon SQS dead-letter queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html) in the *Amazon SQS Developer Guide* .", "Region": "For cross-region subscriptions, the region in which the topic resides.\n\nIf no region is specified, AWS CloudFormation uses the region of the caller as the default.\n\nIf you perform an update operation that only updates the `Region` property of a `AWS::SNS::Subscription` resource, that operation will fail unless you are either:\n\n- Updating the `Region` from `NULL` to the caller region.\n- Updating the `Region` from the caller region to `NULL` .", + "ReplayPolicy": "", "SubscriptionRoleArn": "This property applies only to Amazon Kinesis Data Firehose delivery stream subscriptions. Specify the ARN of the IAM role that has the following:\n\n- Permission to write to the Amazon Kinesis Data Firehose delivery stream\n- Amazon SNS listed as a trusted entity\n\nSpecifying a valid ARN for this attribute is required for Kinesis Data Firehose delivery stream subscriptions. 
For more information, see [Fanout to Amazon Kinesis Data Firehose delivery streams](https://docs.aws.amazon.com/sns/latest/dg/sns-firehose-as-subscriber.html) in the *Amazon SNS Developer Guide.*", "TopicArn": "The ARN of the topic to subscribe to." }, "AWS::SNS::Topic": { + "ArchivePolicy": "The archive policy determines the number of days Amazon SNS retains messages. You can set a retention period from 1 to 365 days.", "ContentBasedDeduplication": "Enables content-based deduplication for FIFO topics.\n\n- By default, `ContentBasedDeduplication` is set to `false` . If you create a FIFO topic and this attribute is `false` , you must specify a value for the `MessageDeduplicationId` parameter for the [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) action.\n- When you set `ContentBasedDeduplication` to `true` , Amazon SNS uses a SHA-256 hash to generate the `MessageDeduplicationId` using the body of the message (but not the attributes of the message).\n\n(Optional) To override the generated value, you can specify a value for the the `MessageDeduplicationId` parameter for the `Publish` action.", "DataProtectionPolicy": "The body of the policy document you want to use for this topic.\n\nYou can only add one policy per topic.\n\nThe policy must be in JSON string format.\n\nLength Constraints: Maximum length of 30,720.", + "DeliveryStatusLogging": "The `DeliveryStatusLogging` configuration enables you to log the delivery status of messages sent from your Amazon SNS topic to subscribed endpoints with the following supported delivery protocols:\n\n- HTTP\n- Amazon Kinesis Data Firehose\n- AWS Lambda\n- Platform application endpoint\n- Amazon Simple Queue Service\n\nOnce configured, log entries are sent to Amazon CloudWatch Logs.", "DisplayName": "The display name to use for an Amazon SNS topic with SMS subscriptions. 
The display name must be maximum 100 characters long, including hyphens (-), underscores (_), spaces, and tabs.", "FifoTopic": "Set to true to create a FIFO topic.", "KmsMasterKeyId": "The ID of an AWS managed customer master key (CMK) for Amazon SNS or a custom CMK. For more information, see [Key terms](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms) . For more examples, see `[KeyId](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html#API_DescribeKey_RequestParameters)` in the *AWS Key Management Service API Reference* .\n\nThis property applies only to [server-side-encryption](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html) .", 
@@ -32954,12 +37208,26 @@ "Subscription": "The Amazon SNS subscriptions (endpoints) for this topic.\n\n> If you specify the `Subscription` property in the `AWS::SNS::Topic` resource and it creates an associated subscription resource, the associated subscription is not deleted when the `AWS::SNS::Topic` resource is deleted.", "Tags": "The list of tags to add to a new topic.\n\n> To be able to tag a topic on creation, you must have the `sns:CreateTopic` and `sns:TagResource` permissions.", "TopicName": "The name of the topic you want to create. Topic names must include only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens, and must be between 1 and 256 characters long. FIFO topic names must end with `.fifo` .\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the topic name. For more information, see [Name type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", - "TracingConfig": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an SNS publisher to its subscriptions. If set to `Active` , SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics." + "TracingConfig": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an Amazon SNS publisher to its subscriptions. If set to `Active` , Amazon SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true." 
+ }, + "AWS::SNS::Topic LoggingConfig": { + "FailureFeedbackRoleArn": "The IAM role ARN to be used when logging failed message deliveries in Amazon CloudWatch.", + "Protocol": "Indicates one of the supported protocols for the Amazon SNS topic.\n\n> At least one of the other three `LoggingConfig` properties is recommend along with `Protocol` .", + "SuccessFeedbackRoleArn": "The IAM role ARN to be used when logging successful message deliveries in Amazon CloudWatch.", + "SuccessFeedbackSampleRate": "The percentage of successful message deliveries to be logged in Amazon CloudWatch. Valid percentage values range from 0 to 100." }, "AWS::SNS::Topic Subscription": { "Endpoint": "The endpoint that receives notifications from the Amazon SNS topic. The endpoint value depends on the protocol that you specify. For more information, see the `Endpoint` parameter of the `[Subscribe](https://docs.aws.amazon.com/sns/latest/api/API_Subscribe.html)` action in the *Amazon SNS API Reference* .", "Protocol": "The subscription's protocol. For more information, see the `Protocol` parameter of the `[Subscribe](https://docs.aws.amazon.com/sns/latest/api/API_Subscribe.html)` action in the *Amazon SNS API Reference* ." }, + "AWS::SNS::Topic Tag": { + "Key": "The required key portion of the tag.", + "Value": "The optional value portion of the tag." + }, + "AWS::SNS::TopicInlinePolicy": { + "PolicyDocument": "A policy document that contains permissions to add to the specified Amazon SNS topic.", + "TopicArn": "The Amazon Resource Name (ARN) of the topic to which you want to add the policy." + }, "AWS::SNS::TopicPolicy": { "PolicyDocument": "A policy document that contains permissions to add to the specified SNS topics.", "Topics": "The Amazon Resource Names (ARN) of the topics to which you want to add the policy. 
You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html)` resource." 
@@ -32978,10 +37246,18 @@ "ReceiveMessageWaitTimeSeconds": "Specifies the duration, in seconds, that the ReceiveMessage action call waits until a message is in the queue in order to include it in the response, rather than returning an empty response if a message isn't yet available. You can specify an integer from 1 to 20. Short polling is used as the default or when you specify 0 for this property. For more information, see [Consuming messages using long polling](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-short-and-long-polling.html#sqs-long-polling) in the *Amazon SQS Developer Guide* .", "RedriveAllowPolicy": "The string that includes the parameters for the permissions for the dead-letter queue redrive permission and which source queues can specify dead-letter queues as a JSON object. The parameters are as follows:\n\n- `redrivePermission` : The permission type that defines which source queues can specify the current queue as the dead-letter queue. Valid values are:\n\n- `allowAll` : (Default) Any source queues in this AWS account in the same Region can specify this queue as the dead-letter queue.\n- `denyAll` : No source queues can specify this queue as the dead-letter queue.\n- `byQueue` : Only queues specified by the `sourceQueueArns` parameter can specify this queue as the dead-letter queue.\n- `sourceQueueArns` : The Amazon Resource Names (ARN)s of the source queues that can specify this queue as the dead-letter queue and redrive messages. You can specify this parameter only when the `redrivePermission` parameter is set to `byQueue` . You can specify up to 10 source queue ARNs. To allow more than 10 source queues to specify dead-letter queues, set the `redrivePermission` parameter to `allowAll` .", "RedrivePolicy": "The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. 
The parameters are as follows:\n\n- `deadLetterTargetArn` : The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of `maxReceiveCount` is exceeded.\n- `maxReceiveCount` : The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the `ReceiveCount` for a message exceeds the `maxReceiveCount` for a queue, Amazon SQS moves the message to the dead-letter-queue.\n\n> The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue. \n\n*JSON*\n\n`{ \"deadLetterTargetArn\" : *String* , \"maxReceiveCount\" : *Integer* }`\n\n*YAML*\n\n`deadLetterTargetArn : *String*`\n\n`maxReceiveCount : *Integer*`", - "SqsManagedSseEnabled": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ).", + "SqsManagedSseEnabled": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ). When `SqsManagedSseEnabled` is not defined, `SSE-SQS` encryption is enabled by default.", "Tags": "The tags that you attach to this queue. 
For more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .", "VisibilityTimeout": "The length of time during which a message will be unavailable after a message is delivered from the queue. This blocks other components from receiving the same message and gives the initial component time to process and delete the message from the queue.\n\nValues must be from 0 to 43,200 seconds (12 hours). If you don't specify a value, AWS CloudFormation uses the default value of 30 seconds.\n\nFor more information about Amazon SQS queue visibility timeouts, see [Visibility timeout](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html) in the *Amazon SQS Developer Guide* ." }, + "AWS::SQS::Queue Tag": { + "Key": "", + "Value": "" + }, + "AWS::SQS::QueueInlinePolicy": { + "PolicyDocument": "A policy document that contains the permissions for the specified Amazon SQS queues. For more information about Amazon SQS policies, see [Using custom policies with the Amazon SQS access policy language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon SQS Developer Guide* .", + "Queue": "The URLs of the queues to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)` resource." + }, "AWS::SQS::QueuePolicy": { "PolicyDocument": "A policy document that contains the permissions for the specified Amazon SQS queues. 
For more information about Amazon SQS policies, see [Using custom policies with the Amazon SQS access policy language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon SQS Developer Guide* .", "Queues": "The URLs of the queues to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)` resource." 
@@ -32998,12 +37274,12 @@ "MaxErrors": "The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set `MaxError` to 10%, then the system stops sending the request when the sixth error is received.\n\nExecutions that are already running an association when `MaxErrors` is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set `MaxConcurrency` to 1 so that executions proceed one at a time.", "Name": "The name of the SSM document that contains the configuration information for the instance. You can specify `Command` or `Automation` documents. The documents can be AWS -predefined documents, documents you created, or a document that is shared with you from another account. For SSM documents that are shared with you from other AWS accounts , you must specify the complete SSM document ARN, in the following format:\n\n`arn:partition:ssm:region:account-id:document/document-name`\n\nFor example: `arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document`\n\nFor AWS -predefined documents and SSM documents you created in your account, you only need to specify the document name. 
For example, `AWS -ApplyPatchBaseline` or `My-Document` .", "OutputLocation": "An Amazon Simple Storage Service (Amazon S3) bucket where you want to store the output details of the request.", - "Parameters": "The parameters for the runtime configuration of the document.", + "ParameterValues": "A description of the parameters for a document.", "ScheduleExpression": "A cron expression that specifies a schedule when the association runs. The schedule runs in Coordinated Universal Time (UTC).", "ScheduleOffset": "Number of days to wait after the scheduled day to run an association.", "SyncCompliance": "The mode for generating association compliance. You can specify `AUTO` or `MANUAL` . In `AUTO` mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is `COMPLIANT` . If the association execution doesn't run successfully, the association is `NON-COMPLIANT` .\n\nIn `MANUAL` mode, you must specify the `AssociationId` as a parameter for the PutComplianceItems API action. In this case, compliance data is not managed by State Manager. It is managed by your direct call to the PutComplianceItems API action.\n\nBy default, all associations use `AUTO` mode.", "Targets": "The targets for the association. You must specify the `InstanceId` or `Targets` property. You can target all instances in an AWS account by specifying the `InstanceIds` key with a value of `*` . To view a JSON and a YAML example that targets all instances, see \"Create an association for all managed instances in an AWS account \" on the Examples page.", - "WaitForSuccessTimeoutSeconds": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails." 
+ "WaitForSuccessTimeoutSeconds": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.\n\n> When you specify a value for the `WaitForSuccessTimeoutSeconds` , [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html) for your AWS CloudFormation stack\u2019s configuration might yield inaccurate results. If drift detection is important in your scenario, we recommend that you don\u2019t include `WaitForSuccessTimeoutSeconds` in your template." }, "AWS::SSM::Association InstanceAssociationOutputLocation": { "S3Location": "`S3OutputLocation` is a property of the [InstanceAssociationOutputLocation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-association-instanceassociationoutputlocation.html) property that specifies an Amazon S3 bucket where you want to store the results of this request." 
@@ -33021,7 +37297,7 @@ "Attachments": "A list of key-value pairs that describe attachments to a version of a document.", "Content": "The content for the new SSM document in JSON or YAML. For more information about the schemas for SSM document content, see [SSM document schema features and examples](https://docs.aws.amazon.com/systems-manager/latest/userguide/document-schemas-features.html) in the *AWS Systems Manager User Guide* .\n\n> This parameter also supports `String` data types.", "DocumentFormat": "Specify the document format for the request. JSON is the default format.", - "DocumentType": "The type of document to create.\n\n*Allowed Values* : `ApplicationConfigurationSchema` | `Automation` | `Automation.ChangeTemplate` | `Command` | `DeploymentStrategy` | `Package` | `Policy` | `Session`", + "DocumentType": "The type of document to create.", "Name": "A name for the SSM document.\n\n> You can't use the following strings as document name prefixes. These are reserved by AWS for use as document name prefixes:\n> \n> - `aws`\n> - `amazon`\n> - `amzn`", "Requires": "A list of SSM documents required by a document. This parameter is used exclusively by AWS AppConfig . When a user creates an AWS AppConfig configuration in an SSM document, the user must also specify a required document for validation purposes. In this case, an `ApplicationConfiguration` document requires an `ApplicationConfigurationSchema` document for validation purposes. For more information, see [What is AWS AppConfig ?](https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html) in the *AWS AppConfig User Guide* .", "Tags": "AWS CloudFormation resource tags to apply to the document. Use tags to help you identify and categorize resources.", 
@@ -33038,6 +37314,10 @@ "Name": "The name of the required SSM document. The name can be an Amazon Resource Name (ARN).", "Version": "The document version required by the current document." }, + "AWS::SSM::Document Tag": { + "Key": "The name of the tag.", + "Value": "The value of the tag." + }, "AWS::SSM::MaintenanceWindow": { "AllowUnassociatedTargets": "Enables a maintenance window task to run on managed instances, even if you have not registered those instances as targets. If enabled, then you must specify the unregistered instances (by instance ID) when you register a task with the maintenance window.", "Cutoff": "The number of hours before the end of the maintenance window that AWS Systems Manager stops scheduling new tasks for execution.", @@ -33051,6 +37331,10 @@ "StartDate": "The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. StartDate allows you to delay activation of the Maintenance Window until the specified future date.", "Tags": "Optional metadata that you assign to a resource in the form of an arbitrary set of tags (key-value pairs). Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a maintenance window to identify the type of tasks it will run, the types of targets, and the environment it will run in." }, + "AWS::SSM::MaintenanceWindow Tag": { + "Key": "The name of the tag.", + "Value": "The value of the tag." + }, "AWS::SSM::MaintenanceWindowTarget": { "Description": "A description for the target.", "Name": "The name for the maintenance window target.", 
@@ -33137,7 +37421,7 @@ "Policies": "Information about the policies assigned to a parameter.\n\n[Assigning parameter policies](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-policies.html) in the *AWS Systems Manager User Guide* .", "Tags": "Optional metadata that you assign to a resource in the form of an arbitrary set of tags (key-value pairs). Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a Systems Manager parameter to identify the type of resource to which it applies, the environment, or the type of configuration data referenced by the parameter.", "Tier": "The parameter tier.", - "Type": "The type of parameter.\n\n> AWS CloudFormation doesn't support creating a `SecureString` parameter type. \n\n*Allowed Values* : String | StringList", + "Type": "The type of parameter.\n\n> Although `SecureString` is included in the list of valid values, AWS CloudFormation does *not* current support creating a `SecureString` parameter type.", "Value": "The parameter value.\n\n> If type is `StringList` , the system returns a comma-separated string with no spaces between commas in the `Value` field." }, "AWS::SSM::PatchBaseline": { 
@@ -33167,7 +37451,6 @@ "Name": "The name specified to identify the patch source.", "Products": "The specific operating system versions a patch repository applies to, such as \"Ubuntu16.04\", \"AmazonLinux2016.09\", \"RedhatEnterpriseLinux7.2\" or \"Suse12.7\". For lists of supported product values, see [PatchFilter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html) in the *AWS Systems Manager API Reference* ." }, - "AWS::SSM::PatchBaseline PatchStringDate": {}, "AWS::SSM::PatchBaseline Rule": { "ApproveAfterDays": "The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of `7` means that patches are approved seven days after they are released.\n\nYou must specify a value for `ApproveAfterDays` .\n\nException: Not supported on Debian Server or Ubuntu Server.", "ApproveUntilDate": "The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Not supported on Debian Server or Ubuntu Server.\n\nEnter dates in the format `YYYY-MM-DD` . For example, `2021-12-31` .", @@ -33178,6 +37461,10 @@ "AWS::SSM::PatchBaseline RuleGroup": { "PatchRules": "The rules that make up the rule group." }, + "AWS::SSM::PatchBaseline Tag": { + "Key": "The name of the tag.", + "Value": "The value of the tag." + }, "AWS::SSM::ResourceDataSync": { "BucketName": "The name of the S3 bucket where the aggregated data is stored.", "BucketPrefix": "An Amazon S3 prefix for the bucket.", 
@@ -33185,7 +37472,6 @@ "KMSKeyArn": "The ARN of an encryption key for a destination in Amazon S3 . You can use a KMS key to encrypt inventory data in Amazon S3 . You must specify a key that exist in the same region as the destination Amazon S3 bucket.", "S3Destination": "Configuration information for the target S3 bucket.", "SyncFormat": "A supported sync format. The following format is currently supported: JsonSerDe", - "SyncName": "A name for the resource data sync.", "SyncSource": "Information about the source where the data was synchronized.", "SyncType": "The type of resource data sync. If `SyncType` is `SyncToDestination` , then the resource data sync synchronizes data to an S3 bucket. If the `SyncType` is `SyncFromSource` then the resource data sync synchronizes data from AWS Organizations or from multiple AWS Regions ." }, @@ -33289,6 +37575,10 @@ "CoverageTimes": "The start and end times of the shift.", "DayOfWeek": "A list of days on which the schedule is active." }, + "AWS::SSMContacts::Rotation Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, "AWS::SSMContacts::Rotation WeeklySetting": { "DayOfWeek": "The day of the week when weekly recurring on-call shift rotations begins.", "HandOffTime": "The time of day when a weekly recurring on-call shift rotation begins." @@ -33305,6 +37595,10 @@ "RegionConfiguration": "Specifies the Region configuration.", "RegionName": "Specifies the region name to add to the replication set." }, + "AWS::SSMIncidents::ReplicationSet Tag": { + "Key": "", + "Value": "" + }, "AWS::SSMIncidents::ResponsePlan": { "Actions": "The actions that the response plan starts at the beginning of an incident.", "ChatChannel": "The AWS Chatbot chat channel used for collaboration during an incident.", 
@@ -33362,6 +37656,10 @@ "Key": "The key parameter to use when running the automation document.", "Values": "The value parameter to use when running the automation document." }, + "AWS::SSMIncidents::ResponsePlan Tag": { + "Key": "", + "Value": "" + }, "AWS::SSO::Assignment": { "InstanceArn": "The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .", "PermissionSetArn": "The ARN of the permission set.", @@ -33401,9 +37699,13 @@ "CustomerManagedPolicyReference": "Specifies the name and path of a customer managed policy. You must have an IAM policy that matches the name and path in each AWS account where you want to deploy your permission set.", "ManagedPolicyArn": "The AWS managed policy ARN that you want to attach to a permission set as a permissions boundary." }, + "AWS::SSO::PermissionSet Tag": { + "Key": "The key for the tag.", + "Value": "The value of the tag." + }, "AWS::SageMaker::App": { "AppName": "The name of the app.", - "AppType": "The type of app.\n\n*Allowed Values* : `JupyterServer | KernelGateway | RSessionGateway | RStudioServerPro | TensorBoard | Canvas`", + "AppType": "The type of app.", "DomainId": "The domain ID.", "ResourceSpec": "Specifies the ARNs of a SageMaker image and SageMaker image version, and the instance type that the version runs on.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", 
@@ -33414,6 +37716,10 @@ "SageMakerImageArn": "The ARN of the SageMaker image that the image version belongs to.", "SageMakerImageVersionArn": "The ARN of the image version created on the instance." }, + "AWS::SageMaker::App Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::AppImageConfig": { "AppImageConfigName": "The name of the AppImageConfig. Must be unique to your account.", "KernelGatewayImageConfig": "The configuration for the file system and kernels in the SageMaker image.", @@ -33432,6 +37738,10 @@ "DisplayName": "The display name of the kernel.", "Name": "The name of the Jupyter kernel in the image. This value is case sensitive." }, + "AWS::SageMaker::AppImageConfig Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::CodeRepository": { "CodeRepositoryName": "The name of the Git repository.", "GitConfig": "Configuration details for the Git repository, including the URL where it is located and the ARN of the AWS Secrets Manager secret that contains the credentials used to access the repository.", @@ -33442,6 +37752,10 @@ "RepositoryUrl": "The URL where the Git repository is located.", "SecretArn": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the credentials used to access the git repository. The secret must have a staging label of `AWSCURRENT` and must be in the following format:\n\n`{\"username\": *UserName* , \"password\": *Password* }`" }, + "AWS::SageMaker::CodeRepository Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::DataQualityJobDefinition": { "DataQualityAppSpecification": "Specifies the container that runs the monitoring job.", "DataQualityBaselineConfig": "Configures the constraints and baselines for the monitoring job.", 
@@ -33456,11 +37770,12 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SageMaker::DataQualityJobDefinition BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "LocalPath": "", - "S3DataDistributionType": "", - "S3InputMode": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "ExcludeFeaturesAttribute": "The attributes of the input data to exclude from the analysis.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::DataQualityJobDefinition ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", 
@@ -33480,7 +37795,7 @@ "Environment": "Sets the environment variables in the container that the monitoring job runs.", "ImageUri": "The container image that the data quality monitoring job runs.", "PostAnalyticsProcessorSourceUri": "An Amazon S3 URI to a script that is called after analysis has been performed. Applicable only for the built-in (first party) containers.", - "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." + "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." }, "AWS::SageMaker::DataQualityJobDefinition DataQualityBaselineConfig": { "BaseliningJobName": "The name of the job that performs baselining for the data quality monitoring job.", @@ -33488,7 +37803,7 @@ "StatisticsResource": "Configuration for monitoring constraints and monitoring statistics. These baseline resources are compared against the results of the current job from the series of jobs scheduled to collect data periodically." }, "AWS::SageMaker::DataQualityJobDefinition DataQualityJobInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "Input object for the endpoint" }, "AWS::SageMaker::DataQualityJobDefinition DatasetFormat": { 
@@ -33498,8 +37813,9 @@ }, "AWS::SageMaker::DataQualityJobDefinition EndpointInput": { "EndpointName": "An endpoint in customer's account which has enabled `DataCaptureConfig` enabled.", + "ExcludeFeaturesAttribute": "The attributes of the input data to exclude from the analysis.", "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::DataQualityJobDefinition Json": { @@ -33509,7 +37825,7 @@ "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::DataQualityJobDefinition MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::DataQualityJobDefinition MonitoringResources": { 
@@ -33531,8 +37847,12 @@ "AWS::SageMaker::DataQualityJobDefinition StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::DataQualityJobDefinition Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::DataQualityJobDefinition VpcConfig": { - "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "SecurityGroupIds": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." }, "AWS::SageMaker::Device": { 
@@ -33545,6 +37865,10 @@ "DeviceName": "The name of the device.", "IotThingName": "AWS Internet of Things (IoT) object name." }, + "AWS::SageMaker::Device Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::DeviceFleet": { "Description": "A description of the fleet.", "DeviceFleetName": "Name of the device fleet.", 
@@ -33556,11 +37880,15 @@ "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt data on the storage volume after compilation job. If you don't provide a KMS key ID, Amazon SageMaker uses the default KMS key for Amazon S3 for your role's account.", "S3OutputLocation": "The Amazon Simple Storage (S3) bucket URI." }, + "AWS::SageMaker::DeviceFleet Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Domain": { "AppNetworkAccessType": "Specifies the VPC used for non-EFS traffic. The default value is `PublicInternetOnly` .\n\n- `PublicInternetOnly` - Non-EFS traffic is through a VPC managed by Amazon SageMaker , which allows direct internet access\n- `VpcOnly` - All Studio traffic is through the specified VPC and subnets\n\n*Valid Values* : `PublicInternetOnly | VpcOnly`", "AppSecurityGroupManagement": "The entity that creates and manages the required security groups for inter-app communication in `VpcOnly` mode. Required when `CreateDomain.AppNetworkAccessType` is `VpcOnly` and `DomainSettings.RStudioServerProDomainSettings.DomainExecutionRoleArn` is provided. If setting up the domain for use with RStudio, this value must be set to `Service` .\n\n*Allowed Values* : `Service` | `Customer`", "AuthMode": "The mode of authentication that members use to access the Domain.\n\n*Valid Values* : `SSO | IAM`", - "DefaultSpaceSettings": "", + "DefaultSpaceSettings": "A collection of settings that apply to spaces created in the Domain.", "DefaultUserSettings": "The default user settings.", "DomainName": "The domain name.", "DomainSettings": "A collection of settings that apply to the `SageMaker Domain` . These settings are specified through the `CreateDomain` API call.", 
@@ -33569,21 +37897,52 @@ "Tags": "Tags to associated with the Domain. Each tag consists of a key and an optional value. Tag keys must be unique per resource. Tags are searchable using the Search API.\n\nTags that you specify for the Domain are also added to all apps that are launched in the Domain.\n\n*Array members* : Minimum number of 0 items. Maximum number of 50 items.", "VpcId": "The ID of the Amazon Virtual Private Cloud (Amazon VPC) that Studio uses for communication.\n\n*Length Constraints* : Maximum length of 32.\n\n*Pattern* : `[-0-9a-zA-Z]+`" }, + "AWS::SageMaker::Domain CodeEditorAppSettings": { + "DefaultResourceSpec": "", + "LifecycleConfigArns": "The Amazon Resource Name (ARN) of the Code Editor application lifecycle configuration." + }, + "AWS::SageMaker::Domain CodeRepository": { + "RepositoryUrl": "The URL of the Git repository." + }, + "AWS::SageMaker::Domain CustomFileSystemConfig": { + "EFSFileSystemConfig": "The settings for a custom Amazon EFS file system." + }, "AWS::SageMaker::Domain CustomImage": { "AppImageConfigName": "The name of the AppImageConfig.", "ImageName": "The name of the CustomImage. Must be unique to your account.", "ImageVersionNumber": "The version number of the CustomImage." }, + "AWS::SageMaker::Domain CustomPosixUserConfig": { + "Gid": "The POSIX group ID.", + "Uid": "The POSIX user ID." + }, + "AWS::SageMaker::Domain DefaultEbsStorageSettings": { + "DefaultEbsVolumeSizeInGb": "The default size of the EBS storage volume for a private space.", + "MaximumEbsVolumeSizeInGb": "The maximum size of the EBS storage volume for a private space." + }, "AWS::SageMaker::Domain DefaultSpaceSettings": { "ExecutionRole": "The ARN of the execution role for the space.", "JupyterServerAppSettings": "The JupyterServer app settings.", "KernelGatewayAppSettings": "The KernelGateway app settings.", "SecurityGroups": "The security group IDs for the Amazon Virtual Private Cloud that the space uses for communication." 
}, + "AWS::SageMaker::Domain DefaultSpaceStorageSettings": { + "DefaultEbsStorageSettings": "The default EBS storage settings for a private space." + }, "AWS::SageMaker::Domain DomainSettings": { "RStudioServerProDomainSettings": "A collection of settings that configure the `RStudioServerPro` Domain-level app.", "SecurityGroupIds": "The security groups for the Amazon Virtual Private Cloud that the `Domain` uses for communication between Domain-level apps and user apps." }, + "AWS::SageMaker::Domain EFSFileSystemConfig": { + "FileSystemId": "The ID of your Amazon EFS file system.", + "FileSystemPath": "The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below." + }, + "AWS::SageMaker::Domain JupyterLabAppSettings": { + "CodeRepositories": "A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterLab application.", + "CustomImages": "A list of custom SageMaker images that are configured to run as a JupyterLab app.", + "DefaultResourceSpec": "", + "LifecycleConfigArns": "The Amazon Resource Name (ARN) of the lifecycle configurations attached to the user profile or domain. To remove a lifecycle config, you must set `LifecycleConfigArns` to an empty list." + }, "AWS::SageMaker::Domain JupyterServerAppSettings": { "DefaultResourceSpec": "The default instance type and the Amazon Resource Name (ARN) of the default SageMaker image used by the JupyterServer app." }, 
@@ -33616,14 +37975,25 @@ "S3KmsKeyId": "When `NotebookOutputOption` is `Allowed` , the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket.", "S3OutputPath": "When `NotebookOutputOption` is `Allowed` , the Amazon S3 bucket used to store the shared notebook snapshots." }, + "AWS::SageMaker::Domain Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Domain UserSettings": { + "CodeEditorAppSettings": "The Code Editor application settings.", + "CustomFileSystemConfigs": "The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio.", + "CustomPosixUserConfig": "Details about the POSIX identity that is used for file system operations.", + "DefaultLandingUri": "The default experience that the user is directed to when accessing the domain. The supported values are:\n\n- `studio::` : Indicates that Studio is the default experience. 
This value can only be passed if `StudioWebPortal` is set to `ENABLED` .\n- `app:JupyterServer:` : Indicates that Studio Classic is the default experience.", "ExecutionRole": "The execution role for the user.", + "JupyterLabAppSettings": "The settings for the JupyterLab application.", "JupyterServerAppSettings": "The Jupyter server's app settings.", "KernelGatewayAppSettings": "The kernel gateway app settings.", "RSessionAppSettings": "A collection of settings that configure the `RSessionGateway` app.", "RStudioServerProAppSettings": "A collection of settings that configure user interaction with the `RStudioServerPro` app.", - "SecurityGroups": "The security groups for the Amazon Virtual Private Cloud (VPC) that Studio uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", - "SharingSettings": "Specifies options for sharing SageMaker Studio notebooks." + "SecurityGroups": "The security groups for the Amazon Virtual Private Cloud (VPC) that the domain uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from Amazon SageMaker Studio. 
Therefore, the number of security groups that you can specify is one less than the maximum number shown.", + "SharingSettings": "Specifies options for sharing Amazon SageMaker Studio notebooks.", + "SpaceStorageSettings": "The storage settings for a private space.", + "StudioWebPortal": "Whether the user can access Studio. If this value is set to `DISABLED` , the user cannot access Studio, even if that is the default experience for the domain." }, "AWS::SageMaker::Endpoint": { "DeploymentConfig": "The deployment configuration for an endpoint, which contains the desired deployment strategy and rollback configurations.", 
@@ -33651,7 +38021,18 @@ }, "AWS::SageMaker::Endpoint DeploymentConfig": { "AutoRollbackConfiguration": "Automatic rollback configuration for handling endpoint deployment failures and recovery.", - "BlueGreenUpdatePolicy": "Update policy for a blue/green deployment. If this update policy is specified, SageMaker creates a new fleet during the deployment while maintaining the old fleet. SageMaker flips traffic to the new fleet according to the specified traffic routing configuration. Only one update policy should be used in the deployment configuration. If no update policy is specified, SageMaker uses a blue/green deployment strategy with all at once traffic shifting by default." + "BlueGreenUpdatePolicy": "Update policy for a blue/green deployment. If this update policy is specified, SageMaker creates a new fleet during the deployment while maintaining the old fleet. SageMaker flips traffic to the new fleet according to the specified traffic routing configuration. Only one update policy should be used in the deployment configuration. If no update policy is specified, SageMaker uses a blue/green deployment strategy with all at once traffic shifting by default.", + "RollingUpdatePolicy": "Specifies a rolling deployment strategy for updating a SageMaker endpoint." + }, + "AWS::SageMaker::Endpoint RollingUpdatePolicy": { + "MaximumBatchSize": "Batch size for each rolling step to provision capacity and turn on traffic on the new endpoint fleet, and terminate capacity on the old endpoint fleet. Value must be between 5% to 50% of the variant's total instance count.", + "MaximumExecutionTimeoutInSeconds": "The time limit for the total deployment. Exceeding this limit causes a timeout.", + "RollbackMaximumBatchSize": "Batch size for rollback to the old endpoint fleet. Each rolling step to provision capacity and turn on traffic on the old endpoint fleet, and terminate capacity on the new endpoint fleet. 
If this field is absent, the default value will be set to 100% of total capacity which means to bring up the whole capacity of the old fleet at once during rollback.", + "WaitIntervalInSeconds": "The length of the baking period, during which SageMaker monitors alarms for each batch on the new fleet." + }, + "AWS::SageMaker::Endpoint Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." }, "AWS::SageMaker::Endpoint TrafficRoutingConfig": { "CanarySize": "Batch size for the first step to turn on traffic on the new endpoint fleet. `Value` must be less than or equal to 50% of the variant's total instance count.", 
@@ -33666,7 +38047,7 @@ "AsyncInferenceConfig": "Specifies configuration for how an endpoint performs asynchronous inference.", "DataCaptureConfig": "Specifies how to capture endpoint data for model monitor. The data capture configuration applies to all production variants hosted at the endpoint.", "EndpointConfigName": "The name of the endpoint configuration.", - "ExplainerConfig": "", + "ExplainerConfig": "A parameter to activate explainers.", "KmsKeyId": "The Amazon Resource Name (ARN) of an AWS Key Management Service key that Amazon SageMaker uses to encrypt data on the storage volume attached to the ML compute instance that hosts the endpoint.\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Alias name: `alias/ExampleAlias`\n- Alias name ARN: `arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias`\n\nThe KMS key policy must grant permission to the IAM role that you specify in your `CreateEndpoint` , `UpdateEndpoint` requests. For more information, refer to the AWS Key Management Service section [Using Key Policies in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/key-policies.html)\n\n> Certain Nitro-based instances include local storage, dependent on the instance type. Local storage volumes are encrypted using a hardware module on the instance. You can't request a `KmsKeyId` when using an instance type with local storage. If any of the models that you specify in the `ProductionVariants` parameter use nitro-based instances with local storage, do not specify a value for the `KmsKeyId` parameter. 
If you specify a value for `KmsKeyId` when using any nitro-based instances with local storage, the call to `CreateEndpointConfig` fails.\n> \n> For a list of instance types that support local instance storage, see [Instance Store Volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#instance-store-volumes) .\n> \n> For more information about local instance storage encryption, see [SSD Instance Store Volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssd-instance-store.html) .", "ProductionVariants": "A list of `ProductionVariant` objects, one for each model that you want to host at this endpoint.", "ShadowProductionVariants": "Array of `ProductionVariant` objects. There is one for each model that you want to host at this endpoint in shadow mode with production traffic replicated from the model specified on `ProductionVariants` . If you use this field, you can only specify one variant for `ProductionVariants` and one variant for `ShadowProductionVariants` .", 
@@ -33681,13 +38062,13 @@ }, "AWS::SageMaker::EndpointConfig AsyncInferenceNotificationConfig": { "ErrorTopic": "Amazon SNS topic to post a notification to when an inference fails. If no topic is provided, no notification is sent on failure.", - "IncludeInferenceResponseIn": "", + "IncludeInferenceResponseIn": "The Amazon SNS topics where you want the inference response to be included.\n\n> The inference response is included only if the response size is less than or equal to 128 KB.", "SuccessTopic": "Amazon SNS topic to post a notification to when an inference completes successfully. If no topic is provided, no notification is sent on success." }, "AWS::SageMaker::EndpointConfig AsyncInferenceOutputConfig": { "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the asynchronous inference output in Amazon S3.", "NotificationConfig": "Specifies the configuration for notifications of inference results for asynchronous inference.", - "S3FailurePath": "", + "S3FailurePath": "The Amazon S3 location to upload failure inference responses to.", "S3OutputPath": "The Amazon S3 location to upload inference responses to." }, "AWS::SageMaker::EndpointConfig CaptureContentTypeHeader": { 
@@ -33698,40 +38079,38 @@ "CaptureMode": "Specifies whether the endpoint captures input data or output data." }, "AWS::SageMaker::EndpointConfig ClarifyExplainerConfig": { - "EnableExplanations": "", - "InferenceConfig": "", - "ShapConfig": "" + "EnableExplanations": "A JMESPath boolean expression used to filter which records to explain. Explanations are activated by default. See [`EnableExplanations`](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-enable) for additional information.", + "InferenceConfig": "The inference configuration parameter for the model container.", + "ShapConfig": "The configuration for SHAP analysis." }, - "AWS::SageMaker::EndpointConfig ClarifyFeatureType": {}, - "AWS::SageMaker::EndpointConfig ClarifyHeader": {}, "AWS::SageMaker::EndpointConfig ClarifyInferenceConfig": { - "ContentTemplate": "", - "FeatureHeaders": "", - "FeatureTypes": "", - "FeaturesAttribute": "", - "LabelAttribute": "", - "LabelHeaders": "", - "LabelIndex": "", - "MaxPayloadInMB": "", - "MaxRecordCount": "", - "ProbabilityAttribute": "", - "ProbabilityIndex": "" + "ContentTemplate": "A template string used to format a JSON record into an acceptable model container input. For example, a `ContentTemplate` string `'{\"myfeatures\":$features}'` will format a list of features `[1,2,3]` into the record string `'{\"myfeatures\":[1,2,3]}'` . Required only when the model container input is in JSON Lines format.", + "FeatureHeaders": "The names of the features. If provided, these are included in the endpoint response payload to help readability of the `InvokeEndpoint` output. See the [Response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", + "FeatureTypes": "A list of data types of the features (optional). 
Applicable only to NLP explainability. If provided, `FeatureTypes` must have at least one `'text'` string (for example, `['text']` ). If `FeatureTypes` is not provided, the explainer infers the feature types based on the baseline data. The feature types are included in the endpoint response payload. For additional information see the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", + "FeaturesAttribute": "Provides the JMESPath expression to extract the features from a model container input in JSON Lines format. For example, if `FeaturesAttribute` is the JMESPath expression `'myfeatures'` , it extracts a list of features `[1,2,3]` from request data `'{\"myfeatures\":[1,2,3]}'` .", + "LabelAttribute": "A JMESPath expression used to locate the list of label headers in the model container output.\n\n*Example* : If the model container output of a batch request is `'{\"labels\":[\"cat\",\"dog\",\"fish\"],\"probability\":[0.6,0.3,0.1]}'` , then set `LabelAttribute` to `'labels'` to extract the list of label headers `[\"cat\",\"dog\",\"fish\"]`", + "LabelHeaders": "For multiclass classification problems, the label headers are the names of the classes. Otherwise, the label header is the name of the predicted label. These are used to help readability for the output of the `InvokeEndpoint` API. See the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information. 
If there are no label headers in the model container output, provide them manually using this parameter.", + "LabelIndex": "A zero-based index used to extract a label header or list of label headers from model container output in CSV format.\n\n*Example for a multiclass model:* If the model container output consists of label headers followed by probabilities: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `LabelIndex` to `0` to select the label headers `['cat','dog','fish']` .", + "MaxPayloadInMB": "The maximum payload size (MB) allowed of a request from the explainer to the model container. Defaults to `6` MB.", + "MaxRecordCount": "The maximum number of records in a request that the model container can process when querying the model container for the predictions of a [synthetic dataset](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-synthetic) . A record is a unit of input data that inference can be made on, for example, a single line in CSV data. If `MaxRecordCount` is `1` , the model container expects one record per request. A value of 2 or greater means that the model expects batch requests, which can reduce overhead and speed up the inferencing process. If this parameter is not provided, the explainer will tune the record count per request according to the model container's capacity at runtime.", + "ProbabilityAttribute": "A JMESPath expression used to extract the probability (or score) from the model container output if the model container is in JSON Lines format.\n\n*Example* : If the model container output of a single request is `'{\"predicted_label\":1,\"probability\":0.6}'` , then set `ProbabilityAttribute` to `'probability'` .", + "ProbabilityIndex": "A zero-based index used to extract a probability value (score) or list from model container output in CSV format. 
If this value is not provided, the entire model container output will be treated as a probability value (score) or list.\n\n*Example for a single class model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'1,0.6'` , set `ProbabilityIndex` to `1` to select the probability value `0.6` .\n\n*Example for a multiclass model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `ProbabilityIndex` to `1` to select the probability values `[0.1,0.6,0.3]` ." }, "AWS::SageMaker::EndpointConfig ClarifyShapBaselineConfig": { - "MimeType": "", - "ShapBaseline": "", - "ShapBaselineUri": "" + "MimeType": "The MIME type of the baseline data. Choose from `'text/csv'` or `'application/jsonlines'` . Defaults to `'text/csv'` .", + "ShapBaseline": "The inline SHAP baseline data in string format. `ShapBaseline` can have one or multiple records to be used as the baseline dataset. The format of the SHAP baseline file should be the same format as the training dataset. For example, if the training dataset is in CSV format and each record contains four features, and all features are numerical, then the format of the baseline data should also share these characteristics. For natural language processing (NLP) of text columns, the baseline value should be the value used to replace the unit of text specified by the `Granularity` of the `TextConfig` parameter. The size limit for `ShapBasline` is 4 KB. Use the `ShapBaselineUri` parameter if you want to provide more than 4 KB of baseline data.", + "ShapBaselineUri": "The uniform resource identifier (URI) of the S3 bucket where the SHAP baseline file is stored. The format of the SHAP baseline file should be the same format as the format of the training dataset. 
For example, if the training dataset is in CSV format, and each record in the training dataset has four features, and all features are numerical, then the baseline file should also have this same format. Each record should contain only the features. If you are using a virtual private cloud (VPC), the `ShapBaselineUri` should be accessible to the VPC. For more information about setting up endpoints with Amazon Virtual Private Cloud, see [Give SageMaker access to Resources in your Amazon Virtual Private Cloud](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) ." }, "AWS::SageMaker::EndpointConfig ClarifyShapConfig": { - "NumberOfSamples": "", - "Seed": "", - "ShapBaselineConfig": "", - "TextConfig": "", - "UseLogit": "" + "NumberOfSamples": "The number of samples to be used for analysis by the Kernal SHAP algorithm.\n\n> The number of samples determines the size of the synthetic dataset, which has an impact on latency of explainability requests. For more information, see the *Synthetic data* of [Configure and create an endpoint](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html) .", + "Seed": "The starting value used to initialize the random number generator in the explainer. Provide a value for this parameter to obtain a deterministic SHAP result.", + "ShapBaselineConfig": "The configuration for the SHAP baseline of the Kernal SHAP algorithm.", + "TextConfig": "A parameter that indicates if text features are treated as text and explanations are provided for individual units of text. Required for natural language processing (NLP) explainability only.", + "UseLogit": "A Boolean toggle to indicate if you want to use the logit function (true) or log-odds units (false) for model predictions. Defaults to false." }, "AWS::SageMaker::EndpointConfig ClarifyTextConfig": { - "Granularity": "", - "Language": "" + "Granularity": "The unit of granularity for the analysis of text features. 
For example, if the unit is `'token'` , then each token (like a word in English) of the text is treated as a feature. SHAP values are computed for each unit/feature.", + "Language": "Specifies the language of the text features in [ISO 639-1](https://docs.aws.amazon.com/ https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) or [ISO 639-3](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_639-3) code of a supported language.\n\n> For a mix of multiple languages, use code `'xx'` ." }, "AWS::SageMaker::EndpointConfig DataCaptureConfig": { "CaptureContentTypeHeader": "A list of the JSON and CSV content type that the endpoint captures.", 
@@ -33742,26 +38121,30 @@ "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the captured data at rest using Amazon S3 server-side encryption. The KmsKeyId can be any of the following formats: Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab Key ARN: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab Alias name: alias/ExampleAlias Alias name ARN: arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias If you don't provide a KMS key ID, Amazon SageMaker uses the default KMS key for Amazon S3 for your role's account. For more information, see KMS-Managed Encryption Keys (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html) in the Amazon Simple Storage Service Developer Guide. The KMS key policy must grant permission to the IAM role that you specify in your CreateModel (https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateModel.html) request. For more information, see Using Key Policies in AWS KMS (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the AWS Key Management Service Developer Guide." }, "AWS::SageMaker::EndpointConfig ExplainerConfig": { - "ClarifyExplainerConfig": "" + "ClarifyExplainerConfig": "A member of `ExplainerConfig` that contains configuration parameters for the SageMaker Clarify explainer." }, "AWS::SageMaker::EndpointConfig ProductionVariant": { "AcceleratorType": "The size of the Elastic Inference (EI) instance to use for the production variant. EI instances provide on-demand GPU computing for inference. For more information, see [Using Elastic Inference in Amazon SageMaker](https://docs.aws.amazon.com/sagemaker/latest/dg/ei.html) . 
For more information, see [Using Elastic Inference in Amazon SageMaker](https://docs.aws.amazon.com/sagemaker/latest/dg/ei.html) .", - "ContainerStartupHealthCheckTimeoutInSeconds": "", - "EnableSSMAccess": "", + "ContainerStartupHealthCheckTimeoutInSeconds": "The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests) .", + "EnableSSMAccess": "You can use this parameter to turn on native AWS Systems Manager (SSM) access for a production variant behind an endpoint. By default, SSM access is disabled for all production variants behind an endpoint. You can turn on or turn off SSM access for a production variant behind an existing endpoint by creating a new endpoint configuration and calling `UpdateEndpoint` .", "InitialInstanceCount": "Number of instances to launch initially.", "InitialVariantWeight": "Determines initial traffic distribution among all of the models that you specify in the endpoint configuration. The traffic to a production variant is determined by the ratio of the `VariantWeight` to the sum of all `VariantWeight` values across all ProductionVariants. If unspecified, it defaults to 1.0.", "InstanceType": "The ML compute instance type.", - "ModelDataDownloadTimeoutInSeconds": "", + "ModelDataDownloadTimeoutInSeconds": "The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant.", "ModelName": "The name of the model that you want to host. This is the name that you specified when creating the model.", "ServerlessConfig": "The serverless configuration for an endpoint. 
Specifies a serverless endpoint configuration instead of an instance-based endpoint configuration.", "VariantName": "The name of the production variant.", - "VolumeSizeInGB": "" + "VolumeSizeInGB": "The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Currently only Amazon EBS gp2 storage volumes are supported." }, "AWS::SageMaker::EndpointConfig ServerlessConfig": { "MaxConcurrency": "The maximum number of concurrent invocations your serverless endpoint can process.", "MemorySizeInMB": "The memory size of your serverless endpoint. Valid values are in 1 GB increments: 1024 MB, 2048 MB, 3072 MB, 4096 MB, 5120 MB, or 6144 MB.", "ProvisionedConcurrency": "" }, + "AWS::SageMaker::EndpointConfig Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::FeatureGroup": { "Description": "A free form description of a `FeatureGroup` .", "EventTimeFeatureName": "The name of the feature that stores the `EventTime` of a Record in a `FeatureGroup` .\n\nA `EventTime` is point in time when a new event occurs that corresponds to the creation or update of a `Record` in `FeatureGroup` . All `Records` in the `FeatureGroup` must have a corresponding `EventTime` .", 
@@ -33786,11 +38169,12 @@ "DataCatalogConfig": "The meta data of the Glue table that is autogenerated when an `OfflineStore` is created.", "DisableGlueTableCreation": "Set to `True` to disable the automatic creation of an AWS Glue table when configuring an `OfflineStore` . If set to `False` , Feature Store will name the `OfflineStore` Glue table following [Athena's naming recommendations](https://docs.aws.amazon.com/athena/latest/ug/tables-databases-columns-names.html) .\n\nThe default value is `False` .", "S3StorageConfig": "The Amazon Simple Storage (Amazon S3) location of `OfflineStore` .", - "TableFormat": "" + "TableFormat": "Format for the offline store table. Supported formats are Glue (Default) and [Apache Iceberg](https://docs.aws.amazon.com/https://iceberg.apache.org/) ." }, "AWS::SageMaker::FeatureGroup OnlineStoreConfig": { "EnableOnlineStore": "Turn `OnlineStore` off by specifying `False` for the `EnableOnlineStore` flag. Turn `OnlineStore` on by specifying `True` for the `EnableOnlineStore` flag.\n\nThe default value is `False` .", - "SecurityConfig": "Use to specify KMS Key ID ( `KMSKeyId` ) for at-rest encryption of your `OnlineStore` ." + "SecurityConfig": "Use to specify KMS Key ID ( `KMSKeyId` ) for at-rest encryption of your `OnlineStore` .", + "StorageType": "Option for different tiers of low latency storage for real-time data retrieval.\n\n- `Standard` : A managed low latency data store for feature groups.\n- `InMemory` : A managed data store for feature groups that supports very low latency retrieval." 
}, "AWS::SageMaker::FeatureGroup OnlineStoreSecurityConfig": { "KmsKeyId": "The AWS Key Management Service (KMS) key ARN that SageMaker Feature Store uses to encrypt the Amazon S3 objects at rest using Amazon S3 server-side encryption.\n\nThe caller (either user or IAM role) of `CreateFeatureGroup` must have below permissions to the `OnlineStore` `KmsKeyId` :\n\n- `\"kms:Encrypt\"`\n- `\"kms:Decrypt\"`\n- `\"kms:DescribeKey\"`\n- `\"kms:CreateGrant\"`\n- `\"kms:RetireGrant\"`\n- `\"kms:ReEncryptFrom\"`\n- `\"kms:ReEncryptTo\"`\n- `\"kms:GenerateDataKey\"`\n- `\"kms:ListAliases\"`\n- `\"kms:ListGrants\"`\n- `\"kms:RevokeGrant\"`\n\nThe caller (either user or IAM role) to all DataPlane operations ( `PutRecord` , `GetRecord` , `DeleteRecord` ) must have the following permissions to the `KmsKeyId` :\n\n- `\"kms:Decrypt\"`" 
@@ -33799,16 +38183,78 @@ "KmsKeyId": "The AWS Key Management Service (KMS) key ARN of the key used to encrypt any objects written into the `OfflineStore` S3 location.\n\nThe IAM `roleARN` that is passed as a parameter to `CreateFeatureGroup` must have below permissions to the `KmsKeyId` :\n\n- `\"kms:GenerateDataKey\"`", "S3Uri": "The S3 URI, or location in Amazon S3, of `OfflineStore` .\n\nS3 URIs have a format similar to the following: `s3://example-bucket/prefix/` ." }, + "AWS::SageMaker::FeatureGroup Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Image": { - "ImageDescription": "The description of the image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 512.\n\n*Pattern* : `.*`", + "ImageDescription": "The description of the image.", "ImageDisplayName": "The display name of the image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 128.\n\n*Pattern* : `^\\S(.*\\S)?$`", "ImageName": "The name of the Image. Must be unique by region in your account.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`", "ImageRoleArn": "The Amazon Resource Name (ARN) of an IAM role that enables Amazon SageMaker to perform tasks on your behalf.\n\n*Length Constraints* : Minimum length of 20. Maximum length of 2048.\n\n*Pattern* : `^arn:aws[a-z\\-]*:iam::\\d{12}:role/?[a-zA-Z_0-9+=,.@\\-_/]+$`", "Tags": "A list of key-value pairs to apply to this resource.\n\n*Array Members* : Minimum number of 0 items. Maximum number of 50 items." }, + "AWS::SageMaker::Image Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ImageVersion": { - "BaseImage": "The container image that the SageMaker image version is based on.\n\n*Length Constraints* : Minimum length of 1. 
Maximum length of 255.\n\n*Pattern* : `.*`", - "ImageName": "The name of the parent image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`" + "Alias": "", + "Aliases": "", + "BaseImage": "The container image that the SageMaker image version is based on.", + "Horovod": "", + "ImageName": "The name of the parent image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`", + "JobType": "", + "MLFramework": "", + "Processor": "", + "ProgrammingLang": "", + "ReleaseNotes": "", + "VendorGuidance": "" + }, + "AWS::SageMaker::InferenceComponent": { + "EndpointArn": "The Amazon Resource Name (ARN) of the endpoint that hosts the inference component.", + "EndpointName": "The name of the endpoint that hosts the inference component.", + "InferenceComponentName": "The name of the inference component.", + "RuntimeConfig": "", + "Specification": "", + "Tags": "", + "VariantName": "The name of the production variant that hosts the inference component." + }, + "AWS::SageMaker::InferenceComponent DeployedImage": { + "ResolutionTime": "The date and time when the image path for the model resolved to the `ResolvedImage`", + "ResolvedImage": "The specific digest path of the image hosted in this `ProductionVariant` .", + "SpecifiedImage": "The image path you specified when you created the model." + }, + "AWS::SageMaker::InferenceComponent InferenceComponentComputeResourceRequirements": { + "MaxMemoryRequiredInMb": "The maximum MB of memory to allocate to run a model that you assign to an inference component.", + "MinMemoryRequiredInMb": "The minimum MB of memory to allocate to run a model that you assign to an inference component.", + "NumberOfAcceleratorDevicesRequired": "The number of accelerators to allocate to run a model that you assign to an inference component. 
Accelerators include GPUs and AWS Inferentia.", + "NumberOfCpuCoresRequired": "The number of CPU cores to allocate to run a model that you assign to an inference component." + }, + "AWS::SageMaker::InferenceComponent InferenceComponentContainerSpecification": { + "ArtifactUrl": "The Amazon S3 path where the model artifacts, which result from model training, are stored. This path must point to a single gzip compressed tar archive (.tar.gz suffix).", + "DeployedImage": "", + "Environment": "The environment variables to set in the Docker container. Each key and value in the Environment string-to-string map can have length of up to 1024. We support up to 16 entries in the map.", + "Image": "The Amazon Elastic Container Registry (Amazon ECR) path where the Docker image for the model is stored." + }, + "AWS::SageMaker::InferenceComponent InferenceComponentRuntimeConfig": { + "CopyCount": "The number of runtime copies of the model container to deploy with the inference component. Each copy can serve inference requests.", + "CurrentCopyCount": "", + "DesiredCopyCount": "" + }, + "AWS::SageMaker::InferenceComponent InferenceComponentSpecification": { + "ComputeResourceRequirements": "The compute resources allocated to run the model assigned to the inference component.", + "Container": "Defines a container that provides the runtime environment for a model that you deploy with an inference component.", + "ModelName": "The name of an existing SageMaker model object in your account that you want to deploy with the inference component.", + "StartupParameters": "Settings that take effect while the model container starts up." + }, + "AWS::SageMaker::InferenceComponent InferenceComponentStartupParameters": { + "ContainerStartupHealthCheckTimeoutInSeconds": "The timeout value, in seconds, for your inference container to pass health check by Amazon S3 Hosting. 
For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests) .", + "ModelDataDownloadTimeoutInSeconds": "The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this inference component." + }, + "AWS::SageMaker::InferenceComponent Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." }, "AWS::SageMaker::InferenceExperiment": { "DataStorageConfig": "The Amazon S3 location and configuration for storing inference request and response data.", @@ -33826,7 +38272,7 @@ "Type": "The type of the inference experiment." }, "AWS::SageMaker::InferenceExperiment CaptureContentTypeHeader": { - "CsvContentTypes": "The list of all content type headers that SageMaker will treat as CSV and capture accordingly.", + "CsvContentTypes": "The list of all content type headers that Amazon SageMaker will treat as CSV and capture accordingly.", "JsonContentTypes": "The list of all content type headers that SageMaker will treat as JSON and capture accordingly." }, "AWS::SageMaker::InferenceExperiment DataStorageConfig": { @@ -33864,6 +38310,10 @@ "SamplingPercentage": "The percentage of inference requests that Amazon SageMaker replicates from the production variant to the shadow variant.", "ShadowModelVariantName": "The name of the shadow variant." }, + "AWS::SageMaker::InferenceExperiment Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Model": { "Containers": "Specifies the containers in the inference pipeline.", "EnableNetworkIsolation": "Isolates the model container. No inbound or outbound network calls can be made to or from the model container.", 
@@ -33881,6 +38331,7 @@ "ImageConfig": "Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). For information about storing containers in a private Docker registry, see [Use a Private Docker Registry for Real-Time Inference Containers](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-containers-inference-private.html) .\n\n> The model artifacts in an Amazon S3 bucket and the Docker image for inference container in Amazon EC2 Container Registry must be in the same region as the model or endpoint you are creating.", "InferenceSpecificationName": "The inference specification name in the model package version.", "Mode": "Whether the container hosts a single model or multiple models.", + "ModelDataSource": "Specifies the location of ML model data to deploy.\n\n> Currently you cannot use `ModelDataSource` in conjunction with SageMaker batch transform, SageMaker serverless endpoints, SageMaker multi-model endpoints, and SageMaker Marketplace.", "ModelDataUrl": "The S3 path where the model artifacts, which result from model training, are stored. This path must point to a single gzip compressed tar archive (.tar.gz suffix). The S3 path is required for SageMaker built-in algorithms, but not if you use your own algorithms. For more information on built-in algorithms, see [Common Parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-algo-docker-registry-paths.html) .\n\n> The model artifacts must be in an S3 bucket that is in the same region as the model or endpoint you are creating. \n\nIf you provide a value for this parameter, SageMaker uses AWS Security Token Service to download model artifacts from the S3 path you provide. AWS STS is activated in your AWS account by default. If you previously deactivated AWS STS for a region, you need to reactivate AWS STS for that region. 
For more information, see [Activating and Deactivating AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the *AWS Identity and Access Management User Guide* .\n\n> If you use a built-in algorithm to create a model, SageMaker requires that you provide a S3 path to the model artifacts in `ModelDataUrl` .", "ModelPackageName": "The name or Amazon Resource Name (ARN) of the model package to use to create the model.", "MultiModelConfig": "Specifies additional configuration for multi-model endpoints." 
@@ -33892,14 +38343,26 @@ "AWS::SageMaker::Model InferenceExecutionConfig": { "Mode": "How containers in a multi-container are run. The following values are valid.\n\n- `Serial` - Containers run as a serial pipeline.\n- `Direct` - Only the individual container that you specify is run." }, + "AWS::SageMaker::Model ModelDataSource": { + "S3DataSource": "Specifies the S3 location of ML model data to deploy." + }, "AWS::SageMaker::Model MultiModelConfig": { "ModelCacheSetting": "Whether to cache models for a multi-model endpoint. By default, multi-model endpoints cache models so that a model does not have to be loaded into memory each time it is invoked. Some use cases do not benefit from model caching. For example, if an endpoint hosts a large number of models that are each invoked infrequently, the endpoint might perform better if you disable model caching. To disable model caching, set the value of this parameter to Disabled." }, "AWS::SageMaker::Model RepositoryAuthConfig": { "RepositoryCredentialsProviderArn": "The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the *AWS Lambda Developer Guide* ." }, + "AWS::SageMaker::Model S3DataSource": { + "CompressionType": "", + "S3DataType": "If you choose `S3Prefix` , `S3Uri` identifies a key name prefix. SageMaker uses all objects that match the specified key name prefix for model training.\n\nIf you choose `ManifestFile` , `S3Uri` identifies an object that is a manifest file containing a list of object keys that you want SageMaker to use for model training.\n\nIf you choose `AugmentedManifestFile` , S3Uri identifies an object that is an augmented manifest file in JSON lines format. 
This file contains the data you want to use for model training. `AugmentedManifestFile` can only be used if the Channel's input mode is `Pipe` .", + "S3Uri": "Depending on the value specified for the `S3DataType` , identifies either a key name prefix or a manifest. For example:\n\n- A key name prefix might look like this: `s3://bucketname/exampleprefix`\n- A manifest might look like this: `s3://bucketname/example.manifest`\n\nA manifest is an S3 object which is a JSON file consisting of an array of elements. The first element is a prefix which is followed by one or more suffixes. SageMaker appends the suffix elements to the prefix to get a full set of `S3Uri` . Note that the prefix must be a valid non-empty `S3Uri` that precludes users from specifying a manifest whose individual `S3Uri` is sourced from different S3 buckets.\n\nThe following code example shows a valid manifest format:\n\n`[ {\"prefix\": \"s3://customer_bucket/some/prefix/\"},`\n\n`\"relative/path/to/custdata-1\",`\n\n`\"relative/path/custdata-2\",`\n\n`...`\n\n`\"relative/path/custdata-N\"`\n\n`]`\n\nThis JSON is equivalent to the following `S3Uri` list:\n\n`s3://customer_bucket/some/prefix/relative/path/to/custdata-1`\n\n`s3://customer_bucket/some/prefix/relative/path/custdata-2`\n\n`...`\n\n`s3://customer_bucket/some/prefix/relative/path/custdata-N`\n\nThe complete set of `S3Uri` in this manifest is the input data for the channel for this data source. The object that each `S3Uri` points to must be readable by the IAM role that SageMaker uses to perform tasks on your behalf.\n\nYour input bucket must be located in same AWS region as your training job." + }, + "AWS::SageMaker::Model Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Model VpcConfig": { - "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. 
Specify the security groups for the VPC that is specified in the `Subnets` field.", + "SecurityGroupIds": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." }, "AWS::SageMaker::ModelBiasJobDefinition": { 
@@ -33916,17 +38379,17 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SageMaker::ModelBiasJobDefinition BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "EndTimeOffset": "", - "FeaturesAttribute": "", - "InferenceAttribute": "", - "LocalPath": "", - "ProbabilityAttribute": "", - "ProbabilityThresholdAttribute": "", - "S3DataDistributionType": "", - "S3InputMode": "", - "StartTimeOffset": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "EndTimeOffset": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", + "FeaturesAttribute": "The attributes of the input data that are the input features.", + "InferenceAttribute": "The attribute of the input data that represents the ground truth label.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", + "ProbabilityThresholdAttribute": "The threshold for the class probability to be evaluated as a positive result.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. 
Defaults to `File` .", + "StartTimeOffset": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) ." }, "AWS::SageMaker::ModelBiasJobDefinition ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", @@ -33953,7 +38416,7 @@ "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", "ProbabilityThresholdAttribute": "The threshold for the class probability to be evaluated as a positive result.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "StartTimeOffset": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) ." }, 
@@ -33970,7 +38433,7 @@ "ConstraintsResource": "The constraints resource for a monitoring job." }, "AWS::SageMaker::ModelBiasJobDefinition ModelBiasJobInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "Input object for the endpoint", "GroundTruthS3Input": "Location of ground truth labels to use in model bias job." }, @@ -33981,7 +38444,7 @@ "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::ModelBiasJobDefinition MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::ModelBiasJobDefinition MonitoringResources": { 
@@ -34000,8 +38463,12 @@ "AWS::SageMaker::ModelBiasJobDefinition StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::ModelBiasJobDefinition Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelBiasJobDefinition VpcConfig": { - "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "SecurityGroupIds": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." }, "AWS::SageMaker::ModelCard": { 
@@ -34054,7 +38521,7 @@ "ContainerImage": "The container used to run the inference environment." }, "AWS::SageMaker::ModelCard InferenceSpecification": { - "Containers": "" + "Containers": "The Amazon ECR registry path of the Docker image that contains the inference code." }, "AWS::SageMaker::ModelCard IntendedUses": { "ExplanationsForRiskRating": "An explanation of why your organization categorizes the model with its risk rating.", @@ -34064,12 +38531,7 @@ "RiskRating": "Your organization's risk rating. You can specify one the following values as the risk rating:\n\n- High\n- Medium\n- Low\n- Unknown" }, "AWS::SageMaker::ModelCard MetricDataItems": { - "Name": "The names of the metrics.", - "Notes": "Any notes to add to the metric.", - "Type": "You must specify one of the following data types:\n\n- Bar Chart `bar_char`\n- Boolean `boolean`\n- Linear Graph `linear_graph`\n- Matrix `matrix`\n- Number `number`\n- String `string`", - "Value": "The datatype of the metric. The metric's *value* must be compatible with the metric's *type* .", - "XAxisName": "The name of the x axis.", - "YAxisName": "The name of the y axis." + "MetricDataItems": "" }, "AWS::SageMaker::ModelCard MetricGroup": { "MetricData": "A list of metric objects. The `MetricDataItems` list can have one of the following values:\n\n- `bar_chart_metric`\n- `matrix_metric`\n- `simple_metric`\n- `linear_graph_metric`\n\nFor more information about the metric schema, see the definition section of the [model card JSON schema](https://docs.aws.amazon.com/sagemaker/latest/dg/model-cards.html#model-cards-json-schema) .", 
@@ -34112,9 +38574,21 @@ "AWS::SageMaker::ModelCard SecurityConfig": { "KmsKeyId": "A AWS Key Management Service [key ID](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id) used to encrypt a model card." }, + "AWS::SageMaker::ModelCard SimpleMetric": { + "Name": "", + "Notes": "", + "Type": "", + "Value": "", + "XAxisName": "", + "YAxisName": "" + }, "AWS::SageMaker::ModelCard SourceAlgorithm": { - "AlgorithmName": "", - "ModelDataUrl": "" + "AlgorithmName": "The name of an algorithm that was used to create the model package. The algorithm must be either an algorithm resource in your SageMaker account or an algorithm in AWS Marketplace that you are subscribed to.", + "ModelDataUrl": "The Amazon S3 path where the model artifacts, which result from model training, are stored. This path must point to a single `gzip` compressed tar archive ( `.tar.gz` suffix).\n\n> The model artifacts must be in an S3 bucket that is in the same AWS region as the algorithm." + }, + "AWS::SageMaker::ModelCard Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." }, "AWS::SageMaker::ModelCard TrainingDetails": { "ObjectiveFunction": "The function that is optimized during model training.", 
@@ -34161,14 +38635,14 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SageMaker::ModelExplainabilityJobDefinition BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "FeaturesAttribute": "", - "InferenceAttribute": "", - "LocalPath": "", - "ProbabilityAttribute": "", - "S3DataDistributionType": "", - "S3InputMode": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "FeaturesAttribute": "The attributes of the input data that are the input features.", + "InferenceAttribute": "The attribute of the input data that represents the ground truth label.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::ModelExplainabilityJobDefinition ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", 
@@ -34193,14 +38667,14 @@ "InferenceAttribute": "The attribute of the input data that represents the ground truth label.", "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::ModelExplainabilityJobDefinition Json": { "Line": "" }, "AWS::SageMaker::ModelExplainabilityJobDefinition ModelExplainabilityAppSpecification": { - "ConfigUri": "JSON formatted S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", + "ConfigUri": "JSON formatted Amazon S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", "Environment": "Sets the environment variables in the Docker container.", "ImageUri": "The container image to be run by the model explainability job." }, 
@@ -34209,14 +38683,14 @@ "ConstraintsResource": "The constraints resource for a model explainability job." }, "AWS::SageMaker::ModelExplainabilityJobDefinition ModelExplainabilityJobInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "" }, "AWS::SageMaker::ModelExplainabilityJobDefinition MonitoringOutput": { "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::ModelExplainabilityJobDefinition MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::ModelExplainabilityJobDefinition MonitoringResources": { 
@@ -34235,8 +38709,12 @@ "AWS::SageMaker::ModelExplainabilityJobDefinition StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::ModelExplainabilityJobDefinition Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelExplainabilityJobDefinition VpcConfig": { - "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "SecurityGroupIds": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." }, "AWS::SageMaker::ModelPackage": { 
@@ -34259,6 +38737,7 @@ "ModelPackageStatusDetails": "Specifies the validation and image scan statuses of the model package.", "ModelPackageVersion": "The version number of a versioned model.", "SamplePayloadUrl": "The Amazon Simple Storage Service path where the sample payload are stored. This path must point to a single gzip compressed tar archive (.tar.gz suffix).", + "SkipModelValidation": "Indicates if you want to skip model validation.", "SourceAlgorithmSpecification": "A list of algorithms that were used to create a model package.", "Tags": "A list of the tags associated with the model package. For more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference Guide* .", "Task": "The machine learning task your model package accomplishes. Common machine learning tasks include object detection and image classification.", @@ -34377,6 +38856,10 @@ "AWS::SageMaker::ModelPackage SourceAlgorithmSpecification": { "SourceAlgorithms": "A list of the algorithms that were used to create a model package." }, + "AWS::SageMaker::ModelPackage Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelPackage TransformInput": { "CompressionType": "If your transform data is compressed, specify the compression type. Amazon SageMaker automatically decompresses the data for the transform job accordingly. The default value is `None` .", "ContentType": "The multipurpose internet mail extension (MIME) type of the data. Amazon SageMaker uses the MIME type with each http call to transfer data to the transform job.", 
@@ -34417,6 +38900,10 @@ "ModelPackageGroupPolicy": "A resouce policy to control access to a model group. For information about resoure policies, see [Identity-based policies and resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) in the *AWS Identity and Access Management User Guide.* .", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::SageMaker::ModelPackageGroup Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelQualityJobDefinition": { "EndpointName": "", "JobDefinitionName": "The name of the monitoring job definition.", 
@@ -34431,16 +38918,16 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SageMaker::ModelQualityJobDefinition BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "EndTimeOffset": "", - "InferenceAttribute": "", - "LocalPath": "", - "ProbabilityAttribute": "", - "ProbabilityThresholdAttribute": "", - "S3DataDistributionType": "", - "S3InputMode": "", - "StartTimeOffset": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "EndTimeOffset": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", + "InferenceAttribute": "The attribute of the input data that represents the ground truth label.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", + "ProbabilityThresholdAttribute": "The threshold for the class probability to be evaluated as a positive result.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", + "StartTimeOffset": "If specified, monitoring jobs substract this time from the start time. 
For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) ." }, "AWS::SageMaker::ModelQualityJobDefinition ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", @@ -34466,7 +38953,7 @@ "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", "ProbabilityThresholdAttribute": "The threshold for the class probability to be evaluated as a positive result.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "StartTimeOffset": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) ." }, 
@@ -34480,14 +38967,14 @@ "ImageUri": "The address of the container image that the monitoring job runs.", "PostAnalyticsProcessorSourceUri": "An Amazon S3 URI to a script that is called after analysis has been performed. Applicable only for the built-in (first party) containers.", "ProblemType": "The machine learning problem type of the model that the monitoring job monitors.", - "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." + "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." }, "AWS::SageMaker::ModelQualityJobDefinition ModelQualityBaselineConfig": { "BaseliningJobName": "The name of the job that performs baselining for the monitoring job.", "ConstraintsResource": "The constraints resource for a monitoring job." }, "AWS::SageMaker::ModelQualityJobDefinition ModelQualityJobInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "Input object for the endpoint", "GroundTruthS3Input": "The ground truth label provided for the model." }, 
@@ -34498,7 +38985,7 @@ "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::ModelQualityJobDefinition MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::ModelQualityJobDefinition MonitoringResources": { 
@@ -34517,8 +39004,12 @@ "AWS::SageMaker::ModelQualityJobDefinition StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::ModelQualityJobDefinition Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelQualityJobDefinition VpcConfig": { - "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "SecurityGroupIds": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." }, "AWS::SageMaker::MonitoringSchedule": { 
@@ -34535,11 +39026,12 @@ "StatisticsResource": "The baseline statistics file in Amazon S3 that the current monitoring job should be validated against." }, "AWS::SageMaker::MonitoringSchedule BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "LocalPath": "", - "S3DataDistributionType": "", - "S3InputMode": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "ExcludeFeaturesAttribute": "The attributes of the input data to exclude from the analysis.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::MonitoringSchedule ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", 
@@ -34560,8 +39052,9 @@ }, "AWS::SageMaker::MonitoringSchedule EndpointInput": { "EndpointName": "An endpoint in customer's account which has enabled `DataCaptureConfig` enabled.", + "ExcludeFeaturesAttribute": "The attributes of the input data to exclude from the analysis.", "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::MonitoringSchedule Json": { 
@@ -34572,7 +39065,7 @@ "ContainerEntrypoint": "Specifies the entrypoint for a container used to run the monitoring job.", "ImageUri": "The container image to be run by the monitoring job.", "PostAnalyticsProcessorSourceUri": "An Amazon S3 URI to a script that is called after analysis has been performed. Applicable only for the built-in (first party) containers.", - "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." + "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." }, "AWS::SageMaker::MonitoringSchedule MonitoringExecutionSummary": { "CreationTime": "The time at which the monitoring job was created.", @@ -34585,7 +39078,7 @@ "ScheduledTime": "The time the monitoring job was scheduled." }, "AWS::SageMaker::MonitoringSchedule MonitoringInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "The endpoint for a monitoring job." }, "AWS::SageMaker::MonitoringSchedule MonitoringJobDefinition": { 
@@ -34593,7 +39086,7 @@ "Environment": "Sets the environment variables in the Docker container.", "MonitoringAppSpecification": "Configures the monitoring job to run a specified Docker container image.", "MonitoringInputs": "The array of inputs for the monitoring job. Currently we support monitoring an Amazon SageMaker Endpoint.", - "MonitoringOutputConfig": "The array of outputs from the monitoring job to be uploaded to Amazon Simple Storage Service (Amazon S3).", + "MonitoringOutputConfig": "The array of outputs from the monitoring job to be uploaded to Amazon S3.", "MonitoringResources": "Identifies the resources, ML compute instances, and ML storage volumes to deploy for a monitoring job. In distributed processing, you specify more than one instance.", "NetworkConfig": "Specifies networking options for an monitoring job.", "RoleArn": "The Amazon Resource Name (ARN) of an IAM role that Amazon SageMaker can assume to perform tasks on your behalf.", @@ -34603,7 +39096,7 @@ "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::MonitoringSchedule MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::MonitoringSchedule MonitoringResources": { 
@@ -34626,7 +39119,9 @@ "S3Uri": "A URI that identifies the S3 storage location where SageMaker saves the results of a monitoring job." }, "AWS::SageMaker::MonitoringSchedule ScheduleConfig": { - "ScheduleExpression": "A cron expression that describes details about the monitoring schedule.\n\nCurrently the only supported cron expressions are:\n\n- If you want to set the job to start every hour, please use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day." + "DataAnalysisEndTime": "Sets the end time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to end the window one hour before the start of each monitoring job, you would specify: `\"-PT1H\"` .\n\nThe end time that you specify must not follow the start time that you specify by more than 24 hours. 
You specify the start time with the `DataAnalysisStartTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "DataAnalysisStartTime": "Sets the start time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to monitor the five hours of data in your dataset that precede the start of each monitoring job, you would specify: `\"-PT5H\"` .\n\nThe start time that you specify must not precede the end time that you specify by more than 24 hours. You specify the end time with the `DataAnalysisEndTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "ScheduleExpression": "A cron expression that describes details about the monitoring schedule.\n\nThe supported cron expressions are:\n\n- If you want to set the job to start every hour, use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n- If you want to run the job one time, immediately, use the following keyword:\n\n`NOW`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. 
Amazon SageMaker will pick a time for running every day. \n\nYou can also specify the keyword `NOW` to run the monitoring job immediately, one time, without recurring." }, "AWS::SageMaker::MonitoringSchedule StatisticsResource": { "S3Uri": "The S3 URI for the statistics resource." 
@@ -34634,8 +39129,12 @@ "AWS::SageMaker::MonitoringSchedule StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::MonitoringSchedule Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::MonitoringSchedule VpcConfig": { - "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "SecurityGroupIds": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." }, "AWS::SageMaker::NotebookInstance": { 
@@ -34659,6 +39158,10 @@ "AWS::SageMaker::NotebookInstance InstanceMetadataServiceConfiguration": { "MinimumInstanceMetadataServiceVersion": "Indicates the minimum IMDS version that the notebook instance supports. When passed as part of `CreateNotebookInstance` , if no value is selected, then it defaults to IMDSv1. This means that both IMDSv1 and IMDSv2 are supported. If passed as part of `UpdateNotebookInstance` , there is no default." }, + "AWS::SageMaker::NotebookInstance Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::NotebookInstanceLifecycleConfig": { "NotebookInstanceLifecycleConfigName": "The name of the lifecycle configuration.", "OnCreate": "A shell script that runs only once, when you create a notebook instance. The shell script must be a base64-encoded string.", @@ -34668,7 +39171,7 @@ "Content": "A base64-encoded string that contains a shell script for a notebook instance lifecycle configuration." }, "AWS::SageMaker::Pipeline": { - "ParallelismConfiguration": "", + "ParallelismConfiguration": "The parallelism configuration applied to the pipeline.", "PipelineDefinition": "The definition of the pipeline. This can be either a JSON string or an Amazon S3 location.", "PipelineDescription": "The description of the pipeline.", "PipelineDisplayName": "The display name of the pipeline.", 
@@ -34680,19 +39183,23 @@ "MaxParallelExecutionSteps": "The max number of steps that can be executed in parallel." }, "AWS::SageMaker::Pipeline PipelineDefinition": { - "PipelineDefinitionBody": "", - "PipelineDefinitionS3Location": "" + "PipelineDefinitionBody": "The [JSON pipeline definition](https://docs.aws.amazon.com/https://aws-sagemaker-mlops.github.io/sagemaker-model-building-pipeline-definition-JSON-schema/) of the pipeline.", + "PipelineDefinitionS3Location": "The location of the pipeline definition stored in Amazon S3. If specified, SageMaker retrieves the pipeline definition from this location." }, "AWS::SageMaker::Pipeline S3Location": { - "Bucket": "", - "ETag": "", - "Key": "", - "Version": "" + "Bucket": "The name of the S3 bucket.", + "ETag": "A file checksum of the pipeline definition file.", + "Key": "The object key (or key name) which uniquely identifies the object in an S3 bucket.", + "Version": "The version ID of the pipeline definition file. If not specified, Amazon SageMaker will retrieve the latest version." + }, + "AWS::SageMaker::Pipeline Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." }, "AWS::SageMaker::Project": { "ProjectDescription": "The description of the project.", "ProjectName": "The name of the project.", - "ServiceCatalogProvisionedProductDetails": "", + "ServiceCatalogProvisionedProductDetails": "Details of a provisioned service catalog product. For information about service catalog, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", "ServiceCatalogProvisioningDetails": "The product ID and provisioning artifact ID to provision a service catalog. 
For information, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", "Tags": "A list of key-value pairs to apply to this resource.\n\nFor more information, see [Resource Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) and [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html#allocation-what) in the *AWS Billing and Cost Management User Guide* ." }, @@ -34710,6 +39217,10 @@ "ProvisioningArtifactId": "The ID of the provisioning artifact.", "ProvisioningParameters": "A list of key value pairs that you specify when you provision a product." }, + "AWS::SageMaker::Project Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Space": { "DomainId": "The ID of the associated Domain.", "SpaceName": "The name of the space.", @@ -34737,6 +39248,10 @@ "JupyterServerAppSettings": "The JupyterServer app settings.", "KernelGatewayAppSettings": "The KernelGateway app settings." }, + "AWS::SageMaker::Space Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::UserProfile": { "DomainId": "The domain ID.", "SingleSignOnUserIdentifier": "A specifier for the type of value specified in SingleSignOnUserValue. Currently, the only supported value is \"UserName\". If the Domain's AuthMode is IAM Identity Center , this field is required. If the Domain's AuthMode is not IAM Identity Center , this field cannot be specified.", 
@@ -34745,11 +39260,42 @@ "UserProfileName": "The user profile name.", "UserSettings": "A collection of settings that apply to users of Amazon SageMaker Studio." }, + "AWS::SageMaker::UserProfile CodeEditorAppSettings": { + "DefaultResourceSpec": "", + "LifecycleConfigArns": "The Amazon Resource Name (ARN) of the Code Editor application lifecycle configuration." + }, + "AWS::SageMaker::UserProfile CodeRepository": { + "RepositoryUrl": "The URL of the Git repository." + }, + "AWS::SageMaker::UserProfile CustomFileSystemConfig": { + "EFSFileSystemConfig": "The settings for a custom Amazon EFS file system." + }, "AWS::SageMaker::UserProfile CustomImage": { "AppImageConfigName": "The name of the AppImageConfig.", "ImageName": "The name of the CustomImage. Must be unique to your account.", "ImageVersionNumber": "The version number of the CustomImage." }, + "AWS::SageMaker::UserProfile CustomPosixUserConfig": { + "Gid": "The POSIX group ID.", + "Uid": "The POSIX user ID." + }, + "AWS::SageMaker::UserProfile DefaultEbsStorageSettings": { + "DefaultEbsVolumeSizeInGb": "The default size of the EBS storage volume for a private space.", + "MaximumEbsVolumeSizeInGb": "The maximum size of the EBS storage volume for a private space." + }, + "AWS::SageMaker::UserProfile DefaultSpaceStorageSettings": { + "DefaultEbsStorageSettings": "The default EBS storage settings for a private space." + }, + "AWS::SageMaker::UserProfile EFSFileSystemConfig": { + "FileSystemId": "The ID of your Amazon EFS file system.", + "FileSystemPath": "The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below." 
+ }, + "AWS::SageMaker::UserProfile JupyterLabAppSettings": { + "CodeRepositories": "A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterLab application.", + "CustomImages": "A list of custom SageMaker images that are configured to run as a JupyterLab app.", + "DefaultResourceSpec": "", + "LifecycleConfigArns": "The Amazon Resource Name (ARN) of the lifecycle configurations attached to the user profile or domain. To remove a lifecycle config, you must set `LifecycleConfigArns` to an empty list." + }, "AWS::SageMaker::UserProfile JupyterServerAppSettings": { "DefaultResourceSpec": "The default instance type and the Amazon Resource Name (ARN) of the default SageMaker image used by the JupyterServer app." }, 
@@ -34771,13 +39317,24 @@ "S3KmsKeyId": "When `NotebookOutputOption` is `Allowed` , the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket.", "S3OutputPath": "When `NotebookOutputOption` is `Allowed` , the Amazon S3 bucket used to store the shared notebook snapshots." }, + "AWS::SageMaker::UserProfile Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::UserProfile UserSettings": { + "CodeEditorAppSettings": "The Code Editor application settings.", + "CustomFileSystemConfigs": "The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio.", + "CustomPosixUserConfig": "Details about the POSIX identity that is used for file system operations.", + "DefaultLandingUri": "The default experience that the user is directed to when accessing the domain. The supported values are:\n\n- `studio::` : Indicates that Studio is the default experience. 
This value can only be passed if `StudioWebPortal` is set to `ENABLED` .\n- `app:JupyterServer:` : Indicates that Studio Classic is the default experience.", "ExecutionRole": "The execution role for the user.", + "JupyterLabAppSettings": "The settings for the JupyterLab application.", "JupyterServerAppSettings": "The Jupyter server's app settings.", "KernelGatewayAppSettings": "The kernel gateway app settings.", "RStudioServerProAppSettings": "A collection of settings that configure user interaction with the `RStudioServerPro` app.", - "SecurityGroups": "The security groups for the Amazon Virtual Private Cloud (VPC) that Studio uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", - "SharingSettings": "Specifies options for sharing SageMaker Studio notebooks." + "SecurityGroups": "The security groups for the Amazon Virtual Private Cloud (VPC) that the domain uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from Amazon SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", + "SharingSettings": "Specifies options for sharing Amazon SageMaker Studio notebooks.", + "SpaceStorageSettings": "The storage settings for a private space.", + "StudioWebPortal": "Whether the user can access Studio. 
If this value is set to `DISABLED` , the user cannot access Studio, even if that is the default experience for the domain." }, "AWS::SageMaker::Workteam": { "Description": "A description of the work team.", @@ -34802,6 +39359,10 @@ "AWS::SageMaker::Workteam OidcMemberDefinition": { "OidcGroups": "" }, + "AWS::SageMaker::Workteam Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::Scheduler::Schedule": { "Description": "The description you specify for the schedule.", "EndDate": "The date, in UTC, before which the schedule can invoke its target. Depending on the schedule's recurrence expression, invocations might stop on, or before, the `EndDate` you specify.\nEventBridge Scheduler ignores `EndDate` for one-time schedules.", @@ -34850,7 +39411,7 @@ }, "AWS::Scheduler::Schedule FlexibleTimeWindow": { "MaximumWindowInMinutes": "The maximum time window during which a schedule can be invoked.\n\n*Minimum* : `1`\n\n*Maximum* : `1440`", - "Mode": "Determines whether the schedule is invoked within a flexible time window.\n\n*Allowed Values* : `OFF` | `FLEXIBLE`" + "Mode": "Determines whether the schedule is invoked within a flexible time window. You must use quotation marks when you specify this value in your JSON or YAML template.\n\n*Allowed Values* : `\"OFF\"` | `\"FLEXIBLE\"`" }, "AWS::Scheduler::Schedule KinesisParameters": { "PartitionKey": "Specifies the shard to which EventBridge Scheduler sends the event. For more information, see [Amazon Kinesis Data Streams terminology and concepts](https://docs.aws.amazon.com/streams/latest/dev/key-concepts.html) in the *Amazon Kinesis Streams Developer Guide* ." 
@@ -34896,6 +39457,10 @@ "Name": "The name of the schedule group.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Scheduler::ScheduleGroup Tag": { + "Key": "The key for the tag.", + "Value": "The value for the tag." + }, "AWS::SecretsManager::ResourcePolicy": { "BlockPublicPolicy": "Specifies whether to block resource-based policies that allow broad access to the secret. By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard for the principal.", "ResourcePolicy": "A JSON-formatted string for an AWS resource-based policy. For example policies, see [Permissions policy examples](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html) .", 
@@ -34914,7 +39479,7 @@ "MasterSecretArn": "The ARN of the secret that contains superuser credentials, if you use the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) . CloudFormation grants the execution role for the Lambda rotation function `GetSecretValue` permission to the secret in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) .\n\nYou must create the superuser secret before you can set this property.\n\nYou must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see [JSON structure of Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html) .\n\nYou can specify `MasterSecretArn` or `SuperuserSecretArn` but not both. They represent the same superuser secret.", "MasterSecretKmsKeyArn": "The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key `aws/secretsmanager` . CloudFormation grants the execution role for the Lambda rotation function `Decrypt` , `DescribeKey` , and `GenerateDataKey` permission to the key in this property. 
For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) .\n\nYou can specify `MasterSecretKmsKeyArn` or `SuperuserSecretKmsKeyArn` but not both. They represent the same superuser secret KMS key .", "RotationLambdaName": "The name of the Lambda rotation function.", - "RotationType": "The rotation template to base the rotation function on, one of the following:\n\n- `MySQLSingleUser` to use the template [SecretsManagerRDSMySQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-singleuser) .\n- `MySQLMultiUser` to use the template [SecretsManagerRDSMySQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-multiuser) .\n- `PostgreSQLSingleUser` to use the template [SecretsManagerRDSPostgreSQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser)\n- `PostgreSQLMultiUser` to use the template [SecretsManagerRDSPostgreSQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-multiuser) .\n- `OracleSingleUser` to use the template [SecretsManagerRDSOracleRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-singleuser) .\n- `OracleMultiUser` to use the template [SecretsManagerRDSOracleRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-multiuser) .\n- `MariaDBSingleUser` to use the template 
[SecretsManagerRDSMariaDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-singleuser) .\n- `MariaDBMultiUser` to use the template [SecretsManagerRDSMariaDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-multiuser) .\n- `SQLServerSingleUser` to use the template [SecretsManagerRDSSQLServerRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-singleuser) .\n- `SQLServerMultiUser` to use the template [SecretsManagerRDSSQLServerRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-multiuser) .\n- `RedshiftSingleUser` to use the template [SecretsManagerRedshiftRotationSingleUsr](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-singleuser) .\n- `RedshiftMultiUser` to use the template [SecretsManagerRedshiftRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-multiuser) .\n- `MongoDBSingleUser` to use the template [SecretsManagerMongoDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-singleuser) .\n- `MongoDBMultiUser` to use the template [SecretsManagerMongoDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-multiuser) .", + "RotationType": "The rotation template to base the rotation function on, one of the following:\n\n- `Db2SingleUser` to use the template 
[SecretsManagerRDSDb2RotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-singleuser) .\n- `Db2MultiUser` to use the template [SecretsManagerRDSDb2RotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-multiuser) .\n- `MySQLSingleUser` to use the template [SecretsManagerRDSMySQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-singleuser) .\n- `MySQLMultiUser` to use the template [SecretsManagerRDSMySQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-multiuser) .\n- `PostgreSQLSingleUser` to use the template [SecretsManagerRDSPostgreSQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser)\n- `PostgreSQLMultiUser` to use the template [SecretsManagerRDSPostgreSQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-multiuser) .\n- `OracleSingleUser` to use the template [SecretsManagerRDSOracleRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-singleuser) .\n- `OracleMultiUser` to use the template [SecretsManagerRDSOracleRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-multiuser) .\n- `MariaDBSingleUser` to use the template [SecretsManagerRDSMariaDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-singleuser) .\n- `MariaDBMultiUser` to use the 
template [SecretsManagerRDSMariaDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-multiuser) .\n- `SQLServerSingleUser` to use the template [SecretsManagerRDSSQLServerRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-singleuser) .\n- `SQLServerMultiUser` to use the template [SecretsManagerRDSSQLServerRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-multiuser) .\n- `RedshiftSingleUser` to use the template [SecretsManagerRedshiftRotationSingleUsr](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-singleuser) .\n- `RedshiftMultiUser` to use the template [SecretsManagerRedshiftRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-multiuser) .\n- `MongoDBSingleUser` to use the template [SecretsManagerMongoDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-singleuser) .\n- `MongoDBMultiUser` to use the template [SecretsManagerMongoDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-multiuser) .", "Runtime": "By default, CloudFormation deploys Python 3.9 binaries for the rotation function. To use a different version of Python, you must do the following two steps:\n\n- Deploy the matching version Python binaries with your rotation function.\n- Set the version number in this field. For example, for Python 3.7, enter *python3.7*\n\nIf you only do one of the steps, your rotation function will be incompatible with the binaries. 
For more information, see [Why did my Lambda rotation function fail with a \"pg module not found\" error](https://docs.aws.amazon.com/https://repost.aws/knowledge-center/secrets-manager-lambda-rotation) .", "SuperuserSecretArn": "The ARN of the secret that contains superuser credentials, if you use the [Alternating users rotation strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) . CloudFormation grants the execution role for the Lambda rotation function `GetSecretValue` permission to the secret in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) .\n\nYou must create the superuser secret before you can set this property.\n\nYou must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see [JSON structure of Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html) .\n\nYou can specify `MasterSecretArn` or `SuperuserSecretArn` but not both. They represent the same superuser secret.", "SuperuserSecretKmsKeyArn": "The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the [alternating users strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users) and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key `aws/secretsmanager` . 
CloudFormation grants the execution role for the Lambda rotation function `Decrypt` , `DescribeKey` , and `GenerateDataKey` permission to the key in this property. For more information, see [Lambda rotation function execution role permissions for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html) .\n\nYou can specify `MasterSecretKmsKeyArn` or `SuperuserSecretKmsKeyArn` but not both. They represent the same superuser secret KMS key .", 
@@ -34933,7 +39498,7 @@ "Name": "The name of the new secret.\n\nThe secret name can contain ASCII letters, numbers, and the following characters: /_+=.@-\n\nDo not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.", "ReplicaRegions": "A custom type that specifies a `Region` and the `KmsKeyId` for a replica secret.", "SecretString": "The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use `GenerateSecretString` instead. If you omit both `GenerateSecretString` and `SecretString` , you create an empty secret. When you make a change to this property, a new secret version is created.", - "Tags": "A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:\n\n`[{\"Key\":\"CostCenter\",\"Value\":\"12345\"},{\"Key\":\"environment\",\"Value\":\"production\"}]`\n\nSecrets Manager tag key names are case sensitive. A tag with the key \"ABC\" is a different tag from one with key \"abc\".\n\nIf you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an `Access Denied` error. 
For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2) .\n\nFor information about how to format a JSON parameter for the various command line tool environments, see [Using JSON for Parameters](https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json) . If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.\n\nThe following restrictions apply to tags:\n\n- Maximum number of tags per secret: 50\n- Maximum key length: 127 Unicode characters in UTF-8\n- Maximum value length: 255 Unicode characters in UTF-8\n- Tag keys and values are case sensitive.\n- Do not use the `aws:` prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.\n- If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @." + "Tags": "A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:\n\n`[{\"Key\":\"CostCenter\",\"Value\":\"12345\"},{\"Key\":\"environment\",\"Value\":\"production\"}]`\n\nSecrets Manager tag key names are case sensitive. 
A tag with the key \"ABC\" is a different tag from one with key \"abc\".\n\nStack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret.\n\nIf you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an `Access Denied` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2) .\n\nFor information about how to format a JSON parameter for the various command line tool environments, see [Using JSON for Parameters](https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json) . If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.\n\nThe following restrictions apply to tags:\n\n- Maximum number of tags per secret: 50\n- Maximum key length: 127 Unicode characters in UTF-8\n- Maximum value length: 255 Unicode characters in UTF-8\n- Tag keys and values are case sensitive.\n- Do not use the `aws:` prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.\n- If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @." 
}, "AWS::SecretsManager::Secret GenerateSecretString": { "ExcludeCharacters": "A string of the characters that you don't want in the password.", @@ -34949,7 +39514,11 @@ }, "AWS::SecretsManager::Secret ReplicaRegion": { "KmsKeyId": "The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses `aws/secretsmanager` .", - "Region": "(Optional) A string that represents a `Region` , for example \"us-east-1\"." + "Region": "A string that represents a `Region` , for example \"us-east-1\"." + }, + "AWS::SecretsManager::Secret Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value associated with the key of the tag." }, "AWS::SecretsManager::SecretTargetAttachment": { "SecretId": "The ARN or name of the secret. To reference a secret also created in this template, use the see [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID.", 
@@ -34957,14 +39526,14 @@ "TargetType": "A string that defines the type of service or database associated with the secret. This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following:\n\n- AWS::RDS::DBInstance\n- AWS::RDS::DBCluster\n- AWS::Redshift::Cluster\n- AWS::DocDB::DBInstance\n- AWS::DocDB::DBCluster" }, "AWS::SecurityHub::AutomationRule": { - "Actions": "One or more actions to update finding fields if a finding matches the defined criteria of the rule.", - "Criteria": "A set of [AWS Security Finding Format](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.", + "Actions": "One or more actions to update finding fields if a finding matches the conditions specified in `Criteria` .", + "Criteria": "A set of [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding.", "Description": "A description of the rule.", - "IsTerminal": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to `true` for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. 
The default value of this field is `false` .", + "IsTerminal": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.", "RuleName": "The name of the rule.", "RuleOrder": "An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.", "RuleStatus": "Whether the rule is active after it is created. If this parameter is equal to `ENABLED` , Security Hub applies the rule to findings and finding updates after the rule is created.", - "Tags": "User-defined tags that help you label the purpose of a rule." + "Tags": "User-defined tags associated with an automation rule." }, "AWS::SecurityHub::AutomationRule AutomationRulesAction": { "FindingFieldsUpdate": "Specifies that the automation rule action is an update to a finding field.", 
@@ -34982,41 +39551,41 @@ "Workflow": "The rule action will update the `Workflow` field of a finding." }, "AWS::SecurityHub::AutomationRule AutomationRulesFindingFilters": { - "AwsAccountId": "The AWS account ID in which a finding was generated.", - "CompanyName": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .", - "ComplianceAssociatedStandardsId": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.", - "ComplianceSecurityControlId": "The security control ID for which a finding was generated. Security control IDs are the same across standards.", - "ComplianceStatus": "The result of a security check. This field is only used for findings generated from controls.", - "Confidence": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .", - "CreatedAt": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. 
For example, `2020-03-22T13:22:13.933Z` .", - "Criticality": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .", - "Description": "A finding's description.", - "FirstObservedAt": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", - "GeneratorId": "The identifier for the solution-specific component that generated a finding.", - "Id": "The product-specific identifier for a finding.", - "LastObservedAt": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", - "NoteText": "The text of a user-defined note that's added to a finding.", - "NoteUpdatedAt": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. 
For example, `2020-03-22T13:22:13.933Z` .", - "NoteUpdatedBy": "The principal that created a note.", - "ProductArn": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.", - "ProductName": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.", - "RecordState": "Provides the current state of a finding.", - "RelatedFindingsId": "The product-generated identifier for a related finding.", - "RelatedFindingsProductArn": "The ARN for the product that generated a related finding.", - "ResourceDetailsOther": "Custom fields and values about the resource that a finding pertains to.", - "ResourceId": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.", - "ResourcePartition": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.", - "ResourceRegion": "The AWS Region where the resource that a finding pertains to is located.", - "ResourceTags": "A list of AWS tags associated with a resource at the time the finding was processed.", - "ResourceType": "A finding's title.", - "SeverityLabel": "The severity value of the finding.", - "SourceUrl": "Provides a URL that links to a page about the current finding in the finding product.", - "Title": "A finding's title.", - "Type": "One or more finding types in the format of namespace/category/classifier that classify a finding. 
For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .", - "UpdatedAt": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", - "UserDefinedFields": "A list of user-defined name and value string pairs added to a finding.", - "VerificationState": "Provides the veracity of a finding.", - "WorkflowStatus": "Provides information about the status of the investigation into a finding." + "AwsAccountId": "The AWS account ID in which a finding was generated.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "CompanyName": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ComplianceAssociatedStandardsId": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ComplianceSecurityControlId": "The security control ID for which a finding was generated. Security control IDs are the same across standards.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ComplianceStatus": "The result of a security check. This field is only used for findings generated from controls.\n\nArray Members: Minimum number of 1 item. 
Maximum number of 20 items.", + "Confidence": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "CreatedAt": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "Criticality": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "Description": "A finding's description.\n\nArray Members: Minimum number of 1 item. 
Maximum number of 20 items.", + "FirstObservedAt": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "GeneratorId": "The identifier for the solution-specific component that generated a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "Id": "The product-specific identifier for a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "LastObservedAt": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "NoteText": "The text of a user-defined note that's added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "NoteUpdatedAt": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "NoteUpdatedBy": "The principal that created a note.\n\nArray Members: Minimum number of 1 item. 
Maximum number of 20 items.", + "ProductArn": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ProductName": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "RecordState": "Provides the current state of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "RelatedFindingsId": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "RelatedFindingsProductArn": "The ARN for the product that generated a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ResourceDetailsOther": "Custom fields and values about the resource that a finding pertains to.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ResourceId": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "ResourcePartition": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ResourceRegion": "The AWS Region where the resource that a finding pertains to is located.\n\nArray Members: Minimum number of 1 item. 
Maximum number of 20 items.", + "ResourceTags": "A list of AWS tags associated with a resource at the time the finding was processed.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ResourceType": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "SeverityLabel": "The severity value of the finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "SourceUrl": "Provides a URL that links to a page about the current finding in the finding product.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "Title": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "Type": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "UpdatedAt": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "UserDefinedFields": "A list of user-defined name and value string pairs added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "VerificationState": "Provides the veracity of a finding.\n\nArray Members: Minimum number of 1 item. 
Maximum number of 20 items.", + "WorkflowStatus": "Provides information about the status of the investigation into a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items." }, "AWS::SecurityHub::AutomationRule DateFilter": { "DateRange": "A date range for the date filter.", 
@@ -35028,9 +39597,9 @@ "Value": "A date range value for the date filter." }, "AWS::SecurityHub::AutomationRule MapFilter": { - "Comparison": "The condition to apply to the key value when querying for findings with a map filter.\n\nTo search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the tag `Department` .\n\nTo search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that do not have the value `Finance` for the tag `Department` .\n\n`EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\n`NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nYou cannot have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field.", + "Comparison": "The condition to apply to the key value when filtering Security Hub findings with a map filter.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag.\n\n`CONTAINS` and `EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. 
For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security` , `Finance` , or both values.\n\nTo search for values that don't have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don\u2019t have the value `Finance` for the `Department` tag.\n\n`NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values.\n\n`CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can\u2019t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error.\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "Key": "The key of the map filter. For example, for `ResourceTags` , `Key` identifies the name of the tag. For `UserDefinedFields` , `Key` is the name of the field.", - "Value": "The value for the key in the map filter. Filter values are case sensitive. 
For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there is no match." + "Value": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there's no match." }, "AWS::SecurityHub::AutomationRule NoteUpdate": { "Text": "The updated note text.", @@ -35042,7 +39611,7 @@ "Lte": "The less-than-equal condition to be applied to a single field when querying for findings." }, "AWS::SecurityHub::AutomationRule RelatedFinding": { - "Id": "The product-generated identifier for a related finding.", + "Id": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "ProductArn": "The Amazon Resource Name (ARN) for the product that generated a related finding." }, "AWS::SecurityHub::AutomationRule SeverityUpdate": { 
@@ -35051,8 +39620,8 @@ "Product": "The native severity as defined by the AWS service or integrated partner product that generated the finding." }, "AWS::SecurityHub::AutomationRule StringFilter": { - "Comparison": "The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that exactly match the filter value, use `EQUALS` .\n\nFor example, the filter `ResourceType EQUALS AwsEc2SecurityGroup` only matches findings that have a resource type of `AwsEc2SecurityGroup` .\n- To search for values that start with the filter value, use `PREFIX` .\n\nFor example, the filter `ResourceType PREFIX AwsIam` matches findings that have a resource type that starts with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all match.\n\n`EQUALS` and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\nTo search for values that do not contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that do not exactly match the filter value, use `NOT_EQUALS` .\n\nFor example, the filter `ResourceType NOT_EQUALS AwsIamPolicy` matches findings that have a resource type other than `AwsIamPolicy` .\n- To search for values that do not start with the filter value, use `PREFIX_NOT_EQUALS` .\n\nFor example, the filter `ResourceType PREFIX_NOT_EQUALS AwsIam` matches findings that have a resource type that does not start with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all be excluded from the results.\n\n`NOT_EQUALS` and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . 
A finding matches only if it matches all of those filters.\n\nFor filters on the same field, you cannot provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filter, Security Hub first identifies findings that have resource types that start with either `AwsIAM` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`", - "Value": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter text, then there is no match." + "Comparison": "The condition to apply to a string value when filtering Security Hub findings.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012` .\n- To search for values that start with the filter value, use `PREFIX` . For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us` . 
A `ResourceRegion` that starts with a different value, such as `af` , `ap` , or `ca` , doesn't match.\n\n`CONTAINS` , `EQUALS` , and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront` , `CloudWatch` , or both strings in the title.\n\nTo search for values that don\u2019t have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012` .\n- To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS` . For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us` .\n\n`NOT_CONTAINS` , `NOT_EQUALS` , and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. 
`NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filters, Security Hub first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", + "Value": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there's no match." }, "AWS::SecurityHub::AutomationRule WorkflowUpdate": { "Status": "The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. 
For example, setting the workflow status to `SUPPRESSED` or `RESOLVED` does not prevent a new finding for the same issue.\n\nThe allowed values are the following.\n\n- `NEW` - The initial state of a finding, before it is reviewed.\n\nSecurity Hub also resets `WorkFlowStatus` from `NOTIFIED` or `RESOLVED` to `NEW` in the following cases:\n\n- The record state changes from `ARCHIVED` to `ACTIVE` .\n- The compliance status changes from `PASSED` to either `WARNING` , `FAILED` , or `NOT_AVAILABLE` .\n- `NOTIFIED` - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.\n- `RESOLVED` - The finding was reviewed and remediated and is now considered resolved.\n- `SUPPRESSED` - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated." @@ -35064,7 +39633,7 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SecurityHub::Standard": { - "DisabledStandardsControls": "Specifies which controls are to be disabled in a standard.", + "DisabledStandardsControls": "Specifies which controls are to be disabled in a standard.\n\n*Maximum* : `100`", "StandardsArn": "The ARN of the standard that you want to enable. To view a list of available Security Hub standards and their ARNs, use the [`DescribeStandards`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation." }, "AWS::SecurityHub::Standard StandardsControl": { 
@@ -35104,12 +39673,16 @@ "DisableTemplateValidation": "If set to true, AWS Service Catalog stops validating the specified provisioning artifact even if it is invalid.", "Info": "Specify the template source with one of the following options, but not both. Keys accepted: [ `LoadTemplateFromURL` , `ImportFromPhysicalId` ]\n\nThe URL of the AWS CloudFormation template in Amazon S3 in JSON format. Specify the URL in JSON format as follows:\n\n`\"LoadTemplateFromURL\": \"https://s3.amazonaws.com/cf-templates-ozkq9d3hgiq2-us-east-1/...\"`\n\n`ImportFromPhysicalId` : The physical id of the resource that contains the template. Currently only supports AWS CloudFormation stack arn. Specify the physical id in JSON format as follows: `ImportFromPhysicalId: \u201carn:aws:cloudformation:[us-east-1]:[accountId]:stack/[StackName]/[resourceId]`", "Name": "The name of the provisioning artifact (for example, v1 v2beta). No spaces are allowed.", - "Type": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `MARKETPLACE_AMI` - AWS Marketplace AMI\n- `MARKETPLACE_CAR` - AWS Marketplace Clusters and AWS Resources\n- `TERRAFORM_OPEN_SOURCE` - Terraform open source configuration file" + "Type": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `TERRAFORM_OPEN_SOURCE` - Terraform Open Source configuration file\n- `TERRAFORM_CLOUD` - Terraform Cloud configuration file\n- `EXTERNAL` - External configuration file" }, "AWS::ServiceCatalog::CloudFormationProduct SourceConnection": { "ConnectionParameters": "The connection details based on the connection `Type` .", "Type": "The only supported `SourceConnection` type is Codestar." }, + "AWS::ServiceCatalog::CloudFormationProduct Tag": { + "Key": "The tag key.", + "Value": "The value for this key." 
+ }, "AWS::ServiceCatalog::CloudFormationProvisionedProduct": { "AcceptLanguage": "The language code.\n\n- `jp` - Japanese\n- `zh` - Chinese", "NotificationArns": "Passed to AWS CloudFormation . The SNS topic ARNs to which to publish stack-related events.", @@ -35137,6 +39710,10 @@ "StackSetOperationType": "Determines what action AWS Service Catalog performs to a stack set or a stack instance represented by the provisioned product. The default value is `UPDATE` if nothing is specified.\n\nApplicable only to a `CFN_STACKSET` provisioned product type.\n\n- **CREATE** - Creates a new stack instance in the stack set represented by the provisioned product. In this case, only new stack instances are created based on accounts and Regions; if new ProductId or ProvisioningArtifactID are passed, they will be ignored.\n- **UPDATE** - Updates the stack set represented by the provisioned product and also its stack instances.\n- **DELETE** - Deletes a stack instance in the stack set represented by the provisioned product.", "StackSetRegions": "One or more AWS Regions where the provisioned product will be available.\n\nApplicable only to a `CFN_STACKSET` provisioned product type.\n\nThe specified Regions should be within the list of Regions from the `STACKSET` constraint. To get the list of Regions in the `STACKSET` constraint, use the `DescribeProvisioningParameters` operation.\n\nIf no values are specified, the default value is all Regions from the `STACKSET` constraint." }, + "AWS::ServiceCatalog::CloudFormationProvisionedProduct Tag": { + "Key": "The tag key.", + "Value": "The value for this key." + }, "AWS::ServiceCatalog::LaunchNotificationConstraint": { "AcceptLanguage": "The language code.\n\n- `jp` - Japanese\n- `zh` - Chinese", "Description": "The description of the constraint.", 
@@ -35166,11 +39743,15 @@ "ProviderName": "The name of the portfolio provider.", "Tags": "One or more tags." }, + "AWS::ServiceCatalog::Portfolio Tag": { + "Key": "The tag key.", + "Value": "The value for this key." + }, "AWS::ServiceCatalog::PortfolioPrincipalAssociation": { "AcceptLanguage": "The language code.\n\n- `jp` - Japanese\n- `zh` - Chinese", "PortfolioId": "The portfolio identifier.", "PrincipalARN": "The ARN of the principal ( IAM user, role, or group).", - "PrincipalType": "The principal type. The supported value is `IAM` .\n\n*Allowed Values* : `IAM`" + "PrincipalType": "The principal type. The supported values are `IAM` and `IAM_PATTERN` ." }, "AWS::ServiceCatalog::PortfolioProductAssociation": { "AcceptLanguage": "The language code.\n\n- `jp` - Japanese\n- `zh` - Chinese", 
@@ -35252,9 +39833,12 @@ "Name": "The name that you want to assign to this namespace.", "Tags": "The tags for the namespace. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters." }, + "AWS::ServiceDiscovery::HttpNamespace Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::ServiceDiscovery::Instance": { "InstanceAttributes": "A string map that contains the following information for the service that you specify in `ServiceId` :\n\n- The attributes that apply to the records that are defined in the service.\n- For each attribute, the applicable value.\n\nSupported attribute keys include the following:\n\n- **AWS_ALIAS_DNS_NAME** - If you want AWS Cloud Map to create a Route\u00a053 alias record that routes traffic to an Elastic Load Balancing load balancer, specify the DNS name that is associated with the load balancer. 
For information about how to get the DNS name, see [AliasTarget->DNSName](https://docs.aws.amazon.com/Route53/latest/APIReference/API_AliasTarget.html#Route53-Type-AliasTarget-DNSName) in the *Route\u00a053 API Reference* .\n\nNote the following:\n\n- The configuration for the service that is specified by `ServiceId` must include settings for an `A` record, an `AAAA` record, or both.\n- In the service that is specified by `ServiceId` , the value of `RoutingPolicy` must be `WEIGHTED` .\n- If the service that is specified by `ServiceId` includes `HealthCheckConfig` settings, AWS Cloud Map will create the health check, but it won't associate the health check with the alias record.\n- Auto naming currently doesn't support creating alias records that route traffic to AWS resources other than ELB load balancers.\n- If you specify a value for `AWS_ALIAS_DNS_NAME` , don't specify values for any of the `AWS_INSTANCE` attributes.\n- **AWS_EC2_INSTANCE_ID** - *HTTP namespaces only.* The Amazon EC2 instance ID for the instance. The `AWS_INSTANCE_IPV4` attribute contains the primary private IPv4 address. When creating resources with a type of [AWS::ServiceDiscovery::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicediscovery-instance.html) , if the `AWS_EC2_INSTANCE_ID` attribute is specified, the only other attribute that can be specified is `AWS_INIT_HEALTH_STATUS` . After the resource has been created, the `AWS_INSTANCE_IPV4` attribute contains the primary private IPv4 address.\n- **AWS_INIT_HEALTH_STATUS** - If the service configuration includes `HealthCheckCustomConfig` , when creating resources with a type of [AWS::ServiceDiscovery::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicediscovery-instance.html) you can optionally use `AWS_INIT_HEALTH_STATUS` to specify the initial status of the custom health check, `HEALTHY` or `UNHEALTHY` . 
If you don't specify a value for `AWS_INIT_HEALTH_STATUS` , the initial status is `HEALTHY` . This attribute can only be used when creating resources and will not be seen on existing resources.\n- **AWS_INSTANCE_CNAME** - If the service configuration includes a `CNAME` record, the domain name that you want Route\u00a053 to return in response to DNS queries, for example, `example.com` .\n\nThis value is required if the service specified by `ServiceId` includes settings for an `CNAME` record.\n- **AWS_INSTANCE_IPV4** - If the service configuration includes an `A` record, the IPv4 address that you want Route\u00a053 to return in response to DNS queries, for example, `192.0.2.44` .\n\nThis value is required if the service specified by `ServiceId` includes settings for an `A` record. If the service includes settings for an `SRV` record, you must specify a value for `AWS_INSTANCE_IPV4` , `AWS_INSTANCE_IPV6` , or both.\n- **AWS_INSTANCE_IPV6** - If the service configuration includes an `AAAA` record, the IPv6 address that you want Route\u00a053 to return in response to DNS queries, for example, `2001:0db8:85a3:0000:0000:abcd:0001:2345` .\n\nThis value is required if the service specified by `ServiceId` includes settings for an `AAAA` record. If the service includes settings for an `SRV` record, you must specify a value for `AWS_INSTANCE_IPV4` , `AWS_INSTANCE_IPV6` , or both.\n- **AWS_INSTANCE_PORT** - If the service includes an `SRV` record, the value that you want Route\u00a053 to return for the port.\n\nIf the service includes `HealthCheckConfig` , the port on the endpoint that you want Route\u00a053 to send requests to.\n\nThis value is required if you specified settings for an `SRV` record or a Route\u00a053 health check when you created the service.", - "InstanceId": "An identifier that you want to associate with the instance. 
Note the following:\n\n- If the service that's specified by `ServiceId` includes settings for an `SRV` record, the value of `InstanceId` is automatically included as part of the value for the `SRV` record. For more information, see [DnsRecord > Type](https://docs.aws.amazon.com/cloud-map/latest/api/API_DnsRecord.html#cloudmap-Type-DnsRecord-Type) .\n- You can use this value to update an existing instance.\n- To register a new instance, you must specify a value that's unique among instances that you register by using the same service.\n- If you specify an existing `InstanceId` and `ServiceId` , AWS Cloud Map updates the existing DNS records, if any. If there's also an existing health check, AWS Cloud Map deletes the old health check and creates a new one.\n\n> The health check isn't deleted immediately, so it will still appear for a while if you submit a `ListHealthChecks` request, for example.\n\n> Do not include sensitive information in `InstanceId` if the namespace is discoverable by public DNS queries and any `Type` member of `DnsRecord` for the service contains `SRV` because the `InstanceId` is discoverable by public DNS queries.", "ServiceId": "The ID of the service that you want to use for settings for the instance." }, "AWS::ServiceDiscovery::PrivateDnsNamespace": { @@ -35273,6 +39857,10 @@ "AWS::ServiceDiscovery::PrivateDnsNamespace SOA": { "TTL": "The time to live (TTL) for purposes of negative caching." }, + "AWS::ServiceDiscovery::PrivateDnsNamespace Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::ServiceDiscovery::PublicDnsNamespace": { "Description": "A description for the namespace.", "Name": "The name that you want to assign to this namespace.\n\n> Do not include sensitive information in the name. The name is publicly available using DNS queries.", 
@@ -35288,6 +39876,10 @@ "AWS::ServiceDiscovery::PublicDnsNamespace SOA": { "TTL": "The time to live (TTL) for purposes of negative caching." }, + "AWS::ServiceDiscovery::PublicDnsNamespace Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::ServiceDiscovery::Service": { "Description": "The description of the service.", "DnsConfig": "A complex type that contains information about the Route\u00a053 DNS records that you want AWS Cloud Map to create when you register an instance.\n\n> The record types of a service can only be changed by deleting the service and recreating it with a new `Dnsconfig` .", 
@@ -35315,6 +39907,10 @@ "AWS::ServiceDiscovery::Service HealthCheckCustomConfig": { "FailureThreshold": "> This parameter is no longer supported and is always set to 1. AWS Cloud Map waits for approximately 30 seconds after receiving an `UpdateInstanceCustomHealthStatus` request before changing the status of the service instance. \n\nThe number of 30-second intervals that you want AWS Cloud Map to wait after receiving an `UpdateInstanceCustomHealthStatus` request before it changes the health status of a service instance.\n\nSending a second or subsequent `UpdateInstanceCustomHealthStatus` request with the same value before 30 seconds has passed doesn't accelerate the change. AWS Cloud Map still waits `30` seconds after the first request to make the change." }, + "AWS::ServiceDiscovery::Service Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::Shield::DRTAccess": { "LogBucketList": "Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources. You can associate up to 10 Amazon S3 buckets with your subscription.\n\nUse this to share information with the SRT that's not available in AWS WAF logs.\n\nTo use the services of the SRT, you must be subscribed to the [Business Support plan](https://docs.aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://docs.aws.amazon.com/premiumsupport/enterprise-support/) .", "RoleArn": "Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. 
This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs.\n\nYou can associate only one `RoleArn` with your subscription. If you submit this update for an account that already has an associated role, the new `RoleArn` will replace the existing `RoleArn` .\n\nThis change requires the following:\n\n- You must be subscribed to the [Business Support plan](https://docs.aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://docs.aws.amazon.com/premiumsupport/enterprise-support/) .\n- You must have the `iam:PassRole` permission. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) .\n- The `AWSShieldDRTAccessPolicy` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at [AWSShieldDRTAccessPolicy](https://docs.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy) . For information, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) .\n- The role must trust the service principal `drt.shield.amazonaws.com` . For information, see [IAM JSON policy elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) .\n\nThe SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you." 
@@ -35329,7 +39925,7 @@ "PhoneNumber": "The phone number for the contact." }, "AWS::Shield::Protection": { - "ApplicationLayerAutomaticResponseConfiguration": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.", + "ApplicationLayerAutomaticResponseConfiguration": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.\n\nIf you use AWS CloudFormation to manage the web ACLs that you use with Shield Advanced automatic mitigation, see the additional guidance about web ACL management in the `AWS::WAFv2::WebACL` resource description.", "HealthCheckArns": "The ARN (Amazon Resource Name) of the health check to associate with the protection. Health-based detection provides improved responsiveness and accuracy in attack detection and mitigation.\n\nYou can use this option with any resource type except for Route\u00a053 hosted zones.\n\nFor more information, see [Configuring health-based detection using health checks](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-health-checks.html) in the *AWS Shield Advanced Developer Guide* .", "Name": "The name of the protection. For example, `My CloudFront distributions` .\n\n> If you change the name of an existing protection, Shield Advanced deletes the protection and replaces it with a new one. While this is happening, the protection isn't available on the AWS resource.", "ResourceArn": "The ARN (Amazon Resource Name) of the AWS resource that is protected.", 
@@ -35343,6 +39939,10 @@ "Action": "Specifies the action setting that Shield Advanced should use in the AWS WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the AWS WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource.", "Status": "Indicates whether automatic application layer DDoS mitigation is enabled for the protection." }, + "AWS::Shield::Protection Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::Shield::ProtectionGroup": { "Aggregation": "Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events.\n\n- Sum - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically.\n- Mean - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers.\n- Max - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.", "Members": "The ARNs (Amazon Resource Names) of the resources to include in the protection group. 
You must set this when you set `Pattern` to `ARBITRARY` and you must not set it for any other `Pattern` setting.", @@ -35351,6 +39951,10 @@ "ResourceType": "The resource type to include in the protection group. All protected resources of this type are included in the protection group. You must set this when you set `Pattern` to `BY_RESOURCE_TYPE` and you must not set it for any other `Pattern` setting.", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource." }, + "AWS::Shield::ProtectionGroup Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::Signer::ProfilePermission": { "Action": "The AWS Signer action permitted as part of cross-account permissions.", "Principal": "The AWS principal receiving cross-account permissions. This may be an IAM role or another AWS account ID.", 
@@ -35367,6 +39971,10 @@ "Type": "The time unit for signature validity: DAYS | MONTHS | YEARS.", "Value": "The numerical value of the time unit for signature validity." }, + "AWS::Signer::SigningProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::SimSpaceWeaver::Simulation": { "MaximumDuration": "The maximum running time of the simulation, specified as a number of minutes (m or M), hours (h or H), or days (d or D). The simulation stops when it reaches this limit. The maximum value is `14D` , or its equivalent in the other units. The default value is `14D` . A value equivalent to `0` makes the simulation immediately transition to `STOPPING` as soon as it reaches `STARTED` .", "Name": "The name of the simulation.", 
@@ -35422,7 +40030,7 @@ "Enabled": "When set to `true` , X-Ray tracing is enabled." }, "AWS::StepFunctions::StateMachineAlias": { - "DeploymentPreference": "The settings that enable gradual state machine deployments. These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. 
\n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "DeploymentPreference": "The settings that enable gradual state machine deployments. 
These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. \n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. 
This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "Description": "An optional description of the state machine alias.", "Name": "The name of the state machine alias. If you don't provide a name, it uses an automatically generated name based on the logical ID.", "RoutingConfiguration": "The routing configuration of an alias. Routing configuration splits [StartExecution](https://docs.aws.amazon.com/step-functions/latest/apireference/API_StartExecution.html) requests between one or two versions of the same state machine.\n\nUse `RoutingConfiguration` if you want to explicitly set the alias [weights](https://docs.aws.amazon.com/step-functions/latest/apireference/API_RoutingConfigurationListItem.html#StepFunctions-Type-RoutingConfigurationListItem-weight) . Weight is the percentage of traffic you want to route to a state machine version.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties." 
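Review bot: The `CANARY` bullet in the new `DeploymentPreference` text still reads `before a specified time interval in seconds gets over`, while the `LINEAR` bullet in the same string was changed to minutes and the `Interval` property is described as `The time in minutes between each traffic shifting increment.` The same leftover sits in the `Type` description in the next hunk. Someone sizing the alarm-watch window before the remaining traffic shifts would be off by a factor of 60, so the bullet should read `before a specified time interval in minutes gets over`. If this file is generated from the upstream CloudFormation documentation, the correction belongs in that source rather than here.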
@@ -35432,7 +40040,7 @@ "Interval": "The time in minutes between each traffic shifting increment.", "Percentage": "The percentage of traffic to shift to the new version in each increment.", "StateMachineVersionArn": "The Amazon Resource Name (ARN) of the [`AWS::StepFunctions::StateMachineVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachineversion.html) resource that will be the final version to which the alias points to when the traffic shifting is complete.\n\nWhile performing gradual deployments, you can only provide a single state machine version ARN. To explicitly set version weights in a CloudFormation template, use `RoutingConfiguration` instead.", - "Type": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval." + "Type": "The type of deployment you want to perform. 
You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval." }, "AWS::StepFunctions::StateMachineAlias RoutingConfigurationVersion": { "StateMachineVersionArn": "The Amazon Resource Name (ARN) that identifies one or two state machine versions defined in the routing configuration.\n\nIf you specify the ARN of a second version, it must belong to the same state machine as the first version.", 
@@ -35505,6 +40113,10 @@ "DurationInSeconds": "How long, in seconds, for the canary to continue making regular runs according to the schedule in the `Expression` value. If you specify 0, the canary continues making runs until you stop it. If you omit this field, the default of 0 is used.", "Expression": "A `rate` expression or a `cron` expression that defines how often the canary is to run.\n\nFor a rate expression, The syntax is `rate( *number unit* )` . *unit* can be `minute` , `minutes` , or `hour` .\n\nFor example, `rate(1 minute)` runs the canary once a minute, `rate(10 minutes)` runs it once every 10 minutes, and `rate(1 hour)` runs it once every hour. You can specify a frequency between `rate(1 minute)` and `rate(1 hour)` .\n\nSpecifying `rate(0 minute)` or `rate(0 hour)` is a special value that causes the canary to run only once when it is started.\n\nUse `cron( *expression* )` to specify a cron expression. You can't schedule a canary to wait for more than a year before running. For information about the syntax for cron expressions, see [Scheduling canary runs using cron](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_cron.html) ." }, + "AWS::Synthetics::Canary Tag": { + "Key": "", + "Value": "" + }, "AWS::Synthetics::Canary VPCConfig": { "SecurityGroupIds": "The IDs of the security groups for this canary.", "SubnetIds": "The IDs of the subnets where this canary is to run.", @@ -35519,6 +40131,10 @@ "ResourceArns": "The ARNs of the canaries that you want to associate with this group.", "Tags": "The list of key-value pairs that are associated with the group." }, + "AWS::Synthetics::Group Tag": { + "Key": "", + "Value": "" + }, "AWS::SystemsManagerSAP::Application": { "ApplicationId": "The ID of the application.", "ApplicationType": "The type of the application.", 
@@ -35533,11 +40149,19 @@ "DatabaseName": "The name of the SAP HANA database.", "SecretId": "The secret ID created in AWS Secrets Manager to store the credentials of the SAP application." }, + "AWS::SystemsManagerSAP::Application Tag": { + "Key": "", + "Value": "" + }, "AWS::Timestream::Database": { "DatabaseName": "The name of the Timestream database.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", "KmsKeyId": "The identifier of the AWS KMS key used to encrypt the data stored in the database.", "Tags": "The tags to add to the database." }, + "AWS::Timestream::Database Tag": { + "Key": "The key of the tag. Tag keys are case sensitive.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::Timestream::ScheduledQuery": { "ClientToken": "Using a ClientToken makes the call to CreateScheduledQuery idempotent, in other words, making the same request repeatedly will produce the same result. Making multiple identical CreateScheduledQuery requests has the same effect as making a single request.\n\n- If CreateScheduledQuery is called without a `ClientToken` , the Query SDK generates a `ClientToken` on your behalf.\n- After 8 hours, any request with the same `ClientToken` is treated as a new request.", "ErrorReportConfiguration": "Configuration for error reporting. Error reports will be generated when a problem is encountered when writing the query results.", @@ -35587,6 +40211,10 @@ "AWS::Timestream::ScheduledQuery SnsConfiguration": { "TopicArn": "SNS topic ARN that the scheduled query status notifications will be sent to." }, + "AWS::Timestream::ScheduledQuery Tag": { + "Key": "The key of the tag. Tag keys are case sensitive.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::Timestream::ScheduledQuery TargetConfiguration": { "TimestreamConfiguration": "Configuration needed to write data into the Timestream database and table." }, 
@@ -35603,6 +40231,7 @@ "DatabaseName": "The name of the Timestream database that contains this table.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", "MagneticStoreWriteProperties": "Contains properties to set on the table when enabling magnetic store writes.\n\nThis object has the following attributes:\n\n- *EnableMagneticStoreWrites* : A `boolean` flag to enable magnetic store writes.\n- *MagneticStoreRejectedDataLocation* : The location to write error reports for records rejected, asynchronously, during magnetic store writes. Only `S3Configuration` objects are allowed. The `S3Configuration` object has the following attributes:\n\n- *BucketName* : The name of the S3 bucket.\n- *EncryptionOption* : The encryption option for the S3 location. Valid values are S3 server-side encryption with an S3 managed key ( `SSE_S3` ) or AWS managed key ( `SSE_KMS` ).\n- *KmsKeyId* : The AWS KMS key ID to use when encrypting with an AWS managed key.\n- *ObjectKeyPrefix* : The prefix to use option for the objects stored in S3.\n\nBoth `BucketName` and `EncryptionOption` are *required* when `S3Configuration` is specified. If you specify `SSE_KMS` as your `EncryptionOption` then `KmsKeyId` is *required* .\n\n`EnableMagneticStoreWrites` attribute is *required* when `MagneticStoreWriteProperties` is specified. 
`MagneticStoreRejectedDataLocation` attribute is *required* when `EnableMagneticStoreWrites` is set to `true` .\n\nSee the following examples:\n\n*JSON*\n\n```json\n{ \"Type\" : AWS::Timestream::Table\", \"Properties\":{ \"DatabaseName\":\"TestDatabase\", \"TableName\":\"TestTable\", \"MagneticStoreWriteProperties\":{ \"EnableMagneticStoreWrites\":true, \"MagneticStoreRejectedDataLocation\":{ \"S3Configuration\":{ \"BucketName\":\"testbucket\", \"EncryptionOption\":\"SSE_KMS\", \"KmsKeyId\":\"1234abcd-12ab-34cd-56ef-1234567890ab\", \"ObjectKeyPrefix\":\"prefix\" } } } }\n}\n```\n\n*YAML*\n\n```\nType: AWS::Timestream::Table\nDependsOn: TestDatabase\nProperties: TableName: \"TestTable\" DatabaseName: \"TestDatabase\" MagneticStoreWriteProperties: EnableMagneticStoreWrites: true MagneticStoreRejectedDataLocation: S3Configuration: BucketName: \"testbucket\" EncryptionOption: \"SSE_KMS\" KmsKeyId: \"1234abcd-12ab-34cd-56ef-1234567890ab\" ObjectKeyPrefix: \"prefix\"\n```", "RetentionProperties": "The retention duration for the memory store and magnetic store. This object has the following attributes:\n\n- *MemoryStoreRetentionPeriodInHours* : Retention duration for memory store, in hours.\n- *MagneticStoreRetentionPeriodInDays* : Retention duration for magnetic store, in days.\n\nBoth attributes are of type `string` . 
Both attributes are *required* when `RetentionProperties` is specified.\n\nSee the following examples:\n\n*JSON*\n\n`{ \"Type\" : AWS::Timestream::Table\", \"Properties\" : { \"DatabaseName\" : \"TestDatabase\", \"TableName\" : \"TestTable\", \"RetentionProperties\" : { \"MemoryStoreRetentionPeriodInHours\": \"24\", \"MagneticStoreRetentionPeriodInDays\": \"7\" } } }` \n\n*YAML*\n\n```\nType: AWS::Timestream::Table\nDependsOn: TestDatabase\nProperties: TableName: \"TestTable\" DatabaseName: \"TestDatabase\" RetentionProperties: MemoryStoreRetentionPeriodInHours: \"24\" MagneticStoreRetentionPeriodInDays: \"7\"\n```", + "Schema": "The schema of the table.", "TableName": "The name of the Timestream table.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", "Tags": "The tags to add to the table" }, @@ -35613,6 +40242,11 @@ "EnableMagneticStoreWrites": "A flag to enable magnetic store writes.", "MagneticStoreRejectedDataLocation": "The location to write error reports for records rejected asynchronously during magnetic store writes." }, + "AWS::Timestream::Table PartitionKey": { + "EnforcementInRecord": "The level of enforcement for the specification of a dimension key in ingested records. Options are REQUIRED (dimension key must be specified) and OPTIONAL (dimension key does not have to be specified).", + "Name": "The name of the attribute used for a dimension key.", + "Type": "The type of the partition key. Options are DIMENSION (dimension key) and MEASURE (measure key)." + }, "AWS::Timestream::Table RetentionProperties": { "MagneticStoreRetentionPeriodInDays": "The duration for which data must be stored in the magnetic store.", "MemoryStoreRetentionPeriodInHours": "The duration for which data must be stored in the memory store." 
@@ -35623,8 +40257,15 @@ "KmsKeyId": "The AWS KMS key ID for the customer S3 location when encrypting with an AWS managed key.", "ObjectKeyPrefix": "The object key preview for the customer S3 location." }, + "AWS::Timestream::Table Schema": { + "CompositePartitionKey": "A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed." + }, + "AWS::Timestream::Table Tag": { + "Key": "The key of the tag. Tag keys are case sensitive.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::Transfer::Agreement": { - "AccessRole": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. 
If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "AccessRole": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. 
Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "BaseDirectory": "The landing directory (folder) for files that are transferred by using the AS2 protocol.", "Description": "The name or short description that's used to identify the agreement.", "LocalProfileId": "A unique identifier for the AS2 local profile.", @@ -35633,6 +40274,10 @@ "Status": "The current status of the agreement, either `ACTIVE` or `INACTIVE` .", "Tags": "Key-value pairs that can be used to group and search for agreements." }, + "AWS::Transfer::Agreement Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Certificate": { "ActiveDate": "An optional date that specifies when the certificate becomes active.", "Certificate": "The file name for the certificate.", 
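Review bot: The added *For SFTP connectors* paragraph of `AccessRole` asks for `secretsmanager:GetSecretValue` permission "to AWS Secrets Manager" without naming a secret, whereas the AS2 paragraph just above it says "for the secret" and also covers `kms:Decrypt` for a customer-managed key. Read literally, the SFTP wording invites a role policy that is not scoped to one secret, which would let the connector role read secrets it has no need for. I would word it as `make sure that the role provides secretsmanager:GetSecretValue permission for the secret that holds the SFTP user's credentials, and kms:Decrypt for its key if that secret is encrypted with a customer-managed key`. The identical paragraph is added to the `AWS::Transfer::Connector` `AccessRole` in the following hunk. That `kms:Decrypt` is also needed for SFTP is inferred from the AS2 text and should be confirmed.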
@@ -35643,14 +40288,20 @@ "Tags": "Key-value pairs that can be used to group and search for certificates.", "Usage": "Specifies whether this certificate is used for signing or encryption." }, + "AWS::Transfer::Certificate Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Connector": { - "AccessRole": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", - "As2Config": "A structure that contains the parameters for a connector object.", + "AccessRole": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . 
We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", + "As2Config": "A structure that contains the parameters for an AS2 connector object.", "LoggingRole": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.", + "SftpConfig": "A structure that contains the parameters for an SFTP connector object.", "Tags": "Key-value pairs that can be used to group and search for connectors.", - "Url": "The URL of the partner's AS2 endpoint." + "Url": "The URL of the partner's AS2 or SFTP endpoint." }, "AWS::Transfer::Connector As2Config": { + "BasicAuthSecretId": "Provides Basic authentication support to the AS2 Connectors API. 
To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager .\n\nThe default value for this parameter is `null` , which indicates that Basic authentication is not enabled for the connector.\n\nIf the connector should use Basic authentication, the secret needs to be in the following format:\n\n`{ \"Username\": \"user-name\", \"Password\": \"user-password\" }`\n\nReplace `user-name` and `user-password` with the credentials for the actual user that is being authenticated.\n\nNote the following:\n\n- You are storing these credentials in Secrets Manager, *not passing them directly* into this API.\n- If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you.\n\nIf you have previously enabled Basic authentication for a connector, you can disable it by using the `UpdateConnector` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:\n\n`update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=\"\"'`", "Compression": "Specifies whether the AS2 file is compressed.", "EncryptionAlgorithm": "The algorithm that is used to encrypt the file.\n\n> You can only specify `NONE` if the URL for your connector uses HTTPS. This ensures that no traffic is sent in clear text.", "LocalProfileId": "A unique identifier for the AS2 local profile.", 
@@ -35660,17 +40311,29 @@ "PartnerProfileId": "A unique identifier for the partner profile for the connector.", "SigningAlgorithm": "The algorithm that is used to sign the AS2 messages sent with the connector." }, + "AWS::Transfer::Connector SftpConfig": { + "TrustedHostKeys": "The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the `ssh-keyscan` command against the SFTP server to retrieve the necessary key.\n\nThe three standard SSH public key format elements are `` , `` , and an optional `` , with spaces between each element. Specify only the `` and `` : do not enter the `` portion of the key.\n\nFor the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys.\n\n- For RSA keys, the `` string is `ssh-rsa` .\n- For ECDSA keys, the `` string is either `ecdsa-sha2-nistp256` , `ecdsa-sha2-nistp384` , or `ecdsa-sha2-nistp521` , depending on the size of the key you generated.", + "UserSecretId": "The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret." + }, + "AWS::Transfer::Connector Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Profile": { "As2Id": "The `As2Id` is the *AS2-name* , as defined in the [RFC 4130](https://docs.aws.amazon.com/https://datatracker.ietf.org/doc/html/rfc4130) . For inbound transfers, this is the `AS2-From` header for the AS2 messages sent from the partner. For outbound connectors, this is the `AS2-To` header for the AS2 messages sent to the partner using the `StartFileTransfer` API operation. This ID cannot include spaces.", "CertificateIds": "An array of identifiers for the imported certificates. 
You use this identifier for working with profiles and partner profiles.", "ProfileType": "Indicates whether to list only `LOCAL` type profiles or only `PARTNER` type profiles. If not supplied in the request, the command lists all types of profiles.", "Tags": "Key-value pairs that can be used to group and search for profiles." }, + "AWS::Transfer::Profile Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Server": { "Certificate": "The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when `Protocols` is set to `FTPS` .\n\nTo request a new public certificate, see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) in the *AWS Certificate Manager User Guide* .\n\nTo import an existing certificate into ACM, see [Importing certificates into ACM](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .\n\nTo request a private certificate to use FTPS through private IP addresses, see [Request a private certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-private.html) in the *AWS Certificate Manager User Guide* .\n\nCertificates with the following cryptographic algorithms and key sizes are supported:\n\n- 2048-bit RSA (RSA_2048)\n- 4096-bit RSA (RSA_4096)\n- Elliptic Prime Curve 256 bit (EC_prime256v1)\n- Elliptic Prime Curve 384 bit (EC_secp384r1)\n- Elliptic Prime Curve 521 bit (EC_secp521r1)\n\n> The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.", "Domain": "Specifies the domain of the storage system that is used for file transfers.", "EndpointDetails": "The virtual private cloud (VPC) endpoint settings that are configured for your server. 
When you host your endpoint within your VPC, you can make your endpoint accessible only to resources within your VPC, or you can attach Elastic IP addresses and make your endpoint accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.", - "EndpointType": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.", + "EndpointType": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.\n\n> After May 19, 2021, you won't be able to create a server using `EndpointType=VPC_ENDPOINT` in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with `EndpointType=VPC_ENDPOINT` in your AWS account on or before May 19, 2021, you will not be affected. After this date, use `EndpointType` = `VPC` .\n> \n> For more information, see [Discontinuing the use of VPC_ENDPOINT](https://docs.aws.amazon.com//transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint) .\n> \n> It is recommended that you use `VPC` as the `EndpointType` . With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. 
This is not possible with `EndpointType` set to `VPC_ENDPOINT` .", "IdentityProviderDetails": "Required when `IdentityProviderType` is set to `AWS_DIRECTORY_SERVICE` , `AWS _LAMBDA` or `API_GATEWAY` . Accepts an array containing all of the information required to use a directory in `AWS_DIRECTORY_SERVICE` or invoke a customer-supplied authentication API, including the API Gateway URL. Not required when `IdentityProviderType` is set to `SERVICE_MANAGED` .", "IdentityProviderType": "The mode of authentication for a server. The default value is `SERVICE_MANAGED` , which allows you to store and access user credentials within the AWS Transfer Family service.\n\nUse `AWS_DIRECTORY_SERVICE` to provide access to Active Directory groups in AWS Directory Service for Microsoft Active Directory or Microsoft Active Directory in your on-premises environment or in AWS using AD Connector. This option also requires you to provide a Directory ID by using the `IdentityProviderDetails` parameter.\n\nUse the `API_GATEWAY` value to integrate with an identity provider of your choosing. The `API_GATEWAY` setting requires you to provide an Amazon API Gateway endpoint URL to call for authentication by using the `IdentityProviderDetails` parameter.\n\nUse the `AWS_LAMBDA` value to directly use an AWS Lambda function as your identity provider. If you choose this value, you must specify the ARN for the Lambda function in the `Function` parameter for the `IdentityProviderDetails` data type.", "LoggingRole": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.", 
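Review bot: The new `TrustedHostKeys` description points to `ssh-keyscan` as the way to obtain the host key but says nothing about verifying the result. A key fetched over the network is unauthenticated, so pinning it as-is trusts whichever host answered the scan. I would append a sentence such as `Confirm the key's fingerprint with the server's operator through a separate channel before adding it here.` The description also shows empty backtick pairs where the names of the three key-format elements should be, so the instruction about which portions to enter cannot be followed as printed. That may be a rendering loss on this page rather than in the file, and is worth checking against the source.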
@@ -35678,34 +40341,39 @@ "PreAuthenticationLoginBanner": "Specifies a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system:\n\n`This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.`", "ProtocolDetails": "The protocol settings that are configured for your server.\n\n- To indicate passive mode (for FTP and FTPS protocols), use the `PassiveIp` parameter. Enter a single dotted-quad IPv4 address, such as the external IP address of a firewall, router, or load balancer.\n- To ignore the error that is generated when the client attempts to use the `SETSTAT` command on a file that you are uploading to an Amazon S3 bucket, use the `SetStatOption` parameter. To have the AWS Transfer Family server ignore the `SETSTAT` command and upload files without needing to make any changes to your SFTP client, set the value to `ENABLE_NO_OP` . If you set the `SetStatOption` parameter to `ENABLE_NO_OP` , Transfer Family generates a log entry to Amazon CloudWatch Logs, so that you can determine when the client is making a `SETSTAT` call.\n- To determine whether your AWS Transfer Family server resumes recent, negotiated sessions through a unique session ID, use the `TlsSessionResumptionMode` parameter.\n- `As2Transports` indicates the transport method for the AS2 messages. Currently, only HTTP is supported.\n\nThe `Protocols` parameter is an array of strings.\n\n*Allowed values* : One or more of `SFTP` , `FTPS` , `FTP` , `AS2`", "Protocols": "Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. 
The available protocols are:\n\n- `SFTP` (Secure Shell (SSH) File Transfer Protocol): File transfer over SSH\n- `FTPS` (File Transfer Protocol Secure): File transfer with TLS encryption\n- `FTP` (File Transfer Protocol): Unencrypted file transfer\n- `AS2` (Applicability Statement 2): used for transporting structured business-to-business data\n\n> - If you select `FTPS` , you must choose a certificate stored in AWS Certificate Manager (ACM) which is used to identify your server when clients connect to it over FTPS.\n> - If `Protocol` includes either `FTP` or `FTPS` , then the `EndpointType` must be `VPC` and the `IdentityProviderType` must be either `AWS_DIRECTORY_SERVICE` , `AWS_LAMBDA` , or `API_GATEWAY` .\n> - If `Protocol` includes `FTP` , then `AddressAllocationIds` cannot be associated.\n> - If `Protocol` is set only to `SFTP` , the `EndpointType` can be set to `PUBLIC` and the `IdentityProviderType` can be set any of the supported identity types: `SERVICE_MANAGED` , `AWS_DIRECTORY_SERVICE` , `AWS_LAMBDA` , or `API_GATEWAY` .\n> - If `Protocol` includes `AS2` , then the `EndpointType` must be `VPC` , and domain must be Amazon S3. \n\nThe `Protocols` parameter is an array of strings.\n\n*Allowed values* : One or more of `SFTP` , `FTPS` , `FTP` , `AS2`", + "S3StorageOptions": "Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default.\n\nBy default, home directory mappings have a `TYPE` of `DIRECTORY` . If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` `Type` to `FILE` if you want a mapping to have a file target.", "SecurityPolicyName": "Specifies the name of the security policy that is attached to the server.", "StructuredLogDestinations": "Specifies the log groups to which your server logs are sent.\n\nTo specify a log group, you must provide the ARN for an existing log group. 
In this case, the format of the log group is as follows:\n\n`arn:aws:logs:region-name:amazon-account-id:log-group:log-group-name:*`\n\nFor example, `arn:aws:logs:us-east-1:111122223333:log-group:mytestgroup:*`\n\nIf you have previously specified a log group for a server, you can clear it, and in effect turn off structured logging, by providing an empty value for this parameter in an `update-server` call. For example:\n\n`update-server --server-id s-1234567890abcdef0 --structured-log-destinations`", "Tags": "Key-value pairs that can be used to group and search for servers.", "WorkflowDetails": "Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.\n\nIn addition to a workflow to execute when a file is uploaded completely, `WorkflowDetails` can also contain a workflow ID (and execution role) for a workflow to execute on partial upload. A partial upload occurs when a file is open when the session disconnects." }, - "AWS::Transfer::Server As2Transport": {}, "AWS::Transfer::Server EndpointDetails": { - "AddressAllocationIds": "A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.\n\n> This property can only be set when `EndpointType` is set to `VPC` and it is only valid in the `UpdateServer` API.", + "AddressAllocationIds": "A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.\n\nAn address allocation ID corresponds to the allocation ID of an Elastic IP address. This value can be retrieved from the `allocationId` field from the Amazon EC2 [Address](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Address.html) data type. One way to retrieve this value is by calling the EC2 [DescribeAddresses](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddresses.html) API.\n\nThis parameter is optional. Set this parameter if you want to make your VPC endpoint public-facing. 
For details, see [Create an internet-facing endpoint for your server](https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#create-internet-facing-endpoint) .\n\n> This property can only be set as follows:\n> \n> - `EndpointType` must be set to `VPC`\n> - The Transfer Family server must be offline.\n> - You cannot set this parameter for Transfer Family servers that use the FTP protocol.\n> - The server must already have `SubnetIds` populated ( `SubnetIds` and `AddressAllocationIds` cannot be updated simultaneously).\n> - `AddressAllocationIds` can't contain duplicates, and must be equal in length to `SubnetIds` . For example, if you have three subnet IDs, you must also specify three address allocation IDs.\n> - Call the `UpdateServer` API to set or change this parameter.", "SecurityGroupIds": "A list of security groups IDs that are available to attach to your server's endpoint.\n\n> This property can only be set when `EndpointType` is set to `VPC` .\n> \n> You can edit the `SecurityGroupIds` property in the [UpdateServer](https://docs.aws.amazon.com/transfer/latest/userguide/API_UpdateServer.html) API only if you are changing the `EndpointType` from `PUBLIC` or `VPC_ENDPOINT` to `VPC` . To change security groups associated with your server's VPC endpoint after creation, use the Amazon EC2 [ModifyVpcEndpoint](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcEndpoint.html) API.", "SubnetIds": "A list of subnet IDs that are required to host your server endpoint in your VPC.\n\n> This property can only be set when `EndpointType` is set to `VPC` .", "VpcEndpointId": "The ID of the VPC endpoint.\n\n> This property can only be set when `EndpointType` is set to `VPC_ENDPOINT` .", "VpcId": "The VPC ID of the virtual private cloud in which the server's endpoint will be hosted.\n\n> This property can only be set when `EndpointType` is set to `VPC` ." 
}, "AWS::Transfer::Server IdentityProviderDetails": { - "DirectoryId": "The identifier of the AWS Directory Service directory that you want to stop sharing.", + "DirectoryId": "The identifier of the AWS Directory Service directory that you want to use as your identity provider.", "Function": "The ARN for a Lambda function to use for the Identity provider.", "InvocationRole": "This parameter is only applicable if your `IdentityProviderType` is `API_GATEWAY` . Provides the type of `InvocationRole` used to authenticate the user account.", "SftpAuthenticationMethods": "For SFTP-enabled servers, and for custom identity providers *only* , you can specify whether to authenticate using a password, SSH key pair, or both.\n\n- `PASSWORD` - users must provide their password to connect.\n- `PUBLIC_KEY` - users must provide their private key to connect.\n- `PUBLIC_KEY_OR_PASSWORD` - users can authenticate with either their password or their key. This is the default value.\n- `PUBLIC_KEY_AND_PASSWORD` - users must provide both their private key and their password to connect. The server checks the key first, and then if the key is valid, the system prompts for a password. If the private key provided does not match the public key that is stored, authentication fails.", "Url": "Provides the location of the service endpoint used to authenticate users." }, - "AWS::Transfer::Server Protocol": {}, "AWS::Transfer::Server ProtocolDetails": { "As2Transports": "List of `As2Transport` objects.", "PassiveIp": "Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For example:\n\n`aws transfer update-server --protocol-details PassiveIp=0.0.0.0`\n\nReplace `0.0.0.0` in the example above with the actual IP address you want to use.\n\n> If you change the `PassiveIp` value, you must stop and then restart your Transfer Family server for the change to take effect. 
For details on using passive mode (PASV) in a NAT environment, see [Configuring your FTPS server behind a firewall or NAT with AWS Transfer Family](https://docs.aws.amazon.com/storage/configuring-your-ftps-server-behind-a-firewall-or-nat-with-aws-transfer-family/) . \n\n*Special values*\n\nThe `AUTO` and `0.0.0.0` are special values for the `PassiveIp` parameter. The value `PassiveIp=AUTO` is assigned by default to FTP and FTPS type servers. In this case, the server automatically responds with one of the endpoint IPs within the PASV response. `PassiveIp=0.0.0.0` has a more unique application for its usage. For example, if you have a High Availability (HA) Network Load Balancer (NLB) environment, where you have 3 subnets, you can only specify a single IP address using the `PassiveIp` parameter. This reduces the effectiveness of having High Availability. In this case, you can specify `PassiveIp=0.0.0.0` . This tells the client to use the same IP address as the Control connection and utilize all AZs for their connections. Note, however, that not all FTP clients support the `PassiveIp=0.0.0.0` response. FileZilla and WinSCP do support it. If you are using other clients, check to see if your client supports the `PassiveIp=0.0.0.0` response.", "SetStatOption": "Use the `SetStatOption` to ignore the error that is generated when the client attempts to use `SETSTAT` on a file you are uploading to an S3 bucket.\n\nSome SFTP file transfer clients can attempt to change the attributes of remote files, including timestamp and permissions, using commands, such as `SETSTAT` when uploading the file. However, these commands are not compatible with object storage systems, such as Amazon S3. 
Due to this incompatibility, file uploads from these clients can result in errors even when the file is otherwise successfully uploaded.\n\nSet the value to `ENABLE_NO_OP` to have the Transfer Family server ignore the `SETSTAT` command, and upload files without needing to make any changes to your SFTP client. While the `SetStatOption` `ENABLE_NO_OP` setting ignores the error, it does generate a log entry in Amazon CloudWatch Logs, so you can determine when the client is making a `SETSTAT` call.\n\n> If you want to preserve the original timestamp for your file, and modify other file attributes using `SETSTAT` , you can use Amazon EFS as backend storage with Transfer Family.", "TlsSessionResumptionMode": "A property used with Transfer Family servers that use the FTPS protocol. TLS Session Resumption provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. `TlsSessionResumptionMode` determines whether or not the server resumes recent, negotiated sessions through a unique session ID. This property is available during `CreateServer` and `UpdateServer` calls. If a `TlsSessionResumptionMode` value is not specified during `CreateServer` , it is set to `ENFORCED` by default.\n\n- `DISABLED` : the server does not process TLS session resumption client requests and creates a new TLS session for each request.\n- `ENABLED` : the server processes and accepts clients that are performing TLS session resumption. The server doesn't reject client data connections that do not perform the TLS session resumption client processing.\n- `ENFORCED` : the server processes and accepts clients that are performing TLS session resumption. The server rejects client data connections that do not perform the TLS session resumption client processing. Before you set the value to `ENFORCED` , test your clients.\n\n> Not all FTPS clients perform TLS session resumption. 
So, if you choose to enforce TLS session resumption, you prevent any connections from FTPS clients that don't perform the protocol negotiation. To determine whether or not you can use the `ENFORCED` value, you need to test your clients." }, - "AWS::Transfer::Server StructuredLogDestination": {}, + "AWS::Transfer::Server S3StorageOptions": { + "DirectoryListingOptimization": "Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default.\n\nBy default, home directory mappings have a `TYPE` of `DIRECTORY` . If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` `Type` to `FILE` if you want a mapping to have a file target." + }, + "AWS::Transfer::Server Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Server WorkflowDetail": { "ExecutionRole": "Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources", "WorkflowId": "A unique identifier for the workflow." 
@@ -35715,9 +40383,9 @@ "OnUpload": "A trigger that starts a workflow: the workflow begins to execute after a file is uploaded.\n\nTo remove an associated workflow from a server, you can provide an empty `OnUpload` object, as in the following example.\n\n`aws transfer update-server --server-id s-01234567890abcdef --workflow-details '{\"OnUpload\":[]}'`" }, "AWS::Transfer::User": { - "HomeDirectory": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .", - "HomeDirectoryMappings": "Logical directory mappings that specify what Amazon S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the \" `Entry` \" and \" `Target` \" pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your IAM role provides access to paths in `Target` . The following is an example.\n\n`'[ { \"Entry\": \"/\", \"Target\": \"/bucket3/customized-reports/\" } ]'`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set `Entry` to '/' and set `Target` to the HomeDirectory parameter value.\n\n> If the target of a logical directory entry does not exist in Amazon S3, the entry will be ignored. As a workaround, you can use the Amazon S3 API to create 0 byte objects as place holders for your directory. If using the CLI, use the `s3api` call instead of `s3` so you can use the put-object operation. For example, you use the following: `AWS s3api put-object --bucket bucketname --key path/to/folder/` . 
Make sure that the end of the key name ends in a '/' for it to be considered a folder.", - "HomeDirectoryType": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.", + "HomeDirectory": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> The `HomeDirectory` parameter is only used if `HomeDirectoryType` is set to `PATH` .", + "HomeDirectoryMappings": "Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the `Entry` and `Target` pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in `Target` . This value can be set only when `HomeDirectoryType` is set to *LOGICAL* .\n\nThe following is an `Entry` and `Target` pair example.\n\n`[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\" `chroot` \"). 
To do this, you can set `Entry` to `/` and set `Target` to the value the user should see for their home directory when they log in.\n\nThe following is an `Entry` and `Target` pair example for `chroot` .\n\n`[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`", + "HomeDirectoryType": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or Amazon EFS path as is in their file transfer protocol clients. If you set it to `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.\n\n> If `HomeDirectoryType` is `LOGICAL` , you must provide mappings, using the `HomeDirectoryMappings` parameter. If, on the other hand, `HomeDirectoryType` is `PATH` , you provide an absolute path using the `HomeDirectory` parameter. You cannot have both `HomeDirectory` and `HomeDirectoryMappings` in your template.", "Policy": "A session policy for your user so you can use the same IAM role across multiple users. This policy restricts user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include `${Transfer:UserName}` , `${Transfer:HomeDirectory}` , and `${Transfer:HomeBucket}` .\n\n> For session policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. 
You save the policy as a JSON blob and pass it in the `Policy` argument.\n> \n> For an example of a session policy, see [Example session policy](https://docs.aws.amazon.com/transfer/latest/userguide/session-policy.html) .\n> \n> For more information, see [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) in the *AWS Security Token Service API Reference* .", "PosixProfile": "Specifies the full POSIX identity, including user ID ( `Uid` ), group ID ( `Gid` ), and any secondary groups IDs ( `SecondaryGids` ), that controls your users' access to your Amazon Elastic File System (Amazon EFS) file systems. The POSIX permissions that are set on files and directories in your file system determine the level of access your users get when transferring files into and out of your Amazon EFS file systems.", "Role": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.", 
@@ -35728,14 +40396,18 @@ }, "AWS::Transfer::User HomeDirectoryMapEntry": { "Entry": "Represents an entry for `HomeDirectoryMappings` .", - "Target": "Represents the map target that is used in a `HomeDirectorymapEntry` ." + "Target": "Represents the map target that is used in a `HomeDirectoryMapEntry` .", + "Type": "Specifies the type of mapping. Set the type to `FILE` if you want the mapping to point to a file, or `DIRECTORY` for the directory to point to a directory.\n\n> By default, home directory mappings have a `Type` of `DIRECTORY` when you create a Transfer Family server. You would need to explicitly set `Type` to `FILE` if you want a mapping to have a file target." }, "AWS::Transfer::User PosixProfile": { "Gid": "The POSIX group ID used for all EFS operations by this user.", "SecondaryGids": "The secondary POSIX group IDs used for all EFS operations by this user.", "Uid": "The POSIX user ID used for all EFS operations by this user." }, - "AWS::Transfer::User SshPublicKey": {}, + "AWS::Transfer::User Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Workflow": { "Description": "Specifies the text description for the workflow.", "OnExceptionSteps": "Specifies the steps (actions) to take if errors are encountered during execution of the workflow.", 
@@ -35784,6 +40456,10 @@ "Key": "The name assigned to the tag that you create.", "Value": "The value that corresponds to the key." }, + "AWS::Transfer::Workflow Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Workflow TagStepDetails": { "Name": "The name of the step, used as an identifier.", "SourceFileLocation": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow.\n\n- To use the previous file as the input, enter `${previous.file}` . In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value.\n- To use the originally uploaded file location as input for this step, enter `${original.file}` .", 
@@ -35798,7 +40474,7 @@ "Type": "Currently, the following step types are supported.\n\n- *`COPY`* - Copy the file to another location.\n- *`CUSTOM`* - Perform a custom step with an AWS Lambda function target.\n- *`DECRYPT`* - Decrypt a file that was encrypted before it was uploaded.\n- *`DELETE`* - Delete the file.\n- *`TAG`* - Add a tag to the file." }, "AWS::VerifiedPermissions::IdentitySource": { - "Configuration": "Contains configuration information used when creating or updating an identity source.\n\n> At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` .", + "Configuration": "Contains configuration information used when creating a new identity source.\n\n> At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` . \n\nThis data type is used as a request parameter for the [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) operation.", "PolicyStoreId": "Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source.", "PrincipalEntityType": "Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source." }, 
@@ -35860,43 +40536,55 @@ "AWS::VoiceID::Domain ServerSideEncryptionConfiguration": { "KmsKeyId": "The identifier of the KMS key to use to encrypt data stored by Voice ID. Voice ID doesn't support asymmetric customer managed keys ." }, + "AWS::VoiceID::Domain Tag": { + "Key": "The first part of a key:value pair that forms a tag associated with a given resource. For example, in the tag 'Department':'Sales', the key is 'Department'.", + "Value": "The second part of a key:value pair that forms a tag associated with a given resource. For example, in the tag 'Department':'Sales', the value is 'Sales'." + }, "AWS::VpcLattice::AccessLogSubscription": { "DestinationArn": "The Amazon Resource Name (ARN) of the destination. The supported destination types are CloudWatch Log groups, Kinesis Data Firehose delivery streams, and Amazon S3 buckets.", "ResourceIdentifier": "The ID or Amazon Resource Name (ARN) of the service network or service.", "Tags": "The tags for the access log subscription." }, + "AWS::VpcLattice::AccessLogSubscription Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::AuthPolicy": { "Policy": "The auth policy.", "ResourceIdentifier": "The ID or Amazon Resource Name (ARN) of the service network or service for which the policy is created." }, "AWS::VpcLattice::Listener": { - "DefaultAction": "The action for the default rule. Each listener has a default rule. Each rule consists of a priority, one or more actions, and one or more conditions. The default rule is the rule that's used if no other rules match. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "DefaultAction": "The action for the default rule. Each listener has a default rule. The default rule is used if no other rules match.", "Name": "The name of the listener. A listener name must be unique within a service. The valid characters are a-z, 0-9, and hyphens (-). 
You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", - "Port": "The listener port. You can specify a value from `1` to `65535` . For HTTP, the default is `80` . For HTTPS, the default is `443` .", - "Protocol": "The listener protocol HTTP or HTTPS.", + "Port": "The listener port. You can specify a value from 1 to 65535. For HTTP, the default is 80. For HTTPS, the default is 443.", + "Protocol": "The listener protocol.", "ServiceIdentifier": "The ID or Amazon Resource Name (ARN) of the service.", "Tags": "The tags for the listener." }, "AWS::VpcLattice::Listener DefaultAction": { - "FixedResponse": "Information about an action that returns a custom HTTP response.", + "FixedResponse": "Describes an action that returns a custom HTTP response.", "Forward": "Describes a forward action. You can use forward actions to route requests to one or more target groups." }, "AWS::VpcLattice::Listener FixedResponse": { "StatusCode": "The HTTP response code." }, "AWS::VpcLattice::Listener Forward": { - "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group." + "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. 
With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group." + }, + "AWS::VpcLattice::Listener Tag": { + "Key": "", + "Value": "" }, "AWS::VpcLattice::Listener WeightedTargetGroup": { "TargetGroupIdentifier": "The ID of the target group.", - "Weight": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100." + "Weight": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100." }, "AWS::VpcLattice::ResourcePolicy": { "Policy": "The Amazon Resource Name (ARN) of the service network or service.", "ResourceArn": "An IAM policy." }, "AWS::VpcLattice::Rule": { - "Action": "Describes the action for a rule. 
Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "Action": "Describes the action for a rule.", "ListenerIdentifier": "The ID or Amazon Resource Name (ARN) of the listener.", "Match": "The rule match.", "Name": "The name of the rule. The name must be unique within the listener. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", 
@@ -35905,24 +40593,24 @@ "Tags": "The tags for the rule." }, "AWS::VpcLattice::Rule Action": { - "FixedResponse": "Describes the rule action that returns a custom HTTP response.", + "FixedResponse": "The fixed response action. The rule returns a custom HTTP response.", "Forward": "The forward action. Traffic that matches the rule is forwarded to the specified target groups." }, "AWS::VpcLattice::Rule FixedResponse": { "StatusCode": "The HTTP response code." }, "AWS::VpcLattice::Rule Forward": { - "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group." + "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group." }, "AWS::VpcLattice::Rule HeaderMatch": { - "CaseSensitive": "Indicates whether the match is case sensitive. Defaults to false.", + "CaseSensitive": "Indicates whether the match is case sensitive.", "Match": "The header match type.", "Name": "The name of the header." 
}, "AWS::VpcLattice::Rule HeaderMatchType": { - "Contains": "Specifies a contains type match.", - "Exact": "Specifies an exact type match.", - "Prefix": "Specifies a prefix type match. Matches the value with the prefix." + "Contains": "A contains type match.", + "Exact": "An exact type match.", + "Prefix": "A prefix type match. Matches the value with the prefix." }, "AWS::VpcLattice::Rule HttpMatch": { "HeaderMatches": "The header matches. Matches incoming requests with rule based on request header value before applying rule action.", 
@@ -35933,22 +40621,26 @@ "HttpMatch": "The HTTP criteria that a rule must match." }, "AWS::VpcLattice::Rule PathMatch": { - "CaseSensitive": "Indicates whether the match is case sensitive. Defaults to false.", + "CaseSensitive": "Indicates whether the match is case sensitive.", "Match": "The type of path match." }, "AWS::VpcLattice::Rule PathMatchType": { "Exact": "An exact match of the path.", "Prefix": "A prefix match of the path." }, + "AWS::VpcLattice::Rule Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::Rule WeightedTargetGroup": { "TargetGroupIdentifier": "The ID of the target group.", - "Weight": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100." + "Weight": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100." }, "AWS::VpcLattice::Service": { "AuthType": "The type of IAM policy.\n\n- `NONE` : The resource does not use an IAM policy. This is the default.\n- `AWS_IAM` : The resource uses an IAM policy. 
When this type is used, auth is enabled and an auth policy is required.", "CertificateArn": "The Amazon Resource Name (ARN) of the certificate.", "CustomDomainName": "The custom domain name of the service.", - "DnsEntry": "", + "DnsEntry": "The DNS information of the service.", "Name": "The name of the service. The name must be unique within the account. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", "Tags": "The tags for the service." }, 
@@ -35956,13 +40648,21 @@ "DomainName": "The domain name of the service.", "HostedZoneId": "The ID of the hosted zone." }, + "AWS::VpcLattice::Service Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::ServiceNetwork": { "AuthType": "The type of IAM policy.\n\n- `NONE` : The resource does not use an IAM policy. This is the default.\n- `AWS_IAM` : The resource uses an IAM policy. When this type is used, auth is enabled and an auth policy is required.", "Name": "The name of the service network. The name must be unique to the account. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", "Tags": "The tags for the service network." }, + "AWS::VpcLattice::ServiceNetwork Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::ServiceNetworkServiceAssociation": { - "DnsEntry": "", + "DnsEntry": "The DNS information of the service.", "ServiceIdentifier": "The ID or Amazon Resource Name (ARN) of the service.", "ServiceNetworkIdentifier": "The ID or Amazon Resource Name (ARN) of the service network. You must use the ARN if the resources specified in the operation are in different accounts.", "Tags": "The tags for the association." 
@@ -35971,14 +40671,22 @@ "DomainName": "The domain name of the service.", "HostedZoneId": "The ID of the hosted zone." }, + "AWS::VpcLattice::ServiceNetworkServiceAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::ServiceNetworkVpcAssociation": { "SecurityGroupIds": "The IDs of the security groups. Security groups aren't added by default. You can add a security group to apply network level controls to control which resources in a VPC are allowed to access the service network and its services. For more information, see [Control traffic to resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon VPC User Guide* .", "ServiceNetworkIdentifier": "The ID or Amazon Resource Name (ARN) of the service network. You must use the ARN when the resources specified in the operation are in different accounts.", "Tags": "The tags for the association.", "VpcIdentifier": "The ID of the VPC." }, + "AWS::VpcLattice::ServiceNetworkVpcAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::TargetGroup": { - "Config": "The target group configuration. If `type` is set to `LAMBDA` , this parameter doesn't apply.", + "Config": "The target group configuration.", "Name": "The name of the target group. The name must be unique within the account. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", "Tags": "The tags for the target group.", "Targets": "Describes a target.", 
@@ -35989,7 +40697,7 @@ "HealthCheckIntervalSeconds": "The approximate amount of time, in seconds, between health checks of an individual target. The range is 5\u2013300 seconds. The default is 30 seconds.", "HealthCheckTimeoutSeconds": "The amount of time, in seconds, to wait before reporting a target as unhealthy. The range is 1\u2013120 seconds. The default is 5 seconds.", "HealthyThresholdCount": "The number of consecutive successful health checks required before considering an unhealthy target healthy. The range is 2\u201310. The default is 5.", - "Matcher": "The codes to use when checking for a successful response from a target. These are called *Success codes* in the console.", + "Matcher": "The codes to use when checking for a successful response from a target.", "Path": "The destination for health checks on the targets. If the protocol version is `HTTP/1.1` or `HTTP/2` , specify a valid URI (for example, `/path?query` ). The default path is `/` . Health checks are not supported if the protocol version is `gRPC` , however, you can choose `HTTP/1.1` or `HTTP/2` and specify a valid URI.", "Port": "The port used when performing health checks on targets. The default setting is the port that a target receives traffic on.", "Protocol": "The protocol used when performing health checks on targets. The possible protocols are `HTTP` and `HTTPS` . The default is `HTTP` .", 
@@ -35999,17 +40707,22 @@ "AWS::VpcLattice::TargetGroup Matcher": { "HttpCode": "The HTTP code to use when checking for a successful response from a target." }, + "AWS::VpcLattice::TargetGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::TargetGroup Target": { - "Id": "The ID of the target. If the target type of the target group is `INSTANCE` , this is an instance ID. If the target type is `IP` , this is an IP address. If the target type is `LAMBDA` , this is the ARN of the Lambda function. If the target type is `ALB` , this is the ARN of the Application Load Balancer.", - "Port": "The port on which the target is listening. For HTTP, the default is `80` . For HTTPS, the default is `443` ." + "Id": "The ID of the target. If the target group type is `INSTANCE` , this is an instance ID. If the target group type is `IP` , this is an IP address. If the target group type is `LAMBDA` , this is the ARN of a Lambda function. If the target group type is `ALB` , this is the ARN of an Application Load Balancer.", + "Port": "The port on which the target is listening. For HTTP, the default is 80. For HTTPS, the default is 443." }, "AWS::VpcLattice::TargetGroup TargetGroupConfig": { - "HealthCheck": "The health check configuration.", - "IpAddressType": "The type of IP address used for the target group. The possible values are `ipv4` and `ipv6` . This is an optional parameter. If not specified, the IP address type defaults to `ipv4` .", - "Port": "The port on which the targets are listening. For HTTP, the default is `80` . For HTTPS, the default is `443`", - "Protocol": "The protocol to use for routing traffic to the targets. Default is the protocol of a target group.", - "ProtocolVersion": "The protocol version. Default value is `HTTP1` .", - "VpcIdentifier": "The ID of the VPC." + "HealthCheck": "The health check configuration. Not supported if the target group type is `LAMBDA` or `ALB` .", + "IpAddressType": "The type of IP address used for the target group. 
Supported only if the target group type is `IP` . The default is `IPV4` .", + "LambdaEventStructureVersion": "The version of the event structure that your Lambda function receives. Supported only if the target group type is `LAMBDA` . The default is `V1` .", + "Port": "The port on which the targets are listening. For HTTP, the default is 80. For HTTPS, the default is 443. Not supported if the target group type is `LAMBDA` .", + "Protocol": "The protocol to use for routing traffic to the targets. The default is the protocol of the target group. Not supported if the target group type is `LAMBDA` .", + "ProtocolVersion": "The protocol version. The default is `HTTP1` . Not supported if the target group type is `LAMBDA` .", + "VpcIdentifier": "The ID of the VPC. Not supported if the target group type is `LAMBDA` ." }, "AWS::WAF::ByteMatchSet": { "ByteMatchTuples": "Specifies the bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings.", 
@@ -36210,13 +40923,17 @@ "TextTransformation": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF . If you specify a transformation, AWS WAF performs the transformation on `FieldToMatch` before inspecting it for a match.\n\nYou can only specify a single type of TextTransformation.\n\n*CMD_LINE*\n\nWhen you're concerned that attackers are injecting an operating system command line command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:\n\n- Delete the following characters: \\ \" ' ^\n- Delete spaces before the following characters: / (\n- Replace the following characters with a space: , ;\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE*\n\nUse this option to replace the following characters with a space character (decimal 32):\n\n- \\f, formfeed, decimal 12\n- \\t, tab, decimal 9\n- \\n, newline, decimal 10\n- \\r, carriage return, decimal 13\n- \\v, vertical tab, decimal 11\n- non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*HTML_ENTITY_DECODE*\n\nUse this option to replace HTML-encoded characters with unencoded characters. 
`HTML_ENTITY_DECODE` performs the following operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*LOWERCASE*\n\nUse this option to convert uppercase letters (A-Z) to lowercase (a-z).\n\n*URL_DECODE*\n\nUse this option to decode a URL-encoded value.\n\n*NONE*\n\nSpecify `NONE` if you don't want to perform any text transformations." }, "AWS::WAFv2::IPSet": { - "Addresses": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` 
specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", + "Addresses": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want AWS WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- For requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- For requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- For requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- For requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", "Description": "A description of the IP set that helps with identification.", "IPAddressVersion": "The version of the IP addresses, either `IPV4` or `IPV6` .", "Name": "The name of the IP set. 
You cannot change the name of an `IPSet` after you create it.", "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation." }, + "AWS::WAFv2::IPSet Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::WAFv2::LoggingConfiguration": { "LogDestinationConfigs": "The logging destination configuration that you want to associate with the web ACL.\n\n> You can associate one logging destination to a web ACL.", "LoggingFilter": "Filtering that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation.", 
@@ -36245,7 +40962,7 @@ "AWS::WAFv2::LoggingConfiguration JsonBody": { "InvalidFallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\nAWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array.\n\nAWS WAF parses the JSON in the following examples as two valid key, value pairs:\n\n- Missing comma: `{\"key1\":\"value1\"\"key2\":\"value2\"}`\n- Missing colon: `{\"key1\":\"value1\",\"key2\"\"value2\"}`\n- Extra colons: `{\"key1\"::\"value1\",\"key2\"\"value2\"}`", "MatchPattern": "The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.", - "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values." + "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values." 
}, "AWS::WAFv2::LoggingConfiguration LabelNameCondition": { "LabelName": "The label name that a log record must contain in order to meet the condition. This must be a fully qualified label name. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label." 
@@ -36268,6 +40985,10 @@ "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation." }, + "AWS::WAFv2::RegexPatternSet Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::WAFv2::RuleGroup": { "AvailableLabels": "The labels that one or more rules in this rule group add to matching web requests. These labels are defined in the `RuleLabels` for a `Rule` .", "Capacity": "The web ACL capacity units (WCUs) required for this rule group.\n\nWhen you create your own rule group, you define this, and you cannot change it after creation. 
When you add or modify the rules in a rule group, AWS WAF enforces this limit.\n\nAWS WAF uses WCUs to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. AWS WAF calculates capacity differently for each rule type, to reflect the relative cost of each rule. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. Rule group capacity is fixed at creation, which helps users plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.", 
@@ -36290,7 +41011,7 @@ "CustomResponse": "Defines a custom response for the web request.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::RuleGroup Body": { - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::RuleGroup ByteMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", 
@@ -36318,7 +41039,7 @@ }, "AWS::WAFv2::RuleGroup Cookies": { "MatchPattern": "The filter to use to identify the subset of cookies to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedCookies` , or `ExcludedCookies` .\n\nExample JSON: `\"MatchPattern\": { \"IncludedCookies\": [ \"session-id-time\", \"session-id\" ] }`", - "MatchScope": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "MatchScope": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "OversizeHandling": "What AWS WAF should do if the cookies of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available cookies normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::RuleGroup CountAction": { 
@@ -36334,7 +41055,7 @@ "AWS::WAFv2::RuleGroup CustomResponse": { "CustomResponseBodyKey": "References the response body that you want AWS WAF to return to the web request client. You can define a custom response for a rule action or a default web ACL action that is set to block. To do this, you first define the response body key and value in the `CustomResponseBodies` setting for the `WebACL` or `RuleGroup` where you want to use it. Then, in the rule action or web ACL default action `BlockAction` setting, you reference the response body using this key.", "ResponseCode": "The HTTP status code to return to the client.\n\nFor a list of status codes that you can use in your custom responses, see [Supported status codes for custom response](https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-status-codes.html) in the *AWS WAF Developer Guide* .", - "ResponseHeaders": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* ." + "ResponseHeaders": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::RuleGroup CustomResponseBody": { "Content": "The payload of the custom response.\n\nYou can use JSON escape strings in JSON content. 
To do this, you must specify JSON content in the `ContentType` setting.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", 
@@ -36342,10 +41063,10 @@ }, "AWS::WAFv2::RuleGroup FieldToMatch": { "AllQueryArguments": "Inspect all query arguments.", - "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "Cookies": "Inspect the request cookies. You must configure scope and pattern matching filters in the `Cookies` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. 
You must configure how to handle any oversize cookie content in the `Cookies` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.", "Headers": "Inspect the request headers. You must configure scope and pattern matching filters in the `Headers` object, to define the set of headers to and the parts of the headers that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the `Headers` object. AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.", - "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. 
For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "Method": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.", "QueryString": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.", "SingleHeader": "Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` . This setting isn't case sensitive.\n\nExample JSON: `\"SingleHeader\": { \"Name\": \"haystack\" }`\n\nAlternately, you can filter and inspect all headers with the `Headers` `FieldToMatch` setting.", 
@@ -36367,7 +41088,7 @@ }, "AWS::WAFv2::RuleGroup Headers": { "MatchPattern": "The filter to use to identify the subset of headers to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedHeaders` , or `ExcludedHeaders` .\n\nExample JSON: `\"MatchPattern\": { \"ExcludedHeaders\": [ \"KeyToExclude1\", \"KeyToExclude2\" ] }`", - "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "OversizeHandling": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::RuleGroup IPSetForwardedIPConfiguration": { 
@@ -36385,8 +41106,8 @@ "AWS::WAFv2::RuleGroup JsonBody": { "InvalidFallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\nAWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array.\n\nAWS WAF parses the JSON in the following examples as two valid key, value pairs:\n\n- Missing comma: `{\"key1\":\"value1\"\"key2\":\"value2\"}`\n- Missing colon: `{\"key1\":\"value1\",\"key2\"\"value2\"}`\n- Extra colons: `{\"key1\"::\"value1\",\"key2\"\"value2\"}`", "MatchPattern": "The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.", - "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. 
For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. 
For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::RuleGroup JsonMatchPattern": { "All": "Match all of the elements. See also `MatchScope` in the `JsonBody` `FieldToMatch` specification.\n\nYou must specify either this setting or the `IncludedPaths` setting, but not both.", 
@@ -36409,10 +41130,43 @@ "Statements": "The statements to combine with OR logic. You can use any statements that can be nested." }, "AWS::WAFv2::RuleGroup RateBasedStatement": { - "AggregateKeyType": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "AggregateKeyType": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. 
Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", + "CustomKeys": "Specifies the aggregate keys to use in a rate-base rule.", "ForwardedIPConfig": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.\n\n> If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. \n\nThis is required if you specify a forwarded IP in the rule's aggregate key settings.", - "Limit": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", - "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." + "Limit": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. 
If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", + "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." + }, + "AWS::WAFv2::RuleGroup RateBasedStatementCustomKey": { + "Cookie": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "ForwardedIP": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "HTTPMethod": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "Header": "Use the value of a header in the request as an aggregate key. 
Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "IP": "Use the request's originating IP address as an aggregate key. Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "LabelNamespace": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "QueryArgument": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "QueryString": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "UriPath": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance." 
+ }, + "AWS::WAFv2::RuleGroup RateLimitCookie": { + "Name": "The name of the cookie to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::RuleGroup RateLimitHeader": { + "Name": "The name of the header to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::RuleGroup RateLimitLabelNamespace": { + "Namespace": "The namespace to use for aggregation." + }, + "AWS::WAFv2::RuleGroup RateLimitQueryArgument": { + "Name": "The name of the query argument to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. 
Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::RuleGroup RateLimitQueryString": { + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::RuleGroup RateLimitUriPath": { + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." }, "AWS::WAFv2::RuleGroup RegexMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", 
@@ -36428,11 +41182,11 @@ "Action": "The action that AWS WAF should take on a web request when it matches the rule statement. Settings at the web ACL level can override the rule action setting.", "CaptchaConfig": "Specifies how AWS WAF should handle `CAPTCHA` evaluations. If you don't specify this, AWS WAF uses the `CAPTCHA` configuration that's defined for the web ACL.", "ChallengeConfig": "Specifies how AWS WAF should handle `Challenge` evaluations. If you don't specify this, AWS WAF uses the challenge configuration that's defined for the web ACL.", - "Name": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "Name": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "Priority": "If you define more than one `Rule` in a `WebACL` , AWS WAF evaluates each request against the `Rules` in order based on the value of `Priority` . AWS WAF processes rules with lower priority first. The priorities don't need to be consecutive, but they must all be different.", "RuleLabels": "Labels to apply to web requests that match the rule match statement. AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. 
The rule's rule group or web ACL defines the label namespace.\n\nRules that run after this rule in the web ACL can match against these labels using a `LabelMatchStatement` .\n\nFor each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines:\n\n- Separate each component of the label with a colon.\n- Each namespace or name can have up to 128 characters.\n- You can specify up to 5 namespaces in a label.\n- Don't use the following reserved words in your label specification: `aws` , `waf` , `managed` , `rulegroup` , `webacl` , `regexpatternset` , or `ipset` .\n\nFor example, `myLabelName` or `nameSpace1:nameSpace2:myLabelName` .", "Statement": "The AWS WAF processing statement for the rule, for example `ByteMatchStatement` or `SizeConstraintStatement` .", - "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection." + "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name." }, "AWS::WAFv2::RuleGroup RuleAction": { "Allow": "Instructs AWS WAF to allow the web request.", 
@@ -36466,16 +41220,20 @@ "LabelMatchStatement": "A rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL.\n\nThe label match statement provides the label or namespace string to search for. The label string can represent a part or all of the fully qualified label name that had been added to the web request. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. If you do not provide the fully qualified name in your label match string, AWS WAF performs the search for labels that were added in the same context as the label match statement.", "NotStatement": "A logical rule statement used to negate the results of another rule statement. You provide one `Statement` within the `NotStatement` .", "OrStatement": "A logical rule statement used to combine other rule statements with OR logic. You provide more than one `Statement` within the `OrStatement` .", - "RateBasedStatement": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . 
If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "RateBasedStatement": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. 
You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. 
The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. 
For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "RegexMatchStatement": "A rule statement used to search web request components for a match against a single regular expression.", "RegexPatternSetReferenceStatement": "A rule statement used to search web request components for matches with regular expressions. To use this, create a `RegexPatternSet` that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set.\n\nEach regex pattern set rule statement references a regex pattern set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.", - "SizeConstraintStatement": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. 
If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "SizeConstraintStatement": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "SqliMatchStatement": "A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.", "XssMatchStatement": "A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers." }, + "AWS::WAFv2::RuleGroup Tag": { + "Key": "Part of the key:value pair that defines a tag. 
You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::WAFv2::RuleGroup TextTransformation": { "Priority": "Sets the relative processing order for multiple transformations. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. The priorities don't need to be consecutive, but they must all be different.", - "Type": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . 
This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. 
The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages." + "Type": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::RuleGroup VisibilityConfig": { "CloudWatchMetricsEnabled": "Indicates whether the associated resource sends metrics to Amazon CloudWatch. 
For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics) in the *AWS WAF Developer Guide* .\n\nFor web ACLs, the metrics are for web requests that have the web ACL default action applied. AWS WAF applies the default action to web requests that pass the inspection of all rules in the web ACL without being either allowed or blocked. For more information,\nsee [The web ACL default action](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html) in the *AWS WAF Developer Guide* .", 
@@ -36487,26 +41245,35 @@ "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. If you specify one or more transformations in a rule statement, AWS WAF performs all transformations on the content of the request component identified by `FieldToMatch` , starting from the lowest priority setting, before inspecting the content for a match." }, "AWS::WAFv2::WebACL": { - "AssociationConfig": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "AssociationConfig": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "CaptchaConfig": "Specifies how AWS WAF should handle `CAPTCHA` evaluations for rules that don't have their own `CaptchaConfig` settings. If you don't specify this, AWS WAF uses its default settings for `CaptchaConfig` .", "ChallengeConfig": "Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own `ChallengeConfig` settings. 
If you don't specify this, AWS WAF uses its default settings for `ChallengeConfig` .", "CustomResponseBodies": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* .\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "DefaultAction": "The action to perform if none of the `Rules` contained in the `WebACL` match.", "Description": "A description of the web ACL that helps with identification.", "Name": "The name of the web ACL. You cannot change the name of a web ACL after you create it.", - "Rules": "The rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", + "Rules": "The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. 
Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation.", "TokenDomains": "Specifies the domains that AWS WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting. If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource. With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.", "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection." }, + "AWS::WAFv2::WebACL AWSManagedRulesACFPRuleSet": { + "CreationPath": "The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept `POST` requests.\n\nFor example, for the URL `https://example.com/web/newaccount` , you would provide the path `/web/newaccount` . Account creation page paths that start with the path that you provide are considered a match. 
For example `/web/newaccount` matches the account creation paths `/web/newaccount` , `/web/newaccount/` , `/web/newaccountPage` , and `/web/newaccount/thisPage` , but doesn't match the path `/home/web/newaccount` or `/website/newaccount` .", + "EnableRegexInPath": "Allow the use of regular expressions in the registration page path and the account creation path.", + "RegistrationPagePath": "The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users.\n\n> This page must accept `GET` text/html requests. \n\nFor example, for the URL `https://example.com/web/registration` , you would provide the path `/web/registration` . Registration page paths that start with the path that you provide are considered a match. For example `/web/registration` matches the registration paths `/web/registration` , `/web/registration/` , `/web/registrationPage` , and `/web/registration/thisPage` , but doesn't match the path `/home/web/registration` or `/website/registration` .", + "RequestInspection": "The criteria for inspecting account creation requests, used by the ACFP rule group to validate and track account creation attempts.", + "ResponseInspection": "The criteria for inspecting responses to account creation requests, used by the ACFP rule group to track account creation success rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ACFP rule group evaluates the responses that your protected resources send back to client account creation attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many successful account creation attempts in a short amount of time." 
+ }, "AWS::WAFv2::WebACL AWSManagedRulesATPRuleSet": { - "LoginPath": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", + "EnableRegexInPath": "Allow the use of regular expressions in the login page path.", + "LoginPath": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` . Login paths that start with the path that you provide are considered a match. For example `/web/login` matches the login paths `/web/login` , `/web/login/` , `/web/loginPage` , and `/web/login/thisPage` , but doesn't match the login path `/home/web/login` or `/website/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", "RequestInspection": "The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.", - "ResponseInspection": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions." + "ResponseInspection": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. 
\n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time." }, "AWS::WAFv2::WebACL AWSManagedRulesBotControlRuleSet": { - "InspectionLevel": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) ." + "EnableMachineLearning": "Applies only to the targeted inspection level.\n\nDetermines whether to use machine learning (ML) to analyze your web traffic for bot-related activity. Machine learning is required for the Bot Control rules `TGT_ML_CoordinatedActivityLow` and `TGT_ML_CoordinatedActivityMedium` , which\ninspect for anomalous behavior that might indicate distributed, coordinated bot activity.\n\nFor more information about this choice, see the listing for these rules in the table at [Bot Control rules listing](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html#aws-managed-rule-groups-bot-rules) in the *AWS WAF Developer Guide* .\n\nDefault: `TRUE`", + "InspectionLevel": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) in the *AWS WAF Developer Guide* ." 
}, "AWS::WAFv2::WebACL AllowAction": { "CustomRequestHandling": "Defines custom handling for the web request.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* ." 
@@ -36515,13 +41282,13 @@ "Statements": "The statements to combine with AND logic. You can use any statements that can be nested." }, "AWS::WAFv2::WebACL AssociationConfig": { - "RequestBody": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) ." + "RequestBody": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) ." }, "AWS::WAFv2::WebACL BlockAction": { "CustomResponse": "Defines a custom response for the web request.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::WebACL Body": { - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. 
For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::WebACL ByteMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", 
@@ -36537,7 +41304,7 @@ "ImmunityTimeProperty": "Determines how long a `CAPTCHA` timestamp in the token remains valid after the client successfully solves a `CAPTCHA` puzzle." }, "AWS::WAFv2::WebACL ChallengeAction": { - "CustomRequestHandling": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) ." + "CustomRequestHandling": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) ." }, "AWS::WAFv2::WebACL ChallengeConfig": { "ImmunityTimeProperty": "Determines how long a challenge timestamp in the token remains valid after the client successfully responds to a challenge." 
@@ -36549,7 +41316,7 @@ }, "AWS::WAFv2::WebACL Cookies": { "MatchPattern": "The filter to use to identify the subset of cookies to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedCookies` , or `ExcludedCookies` .\n\nExample JSON: `\"MatchPattern\": { \"IncludedCookies\": [ \"session-id-time\", \"session-id\" ] }`", - "MatchScope": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "MatchScope": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "OversizeHandling": "What AWS WAF should do if the cookies of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available cookies normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::WebACL CountAction": { 
@@ -36565,7 +41332,7 @@ "AWS::WAFv2::WebACL CustomResponse": { "CustomResponseBodyKey": "References the response body that you want AWS WAF to return to the web request client. You can define a custom response for a rule action or a default web ACL action that is set to block. To do this, you first define the response body key and value in the `CustomResponseBodies` setting for the `WebACL` or `RuleGroup` where you want to use it. Then, in the rule action or web ACL default action `BlockAction` setting, you reference the response body using this key.", "ResponseCode": "The HTTP status code to return to the client.\n\nFor a list of status codes that you can use in your custom responses, see [Supported status codes for custom response](https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-status-codes.html) in the *AWS WAF Developer Guide* .", - "ResponseHeaders": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* ." + "ResponseHeaders": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::WebACL CustomResponseBody": { "Content": "The payload of the custom response.\n\nYou can use JSON escape strings in JSON content. 
To do this, you must specify JSON content in the `ContentType` setting.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", 
@@ -36579,14 +41346,14 @@ "Name": "The name of the rule whose action you want to override to `Count` ." }, "AWS::WAFv2::WebACL FieldIdentifier": { - "Identifier": "The name of the username or password field, used in the `ManagedRuleGroupConfig` settings.\n\nWhen the `PayloadType` is `JSON` , the identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` ." + "Identifier": "The name of the field.\n\nWhen the `PayloadType` in the request inspection is `JSON` , this identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .\n\nFor more information, see the descriptions for each field type in the request inspection properties." }, "AWS::WAFv2::WebACL FieldToMatch": { "AllQueryArguments": "Inspect all query arguments.", - "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). 
For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "Cookies": "Inspect the request cookies. You must configure scope and pattern matching filters in the `Cookies` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the `Cookies` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.", "Headers": "Inspect the request headers. You must configure scope and pattern matching filters in the `Headers` object, to define the set of headers to and the parts of the headers that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the `Headers` object. 
AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.", - "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "Method": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.", "QueryString": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.", "SingleHeader": "Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` . 
This setting isn't case sensitive.\n\nExample JSON: `\"SingleHeader\": { \"Name\": \"haystack\" }`\n\nAlternately, you can filter and inspect all headers with the `Headers` `FieldToMatch` setting.", @@ -36608,7 +41375,7 @@ }, "AWS::WAFv2::WebACL Headers": { "MatchPattern": "The filter to use to identify the subset of headers to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedHeaders` , or `ExcludedHeaders` .\n\nExample JSON: `\"MatchPattern\": { \"ExcludedHeaders\": [ \"KeyToExclude1\", \"KeyToExclude2\" ] }`", - "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "OversizeHandling": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::WebACL IPSetForwardedIPConfiguration": { 
@@ -36626,8 +41393,8 @@ "AWS::WAFv2::WebACL JsonBody": { "InvalidFallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\nAWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array.\n\nAWS WAF parses the JSON in the following examples as two valid key, value pairs:\n\n- Missing comma: `{\"key1\":\"value1\"\"key2\":\"value2\"}`\n- Missing colon: `{\"key1\":\"value1\",\"key2\"\"value2\"}`\n- Extra colons: `{\"key1\"::\"value1\",\"key2\"\"value2\"}`", "MatchPattern": "The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.", - "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. 
For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. 
For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::WebACL JsonMatchPattern": { "All": "Match all of the elements. See also `MatchScope` in the `JsonBody` `FieldToMatch` specification.\n\nYou must specify either this setting or the `IncludedPaths` setting, but not both.", 
@@ -36641,16 +41408,17 @@ "Scope": "Specify whether you want to match using the label name or just the namespace." }, "AWS::WAFv2::WebACL ManagedRuleGroupConfig": { + "AWSManagedRulesACFPRuleSet": "Additional configuration for using the account creation fraud prevention (ACFP) managed rule group, `AWSManagedRulesACFPRuleSet` . Use this to provide account creation request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to account creation requests.\n\nFor information about using the ACFP managed rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-acfp.html) and [AWS WAF Fraud Control account creation fraud prevention (ACFP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-acfp.html) in the *AWS WAF Developer Guide* .", "AWSManagedRulesATPRuleSet": "Additional configuration for using the account takeover prevention (ATP) managed rule group, `AWSManagedRulesATPRuleSet` . Use this to provide login request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to login requests.\n\nThis configuration replaces the individual configuration fields in `ManagedRuleGroupConfig` and provides additional feature configuration.\n\nFor information about using the ATP managed rule group, see [AWS WAF Fraud Control account takeover prevention (ATP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-atp.html) and [AWS WAF Fraud Control account takeover prevention (ATP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-atp.html) in the *AWS WAF Developer Guide* .", "AWSManagedRulesBotControlRuleSet": "Additional configuration for using the Bot Control managed rule group. 
Use this to specify the inspection level that you want to use. For information about using the Bot Control managed rule group, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) and [AWS WAF Bot Control](https://docs.aws.amazon.com/waf/latest/developerguide/waf-bot-control.html) in the *AWS WAF Developer Guide* .", "LoginPath": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` .", - "PasswordField": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", - "PayloadType": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", - "UsernameField": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` ." + "PasswordField": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", + "PayloadType": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", + "UsernameField": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` ." }, "AWS::WAFv2::WebACL ManagedRuleGroupStatement": { "ExcludedRules": "Rules in the referenced rule group whose actions are set to `Count` .\n\n> Instead of this option, use `RuleActionOverrides` . It accepts any valid action setting, including `Count` .", - "ManagedRuleGroupConfigs": "Additional information that's used by a managed rule group. 
Many managed rule groups don't require this.\n\nUse the `AWSManagedRulesATPRuleSet` configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.\n\nUse the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", + "ManagedRuleGroupConfigs": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", "Name": "The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.", "RuleActionOverrides": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. 
You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group. Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", 
@@ -36668,10 +41436,43 @@ "None": "Don't override the rule group evaluation result. This is the most common setting." }, "AWS::WAFv2::WebACL RateBasedStatement": { - "AggregateKeyType": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "AggregateKeyType": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. 
Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", + "CustomKeys": "Specifies the aggregate keys to use in a rate-base rule.", "ForwardedIPConfig": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.\n\n> If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. \n\nThis is required if you specify a forwarded IP in the rule's aggregate key settings.", - "Limit": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", - "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." + "Limit": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. 
If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", + "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." + }, + "AWS::WAFv2::WebACL RateBasedStatementCustomKey": { + "Cookie": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "ForwardedIP": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "HTTPMethod": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "Header": "Use the value of a header in the request as an aggregate key. 
Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "IP": "Use the request's originating IP address as an aggregate key. Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "LabelNamespace": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "QueryArgument": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "QueryString": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "UriPath": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance." 
+ }, + "AWS::WAFv2::WebACL RateLimitCookie": { + "Name": "The name of the cookie to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::WebACL RateLimitHeader": { + "Name": "The name of the header to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::WebACL RateLimitLabelNamespace": { + "Namespace": "The namespace to use for aggregation." + }, + "AWS::WAFv2::WebACL RateLimitQueryArgument": { + "Name": "The name of the query argument to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. 
Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::WebACL RateLimitQueryString": { + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::WebACL RateLimitUriPath": { + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." }, "AWS::WAFv2::WebACL RegexMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", 
@@ -36684,47 +41485,55 @@ "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. If you specify one or more transformations in a rule statement, AWS WAF performs all transformations on the content of the request component identified by `FieldToMatch` , starting from the lowest priority setting, before inspecting the content for a match." }, "AWS::WAFv2::WebACL RequestBodyAssociatedResourceTypeConfig": { - "DefaultSizeInspectionLimit": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 kilobytes)`" + "DefaultSizeInspectionLimit": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 bytes)`" }, "AWS::WAFv2::WebACL RequestInspection": { "PasswordField": "The name of the field in the request payload that contains your customer's password.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. 
For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"password\": \"THE_PASSWORD\" } }` , the password field specification is `/form/password` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `password1` , the password field specification is `password1` .", "PayloadType": "The payload type for your login endpoint, either JSON or form encoded.", "UsernameField": "The name of the field in the request payload that contains your customer's username.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"username\": \"THE_USERNAME\" } }` , the username field specification is `/form/username` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `username1` , the username field specification is `username1`" }, + "AWS::WAFv2::WebACL RequestInspectionACFP": { + "AddressFields": "The names of the fields in the request payload that contain your customer's primary physical address.\n\nOrder the address fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the address fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. 
For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryaddressline1\": \"THE_ADDRESS1\", \"primaryaddressline2\": \"THE_ADDRESS2\", \"primaryaddressline3\": \"THE_ADDRESS3\" } }` , the address field idenfiers are `/form/primaryaddressline1` , `/form/primaryaddressline2` , and `/form/primaryaddressline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` , the address fields identifiers are `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` .", + "EmailField": "The name of the field in the request payload that contains your customer's email.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"email\": \"THE_EMAIL\" } }` , the email field specification is `/form/email` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `email1` , the email field specification is `email1` .", + "PasswordField": "The name of the field in the request payload that contains your customer's password.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. 
For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"password\": \"THE_PASSWORD\" } }` , the password field specification is `/form/password` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `password1` , the password field specification is `password1` .", + "PayloadType": "The payload type for your account creation endpoint, either JSON or form encoded.", + "PhoneNumberFields": "The names of the fields in the request payload that contain your customer's primary phone number.\n\nOrder the phone number fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the phone number fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. 
For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryphoneline1\": \"THE_PHONE1\", \"primaryphoneline2\": \"THE_PHONE2\", \"primaryphoneline3\": \"THE_PHONE3\" } }` , the phone number field identifiers are `/form/primaryphoneline1` , `/form/primaryphoneline2` , and `/form/primaryphoneline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` , the phone number field identifiers are `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` .", + "UsernameField": "The name of the field in the request payload that contains your customer's username.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"username\": \"THE_USERNAME\" } }` , the username field specification is `/form/username` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `username1` , the username field specification is `username1`" + }, "AWS::WAFv2::WebACL ResponseInspection": { - "BodyContains": "Configures inspection of the response body. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", - "Header": "Configures inspection of the response header.", - "Json": "Configures inspection of the response JSON. 
AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", - "StatusCode": "Configures inspection of the response status code." + "BodyContains": "Configures inspection of the response body for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", + "Header": "Configures inspection of the response header for success and failure indicators.", + "Json": "Configures inspection of the response JSON for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", + "StatusCode": "Configures inspection of the response status code for success and failure indicators." }, "AWS::WAFv2::WebACL ResponseInspectionBodyContains": { - "FailureStrings": "Strings in the body of the response that indicate a failed login attempt. To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Login failed\" ]`", - "SuccessStrings": "Strings in the body of the response that indicate a successful login attempt. To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"SuccessStrings\": [ \"Login successful\", \"Welcome to our site!\" ]`" + "FailureStrings": "Strings in the body of the response that indicate a failed login or account creation attempt. To be counted as a failure, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Request failed\" ]`", + "SuccessStrings": "Strings in the body of the response that indicate a successful login or account creation attempt. 
To be counted as a success, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON examples: `\"SuccessStrings\": [ \"Login successful\" ]` and `\"SuccessStrings\": [ \"Account creation successful\", \"Welcome to our site!\" ]`" }, "AWS::WAFv2::WebACL ResponseInspectionHeader": { - "FailureValues": "Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]`", - "Name": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"LoginResult\" ]`", - "SuccessValues": "Values in the response header with the specified name that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]`" + "FailureValues": "Values in the response header with the specified name that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]` and `\"FailureValues\": [ \"AccountCreationFailed\" ]`", + "Name": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"RequestResult\" ]`", + "SuccessValues": "Values in the response header with the specified name that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. 
Each value must be unique among the success and failure values.\n\nJSON examples: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]` and `\"SuccessValues\": [ \"AccountCreated\", \"Successful account creation\" ]`" }, "AWS::WAFv2::WebACL ResponseInspectionJson": { - "FailureValues": "Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", - "Identifier": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON example: `\"Identifier\": [ \"/login/success\" ]`", - "SuccessValues": "Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`" + "FailureValues": "Values for the specified identifier in the response JSON that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", + "Identifier": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON examples: `\"Identifier\": [ \"/login/success\" ]` and `\"Identifier\": [ \"/sign-up/success\" ]`", + "SuccessValues": "Values for the specified identifier in the response JSON that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. 
Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`" }, "AWS::WAFv2::WebACL ResponseInspectionStatusCode": { - "FailureCodes": "Status codes in the response that indicate a failed login attempt. To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", - "SuccessCodes": "Status codes in the response that indicate a successful login attempt. To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`" + "FailureCodes": "Status codes in the response that indicate a failed login or account creation attempt. To be counted as a failure, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", + "SuccessCodes": "Status codes in the response that indicate a successful login or account creation attempt. To be counted as a success, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`" }, "AWS::WAFv2::WebACL Rule": { "Action": "The action that AWS WAF should take on a web request when it matches the rule's statement. Settings at the web ACL level can override the rule action setting.\n\nThis is used only for rules whose statements don't reference a rule group. 
Rule statements that reference a rule group are `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement` .\n\nYou must set either this `Action` setting or the rule's `OverrideAction` , but not both:\n\n- If the rule statement doesn't reference a rule group, you must set this rule action setting and you must not set the rule's override action setting.\n- If the rule statement references a rule group, you must not set this action setting, because the actions are already set on the rules inside the rule group. You must set the rule's override action setting to indicate specifically whether to override the actions that are set on the rules in the rule group.", "CaptchaConfig": "Specifies how AWS WAF should handle `CAPTCHA` evaluations. If you don't specify this, AWS WAF uses the `CAPTCHA` configuration that's defined for the web ACL.", "ChallengeConfig": "Specifies how AWS WAF should handle `Challenge` evaluations. If you don't specify this, AWS WAF uses the challenge configuration that's defined for the web ACL.", - "Name": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "Name": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "OverrideAction": "The override action to apply to the rules in a rule group, instead of the individual rule action settings. This is used only for rules whose statements reference a rule group. Rule statements that reference a rule group are `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement` .\n\nSet the override action to none to leave the rule group rule actions in effect. 
Set it to count to only count matches, regardless of the rule action settings.\n\nYou must set either this `OverrideAction` setting or the `Action` setting, but not both:\n\n- If the rule statement references a rule group, you must set this override action setting and you must not set the rule's action setting.\n- If the rule statement doesn't reference a rule group, you must set the rule action setting and you must not set the rule's override action setting.", "Priority": "If you define more than one `Rule` in a `WebACL` , AWS WAF evaluates each request against the `Rules` in order based on the value of `Priority` . AWS WAF processes rules with lower priority first. The priorities don't need to be consecutive, but they must all be different.", "RuleLabels": "Labels to apply to web requests that match the rule match statement. AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace.\n\nRules that run after this rule in the web ACL can match against these labels using a `LabelMatchStatement` .\n\nFor each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines:\n\n- Separate each component of the label with a colon.\n- Each namespace or name can have up to 128 characters.\n- You can specify up to 5 namespaces in a label.\n- Don't use the following reserved words in your label specification: `aws` , `waf` , `managed` , `rulegroup` , `webacl` , `regexpatternset` , or `ipset` .\n\nFor example, `myLabelName` or `nameSpace1:nameSpace2:myLabelName` .", "Statement": "The AWS WAF processing statement for the rule, for example `ByteMatchStatement` or `SizeConstraintStatement` .", - "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection." 
+ "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name." }, "AWS::WAFv2::WebACL RuleAction": { "Allow": "Instructs AWS WAF to allow the web request.", 
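Review bot: The JSON Pointer link in each added `RequestInspectionACFP` description (`AddressFields`, `EmailField`, `PasswordField`, `PhoneNumberFields`, `UsernameField`) is malformed. `https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901` has the docs host prepended to an already absolute URL and should read `https://tools.ietf.org/html/rfc6901`. The unchanged `RequestInspection` entries in this hunk carry the same link, so the text is presumably produced by a link-rewriting step rather than written by hand. If so, the fix belongs in that step, which should leave URLs that already have a scheme untouched. The added `AddressFields` text also misspells `identifiers` as `idenfiers`.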
@@ -36765,20 +41574,24 @@ "GeoMatchStatement": "A rule statement that labels web requests by country and region and that matches against web requests based on country code. A geo match rule labels every request that it inspects regardless of whether it finds a match.\n\n- To manage requests only by country, you can use this statement by itself and specify the countries that you want to match against in the `CountryCodes` array.\n- Otherwise, configure your geo match rule with Count action so that it only labels requests. Then, add one or more label match rules to run after the geo match rule and configure them to match against the geographic labels and handle the requests as needed.\n\nAWS WAF labels requests using the alpha-2 country and region codes from the International Organization for Standardization (ISO) 3166 standard. AWS WAF determines the codes using either the IP address in the web request origin or, if you specify it, the address in the geo match `ForwardedIPConfig` .\n\nIf you use the web request origin, the label formats are `awswaf:clientip:geo:region:-` and `awswaf:clientip:geo:country:` .\n\nIf you use a forwarded IP address, the label formats are `awswaf:forwardedip:geo:region:-` and `awswaf:forwardedip:geo:country:` .\n\nFor additional details, see [Geographic match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "IPSetReferenceStatement": "A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an `IPSet` that specifies the addresses you want to detect, then use the ARN of that set in this statement.\n\nEach IP set rule statement references an IP set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. 
When you update the referenced set, AWS WAF automatically updates all rules that reference it.", "LabelMatchStatement": "A rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL.\n\nThe label match statement provides the label or namespace string to search for. The label string can represent a part or all of the fully qualified label name that had been added to the web request. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. If you do not provide the fully qualified name in your label match string, AWS WAF performs the search for labels that were added in the same context as the label match statement.", - "ManagedRuleGroupStatement": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement.\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.", + "ManagedRuleGroupStatement": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call `ListAvailableManagedRuleGroups` .\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . 
It can only be referenced as a top-level statement within a rule.\n\n> You are charged additional fees when you use the AWS WAF Bot Control managed rule group `AWSManagedRulesBotControlRuleSet` , the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group `AWSManagedRulesATPRuleSet` , or the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group `AWSManagedRulesACFPRuleSet` . For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "NotStatement": "A logical rule statement used to negate the results of another rule statement. You provide one `Statement` within the `NotStatement` .", "OrStatement": "A logical rule statement used to combine other rule statements with OR logic. You provide more than one `Statement` within the `OrStatement` .", - "RateBasedStatement": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . 
If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "RateBasedStatement": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. 
You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. 
The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. 
For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "RegexMatchStatement": "A rule statement used to search web request components for a match against a single regular expression.", "RegexPatternSetReferenceStatement": "A rule statement used to search web request components for matches with regular expressions. To use this, create a `RegexPatternSet` that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set.\n\nEach regex pattern set rule statement references a regex pattern set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.", - "RuleGroupReferenceStatement": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You can only use a rule group reference statement at the top level inside a web ACL.", - "SizeConstraintStatement": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). 
For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "RuleGroupReferenceStatement": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You cannot use a rule group reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.", + "SizeConstraintStatement": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). 
For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "SqliMatchStatement": "A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.", "XssMatchStatement": "A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers." }, + "AWS::WAFv2::WebACL Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::WAFv2::WebACL TextTransformation": { "Priority": "Sets the relative processing order for multiple transformations. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. The priorities don't need to be consecutive, but they must all be different.", - "Type": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. 
These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. 
`HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. 
Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages." + "Type": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::WebACL VisibilityConfig": { "CloudWatchMetricsEnabled": "Indicates whether the associated resource sends metrics to Amazon CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics) in the *AWS WAF Developer Guide* .\n\nFor web ACLs, the metrics are for web requests that have the web ACL default action applied. AWS WAF applies the default action to web requests that pass the inspection of all rules in the web ACL without being either allowed or blocked. For more information,\nsee [The web ACL default action](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html) in the *AWS WAF Developer Guide* .", 
@@ -36796,12 +41609,16 @@ "AWS::Wisdom::Assistant": { "Description": "The description of the assistant.", "Name": "The name of the assistant.", - "ServerSideEncryptionConfiguration": "The KMS key used for encryption.", + "ServerSideEncryptionConfiguration": "The configuration information for the customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) .", "Tags": "The tags used to organize, track, or control access for this resource.", "Type": "The type of assistant." }, "AWS::Wisdom::Assistant ServerSideEncryptionConfiguration": { - "KmsKeyId": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* ." + "KmsKeyId": "The customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . 
For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* ." + }, + "AWS::Wisdom::Assistant Tag": { + "Key": "", + "Value": "" }, "AWS::Wisdom::AssistantAssociation": { "AssistantId": "The identifier of the Wisdom assistant.", 
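Review bot: The added `AWS::Wisdom::Assistant Tag` entry has empty strings for both `Key` and `Value`, so anything that reads descriptions from this file gets nothing for those two properties. The `AWS::Wisdom::AssistantAssociation Tag` and `AWS::Wisdom::KnowledgeBase Tag` entries added in the next hunk have the same gap. Other tag entries in this change carry real text, so the Wisdom ones could follow them with `"Key": "The key of the tag."` and `"Value": "The value of the tag."`. If this file is generated from upstream documentation, the backfill presumably belongs in the generator or the upstream source rather than in a hand edit here.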
@@ -36812,37 +41629,49 @@ "AWS::Wisdom::AssistantAssociation AssociationData": { "KnowledgeBaseId": "The identifier of the knowledge base." }, + "AWS::Wisdom::AssistantAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::Wisdom::KnowledgeBase": { "Description": "The description.", "KnowledgeBaseType": "The type of knowledge base. Only CUSTOM knowledge bases allow you to upload your own content. EXTERNAL knowledge bases support integrations with third-party systems whose content is synchronized automatically.", "Name": "The name of the knowledge base.", "RenderingConfiguration": "Information about how to render the content.", - "ServerSideEncryptionConfiguration": "The KMS key used for encryption.", + "ServerSideEncryptionConfiguration": "This customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "SourceConfiguration": "The source of the knowledge base content. Only set this argument for EXTERNAL knowledge bases.", "Tags": "The tags used to organize, track, or control access for this resource." 
}, "AWS::Wisdom::KnowledgeBase AppIntegrationsConfiguration": { - "AppIntegrationArn": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .", - "ObjectFields": "The fields from the source that are made available to your agents in Wisdom. 
Optional if ObjectConfiguration is included in the provided DataIntegration.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , you must include at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` .\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , you must include at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` .\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , you must include at least `id` , `title` , `updated_at` , and `draft` .\n\nMake sure to include additional fields. These fields are indexed and used to source recommendations." + "AppIntegrationArn": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an 
ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .\n- For [Amazon S3](https://docs.aws.amazon.com/https://aws.amazon.com/s3/) , the ObjectConfiguration and FileConfiguration of your AppIntegrations DataIntegration must be null. The `SourceURI` of your DataIntegration must use the following format: `s3://your_s3_bucket_name` .\n\n> The bucket policy of the corresponding S3 bucket must allow the AWS principal `app-integrations.amazonaws.com` to perform `s3:ListBucket` , `s3:GetObject` , and `s3:GetBucketLocation` against the bucket.", + "ObjectFields": "The fields from the source that are made available to your agents in Amazon Q. Optional if ObjectConfiguration is included in the provided DataIntegration.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , you must include at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` .\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , you must include at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` .\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , you must include at least `id` , `title` , `updated_at` , and `draft` .\n\nMake sure to include additional fields. These fields are indexed and used to source recommendations." 
}, "AWS::Wisdom::KnowledgeBase RenderingConfiguration": { - "TemplateUri": "A URI template containing exactly one variable in `${variableName}` format. This can only be set for `EXTERNAL` knowledge bases. For Salesforce, ServiceNow, and Zendesk, the variable must be one of the following:\n\n- Salesforce: `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , or `IsDeleted`\n- ServiceNow: `number` , `short_description` , `sys_mod_count` , `workflow_state` , or `active`\n- Zendesk: `id` , `title` , `updated_at` , or `draft`\n\nThe variable is replaced with the actual value for a piece of content when calling [GetContent](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_GetContent.html) ." + "TemplateUri": "A URI template containing exactly one variable in `${variableName}` format. This can only be set for `EXTERNAL` knowledge bases. For Salesforce, ServiceNow, and Zendesk, the variable must be one of the following:\n\n- Salesforce: `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , or `IsDeleted`\n- ServiceNow: `number` , `short_description` , `sys_mod_count` , `workflow_state` , or `active`\n- Zendesk: `id` , `title` , `updated_at` , or `draft`\n\nThe variable is replaced with the actual value for a piece of content when calling [GetContent](https://docs.aws.amazon.com/amazon-q-connect/latest/APIReference/API_GetContent.html) ." }, "AWS::Wisdom::KnowledgeBase ServerSideEncryptionConfiguration": { - "KmsKeyId": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* ." 
+ "KmsKeyId": "The customer managed key used for encryption.\n\nThis customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom.\n\nFor more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) ." }, "AWS::Wisdom::KnowledgeBase SourceConfiguration": { "AppIntegrations": "Configuration information for Amazon AppIntegrations to automatically ingest content." }, + "AWS::Wisdom::KnowledgeBase Tag": { + "Key": "", + "Value": "" + }, "AWS::WorkSpaces::ConnectionAlias": { "ConnectionString": "The connection string specified for the connection alias. The connection string must be in the form of a fully qualified domain name (FQDN), such as `www.example.com` .", "Tags": "The tags to associate with the connection alias." }, "AWS::WorkSpaces::ConnectionAlias ConnectionAliasAssociation": { - "AssociatedAccountId": "", - "AssociationStatus": "", - "ConnectionIdentifier": "", - "ResourceId": "" + "AssociatedAccountId": "The identifier of the AWS account that associated the connection alias with a directory.", + "AssociationStatus": "The association status of the connection alias.", + "ConnectionIdentifier": "The identifier of the connection alias association. You use the connection identifier in the DNS TXT record when you're configuring your DNS routing policies.", + "ResourceId": "The identifier of the directory associated with a connection alias." + }, + "AWS::WorkSpaces::ConnectionAlias Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." }, "AWS::WorkSpaces::Workspace": { "BundleId": "The identifier of the bundle for the WorkSpace.", 
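Review bot: The new Amazon S3 bullet in `AppIntegrationArn` links to `https://docs.aws.amazon.com/https://aws.amazon.com/s3/`, an absolute URL with the docs host prefixed onto it, which is unlikely to resolve. The link should read `[Amazon S3](https://aws.amazon.com/s3/)`. The Salesforce, ServiceNow, Zendesk and SharePoint links in the same value carry the same prefix on both sides of the diff, so one normalisation step would cover them all. Separately, the new `AWS::Wisdom::KnowledgeBase` `ServerSideEncryptionConfiguration` text opens with "This customer managed key must have a policy…" without first saying what the property is. Starting it as the Assistant entry does ("The configuration information for the customer managed key used for encryption.") would make the key-policy requirement easier to read in isolation.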
@@ -36854,6 +41683,10 @@ "VolumeEncryptionKey": "The ARN of the symmetric AWS KMS key used to encrypt data stored on your WorkSpace. Amazon WorkSpaces does not support asymmetric KMS keys.", "WorkspaceProperties": "The WorkSpace properties." }, + "AWS::WorkSpaces::Workspace Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::WorkSpaces::Workspace WorkspaceProperties": { "ComputeTypeName": "The compute type. For more information, see [Amazon WorkSpaces Bundles](https://docs.aws.amazon.com/workspaces/details/#Amazon_WorkSpaces_Bundles) .", "RootVolumeSizeGib": "The size of the root volume. For important information about how to modify the size of the root and user volumes, see [Modify a WorkSpace](https://docs.aws.amazon.com/workspaces/latest/adminguide/modify-workspaces.html) .", 
@@ -36861,6 +41694,131 @@ "RunningModeAutoStopTimeoutInMinutes": "The time after a user logs off when WorkSpaces are automatically stopped. Configured in 60-minute intervals.", "UserVolumeSizeGib": "The size of the user storage. For important information about how to modify the size of the root and user volumes, see [Modify a WorkSpace](https://docs.aws.amazon.com/workspaces/latest/adminguide/modify-workspaces.html) ." }, + "AWS::WorkSpacesThinClient::Environment": { + "DesiredSoftwareSetId": "The ID of the software set to apply.", + "DesktopArn": "The Amazon Resource Name (ARN) of the desktop to stream from Amazon WorkSpaces , WorkSpaces Web, or AppStream 2.0 .", + "DesktopEndpoint": "The URL for the identity provider login (only for environments that use AppStream 2.0 ).", + "KmsKeyArn": "The Amazon Resource Name (ARN) of the AWS Key Management Service key used to encrypt the environment.", + "MaintenanceWindow": "A specification for a time window to apply software updates.", + "Name": "The name of the environment.", + "SoftwareSetUpdateMode": "An option to define which software updates to apply.", + "SoftwareSetUpdateSchedule": "An option to define if software updates should be applied within a maintenance window.", + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." 
+ }, + "AWS::WorkSpacesThinClient::Environment MaintenanceWindow": { + "ApplyTimeOf": "The option to set the maintenance window during the device local time or Universal Coordinated Time (UTC).", + "DaysOfTheWeek": "The days of the week during which the maintenance window is open.", + "EndTimeHour": "The hour for the maintenance window end ( `00` - `23` ).", + "EndTimeMinute": "The minutes for the maintenance window end ( `00` - `59` ).", + "StartTimeHour": "The hour for the maintenance window start ( `00` - `23` ).", + "StartTimeMinute": "The minutes past the hour for the maintenance window start ( `00` - `59` ).", + "Type": "An option to select the default or custom maintenance window." + }, + "AWS::WorkSpacesThinClient::Environment Tag": { + "Key": "The key name of the tag.", + "Value": "The value for the tag." + }, + "AWS::WorkSpacesWeb::BrowserSettings": { + "AdditionalEncryptionContext": "Additional encryption context of the browser settings.", + "BrowserPolicy": "A JSON string containing Chrome Enterprise policies that will be applied to all streaming sessions.", + "CustomerManagedKey": "The custom managed key of the browser settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "Tags": "The tags to add to the browser settings resource. A tag is a key-value pair." + }, + "AWS::WorkSpacesWeb::BrowserSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::IdentityProvider": { + "IdentityProviderDetails": "The identity provider details. 
The following list describes the provider detail keys for each identity provider type.\n\n- For Google and Login with Amazon:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- For Facebook:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- `api_version`\n- For Sign in with Apple:\n\n- `client_id`\n- `team_id`\n- `key_id`\n- `private_key`\n- `authorize_scopes`\n- For OIDC providers:\n\n- `client_id`\n- `client_secret`\n- `attributes_request_method`\n- `oidc_issuer`\n- `authorize_scopes`\n- `authorize_url` *if not available from discovery URL specified by oidc_issuer key*\n- `token_url` *if not available from discovery URL specified by oidc_issuer key*\n- `attributes_url` *if not available from discovery URL specified by oidc_issuer key*\n- `jwks_uri` *if not available from discovery URL specified by oidc_issuer key*\n- For SAML providers:\n\n- `MetadataFile` OR `MetadataURL`\n- `IDPSignout` *optional*", + "IdentityProviderName": "The identity provider name.", + "IdentityProviderType": "The identity provider type.", + "PortalArn": "The ARN of the identity provider." + }, + "AWS::WorkSpacesWeb::IpAccessSettings": { + "AdditionalEncryptionContext": "Additional encryption context of the IP access settings.", + "CustomerManagedKey": "The custom managed key of the IP access settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "Description": "The description of the IP access settings.", + "DisplayName": "The display name of the IP access settings.", + "IpRules": "The IP rules of the IP access settings.", + "Tags": "The tags to add to the browser settings resource. A tag is a key-value pair." + }, + "AWS::WorkSpacesWeb::IpAccessSettings IpRule": { + "Description": "The description of the IP rule.", + "IpRange": "The IP range of the IP rule. This can either be a single IP address or a range using CIDR notation." 
+ }, + "AWS::WorkSpacesWeb::IpAccessSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::NetworkSettings": { + "SecurityGroupIds": "One or more security groups used to control access from streaming instances to your VPC.\n\n*Pattern* : `^[\\w+\\-]+$`", + "SubnetIds": "The subnets in which network interfaces are created to connect streaming instances to your VPC. At least two of these subnets must be in different availability zones.\n\n*Pattern* : `^subnet-([0-9a-f]{8}|[0-9a-f]{17})$`", + "Tags": "The tags to add to the network settings resource. A tag is a key-value pair.", + "VpcId": "The VPC that streaming instances will connect to.\n\n*Pattern* : `^vpc-[0-9a-z]*$`" + }, + "AWS::WorkSpacesWeb::NetworkSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::Portal": { + "AdditionalEncryptionContext": "The additional encryption context of the portal.", + "AuthenticationType": "The type of authentication integration points used when signing into the web portal. Defaults to `Standard` .\n\n`Standard` web portals are authenticated directly through your identity provider (IdP). User and group access to your web portal is controlled through your IdP. You need to include an IdP resource in your template to integrate your IdP with your web portal. Completing the configuration for your IdP requires exchanging WorkSpaces Web\u2019s SP metadata with your IdP\u2019s IdP metadata. If your IdP requires the SP metadata first before returning the IdP metadata, you should follow these steps:\n\n1. Create and deploy a CloudFormation template with a `Standard` portal with no `IdentityProvider` resource.\n\n2. Retrieve the SP metadata using `Fn:GetAtt` , the WorkSpaces Web console, or by the calling the `GetPortalServiceProviderMetadata` API.\n\n3. Submit the data to your IdP.\n\n4. 
Add an `IdentityProvider` resource to your CloudFormation template.\n\n`IAM Identity Center` web portals are authenticated through AWS IAM Identity Center . They provide additional features, such as IdP-initiated authentication. Identity sources (including external identity provider integration) and other identity provider information must be configured in IAM Identity Center . User and group assignment must be done through the WorkSpaces Web console. These cannot be configured in CloudFormation.", + "BrowserSettingsArn": "The ARN of the browser settings that is associated with this web portal.", + "CustomerManagedKey": "The customer managed key of the web portal.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "DisplayName": "The name of the web portal.", + "IpAccessSettingsArn": "The ARN of the IP access settings that is associated with the web portal.", + "NetworkSettingsArn": "The ARN of the network settings that is associated with the web portal.", + "Tags": "The tags to add to the web portal. A tag is a key-value pair.", + "TrustStoreArn": "The ARN of the trust store that is associated with the web portal.", + "UserAccessLoggingSettingsArn": "The ARN of the user access logging settings that is associated with the web portal.", + "UserSettingsArn": "The ARN of the user settings that is associated with the web portal." + }, + "AWS::WorkSpacesWeb::Portal Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::TrustStore": { + "CertificateList": "A list of CA certificates to be added to the trust store.", + "Tags": "The tags to add to the trust store. A tag is a key-value pair." 
+ }, + "AWS::WorkSpacesWeb::TrustStore Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::UserAccessLoggingSettings": { + "KinesisStreamArn": "The ARN of the Kinesis stream.", + "Tags": "The tags to add to the user access logging settings resource. A tag is a key-value pair." + }, + "AWS::WorkSpacesWeb::UserAccessLoggingSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::UserSettings": { + "AdditionalEncryptionContext": "", + "CookieSynchronizationConfiguration": "The configuration that specifies which cookies should be synchronized from the end user's local browser to the remote browser.", + "CopyAllowed": "Specifies whether the user can copy text from the streaming session to the local device.", + "CustomerManagedKey": "", + "DisconnectTimeoutInMinutes": "The amount of time that a streaming session remains active after users disconnect.", + "DownloadAllowed": "Specifies whether the user can download files from the streaming session to the local device.", + "IdleDisconnectTimeoutInMinutes": "The amount of time that users can be idle (inactive) before they are disconnected from their streaming session and the disconnect timeout interval begins.", + "PasteAllowed": "Specifies whether the user can paste text from the local device to the streaming session.", + "PrintAllowed": "Specifies whether the user can print to the local device.", + "Tags": "The tags to add to the user settings resource. A tag is a key-value pair.", + "UploadAllowed": "Specifies whether the user can upload files from the local device to the streaming session." + }, + "AWS::WorkSpacesWeb::UserSettings CookieSpecification": { + "Domain": "The domain of the cookie.", + "Name": "The name of the cookie.", + "Path": "The path of the cookie." 
+ }, + "AWS::WorkSpacesWeb::UserSettings CookieSynchronizationConfiguration": { + "Allowlist": "The list of cookie specifications that are allowed to be synchronized to the remote browser.", + "Blocklist": "The list of cookie specifications that are blocked from being synchronized to the remote browser." + }, + "AWS::WorkSpacesWeb::UserSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, "AWS::XRay::Group": { "FilterExpression": "The filter expression defining the parameters to include traces.", "GroupName": "The unique case-sensitive name of the group.", @@ -36871,6 +41829,10 @@ "InsightsEnabled": "Set the InsightsEnabled value to true to enable insights or false to disable insights.", "NotificationsEnabled": "Set the NotificationsEnabled value to true to enable insights notifications. Notifications can only be enabled on a group with InsightsEnabled set to true." }, + "AWS::XRay::Group Tag": { + "Key": "A tag key, such as `Stage` or `Name` . A tag key cannot be empty. The key can be a maximum of 128 characters, and can contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`", + "Value": "An optional tag value, such as `Production` or `test-only` . The value can be a maximum of 255 characters, and contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`" + }, "AWS::XRay::ResourcePolicy": { "BypassPolicyLockoutCheck": "A flag to indicate whether to bypass the resource-based policy lockout safety check.", "PolicyDocument": "The resource-based policy document, which can be up to 5kb in size.", 
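Review bot: In the added `AWS::WorkSpacesWeb::UserSettings` entry, `CustomerManagedKey` and `AdditionalEncryptionContext` are empty strings, so the two encryption-related properties are the ones left undocumented. `BrowserSettings`, `IpAccessSettings` and `Portal` in this same hunk describe the identically named properties and give the KMS key ARN pattern. Following those siblings, e.g. `"CustomerManagedKey": "The customer managed key of the user settings."`, would close the gap. Two other descriptions look copy-pasted: `AWS::WorkSpacesWeb::IdentityProvider` documents `PortalArn` as "The ARN of the identity provider." (presumably it is the ARN of the web portal), and `AWS::WorkSpacesWeb::IpAccessSettings` documents `Tags` as tags for "the browser settings resource". If the file is generated, these need correcting upstream or through an override in the generator.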
@@ -36895,6 +41857,10 @@ "URLPath": "Matches the path from a request URL.", "Version": "The version of the sampling rule. `Version` can only be set when creating a new sampling rule." }, + "AWS::XRay::SamplingRule Tag": { + "Key": "A tag key, such as `Stage` or `Name` . A tag key cannot be empty. The key can be a maximum of 128 characters, and can contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`", + "Value": "An optional tag value, such as `Production` or `test-only` . The value can be a maximum of 255 characters, and contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`" + }, "Alexa::ASK::Skill": { "AuthenticationConfiguration": "Login with Amazon (LWA) configuration used to authenticate with the Alexa service. Only Login with Amazon clients created through the are supported. The client ID, client secret, and refresh token are required.", "SkillPackage": "Configuration for the skill package that contains the components of the Alexa skill. Skill packages are retrieved from an Amazon S3 bucket and key and used to create and update the skill. For more information about the skill package format, see the .", diff --git a/schema_source/cloudformation.schema.json b/schema_source/cloudformation.schema.json index 99780da128..933820b905 100644 --- a/schema_source/cloudformation.schema.json +++ b/schema_source/cloudformation.schema.json 
@@ -1340,6 +1340,140 @@ }, "type": "object" }, + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "PracticeRunConfiguration": { + "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration.PracticeRunConfiguration", + "markdownDescription": "A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. When a resource has a practice run configuration, Route 53 ARC shifts traffic for the resource weekly for practice runs.\n\nPractice runs are required for zonal autoshift. The zonal shifts that Route 53 ARC starts for practice runs help you to ensure that shifting away traffic from an Availability Zone during an autoshift is safe for your application.\n\nYou can update or delete a practice run configuration. Before you delete a practice run configuration, you must disable zonal autoshift for the resource. A practice run configuration is required when zonal autoshift is enabled.", + "title": "PracticeRunConfiguration" + }, + "ResourceIdentifier": { + "markdownDescription": "The identifier for the resource that AWS shifts traffic for. 
The identifier is the Amazon Resource Name (ARN) for the resource.\n\nAt this time, supported resources are Network Load Balancers and Application Load Balancers with cross-zone load balancing turned off.", + "title": "ResourceIdentifier", + "type": "string" + }, + "ZonalAutoshiftStatus": { + "markdownDescription": "When zonal autoshift is `ENABLED` , you authorize AWS to shift away resource traffic for an application from an Availability Zone during events, on your behalf, to help reduce time to recovery. Traffic is also shifted away for the required weekly practice runs.", + "title": "ZonalAutoshiftStatus", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration.ControlCondition": { + "additionalProperties": false, + "properties": { + "AlarmIdentifier": { + "markdownDescription": "The Amazon Resource Name (ARN) for an Amazon CloudWatch alarm that you specify as a control condition for a practice run.", + "title": "AlarmIdentifier", + "type": "string" + }, + "Type": { + "markdownDescription": "The type of alarm specified for a practice run. You can only specify Amazon CloudWatch alarms for practice runs, so the only valid value is `CLOUDWATCH` .", + "title": "Type", + "type": "string" + } + }, + "required": [ + "AlarmIdentifier", + "Type" + ], + "type": "object" + }, + "AWS::ARCZonalShift::ZonalAutoshiftConfiguration.PracticeRunConfiguration": { + "additionalProperties": false, + "properties": { + "BlockedDates": { + "items": { + "type": "string" + }, + "markdownDescription": "An array of one or more dates that you can specify when AWS does not start practice runs for a resource. 
Dates are in UTC.\n\nSpecify blocked dates in the format `YYYY-MM-DD` , separated by spaces.", + "title": "BlockedDates", + "type": "array" + }, + "BlockedWindows": { + "items": { + "type": "string" + }, + "markdownDescription": "An array of one or more days and times that you can specify when Route 53 ARC does not start practice runs for a resource. Days and times are in UTC.\n\nSpecify blocked windows in the format `DAY:HH:MM-DAY:HH:MM` , separated by spaces. For example, `MON:18:30-MON:19:30 TUE:18:30-TUE:19:30` .", + "title": "BlockedWindows", + "type": "array" + }, + "BlockingAlarms": { + "items": { + "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration.ControlCondition" + }, + "markdownDescription": "An optional alarm that you can specify that blocks practice runs when the alarm is in an `ALARM` state. When a blocking alarm goes into an `ALARM` state, it prevents practice runs from being started, and ends practice runs that are in progress.", + "title": "BlockingAlarms", + "type": "array" + }, + "OutcomeAlarms": { + "items": { + "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration.ControlCondition" + }, + "markdownDescription": "The alarm that you specify to monitor the health of your application during practice runs. When the outcome alarm goes into an `ALARM` state, the practice run is ended and the outcome is set to `FAILED` .", + "title": "OutcomeAlarms", + "type": "array" + } + }, + "required": [ + "OutcomeAlarms" + ], + "type": "object" + }, "AWS::AccessAnalyzer::Analyzer": { "additionalProperties": false, "properties": { 
@@ -1375,6 +1509,11 @@ "Properties": { "additionalProperties": false, "properties": { + "AnalyzerConfiguration": { + "$ref": "#/definitions/AWS::AccessAnalyzer::Analyzer.AnalyzerConfiguration", + "markdownDescription": "Contains information about the configuration of an unused access analyzer for an AWS organization or account.", + "title": "AnalyzerConfiguration" + }, "AnalyzerName": { "markdownDescription": "The name of the analyzer.", "title": "AnalyzerName", @@ -1384,7 +1523,7 @@ "items": { "$ref": "#/definitions/AWS::AccessAnalyzer::Analyzer.ArchiveRule" }, - "markdownDescription": "Specifies the archive rules to add for the analyzer.", + "markdownDescription": "Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.", "title": "ArchiveRules", "type": "array" }, @@ -1392,12 +1531,12 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags to apply to the analyzer.", + "markdownDescription": "An array of key-value pairs to apply to the analyzer.", "title": "Tags", "type": "array" }, "Type": { - "markdownDescription": "The type represents the zone of trust for the analyzer.\n\n*Allowed Values* : ACCOUNT | ORGANIZATION", + "markdownDescription": "The type represents the zone of trust for the analyzer.\n\n*Allowed Values* : ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ORGANIZATION_UNUSED_ACCESS", "title": "Type", "type": "string" } 
@@ -1428,6 +1567,17 @@ ], "type": "object" }, + "AWS::AccessAnalyzer::Analyzer.AnalyzerConfiguration": { + "additionalProperties": false, + "properties": { + "UnusedAccessConfiguration": { + "$ref": "#/definitions/AWS::AccessAnalyzer::Analyzer.UnusedAccessConfiguration", + "markdownDescription": "Specifies the configuration of an unused access analyzer for an AWS organization or account. External access analyzers do not support any configuration.", + "title": "UnusedAccessConfiguration" + } + }, + "type": "object" + }, "AWS::AccessAnalyzer::Analyzer.ArchiveRule": { "additionalProperties": false, "properties": { @@ -1440,7 +1590,7 @@ "type": "array" }, "RuleName": { - "markdownDescription": "The name of the archive rule.", + "markdownDescription": "The name of the rule to create.", "title": "RuleName", "type": "string" } @@ -1494,6 +1644,17 @@ ], "type": "object" }, + "AWS::AccessAnalyzer::Analyzer.UnusedAccessConfiguration": { + "additionalProperties": false, + "properties": { + "UnusedAccessAge": { + "markdownDescription": "The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days.", + "title": "UnusedAccessAge", + "type": "number" + } + }, + "type": "object" + }, "AWS::AmazonMQ::Broker": { "additionalProperties": false, "properties": { 
@@ -1550,9 +1711,13 @@ "title": "Configuration" }, "DataReplicationMode": { + "markdownDescription": "Defines whether this broker is a part of a data replication pair.", + "title": "DataReplicationMode", "type": "string" }, "DataReplicationPrimaryBrokerArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the primary broker that is used to replicate data from in a data replication pair, and is applied to the replica broker. Must be set when dataReplicationMode is set to CRDR.", + "title": "DataReplicationPrimaryBrokerArn", "type": "string" }, "DeploymentMode": { @@ -2414,12 +2579,14 @@ "additionalProperties": false, "properties": { "AppId": { - "markdownDescription": "The unique ID for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 20.\n\n*Pattern:* d[a-z0-9]+", + "markdownDescription": "The unique ID for an Amplify app.", "title": "AppId", "type": "string" }, "Backend": { - "$ref": "#/definitions/AWS::Amplify::Branch.Backend" + "$ref": "#/definitions/AWS::Amplify::Branch.Backend", + "markdownDescription": "The backend environment for an Amplify app.", + "title": "Backend" }, "BasicAuthConfig": { "$ref": "#/definitions/AWS::Amplify::Branch.BasicAuthConfig", @@ -2519,6 +2686,8 @@ "additionalProperties": false, "properties": { "StackArn": { + "markdownDescription": "The Amazon Resource Name (ARN) for the AWS CloudFormation stack.", + "title": "StackArn", "type": "string" } }, @@ -4405,8 +4574,6 @@ "type": "string" }, "Id": { - "markdownDescription": "", - "title": "Id", "type": "string" }, "RestApiId": { 
@@ -4693,7 +4860,7 @@ "type": "boolean" }, "DataTraceEnabled": { - "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "title": "DataTraceEnabled", "type": "boolean" }, @@ -5359,7 +5526,7 @@ "markdownDescription": "A key-value map defining required or optional method request parameters that can be accepted by API Gateway. A key is a method request parameter name matching the pattern of `method.request.{location}.{name}` , where `location` is `querystring` , `path` , or `header` and `name` is a valid and unique parameter name. The value associated with the key is a Boolean flag indicating whether the parameter is required ( `true` ) or optional ( `false` ). The method request parameter names defined here are available in Integration to be mapped to integration request parameters or templates.", "patternProperties": { "^[a-zA-Z0-9]+$": { - "type": "boolean" + "type": "string" } }, "title": "RequestParameters", @@ -5501,6 +5668,9 @@ "type": "string" } }, + "required": [ + "Type" + ], "type": "object" }, "AWS::ApiGateway::Method.IntegrationResponse": { 
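Review bot: In the `RequestParameters` hunk (`@@ -5359,7 +5526,7 @@`) the value type changes from `boolean` to `string`, but the `markdownDescription` on the context line still calls the value "a Boolean flag", so the schema and its documentation now disagree. The `ResponseParameters` hunk at `@@ -5568,7 +5738,7 @@` has the same mismatch. If templates that pass `true`/`false` should keep validating, accept both forms with `"type": ["boolean", "string"]`. This file looks generated, so the fix probably belongs in the upstream spec or the generator rather than in a hand edit here; that is worth confirming. The enclosing definitions start and end outside both hunks.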
@@ -5568,7 +5738,7 @@ "markdownDescription": "A key-value map specifying required or optional response parameters that API Gateway can send back to the caller. A key defines a method response header and the value specifies whether the associated method response header is required or not. The expression of the key must match the pattern `method.response.header.{name}` , where `name` is a valid and unique header name. API Gateway passes certain integration response data to the method response headers specified here according to the mapping you prescribe in the API's IntegrationResponse. The integration response data that can be mapped include an integration response header expressed in `integration.response.header.{name}` , a static value enclosed within a pair of single quotes (e.g., `'application/json'` ), or a JSON expression from the back-end response payload in the form of `integration.response.body.{JSON-expression}` , where `JSON-expression` is a valid JSON expression without the `$` prefix.)", "patternProperties": { "^[a-zA-Z0-9]+$": { - "type": "boolean" + "type": "string" } }, "title": "ResponseParameters", @@ -6237,7 +6407,7 @@ "type": "boolean" }, "DataTraceEnabled": { - "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "title": "DataTraceEnabled", "type": "boolean" }, @@ -7084,7 +7254,7 @@ "additionalProperties": false, "properties": { "ApiId": { - "markdownDescription": "The identifier of the API.", + "markdownDescription": "The API identifier.", "title": "ApiId", "type": "string" }, 
@@ -7645,13 +7815,9 @@ "additionalProperties": false, "properties": { "Destination": { - "markdownDescription": "Specifies the location of the response to modify, and how to modify it. To learn more, see [Transforming API requests and responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html) .", - "title": "Destination", "type": "string" }, "Source": { - "markdownDescription": "Specifies the data to update the parameter with. To learn more, see [Transforming API requests and responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html) .", - "title": "Source", "type": "string" } }, @@ -7668,8 +7834,6 @@ "items": { "$ref": "#/definitions/AWS::ApiGatewayV2::Integration.ResponseParameter" }, - "markdownDescription": "Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients. Specify a key-value map from a selection key to response parameters. The selection key must be a valid HTTP status code within the range of 200-599. Response parameters are a key-value map. The key must match the pattern `:
.` or `overwrite.statuscode` . The action can be `append` , `overwrite` or `remove` . The value can be a static value, or map to response data, stage variables, or context variables that are evaluated at runtime. To learn more, see [Transforming API requests and responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html) .", - "title": "ResponseParameters", "type": "array" } }, @@ -8525,6 +8689,8 @@ "type": "string" }, "KmsKeyIdentifier": { + "markdownDescription": "", + "title": "KmsKeyIdentifier", "type": "string" }, "LocationUri": { @@ -8690,7 +8856,7 @@ "type": "string" }, "KmsKeyIdentifier": { - "markdownDescription": "The AWS KMS key identifier (key ID, key alias, or key ARN). AWS AppConfig uses this ID to encrypt the configuration data using a customer managed key.", + "markdownDescription": "The AWS Key Management Service key identifier (key ID, key alias, or key ARN) provided when the resource was created or updated.", "title": "KmsKeyIdentifier", "type": "string" }, @@ -9645,7 +9811,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.PardotConnectorProfileCredentials", - "markdownDescription": "", + "markdownDescription": "The connector-specific credentials required when using Salesforce Pardot.", "title": "Pardot" }, "Redshift": { @@ -9731,7 +9897,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.PardotConnectorProfileProperties", - "markdownDescription": "", + "markdownDescription": "The connector-specific properties required by Salesforce Pardot.", "title": "Pardot" }, "Redshift": { 
@@ -10162,12 +10328,12 @@ "additionalProperties": false, "properties": { "AccessToken": { - "markdownDescription": "", + "markdownDescription": "The credentials used to access protected Salesforce Pardot resources.", "title": "AccessToken", "type": "string" }, "ClientCredentialsArn": { - "markdownDescription": "", + "markdownDescription": "The secret manager ARN, which contains the client ID and client secret of the connected app.", "title": "ClientCredentialsArn", "type": "string" }, @@ -10177,7 +10343,7 @@ "title": "ConnectorOAuthRequest" }, "RefreshToken": { - "markdownDescription": "", + "markdownDescription": "The credentials used to acquire new access tokens.", "title": "RefreshToken", "type": "string" } @@ -10188,17 +10354,17 @@ "additionalProperties": false, "properties": { "BusinessUnitId": { - "markdownDescription": "", + "markdownDescription": "The business unit id of Salesforce Pardot instance.", "title": "BusinessUnitId", "type": "string" }, "InstanceUrl": { - "markdownDescription": "", + "markdownDescription": "The location of the Salesforce Pardot resource.", "title": "InstanceUrl", "type": "string" }, "IsSandboxEnvironment": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the connector profile applies to a sandbox or production environment.", "title": "IsSandboxEnvironment", "type": "boolean" } 
@@ -10238,17 +10404,17 @@ "type": "string" }, "ClusterIdentifier": { - "markdownDescription": "", + "markdownDescription": "The unique ID that's assigned to an Amazon Redshift cluster.", "title": "ClusterIdentifier", "type": "string" }, "DataApiRoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that permits Amazon AppFlow to access your Amazon Redshift database through the Data API. For more information, and for the polices that you attach to this role, see [Allow Amazon AppFlow to access Amazon Redshift databases with the Data API](https://docs.aws.amazon.com/appflow/latest/userguide/security_iam_service-role-policies.html#access-redshift) .", "title": "DataApiRoleArn", "type": "string" }, "DatabaseName": { - "markdownDescription": "", + "markdownDescription": "The name of an Amazon Redshift database.", "title": "DatabaseName", "type": "string" }, @@ -10258,7 +10424,7 @@ "type": "string" }, "IsRedshiftServerless": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the connector profile defines a connection to an Amazon Redshift Serverless data warehouse.", "title": "IsRedshiftServerless", "type": "boolean" }, @@ -10268,7 +10434,7 @@ "type": "string" }, "WorkgroupName": { - "markdownDescription": "", + "markdownDescription": "The name of an Amazon Redshift workgroup.", "title": "WorkgroupName", "type": "string" } 
@@ -10360,12 +10526,12 @@ "title": "ConnectorOAuthRequest" }, "JwtToken": { - "markdownDescription": "", + "markdownDescription": "A JSON web token (JWT) that authorizes Amazon AppFlow to access your Salesforce records.", "title": "JwtToken", "type": "string" }, "OAuth2GrantType": { - "markdownDescription": "", + "markdownDescription": "Specifies the OAuth 2.0 grant type that Amazon AppFlow uses when it requests an access token from Salesforce. Amazon AppFlow requires an access token each time it attempts to access your Salesforce records.\n\nYou can specify one of the following values:\n\n- **AUTHORIZATION_CODE** - Amazon AppFlow passes an authorization code when it requests the access token from Salesforce. Amazon AppFlow receives the authorization code from Salesforce after you log in to your Salesforce account and authorize Amazon AppFlow to access your records.\n- **CLIENT_CREDENTIALS** - Amazon AppFlow passes client credentials (a client ID and client secret) when it requests the access token from Salesforce. You provide these credentials to Amazon AppFlow when you define the connection to your Salesforce account.\n- **JWT_BEARER** - Amazon AppFlow passes a JSON web token (JWT) when it requests the access token from Salesforce. You provide the JWT to Amazon AppFlow when you define the connection to your Salesforce account. When you use this grant type, you don't need to log in to your Salesforce account to authorize Amazon AppFlow to access your records.", "title": "OAuth2GrantType", "type": "string" }, 
@@ -10391,7 +10557,7 @@ "type": "boolean" }, "usePrivateLinkForMetadataAndAuthorization": { - "markdownDescription": "", + "markdownDescription": "If the connection mode for the connector profile is private, this parameter sets whether Amazon AppFlow uses the private network to send metadata and authorization calls to Salesforce. Amazon AppFlow sends private calls through AWS PrivateLink . These calls travel through AWS infrastructure without being exposed to the public internet.\n\nSet either of the following values:\n\n- **true** - Amazon AppFlow sends all calls to Salesforce over the private network.\n\nThese private calls are:\n\n- Calls to get metadata about your Salesforce records. This metadata describes your Salesforce objects and their fields.\n- Calls to get or refresh access tokens that allow Amazon AppFlow to access your Salesforce records.\n- Calls to transfer your Salesforce records as part of a flow run.\n- **false** - The default value. Amazon AppFlow sends some calls to Salesforce privately and other calls over the public internet.\n\nThe public calls are:\n\n- Calls to get metadata about your Salesforce records.\n- Calls to get or refresh access tokens.\n\nThe private calls are:\n\n- Calls to transfer your Salesforce records as part of a flow run.", "title": "usePrivateLinkForMetadataAndAuthorization", "type": "boolean" } @@ -10402,7 +10568,9 @@ "additionalProperties": false, "properties": { "OAuth2Credentials": { - "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.OAuth2Credentials" + "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.OAuth2Credentials", + "markdownDescription": "", + "title": "OAuth2Credentials" }, "Password": { "markdownDescription": "The password that corresponds to the user name.", 
@@ -10712,7 +10880,7 @@ }, "MetadataCatalogConfig": { "$ref": "#/definitions/AWS::AppFlow::Flow.MetadataCatalogConfig", - "markdownDescription": "", + "markdownDescription": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data. When Amazon AppFlow catalogs your data, it stores metadata in a data catalog.", "title": "MetadataCatalogConfig" }, "SourceFlowConfig": { @@ -10781,7 +10949,7 @@ "type": "string" }, "TargetFileSize": { - "markdownDescription": "", + "markdownDescription": "The desired file size, in MB, for each output file that Amazon AppFlow writes to the flow destination. For each file, Amazon AppFlow attempts to achieve the size that you specify. The actual file sizes might differ from this target based on the number and size of the records that each file contains.", "title": "TargetFileSize", "type": "number" } @@ -10841,7 +11009,7 @@ "type": "string" }, "Pardot": { - "markdownDescription": "", + "markdownDescription": "The operation to be performed on the provided Salesforce Pardot source fields.", "title": "Pardot", "type": "string" }, @@ -10952,7 +11120,7 @@ }, "DataTransferApi": { "$ref": "#/definitions/AWS::AppFlow::Flow.DataTransferApi", - "markdownDescription": "", + "markdownDescription": "The API of the connector application that Amazon AppFlow uses to transfer your data.", "title": "DataTransferApi" }, "EntityName": { 
@@ -10970,12 +11138,12 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the connector application API.", "title": "Name", "type": "string" }, "Type": { - "markdownDescription": "", + "markdownDescription": "You can specify one of the following types:\n\n- **AUTOMATIC** - The default. Optimizes a flow for datasets that fluctuate in size from small to large. For each flow run, Amazon AppFlow chooses to use the SYNC or ASYNC API type based on the amount of data that the run transfers.\n- **SYNC** - A synchronous API. This type of API optimizes a flow for small to medium-sized datasets.\n- **ASYNC** - An asynchronous API. This type of API optimizes a flow for large datasets.", "title": "Type", "type": "string" } @@ -11075,7 +11243,7 @@ "type": "string" }, "ConnectorType": { - "markdownDescription": "The type of destination connector, such as Sales force, Amazon S3, and so on.\n\n*Allowed Values* : `EventBridge | Redshift | S3 | Salesforce | Snowflake`", + "markdownDescription": "The type of destination connector, such as Sales force, Amazon S3, and so on.", "title": "ConnectorType", "type": "string" }, @@ -11259,7 +11427,7 @@ "properties": { "GlueDataCatalog": { "$ref": "#/definitions/AWS::AppFlow::Flow.GlueDataCatalog", - "markdownDescription": "", + "markdownDescription": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data with the AWS Glue Data Catalog .", "title": "GlueDataCatalog" } }, @@ -11269,7 +11437,7 @@ "additionalProperties": false, "properties": { "Object": { - "markdownDescription": "", + "markdownDescription": "The object specified in the Salesforce Pardot flow source.", "title": "Object", "type": "string" } 
@@ -11286,7 +11454,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Specifies whether the destination file path includes either or both of the following elements:\n\n- **EXECUTION_ID** - The ID that Amazon AppFlow assigns to the flow run.\n- **SCHEMA_VERSION** - The version number of your data schema. Amazon AppFlow assigns this version number. The version number increases by one when you change any of the following settings in your flow configuration:\n\n- Source-to-destination field mappings\n- Field data types\n- Partition keys", "title": "PathPrefixHierarchy", "type": "array" }, @@ -11387,7 +11555,7 @@ "title": "PrefixConfig" }, "PreserveSourceDataTyping": { - "markdownDescription": "", + "markdownDescription": "If your file output format is Parquet, use this parameter to set whether Amazon AppFlow preserves the data types in your source data when it writes the output to Amazon S3.\n\n- `true` : Amazon AppFlow preserves the data types when it writes to Amazon S3. For example, an integer or `1` in your source data is still an integer in your output.\n- `false` : Amazon AppFlow converts all of the source data into strings when it writes to Amazon S3. For example, an integer of `1` in your source data becomes the string `\"1\"` in the output.", "title": "PreserveSourceDataTyping", "type": "boolean" } @@ -11460,6 +11628,8 @@ "additionalProperties": false, "properties": { "maxPageSize": { + "markdownDescription": "", + "title": "maxPageSize", "type": "number" } }, @@ -11472,6 +11642,8 @@ "additionalProperties": false, "properties": { "maxParallelism": { + "markdownDescription": "", + "title": "maxParallelism", "type": "number" } }, 
@@ -11489,10 +11661,14 @@ "type": "string" }, "paginationConfig": { - "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataPaginationConfig" + "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataPaginationConfig", + "markdownDescription": "", + "title": "paginationConfig" }, "parallelismConfig": { - "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataParallelismConfig" + "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataParallelismConfig", + "markdownDescription": "", + "title": "parallelismConfig" } }, "required": [ @@ -11580,7 +11756,7 @@ "type": "number" }, "FlowErrorDeactivationThreshold": { - "markdownDescription": "", + "markdownDescription": "Defines how many times a scheduled flow fails consecutively before Amazon AppFlow deactivates it.", "title": "FlowErrorDeactivationThreshold", "type": "number" }, @@ -11727,7 +11903,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::Flow.PardotSourceProperties", - "markdownDescription": "", + "markdownDescription": "Specifies the information that is required for querying Salesforce Pardot.", "title": "Pardot" }, "S3": { @@ -11874,7 +12050,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The task property key.\n\n*Allowed Values* : `VALUE | VALUES | DATA_TYPE | UPPER_BOUND | LOWER_BOUND | SOURCE_DATA_TYPE | DESTINATION_DATA_TYPE | VALIDATION_ACTION | MASK_VALUE | MASK_LENGTH | TRUNCATE_LENGTH | MATH_OPERATION_FIELDS_ORDER | CONCAT_FORMAT | SUBFIELD_CATEGORY_MAP` | `EXCLUDE_SOURCE_FIELDS_LIST`", + "markdownDescription": "The task property key.", "title": "Key", "type": "string" }, @@ -16001,6 +16177,8 @@ "title": "SourceCodeVersion" }, "SourceDirectory": { + "markdownDescription": "The path of the directory that stores source code and configuration files. The build and start commands also execute from here. The path is absolute from root and, if not specified, defaults to the repository root.", + "title": "SourceDirectory", "type": "string" } }, 
@@ -16199,6 +16377,11 @@ "$ref": "#/definitions/AWS::AppRunner::Service.IngressConfiguration", "markdownDescription": "Network configuration settings for inbound message traffic.", "title": "IngressConfiguration" + }, + "IpAddressType": { + "markdownDescription": "App Runner provides you with the option to choose between *Internet Protocol version 4 (IPv4)* and *dual stack* (IPv4 and IPv6) for your incoming public network configuration. This is an optional parameter. If you do not specify an `IpAddressType` , it defaults to select IPv4.\n\n> Currently, App Runner supports dual stack for only Public endpoint. Only IPv4 is supported for Private endpoint. If you update a service that's using dual-stack Public endpoint to a Private endpoint, your App Runner service will default to support only IPv4 for Private endpoint and fail to receive traffic originating from IPv6 endpoint.", + "title": "IpAddressType", + "type": "string" } }, "type": "object" @@ -16522,7 +16705,7 @@ }, "PostSetupScriptDetails": { "$ref": "#/definitions/AWS::AppStream::AppBlock.ScriptDetails", - "markdownDescription": "The post setup script details of the app block.\n\nThis only applies to app blocks with PackagingType `APPSTREAM2` .", + "markdownDescription": "The post setup script details of the app block.", "title": "PostSetupScriptDetails" }, "SetupScriptDetails": { @@ -16660,7 +16843,7 @@ "items": { "$ref": "#/definitions/AWS::AppStream::AppBlockBuilder.AccessEndpoint" }, - "markdownDescription": "", + "markdownDescription": "The access endpoints of the app block builder.", "title": "AccessEndpoints", "type": "array" }, @@ -16668,7 +16851,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The ARN of the app block.\n\n*Maximum* : `1`", "title": "AppBlockArns", "type": "array" }, 
@@ -16703,7 +16886,7 @@ "type": "string" }, "Platform": { - "markdownDescription": "The platform of the app block builder.\n\n`WINDOWS_SERVER_2019` is the only valid value.", + "markdownDescription": "The platform of the app block builder.\n\n*Allowed values* : `WINDOWS_SERVER_2019`", "title": "Platform", "type": "string" }, @@ -16711,7 +16894,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The tags of the app block builder.", "title": "Tags", "type": "array" }, @@ -17440,10 +17623,12 @@ "type": "number" }, "MaxSessionsPerInstance": { + "markdownDescription": "The maximum number of user sessions on an instance. This only applies to multi-session fleets.", + "title": "MaxSessionsPerInstance", "type": "number" }, "MaxUserDurationInSeconds": { - "markdownDescription": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 360000.", + "markdownDescription": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 432000.", "title": "MaxUserDurationInSeconds", "type": "number" }, 
@@ -17453,7 +17638,7 @@ "type": "string" }, "Platform": { - "markdownDescription": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.\n\n*Allowed Values* : `WINDOWS_SERVER_2019` | `AMAZON_LINUX2`", + "markdownDescription": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.", "title": "Platform", "type": "string" }, @@ -17525,6 +17710,8 @@ "type": "number" }, "DesiredSessions": { + "markdownDescription": "The desired number of user sessions for a multi-session fleet. This is not allowed for single-session fleets.\n\nWhen you create a fleet, you must set either the DesiredSessions or DesiredInstances attribute, based on the type of fleet you create. You can\u2019t define both attributes or leave both attributes blank.", + "title": "DesiredSessions", "type": "number" } }, @@ -18011,6 +18198,11 @@ "title": "Action", "type": "string" }, + "MaximumLength": { + "markdownDescription": "", + "title": "MaximumLength", + "type": "number" + }, "Permission": { "markdownDescription": "Indicates whether the action is enabled or disabled.", "title": "Permission", @@ -18404,8 +18596,6 @@ "type": "string" }, "ApiKeyId": { - "markdownDescription": "The API key ID.", - "title": "ApiKeyId", "type": "string" }, "Description": { @@ -19055,7 +19245,7 @@ }, "Runtime": { "$ref": "#/definitions/AWS::AppSync::FunctionConfiguration.AppSyncRuntime", - "markdownDescription": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "markdownDescription": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "title": "Runtime" }, "SyncConfig": { 
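Review bot: In the hunk at -18404 the `ApiKeyId` property loses its `markdownDescription` and `title` and is left as a bare `"type": "string"`, while other hunks in this diff add that pair to properties that lacked it. If the removal is a side effect of the upstream docs no longer listing the property rather than a deliberate choice, keep the previous pair: `"markdownDescription": "The API key ID.", "title": "ApiKeyId",`. The `MaximumLength` property added in the hunk at -18011 has a related gap, an empty `markdownDescription`, so schema-aware editors will show no help text for either property.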
@@ -19604,7 +19794,7 @@ }, "Runtime": { "$ref": "#/definitions/AWS::AppSync::Resolver.AppSyncRuntime", - "markdownDescription": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "markdownDescription": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "title": "Runtime" }, "SyncConfig": { 
@@ -19872,7 +20062,7 @@ "type": "number" }, "ResourceId": { - "markdownDescription": "The identifier of the resource associated with the scalable target. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. 
Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker Serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .", + "markdownDescription": "The identifier of the resource associated with the scalable target. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. 
Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . 
Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- SageMaker inference component - The resource type is `inference-component` and the unique identifier is the resource ID. Example: `inference-component/my-inference-component` .", "title": "ResourceId", "type": "string" }, 
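Review bot: The rewritten `ResourceId` description still carries a malformed link target for the custom-resource entry: `https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource` is two URLs joined together and will not resolve to the repository it names. Since this line is being rewritten anyway, the target should presumably be `https://github.com/aws/aws-auto-scaling-custom-resource`. The same doubled URL appears in the `ResourceId` description in the hunk at -20058. If the text is generated from upstream documentation, the fix belongs in the generator's link rewriting rather than in this file.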
@@ -19882,7 +20072,7 @@ "type": "string" }, "ScalableDimension": { - "markdownDescription": "The scalable dimension associated with the scalable target. This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. 
Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- `elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker Serverless endpoint.", + "markdownDescription": "The scalable dimension associated with the scalable target. 
This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- 
`elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker serverless endpoint.\n- `sagemaker:inference-component:DesiredCopyCount` - The number of copies across an endpoint for a SageMaker inference component.", "title": "ScalableDimension", "type": "string" }, 
@@ -20058,12 +20248,12 @@ "type": "string" }, "ResourceId": { - "markdownDescription": "The identifier of the resource associated with the scaling policy. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. 
Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker Serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .", + "markdownDescription": "The identifier of the resource associated with the scaling policy. This string consists of the resource type and unique identifier.\n\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. 
Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- EMR cluster - The resource type is `instancegroup` and the unique identifier is the cluster ID and instance group ID. Example: `instancegroup/j-2EEZNYKUA1NTV/ig-1791Y4E1L8YI0` .\n- AppStream 2.0 fleet - The resource type is `fleet` and the unique identifier is the fleet name. Example: `fleet/sample-fleet` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the table name. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the index name. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .\n- SageMaker endpoint variant - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- Custom resources are not supported with a resource type. This parameter must specify the `OutputValue` from the CloudFormation template stack used to access the resources. The unique identifier is defined by the service provider. More information is available in our [GitHub repository](https://docs.aws.amazon.com/https://github.com/aws/aws-auto-scaling-custom-resource) .\n- Amazon Comprehend document classification endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:document-classifier-endpoint/EXAMPLE` .\n- Amazon Comprehend entity recognizer endpoint - The resource type and unique identifier are specified using the endpoint ARN. Example: `arn:aws:comprehend:us-west-2:123456789012:entity-recognizer-endpoint/EXAMPLE` .\n- Lambda provisioned concurrency - The resource type is `function` and the unique identifier is the function name with a function version or alias name suffix that is not `$LATEST` . 
Example: `function:my-function:prod` or `function:my-function:1` .\n- Amazon Keyspaces table - The resource type is `table` and the unique identifier is the table name. Example: `keyspace/mykeyspace/table/mytable` .\n- Amazon MSK cluster - The resource type and unique identifier are specified using the cluster ARN. Example: `arn:aws:kafka:us-east-1:123456789012:cluster/demo-cluster-1/6357e0b2-0e6a-4b86-a0b4-70df934c2e31-5` .\n- Amazon ElastiCache replication group - The resource type is `replication-group` and the unique identifier is the replication group name. Example: `replication-group/mycluster` .\n- Neptune cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:mycluster` .\n- SageMaker serverless endpoint - The resource type is `variant` and the unique identifier is the resource ID. Example: `endpoint/my-end-point/variant/KMeansClustering` .\n- SageMaker inference component - The resource type is `inference-component` and the unique identifier is the resource ID. Example: `inference-component/my-inference-component` .", "title": "ResourceId", "type": "string" }, "ScalableDimension": { - "markdownDescription": "The scalable dimension. 
This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- 
`elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker Serverless endpoint.", + "markdownDescription": "The scalable dimension. This string consists of the service namespace, resource type, and scaling property.\n\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `elasticmapreduce:instancegroup:InstanceCount` - The instance count of an EMR Instance Group.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet.\n- `appstream:fleet:DesiredCapacity` - The desired capacity of an AppStream 2.0 fleet.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. 
Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.\n- `sagemaker:variant:DesiredInstanceCount` - The number of EC2 instances for a SageMaker model endpoint variant.\n- `custom-resource:ResourceType:Property` - The scalable dimension for a custom resource provided by your own application or service.\n- `comprehend:document-classifier-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend document classification endpoint.\n- `comprehend:entity-recognizer-endpoint:DesiredInferenceUnits` - The number of inference units for an Amazon Comprehend entity recognizer endpoint.\n- `lambda:function:ProvisionedConcurrency` - The provisioned concurrency for a Lambda function.\n- `cassandra:table:ReadCapacityUnits` - The provisioned read capacity for an Amazon Keyspaces table.\n- `cassandra:table:WriteCapacityUnits` - The provisioned write capacity for an Amazon Keyspaces table.\n- `kafka:broker-storage:VolumeSize` - The provisioned volume size (in GiB) for brokers in an Amazon MSK cluster.\n- `elasticache:replication-group:NodeGroups` - The number of node groups for an Amazon ElastiCache replication group.\n- `elasticache:replication-group:Replicas` - The number of replicas per node group for an Amazon ElastiCache replication group.\n- `neptune:cluster:ReadReplicaCount` - The count of read replicas in an Amazon Neptune DB cluster.\n- `sagemaker:variant:DesiredProvisionedConcurrency` - The provisioned concurrency for a SageMaker serverless endpoint.\n- `sagemaker:inference-component:DesiredCopyCount` - The number of copies across an endpoint for a SageMaker inference component.", "title": "ScalableDimension", "type": "string" }, 
@@ -20131,6 +20321,14 @@ "title": "MetricName", "type": "string" }, + "Metrics": { + "items": { + "$ref": "#/definitions/AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricDataQuery" + }, + "markdownDescription": "The metrics to include in the target tracking scaling policy, as a metric data query. This can include both raw metric and metric math expressions.", + "title": "Metrics", + "type": "array" + }, "Namespace": { "markdownDescription": "The namespace of the metric.", "title": "Namespace", @@ -20147,11 +20345,6 @@ "type": "string" } }, - "required": [ - "MetricName", - "Namespace", - "Statistic" - ], "type": "object" }, "AWS::ApplicationAutoScaling::ScalingPolicy.MetricDimension": { @@ -20226,7 +20419,7 @@ "type": "string" }, "Cooldown": { - "markdownDescription": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/step-scaling-policy-overview.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", "title": "Cooldown", "type": "number" }, 
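Review bot: The hunk at -20147 deletes the whole `required` list (`MetricName`, `Namespace`, `Statistic`) from this definition, so the schema now accepts a metric specification that names no metric at all. The hunk at -20131 adds `Metrics` as an alternative way to describe the metric, which is presumably why the list was dropped, but the either-or constraint can still be expressed so that incomplete templates are rejected at validation time instead of at deployment. Replacing the deleted list with an `anyOf` over the two shapes keeps the old form valid and admits the new one. The definition's opening lines are outside the hunk, so its name and any other constraints on it are not visible here.

```json
"anyOf": [
  { "required": ["Metrics"] },
  { "required": ["MetricName", "Namespace", "Statistic"] }
],
"type": "object"
```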
@@ -20251,6 +20444,98 @@ }, "type": "object" }, + "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetric": { + "additionalProperties": false, + "properties": { + "Dimensions": { + "items": { + "$ref": "#/definitions/AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricDimension" + }, + "markdownDescription": "The dimensions for the metric. For the list of available dimensions, see the AWS documentation available from the table in [AWS services that publish CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html) in the *Amazon CloudWatch User Guide* .\n\nConditional: If you published your metric with dimensions, you must specify the same dimensions in your scaling policy.", + "title": "Dimensions", + "type": "array" + }, + "MetricName": { + "markdownDescription": "The name of the metric.", + "title": "MetricName", + "type": "string" + }, + "Namespace": { + "markdownDescription": "The namespace of the metric. For more information, see the table in [AWS services that publish CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html) in the *Amazon CloudWatch User Guide* .", + "title": "Namespace", + "type": "string" + } + }, + "type": "object" + }, + "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricDataQuery": { + "additionalProperties": false, + "properties": { + "Expression": { + "markdownDescription": "The math expression to perform on the returned data, if this object is performing a math expression. 
This expression can use the `Id` of the other metrics to refer to those metrics, and can also use the `Id` of other expressions to use the result of those expressions.\n\nConditional: Within each `TargetTrackingMetricDataQuery` object, you must specify either `Expression` or `MetricStat` , but not both.", + "title": "Expression", + "type": "string" + }, + "Id": { + "markdownDescription": "A short name that identifies the object's results in the response. This name must be unique among all `MetricDataQuery` objects specified for a single scaling policy. If you are performing math expressions on this set of data, this name represents that data and can serve as a variable in the mathematical expression. The valid characters are letters, numbers, and underscores. The first character must be a lowercase letter.", + "title": "Id", + "type": "string" + }, + "Label": { + "markdownDescription": "A human-readable label for this metric or expression. This is especially useful if this is a math expression, so that you know what the value represents.", + "title": "Label", + "type": "string" + }, + "MetricStat": { + "$ref": "#/definitions/AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricStat", + "markdownDescription": "Information about the metric data to return.\n\nConditional: Within each `MetricDataQuery` object, you must specify either `Expression` or `MetricStat` , but not both.", + "title": "MetricStat" + }, + "ReturnData": { + "markdownDescription": "Indicates whether to return the timestamps and raw data values of this metric.\n\nIf you use any math expressions, specify `true` for this value for only the final math expression that the metric specification is based on. You must specify `false` for `ReturnData` for all the other metrics and expressions used in the metric specification.\n\nIf you are only retrieving metrics and not performing any math expressions, do not specify anything for `ReturnData` . 
This sets it to its default ( `true` ).", + "title": "ReturnData", + "type": "boolean" + } + }, + "type": "object" + }, + "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricDimension": { + "additionalProperties": false, + "properties": { + "Name": { + "markdownDescription": "The name of the dimension.", + "title": "Name", + "type": "string" + }, + "Value": { + "markdownDescription": "The value of the dimension.", + "title": "Value", + "type": "string" + } + }, + "type": "object" + }, + "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetricStat": { + "additionalProperties": false, + "properties": { + "Metric": { + "$ref": "#/definitions/AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingMetric", + "markdownDescription": "The CloudWatch metric to return, including the metric name, namespace, and dimensions. To get the exact metric name, namespace, and dimensions, inspect the [Metric](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_Metric.html) object that is returned by a call to [ListMetrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html) .", + "title": "Metric" + }, + "Stat": { + "markdownDescription": "The statistic to return. It can include any CloudWatch statistic or extended statistic. For a list of valid values, see the table in [Statistics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Statistic) in the *Amazon CloudWatch User Guide* .\n\nThe most commonly used metric for scaling is `Average` .", + "title": "Stat", + "type": "string" + }, + "Unit": { + "markdownDescription": "The unit to use for the returned data points. 
For a complete list of the units that CloudWatch supports, see the [MetricDatum](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_MetricDatum.html) data type in the *Amazon CloudWatch API Reference* .", + "title": "Unit", + "type": "string" + } + }, + "type": "object" + }, "AWS::ApplicationAutoScaling::ScalingPolicy.TargetTrackingScalingPolicyConfiguration": { "additionalProperties": false, "properties": { 
@@ -20270,12 +20555,12 @@ "title": "PredefinedMetricSpecification" }, "ScaleInCooldown": { - "markdownDescription": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "title": "ScaleInCooldown", "type": "number" }, "ScaleOutCooldown": { - "markdownDescription": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "title": "ScaleOutCooldown", "type": "number" }, 
@@ -20985,7 +21270,7 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.\n- Queries that specify a GLUE data catalog other than the default `AwsDataCatalog` must be run on Athena engine version 2.\n- In Regions where Athena engine version 2 is not available, creating new GLUE data catalogs results in an `INVALID_INPUT` error.", + "markdownDescription": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. 
`The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -21320,7 +21605,7 @@ "additionalProperties": false, "properties": { "KmsKey": { - "markdownDescription": "The KMS key that is used to encrypt the user's data stores in Athena.", + "markdownDescription": "The customer managed KMS key that is used to encrypt the user's data stores in Athena.", "title": "KmsKey", "type": "string" } 
@@ -21802,6 +22087,11 @@ "title": "InstanceId", "type": "string" }, + "InstanceMaintenancePolicy": { + "$ref": "#/definitions/AWS::AutoScaling::AutoScalingGroup.InstanceMaintenancePolicy", + "markdownDescription": "An instance maintenance policy. For more information, see [Set instance maintenance policy](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-instance-maintenance-policy.html) in the *Amazon EC2 Auto Scaling User Guide* .", + "title": "InstanceMaintenancePolicy" + }, "LaunchConfigurationName": { "markdownDescription": "The name of the launch configuration to use to launch instances.\n\nRequired only if you don't specify `LaunchTemplate` , `MixedInstancesPolicy` , or `InstanceId` .", "title": "LaunchConfigurationName", 
@@ -21990,6 +22280,22 @@ }, "type": "object" }, + "AWS::AutoScaling::AutoScalingGroup.InstanceMaintenancePolicy": { + "additionalProperties": false, + "properties": { + "MaxHealthyPercentage": { + "markdownDescription": "Specifies the upper threshold as a percentage of the desired capacity of the Auto Scaling group. It represents the maximum percentage of the group that can be in service and healthy, or pending, to support your workload when replacing instances. Value range is 100 to 200. After it's set, a value of `-1` will clear the previously set value.\n\nBoth `MinHealthyPercentage` and `MaxHealthyPercentage` must be specified, and the difference between them cannot be greater than 100. A large range increases the number of instances that can be replaced at the same time.", + "title": "MaxHealthyPercentage", + "type": "number" + }, + "MinHealthyPercentage": { + "markdownDescription": "Specifies the lower threshold as a percentage of the desired capacity of the Auto Scaling group. It represents the minimum percentage of the group to keep in service, healthy, and ready to use to support your workload when replacing instances. Value range is 0 to 100. After it's set, a value of `-1` will clear the previously set value.", + "title": "MinHealthyPercentage", + "type": "number" + } + }, + "type": "object" + }, "AWS::AutoScaling::AutoScalingGroup.InstanceRequirements": { "additionalProperties": false, "properties": { @@ -22133,6 +22439,10 @@ "title": "VCpuCount" } }, + "required": [ + "MemoryMiB", + "VCpuCount" + ], "type": "object" }, "AWS::AutoScaling::AutoScalingGroup.InstancesDistribution": { 
@@ -22233,7 +22543,7 @@ "type": "string" }, "Version": { - "markdownDescription": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html#aws-properties-as-group--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource.", + "markdownDescription": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-autoscaling-autoscalinggroup.html#aws-resource-autoscaling-autoscalinggroup--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource.", "title": "Version", "type": "string" } 
@@ -23804,7 +24114,7 @@ "title": "CustomizedLoadMetricSpecification" }, "DisableDynamicScaling": { - "markdownDescription": "Controls whether dynamic scaling by AWS Auto Scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", + "markdownDescription": "Controls whether dynamic scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", "title": "DisableDynamicScaling", "type": "boolean" }, @@ -23849,7 +24159,7 @@ "type": "string" }, "ScalingPolicyUpdateBehavior": { - "markdownDescription": "Controls whether your scaling policies that are external to AWS Auto Scaling are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", + "markdownDescription": "Controls whether a resource's externally created scaling policies are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", "title": "ScalingPolicyUpdateBehavior", "type": "string" }, 
@@ -23948,6 +24258,243 @@ ], "type": "object" }, + "AWS::B2BI::Profile": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "BusinessName": { + "markdownDescription": "Returns the name for the business associated with this profile.", + "title": "BusinessName", + "type": "string" + }, + "Email": { + "markdownDescription": "", + "title": "Email", + "type": "string" + }, + "Logging": { + "markdownDescription": "Specifies whether or not logging is enabled for this profile.", + "title": "Logging", + "type": "string" + }, + "Name": { + "markdownDescription": "Returns the display name for profile.", + "title": "Name", + "type": "string" + }, + "Phone": { + "markdownDescription": "", + "title": "Phone", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "A key-value pair for a specific profile. 
Tags are metadata that you can use to search for and group capabilities for various purposes.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "BusinessName", + "Logging", + "Name", + "Phone" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::B2BI::Profile" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::B2BI::Transformer": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "EdiType": { + "$ref": "#/definitions/AWS::B2BI::Transformer.EdiType", + "markdownDescription": "Returns the details for the EDI standard that is being used for the transformer. Currently, only X12 is supported. 
X12 is a set of standards and corresponding messages that define specific business documents.", + "title": "EdiType" + }, + "FileFormat": { + "markdownDescription": "Returns that the currently supported file formats for EDI transformations are `JSON` and `XML` .", + "title": "FileFormat", + "type": "string" + }, + "MappingTemplate": { + "markdownDescription": "Returns a sample EDI document that is used by a transformer as a guide for processing the EDI data.", + "title": "MappingTemplate", + "type": "string" + }, + "ModifiedAt": { + "markdownDescription": "Returns a timestamp representing the date and time for the most recent change for the transformer object.", + "title": "ModifiedAt", + "type": "string" + }, + "Name": { + "markdownDescription": "Returns the descriptive name for the transformer.", + "title": "Name", + "type": "string" + }, + "SampleDocument": { + "markdownDescription": "Returns a sample EDI document that is used by a transformer as a guide for processing the EDI data.", + "title": "SampleDocument", + "type": "string" + }, + "Status": { + "markdownDescription": "Returns the state of the newly created transformer. The transformer can be either `active` or `inactive` . For the transformer to be used in a capability, its status must `active` .", + "title": "Status", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "A key-value pair for a specific transformer. 
Tags are metadata that you can use to search for and group capabilities for various purposes.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "EdiType", + "FileFormat", + "MappingTemplate", + "Name", + "Status" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::B2BI::Transformer" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::B2BI::Transformer.EdiType": { + "additionalProperties": false, + "properties": { + "X12Details": { + "$ref": "#/definitions/AWS::B2BI::Transformer.X12Details", + "markdownDescription": "Returns the details for the EDI standard that is being used for the transformer. Currently, only X12 is supported. X12 is a set of standards and corresponding messages that define specific business documents.", + "title": "X12Details" + } + }, + "required": [ + "X12Details" + ], + "type": "object" + }, + "AWS::B2BI::Transformer.X12Details": { + "additionalProperties": false, + "properties": { + "TransactionSet": { + "markdownDescription": "Returns an enumerated type where each value identifies an X12 transaction set. Transaction sets are maintained by the X12 Accredited Standards Committee.", + "title": "TransactionSet", + "type": "string" + }, + "Version": { + "markdownDescription": "Returns the version to use for the specified X12 transaction set. Supported versions are `4010` , `4030` , and `5010` .", + "title": "Version", + "type": "string" + } + }, + "type": "object" + }, "AWS::Backup::BackupPlan": { "additionalProperties": false, "properties": { @@ -24125,6 +24672,8 @@ "type": "string" }, "ScheduleExpressionTimezone": { + "markdownDescription": "", + "title": "ScheduleExpressionTimezone", "type": "string" }, "StartWindowMinutes": { 
@@ -24682,7 +25231,7 @@ }, "ControlScope": { "$ref": "#/definitions/AWS::Backup::Framework.ControlScope", - "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans. For more information, see [`ControlScope` .](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_ControlScope.html)", + "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans.", "title": "ControlScope" } }, @@ -24855,7 +25404,7 @@ ], "type": "object" }, - "AWS::BackupGateway::Hypervisor": { + "AWS::Backup::RestoreTestingPlan": { "additionalProperties": false, "properties": { "Condition": { 
@@ -24890,50 +25439,50 @@ "Properties": { "additionalProperties": false, "properties": { - "Host": { - "markdownDescription": "The server host of the hypervisor. This can be either an IP address or a fully-qualified domain name (FQDN).", - "title": "Host", - "type": "string" + "RecoveryPointSelection": { + "$ref": "#/definitions/AWS::Backup::RestoreTestingPlan.RestoreTestingRecoveryPointSelection", + "markdownDescription": "The specified criteria to assign a set of resources, such as recovery point types or backup vaults.", + "title": "RecoveryPointSelection" }, - "KmsKeyArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Key Management Service used to encrypt the hypervisor.", - "title": "KmsKeyArn", + "RestoreTestingPlanName": { + "markdownDescription": "This is the restore testing plan name.", + "title": "RestoreTestingPlanName", "type": "string" }, - "LogGroupArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the group of gateways within the requested log.", - "title": "LogGroupArn", + "ScheduleExpression": { + "markdownDescription": "A CRON expression in specified timezone when a restore testing plan is executed.", + "title": "ScheduleExpression", "type": "string" }, - "Name": { - "markdownDescription": "The name of the hypervisor.", - "title": "Name", + "ScheduleExpressionTimezone": { + "markdownDescription": "Optional. This is the timezone in which the schedule expression is set. By default, ScheduleExpressions are in UTC. You can modify this to a specified timezone.", + "title": "ScheduleExpressionTimezone", "type": "string" }, - "Password": { - "markdownDescription": "The password for the hypervisor.", - "title": "Password", - "type": "string" + "StartWindowHours": { + "markdownDescription": "Defaults to 24 hours.\n\nA value in hours after a restore test is scheduled before a job will be canceled if it doesn't start successfully. This value is optional. 
If this value is included, this parameter has a maximum value of 168 hours (one week).", + "title": "StartWindowHours", + "type": "number" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags of the hypervisor configuration to import.", + "markdownDescription": "", "title": "Tags", "type": "array" - }, - "Username": { - "markdownDescription": "The username for the hypervisor.", - "title": "Username", - "type": "string" } }, + "required": [ + "RecoveryPointSelection", + "RestoreTestingPlanName", + "ScheduleExpression" + ], "type": "object" }, "Type": { "enum": [ - "AWS::BackupGateway::Hypervisor" + "AWS::Backup::RestoreTestingPlan" ], "type": "string" }, 
@@ -24947,11 +25496,309 @@ } }, "required": [ - "Type" + "Type", + "Properties" ], "type": "object" }, - "AWS::Batch::ComputeEnvironment": { + "AWS::Backup::RestoreTestingPlan.RestoreTestingRecoveryPointSelection": { + "additionalProperties": false, + "properties": { + "Algorithm": { + "markdownDescription": "Acceptable values include \"LATEST_WITHIN_WINDOW\" or \"RANDOM_WITHIN_WINDOW\"", + "title": "Algorithm", + "type": "string" + }, + "ExcludeVaults": { + "items": { + "type": "string" + }, + "markdownDescription": "Accepted values include specific ARNs or list of selectors. Defaults to empty list if not listed.", + "title": "ExcludeVaults", + "type": "array" + }, + "IncludeVaults": { + "items": { + "type": "string" + }, + "markdownDescription": "Accepted values include wildcard [\"*\"] or by specific ARNs or ARN wilcard replacement [\"arn:aws:backup:us-west-2:123456789012:backup-vault:asdf\", ...] [\"arn:aws:backup:*:*:backup-vault:asdf-*\", ...]", + "title": "IncludeVaults", + "type": "array" + }, + "RecoveryPointTypes": { + "items": { + "type": "string" + }, + "markdownDescription": "These are the types of recovery points.", + "title": "RecoveryPointTypes", + "type": "array" + }, + "SelectionWindowDays": { + "markdownDescription": "Accepted values are integers from 1 to 365.", + "title": "SelectionWindowDays", + "type": "number" + } + }, + "required": [ + "Algorithm", + "IncludeVaults", + "RecoveryPointTypes" + ], + "type": "object" + }, + "AWS::Backup::RestoreTestingSelection": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + 
"properties": { + "IamRoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role that AWS Backup uses to create the target resource; for example: `arn:aws:iam::123456789012:role/S3Access` .", + "title": "IamRoleArn", + "type": "string" + }, + "ProtectedResourceArns": { + "items": { + "type": "string" + }, + "markdownDescription": "You can include specific ARNs, such as `ProtectedResourceArns: [\"arn:aws:...\", \"arn:aws:...\"]` or you can include a wildcard: `ProtectedResourceArns: [\"*\"]` , but not both.", + "title": "ProtectedResourceArns", + "type": "array" + }, + "ProtectedResourceConditions": { + "$ref": "#/definitions/AWS::Backup::RestoreTestingSelection.ProtectedResourceConditions", + "markdownDescription": "In a resource testing selection, this parameter filters by specific conditions such as `StringEquals` or `StringNotEquals` .", + "title": "ProtectedResourceConditions" + }, + "ProtectedResourceType": { + "markdownDescription": "The type of AWS resource included in a resource testing selection; for example, an Amazon EBS volume or an Amazon RDS database.", + "title": "ProtectedResourceType", + "type": "string" + }, + "RestoreMetadataOverrides": { + "additionalProperties": true, + "markdownDescription": "You can override certain restore metadata keys by including the parameter `RestoreMetadataOverrides` in the body of `RestoreTestingSelection` . 
Key values are not case sensitive.\n\nSee the complete list of [restore testing inferred metadata](https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing-inferred-metadata.html) .", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "RestoreMetadataOverrides", + "type": "object" + }, + "RestoreTestingPlanName": { + "markdownDescription": "The RestoreTestingPlanName is a unique string that is the name of the restore testing plan.", + "title": "RestoreTestingPlanName", + "type": "string" + }, + "RestoreTestingSelectionName": { + "markdownDescription": "This is the unique name of the restore testing selection that belongs to the related restore testing plan.", + "title": "RestoreTestingSelectionName", + "type": "string" + }, + "ValidationWindowHours": { + "markdownDescription": "This is amount of hours (1 to 168) available to run a validation script on the data. The data will be deleted upon the completion of the validation script or the end of the specified retention period, whichever comes first.", + "title": "ValidationWindowHours", + "type": "number" + } + }, + "required": [ + "IamRoleArn", + "ProtectedResourceType", + "RestoreTestingPlanName", + "RestoreTestingSelectionName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Backup::RestoreTestingSelection" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::Backup::RestoreTestingSelection.KeyValue": { + "additionalProperties": false, + "properties": { + "Key": { + "markdownDescription": "The tag key (String). The key can't start with `aws:` .\n\nLength Constraints: Minimum length of 1. 
Maximum length of 128.\n\nPattern: `^(?![aA]{1}[wW]{1}[sS]{1}:)([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]+)$`", + "title": "Key", + "type": "string" + }, + "Value": { + "markdownDescription": "The value of the key.\n\nLength Constraints: Maximum length of 256.\n\nPattern: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$`", + "title": "Value", + "type": "string" + } + }, + "required": [ + "Key", + "Value" + ], + "type": "object" + }, + "AWS::Backup::RestoreTestingSelection.ProtectedResourceConditions": { + "additionalProperties": false, + "properties": { + "StringEquals": { + "items": { + "$ref": "#/definitions/AWS::Backup::RestoreTestingSelection.KeyValue" + }, + "markdownDescription": "Filters the values of your tagged resources for only those resources that you tagged with the same value. Also called \"exact matching.\"", + "title": "StringEquals", + "type": "array" + }, + "StringNotEquals": { + "items": { + "$ref": "#/definitions/AWS::Backup::RestoreTestingSelection.KeyValue" + }, + "markdownDescription": "Filters the values of your tagged resources for only those resources that you tagged that do not have the same value. Also called \"negated matching.\"", + "title": "StringNotEquals", + "type": "array" + } + }, + "type": "object" + }, + "AWS::BackupGateway::Hypervisor": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Host": { + "markdownDescription": "The server host of the hypervisor. 
This can be either an IP address or a fully-qualified domain name (FQDN).", + "title": "Host", + "type": "string" + }, + "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Key Management Service used to encrypt the hypervisor.", + "title": "KmsKeyArn", + "type": "string" + }, + "LogGroupArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the group of gateways within the requested log.", + "title": "LogGroupArn", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of the hypervisor.", + "title": "Name", + "type": "string" + }, + "Password": { + "markdownDescription": "The password for the hypervisor.", + "title": "Password", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags of the hypervisor configuration to import.", + "title": "Tags", + "type": "array" + }, + "Username": { + "markdownDescription": "The username for the hypervisor.", + "title": "Username", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::BackupGateway::Hypervisor" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::Batch::ComputeEnvironment": { "additionalProperties": false, "properties": { "Condition": { 
@@ -25073,7 +25920,7 @@ "additionalProperties": false, "properties": { "AllocationStrategy": { - "markdownDescription": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . `BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. 
If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n\nWith both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", + "markdownDescription": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . 
`BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n- **SPOT_PRICE_CAPACITY_OPTIMIZED** - The price and capacity optimized allocation strategy looks at both price and capacity to select the Spot Instance pools that are the least likely to be interrupted and have the lowest possible price. 
This allocation strategy is only available for Spot Instance compute resources.\n\n> We recommend that you use `SPOT_PRICE_CAPACITY_OPTIMIZED` rather than `SPOT_CAPACITY_OPTIMIZED` in most instances.\n\nWith `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` , and `SPOT_PRICE_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "title": "AllocationStrategy", "type": "string" }, 
@@ -25106,7 +25953,7 @@ "type": "string" }, "InstanceRole": { - "markdownDescription": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", + "markdownDescription": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. Required for Amazon EC2 instances. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "title": "InstanceRole", "type": "string" }, 
@@ -25124,7 +25971,7 @@ "title": "LaunchTemplate" }, "MaxvCpus": { - "markdownDescription": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance. That is, no more than a single instance from among those specified in your compute environment.", + "markdownDescription": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` and `SPOT_PRICE_CAPACITY_OPTIMIZED` (recommended) strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "title": "MaxvCpus", "type": "number" }, 
@@ -25202,7 +26049,7 @@ "type": "string" }, "ImageType": { - "markdownDescription": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. 
If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.", + "markdownDescription": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. 
If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL2023** - [Amazon Linux 2023](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) : AWS Batch supports Amazon Linux 2023.\n\n> Amazon Linux 2023 does not support `A1` instances.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. 
If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.", "title": "ImageType", "type": "string" } 
@@ -25445,7 +26292,7 @@ "title": "FargatePlatformConfiguration" }, "Image": { - "markdownDescription": "The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", + "markdownDescription": "Required. The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. 
Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", "title": "Image", "type": "string" }, @@ -25506,7 +26353,9 @@ "type": "array" }, "RuntimePlatform": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.RuntimePlatform" + "$ref": "#/definitions/AWS::Batch::JobDefinition.RuntimePlatform", + "markdownDescription": "An object that represents the compute environment architecture for AWS Batch jobs on Fargate.", + "title": "RuntimePlatform" }, "Secrets": { "items": { 
@@ -25655,7 +26504,7 @@ }, "SecurityContext": { "$ref": "#/definitions/AWS::Batch::JobDefinition.EksContainerSecurityContext", - "markdownDescription": "", + "markdownDescription": "The security context for a job. For more information, see [Configure a security context for a pod or container](https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) in the *Kubernetes documentation* .", "title": "SecurityContext" }, "VolumeMounts": { 
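Review bot: The link in the new `SecurityContext` description is malformed: it reads `https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/security-context/`, so the Kubernetes host is nested as a path under docs.aws.amazon.com and will not reach the security-context guide. The intended target is presumably `https://kubernetes.io/docs/tasks/configure-pod-container/security-context/`. This file looks generated, so the correction probably belongs in the docs source or the generator, not in a hand edit here. The `Image` description in the `@@ -25445,7 +26292,7 @@` hunk has the same prefix problem on its Docker links.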
@@ -26156,9 +27005,13 @@ "additionalProperties": false, "properties": { "CpuArchitecture": { + "markdownDescription": "The vCPU architecture. The default value is `X86_64` . Valid values are `X86_64` and `ARM64` .\n\n> This parameter must be set to `X86_64` for Windows containers. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "title": "CpuArchitecture", "type": "string" }, "OperatingSystemFamily": { + "markdownDescription": "The operating system for the compute environment. Valid values are: `LINUX` (default), `WINDOWS_SERVER_2019_CORE` , `WINDOWS_SERVER_2019_FULL` , `WINDOWS_SERVER_2022_CORE` , and `WINDOWS_SERVER_2022_FULL` .\n\n> The following parameters can\u2019t be set for Windows containers: `linuxParameters` , `privileged` , `user` , `ulimits` , `readonlyRootFilesystem` , and `efsVolumeConfiguration` . > The AWS Batch Scheduler checks the compute environments that are attached to the job queue before registering a task definition with Fargate. In this scenario, the job queue is where the job is submitted. If the job requires a Windows container and the first compute environment is `LINUX` , the compute environment is skipped and the next compute environment is checked until a Windows-based compute environment is found. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "title": "OperatingSystemFamily", "type": "string" } }, 
@@ -26232,7 +27085,7 @@ "type": "number" }, "Name": { - "markdownDescription": "The `type` of the `ulimit` .", + "markdownDescription": "The `type` of the `ulimit` . Valid values are: `core` | `cpu` | `data` | `fsize` | `locks` | `memlock` | `msgqueue` | `nice` | `nofile` | `nproc` | `rss` | `rtprio` | `rttime` | `sigpending` | `stack` .", "title": "Name", "type": "string" }, @@ -26559,7 +27412,7 @@ "properties": { "AccountGrouping": { "$ref": "#/definitions/AWS::BillingConductor::BillingGroup.AccountGrouping", - "markdownDescription": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated family.", + "markdownDescription": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated billing family.", "title": "AccountGrouping" }, "ComputationPreference": { @@ -26586,7 +27439,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "A map that contains tag keys and tag values that are attached to a billing group.", "title": "Tags", "type": "array" } @@ -26624,6 +27477,8 @@ "additionalProperties": false, "properties": { "AutoAssociate": { + "markdownDescription": "Specifies if this billing group will automatically associate newly added AWS accounts that join your consolidated billing family.", + "title": "AutoAssociate", "type": "boolean" }, "LinkedAccountIds": { @@ -26689,6 +27544,11 @@ "Properties": { "additionalProperties": false, "properties": { + "AccountId": { + "markdownDescription": "The AWS account in which this custom line item will be applied to.", + "title": "AccountId", + "type": "string" + }, "BillingGroupArn": { "markdownDescription": "The Amazon Resource Name (ARN) that references the billing group where the custom line item applies to.", "title": "BillingGroupArn", 
@@ -26778,6 +27638,8 @@ "items": { "$ref": "#/definitions/AWS::BillingConductor::CustomLineItem.LineItemFilter" }, + "markdownDescription": "A representation of the line item filter.", + "title": "LineItemFilters", "type": "array" }, "Percentage": { @@ -26836,15 +27698,21 @@ "additionalProperties": false, "properties": { "Attribute": { + "markdownDescription": "The attribute of the line item filter. This specifies what attribute that you can filter on.", + "title": "Attribute", "type": "string" }, "MatchOption": { + "markdownDescription": "The match criteria of the line item filter. This parameter specifies whether not to include the resource value from the billing group total cost.", + "title": "MatchOption", "type": "string" }, "Values": { "items": { "type": "string" }, + "markdownDescription": "The values of the line item filter. This specifies the values to filter on. Currently, you can only exclude Savings Plan discounts.", + "title": "Values", "type": "array" } }, @@ -27084,7 +27952,7 @@ "properties": { "FreeTier": { "$ref": "#/definitions/AWS::BillingConductor::PricingRule.FreeTier", - "markdownDescription": "", + "markdownDescription": "The possible AWS Free Tier configurations.", "title": "FreeTier" } }, 
@@ -27208,7 +28076,7 @@ "type": "string" }, "CostFilters": { - "markdownDescription": "The cost filters, such as `Region` , `Service` , `member account` , `Tag` , or `Cost Category` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", + "markdownDescription": "The cost filters, such as `Region` , `Service` , `LinkedAccount` , `Tag` , or `CostCategory` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", "title": "CostFilters", "type": "object" }, @@ -27377,7 +28245,7 @@ "type": "number" }, "Unit": { - "markdownDescription": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as USD or GBP.", + "markdownDescription": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold.", "title": "Unit", "type": "string" } 
@@ -28635,6 +29503,8 @@ "type": "array" }, "KeyAlgorithm": { + "markdownDescription": "Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see [Key algorithms](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms) .\n\n> Algorithms supported for an ACM certificate request include:\n> \n> - `RSA_2048`\n> - `EC_prime256v1`\n> - `EC_secp384r1`\n> \n> Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. \n\nDefault: RSA_2048", + "title": "KeyAlgorithm", "type": "string" }, "SubjectAlternativeNames": { @@ -28781,7 +29651,7 @@ "type": "string" }, "TeamsChannelId": { - "markdownDescription": "The ID of the Microsoft Teams channel.\n\nTo get the channel ID, open Microsoft Teams, right click on the channel name in the left pane, then choose Copy. An example of the channel ID syntax is: `19%3ab6ef35dc342d56ba5654e6fc6d25a071%40thread.tacv2` .", + "markdownDescription": "", "title": "TeamsChannelId", "type": "string" }, 
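Review bot: The `TeamsChannelId` change in the `@@ -28781,7 +29651,7 @@` hunk replaces a useful description (how to find the channel ID, plus an example of its syntax) with `"markdownDescription": ""`. The rest of this diff mostly fills empty descriptions in, so this looks like a regression in the upstream docs snapshot, not an intended edit. If the schema is generated, confirm the source docs for this property before regenerating, or carry the previous text forward so the property keeps its description.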
@@ -28976,27 +29846,41 @@ "items": { "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisParameter" }, + "markdownDescription": "The parameters of the analysis template.", + "title": "AnalysisParameters", "type": "array" }, "Description": { + "markdownDescription": "The description of the analysis template.", + "title": "Description", "type": "string" }, "Format": { + "markdownDescription": "The format of the analysis template.", + "title": "Format", "type": "string" }, "MembershipIdentifier": { + "markdownDescription": "The identifier for a membership resource.", + "title": "MembershipIdentifier", "type": "string" }, "Name": { + "markdownDescription": "The name of the analysis template.", + "title": "Name", "type": "string" }, "Source": { - "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisSource" + "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisSource", + "markdownDescription": "The source of the analysis template.", + "title": "Source" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource.", + "title": "Tags", "type": "array" } }, 
@@ -29033,12 +29917,18 @@ "additionalProperties": false, "properties": { "DefaultValue": { + "markdownDescription": "Optional. The default value that is applied in the analysis template. The member who can query can override this value in the query editor.", + "title": "DefaultValue", "type": "string" }, "Name": { + "markdownDescription": "The name of the parameter. The name must use only alphanumeric, underscore (_), or hyphen (-) characters but cannot start or end with a hyphen.", + "title": "Name", "type": "string" }, "Type": { + "markdownDescription": "The type of parameter.", + "title": "Type", "type": "string" } }, @@ -29055,6 +29945,8 @@ "items": { "type": "string" }, + "markdownDescription": "The tables referenced in the analysis schema.", + "title": "ReferencedTables", "type": "array" } }, @@ -29067,6 +29959,8 @@ "additionalProperties": false, "properties": { "Text": { + "markdownDescription": "The query text.", + "title": "Text", "type": "string" } }, @@ -29119,10 +30013,15 @@ "items": { "type": "string" }, - "markdownDescription": "The abilities granted to the collaboration creator.", + "markdownDescription": "The abilities granted to the collaboration creator.\n\n*Allowed values* `CAN_QUERY` | `CAN_RECEIVE_RESULTS`", "title": "CreatorMemberAbilities", "type": "array" }, + "CreatorPaymentConfiguration": { + "$ref": "#/definitions/AWS::CleanRooms::Collaboration.PaymentConfiguration", + "markdownDescription": "An object representing the collaboration member's payment responsibilities set by the collaboration creator.", + "title": "CreatorPaymentConfiguration" + }, "DataEncryptionMetadata": { "$ref": "#/definitions/AWS::CleanRooms::Collaboration.DataEncryptionMetadata", "markdownDescription": "The settings for client-side encryption for cryptographic computing.", 
@@ -29195,22 +30094,22 @@ "additionalProperties": false, "properties": { "AllowCleartext": { - "markdownDescription": "Indicates whether encrypted tables can contain cleartext data (true) or are to cryptographically process every column (false).", + "markdownDescription": "Indicates whether encrypted tables can contain cleartext data ( `TRUE` ) or are to cryptographically process every column ( `FALSE` ).", "title": "AllowCleartext", "type": "boolean" }, "AllowDuplicates": { - "markdownDescription": "Indicates whether Fingerprint columns can contain duplicate entries (true) or are to contain only non-repeated values (false).", + "markdownDescription": "Indicates whether Fingerprint columns can contain duplicate entries ( `TRUE` ) or are to contain only non-repeated values ( `FALSE` ).", "title": "AllowDuplicates", "type": "boolean" }, "AllowJoinsOnColumnsWithDifferentNames": { - "markdownDescription": "Indicates whether Fingerprint columns can be joined on any other Fingerprint column with a different name (true) or can only be joined on Fingerprint columns of the same name (false).", + "markdownDescription": "Indicates whether Fingerprint columns can be joined on any other Fingerprint column with a different name ( `TRUE` ) or can only be joined on Fingerprint columns of the same name ( `FALSE` ).", "title": "AllowJoinsOnColumnsWithDifferentNames", "type": "boolean" }, "PreserveNulls": { - "markdownDescription": "Indicates whether NULL values are to be copied as NULL to encrypted tables (true) or cryptographically processed (false).", + "markdownDescription": "Indicates whether NULL values are to be copied as NULL to encrypted tables ( `TRUE` ) or cryptographically processed ( `FALSE` ).", "title": "PreserveNulls", "type": "boolean" } 
@@ -29243,6 +30142,11 @@ "markdownDescription": "The abilities granted to the collaboration member.\n\n*Allowed Values* : `CAN_QUERY` | `CAN_RECEIVE_RESULTS`", "title": "MemberAbilities", "type": "array" + }, + "PaymentConfiguration": { + "$ref": "#/definitions/AWS::CleanRooms::Collaboration.PaymentConfiguration", + "markdownDescription": "The collaboration member's payment responsibilities set by the collaboration creator.\n\nIf the collaboration creator hasn't speci\ufb01ed anyone as the member paying for query compute costs, then the member who can query is the default payer.", + "title": "PaymentConfiguration" } }, "required": [ 
@@ -29252,6 +30156,34 @@ ], "type": "object" }, + "AWS::CleanRooms::Collaboration.PaymentConfiguration": { + "additionalProperties": false, + "properties": { + "QueryCompute": { + "$ref": "#/definitions/AWS::CleanRooms::Collaboration.QueryComputePaymentConfig", + "markdownDescription": "The collaboration member's payment responsibilities set by the collaboration creator for query compute costs.", + "title": "QueryCompute" + } + }, + "required": [ + "QueryCompute" + ], + "type": "object" + }, + "AWS::CleanRooms::Collaboration.QueryComputePaymentConfig": { + "additionalProperties": false, + "properties": { + "IsResponsible": { + "markdownDescription": "Indicates whether the collaboration creator has configured the collaboration member to pay for query compute costs ( `TRUE` ) or has not configured the collaboration member to pay for query compute costs ( `FALSE` ).\n\nExactly one member can be configured to pay for query compute costs. An error is returned if the collaboration creator sets a `TRUE` value for more than one member in the collaboration.\n\nIf the collaboration creator hasn't specified anyone as the member paying for query compute costs, then the member who can query is the default payer. An error is returned if the collaboration creator sets a `FALSE` value for the member who can query.", + "title": "IsResponsible", + "type": "boolean" + } + }, + "required": [ + "IsResponsible" + ], + "type": "object" + }, "AWS::CleanRooms::ConfiguredTable": { "additionalProperties": false, "properties": { @@ -29419,7 +30351,7 @@ "title": "Policy" }, "Type": { - "markdownDescription": "The type of analysis rule. Valid values are `AGGREGATION` and `LIST`.", + "markdownDescription": "The type of analysis rule.", "title": "Type", "type": "string" } 
@@ -29503,12 +30435,16 @@ "items": { "type": "string" }, + "markdownDescription": "The analysis templates that are allowed by the custom analysis rule.", + "title": "AllowedAnalyses", "type": "array" }, "AllowedAnalysisProviders": { "items": { "type": "string" }, + "markdownDescription": "The AWS accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` .", + "title": "AllowedAnalysisProviders", "type": "array" } }, @@ -29524,7 +30460,7 @@ "items": { "type": "string" }, - "markdownDescription": "Which logical operators (if any) are to be used in an INNER JOIN match condition. Default is `AND` .", + "markdownDescription": "The logical operators (if any) that are to be used in an INNER JOIN match condition. Default is `AND` .", "title": "AllowedJoinOperators", "type": "array" }, @@ -29574,7 +30510,9 @@ "title": "Aggregation" }, "Custom": { - "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleCustom" + "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleCustom", + "markdownDescription": "Analysis rule type that enables custom SQL queries on a configured table.", + "title": "Custom" }, "List": { "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleList", 
@@ -29757,10 +30695,17 @@ "type": "string" }, "DefaultResultConfiguration": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryResultConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryResultConfiguration", + "markdownDescription": "The default protected query result configuration as specified by the member who can receive results.", + "title": "DefaultResultConfiguration" + }, + "PaymentConfiguration": { + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipPaymentConfiguration", + "markdownDescription": "The payment responsibilities accepted by the collaboration member.", + "title": "PaymentConfiguration" }, "QueryLogStatus": { - "markdownDescription": "An indicator as to whether query logging has been enabled or disabled for the collaboration.", + "markdownDescription": "An indicator as to whether query logging has been enabled or disabled for the membership.", "title": "QueryLogStatus", "type": "string" }, @@ -29800,11 +30745,27 @@ ], "type": "object" }, + "AWS::CleanRooms::Membership.MembershipPaymentConfiguration": { + "additionalProperties": false, + "properties": { + "QueryCompute": { + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipQueryComputePaymentConfig", + "markdownDescription": "The payment responsibilities accepted by the collaboration member for query compute costs.", + "title": "QueryCompute" + } + }, + "required": [ + "QueryCompute" + ], + "type": "object" + }, "AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration": { "additionalProperties": false, "properties": { "S3": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration", + "markdownDescription": "Required configuration for a protected query with an `S3` output type.", + "title": "S3" } }, "required": [ 
@@ -29816,9 +30777,13 @@ "additionalProperties": false, "properties": { "OutputConfiguration": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration", + "markdownDescription": "Configuration for protected query results.", + "title": "OutputConfiguration" }, "RoleArn": { + "markdownDescription": "The unique ARN for an IAM role that is used by AWS Clean Rooms to write protected query results to the result location, given by the member who can receive results.", + "title": "RoleArn", "type": "string" } }, 
@@ -29827,16 +30792,36 @@ ], "type": "object" }, + "AWS::CleanRooms::Membership.MembershipQueryComputePaymentConfig": { + "additionalProperties": false, + "properties": { + "IsResponsible": { + "markdownDescription": "Indicates whether the collaboration member has accepted to pay for query compute costs ( `TRUE` ) or has not accepted to pay for query compute costs ( `FALSE` ).\n\nIf the collaboration creator has not specified anyone to pay for query compute costs, then the member who can query is the default payer.\n\nAn error message is returned for the following reasons:\n\n- If you set the value to `FALSE` but you are responsible to pay for query compute costs.\n- If you set the value to `TRUE` but you are not responsible to pay for query compute costs.", + "title": "IsResponsible", + "type": "boolean" + } + }, + "required": [ + "IsResponsible" + ], + "type": "object" + }, "AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration": { "additionalProperties": false, "properties": { "Bucket": { + "markdownDescription": "The S3 bucket to unload the protected query results.", + "title": "Bucket", "type": "string" }, "KeyPrefix": { + "markdownDescription": "The S3 prefix to unload the protected query results.", + "title": "KeyPrefix", "type": "string" }, "ResultFormat": { + "markdownDescription": "Intended file format of the result.", + "title": "ResultFormat", "type": "string" } }, 
@@ -29897,7 +30882,7 @@ "type": "string" }, "ImageId": { - "markdownDescription": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nThe default AMI is used if the parameter isn't explicitly assigned a value in the request.\n\n*AMI aliases*\n\n- *Amazon Linux (default): `amazonlinux-1-x86_64`*\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n\n*SSM paths*\n\n- *Amazon Linux (default): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`*\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`", + "markdownDescription": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nFrom December 04, 2023, you will be required to include the `imageId` parameter for the `CreateEnvironmentEC2` action. This change will be reflected across all direct methods of communicating with the API, such as AWS SDK, AWS CLI and AWS CloudFormation. This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nFrom January 22, 2024, Amazon Linux (AL1) will be removed from the list of available image IDs for Cloud9. This is necessary as AL1 will reach the end of maintenance support in December 2023, and as a result will no longer receive security updates. We recommend using Amazon Linux 2023 as the new AMI to create your environment as it is fully supported. 
This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nSince Ubuntu 18.04 has ended standard support as of May 31, 2023, we recommend you choose Ubuntu 22.04.\n\n*AMI aliases*\n\n- Amazon Linux (end of maintenance support December 2023): `amazonlinux-1-x86_64`\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Amazon Linux 2023 (recommended): `amazonlinux-2023-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `ubuntu-22.04-x86_64`\n\n*SSM paths*\n\n- Amazon Linux (end of maintenance support December 2023): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Amazon Linux 2023 (recommended): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2023-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64`", "title": "ImageId", "type": "string" }, @@ -29939,6 +30924,7 @@ } }, "required": [ + "ImageId", "InstanceType" ], "type": "object" @@ -31065,7 +32051,7 @@ "type": "array" }, "StackSetName": { - "markdownDescription": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n*Maximum* : `128`\n\n*Pattern* : `^[a-zA-Z][a-zA-Z0-9-]{0,127}$`\n\n> The `StackSetName` property is required.", + "markdownDescription": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n> The `StackSetName` property is required.", "title": "StackSetName", "type": "string" }, 
@@ -31073,17 +32059,17 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The key-value pairs to associate with this stack set and the stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the stacks. A maximum number of 50 tags can be specified.", + "markdownDescription": "Key-value pairs to associate with this stack. AWS CloudFormation also propagates these tags to supported resources in the stack. You can specify a maximum number of 50 tags.\n\nIf you don't specify this parameter, AWS CloudFormation doesn't modify the stack's tags. If you specify an empty value, AWS CloudFormation removes all associated tags.", "title": "Tags", "type": "array" }, "TemplateBody": { - "markdownDescription": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.\n\n*Minimum* : `1`\n\n*Maximum* : `51200`", + "markdownDescription": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.", "title": "TemplateBody", "type": "string" }, "TemplateURL": { - "markdownDescription": "Location of file containing the template body. 
The URL must point to a template (max size: 460,800 bytes) that's located in an Amazon S3 bucket.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both.\n\n*Minimum* : `1`\n\n*Maximum* : `1024`", + "markdownDescription": "Location of file containing the template body. The URL must point to a template that's located in an Amazon S3 bucket or a Systems Manager document. For more information, go to [Template Anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) in the AWS CloudFormation User Guide.\n\nConditional: You must specify only one of the following parameters: `TemplateBody` , `TemplateURL` .", "title": "TemplateURL", "type": "string" } @@ -31148,6 +32134,8 @@ "type": "array" }, "AccountsUrl": { + "markdownDescription": "Returns the value of the `AccountsUrl` property.", + "title": "AccountsUrl", "type": "string" }, "OrganizationalUnitIds": { @@ -31204,7 +32192,7 @@ "items": { "type": "string" }, - "markdownDescription": "The order of the Regions where you want to perform the stack operation.", + "markdownDescription": "The order of the Regions where you want to perform the stack operation.\n\n> `RegionOrder` isn't followed if `AutoDeployment` is enabled.", "title": "RegionOrder", "type": "array" } 
@@ -31889,10 +32877,14 @@ "type": "boolean" }, "SingleHeaderPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleHeaderPolicyConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleHeaderPolicyConfig", + "markdownDescription": "This configuration determines which HTTP requests are sent to the staging distribution. If the HTTP request contains a header and value that matches what you specify here, the request is sent to the staging distribution. Otherwise the request is sent to the primary distribution.", + "title": "SingleHeaderPolicyConfig" }, "SingleWeightPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleWeightPolicyConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleWeightPolicyConfig", + "markdownDescription": "This configuration determines the percentage of HTTP requests that are sent to the staging distribution.", + "title": "SingleWeightPolicyConfig" }, "StagingDistributionDnsNames": { "items": { @@ -31908,6 +32900,8 @@ "title": "TrafficConfig" }, "Type": { + "markdownDescription": "The type of traffic configuration.", + "title": "Type", "type": "string" } }, @@ -31961,9 +32955,13 @@ "additionalProperties": false, "properties": { "Header": { + "markdownDescription": "", + "title": "Header", "type": "string" }, "Value": { + "markdownDescription": "", + "title": "Value", "type": "string" } }, @@ -31996,9 +32994,13 @@ "additionalProperties": false, "properties": { "SessionStickinessConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SessionStickinessConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SessionStickinessConfig", + "markdownDescription": "", + "title": "SessionStickinessConfig" }, "Weight": { + "markdownDescription": "", + "title": "Weight", "type": "number" } }, 
@@ -33012,7 +34014,7 @@ "type": "string" }, "CloudFrontDefaultCertificate": { - "markdownDescription": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), set this field to `false` and specify values for the following fields:\n\n- `ACMCertificateArn` or `IAMCertificateId` (specify a value for one, not both)\n\nIn CloudFormation, these field names are `AcmCertificateArn` and `IamCertificateId` . Note the different capitalization.\n- `MinimumProtocolVersion`\n- `SSLSupportMethod` (In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization.)", + "markdownDescription": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), omit this field and specify values for the following fields:\n\n- `AcmCertificateArn` or `IamCertificateId` (specify a value for one, not both)\n- `MinimumProtocolVersion`\n- `SslSupportMethod`", "title": "CloudFrontDefaultCertificate", "type": "boolean" }, @@ -33132,7 +34134,7 @@ "type": "string" }, "Runtime": { - "markdownDescription": "The function's runtime environment. The only valid value is `cloudfront-js-1.0` .", + "markdownDescription": "The function's runtime environment version.", "title": "Runtime", "type": "string" } @@ -33249,7 +34251,7 @@ ], "type": "object" }, - "AWS::CloudFront::MonitoringSubscription": { + "AWS::CloudFront::KeyValueStore": { "additionalProperties": false, "properties": { "Condition": { 
@@ -33284,26 +34286,30 @@ "Properties": { "additionalProperties": false, "properties": { - "DistributionId": { - "markdownDescription": "The ID of the distribution that you are enabling metrics for.", - "title": "DistributionId", + "Comment": { + "markdownDescription": "A comment for the Key Value Store.", + "title": "Comment", "type": "string" }, - "MonitoringSubscription": { - "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription.MonitoringSubscription", - "markdownDescription": "A subscription configuration for additional CloudWatch metrics.", - "title": "MonitoringSubscription" + "ImportSource": { + "$ref": "#/definitions/AWS::CloudFront::KeyValueStore.ImportSource", + "markdownDescription": "The import source for the Key Value Store.", + "title": "ImportSource" + }, + "Name": { + "markdownDescription": "The name of the Key Value Store.", + "title": "Name", + "type": "string" } }, "required": [ - "DistributionId", - "MonitoringSubscription" + "Name" ], "type": "object" }, "Type": { "enum": [ - "AWS::CloudFront::MonitoringSubscription" + "AWS::CloudFront::KeyValueStore" ], "type": "string" }, 
@@ -33322,32 +34328,27 @@ ], "type": "object" }, - "AWS::CloudFront::MonitoringSubscription.MonitoringSubscription": { - "additionalProperties": false, - "properties": { - "RealtimeMetricsSubscriptionConfig": { - "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription.RealtimeMetricsSubscriptionConfig", - "markdownDescription": "A subscription configuration for additional CloudWatch metrics.", - "title": "RealtimeMetricsSubscriptionConfig" - } - }, - "type": "object" - }, - "AWS::CloudFront::MonitoringSubscription.RealtimeMetricsSubscriptionConfig": { + "AWS::CloudFront::KeyValueStore.ImportSource": { "additionalProperties": false, "properties": { - "RealtimeMetricsSubscriptionStatus": { - "markdownDescription": "A flag that indicates whether additional CloudWatch metrics are enabled for a given CloudFront distribution.", - "title": "RealtimeMetricsSubscriptionStatus", + "SourceArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the import source for the Key Value Store.", + "title": "SourceArn", + "type": "string" + }, + "SourceType": { + "markdownDescription": "The source type of the import source for the Key Value Store.", + "title": "SourceType", "type": "string" } }, "required": [ - "RealtimeMetricsSubscriptionStatus" + "SourceArn", + "SourceType" ], "type": "object" }, - "AWS::CloudFront::OriginAccessControl": { + "AWS::CloudFront::MonitoringSubscription": { "additionalProperties": false, "properties": { "Condition": { 
@@ -33382,20 +34383,26 @@ "Properties": { "additionalProperties": false, "properties": { - "OriginAccessControlConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginAccessControl.OriginAccessControlConfig", - "markdownDescription": "The origin access control.", - "title": "OriginAccessControlConfig" + "DistributionId": { + "markdownDescription": "The ID of the distribution that you are enabling metrics for.", + "title": "DistributionId", + "type": "string" + }, + "MonitoringSubscription": { + "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription.MonitoringSubscription", + "markdownDescription": "A subscription configuration for additional CloudWatch metrics.", + "title": "MonitoringSubscription" } }, "required": [ - "OriginAccessControlConfig" + "DistributionId", + "MonitoringSubscription" ], "type": "object" }, "Type": { "enum": [ - "AWS::CloudFront::OriginAccessControl" + "AWS::CloudFront::MonitoringSubscription" ], "type": "string" }, 
@@ -33414,44 +34421,32 @@ ], "type": "object" }, - "AWS::CloudFront::OriginAccessControl.OriginAccessControlConfig": { + "AWS::CloudFront::MonitoringSubscription.MonitoringSubscription": { "additionalProperties": false, "properties": { - "Description": { - "markdownDescription": "A description of the origin access control.", - "title": "Description", - "type": "string" - }, - "Name": { - "markdownDescription": "A name to identify the origin access control.", - "title": "Name", - "type": "string" - }, - "OriginAccessControlOriginType": { - "markdownDescription": "The type of origin that this origin access control is for.", - "title": "OriginAccessControlOriginType", - "type": "string" - }, - "SigningBehavior": { - "markdownDescription": "Specifies which requests CloudFront signs (adds authentication information to). Specify `always` for the most common use case. For more information, see [origin access control advanced settings](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#oac-advanced-settings) in the *Amazon CloudFront Developer Guide* .\n\nThis field can have one of the following values:\n\n- `always` \u2013 CloudFront signs all origin requests, overwriting the `Authorization` header from the viewer request if one exists.\n- `never` \u2013 CloudFront doesn't sign any origin requests. This value turns off origin access control for all origins in all distributions that use this origin access control.\n- `no-override` \u2013 If the viewer request doesn't contain the `Authorization` header, then CloudFront signs the origin request. If the viewer request contains the `Authorization` header, then CloudFront doesn't sign the origin request and instead passes along the `Authorization` header from the viewer request. 
*WARNING: To pass along the `Authorization` header from the viewer request, you *must* add the `Authorization` header to a [cache policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html) for all cache behaviors that use origins associated with this origin access control.*", - "title": "SigningBehavior", - "type": "string" - }, - "SigningProtocol": { - "markdownDescription": "The signing protocol of the origin access control, which determines how CloudFront signs (authenticates) requests. The only valid value is `sigv4` .", - "title": "SigningProtocol", + "RealtimeMetricsSubscriptionConfig": { + "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription.RealtimeMetricsSubscriptionConfig", + "markdownDescription": "A subscription configuration for additional CloudWatch metrics.", + "title": "RealtimeMetricsSubscriptionConfig" + } + }, + "type": "object" + }, + "AWS::CloudFront::MonitoringSubscription.RealtimeMetricsSubscriptionConfig": { + "additionalProperties": false, + "properties": { + "RealtimeMetricsSubscriptionStatus": { + "markdownDescription": "A flag that indicates whether additional CloudWatch metrics are enabled for a given CloudFront distribution.", + "title": "RealtimeMetricsSubscriptionStatus", "type": "string" } }, "required": [ - "Name", - "OriginAccessControlOriginType", - "SigningBehavior", - "SigningProtocol" + "RealtimeMetricsSubscriptionStatus" ], "type": "object" }, - "AWS::CloudFront::OriginRequestPolicy": { + "AWS::CloudFront::OriginAccessControl": { "additionalProperties": false, "properties": { "Condition": { 
@@ -33486,20 +34481,20 @@ "Properties": { "additionalProperties": false, "properties": { - "OriginRequestPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.OriginRequestPolicyConfig", - "markdownDescription": "The origin request policy configuration.", - "title": "OriginRequestPolicyConfig" + "OriginAccessControlConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginAccessControl.OriginAccessControlConfig", + "markdownDescription": "The origin access control.", + "title": "OriginAccessControlConfig" } }, "required": [ - "OriginRequestPolicyConfig" + "OriginAccessControlConfig" ], "type": "object" }, "Type": { "enum": [ - "AWS::CloudFront::OriginRequestPolicy" + "AWS::CloudFront::OriginAccessControl" ], "type": "string" }, 
@@ -33518,110 +34513,214 @@ ], "type": "object" }, - "AWS::CloudFront::OriginRequestPolicy.CookiesConfig": { + "AWS::CloudFront::OriginAccessControl.OriginAccessControlConfig": { "additionalProperties": false, "properties": { - "CookieBehavior": { - "markdownDescription": "Determines whether cookies in viewer requests are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No cookies in viewer requests are included in requests that CloudFront sends to the origin. Even when this field is set to `none` , any cookies that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the cookies in viewer requests that are listed in the `CookieNames` type are included in requests that CloudFront sends to the origin.\n- `all` \u2013 All cookies in viewer requests are included in requests that CloudFront sends to the origin.\n- `allExcept` \u2013 All cookies in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `CookieNames` type, which are not included.", - "title": "CookieBehavior", + "Description": { + "markdownDescription": "A description of the origin access control.", + "title": "Description", "type": "string" }, - "Cookies": { - "items": { - "type": "string" - }, - "markdownDescription": "Contains a list of cookie names.", - "title": "Cookies", - "type": "array" - } - }, - "required": [ - "CookieBehavior" - ], - "type": "object" - }, - "AWS::CloudFront::OriginRequestPolicy.HeadersConfig": { - "additionalProperties": false, - "properties": { - "HeaderBehavior": { - "markdownDescription": "Determines whether any HTTP headers are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No HTTP headers in viewer requests are included in requests that CloudFront sends to the origin. 
Even when this field is set to `none` , any headers that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the HTTP headers that are listed in the `Headers` type are included in requests that CloudFront sends to the origin.\n- `allViewer` \u2013 All HTTP headers in viewer requests are included in requests that CloudFront sends to the origin.\n- `allViewerAndWhitelistCloudFront` \u2013 All HTTP headers in viewer requests and the additional CloudFront headers that are listed in the `Headers` type are included in requests that CloudFront sends to the origin. The additional headers are added by CloudFront.\n- `allExcept` \u2013 All HTTP headers in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `Headers` type, which are not included.", - "title": "HeaderBehavior", + "Name": { + "markdownDescription": "A name to identify the origin access control.", + "title": "Name", "type": "string" }, - "Headers": { - "items": { - "type": "string" - }, - "markdownDescription": "Contains a list of HTTP header names.", - "title": "Headers", - "type": "array" - } - }, - "required": [ - "HeaderBehavior" - ], - "type": "object" - }, - "AWS::CloudFront::OriginRequestPolicy.OriginRequestPolicyConfig": { - "additionalProperties": false, - "properties": { - "Comment": { - "markdownDescription": "A comment to describe the origin request policy. 
The comment cannot be longer than 128 characters.", - "title": "Comment", + "OriginAccessControlOriginType": { + "markdownDescription": "The type of origin that this origin access control is for.", + "title": "OriginAccessControlOriginType", "type": "string" }, - "CookiesConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.CookiesConfig", - "markdownDescription": "The cookies from viewer requests to include in origin requests.", - "title": "CookiesConfig" - }, - "HeadersConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.HeadersConfig", - "markdownDescription": "The HTTP headers to include in origin requests. These can include headers from viewer requests and additional headers added by CloudFront.", - "title": "HeadersConfig" - }, - "Name": { - "markdownDescription": "A unique name to identify the origin request policy.", - "title": "Name", + "SigningBehavior": { + "markdownDescription": "Specifies which requests CloudFront signs (adds authentication information to). Specify `always` for the most common use case. For more information, see [origin access control advanced settings](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#oac-advanced-settings) in the *Amazon CloudFront Developer Guide* .\n\nThis field can have one of the following values:\n\n- `always` \u2013 CloudFront signs all origin requests, overwriting the `Authorization` header from the viewer request if one exists.\n- `never` \u2013 CloudFront doesn't sign any origin requests. This value turns off origin access control for all origins in all distributions that use this origin access control.\n- `no-override` \u2013 If the viewer request doesn't contain the `Authorization` header, then CloudFront signs the origin request. 
If the viewer request contains the `Authorization` header, then CloudFront doesn't sign the origin request and instead passes along the `Authorization` header from the viewer request. *WARNING: To pass along the `Authorization` header from the viewer request, you *must* add the `Authorization` header to a [cache policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html) for all cache behaviors that use origins associated with this origin access control.*", + "title": "SigningBehavior", "type": "string" }, - "QueryStringsConfig": { - "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.QueryStringsConfig", - "markdownDescription": "The URL query strings from viewer requests to include in origin requests.", - "title": "QueryStringsConfig" - } - }, - "required": [ - "CookiesConfig", - "HeadersConfig", - "Name", - "QueryStringsConfig" - ], - "type": "object" - }, - "AWS::CloudFront::OriginRequestPolicy.QueryStringsConfig": { - "additionalProperties": false, - "properties": { - "QueryStringBehavior": { - "markdownDescription": "Determines whether any URL query strings in viewer requests are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No query strings in viewer requests are included in requests that CloudFront sends to the origin. 
Even when this field is set to `none` , any query strings that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the query strings in viewer requests that are listed in the `QueryStringNames` type are included in requests that CloudFront sends to the origin.\n- `all` \u2013 All query strings in viewer requests are included in requests that CloudFront sends to the origin.\n- `allExcept` \u2013 All query strings in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `QueryStringNames` type, which are not included.", - "title": "QueryStringBehavior", + "SigningProtocol": { + "markdownDescription": "The signing protocol of the origin access control, which determines how CloudFront signs (authenticates) requests. The only valid value is `sigv4` .", + "title": "SigningProtocol", "type": "string" - }, - "QueryStrings": { - "items": { - "type": "string" - }, - "markdownDescription": "Contains a list of query string names.", - "title": "QueryStrings", - "type": "array" } }, "required": [ - "QueryStringBehavior" + "Name", + "OriginAccessControlOriginType", + "SigningBehavior", + "SigningProtocol" ], "type": "object" }, - "AWS::CloudFront::PublicKey": { + "AWS::CloudFront::OriginRequestPolicy": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "OriginRequestPolicyConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.OriginRequestPolicyConfig", + "markdownDescription": "The origin request policy configuration.", + 
"title": "OriginRequestPolicyConfig" + } + }, + "required": [ + "OriginRequestPolicyConfig" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::CloudFront::OriginRequestPolicy" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::CloudFront::OriginRequestPolicy.CookiesConfig": { + "additionalProperties": false, + "properties": { + "CookieBehavior": { + "markdownDescription": "Determines whether cookies in viewer requests are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No cookies in viewer requests are included in requests that CloudFront sends to the origin. Even when this field is set to `none` , any cookies that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the cookies in viewer requests that are listed in the `CookieNames` type are included in requests that CloudFront sends to the origin.\n- `all` \u2013 All cookies in viewer requests are included in requests that CloudFront sends to the origin.\n- `allExcept` \u2013 All cookies in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `CookieNames` type, which are not included.", + "title": "CookieBehavior", + "type": "string" + }, + "Cookies": { + "items": { + "type": "string" + }, + "markdownDescription": "Contains a list of cookie names.", + "title": "Cookies", + "type": "array" + } + }, + "required": [ + "CookieBehavior" + ], + "type": "object" + }, + "AWS::CloudFront::OriginRequestPolicy.HeadersConfig": { + "additionalProperties": false, + "properties": { + "HeaderBehavior": { + "markdownDescription": "Determines whether any HTTP headers are included in requests that CloudFront sends to the origin. 
Valid values are:\n\n- `none` \u2013 No HTTP headers in viewer requests are included in requests that CloudFront sends to the origin. Even when this field is set to `none` , any headers that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the HTTP headers that are listed in the `Headers` type are included in requests that CloudFront sends to the origin.\n- `allViewer` \u2013 All HTTP headers in viewer requests are included in requests that CloudFront sends to the origin.\n- `allViewerAndWhitelistCloudFront` \u2013 All HTTP headers in viewer requests and the additional CloudFront headers that are listed in the `Headers` type are included in requests that CloudFront sends to the origin. The additional headers are added by CloudFront.\n- `allExcept` \u2013 All HTTP headers in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `Headers` type, which are not included.", + "title": "HeaderBehavior", + "type": "string" + }, + "Headers": { + "items": { + "type": "string" + }, + "markdownDescription": "Contains a list of HTTP header names.", + "title": "Headers", + "type": "array" + } + }, + "required": [ + "HeaderBehavior" + ], + "type": "object" + }, + "AWS::CloudFront::OriginRequestPolicy.OriginRequestPolicyConfig": { + "additionalProperties": false, + "properties": { + "Comment": { + "markdownDescription": "A comment to describe the origin request policy. The comment cannot be longer than 128 characters.", + "title": "Comment", + "type": "string" + }, + "CookiesConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.CookiesConfig", + "markdownDescription": "The cookies from viewer requests to include in origin requests.", + "title": "CookiesConfig" + }, + "HeadersConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.HeadersConfig", + "markdownDescription": "The HTTP headers to include in origin requests. 
These can include headers from viewer requests and additional headers added by CloudFront.", + "title": "HeadersConfig" + }, + "Name": { + "markdownDescription": "A unique name to identify the origin request policy.", + "title": "Name", + "type": "string" + }, + "QueryStringsConfig": { + "$ref": "#/definitions/AWS::CloudFront::OriginRequestPolicy.QueryStringsConfig", + "markdownDescription": "The URL query strings from viewer requests to include in origin requests.", + "title": "QueryStringsConfig" + } + }, + "required": [ + "CookiesConfig", + "HeadersConfig", + "Name", + "QueryStringsConfig" + ], + "type": "object" + }, + "AWS::CloudFront::OriginRequestPolicy.QueryStringsConfig": { + "additionalProperties": false, + "properties": { + "QueryStringBehavior": { + "markdownDescription": "Determines whether any URL query strings in viewer requests are included in requests that CloudFront sends to the origin. Valid values are:\n\n- `none` \u2013 No query strings in viewer requests are included in requests that CloudFront sends to the origin. 
Even when this field is set to `none` , any query strings that are listed in a `CachePolicy` *are* included in origin requests.\n- `whitelist` \u2013 Only the query strings in viewer requests that are listed in the `QueryStringNames` type are included in requests that CloudFront sends to the origin.\n- `all` \u2013 All query strings in viewer requests are included in requests that CloudFront sends to the origin.\n- `allExcept` \u2013 All query strings in viewer requests are included in requests that CloudFront sends to the origin, **except** for those listed in the `QueryStringNames` type, which are not included.", + "title": "QueryStringBehavior", + "type": "string" + }, + "QueryStrings": { + "items": { + "type": "string" + }, + "markdownDescription": "Contains a list of query string names.", + "title": "QueryStrings", + "type": "array" + } + }, + "required": [ + "QueryStringBehavior" + ], + "type": "object" + }, + "AWS::CloudFront::PublicKey": { "additionalProperties": false, "properties": { "Condition": { @@ -34627,7 +35726,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of destination for events arriving from a channel. For channels used for a CloudTrail Lake integration, the value is `EventDataStore` . For service-linked channels, the value is `AWS_SERVICE` .", + "markdownDescription": "The type of destination for events arriving from a channel. For channels used for a CloudTrail Lake integration, the value is `EVENT_DATA_STORE` . For service-linked channels, the value is `AWS_SERVICE` .", "title": "Type", "type": "string" } 
@@ -34681,11 +35780,39 @@ "title": "AdvancedEventSelectors", "type": "array" }, + "BillingMode": { + "markdownDescription": "The billing mode for the event data store determines the cost for ingesting events and the default and maximum retention period for the event data store.\n\nThe following are the possible values:\n\n- `EXTENDABLE_RETENTION_PRICING` - This billing mode is generally recommended if you want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days.\n- `FIXED_RETENTION_PRICING` - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). The default retention period for this billing mode is 2557 days.\n\nThe default value is `EXTENDABLE_RETENTION_PRICING` .\n\nFor more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://docs.aws.amazon.com/cloudtrail/pricing/) and [Managing CloudTrail Lake costs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html) .", + "title": "BillingMode", + "type": "string" + }, + "FederationEnabled": { + "markdownDescription": "Indicates if [Lake query federation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html) is enabled. By default, Lake query federation is disabled. 
You cannot delete an event data store if Lake query federation is enabled.", + "title": "FederationEnabled", + "type": "boolean" + }, + "FederationRoleArn": { + "markdownDescription": "If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store.\n\nThe federation role must exist in your account and provide the [required minimum permissions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html#query-federation-permissions-role) .", + "title": "FederationRoleArn", + "type": "string" + }, "IngestionEnabled": { "markdownDescription": "Specifies whether the event data store should start ingesting live events. The default is true.", "title": "IngestionEnabled", "type": "boolean" }, + "InsightSelectors": { + "items": { + "$ref": "#/definitions/AWS::CloudTrail::EventDataStore.InsightSelector" + }, + "markdownDescription": "A JSON string that contains the Insights types you want to log on an event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", + "title": "InsightSelectors", + "type": "array" + }, + "InsightsDestination": { + "markdownDescription": "The ARN (or ID suffix of the ARN) of the destination event data store that logs Insights events. For more information, see [Create an event data store for CloudTrail Insights events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-insights.html) .", + "title": "InsightsDestination", + "type": "string" + }, "KmsKeyId": { "markdownDescription": "Specifies the AWS KMS key ID to use to encrypt the events delivered by CloudTrail. 
The value can be an alias name prefixed by `alias/` , a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\n> Disabling or deleting the KMS key, or removing CloudTrail permissions on the key, prevents CloudTrail from logging events to the event data store, and prevents users from querying the data in the event data store that was encrypted with the key. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. Before you disable or delete a KMS key that you are using with an event data store, delete or back up your event data store. \n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- `alias/MyAliasName`\n- `arn:aws:kms:us-east-2:123456789012:alias/MyAliasName`\n- `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`\n- `12345678-1234-1234-1234-123456789012`", "title": "KmsKeyId", 
@@ -34707,7 +35834,7 @@ "type": "boolean" }, "RetentionPeriod": { - "markdownDescription": "The retention period of the event data store, in days. You can set a retention period of up to 2557 days, the equivalent of seven years.", + "markdownDescription": "The retention period of the event data store, in days. If `BillingMode` is set to `EXTENDABLE_RETENTION_PRICING` , you can set a retention period of up to 3653 days, the equivalent of 10 years. If `BillingMode` is set to `FIXED_RETENTION_PRICING` , you can set a retention period of up to 2557 days, the equivalent of seven years.\n\nCloudTrail Lake determines whether to retain an event by checking if the `eventTime` of the event is within the specified retention period. For example, if you set a retention period of 90 days, CloudTrail will remove events when the `eventTime` is older than 90 days.\n\n> If you plan to copy trail events to this event data store, we recommend that you consider both the age of the events that you want to copy as well as how long you want to keep the copied events in your event data store. For example, if you copy trail events that are 5 years old and specify a retention period of 7 years, the event data store will retain those events for two years.", "title": "RetentionPeriod", "type": "number" }, 
@@ -34789,7 +35916,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. 
Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- 
`arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `readOnly` , `eventCategory` , and `eventSource` .\n\nFor CloudTrail data events, supported fields include `readOnly` , `eventCategory` , `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. 
A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::B2BI::Transformer`\n- `AWS::Bedrock::AgentAlias`\n- `AWS::Bedrock::KnowledgeBase`\n- `AWS::CloudFront:KeyValueStore`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::NeptuneGraph::Graph`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::QBusiness::Application`\n- `AWS::QBusiness::DataSource`\n- `AWS::QBusiness::Index`\n- `AWS::QBusiness::WebExperience`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::ServiceDiscovery::Namespace`\n- `AWS::ServiceDiscovery::Service`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::SQS::Queue`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::ThinClient::Device`\n- `AWS::ThinClient::Environment`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. 
For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::B2BI::Transformer` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::b2bi:::transformer/`\n\nWhen resources.type equals `AWS::Bedrock::AgentAlias` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::agent-alias//`\n\nWhen resources.type equals `AWS::Bedrock::KnowledgeBase` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::knowledge-base/`\n\nWhen resources.type equals `AWS::CloudFront:KeyValueStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudfront:::key-value-store/`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals 
`AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , 
the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::NeptuneGraph::Graph` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::neptune-graph:::graph/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::QBusiness::Application` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application/`\n\nWhen `resources.type` equals `AWS::QBusiness::DataSource` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index//data-source/`\n\nWhen `resources.type` equals `AWS::QBusiness::Index` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index/`\n\nWhen `resources.type` equals `AWS::QBusiness::WebExperience` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//web-experience/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or 
`NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Namespace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::namespace/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Service` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::service/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::SQS::Queue` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sqs:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::ThinClient::Device` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::device/`\n\nWhen `resources.type` equals `AWS::ThinClient::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::environment/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "title": "Field", "type": "string" }, 
@@ -34831,6 +35958,17 @@ ], "type": "object" }, + "AWS::CloudTrail::EventDataStore.InsightSelector": { + "additionalProperties": false, + "properties": { + "InsightType": { + "markdownDescription": "The type of Insights events to log on an event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", + "title": "InsightType", + "type": "string" + } + }, + "type": "object" + }, "AWS::CloudTrail::ResourcePolicy": { "additionalProperties": false, "properties": { 
@@ -34966,7 +36104,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.EventSelector" }, - "markdownDescription": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nFor more information about how to configure event selectors, see [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#aws-resource-cloudtrail-trail--examples) and [Configuring event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-additional-cli-commands.html#configuring-event-selector-examples) in the *AWS CloudTrail User Guide* .", + "markdownDescription": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nYou cannot apply both event selectors and advanced event selectors to a trail.", "title": "EventSelectors", "type": "array" }, 
@@ -34979,7 +36117,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.InsightSelector" }, - "markdownDescription": "A JSON string that contains the insight types you want to log on a trail. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", + "markdownDescription": "A JSON string that contains the Insights types you want to log on a trail. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", "title": "InsightSelectors", "type": "array" }, 
@@ -34994,7 +36132,7 @@ "type": "boolean" }, "IsOrganizationTrail": { - "markdownDescription": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account or delegated administrator account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.", + "markdownDescription": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.\n\n> Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.", "title": "IsOrganizationTrail", "type": "boolean" }, 
@@ -35101,7 +36239,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. 
Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- 
`arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `readOnly` , `eventCategory` , and `eventSource` .\n\nFor CloudTrail data events, supported fields include `readOnly` , `eventCategory` , `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. 
A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::B2BI::Transformer`\n- `AWS::Bedrock::AgentAlias`\n- `AWS::Bedrock::KnowledgeBase`\n- `AWS::CloudFront:KeyValueStore`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::NeptuneGraph::Graph`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::QBusiness::Application`\n- `AWS::QBusiness::DataSource`\n- `AWS::QBusiness::Index`\n- `AWS::QBusiness::WebExperience`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::ServiceDiscovery::Namespace`\n- `AWS::ServiceDiscovery::Service`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::SQS::Queue`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::ThinClient::Device`\n- `AWS::ThinClient::Environment`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. 
For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::B2BI::Transformer` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::b2bi:::transformer/`\n\nWhen resources.type equals `AWS::Bedrock::AgentAlias` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::agent-alias//`\n\nWhen resources.type equals `AWS::Bedrock::KnowledgeBase` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::bedrock:::knowledge-base/`\n\nWhen resources.type equals `AWS::CloudFront:KeyValueStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudfront:::key-value-store/`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals 
`AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , 
the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::NeptuneGraph::Graph` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::neptune-graph:::graph/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::QBusiness::Application` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application/`\n\nWhen `resources.type` equals `AWS::QBusiness::DataSource` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index//data-source/`\n\nWhen `resources.type` equals `AWS::QBusiness::Index` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//index/`\n\nWhen `resources.type` equals `AWS::QBusiness::WebExperience` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::qbusiness:::application//web-experience/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or 
`NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Namespace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::namespace/`\n\nWhen `resources.type` equals `AWS::ServiceDiscovery::Service` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::servicediscovery:::service/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::SQS::Queue` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sqs:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. 
To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::ThinClient::Device` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::device/`\n\nWhen `resources.type` equals `AWS::ThinClient::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::thinclient:::environment/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "title": "Field", "type": "string" }, 
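Review bot: The added `resources.type` list and its ARN paragraph in the new `Field` description spell one value as `AWS::CloudFront:KeyValueStore`, with a single colon before `KeyValueStore`, while every other entry uses the `AWS::Service::Resource` form. The same spelling recurs in the `Type` description added by the next hunk (`@@ -35147,7 +36285,7 @@`). Someone copying it into an advanced event selector would likely get a rejected template or a selector that never matches, leaving those data events out of the trail. The intended entry is presumably `AWS::CloudFront::KeyValueStore`. This file looks generated from the upstream CloudFormation documentation, so the correction probably belongs in the source spec rather than in this diff.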
@@ -35147,7 +36285,7 @@ "additionalProperties": false, "properties": { "Type": { - "markdownDescription": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::S3::Object`\n- `AWS::Lambda::Function`\n- `AWS::DynamoDB::Table`", + "markdownDescription": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n\nThe following resource types are only available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) .\n\n- `AWS::B2BI::Transformer`\n- `AWS::Bedrock::AgentAlias`\n- `AWS::Bedrock::KnowledgeBase`\n- `AWS::CloudFront:KeyValueStore`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::NeptuneGraph::Graph`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::QBusiness::Application`\n- `AWS::QBusiness::DataSource`\n- `AWS::QBusiness::Index`\n- `AWS::QBusiness::WebExperience`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::ServiceDiscovery::Namespace`\n- `AWS::ServiceDiscovery::Service`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::SQS::Queue`\n- 
`AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::ThinClient::Device`\n- `AWS::ThinClient::Environment`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`", "title": "Type", "type": "string" }, 
@@ -35172,7 +36310,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.DataResource" }, - "markdownDescription": "In AWS CloudFormation , CloudTrail supports data event logging for Amazon S3 objects, Amazon DynamoDB tables, and AWS Lambda functions. Currently, advanced event selectors for data events are not supported in AWS CloudFormation templates. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", + "markdownDescription": "CloudTrail supports data event logging for Amazon S3 objects, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Data Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", "title": "DataResources", "type": "array" }, 
@@ -36165,7 +37303,7 @@ "type": "string" }, "OutputFormat": { - "markdownDescription": "The output format for the stream. Valid values are `json` and `opentelemetry0.7` For more information about metric stream output formats, see [Metric streams output formats](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html) .\n\nThis parameter is required.", + "markdownDescription": "The output format for the stream. Valid values are `json` , `opentelemetry1.0` and `opentelemetry0.7` For more information about metric stream output formats, see [Metric streams output formats](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html) .\n\nThis parameter is required.", "title": "OutputFormat", "type": "string" }, 
@@ -36178,7 +37316,7 @@ "items": { "$ref": "#/definitions/AWS::CloudWatch::MetricStream.MetricStreamStatisticsConfiguration" }, - "markdownDescription": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html.html) . If the `OutputFormat` is `opentelemetry0` .7, you can stream percentile statistics *(p??)* .", + "markdownDescription": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html) . If the `OutputFormat` is OpenTelemetry, you can stream percentile statistics.", "title": "StatisticsConfigurations", "type": "array" }, 
@@ -36328,8 +37466,6 @@ "type": "string" }, "EncryptionKey": { - "markdownDescription": "The key used to encrypt the domain.", - "title": "EncryptionKey", "type": "string" }, "PermissionsPolicyDocument": { @@ -36418,8 +37554,6 @@ "type": "string" }, "DomainOwner": { - "markdownDescription": "The 12-digit account number of the AWS account that owns the domain that contains the repository. It does not include dashes or spaces.", - "title": "DomainOwner", "type": "string" }, "ExternalConnections": { 
@@ -36839,15 +37973,13 @@ "title": "RegistryCredential" }, "Type": { - "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", + "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. 
California), US West (Oregon), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Hyderabad), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), and Europe (London).\n\n- The environment types `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. 
Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", "title": "Type", "type": "string" } }, "required": [ - "ComputeType", - "Image", - "Type" + "Image" ], "type": "object" }, @@ -36865,7 +37997,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs and secret access keys. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` .", + "markdownDescription": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` .", "title": "Value", "type": "string" } @@ -37006,6 +38138,15 @@ ], "type": "object" }, + "AWS::CodeBuild::Project.ProjectFleet": { + "additionalProperties": false, + "properties": { + "FleetArn": { + "type": "string" + } + }, + "type": "object" + }, "AWS::CodeBuild::Project.ProjectSourceVersion": { "additionalProperties": false, "properties": { 
@@ -37765,6 +38906,11 @@ "$ref": "#/definitions/AWS::CodeDeploy::DeploymentConfig.TrafficRoutingConfig", "markdownDescription": "The configuration that specifies how the deployment traffic is routed.", "title": "TrafficRoutingConfig" + }, + "ZonalConfig": { + "$ref": "#/definitions/AWS::CodeDeploy::DeploymentConfig.ZonalConfig", + "markdownDescription": "Configure the `ZonalConfig` object if you want AWS CodeDeploy to deploy your application to one [Availability Zone](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones) at a time, within an AWS Region.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "title": "ZonalConfig" } }, "type": "object" @@ -37809,6 +38955,26 @@ ], "type": "object" }, + "AWS::CodeDeploy::DeploymentConfig.MinimumHealthyHostsPerZone": { + "additionalProperties": false, + "properties": { + "Type": { + "markdownDescription": "The `type` associated with the `MinimumHealthyHostsPerZone` option.", + "title": "Type", + "type": "string" + }, + "Value": { + "markdownDescription": "The `value` associated with the `MinimumHealthyHostsPerZone` option.", + "title": "Value", + "type": "number" + } + }, + "required": [ + "Type", + "Value" + ], + "type": "object" + }, "AWS::CodeDeploy::DeploymentConfig.TimeBasedCanary": { "additionalProperties": false, "properties": { 
@@ -37873,6 +39039,27 @@ ], "type": "object" }, + "AWS::CodeDeploy::DeploymentConfig.ZonalConfig": { + "additionalProperties": false, + "properties": { + "FirstZoneMonitorDurationInSeconds": { + "markdownDescription": "The period of time, in seconds, that CodeDeploy must wait after completing a deployment to the *first* Availability Zone. CodeDeploy will wait this amount of time before starting a deployment to the second Availability Zone. You might set this option if you want to allow extra bake time for the first Availability Zone. If you don't specify a value for `firstZoneMonitorDurationInSeconds` , then CodeDeploy uses the `monitorDurationInSeconds` value for the first Availability Zone.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "title": "FirstZoneMonitorDurationInSeconds", + "type": "number" + }, + "MinimumHealthyHostsPerZone": { + "$ref": "#/definitions/AWS::CodeDeploy::DeploymentConfig.MinimumHealthyHostsPerZone", + "markdownDescription": "The number or percentage of instances that must remain available per Availability Zone during a deployment. This option works in conjunction with the `MinimumHealthyHosts` option. 
For more information, see [About the minimum number of healthy hosts per Availability Zone](https://docs.aws.amazon.com//codedeploy/latest/userguide/instances-health.html#minimum-healthy-hosts-az) in the *CodeDeploy User Guide* .\n\nIf you don't specify the `minimumHealthyHostsPerZone` option, then CodeDeploy uses a default value of `0` percent.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "title": "MinimumHealthyHostsPerZone" + }, + "MonitorDurationInSeconds": { + "markdownDescription": "The period of time, in seconds, that CodeDeploy must wait after completing a deployment to an Availability Zone. CodeDeploy will wait this amount of time before starting a deployment to the next Availability Zone. Consider adding a monitor duration to give the deployment some time to prove itself (or 'bake') in one Availability Zone before it is released in the next zone. If you don't specify a `monitorDurationInSeconds` , CodeDeploy starts deploying to the next Availability Zone immediately.\n\nFor more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* .", + "title": "MonitorDurationInSeconds", + "type": "number" + } + }, + "type": "object" + }, "AWS::CodeDeploy::DeploymentGroup": { "additionalProperties": false, "properties": { 
@@ -37996,7 +39183,7 @@ "title": "OnPremisesTagSet" }, "OutdatedInstancesStrategy": { - "markdownDescription": "", + "markdownDescription": "Indicates what happens when new Amazon EC2 instances are launched mid-deployment and do not receive the deployed application revision.\n\nIf this option is set to `UPDATE` or is unspecified, CodeDeploy initiates one or more 'auto-update outdated instances' deployments to apply the deployed application revision to the new Amazon EC2 instances.\n\nIf this option is set to `IGNORE` , CodeDeploy does not initiate a deployment to update the new Amazon EC2 instances. This may result in instances having different revisions.", "title": "OutdatedInstancesStrategy", "type": "string" }, @@ -38009,10 +39196,13 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The metadata that you apply to CodeDeploy deployment groups to help you organize and categorize them. Each tag consists of a key and an optional value, both of which you define.", "title": "Tags", "type": "array" }, + "TerminationHookEnabled": { + "type": "boolean" + }, "TriggerConfigurations": { "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TriggerConfig" 
@@ -38314,7 +39504,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.ELBInfo" }, - "markdownDescription": "An array that contains information about the load balancer to use for load balancing in a deployment. In Elastic Load Balancing, load balancers are used with Classic Load Balancers.\n\n> Adding more than one load balancer to the array is not supported.", + "markdownDescription": "An array that contains information about the load balancers to use for load balancing in a deployment. If you're using Classic Load Balancers, specify those load balancers in this array.\n\n> You can add up to 10 load balancers to the array. > If you're using Application Load Balancers or Network Load Balancers, use the `targetGroupInfoList` array instead of this one.", "title": "ElbInfoList", "type": "array" }, @@ -38322,7 +39512,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupInfo" }, - "markdownDescription": "An array that contains information about the target group to use for load balancing in a deployment. In Elastic Load Balancing , target groups are used with Application Load Balancers .\n\n> Adding more than one target group to the array is not supported.", + "markdownDescription": "An array that contains information about the target groups to use for load balancing in a deployment. If you're using Application Load Balancers and Network Load Balancers, specify their associated target groups in this array.\n\n> You can add up to 10 target groups to the array. > If you're using Classic Load Balancers, use the `elbInfoList` array instead of this one.", "title": "TargetGroupInfoList", "type": "array" }, 
@@ -38330,7 +39520,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupPairInfo" }, - "markdownDescription": "", + "markdownDescription": "The target group pair information. This is an array of `TargeGroupPairInfo` objects with a maximum size of one.", "title": "TargetGroupPairInfoList", "type": "array" } @@ -38458,20 +39648,20 @@ "properties": { "ProdTrafficRoute": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TrafficRoute", - "markdownDescription": "", + "markdownDescription": "The path used by a load balancer to route production traffic when an Amazon ECS deployment is complete.", "title": "ProdTrafficRoute" }, "TargetGroups": { "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupInfo" }, - "markdownDescription": "", + "markdownDescription": "One pair of target groups. One is associated with the original task set. The second is associated with the task set that serves traffic after the deployment is complete.", "title": "TargetGroups", "type": "array" }, "TestTrafficRoute": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TrafficRoute", - "markdownDescription": "", + "markdownDescription": "An optional path used by a load balancer to route test traffic after an Amazon ECS deployment. Validation can occur while test traffic is served during a deployment.", "title": "TestTrafficRoute" } }, @@ -38484,7 +39674,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of one listener. The listener identifies the route between a target group and a load balancer. This is an array of strings with a maximum size of one.", "title": "ListenerArns", "type": "array" } 
@@ -39006,6 +40196,11 @@ "title": "Name", "type": "string" }, + "PipelineType": { + "markdownDescription": "CodePipeline provides the following pipeline types, which differ in characteristics and price, so that you can tailor your pipeline features and cost to the needs of your applications.\n\n- V1 type pipelines have a JSON structure that contains standard pipeline, stage, and action-level parameters.\n- V2 type pipelines have the same structure as a V1 type, along with additional parameters for release safety and trigger configuration.\n\n> Including V2 parameters, such as triggers on Git tags, in the pipeline JSON when creating or updating a pipeline will result in the pipeline having the V2 type of pipeline and the associated costs. \n\nFor information about pricing for CodePipeline, see [Pricing](https://docs.aws.amazon.com/https://aws.amazon.com/codepipeline/pricing/) .\n\nFor information about which type of pipeline to choose, see [What type of pipeline is right for me?](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipeline-types-planning.html) .", + "title": "PipelineType", + "type": "string" + }, "RestartExecutionOnUpdate": { "markdownDescription": "Indicates whether to rerun the CodePipeline pipeline after you update it.", "title": "RestartExecutionOnUpdate", 
@@ -39031,6 +40226,22 @@ "markdownDescription": "Specifies the tags applied to the pipeline.", "title": "Tags", "type": "array" + }, + "Triggers": { + "items": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.PipelineTriggerDeclaration" + }, + "markdownDescription": "The trigger configuration specifying a type of event, such as Git tags, that starts the pipeline.\n\n> When a trigger configuration is specified, default change detection for repository and branch commits is disabled.", + "title": "Triggers", + "type": "array" + }, + "Variables": { + "items": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.VariableDeclaration" + }, + "markdownDescription": "A list that defines the pipeline variables for a pipeline resource. Variable names can have alphanumeric and underscore characters, and the values must match `[A-Za-z0-9@\\-_]+` .", + "title": "Variables", + "type": "array" } }, "required": [ 
@@ -39238,6 +40449,61 @@ ], "type": "object" }, + "AWS::CodePipeline::Pipeline.GitConfiguration": { + "additionalProperties": false, + "properties": { + "Push": { + "items": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.GitPushFilter" + }, + "markdownDescription": "The field where the repository event that will start the pipeline, such as pushing Git tags, is specified with details.\n\n> Git tags is the only supported event type.", + "title": "Push", + "type": "array" + }, + "SourceActionName": { + "markdownDescription": "The name of the pipeline source action where the trigger configuration, such as Git tags, is specified. The trigger configuration will start the pipeline upon the specified change only.\n\n> You can only specify one trigger configuration per source action.", + "title": "SourceActionName", + "type": "string" + } + }, + "required": [ + "SourceActionName" + ], + "type": "object" + }, + "AWS::CodePipeline::Pipeline.GitPushFilter": { + "additionalProperties": false, + "properties": { + "Tags": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.GitTagFilterCriteria", + "markdownDescription": "The field that contains the details for the Git tags trigger configuration.", + "title": "Tags" + } + }, + "type": "object" + }, + "AWS::CodePipeline::Pipeline.GitTagFilterCriteria": { + "additionalProperties": false, + "properties": { + "Excludes": { + "items": { + "type": "string" + }, + "markdownDescription": "The list of patterns of Git tags that, when pushed, are to be excluded from starting the pipeline.", + "title": "Excludes", + "type": "array" + }, + "Includes": { + "items": { + "type": "string" + }, + "markdownDescription": "The list of patterns of Git tags that, when pushed, are to be included as criteria that starts the pipeline.", + "title": "Includes", + "type": "array" + } + }, + "type": "object" + }, "AWS::CodePipeline::Pipeline.InputArtifact": { "additionalProperties": false, "properties": { 
@@ -39266,6 +40532,25 @@ ], "type": "object" }, + "AWS::CodePipeline::Pipeline.PipelineTriggerDeclaration": { + "additionalProperties": false, + "properties": { + "GitConfiguration": { + "$ref": "#/definitions/AWS::CodePipeline::Pipeline.GitConfiguration", + "markdownDescription": "Provides the filter criteria and the source stage for the repository event that starts the pipeline, such as Git tags.", + "title": "GitConfiguration" + }, + "ProviderType": { + "markdownDescription": "The source provider for the event, such as connections configured for a repository with Git tags, for the specified trigger configuration.", + "title": "ProviderType", + "type": "string" + } + }, + "required": [ + "ProviderType" + ], + "type": "object" + }, "AWS::CodePipeline::Pipeline.StageDeclaration": { "additionalProperties": false, "properties": { @@ -39317,6 +40602,30 @@ ], "type": "object" }, + "AWS::CodePipeline::Pipeline.VariableDeclaration": { + "additionalProperties": false, + "properties": { + "DefaultValue": { + "markdownDescription": "The value of a pipeline-level variable.", + "title": "DefaultValue", + "type": "string" + }, + "Description": { + "markdownDescription": "The description of a pipeline-level variable. It's used to add additional context about the variable, and not being used at time when pipeline executes.", + "title": "Description", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of a pipeline-level variable.", + "title": "Name", + "type": "string" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, "AWS::CodePipeline::Webhook": { "additionalProperties": false, "properties": { @@ -39640,7 +40949,7 @@ "additionalProperties": false, "properties": { "ConnectionName": { - "markdownDescription": "The name of the connection. Connection names must be unique in an AWS user account.", + "markdownDescription": "The name of the connection. Connection names must be unique in an AWS account .", "title": "ConnectionName", "type": "string" }, 
@@ -39689,6 +40998,195 @@ ], "type": "object" }, + "AWS::CodeStarConnections::RepositoryLink": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ConnectionArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the connection associated with the repository link.", + "title": "ConnectionArn", + "type": "string" + }, + "EncryptionKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the encryption key for the repository associated with the repository link.", + "title": "EncryptionKeyArn", + "type": "string" + }, + "OwnerId": { + "markdownDescription": "The owner ID for the repository associated with the repository link, such as the owner ID in GitHub.", + "title": "OwnerId", + "type": "string" + }, + "RepositoryName": { + "markdownDescription": "The name of the repository associated with the repository link.", + "title": "RepositoryName", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags for the repository to be associated with the repository link.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "ConnectionArn", + "OwnerId", + "RepositoryName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::CodeStarConnections::RepositoryLink" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::CodeStarConnections::SyncConfiguration": { + 
"additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Branch": { + "markdownDescription": "The branch associated with a specific sync configuration.", + "title": "Branch", + "type": "string" + }, + "ConfigFile": { + "markdownDescription": "The file path to the configuration file associated with a specific sync configuration. The path should point to an actual file in the sync configurations linked repository.", + "title": "ConfigFile", + "type": "string" + }, + "RepositoryLinkId": { + "markdownDescription": "The ID of the repository link associated with a specific sync configuration.", + "title": "RepositoryLinkId", + "type": "string" + }, + "ResourceName": { + "markdownDescription": "The name of the connection resource associated with a specific sync configuration.", + "title": "ResourceName", + "type": "string" + }, + "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role associated with a specific sync configuration.", + "title": "RoleArn", + "type": "string" + }, + "SyncType": { + "markdownDescription": "The type of sync for a specific sync configuration.", + "title": "SyncType", + "type": "string" + } + }, + "required": [ + "Branch", + "ConfigFile", + "RepositoryLinkId", + "ResourceName", + "RoleArn", + "SyncType" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::CodeStarConnections::SyncConfiguration" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + 
"type": "object" + }, "AWS::CodeStarNotifications::NotificationRule": { "additionalProperties": false, "properties": { @@ -40301,9 +41799,13 @@ "items": { "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.LogConfiguration" }, + "markdownDescription": "The detailed activity logging destination of a user pool.", + "title": "LogConfigurations", "type": "array" }, "UserPoolId": { + "markdownDescription": "The ID of the user pool where you configured detailed activity logging.", + "title": "UserPoolId", "type": "string" } }, @@ -40337,6 +41839,8 @@ "additionalProperties": false, "properties": { "LogGroupArn": { + "markdownDescription": "The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs. The log group must not be encrypted with AWS Key Management Service and must be in the same AWS account as your user pool.\n\nTo send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with `/aws/vendedlogs` . For more information, see [Enabling logging from certain AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) .", + "title": "LogGroupArn", "type": "string" } }, 
@@ -40346,12 +41850,18 @@ "additionalProperties": false, "properties": { "CloudWatchLogsConfiguration": { - "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.CloudWatchLogsConfiguration" + "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.CloudWatchLogsConfiguration", + "markdownDescription": "The CloudWatch logging destination of a user pool detailed activity logging configuration.", + "title": "CloudWatchLogsConfiguration" }, "EventSource": { + "markdownDescription": "The source of events that your user pool sends for detailed activity logging.", + "title": "EventSource", "type": "string" }, "LogLevel": { + "markdownDescription": "The `errorlevel` selection of logs that a user pool sends for detailed activity logging.", + "title": "LogLevel", "type": "string" } }, @@ -40496,7 +42006,7 @@ }, "UserPoolAddOns": { "$ref": "#/definitions/AWS::Cognito::UserPool.UserPoolAddOns", - "markdownDescription": "Enables advanced security risk detection. Set the key `AdvancedSecurityMode` to the value \"AUDIT\".", + "markdownDescription": "User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` .\n\nFor more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) .", "title": "UserPoolAddOns" }, "UserPoolName": { 
@@ -40663,7 +42173,7 @@ "type": "string" }, "SourceArn": { - "markdownDescription": "The ARN of a verified email address in Amazon SES. Amazon Cognito uses this email address in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) .", + "markdownDescription": "The ARN of a verified email address or an address from a verified domain in Amazon SES. You can set a `SourceArn` email from a verified domain only with an API request. You can set a verified email address, but not an address in a verified domain, in the Amazon Cognito console. Amazon Cognito uses the email address that you provide in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. 
Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) .", "title": "SourceArn", "type": "string" } @@ -40807,7 +42317,7 @@ "type": "boolean" }, "TemporaryPasswordValidityDays": { - "markdownDescription": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.", + "markdownDescription": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. Defaults to `7` . If you submit a value of `0` , Amazon Cognito treats it as a null value and sets `TemporaryPasswordValidityDays` to its default value.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.", "title": "TemporaryPasswordValidityDays", "type": "number" } @@ -40845,7 +42355,7 @@ "additionalProperties": false, "properties": { "AttributeDataType": { - "markdownDescription": "The attribute data type.", + "markdownDescription": "The data format of the values for your attribute. When you choose an `AttributeDataType` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example `\"custom:isMember\" : \"true\"` or `\"custom:YearsAsMember\" : \"12\"` .", "title": "AttributeDataType", "type": "string" }, 
@@ -40855,12 +42365,12 @@ "type": "boolean" }, "Mutable": { - "markdownDescription": "Specifies whether the value of the attribute can be changed.\n\nFor any user pool attribute that is mapped to an IdP attribute, you must set this parameter to `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "markdownDescription": "Specifies whether the value of the attribute can be changed.\n\nAny user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", "title": "Mutable", "type": "boolean" }, "Name": { - "markdownDescription": "A schema attribute of the name type.", + "markdownDescription": "The name of your user pool attribute. When you create or update a user pool, adding a schema attribute creates a custom or developer-only attribute. When you add an attribute with a `Name` value of `MyAttribute` , Amazon Cognito creates the custom attribute `custom:MyAttribute` . When `DeveloperOnlyAttribute` is `true` , Amazon Cognito creates your attribute as `dev:MyAttribute` . 
In an operation that describes a user pool, Amazon Cognito returns this value as `value` for standard attributes, `custom:value` for custom attributes, and `dev:value` for developer-only attributes..", "title": "Name", "type": "string" }, @@ -40940,7 +42450,7 @@ "additionalProperties": false, "properties": { "AdvancedSecurityMode": { - "markdownDescription": "The advanced security mode.", + "markdownDescription": "The operating mode of advanced security features in your user pool.", "title": "AdvancedSecurityMode", "type": "string" } 
@@ -41038,12 +42548,12 @@ "items": { "type": "string" }, - "markdownDescription": "The allowed OAuth flows.\n\n- **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.\n- **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.\n- **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.", + "markdownDescription": "The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add `client_credentials` as the only allowed OAuth flow.\n\n- **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.\n- **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.\n- **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.", "title": "AllowedOAuthFlows", "type": "array" }, "AllowedOAuthFlowsUserPoolClient": { - "markdownDescription": "Set to true if the client is allowed to follow the OAuth protocol when interacting with Amazon Cognito user pools.", + "markdownDescription": "Set to `true` to use OAuth 2.0 features in your user pool app client.\n\n`AllowedOAuthFlowsUserPoolClient` must be `true` before you can configure the following features in your app client.\n\n- `CallBackURLs` : Callback URLs.\n- `LogoutURLs` : Sign-out redirect URLs.\n- `AllowedOAuthScopes` : OAuth 2.0 scopes.\n- `AllowedOAuthFlows` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants.\n\nTo use OAuth 2.0 features, configure one of these features in the Amazon 
Cognito console or set `AllowedOAuthFlowsUserPoolClient` to `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API request. If you don't set a value for `AllowedOAuthFlowsUserPoolClient` in a request with the AWS CLI or SDKs, it defaults to `false` .", "title": "AllowedOAuthFlowsUserPoolClient", "type": "boolean" }, @@ -41128,7 +42638,7 @@ "items": { "type": "string" }, - "markdownDescription": "The read attributes.", + "markdownDescription": "The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a [GetUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html) API request to retrieve and display your user's profile data.\n\nWhen you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified` , `phone_number_verified` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.", "title": "ReadAttributes", "type": "array" }, 
@@ -41159,7 +42669,7 @@ "items": { "type": "string" }, - "markdownDescription": "The user pool attributes that the app client can write to.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "markdownDescription": "The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) API request and sets `family_name` to the new value.\n\nWhen you don't specify the `WriteAttributes` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, `WriteAttributes` doesn't return any information. Amazon Cognito only populates `WriteAttributes` in the API response if you have specified your own custom set of write attributes.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. 
If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", "title": "WriteAttributes", "type": "array" } 
@@ -42037,7 +43547,7 @@ "items": { "$ref": "#/definitions/AWS::Cognito::UserPoolUser.AttributeType" }, - "markdownDescription": "The user attributes and attribute values to be set for the user to be created. These are name-value pairs You can create a user without specifying any attributes other than `Username` . However, any attributes that you specify as required (in [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) or in the *Attributes* tab of the console) must be supplied either by you (in your call to `AdminCreateUser` ) or by the user (when they sign up in response to your welcome message).\n\nFor custom attributes, you must prepend the `custom:` prefix to the attribute name.\n\nTo send a message inviting the user to sign up, you must specify the user's email address or phone number. This can be done in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.\n\nIn your call to `AdminCreateUser` , you can set the `email_verified` attribute to `True` , and you can set the `phone_number_verified` attribute to `True` . (You can also do this by calling [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) .)\n\n- *email* : The email address of the user to whom the message that contains the code and user name will be sent. Required if the `email_verified` attribute is set to `True` , or if `\"EMAIL\"` is specified in the `DesiredDeliveryMediums` parameter.\n- *phone_number* : The phone number of the user to whom the message that contains the code and user name will be sent. Required if the `phone_number_verified` attribute is set to `True` , or if `\"SMS\"` is specified in the `DesiredDeliveryMediums` parameter.", + "markdownDescription": "An array of name-value pairs that contain user attributes and attribute values.", "title": "UserAttributes", "type": "array" }, 
@@ -42047,7 +43557,7 @@ "type": "string" }, "Username": { - "markdownDescription": "The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username can't be changed.", + "markdownDescription": "The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter.\n\n- The username can't be a duplicate of another username in the same user pool.\n- You can't change the value of a username after you create it.\n- You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases) .", "title": "Username", "type": "string" }, 
@@ -42055,7 +43565,7 @@ "items": { "$ref": "#/definitions/AWS::Cognito::UserPoolUser.AttributeType" }, - "markdownDescription": "The user's validation data. This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.\n\nTo configure custom validation, you must create a Pre Sign-up AWS Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.\n\nThe user's validation data isn't persisted.", + "markdownDescription": "Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.\n\nYour Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.\n\nFor more information about the pre sign-up Lambda trigger, see [Pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html) .", "title": "ValidationData", "type": "array" } @@ -42138,7 +43648,7 @@ "additionalProperties": false, "properties": { "GroupName": { - "markdownDescription": "The group name.", + "markdownDescription": "The name of the group that you want to add your user to.", "title": "GroupName", "type": "string" }, 
@@ -42148,7 +43658,7 @@ "type": "string" }, "Username": { - "markdownDescription": "The username for the user.", + "markdownDescription": "", "title": "Username", "type": "string" } @@ -42237,7 +43747,7 @@ "type": "string" }, "Mode": { - "markdownDescription": "Indicates the mode in which the classifier will be trained. The classifier can be trained in multi-class mode, which identifies one and only one class for each document, or multi-label mode, which identifies one or more labels for each document. In multi-label mode, multiple labels for an individual document are separated by a delimiter. The default delimiter between labels is a pipe (|).", + "markdownDescription": "Indicates the mode in which the classifier will be trained. The classifier can be trained in multi-class (single-label) mode or multi-label mode. Multi-class mode identifies a single class label for each document and multi-label mode identifies one or more class labels for each document. Multiple labels for an individual document are separated by a delimiter. The default delimiter between labels is a pipe (|).", "title": "Mode", "type": "string" }, 
@@ -42438,7 +43948,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the type of Amazon Textract features to apply. If you chose `TEXTRACT_ANALYZE_DOCUMENT` as the read action, you must specify one or both of the following values:\n\n- `TABLES` - Returns information about any tables that are detected in the input document.\n- `FORMS` - Returns information and the data from any forms that are detected in the input document.", + "markdownDescription": "Specifies the type of Amazon Textract features to apply. If you chose `TEXTRACT_ANALYZE_DOCUMENT` as the read action, you must specify one or both of the following values:\n\n- `TABLES` - Returns additional information about any tables that are detected in the input document.\n- `FORMS` - Returns additional information about any forms that are detected in the input document.", "title": "FeatureTypes", "type": "array" } @@ -42647,7 +44157,7 @@ "additionalProperties": false, "properties": { "Type": { - "markdownDescription": "An entity type within a labeled training dataset that Amazon Comprehend uses to train a custom entity recognizer.\n\nEntity types must not contain the following invalid characters: \\n (line break), \\\\n (escaped line break, \\r (carriage return), \\\\r (escaped carriage return), \\t (tab), \\\\t (escaped tab), space, and , (comma).", + "markdownDescription": "An entity type within a labeled training dataset that Amazon Comprehend uses to train a custom entity recognizer.\n\nEntity types must not contain the following invalid characters: \\n (line break), \\\\n (escaped line break, \\r (carriage return), \\\\r (escaped carriage return), \\t (tab), \\\\t (escaped tab), and , (comma).", "title": "Type", "type": "string" } 
@@ -42824,7 +44334,9 @@ "additionalProperties": false, "properties": { "Compliance": { - "$ref": "#/definitions/AWS::Config::ConfigRule.Compliance" + "$ref": "#/definitions/AWS::Config::ConfigRule.Compliance", + "markdownDescription": "Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.", + "title": "Compliance" }, "ConfigRuleName": { "markdownDescription": "A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .", @@ -42840,6 +44352,8 @@ "items": { "$ref": "#/definitions/AWS::Config::ConfigRule.EvaluationModeConfiguration" }, + "markdownDescription": "The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.", + "title": "EvaluationModes", "type": "array" }, "InputParameters": { @@ -42893,6 +44407,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Indicates whether an AWS resource or AWS Config rule is compliant.\n\nA resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.\n\nA rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.\n\nAWS Config returns the `INSUFFICIENT_DATA` value when no evaluation results are available for the AWS resource or AWS Config rule.\n\nFor the `Compliance` data type, AWS Config supports only `COMPLIANT` , `NON_COMPLIANT` , and `INSUFFICIENT_DATA` values. AWS Config does not support the `NOT_APPLICABLE` value for the `Compliance` data type.", + "title": "Type", "type": "string" } }, 
@@ -42923,6 +44439,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of an evaluation. The valid values are Detective or Proactive.", + "title": "Mode", "type": "string" } }, 
@@ -43191,17 +44709,22 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "A name for the configuration recorder. If you don't specify a name, AWS CloudFormation CloudFormation generates a unique physical ID and uses that ID for the configuration recorder name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> After you create a configuration recorder, you cannot rename it. If you don't want a name that AWS CloudFormation generates, specify a value for this property. \n\nUpdates are not supported.", + "markdownDescription": "The name of the configuration recorder. AWS Config automatically assigns the name of \"default\" when creating the configuration recorder.\n\nYou cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.", "title": "Name", "type": "string" }, "RecordingGroup": { "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingGroup", - "markdownDescription": "Indicates whether to record configurations for all supported resources or for a list of resource types. The resource types that you list must be supported by AWS Config .", + "markdownDescription": "Specifies which resource types AWS Config records for configuration changes.\n\n> *High Number of AWS Config Evaluations*\n> \n> You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.\n> \n> If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. 
An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud ( Amazon EC2 ) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling . If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.", "title": "RecordingGroup" }, + "RecordingMode": { + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingMode", + "markdownDescription": "Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports *Continuous recording* and *Daily recording* .\n\n- Continuous recording allows you to record configuration changes continuously whenever a change occurs.\n- Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it\u2019s different from the previous CI recorded.\n\n> AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous. \n\nYou can also override the recording frequency for specific resource types.", + "title": "RecordingMode" + }, "RoleARN": { - "markdownDescription": "The Amazon Resource Name (ARN) of the IAM (IAM) role that is used to make read or write requests to the delivery channel that you specify and to get configuration details for supported AWS resources. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.", + "markdownDescription": "Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder. 
For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.\n\n> *Pre-existing AWS Config role*\n> \n> If you have used an AWS service that uses AWS Config , such as AWS Security Hub or AWS Control Tower , and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected.\n> \n> For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service ( Amazon S3 ) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config . Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config , see [*Identity and Access Management for AWS Config*](https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html) in the *AWS Config Developer Guide* .", "title": "RoleARN", "type": "string" } @@ -43239,6 +44762,8 @@ "items": { "type": "string" }, + "markdownDescription": "A comma-separated list of resource types to exclude from recording by the configuration recorder.", + "title": "ResourceTypes", "type": "array" } }, 
@@ -43251,36 +44776,92 @@ "additionalProperties": false, "properties": { "AllSupported": { - "markdownDescription": "Specifies whether AWS Config records configuration changes for all supported regional resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new type of regional resource, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .", + "markdownDescription": "Specifies whether AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new resource type, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Region availability*\n> \n> Check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if a resource type is supported in the AWS Region where you set up AWS Config .", "title": "AllSupported", "type": "boolean" }, "ExclusionByResourceTypes": { - "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.ExclusionByResourceTypes" + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.ExclusionByResourceTypes", 
+ "markdownDescription": "An object that specifies how AWS Config excludes resource types from being recorded by the configuration recorder.\n\nTo use this option, you must set the `useOnly` field of [AWS::Config::ConfigurationRecorder RecordingStrategy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .", + "title": "ExclusionByResourceTypes" }, "IncludeGlobalResourceTypes": { - "markdownDescription": "Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.\n\nBefore you can set this option to `true` , you must set the `AllSupported` option to `true` .\n\nIf you set this option to `true` , when AWS Config adds support for a new type of global resource, it starts recording resources of that type automatically.\n\nThe configuration details for any global resource are the same in all regions. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.", + "markdownDescription": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. 
This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `includeGlobalResourceTypes` is not set to `true` . The `includeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > Before you set this field to `true` , set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . 
> *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `includeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `resourceTypes` field in addition to setting the `includeGlobalResourceTypes` field to false.", "title": "IncludeGlobalResourceTypes", "type": "boolean" }, "RecordingStrategy": { - "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy" + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy", + "markdownDescription": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . 
When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . 
> *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. 
This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "title": "RecordingStrategy" + }, + "ResourceTypes": { + "items": { + "type": "string" + }, + "markdownDescription": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `resourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `allSupported` field to `false` and specify values for `resourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . 
If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config .", + "title": "ResourceTypes", + "type": "array" + } + }, + "type": "object" + }, + "AWS::Config::ConfigurationRecorder.RecordingMode": { + "additionalProperties": false, + "properties": { + "RecordingFrequency": { + "markdownDescription": "The default recording frequency that AWS Config uses to record configuration changes.\n\n> Daily recording is not supported for the following resource types:\n> \n> - `AWS::Config::ResourceCompliance`\n> - `AWS::Config::ConformancePackCompliance`\n> - `AWS::Config::ConfigurationRecorder`\n> \n> For the *allSupported* ( `ALL_SUPPORTED_RESOURCE_TYPES` ) recording strategy, these resource types will be set to Continuous recording.", + "title": "RecordingFrequency", + "type": "string" + }, + "RecordingModeOverrides": { + "items": { + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingModeOverride" + }, + "markdownDescription": "An array of `recordingModeOverride` objects for you to specify your overrides for the recording mode. 
The `recordingModeOverride` object in the `recordingModeOverrides` array consists of three fields: a `description` , the new `recordingFrequency` , and an array of `resourceTypes` to override.", + "title": "RecordingModeOverrides", + "type": "array" + } + }, + "required": [ + "RecordingFrequency" + ], + "type": "object" + }, + "AWS::Config::ConfigurationRecorder.RecordingModeOverride": { + "additionalProperties": false, + "properties": { + "Description": { + "markdownDescription": "A description that you provide for the override.", + "title": "Description", + "type": "string" + }, + "RecordingFrequency": { + "markdownDescription": "The recording frequency that will be applied to all the resource types specified in the override.\n\n- Continuous recording allows you to record configuration changes continuously whenever a change occurs.\n- Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it\u2019s different from the previous CI recorded.\n\n> AWS Firewall Manager depends on continuous recording to monitor your resources. 
If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.", + "title": "RecordingFrequency", + "type": "string" }, "ResourceTypes": { "items": { "type": "string" }, - "markdownDescription": "A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail` ).\n\nTo record all configuration changes, you must set the `AllSupported` option to `false` .\n\nIf you set the `AllSupported` option to false and populate the `ResourceTypes` option with values, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.\n\nFor a list of valid `resourceTypes` values, see the *resourceType Value* column in [Supported AWS Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) .", + "markdownDescription": "A comma-separated list that specifies which resource types AWS Config includes in the override.\n\n> Daily recording is not supported for the following resource types:\n> \n> - `AWS::Config::ResourceCompliance`\n> - `AWS::Config::ConformancePackCompliance`\n> - `AWS::Config::ConfigurationRecorder`", "title": "ResourceTypes", "type": "array" } }, + "required": [ + "RecordingFrequency", + "ResourceTypes" + ], "type": "object" }, "AWS::Config::ConfigurationRecorder.RecordingStrategy": { "additionalProperties": false, "properties": { "UseOnly": { + "markdownDescription": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . 
When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . 
> *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "title": "UseOnly", "type": "string" } }, 
@@ -43359,7 +44940,7 @@ }, "TemplateSSMDocumentDetails": { "$ref": "#/definitions/AWS::Config::ConformancePack.TemplateSSMDocumentDetails", - "markdownDescription": "", + "markdownDescription": "An object that contains the name or Amazon Resource Name (ARN) of the AWS Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack.", "title": "TemplateSSMDocumentDetails" } }, @@ -43578,7 +45159,7 @@ }, "OrganizationCustomPolicyRuleMetadata": { "$ref": "#/definitions/AWS::Config::OrganizationConfigRule.OrganizationCustomPolicyRuleMetadata", - "markdownDescription": "", + "markdownDescription": "An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.", "title": "OrganizationCustomPolicyRuleMetadata" }, "OrganizationCustomRuleMetadata": { 
@@ -43625,22 +45206,22 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of accounts that you can enable debug logging for your organization AWS Config Custom Policy rule. List is null when debug logging is enabled for all accounts.", "title": "DebugLogDeliveryAccounts", "type": "array" }, "Description": { - "markdownDescription": "", + "markdownDescription": "The description that you provide for your organization AWS Config Custom Policy rule.", "title": "Description", "type": "string" }, "InputParameters": { - "markdownDescription": "", + "markdownDescription": "A string, in JSON format, that is passed to your organization AWS Config Custom Policy rule.", "title": "InputParameters", "type": "string" }, "MaximumExecutionFrequency": { - "markdownDescription": "", + "markdownDescription": "The maximum frequency with which AWS Config runs evaluations for a rule. Your AWS Config Custom Policy rule is triggered when AWS Config delivers the configuration snapshot. For more information, see `ConfigSnapshotDeliveryProperties` .", "title": "MaximumExecutionFrequency", "type": "string" }, 
@@ -43648,17 +45229,17 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The type of notification that initiates AWS Config to run an evaluation for a rule. For AWS Config Custom Policy rules, AWS Config supports change-initiated notification types:\n\n- `ConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers a configuration item as a result of a resource change.\n- `OversizedConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.", "title": "OrganizationConfigRuleTriggerTypes", "type": "array" }, "PolicyText": { - "markdownDescription": "", + "markdownDescription": "The policy definition containing the logic for your organization AWS Config Custom Policy rule.", "title": "PolicyText", "type": "string" }, "ResourceIdScope": { - "markdownDescription": "", + "markdownDescription": "The ID of the AWS resource that was evaluated.", "title": "ResourceIdScope", "type": "string" }, 
@@ -43666,22 +45247,22 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The type of the AWS resource that was evaluated.", "title": "ResourceTypesScope", "type": "array" }, "Runtime": { - "markdownDescription": "", + "markdownDescription": "The runtime system for your organization AWS Config Custom Policy rules. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard) .", "title": "Runtime", "type": "string" }, "TagKeyScope": { - "markdownDescription": "", + "markdownDescription": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", "title": "TagKeyScope", "type": "string" }, "TagValueScope": { - "markdownDescription": "", + "markdownDescription": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).", "title": "TagValueScope", "type": "string" } 
@@ -43994,7 +45575,7 @@ "type": "string" }, "RetryAttemptSeconds": { - "markdownDescription": "Maximum time in seconds that AWS Config runs auto-remediation. If you do not select a number, the default is 60 seconds.\n\nFor example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, AWS Config will run auto-remediations 5 times within 50 seconds before throwing an exception.", + "markdownDescription": "Time window to determine whether or not to add a remediation exception to prevent infinite remediation attempts. If `MaximumAutomaticAttempts` remediation attempts have been made under `RetryAttemptSeconds` , a remediation exception will be added to the resource. If you do not select a number, the default is 60 seconds.\n\nFor example, if you specify `RetryAttemptSeconds` as 50 seconds and `MaximumAutomaticAttempts` as 5, AWS Config will run auto-remediations 5 times within 50 seconds before adding a remediation exception to the resource.", "title": "RetryAttemptSeconds", "type": "number" }, @@ -44073,8 +45654,6 @@ "additionalProperties": false, "properties": { "Value": { - "markdownDescription": "The value is a resource ID.", - "title": "Value", "type": "string" } }, @@ -44103,8 +45682,6 @@ "items": { "type": "string" }, - "markdownDescription": "A list of values. For example, the ARN of the assumed role.", - "title": "Values", "type": "array" } }, @@ -44879,7 +46456,7 @@ "additionalProperties": false, "properties": { "Label": { - "markdownDescription": "The property label of the automation.\n\n*Allowed values* : `OVERALL_CUSTOMER_SENTIMENT_SCORE` , `OVERALL_AGENT_SENTIMENT_SCORE` | `NON_TALK_TIME` | `NON_TALK_TIME_PERCENTAGE` | `NUMBER_OF_INTERRUPTIONS` | `CONTACT_DURATION` | `AGENT_INTERACTION_DURATION` | `CUSTOMER_HOLD_TIME`", + "markdownDescription": "The property label of the automation.", "title": "Label", "type": "string" } 
@@ -44997,7 +46574,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", "title": "Tags", "type": "array" }, @@ -45136,6 +46713,14 @@ "markdownDescription": "The alias of instance. `InstanceAlias` is only required when `IdentityManagementType` is `CONNECT_MANAGED` or `SAML` . `InstanceAlias` is not required when `IdentityManagementType` is `EXISTING_DIRECTORY` .", "title": "InstanceAlias", "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags of an instance.", + "title": "Tags", + "type": "array" } }, "required": [ @@ -45377,6 +46962,7 @@ } }, "required": [ + "EncryptionConfig", "Prefix", "RetentionPeriodHours" ], @@ -45545,7 +47131,7 @@ "type": "array" }, "TargetArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", + "markdownDescription": "The Amazon Resource Name (ARN) for Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", "title": "TargetArn", "type": "string" }, 
@@ -45710,36 +47296,54 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the queue.", + "title": "Description", "type": "string" }, "HoursOfOperationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the hours of operation.", + "title": "HoursOfOperationArn", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "MaxContacts": { + "markdownDescription": "The maximum number of contacts that can be in the queue before it is considered full.", + "title": "MaxContacts", "type": "number" }, "Name": { + "markdownDescription": "The name of the queue.", + "title": "Name", "type": "string" }, "OutboundCallerConfig": { - "$ref": "#/definitions/AWS::Connect::Queue.OutboundCallerConfig" + "$ref": "#/definitions/AWS::Connect::Queue.OutboundCallerConfig", + "markdownDescription": "The outbound caller ID name, number, and outbound whisper flow.", + "title": "OutboundCallerConfig" }, "QuickConnectArns": { "items": { "type": "string" }, + "markdownDescription": "The Amazon Resource Names (ARN) of the of the quick connects available to agents who are working the queue.", + "title": "QuickConnectArns", "type": "array" }, "Status": { + "markdownDescription": "The status of the queue.", + "title": "Status", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, 
@@ -45775,12 +47379,18 @@ "additionalProperties": false, "properties": { "OutboundCallerIdName": { + "markdownDescription": "The caller ID name.", + "title": "OutboundCallerIdName", "type": "string" }, "OutboundCallerIdNumberArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the outbound caller ID number.\n\n> Only use the phone number ARN format that doesn't contain `instance` in the path, for example, `arn:aws:connect:us-east-1:1234567890:phone-number/uuid` . This is the same ARN format that is returned when you create a phone number using CloudFormation , or when you call the [ListPhoneNumbersV2](https://docs.aws.amazon.com/connect/latest/APIReference/API_ListPhoneNumbersV2.html) API.", + "title": "OutboundCallerIdNumberArn", "type": "string" }, "OutboundFlowArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the outbound flow.", + "title": "OutboundFlowArn", "type": "string" } }, @@ -45845,7 +47455,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", "title": "Tags", "type": "array" } 
@@ -45997,36 +47607,52 @@ "additionalProperties": false, "properties": { "AgentAvailabilityTimer": { + "markdownDescription": "Whether agents with this routing profile will have their routing order calculated based on *time since their last inbound contact* or *longest idle time* .", + "title": "AgentAvailabilityTimer", "type": "string" }, "DefaultOutboundQueueArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the default outbound queue for the routing profile.", + "title": "DefaultOutboundQueueArn", "type": "string" }, "Description": { + "markdownDescription": "The description of the routing profile.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "MediaConcurrencies": { "items": { "$ref": "#/definitions/AWS::Connect::RoutingProfile.MediaConcurrency" }, + "markdownDescription": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "title": "MediaConcurrencies", "type": "array" }, "Name": { + "markdownDescription": "The name of the routing profile.", + "title": "Name", "type": "string" }, "QueueConfigs": { "items": { "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueConfig" }, + "markdownDescription": "The inbound queues associated with the routing profile. If no queue is added, the agent can make only outbound calls.", + "title": "QueueConfigs", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, 
@@ -46064,6 +47690,8 @@ "additionalProperties": false, "properties": { "BehaviorType": { + "markdownDescription": "Specifies the other channels that can be routed to an agent handling their current channel.", + "title": "BehaviorType", "type": "string" } }, @@ -46076,13 +47704,19 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The channels that agents can handle in the Contact Control Panel (CCP).", + "title": "Channel", "type": "string" }, "Concurrency": { + "markdownDescription": "The number of contacts an agent can have on a channel simultaneously.\n\nValid Range for `VOICE` : Minimum value of 1. Maximum value of 1.\n\nValid Range for `CHAT` : Minimum value of 1. Maximum value of 10.\n\nValid Range for `TASK` : Minimum value of 1. Maximum value of 10.", + "title": "Concurrency", "type": "number" }, "CrossChannelBehavior": { - "$ref": "#/definitions/AWS::Connect::RoutingProfile.CrossChannelBehavior" + "$ref": "#/definitions/AWS::Connect::RoutingProfile.CrossChannelBehavior", + "markdownDescription": "Defines the cross-channel routing behavior for each channel that is enabled for this Routing Profile. For example, this allows you to offer an agent a different contact from another channel when they are currently working with a contact from a Voice channel.", + "title": "CrossChannelBehavior" } }, "required": [ 
@@ -46095,13 +47729,19 @@ "additionalProperties": false, "properties": { "Delay": { + "markdownDescription": "The delay, in seconds, a contact should be in the queue before they are routed to an available agent. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) in the *Amazon Connect Administrator Guide* .", + "title": "Delay", "type": "number" }, "Priority": { + "markdownDescription": "The order in which contacts are to be handled for the queue. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) .", + "title": "Priority", "type": "number" }, "QueueReference": { - "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueReference" + "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueReference", + "markdownDescription": "Contains information about a queue resource.", + "title": "QueueReference" } }, "required": [ @@ -46115,9 +47755,13 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "title": "Channel", "type": "string" }, "QueueArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the queue.", + "title": "QueueArn", "type": "string" } }, @@ -46333,7 +47977,7 @@ "additionalProperties": false, "properties": { "EventSourceName": { - "markdownDescription": "The name of the event source.\n\n*Allowed values* : `OnPostCallAnalysisAvailable` | `OnRealTimeCallAnalysisAvailable` | `OnPostChatAnalysisAvailable` | `OnZendeskTicketCreate` | `OnZendeskTicketStatusUpdate` | `OnSalesforceCaseCreate`", + "markdownDescription": "The name of the event source.", "title": "EventSourceName", "type": "string" }, 
@@ -46533,33 +48177,47 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The list of tags that a security profile uses to restrict access to resources in Amazon Connect.", + "title": "AllowedAccessControlTags", "type": "array" }, "Description": { + "markdownDescription": "The description of the security profile.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "Permissions": { "items": { "type": "string" }, + "markdownDescription": "Permissions assigned to the security profile. For a list of valid permissions, see [List of security profile permissions](https://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) .", + "title": "Permissions", "type": "array" }, "SecurityProfileName": { + "markdownDescription": "The name for the security profile.", + "title": "SecurityProfileName", "type": "string" }, "TagRestrictedResources": { "items": { "type": "string" }, + "markdownDescription": "The list of resources that a security profile applies tag restrictions to in Amazon Connect.", + "title": "TagRestrictedResources", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"Tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, 
@@ -46886,18 +48544,26 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the traffic distribution group.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The Amazon Resource Name (ARN).", + "title": "InstanceArn", "type": "string" }, "Name": { + "markdownDescription": "The name of the traffic distribution group.", + "title": "Name", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, {\"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -47164,6 +48830,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -47233,24 +48901,36 @@ "items": { "type": "string" }, + "markdownDescription": "A list of actions possible from the view.", + "title": "Actions", "type": "array" }, "Description": { + "markdownDescription": "The description of the view.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the instance.", + "title": "InstanceArn", "type": "string" }, "Name": { + "markdownDescription": "The name of the view.", + "title": "Name", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the view resource (not specific to view version).", + "title": "Tags", "type": "array" }, "Template": { + "markdownDescription": "The view template representing the structure of the view.", + "title": "Template", "type": "object" } }, 
@@ -47319,12 +48999,18 @@ "additionalProperties": false, "properties": { "VersionDescription": { + "markdownDescription": "The description of the view version.", + "title": "VersionDescription", "type": "string" }, "ViewArn": { + "markdownDescription": "The unqualified Amazon Resource Name (ARN) of the view.\n\nFor example:\n\n`arn::connect:::instance/00000000-0000-0000-0000-000000000000/view/00000000-0000-0000-0000-000000000000`", + "title": "ViewArn", "type": "string" }, "ViewContentSha256": { + "markdownDescription": "Indicates the checksum value of the latest published view content.", + "title": "ViewContentSha256", "type": "string" } }, @@ -47451,6 +49137,8 @@ "additionalProperties": false, "properties": { "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47460,7 +49148,7 @@ "additionalProperties": false, "properties": { "EnableAnswerMachineDetection": { - "markdownDescription": "", + "markdownDescription": "Whether answering machine detection is enabled.", "title": "EnableAnswerMachineDetection", "type": "boolean" } @@ -47474,7 +49162,9 @@ "additionalProperties": false, "properties": { "AgentlessDialerConfig": { - "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AgentlessDialerConfig" + "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AgentlessDialerConfig", + "markdownDescription": "The configuration of the agentless dialer.", + "title": "AgentlessDialerConfig" }, "PredictiveDialerConfig": { "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.PredictiveDialerConfig", @@ -47494,7 +49184,7 @@ "properties": { "AnswerMachineDetectionConfig": { "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AnswerMachineDetectionConfig", - "markdownDescription": "", + "markdownDescription": "Whether answering machine detection has been enabled.", "title": "AnswerMachineDetectionConfig" }, "ConnectContactFlowArn": { 
@@ -47527,6 +49217,8 @@ "type": "number" }, "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47544,6 +49236,8 @@ "type": "number" }, "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47588,12 +49282,20 @@ "additionalProperties": false, "properties": { "ControlIdentifier": { - "markdownDescription": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *Region deny* guardrail.", + "markdownDescription": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *landing zone Region deny* control. For information on how to find the `controlIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", "title": "ControlIdentifier", "type": "string" }, + "Parameters": { + "items": { + "$ref": "#/definitions/AWS::ControlTower::EnabledControl.EnabledControlParameter" + }, + "markdownDescription": "Array of `EnabledControlParameter` objects.", + "title": "Parameters", + "type": "array" + }, "TargetIdentifier": { - "markdownDescription": "The ARN of the organizational unit.", + "markdownDescription": "The ARN of the organizational unit. For information on how to find the `targetIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", "title": "TargetIdentifier", "type": "string" } 
@@ -47625,213 +49327,314 @@ ], "type": "object" }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition": { - "additionalProperties": false, - "properties": { - "Condition": { - "type": "string" - }, - "DeletionPolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - }, - "DependsOn": { - "anyOf": [ - { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - { - "items": { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - "type": "array" - } - ] - }, - "Metadata": { - "type": "object" - }, - "Properties": { - "additionalProperties": false, - "properties": { - "AttributeDetails": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeDetails", - "markdownDescription": "Mathematical expression and a list of attribute items specified in that expression.", - "title": "AttributeDetails" - }, - "CalculatedAttributeName": { - "markdownDescription": "The name of an attribute defined in a profile object type.", - "title": "CalculatedAttributeName", - "type": "string" - }, - "Conditions": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Conditions", - "markdownDescription": "The conditions including range, object count, and threshold for the calculated attribute.", - "title": "Conditions" - }, - "Description": { - "markdownDescription": "The description of the calculated attribute.", - "title": "Description", - "type": "string" - }, - "DisplayName": { - "markdownDescription": "The display name of the calculated attribute.", - "title": "DisplayName", - "type": "string" - }, - "DomainName": { - "markdownDescription": "The unique name of the domain.", - "title": "DomainName", - "type": "string" - }, - "Statistic": { - "markdownDescription": "The aggregation operation to perform for the calculated attribute.", - "title": "Statistic", - "type": "string" - }, - "Tags": { - "items": { - "$ref": "#/definitions/Tag" - }, - "markdownDescription": "An array of key-value pairs to 
apply to this resource.", - "title": "Tags", - "type": "array" - } - }, - "required": [ - "AttributeDetails", - "CalculatedAttributeName", - "DomainName", - "Statistic" - ], - "type": "object" - }, - "Type": { - "enum": [ - "AWS::CustomerProfiles::CalculatedAttributeDefinition" - ], - "type": "string" - }, - "UpdateReplacePolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - } - }, - "required": [ - "Type", - "Properties" - ], - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeDetails": { - "additionalProperties": false, - "properties": { - "Attributes": { - "items": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeItem" - }, - "markdownDescription": "Mathematical expression and a list of attribute items specified in that expression.", - "title": "Attributes", - "type": "array" - }, - "Expression": { - "markdownDescription": "Mathematical expression that is performed on attribute items provided in the attribute list. 
Each element in the expression should follow the structure of \\\"{ObjectTypeName.AttributeName}\\\".", - "title": "Expression", - "type": "string" - } - }, - "required": [ - "Attributes", - "Expression" - ], - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeItem": { + "AWS::ControlTower::EnabledControl.EnabledControlParameter": { "additionalProperties": false, "properties": { - "Name": { - "markdownDescription": "The unique name of the calculated attribute.", - "title": "Name", - "type": "string" - } - }, - "required": [ - "Name" - ], - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.Conditions": { - "additionalProperties": false, - "properties": { - "ObjectCount": { - "markdownDescription": "The number of profile objects used for the calculated attribute.", - "title": "ObjectCount", - "type": "number" - }, - "Range": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Range", - "markdownDescription": "The relative time period over which data is included in the aggregation.", - "title": "Range" - }, - "Threshold": { - "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Threshold", - "markdownDescription": "The threshold for the calculated attribute.", - "title": "Threshold" - } - }, - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.Range": { - "additionalProperties": false, - "properties": { - "Unit": { - "markdownDescription": "The unit of time.", - "title": "Unit", - "type": "string" - }, - "Value": { - "markdownDescription": "The amount of time of the specified unit.", - "title": "Value", - "type": "number" - } - }, - "required": [ - "Unit", - "Value" - ], - "type": "object" - }, - "AWS::CustomerProfiles::CalculatedAttributeDefinition.Threshold": { - "additionalProperties": false, - "properties": { - "Operator": { - "markdownDescription": "The operator of the threshold.", - "title": "Operator", + "Key": { + 
"markdownDescription": "The key of a key/value pair. It is of type `string` .", + "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "The value of the threshold.", + "markdownDescription": "The value of a key/value pair. It can be of type `array` , `string` , `number` , `object` , or `boolean` . [Note: The *Type* field that follows may show a single type such as Number, which is only one possible type.]", "title": "Value", - "type": "string" + "type": "object" } }, "required": [ - "Operator", + "Key", "Value" ], "type": "object" }, - "AWS::CustomerProfiles::Domain": { + "AWS::ControlTower::LandingZone": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Manifest": { + "markdownDescription": "The landing zone manifest JSON text file that specifies the landing zone configurations.", + "title": "Manifest", + "type": "object" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "Tags to be applied to the landing zone.", + "title": "Tags", + "type": "array" + }, + "Version": { + "markdownDescription": "The landing zone's current deployed version.", + "title": "Version", + "type": "string" + } + }, + "required": [ + "Manifest", + "Version" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ControlTower::LandingZone" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + 
"AWS::CustomerProfiles::CalculatedAttributeDefinition": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "AttributeDetails": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeDetails", + "markdownDescription": "Mathematical expression and a list of attribute items specified in that expression.", + "title": "AttributeDetails" + }, + "CalculatedAttributeName": { + "markdownDescription": "The name of an attribute defined in a profile object type.", + "title": "CalculatedAttributeName", + "type": "string" + }, + "Conditions": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Conditions", + "markdownDescription": "The conditions including range, object count, and threshold for the calculated attribute.", + "title": "Conditions" + }, + "Description": { + "markdownDescription": "The description of the calculated attribute.", + "title": "Description", + "type": "string" + }, + "DisplayName": { + "markdownDescription": "The display name of the calculated attribute.", + "title": "DisplayName", + "type": "string" + }, + "DomainName": { + "markdownDescription": "The unique name of the domain.", + "title": "DomainName", + "type": "string" + }, + "Statistic": { + "markdownDescription": "The aggregation operation to perform for the calculated attribute.", + "title": "Statistic", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "An array of key-value pairs to apply to this resource.", + "title": "Tags", + "type": 
"array" + } + }, + "required": [ + "AttributeDetails", + "CalculatedAttributeName", + "DomainName", + "Statistic" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::CustomerProfiles::CalculatedAttributeDefinition" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeDetails": { + "additionalProperties": false, + "properties": { + "Attributes": { + "items": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeItem" + }, + "markdownDescription": "Mathematical expression and a list of attribute items specified in that expression.", + "title": "Attributes", + "type": "array" + }, + "Expression": { + "markdownDescription": "Mathematical expression that is performed on attribute items provided in the attribute list. Each element in the expression should follow the structure of \\\"{ObjectTypeName.AttributeName}\\\".", + "title": "Expression", + "type": "string" + } + }, + "required": [ + "Attributes", + "Expression" + ], + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.AttributeItem": { + "additionalProperties": false, + "properties": { + "Name": { + "markdownDescription": "The unique name of the calculated attribute.", + "title": "Name", + "type": "string" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.Conditions": { + "additionalProperties": false, + "properties": { + "ObjectCount": { + "markdownDescription": "The number of profile objects used for the calculated attribute.", + "title": "ObjectCount", + "type": "number" + }, + "Range": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Range", + "markdownDescription": "The relative time period over which data is included in the 
aggregation.", + "title": "Range" + }, + "Threshold": { + "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition.Threshold", + "markdownDescription": "The threshold for the calculated attribute.", + "title": "Threshold" + } + }, + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.Range": { + "additionalProperties": false, + "properties": { + "Unit": { + "markdownDescription": "The unit of time.", + "title": "Unit", + "type": "string" + }, + "Value": { + "markdownDescription": "The amount of time of the specified unit.", + "title": "Value", + "type": "number" + } + }, + "required": [ + "Unit", + "Value" + ], + "type": "object" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition.Threshold": { + "additionalProperties": false, + "properties": { + "Operator": { + "markdownDescription": "The operator of the threshold.", + "title": "Operator", + "type": "string" + }, + "Value": { + "markdownDescription": "The value of the threshold.", + "title": "Value", + "type": "string" + } + }, + "required": [ + "Operator", + "Value" + ], + "type": "object" + }, + "AWS::CustomerProfiles::Domain": { "additionalProperties": false, "properties": { "Condition": { 
@@ -47867,7 +49670,7 @@ "additionalProperties": false, "properties": { "DeadLetterQueueUrl": { - "markdownDescription": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the DeadLetterQueue for the SendMessage operation to enable Amazon Connect Customer Profiles to send messages to the DeadLetterQueue.", + "markdownDescription": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the `DeadLetterQueue` for the `SendMessage` operation to enable Amazon Connect Customer Profiles to send messages to the `DeadLetterQueue` .", "title": "DeadLetterQueueUrl", "type": "string" }, @@ -47887,10 +49690,14 @@ "type": "string" }, "Matching": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Matching" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Matching", + "markdownDescription": "The process of matching duplicate profiles.", + "title": "Matching" }, "RuleBasedMatching": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.RuleBasedMatching" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.RuleBasedMatching", + "markdownDescription": "The process of matching duplicate profiles using Rule-Based matching.", + "title": "RuleBasedMatching" }, "Tags": { "items": { 
@@ -47934,21 +49741,29 @@ "items": { "type": "string" }, + "markdownDescription": "The `Address` type. You can choose from `Address` , `BusinessAddress` , `MaillingAddress` , and `ShippingAddress` . You only can use the `Address` type in the `MatchingRule` . For example, if you want to match a profile based on `BusinessAddress.City` or `MaillingAddress.City` , you can choose the `BusinessAddress` and the `MaillingAddress` to represent the `Address` type and specify the `Address.City` on the matching rule.", + "title": "Address", "type": "array" }, "AttributeMatchingModel": { + "markdownDescription": "Configures the `AttributeMatchingModel` , you can either choose `ONE_TO_ONE` or `MANY_TO_MANY` .", + "title": "AttributeMatchingModel", "type": "string" }, "EmailAddress": { "items": { "type": "string" }, + "markdownDescription": "The Email type. You can choose from `EmailAddress` , `BusinessEmailAddress` and `PersonalEmailAddress` . You only can use the `EmailAddress` type in the `MatchingRule` . For example, if you want to match profile based on `PersonalEmailAddress` or `BusinessEmailAddress` , you can choose the `PersonalEmailAddress` and the `BusinessEmailAddress` to represent the `EmailAddress` type and only specify the `EmailAddress` on the matching rule.", + "title": "EmailAddress", "type": "array" }, "PhoneNumber": { "items": { "type": "string" }, + "markdownDescription": "The `PhoneNumber` type. You can choose from `PhoneNumber` , `HomePhoneNumber` , and `MobilePhoneNumber` . You only can use the `PhoneNumber` type in the `MatchingRule` . For example, if you want to match a profile based on `Phone` or `HomePhone` , you can choose the `Phone` and the `HomePhone` to represent the `PhoneNumber` type and only specify the `PhoneNumber` on the matching rule.", + "title": "PhoneNumber", "type": "array" } }, 
@@ -47961,15 +49776,23 @@ "additionalProperties": false, "properties": { "ConflictResolution": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution", + "markdownDescription": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "title": "ConflictResolution" }, "Consolidation": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Consolidation" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Consolidation", + "markdownDescription": "A list of matching attributes that represent matching criteria. If two profiles meet at least one of the requirements in the matching attributes list, they will be merged.", + "title": "Consolidation" }, "Enabled": { + "markdownDescription": "The flag that enables the auto-merging of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "MinAllowedConfidenceScoreForMerging": { + "markdownDescription": "A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. A higher score means that a higher similarity is required to merge profiles.", + "title": "MinAllowedConfidenceScoreForMerging", "type": "number" } }, @@ -47982,9 +49805,13 @@ "additionalProperties": false, "properties": { "ConflictResolvingModel": { + "markdownDescription": "How the auto-merging process should resolve conflicts between different profiles.", + "title": "ConflictResolvingModel", "type": "string" }, "SourceName": { + "markdownDescription": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel` .", + "title": "SourceName", "type": "string" } }, 
@@ -47997,6 +49824,8 @@ "additionalProperties": false, "properties": { "MatchingAttributesList": { + "markdownDescription": "A list of matching criteria.", + "title": "MatchingAttributesList", "type": "object" } }, @@ -48009,15 +49838,23 @@ "additionalProperties": false, "properties": { "MeteringProfileCount": { + "markdownDescription": "The number of profiles that you are currently paying for in the domain. If you have more than 100 objects associated with a single profile, that profile counts as two profiles. If you have more than 200 objects, that profile counts as three, and so on.", + "title": "MeteringProfileCount", "type": "number" }, "ObjectCount": { + "markdownDescription": "The total number of objects in domain.", + "title": "ObjectCount", "type": "number" }, "ProfileCount": { + "markdownDescription": "The total number of profiles currently in the domain.", + "title": "ProfileCount", "type": "number" }, "TotalSize": { + "markdownDescription": "The total size, in bytes, of all objects in the domain.", + "title": "TotalSize", "type": "number" } }, @@ -48027,7 +49864,9 @@ "additionalProperties": false, "properties": { "S3Exporting": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.S3ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.S3ExportingConfig", + "markdownDescription": "", + "title": "S3Exporting" } }, "type": "object" @@ -48036,9 +49875,13 @@ "additionalProperties": false, "properties": { "DayOfTheWeek": { + "markdownDescription": "The day when the Identity Resolution Job should run every week.", + "title": "DayOfTheWeek", "type": "string" }, "Time": { + "markdownDescription": "The time when the Identity Resolution Job should run every week.", + "title": "Time", "type": "string" } }, 
@@ -48052,16 +49895,24 @@ "additionalProperties": false, "properties": { "AutoMerging": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AutoMerging" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AutoMerging", + "markdownDescription": "Configuration information about the auto-merging process.", + "title": "AutoMerging" }, "Enabled": { + "markdownDescription": "The flag that enables the matching process of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "ExportingConfig": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig", + "markdownDescription": "The S3 location where Identity Resolution Jobs write result files.", + "title": "ExportingConfig" }, "JobSchedule": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.JobSchedule" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.JobSchedule", + "markdownDescription": "The day and time when do you want to start the Identity Resolution Job every week.", + "title": "JobSchedule" } }, "required": [ @@ -48076,6 +49927,8 @@ "items": { "type": "string" }, + "markdownDescription": "A single rule level of the `MatchRules` . Configures how the rule-based matching process should match profiles.", + "title": "Rule", "type": "array" } }, 
@@ -48088,30 +49941,46 @@ "additionalProperties": false, "properties": { "AttributeTypesSelector": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AttributeTypesSelector" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AttributeTypesSelector", + "markdownDescription": "Configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles.", + "title": "AttributeTypesSelector" }, "ConflictResolution": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution", + "markdownDescription": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "title": "ConflictResolution" }, "Enabled": { + "markdownDescription": "The flag that enables the matching process of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "ExportingConfig": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig", + "markdownDescription": "The S3 location where Identity Resolution Jobs write result files.", + "title": "ExportingConfig" }, "MatchingRules": { "items": { "$ref": "#/definitions/AWS::CustomerProfiles::Domain.MatchingRule" }, + "markdownDescription": "Configures how the rule-based matching process should match profiles. 
You can have up to 15 `MatchingRule` in the `MatchingRules` .", + "title": "MatchingRules", "type": "array" }, "MaxAllowedRuleLevelForMatching": { + "markdownDescription": "Indicates the maximum allowed rule level for matching.", + "title": "MaxAllowedRuleLevelForMatching", "type": "number" }, "MaxAllowedRuleLevelForMerging": { + "markdownDescription": "Indicates the maximum allowed rule level for merging.", + "title": "MaxAllowedRuleLevelForMerging", "type": "number" }, "Status": { + "markdownDescription": "The status of rule-based matching rule.", + "title": "Status", "type": "string" } }, @@ -48124,9 +49993,13 @@ "additionalProperties": false, "properties": { "S3BucketName": { + "markdownDescription": "The name of the S3 bucket where Identity Resolution Jobs write result files.", + "title": "S3BucketName", "type": "string" }, "S3KeyName": { + "markdownDescription": "The S3 key name of the location where Identity Resolution Jobs write result files.", + "title": "S3KeyName", "type": "string" } }, @@ -48811,6 +50684,8 @@ "type": "string" }, "SourceLastUpdatedTimestampFormat": { + "markdownDescription": "The format of your sourceLastUpdatedTimestamp that was previously set up.", + "title": "SourceLastUpdatedTimestampFormat", "type": "string" }, "Tags": { 
@@ -49270,21 +51145,56 @@ "Properties": { "additionalProperties": false, "properties": { + "CopyTags": { + "markdownDescription": "*[Default policies only]* Indicates whether the policy should copy tags from the source resource to the snapshot or AMI. If you do not specify a value, the default is `false` .\n\nDefault: false", + "title": "CopyTags", + "type": "boolean" + }, + "CreateInterval": { + "markdownDescription": "*[Default policies only]* Specifies how often the policy should run and create snapshots or AMIs. The creation frequency can range from 1 to 7 days. If you do not specify a value, the default is 1.\n\nDefault: 1", + "title": "CreateInterval", + "type": "number" + }, + "CrossRegionCopyTargets": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.CrossRegionCopyTargets", + "markdownDescription": "*[Default policies only]* Specifies destination Regions for snapshot or AMI copies. You can specify up to 3 destination Regions. If you do not want to create cross-Region copies, omit this parameter.", + "title": "CrossRegionCopyTargets" + }, + "DefaultPolicy": { + "markdownDescription": "Indicates whether the policy is a default lifecycle policy or a custom lifecycle policy.\n\n- `true` - the policy is a default policy.\n- `false` - the policy is a custom policy.", + "title": "DefaultPolicy", + "type": "string" + }, "Description": { "markdownDescription": "A description of the lifecycle policy. The characters ^[0-9A-Za-z _-]+$ are supported.", "title": "Description", "type": "string" }, + "Exclusions": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Exclusions", + "markdownDescription": "*[Default policies only]* Specifies exclusion parameters for volumes or instances for which you do not want to create snapshots or AMIs. 
The policy will not create snapshots or AMIs for target resources that match any of the specified exclusion parameters.", + "title": "Exclusions" + }, "ExecutionRoleArn": { "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role used to run the operations specified by the lifecycle policy.", "title": "ExecutionRoleArn", "type": "string" }, + "ExtendDeletion": { + "markdownDescription": "*[Default policies only]* Defines the snapshot or AMI retention behavior for the policy if the source volume or instance is deleted, or if the policy enters the error, disabled, or deleted state.\n\nBy default ( *ExtendDeletion=false* ):\n\n- If a source resource is deleted, Amazon Data Lifecycle Manager will continue to delete previously created snapshots or AMIs, up to but not including the last one, based on the specified retention period. If you want Amazon Data Lifecycle Manager to delete all snapshots or AMIs, including the last one, specify `true` .\n- If a policy enters the error, disabled, or deleted state, Amazon Data Lifecycle Manager stops deleting snapshots and AMIs. 
If you want Amazon Data Lifecycle Manager to continue deleting snapshots or AMIs, including the last one, if the policy enters one of these states, specify `true` .\n\nIf you enable extended deletion ( *ExtendDeletion=true* ), you override both default behaviors simultaneously.\n\nIf you do not specify a value, the default is `false` .\n\nDefault: false", + "title": "ExtendDeletion", + "type": "boolean" + }, "PolicyDetails": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.PolicyDetails", - "markdownDescription": "The configuration details of the lifecycle policy.", + "markdownDescription": "The configuration details of the lifecycle policy.\n\n> If you create a default policy, you can specify the request parameters either in the request body, or in the PolicyDetails request structure, but not both.", "title": "PolicyDetails" }, + "RetainInterval": { + "markdownDescription": "*[Default policies only]* Specifies how long the policy should retain snapshots or AMIs before deleting them. The retention period can range from 2 to 14 days, but it must be greater than the creation frequency to ensure that the policy retains at least 1 snapshot or AMI at any given time. If you do not specify a value, the default is 7.\n\nDefault: 7", + "title": "RetainInterval", + "type": "number" + }, "State": { "markdownDescription": "The activation state of the lifecycle policy.", "title": "State", @@ -49349,7 +51259,7 @@ "properties": { "RetentionArchiveTier": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.RetentionArchiveTier", - "markdownDescription": "", + "markdownDescription": "Information about retention period in the Amazon EBS Snapshots Archive. For more information, see [Archive Amazon EBS snapshots](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/snapshot-archive.html) .", "title": "RetentionArchiveTier" } }, 
@@ -49363,7 +51273,7 @@ "properties": { "RetainRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ArchiveRetainRule", - "markdownDescription": "", + "markdownDescription": "Information about the retention period for the snapshot archiving rule.", "title": "RetainRule" } }, 
@@ -49391,10 +51301,18 @@ "type": "string" }, "Location": { - "markdownDescription": "*[Snapshot policies only]* Specifies the destination for snapshots created by the policy. To create snapshots in the same Region as the source resource, specify `CLOUD` . To create snapshots on the same Outpost as the source resource, specify `OUTPOST_LOCAL` . If you omit this parameter, `CLOUD` is used by default.\n\nIf the policy targets resources in an AWS Region , then you must create snapshots in the same Region as the source resource. If the policy targets resources on an Outpost, then you can create snapshots on the same Outpost as the source resource, or in the Region of that Outpost.", + "markdownDescription": "*[Custom snapshot policies only]* Specifies the destination for snapshots created by the policy. To create snapshots in the same Region as the source resource, specify `CLOUD` . To create snapshots on the same Outpost as the source resource, specify `OUTPOST_LOCAL` . If you omit this parameter, `CLOUD` is used by default.\n\nIf the policy targets resources in an AWS Region , then you must create snapshots in the same Region as the source resource. If the policy targets resources on an Outpost, then you can create snapshots on the same Outpost as the source resource, or in the Region of that Outpost.", "title": "Location", "type": "string" }, + "Scripts": { + "items": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Script" + }, + "markdownDescription": "*[Custom snapshot policies that target instances only]* Specifies pre and/or post scripts for a snapshot lifecycle policy that targets instances. 
This is useful for creating application-consistent snapshots, or for performing specific administrative tasks before or after Amazon Data Lifecycle Manager initiates snapshot creation.\n\nFor more information, see [Automating application-consistent snapshots with pre and post scripts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/automate-app-consistent-backups.html) .", + "title": "Scripts", + "type": "array" + }, "Times": { "items": { "type": "string" @@ -49435,12 +51353,12 @@ "additionalProperties": false, "properties": { "Interval": { - "markdownDescription": "", + "markdownDescription": "The period after which to deprecate the cross-Region AMI copies. The period must be less than or equal to the cross-Region AMI copy retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* . For example, to deprecate a cross-Region AMI copy after 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` .", "title": "IntervalUnit", "type": "string" } @@ -49486,7 +51404,7 @@ }, "DeprecateRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.CrossRegionCopyDeprecateRule", - "markdownDescription": "", + "markdownDescription": "*[Custom AMI policies only]* The AMI deprecation rule for cross-Region AMI copies created by the rule.", "title": "DeprecateRule" }, "Encrypted": { 
@@ -49500,12 +51418,12 @@ "title": "RetainRule" }, "Target": { - "markdownDescription": "The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.\n\nUse this parameter instead of *TargetRegion* . Do not specify both.", + "markdownDescription": "> Use this parameter for snapshot policies only. For AMI policies, use *TargetRegion* instead. \n\n*[Custom snapshot policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", "title": "Target", "type": "string" }, "TargetRegion": { - "markdownDescription": "> Avoid using this parameter when creating new policies. Instead, use *Target* to specify a target Region or a target Outpost for snapshot copies.\n> \n> For policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies.", + "markdownDescription": "> Use this parameter for AMI policies only. For snapshot policies, use *Target* instead. For snapshot policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies. \n\n*[Custom AMI policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", "title": "TargetRegion", "type": "string" } 
@@ -49515,21 +51433,35 @@ ], "type": "object" }, + "AWS::DLM::LifecyclePolicy.CrossRegionCopyTarget": { + "additionalProperties": false, + "properties": { + "TargetRegion": { + "type": "string" + } + }, + "type": "object" + }, + "AWS::DLM::LifecyclePolicy.CrossRegionCopyTargets": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, "AWS::DLM::LifecyclePolicy.DeprecateRule": { "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "", + "markdownDescription": "If the schedule has a count-based retention rule, this parameter specifies the number of oldest AMIs to deprecate. The count must be less than or equal to the schedule's retention count, and it can't be greater than 1000.", "title": "Count", "type": "number" }, "Interval": { - "markdownDescription": "", + "markdownDescription": "If the schedule has an age-based retention rule, this parameter specifies the period after which to deprecate AMIs created by the schedule. The period must be less than or equal to the schedule's retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* .", "title": "IntervalUnit", "type": "string" } 
@@ -49602,6 +51534,37 @@ ], "type": "object" }, + "AWS::DLM::LifecyclePolicy.ExcludeTags": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, + "AWS::DLM::LifecyclePolicy.ExcludeVolumeTypesList": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, + "AWS::DLM::LifecyclePolicy.Exclusions": { + "additionalProperties": false, + "properties": { + "ExcludeBootVolumes": { + "markdownDescription": "*[Default policies for EBS snapshots only]* Indicates whether to exclude volumes that are attached to instances as the boot volume. If you exclude boot volumes, only volumes attached as data (non-boot) volumes will be backed up by the policy. To exclude boot volumes, specify `true` .", + "title": "ExcludeBootVolumes", + "type": "boolean" + }, + "ExcludeTags": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ExcludeTags", + "markdownDescription": "*[Default policies for EBS-backed AMIs only]* Specifies whether to exclude volumes that have specific tags.", + "title": "ExcludeTags" + }, + "ExcludeVolumeTypes": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ExcludeVolumeTypesList", + "markdownDescription": "*[Default policies for EBS snapshots only]* Specifies the volume types to exclude. Volumes of the specified types will not be targeted by the policy.", + "title": "ExcludeVolumeTypes" + } + }, + "type": "object" + }, "AWS::DLM::LifecyclePolicy.FastRestoreRule": { "additionalProperties": false, "properties": { 
@@ -49635,7 +51598,7 @@ "additionalProperties": false, "properties": { "ExcludeBootVolume": { - "markdownDescription": "*[Snapshot policies that target instances only]* Indicates whether to exclude the root volume from multi-volume snapshot sets. The default is `false` . If you specify `true` , then the root volumes attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", + "markdownDescription": "*[Custom snapshot policies that target instances only]* Indicates whether to exclude the root volume from multi-volume snapshot sets. The default is `false` . If you specify `true` , then the root volumes attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", "title": "ExcludeBootVolume", "type": "boolean" }, 
@@ -49643,12 +51606,12 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "*[Custom snapshot policies that target instances only]* The tags used to identify data (non-root) volumes to exclude from multi-volume snapshot sets.\n\nIf you create a snapshot lifecycle policy that targets instances and you specify tags for this parameter, then data volumes with the specified tags that are attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", "title": "ExcludeDataVolumeTags", "type": "array" }, "NoReboot": { - "markdownDescription": "*[AMI policies only]* Indicates whether targeted instances are rebooted when the lifecycle policy runs. `true` indicates that targeted instances are not rebooted when the policy runs. `false` indicates that target instances are rebooted when the policy runs. The default is `true` (instances are not rebooted).", + "markdownDescription": "*[Custom AMI policies only]* Indicates whether targeted instances are rebooted when the lifecycle policy runs. `true` indicates that targeted instances are not rebooted when the policy runs. `false` indicates that target instances are rebooted when the policy runs. The default is `true` (instances are not rebooted).", "title": "NoReboot", "type": "boolean" } 
@@ -49666,18 +51629,48 @@ "title": "Actions", "type": "array" }, + "CopyTags": { + "markdownDescription": "*[Default policies only]* Indicates whether the policy should copy tags from the source resource to the snapshot or AMI. If you do not specify a value, the default is `false` .\n\nDefault: false", + "title": "CopyTags", + "type": "boolean" + }, + "CreateInterval": { + "markdownDescription": "*[Default policies only]* Specifies how often the policy should run and create snapshots or AMIs. The creation frequency can range from 1 to 7 days. If you do not specify a value, the default is 1.\n\nDefault: 1", + "title": "CreateInterval", + "type": "number" + }, + "CrossRegionCopyTargets": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.CrossRegionCopyTargets", + "markdownDescription": "*[Default policies only]* Specifies destination Regions for snapshot or AMI copies. You can specify up to 3 destination Regions. If you do not want to create cross-Region copies, omit this parameter.", + "title": "CrossRegionCopyTargets" + }, "EventSource": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.EventSource", "markdownDescription": "*[Event-based policies only]* The event that activates the event-based policy.", "title": "EventSource" }, + "Exclusions": { + "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Exclusions", + "markdownDescription": "*[Default policies only]* Specifies exclusion parameters for volumes or instances for which you do not want to create snapshots or AMIs. 
The policy will not create snapshots or AMIs for target resources that match any of the specified exclusion parameters.", + "title": "Exclusions" + }, + "ExtendDeletion": { + "markdownDescription": "*[Default policies only]* Defines the snapshot or AMI retention behavior for the policy if the source volume or instance is deleted, or if the policy enters the error, disabled, or deleted state.\n\nBy default ( *ExtendDeletion=false* ):\n\n- If a source resource is deleted, Amazon Data Lifecycle Manager will continue to delete previously created snapshots or AMIs, up to but not including the last one, based on the specified retention period. If you want Amazon Data Lifecycle Manager to delete all snapshots or AMIs, including the last one, specify `true` .\n- If a policy enters the error, disabled, or deleted state, Amazon Data Lifecycle Manager stops deleting snapshots and AMIs. If you want Amazon Data Lifecycle Manager to continue deleting snapshots or AMIs, including the last one, if the policy enters one of these states, specify `true` .\n\nIf you enable extended deletion ( *ExtendDeletion=true* ), you override both default behaviors simultaneously.\n\nIf you do not specify a value, the default is `false` .\n\nDefault: false", + "title": "ExtendDeletion", + "type": "boolean" + }, "Parameters": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Parameters", - "markdownDescription": "*[Snapshot and AMI policies only]* A set of optional parameters for snapshot and AMI lifecycle policies.\n\n> If you are modifying a policy that was created or previously modified using the Amazon Data Lifecycle Manager console, then you must include this parameter and specify either the default values or the new values that you require. 
You can't omit this parameter or set its values to null.", + "markdownDescription": "*[Custom snapshot and AMI policies only]* A set of optional parameters for snapshot and AMI lifecycle policies.\n\n> If you are modifying a policy that was created or previously modified using the Amazon Data Lifecycle Manager console, then you must include this parameter and specify either the default values or the new values that you require. You can't omit this parameter or set its values to null.", "title": "Parameters" }, + "PolicyLanguage": { + "markdownDescription": "The type of policy to create. Specify one of the following:\n\n- `SIMPLIFIED` To create a default policy.\n- `STANDARD` To create a custom policy.", + "title": "PolicyLanguage", + "type": "string" + }, "PolicyType": { - "markdownDescription": "*[All policy types]* The valid target resource types and actions a policy can manage. Specify `EBS_SNAPSHOT_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify `IMAGE_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. Specify `EVENT_BASED_POLICY` to create an event-based policy that performs specific actions when a defined event occurs in your AWS account .\n\nThe default is `EBS_SNAPSHOT_MANAGEMENT` .", + "markdownDescription": "The type of policy. Specify `EBS_SNAPSHOT_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify `IMAGE_MANAGEMENT` to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. Specify `EVENT_BASED_POLICY` to create an event-based policy that performs specific actions when a defined event occurs in your AWS account .\n\nThe default is `EBS_SNAPSHOT_MANAGEMENT` .", "title": "PolicyType", "type": "string" }, 
@@ -49685,23 +51678,33 @@ "items": { "type": "string" }, - "markdownDescription": "*[Snapshot and AMI policies only]* The location of the resources to backup. If the source resources are located in an AWS Region , specify `CLOUD` . If the source resources are located on an Outpost in your account, specify `OUTPOST` .\n\nIf you specify `OUTPOST` , Amazon Data Lifecycle Manager backs up all resources of the specified type with matching target tags across all of the Outposts in your account.", + "markdownDescription": "*[Custom snapshot and AMI policies only]* The location of the resources to backup. If the source resources are located in an AWS Region , specify `CLOUD` . If the source resources are located on an Outpost in your account, specify `OUTPOST` .\n\nIf you specify `OUTPOST` , Amazon Data Lifecycle Manager backs up all resources of the specified type with matching target tags across all of the Outposts in your account.", "title": "ResourceLocations", "type": "array" }, + "ResourceType": { + "markdownDescription": "*[Default policies only]* Specify the type of default policy to create.\n\n- To create a default policy for EBS snapshots, that creates snapshots of all volumes in the Region that do not have recent backups, specify `VOLUME` .\n- To create a default policy for EBS-backed AMIs, that creates EBS-backed AMIs from all instances in the Region that do not have recent backups, specify `INSTANCE` .", + "title": "ResourceType", + "type": "string" + }, "ResourceTypes": { "items": { "type": "string" }, - "markdownDescription": "*[Snapshot policies only]* The target resource type for snapshot and AMI lifecycle policies. Use `VOLUME` to create snapshots of individual volumes or use `INSTANCE` to create multi-volume snapshots from the volumes for an instance.", + "markdownDescription": "*[Custom snapshot policies only]* The target resource type for snapshot and AMI lifecycle policies. 
Use `VOLUME` to create snapshots of individual volumes or use `INSTANCE` to create multi-volume snapshots from the volumes for an instance.", "title": "ResourceTypes", "type": "array" }, + "RetainInterval": { + "markdownDescription": "*[Default policies only]* Specifies how long the policy should retain snapshots or AMIs before deleting them. The retention period can range from 2 to 14 days, but it must be greater than the creation frequency to ensure that the policy retains at least 1 snapshot or AMI at any given time. If you do not specify a value, the default is 7.\n\nDefault: 7", + "title": "RetainInterval", + "type": "number" + }, "Schedules": { "items": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.Schedule" }, - "markdownDescription": "*[Snapshot and AMI policies only]* The schedules of policy-defined actions for snapshot and AMI lifecycle policies. A policy can have up to four schedules\u2014one mandatory schedule and up to three optional schedules.", + "markdownDescription": "*[Custom snapshot and AMI policies only]* The schedules of policy-defined actions for snapshot and AMI lifecycle policies. A policy can have up to four schedules\u2014one mandatory schedule and up to three optional schedules.", "title": "Schedules", "type": "array" }, @@ -49709,7 +51712,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "*[Snapshot and AMI policies only]* The single tag that identifies targeted resources for this policy.", + "markdownDescription": "*[Custom snapshot and AMI policies only]* The single tag that identifies targeted resources for this policy.", "title": "TargetTags", "type": "array" } 
@@ -49720,7 +51723,7 @@ "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "The number of snapshots to retain for each volume, up to a maximum of 1000. For example if you want to retain a maximum of three snapshots, specify `3` . When the fourth snapshot is created, the oldest retained snapshot is deleted, or it is moved to the archive tier if you have specified an `ArchiveRule` .", + "markdownDescription": "The number of snapshots to retain for each volume, up to a maximum of 1000. For example if you want to retain a maximum of three snapshots, specify `3` . When the fourth snapshot is created, the oldest retained snapshot is deleted, or it is moved to the archive tier if you have specified an [ArchiveRule](https://docs.aws.amazon.com/dlm/latest/APIReference/API_ArchiveRule.html) .", "title": "Count", "type": "number" }, @@ -49730,7 +51733,7 @@ "type": "number" }, "IntervalUnit": { - "markdownDescription": "The unit of time for time-based retention. For example, to retain snapshots for 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` . Once the snapshot has been retained for 3 months, it is deleted, or it is moved to the archive tier if you have specified an `ArchiveRule` .", + "markdownDescription": "The unit of time for time-based retention. For example, to retain snapshots for 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` . Once the snapshot has been retained for 3 months, it is deleted, or it is moved to the archive tier if you have specified an [ArchiveRule](https://docs.aws.amazon.com/dlm/latest/APIReference/API_ArchiveRule.html) .", "title": "IntervalUnit", "type": "string" } 
@@ -49741,17 +51744,17 @@ "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "", + "markdownDescription": "The maximum number of snapshots to retain in the archive storage tier for each volume. The count must ensure that each snapshot remains in the archive tier for at least 90 days. For example, if the schedule creates snapshots every 30 days, you must specify a count of 3 or more to ensure that each snapshot is archived for at least 90 days.", "title": "Count", "type": "number" }, "Interval": { - "markdownDescription": "", + "markdownDescription": "Specifies the period of time to retain snapshots in the archive tier. After this period expires, the snapshot is permanently deleted.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* . For example, to retain a snapshots in the archive tier for 6 months, specify `Interval=6` and `IntervalUnit=MONTHS` .", "title": "IntervalUnit", "type": "string" } @@ -49763,7 +51766,7 @@ "properties": { "ArchiveRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ArchiveRule", - "markdownDescription": "", + "markdownDescription": "*[Custom snapshot policies that target volumes only]* The snapshot archiving rule for the schedule. When you specify an archiving rule, snapshots are automatically moved from the standard tier to the archive tier once the schedule's retention threshold is met. Snapshots are then retained in the archive tier for the archive retention period that you specify.\n\nFor more information about using snapshot archiving, see [Considerations for snapshot lifecycle policies](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-ami-policy.html#dlm-archive) .", "title": "ArchiveRule" }, "CopyTags": { 
@@ -49786,12 +51789,12 @@ }, "DeprecateRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.DeprecateRule", - "markdownDescription": "", + "markdownDescription": "*[Custom AMI policies only]* The AMI deprecation rule for the schedule.", "title": "DeprecateRule" }, "FastRestoreRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.FastRestoreRule", - "markdownDescription": "*[Snapshot policies only]* The rule for enabling fast snapshot restore.", + "markdownDescription": "*[Custom snapshot policies only]* The rule for enabling fast snapshot restore.", "title": "FastRestoreRule" }, "Name": { @@ -49808,7 +51811,7 @@ "items": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ShareRule" }, - "markdownDescription": "*[Snapshot policies only]* The rule for sharing snapshots with other AWS accounts .", + "markdownDescription": "*[Custom snapshot policies only]* The rule for sharing snapshots with other AWS accounts .", "title": "ShareRules", "type": "array" }, 
@@ -49831,6 +51834,45 @@ }, "type": "object" }, + "AWS::DLM::LifecyclePolicy.Script": { + "additionalProperties": false, + "properties": { + "ExecuteOperationOnScriptFailure": { + "markdownDescription": "Indicates whether Amazon Data Lifecycle Manager should default to crash-consistent snapshots if the pre script fails.\n\n- To default to crash consistent snapshot if the pre script fails, specify `true` .\n- To skip the instance for snapshot creation if the pre script fails, specify `false` .\n\nThis parameter is supported only if you run a pre script. If you run a post script only, omit this parameter.\n\nDefault: true", + "title": "ExecuteOperationOnScriptFailure", + "type": "boolean" + }, + "ExecutionHandler": { + "markdownDescription": "The SSM document that includes the pre and/or post scripts to run.\n\n- If you are automating VSS backups, specify `AWS_VSS_BACKUP` . In this case, Amazon Data Lifecycle Manager automatically uses the `AWSEC2-CreateVssSnapshot` SSM document.\n- If you are automating application-consistent snapshots for SAP HANA workloads, specify `AWSSystemsManagerSAP-CreateDLMSnapshotForSAPHANA` .\n- If you are using a custom SSM document that you own, specify either the name or ARN of the SSM document. 
If you are using a custom SSM document that is shared with you, specify the ARN of the SSM document.", + "title": "ExecutionHandler", + "type": "string" + }, + "ExecutionHandlerService": { + "markdownDescription": "Indicates the service used to execute the pre and/or post scripts.\n\n- If you are using custom SSM documents or automating application-consistent snapshots of SAP HANA workloads, specify `AWS_SYSTEMS_MANAGER` .\n- If you are automating VSS Backups, omit this parameter.\n\nDefault: AWS_SYSTEMS_MANAGER", + "title": "ExecutionHandlerService", + "type": "string" + }, + "ExecutionTimeout": { + "markdownDescription": "Specifies a timeout period, in seconds, after which Amazon Data Lifecycle Manager fails the script run attempt if it has not completed. If a script does not complete within its timeout period, Amazon Data Lifecycle Manager fails the attempt. The timeout period applies to the pre and post scripts individually.\n\nIf you are automating VSS Backups, omit this parameter.\n\nDefault: 10", + "title": "ExecutionTimeout", + "type": "number" + }, + "MaximumRetryCount": { + "markdownDescription": "Specifies the number of times Amazon Data Lifecycle Manager should retry scripts that fail.\n\n- If the pre script fails, Amazon Data Lifecycle Manager retries the entire snapshot creation process, including running the pre and post scripts.\n- If the post script fails, Amazon Data Lifecycle Manager retries the post script only; in this case, the pre script will have completed and the snapshot might have been created.\n\nIf you do not want Amazon Data Lifecycle Manager to retry failed scripts, specify `0` .\n\nDefault: 0", + "title": "MaximumRetryCount", + "type": "number" + }, + "Stages": { + "items": { + "type": "string" + }, + "markdownDescription": "Indicate which scripts Amazon Data Lifecycle Manager should run on target instances. Pre scripts run before Amazon Data Lifecycle Manager initiates snapshot creation. 
Post scripts run after Amazon Data Lifecycle Manager initiates snapshot creation.\n\n- To run a pre script only, specify `PRE` . In this case, Amazon Data Lifecycle Manager calls the SSM document with the `pre-script` parameter before initiating snapshot creation.\n- To run a post script only, specify `POST` . In this case, Amazon Data Lifecycle Manager calls the SSM document with the `post-script` parameter after initiating snapshot creation.\n- To run both pre and post scripts, specify both `PRE` and `POST` . In this case, Amazon Data Lifecycle Manager calls the SSM document with the `pre-script` parameter before initiating snapshot creation, and then it calls the SSM document again with the `post-script` parameter after initiating snapshot creation.\n\nIf you are automating VSS Backups, omit this parameter.\n\nDefault: PRE and POST", + "title": "Stages", + "type": "array" + } + }, + "type": "object" + }, "AWS::DLM::LifecyclePolicy.ShareRule": { "additionalProperties": false, "properties": { @@ -49855,6 +51897,11 @@ }, "type": "object" }, + "AWS::DLM::LifecyclePolicy.VolumeTypeValues": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, "AWS::DMS::Certificate": { "additionalProperties": false, "properties": { 
@@ -49928,6 +51975,276 @@ ], "type": "object" }, + "AWS::DMS::DataProvider": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "DataProviderIdentifier": { + "markdownDescription": "The identifier of the data provider. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen, or contain two consecutive hyphens.", + "title": "DataProviderIdentifier", + "type": "string" + }, + "DataProviderName": { + "markdownDescription": "The name of the data provider.", + "title": "DataProviderName", + "type": "string" + }, + "Description": { + "markdownDescription": "A description of the data provider. Descriptions can have up to 31 characters. A description can contain only ASCII letters, digits, and hyphens ('-'). Also, it can't end with a hyphen or contain two consecutive hyphens, and can only begin with a letter.", + "title": "Description", + "type": "string" + }, + "Engine": { + "markdownDescription": "The type of database engine for the data provider. Valid values include `\"aurora\"` , `\"aurora-postgresql\"` , `\"mysql\"` , `\"oracle\"` , `\"postgres\"` , `\"sqlserver\"` , `redshift` , `mariadb` , `mongodb` , and `docdb` . 
A value of `\"aurora\"` represents Amazon Aurora MySQL-Compatible Edition.", + "title": "Engine", + "type": "string" + }, + "ExactSettings": { + "markdownDescription": "", + "title": "ExactSettings", + "type": "boolean" + }, + "Settings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.Settings", + "markdownDescription": "The settings in JSON format for a data provider.", + "title": "Settings" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Engine" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::DMS::DataProvider" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::DMS::DataProvider.MicrosoftSqlServerSettings": { + "additionalProperties": false, + "properties": { + "CertificateArn": { + "markdownDescription": "", + "title": "CertificateArn", + "type": "string" + }, + "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", + "type": "string" + }, + "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", + "type": "number" + }, + "ServerName": { + "markdownDescription": "Fully qualified domain name of the endpoint. 
For an Amazon RDS SQL Server instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "title": "ServerName", + "type": "string" + }, + "SslMode": { + "markdownDescription": "", + "title": "SslMode", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::DataProvider.MySqlSettings": { + "additionalProperties": false, + "properties": { + "CertificateArn": { + "markdownDescription": "", + "title": "CertificateArn", + "type": "string" + }, + "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", + "type": "number" + }, + "ServerName": { + "markdownDescription": "The host name of the endpoint database.\n\nFor an Amazon RDS MySQL instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.\n\nFor an Aurora MySQL instance, this is the output of [DescribeDBClusters](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html) , in the `Endpoint` field.", + "title": "ServerName", + "type": "string" + }, + "SslMode": { + "markdownDescription": "", + "title": "SslMode", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::DataProvider.OracleSettings": { + "additionalProperties": false, + "properties": { + "AsmServer": { + "markdownDescription": "For an Oracle source endpoint, your ASM server address. You can set this value from the `asm_server` value. You set `asm_server` as part of the extra connection attribute string to access an Oracle server with Binary Reader that uses ASM. 
For more information, see [Configuration for change data capture (CDC) on an Oracle source database](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.CDC.Configuration) .", + "title": "AsmServer", + "type": "string" + }, + "CertificateArn": { + "markdownDescription": "", + "title": "CertificateArn", + "type": "string" + }, + "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", + "type": "string" + }, + "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", + "type": "number" + }, + "SecretsManagerOracleAsmAccessRoleArn": { + "markdownDescription": "Required only if your Oracle endpoint uses Automatic Storage Management (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUser` , `AsmPassword` , and `AsmServerName` . You can't specify both. For more information on creating this `SecretsManagerOracleAsmSecret` and the `SecretsManagerOracleAsmAccessRoleArn` and `SecretsManagerOracleAsmSecretId` required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", + "title": "SecretsManagerOracleAsmAccessRoleArn", + "type": "string" + }, + "SecretsManagerOracleAsmSecretId": { + "markdownDescription": "Required only if your Oracle endpoint uses Automatic Storage Management (ASM). 
The full ARN, partial ARN, or friendly name of the `SecretsManagerOracleAsmSecret` that contains the Oracle ASM connection details for the Oracle endpoint.", + "title": "SecretsManagerOracleAsmSecretId", + "type": "string" + }, + "SecretsManagerSecurityDbEncryptionAccessRoleArn": { + "markdownDescription": "", + "title": "SecretsManagerSecurityDbEncryptionAccessRoleArn", + "type": "string" + }, + "SecretsManagerSecurityDbEncryptionSecretId": { + "markdownDescription": "", + "title": "SecretsManagerSecurityDbEncryptionSecretId", + "type": "string" + }, + "ServerName": { + "markdownDescription": "Fully qualified domain name of the endpoint.\n\nFor an Amazon RDS Oracle instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "title": "ServerName", + "type": "string" + }, + "SslMode": { + "markdownDescription": "", + "title": "SslMode", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::DataProvider.PostgreSqlSettings": { + "additionalProperties": false, + "properties": { + "CertificateArn": { + "markdownDescription": "", + "title": "CertificateArn", + "type": "string" + }, + "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", + "type": "string" + }, + "Port": { + "markdownDescription": "Endpoint TCP port. 
The default is 5432.", + "title": "Port", + "type": "number" + }, + "ServerName": { + "markdownDescription": "The host name of the endpoint database.\n\nFor an Amazon RDS PostgreSQL instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.\n\nFor an Aurora PostgreSQL instance, this is the output of [DescribeDBClusters](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html) , in the `Endpoint` field.", + "title": "ServerName", + "type": "string" + }, + "SslMode": { + "markdownDescription": "", + "title": "SslMode", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::DataProvider.Settings": { + "additionalProperties": false, + "properties": { + "MicrosoftSqlServerSettings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.MicrosoftSqlServerSettings", + "markdownDescription": "", + "title": "MicrosoftSqlServerSettings" + }, + "MySqlSettings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.MySqlSettings", + "markdownDescription": "", + "title": "MySqlSettings" + }, + "OracleSettings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.OracleSettings", + "markdownDescription": "", + "title": "OracleSettings" + }, + "PostgreSqlSettings": { + "$ref": "#/definitions/AWS::DMS::DataProvider.PostgreSqlSettings", + "markdownDescription": "", + "title": "PostgreSqlSettings" + } + }, + "type": "object" + }, "AWS::DMS::Endpoint": { "additionalProperties": false, "properties": { 
@@ -49999,7 +52316,7 @@ "type": "string" }, "EngineName": { - "markdownDescription": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", + "markdownDescription": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `redshift-serverless` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", "title": "EngineName", "type": "string" }, @@ -50271,7 +52588,7 @@ "type": "string" }, "ServerName": { - "markdownDescription": "Endpoint TCP port.", + "markdownDescription": "The MySQL host name.", "title": "ServerName", "type": "string" }, @@ -50296,6 +52613,21 @@ "title": "CurrentLsn", "type": "string" }, + "KeepCsvFiles": { + "markdownDescription": "If true, AWS DMS saves any .csv files to the Db2 LUW target that were used to replicate data. DMS uses these files for analysis and troubleshooting.\n\nThe default value is false.", + "title": "KeepCsvFiles", + "type": "boolean" + }, + "LoadTimeout": { + "markdownDescription": "The amount of time (in milliseconds) before AWS DMS times out operations performed by DMS on the Db2 target. The default value is 1200 (20 minutes).", + "title": "LoadTimeout", + "type": "number" + }, + "MaxFileSize": { + "markdownDescription": "Specifies the maximum size (in KB) of .csv files used to transfer data to Db2 LUW.", + "title": "MaxFileSize", + "type": "number" + }, "MaxKBytesPerRead": { "markdownDescription": "Maximum number of bytes per read, as a NUMBER value. The default is 64 KB.", "title": "MaxKBytesPerRead", 
@@ -50315,6 +52647,11 @@ "markdownDescription": "Enables ongoing replication (CDC) as a BOOLEAN value. The default is true.", "title": "SetDataCaptureChanges", "type": "boolean" + }, + "WriteBufferSize": { + "markdownDescription": "The size (in KB) of the in-memory file write buffer used when generating .csv files on the local disk on the DMS replication instance. The default value is 1024 (1 MB).", + "title": "WriteBufferSize", + "type": "number" } }, "type": "object" @@ -50485,15 +52822,23 @@ "type": "string" }, "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", "type": "string" }, "ForceLobLookup": { + "markdownDescription": "Forces LOB lookup on inline LOB.", + "title": "ForceLobLookup", "type": "boolean" }, "Password": { + "markdownDescription": "Endpoint connection password.", + "title": "Password", "type": "string" }, "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", "type": "number" }, "QuerySingleAlwaysOnNode": { @@ -50522,12 +52867,18 @@ "type": "string" }, "ServerName": { + "markdownDescription": "Fully qualified domain name of the endpoint. For an Amazon RDS SQL Server instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "title": "ServerName", "type": "string" }, "TlogAccessMode": { + "markdownDescription": "Indicates the mode used to fetch CDC data.", + "title": "TlogAccessMode", "type": "string" }, "TrimSpaceInChar": { + "markdownDescription": "Use the `TrimSpaceInChar` source endpoint setting to right-trim data on CHAR and NCHAR data types during migration. Setting `TrimSpaceInChar` does not left-trim data. The default value is `true` .", + "title": "TrimSpaceInChar", "type": "boolean" }, "UseBcpFullLoad": { 
@@ -50541,6 +52892,8 @@ "type": "boolean" }, "Username": { + "markdownDescription": "Endpoint connection user name.", + "title": "Username", "type": "string" } }, 
@@ -50831,7 +53184,7 @@ "type": "string" }, "SecretsManagerOracleAsmAccessRoleArn": { - "markdownDescription": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUserName` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", + "markdownDescription": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUser` , `AsmPassword` , and `AsmServerName` . 
You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "title": "SecretsManagerOracleAsmAccessRoleArn", "type": "string" }, @@ -50902,6 +53255,8 @@ "type": "string" }, "BabelfishDatabaseName": { + "markdownDescription": "The Babelfish for Aurora PostgreSQL database name for the endpoint.", + "title": "BabelfishDatabaseName", "type": "string" }, "CaptureDdls": { @@ -50910,6 +53265,8 @@ "type": "boolean" }, "DatabaseMode": { + "markdownDescription": "Specifies the default behavior of the replication's handling of PostgreSQL- compatible endpoints that require some additional configuration, such as Babelfish endpoints.", + "title": "DatabaseMode", "type": "string" }, "DdlArtifactsSchema": { @@ -50943,7 +53300,7 @@ "type": "string" }, "MapBooleanAsBoolean": { - "markdownDescription": "", + "markdownDescription": "When true, lets PostgreSQL migrate the boolean type as boolean. By default, PostgreSQL migrates booleans as `varchar(5)` . You must set this setting on both the source and target endpoints for it to take effect.", "title": "MapBooleanAsBoolean", "type": "boolean" }, @@ -51085,7 +53442,7 @@ "type": "number" }, "MapBooleanAsBoolean": { - "markdownDescription": "", + "markdownDescription": "When true, lets Redshift migrate the boolean type as boolean. By default, Redshift migrates booleans as `varchar(1)` . You must set this setting on both the source and target endpoints for it to take effect.", "title": "MapBooleanAsBoolean", "type": "boolean" }, 
@@ -51160,6 +53517,11 @@ "title": "AddColumnName", "type": "boolean" }, + "AddTrailingPaddingCharacter": { + "markdownDescription": "Use the S3 target endpoint setting `AddTrailingPaddingCharacter` to add padding on string data. The default value is `false` .", + "title": "AddTrailingPaddingCharacter", + "type": "boolean" + }, "BucketFolder": { "markdownDescription": "An optional parameter to set a folder name in the S3 bucket. If provided, tables are created in the path `*bucketFolder* / *schema_name* / *table_name* /` . If this parameter isn't specified, the path used is `*schema_name* / *table_name* /` .", "title": "BucketFolder", @@ -51275,11 +53637,21 @@ "title": "EncryptionMode", "type": "string" }, + "ExpectedBucketOwner": { + "markdownDescription": "To specify a bucket owner and prevent sniping, you can use the `ExpectedBucketOwner` endpoint setting.\n\nExample: `--s3-settings='{\"ExpectedBucketOwner\": \" *AWS_Account_ID* \"}'`\n\nWhen you make a request to test a connection or perform a migration, S3 checks the account ID of the bucket owner against the specified parameter.", + "title": "ExpectedBucketOwner", + "type": "string" + }, "ExternalTableDefinition": { "markdownDescription": "The external table definition.\n\nConditional: If `S3` is used as a source then `ExternalTableDefinition` is required.", "title": "ExternalTableDefinition", "type": "string" }, + "GlueCatalogGeneration": { + "markdownDescription": "When true, allows AWS Glue to catalog your S3 bucket. Creating an AWS Glue catalog lets you use Athena to query your data.", + "title": "GlueCatalogGeneration", + "type": "boolean" + }, "IgnoreHeaderRows": { "markdownDescription": "When this value is set to 1, AWS DMS ignores the first row header in a .csv file. A value of 1 turns on the feature; a value of 0 turns off the feature.\n\nThe default is 0.", "title": "IgnoreHeaderRows", 
@@ -51470,6 +53842,289 @@ ], "type": "object" }, + "AWS::DMS::InstanceProfile": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "AvailabilityZone": { + "markdownDescription": "The Availability Zone where the instance profile runs.", + "title": "AvailabilityZone", + "type": "string" + }, + "Description": { + "markdownDescription": "A description of the instance profile. Descriptions can have up to 31 characters. A description can contain only ASCII letters, digits, and hyphens ('-'). Also, it can't end with a hyphen or contain two consecutive hyphens, and can only begin with a letter.", + "title": "Description", + "type": "string" + }, + "InstanceProfileIdentifier": { + "markdownDescription": "The identifier of the instance profile. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen, or contain two consecutive hyphens.", + "title": "InstanceProfileIdentifier", + "type": "string" + }, + "InstanceProfileName": { + "markdownDescription": "The user-friendly name for the instance profile.", + "title": "InstanceProfileName", + "type": "string" + }, + "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the connection parameters for the instance profile.\n\nIf you don't specify a value for the `KmsKeyArn` parameter, then AWS DMS uses your default encryption key.\n\nAWS KMS creates the default encryption key for your AWS account . 
Your AWS account has a different default encryption key for each AWS Region .", + "title": "KmsKeyArn", + "type": "string" + }, + "NetworkType": { + "markdownDescription": "Specifies the network type for the instance profile. A value of `IPV4` represents an instance profile with IPv4 network type and only supports IPv4 addressing. A value of `IPV6` represents an instance profile with IPv6 network type and only supports IPv6 addressing. A value of `DUAL` represents an instance profile with dual network type that supports IPv4 and IPv6 addressing.", + "title": "NetworkType", + "type": "string" + }, + "PubliclyAccessible": { + "markdownDescription": "Specifies the accessibility options for the instance profile. A value of `true` represents an instance profile with a public IP address. A value of `false` represents an instance profile with a private IP address. The default value is `true` .", + "title": "PubliclyAccessible", + "type": "boolean" + }, + "SubnetGroupIdentifier": { + "markdownDescription": "The identifier of the subnet group that is associated with the instance profile.", + "title": "SubnetGroupIdentifier", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "", + "title": "Tags", + "type": "array" + }, + "VpcSecurityGroups": { + "items": { + "type": "string" + }, + "markdownDescription": "The VPC security groups that are used with the instance profile. 
The VPC security group must work with the VPC containing the instance profile.", + "title": "VpcSecurityGroups", + "type": "array" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::DMS::InstanceProfile" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::DMS::MigrationProject": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Description": { + "markdownDescription": "A user-friendly description of the migration project.", + "title": "Description", + "type": "string" + }, + "InstanceProfileArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the instance profile for your migration project.", + "title": "InstanceProfileArn", + "type": "string" + }, + "InstanceProfileIdentifier": { + "markdownDescription": "The identifier of the instance profile for your migration project.", + "title": "InstanceProfileIdentifier", + "type": "string" + }, + "InstanceProfileName": { + "markdownDescription": "The name of the associated instance profile.", + "title": "InstanceProfileName", + "type": "string" + }, + "MigrationProjectIdentifier": { + "markdownDescription": "The identifier of the migration project. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. 
They can't end with a hyphen, or contain two consecutive hyphens.", + "title": "MigrationProjectIdentifier", + "type": "string" + }, + "MigrationProjectName": { + "markdownDescription": "The name of the migration project.", + "title": "MigrationProjectName", + "type": "string" + }, + "SchemaConversionApplicationAttributes": { + "$ref": "#/definitions/AWS::DMS::MigrationProject.SchemaConversionApplicationAttributes", + "markdownDescription": "The schema conversion application attributes, including the Amazon S3 bucket name and Amazon S3 role ARN.", + "title": "SchemaConversionApplicationAttributes" + }, + "SourceDataProviderDescriptors": { + "items": { + "$ref": "#/definitions/AWS::DMS::MigrationProject.DataProviderDescriptor" + }, + "markdownDescription": "Information about the source data provider, including the name or ARN, and AWS Secrets Manager parameters.", + "title": "SourceDataProviderDescriptors", + "type": "array" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "", + "title": "Tags", + "type": "array" + }, + "TargetDataProviderDescriptors": { + "items": { + "$ref": "#/definitions/AWS::DMS::MigrationProject.DataProviderDescriptor" + }, + "markdownDescription": "Information about the target data provider, including the name or ARN, and AWS Secrets Manager parameters.", + "title": "TargetDataProviderDescriptors", + "type": "array" + }, + "TransformationRules": { + "markdownDescription": "The settings in JSON format for migration rules. Migration rules make it possible for you to change the object names according to the rules that you specify. 
For example, you can change an object name to lowercase or uppercase, add or remove a prefix or suffix, or rename objects.", + "title": "TransformationRules", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::DMS::MigrationProject" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::DMS::MigrationProject.DataProviderDescriptor": { + "additionalProperties": false, + "properties": { + "DataProviderArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the data provider.", + "title": "DataProviderArn", + "type": "string" + }, + "DataProviderIdentifier": { + "markdownDescription": "", + "title": "DataProviderIdentifier", + "type": "string" + }, + "DataProviderName": { + "markdownDescription": "The user-friendly name of the data provider.", + "title": "DataProviderName", + "type": "string" + }, + "SecretsManagerAccessRoleArn": { + "markdownDescription": "The ARN of the role used to access AWS Secrets Manager.", + "title": "SecretsManagerAccessRoleArn", + "type": "string" + }, + "SecretsManagerSecretId": { + "markdownDescription": "The identifier of the AWS Secrets Manager Secret used to store access credentials for the data provider.", + "title": "SecretsManagerSecretId", + "type": "string" + } + }, + "type": "object" + }, + "AWS::DMS::MigrationProject.SchemaConversionApplicationAttributes": { + "additionalProperties": false, + "properties": { + "S3BucketPath": { + "markdownDescription": "", + "title": "S3BucketPath", + "type": "string" + }, + "S3BucketRoleArn": { + "markdownDescription": "", + "title": "S3BucketRoleArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::DMS::ReplicationConfig": { "additionalProperties": false, "properties": { 
@@ -51506,39 +54161,61 @@ "additionalProperties": false, "properties": { "ComputeConfig": { - "$ref": "#/definitions/AWS::DMS::ReplicationConfig.ComputeConfig" + "$ref": "#/definitions/AWS::DMS::ReplicationConfig.ComputeConfig", + "markdownDescription": "Configuration parameters for provisioning an AWS DMS Serverless replication.", + "title": "ComputeConfig" }, "ReplicationConfigArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of this AWS DMS Serverless replication configuration.", + "title": "ReplicationConfigArn", "type": "string" }, "ReplicationConfigIdentifier": { + "markdownDescription": "A unique identifier that you want to use to create a `ReplicationConfigArn` that is returned as part of the output from this action. You can then pass this output `ReplicationConfigArn` as the value of the `ReplicationConfigArn` option for other actions to identify both AWS DMS Serverless replications and replication configurations that you want those actions to operate on. For some actions, you can also use either this unique identifier or a corresponding ARN in action filters to identify the specific replication and replication configuration to operate on.", + "title": "ReplicationConfigIdentifier", "type": "string" }, "ReplicationSettings": { + "markdownDescription": "Optional JSON settings for AWS DMS Serverless replications that are provisioned using this replication configuration. 
For example, see [Change processing tuning settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TaskSettings.ChangeProcessingTuning.html) .", + "title": "ReplicationSettings", "type": "object" }, "ReplicationType": { + "markdownDescription": "The type of AWS DMS Serverless replication to provision using this replication configuration.\n\nPossible values:\n\n- `\"full-load\"`\n- `\"cdc\"`\n- `\"full-load-and-cdc\"`", + "title": "ReplicationType", "type": "string" }, "ResourceIdentifier": { + "markdownDescription": "Optional unique value or name that you set for a given resource that can be used to construct an Amazon Resource Name (ARN) for that resource. For more information, see [Fine-grained access control using resource names and tags](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#CHAP_Security.FineGrainedAccess) .", + "title": "ResourceIdentifier", "type": "string" }, "SourceEndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the source endpoint for this AWS DMS Serverless replication configuration.", + "title": "SourceEndpointArn", "type": "string" }, "SupplementalSettings": { + "markdownDescription": "Optional JSON settings for specifying supplemental data. For more information, see [Specifying supplemental data for task settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) .", + "title": "SupplementalSettings", "type": "object" }, "TableMappings": { + "markdownDescription": "JSON table mappings for AWS DMS Serverless replications that are provisioned using this replication configuration. 
For more information, see [Specifying table selection and transformations rules using JSON](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TableMapping.SelectionTransformation.html) .", + "title": "TableMappings", "type": "object" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "One or more optional tags associated with resources used by the AWS DMS Serverless replication. For more information, see [Tagging resources in AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tagging.html) .", + "title": "Tags", "type": "array" }, "TargetEndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the target endpoint for this AWS DMS serverless replication configuration.", + "title": "TargetEndpointArn", "type": "string" } }, 
@@ -51568,33 +54245,51 @@ "additionalProperties": false, "properties": { "AvailabilityZone": { + "markdownDescription": "The Availability Zone where the AWS DMS Serverless replication using this configuration will run. The default value is a random, system-chosen Availability Zone in the configuration's AWS Region , for example, `\"us-west-2\"` . You can't set this parameter if the `MultiAZ` parameter is set to `true` .", + "title": "AvailabilityZone", "type": "string" }, "DnsNameServers": { + "markdownDescription": "A list of custom DNS name servers supported for the AWS DMS Serverless replication to access your source or target database. This list overrides the default name servers supported by the AWS DMS Serverless replication. You can specify a comma-separated list of internet addresses for up to four DNS name servers. For example: `\"1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4\"`", + "title": "DnsNameServers", "type": "string" }, "KmsKeyId": { + "markdownDescription": "An AWS Key Management Service ( AWS KMS ) key Amazon Resource Name (ARN) that is used to encrypt the data during AWS DMS Serverless replication.\n\nIf you don't specify a value for the `KmsKeyId` parameter, AWS DMS uses your default encryption key.\n\nAWS KMS creates the default encryption key for your Amazon Web Services account. Your AWS account has a different default encryption key for each AWS Region .", + "title": "KmsKeyId", "type": "string" }, "MaxCapacityUnits": { + "markdownDescription": "Specifies the maximum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the maximum value that you can specify for AWS DMS Serverless is 384. 
The `MaxCapacityUnits` parameter is the only DCU parameter you are required to specify.", + "title": "MaxCapacityUnits", "type": "number" }, "MinCapacityUnits": { + "markdownDescription": "Specifies the minimum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the minimum DCU value that you can specify for AWS DMS Serverless is 1. If you don't set this value, AWS DMS sets this parameter to the minimum DCU value allowed, 1. If there is no current source activity, AWS DMS scales down your replication until it reaches the value specified in `MinCapacityUnits` .", + "title": "MinCapacityUnits", "type": "number" }, "MultiAZ": { + "markdownDescription": "Specifies whether the AWS DMS Serverless replication is a Multi-AZ deployment. You can't set the `AvailabilityZone` parameter if the `MultiAZ` parameter is set to `true` .", + "title": "MultiAZ", "type": "boolean" }, "PreferredMaintenanceWindow": { + "markdownDescription": "The weekly time range during which system maintenance can occur for the AWS DMS Serverless replication, in Universal Coordinated Time (UTC). The format is `ddd:hh24:mi-ddd:hh24:mi` .\n\nThe default is a 30-minute window selected at random from an 8-hour block of time per AWS Region . This maintenance occurs on a random day of the week. 
Valid values for days of the week include `Mon` , `Tue` , `Wed` , `Thu` , `Fri` , `Sat` , and `Sun` .\n\nConstraints include a minimum 30-minute window.", + "title": "PreferredMaintenanceWindow", "type": "string" }, "ReplicationSubnetGroupId": { + "markdownDescription": "Specifies a subnet group identifier to associate with the AWS DMS Serverless replication.", + "title": "ReplicationSubnetGroupId", "type": "string" }, "VpcSecurityGroupIds": { "items": { "type": "string" }, + "markdownDescription": "Specifies the virtual private cloud (VPC) security group to use with the AWS DMS Serverless replication. The VPC security group must work with the VPC containing the replication.", + "title": "VpcSecurityGroupIds", "type": "array" } }, @@ -51934,7 +54629,7 @@ "type": "string" }, "TaskData": { - "markdownDescription": "", + "markdownDescription": "Supplemental information that the task requires to migrate the data for certain source and target endpoints. For more information, see [Specifying Supplemental Data for Task Settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) in the *AWS Database Migration Service User Guide.*", "title": "TaskData", "type": "string" } @@ -52514,7 +55209,7 @@ }, "OutputLocation": { "$ref": "#/definitions/AWS::DataBrew::Job.OutputLocation", - "markdownDescription": "", + "markdownDescription": "The location in Amazon S3 where the job writes its output.", "title": "OutputLocation" }, "Outputs": { @@ -53307,12 +56002,12 @@ "properties": { "DataCatalogInputDefinition": { "$ref": "#/definitions/AWS::DataBrew::Recipe.DataCatalogInputDefinition", - "markdownDescription": "", + "markdownDescription": "The AWS Glue Data Catalog parameters for the data.", "title": "DataCatalogInputDefinition" }, "S3InputDefinition": { "$ref": "#/definitions/AWS::DataBrew::Recipe.S3Location", - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location where the data is stored.", "title": "S3InputDefinition" } }, 
@@ -54566,30 +57261,46 @@ "items": { "type": "string" }, + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "title": "AgentArns", "type": "array" }, "AzureAccessTier": { + "markdownDescription": "Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see [Access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) .", + "title": "AzureAccessTier", "type": "string" }, "AzureBlobAuthenticationType": { + "markdownDescription": "Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS).", + "title": "AzureBlobAuthenticationType", "type": "string" }, "AzureBlobContainerUrl": { + "markdownDescription": "Specifies the URL of the Azure Blob Storage container involved in your transfer.", + "title": "AzureBlobContainerUrl", "type": "string" }, "AzureBlobSasConfiguration": { - "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration" + "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration", + "markdownDescription": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.", + "title": "AzureBlobSasConfiguration" }, "AzureBlobType": { + "markdownDescription": "Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. 
For more information on blob types, see the [Azure Blob Storage documentation](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) .", + "title": "AzureBlobType", "type": "string" }, "Subdirectory": { + "markdownDescription": "Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, `/my/images` ).", + "title": "Subdirectory", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location.", + "title": "Tags", "type": "array" } }, @@ -54624,6 +57335,8 @@ "additionalProperties": false, "properties": { "AzureBlobSasToken": { + "markdownDescription": "Specifies a SAS token that provides permissions to access your Azure Blob Storage.\n\nThe token is part of the SAS URI string that comes after the storage resource URI and a question mark. A token looks something like this:\n\n`sp=r&st=2023-12-20T14:54:52Z&se=2023-12-20T22:54:52Z&spr=https&sv=2021-06-08&sr=c&sig=aBBKDWQvyuVcTPH9EBp%2FXTI9E%2F%2Fmq171%2BZU178wcwqU%3D`", + "title": "AzureBlobSasToken", "type": "string" } }, @@ -54982,7 +57695,7 @@ "additionalProperties": false, "properties": { "Domain": { - "markdownDescription": "Specifies the fully qualified domain name (FQDN) of the Microsoft Active Directory that your storage virtual machine (SVM) belongs to.", + "markdownDescription": "Specifies the fully qualified domain name (FQDN) of the Microsoft Active Directory that your storage virtual machine (SVM) belongs to.\n\nIf you have multiple domains in your environment, configuring this setting makes sure that DataSync connects to the right SVM.", "title": "Domain", "type": "string" }, 
@@ -55186,7 +57899,7 @@ "additionalProperties": false, "properties": { "Domain": { - "markdownDescription": "Specifies the name of the Windows domain that the FSx for Windows File Server belongs to.", + "markdownDescription": "Specifies the name of the Microsoft Active Directory domain that the FSx for Windows File Server file system belongs to.\n\nIf you have multiple Active Directory domains in your environment, configuring this parameter makes sure that DataSync connects to the right file system.", "title": "Domain", "type": "string" }, @@ -55196,7 +57909,7 @@ "type": "string" }, "Password": { - "markdownDescription": "Specifies the password of the user who has the permissions to access files and folders in the file system.", + "markdownDescription": "Specifies the password of the user with the permissions to mount and access the files, folders, and file metadata in your FSx for Windows File Server file system.", "title": "Password", "type": "string" }, 
@@ -55465,21 +58178,21 @@ "properties": { "MountOptions": { "$ref": "#/definitions/AWS::DataSync::LocationNFS.MountOptions", - "markdownDescription": "Specifies the mount options that DataSync can use to mount your NFS share.", + "markdownDescription": "Specifies the options that DataSync can use to mount your NFS file server.", "title": "MountOptions" }, "OnPremConfig": { "$ref": "#/definitions/AWS::DataSync::LocationNFS.OnPremConfig", - "markdownDescription": "Specifies the Amazon Resource Names (ARNs) of agents that DataSync uses to connect to your NFS file server.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that want to connect to your NFS file server.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for transfers](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", "title": "OnPremConfig" }, "ServerHostname": { - "markdownDescription": "Specifies the IP address or domain name of your NFS file server. An agent that is installed on-premises uses this hostname to mount the NFS server in a network.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.\n\n> You must specify be an IP version 4 address or Domain Name System (DNS)-compliant name.", + "markdownDescription": "Specifies the Domain Name System (DNS) name or IP version 4 address of the NFS file server that your DataSync agent connects to.", "title": "ServerHostname", "type": "string" }, "Subdirectory": { - "markdownDescription": "Specifies the subdirectory in the NFS file server that DataSync transfers to or from. 
The NFS path should be a path that's exported by the NFS server, or a subdirectory of that path. The path should be such that it can be mounted by other NFS clients in your network.\n\nTo see all the paths exported by your NFS server, run \" `showmount -e nfs-server-name` \" from an NFS client that has access to your server. You can specify any directory that appears in the results, and any subdirectory of that directory. Ensure that the NFS export is accessible without Kerberos authentication.\n\nTo transfer all the data in the folder you specified, DataSync needs to have permissions to read all the data. To ensure this, either configure the NFS export with `no_root_squash,` or ensure that the permissions for all of the files that you want DataSync allow read access for all users. Doing either enables the agent to read the files. For the agent to access directories, you must additionally enable all execute access.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "markdownDescription": "Specifies the export path in your NFS file server that you want DataSync to mount.\n\nThis path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see [Accessing NFS file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs) .", "title": "Subdirectory", "type": "string" }, @@ -55536,7 +58249,7 @@ "items": { "type": "string" }, - "markdownDescription": "ARNs of the agents to use for an NFS location.", + "markdownDescription": "The Amazon Resource Names (ARNs) of the agents connecting to a transfer location.", "title": "AgentArns", "type": "array" } 
@@ -55812,7 +58525,7 @@ "type": "array" }, "Domain": { - "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) for SMB locations.", + "markdownDescription": "Specifies the name of the Active Directory domain that your SMB file server belongs to.\n\nIf you have multiple Active Directory domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.", "title": "Domain", "type": "string" }, @@ -56122,7 +58835,9 @@ "type": "array" }, "TaskReportConfig": { - "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig" + "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig", + "markdownDescription": "Specifies how you want to configure a task report, which provides detailed information about for your DataSync transfer.", + "title": "TaskReportConfig" } }, "required": [ @@ -56156,6 +58871,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to delete.", + "title": "ReportLevel", "type": "string" } }, @@ -56165,7 +58882,9 @@ "additionalProperties": false, "properties": { "S3": { - "$ref": "#/definitions/AWS::DataSync::Task.S3" + "$ref": "#/definitions/AWS::DataSync::Task.S3", + "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report.", + "title": "S3" } }, "type": "object" 
@@ -56205,7 +58924,7 @@ "type": "string" }, "LogLevel": { - "markdownDescription": "Specifies the type of logs that DataSync publishes to a Amazon CloudWatch Logs log group. To specify the log group, see [CloudWatchLogGroupArn](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateTask.html#DataSync-CreateTask-request-CloudWatchLogGroupArn) .\n\nIf you set `LogLevel` to `OFF` , no logs are published. `BASIC` publishes logs on errors for individual files transferred. `TRANSFER` publishes logs for every file or object that is transferred and integrity checked.", + "markdownDescription": "Specifies the type of logs that DataSync publishes to a Amazon CloudWatch Logs log group. To specify the log group, see [CloudWatchLogGroupArn](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateTask.html#DataSync-CreateTask-request-CloudWatchLogGroupArn) .\n\n- `BASIC` - Publishes logs with only basic information (such as transfer errors).\n- `TRANSFER` - Publishes logs for all files or objects that your DataSync task transfers and performs data-integrity checks on.\n- `OFF` - No logs are published.", "title": "LogLevel", "type": "string" }, 
@@ -56215,12 +58934,12 @@ "type": "string" }, "ObjectTags": { - "markdownDescription": "Specifies whether object tags are preserved when transferring between object storage systems. If you want your DataSync task to ignore object tags, specify the `NONE` value.\n\nDefault Value: `PRESERVE`", + "markdownDescription": "Specifies whether you want DataSync to `PRESERVE` object tags (default behavior) when transferring between object storage systems. If you want your DataSync task to ignore object tags, specify the `NONE` value.", "title": "ObjectTags", "type": "string" }, "OverwriteMode": { - "markdownDescription": "Specifies whether data at the destination location should be overwritten or preserved. If set to `NEVER` , a destination file for example will not be replaced by a source file (even if the destination file differs from the source file). If you modify files in the destination and you sync the files, you can use this value to protect against overwriting those changes.\n\nSome storage classes have specific behaviors that can affect your Amazon S3 storage cost. For detailed information, see [Considerations when working with Amazon S3 storage classes in DataSync](https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#using-storage-classes) .", + "markdownDescription": "Specifies whether DataSync should modify or preserve data at the destination location.\n\n- `ALWAYS` (default) - DataSync modifies data in the destination location when source data (including metadata) has changed.\n\nIf DataSync overwrites objects, you might incur additional charges for certain Amazon S3 storage classes (for example, for retrieval or early deletion). For more information, see [Storage class considerations with Amazon S3 transfers](https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#using-storage-classes) .\n- `NEVER` - DataSync doesn't overwrite data in the destination location even if the source data has changed. 
You can use this option to protect against overwriting changes made to files or objects in the destination.", "title": "OverwriteMode", "type": "string" }, @@ -56271,16 +58990,24 @@ "additionalProperties": false, "properties": { "Deleted": { - "$ref": "#/definitions/AWS::DataSync::Task.Deleted" + "$ref": "#/definitions/AWS::DataSync::Task.Deleted", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you [configure your task](https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html) to delete data in the destination that isn't in the source.", + "title": "Deleted" }, "Skipped": { - "$ref": "#/definitions/AWS::DataSync::Task.Skipped" + "$ref": "#/definitions/AWS::DataSync::Task.Skipped", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.", + "title": "Skipped" }, "Transferred": { - "$ref": "#/definitions/AWS::DataSync::Task.Transferred" + "$ref": "#/definitions/AWS::DataSync::Task.Transferred", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.", + "title": "Transferred" }, "Verified": { - "$ref": "#/definitions/AWS::DataSync::Task.Verified" + "$ref": "#/definitions/AWS::DataSync::Task.Verified", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.", + "title": "Verified" } }, "type": "object" 
@@ -56289,12 +59016,18 @@ "additionalProperties": false, "properties": { "BucketAccessRoleArn": { + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. For more information, see [Allowing DataSync to upload a task report to an Amazon S3 bucket](https://docs.aws.amazon.com/datasync/latest/userguide/creating-task-reports.html) .", + "title": "BucketAccessRoleArn", "type": "string" }, "S3BucketArn": { + "markdownDescription": "Specifies the ARN of the S3 bucket where DataSync uploads your report.", + "title": "S3BucketArn", "type": "string" }, "Subdirectory": { + "markdownDescription": "Specifies a bucket prefix for your report.", + "title": "Subdirectory", "type": "string" } }, @@ -56304,6 +59037,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to skip.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to skip.", + "title": "ReportLevel", "type": "string" } }, 
@@ -56313,18 +59048,28 @@ "additionalProperties": false, "properties": { "Destination": { - "$ref": "#/definitions/AWS::DataSync::Task.Destination" + "$ref": "#/definitions/AWS::DataSync::Task.Destination", + "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report. For more information, see [Task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html#task-report-access) .", + "title": "Destination" }, "ObjectVersionIds": { + "markdownDescription": "Specifies whether your task report includes the new version of each object transferred into an S3 bucket. This only applies if you [enable versioning on your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html) . Keep in mind that setting this to `INCLUDE` can increase the duration of your task execution.", + "title": "ObjectVersionIds", "type": "string" }, "OutputType": { + "markdownDescription": "Specifies the type of task report that you want:\n\n- `SUMMARY_ONLY` : Provides necessary details about your task, including the number of files, objects, and directories transferred and transfer duration.\n- `STANDARD` : Provides complete details about your task, including a full list of files, objects, and directories that were transferred, skipped, verified, and more.", + "title": "OutputType", "type": "string" }, "Overrides": { - "$ref": "#/definitions/AWS::DataSync::Task.Overrides" + "$ref": "#/definitions/AWS::DataSync::Task.Overrides", + "markdownDescription": "Customizes the reporting level for aspects of your task report. 
For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that DataSync attempted to delete in your destination location.", + "title": "Overrides" }, "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer, skip, verify, and delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer, skip, verify, and delete.", + "title": "ReportLevel", "type": "string" } }, @@ -56352,6 +59097,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer.", + "title": "ReportLevel", "type": "string" } }, @@ -56361,6 +59108,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify.", + "title": "ReportLevel", "type": "string" } }, 
@@ -56852,7 +59601,7 @@ "properties": { "CloudFormation": { "$ref": "#/definitions/AWS::DevOpsGuru::ResourceCollection.CloudFormationCollectionFilter", - "markdownDescription": "Information about AWS CloudFormation stacks. You can use up to 500 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", + "markdownDescription": "Information about AWS CloudFormation stacks. You can use up to 1000 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", "title": "CloudFormation" }, "Tags": { 
@@ -57251,12 +60000,12 @@ "type": "string" }, "RestoreToTime": { - "markdownDescription": "", + "markdownDescription": "The date and time to restore the cluster to.\n\nValid values: A time in Universal Coordinated Time (UTC) format.\n\nConstraints:\n\n- Must be before the latest restorable time for the instance.\n- Must be specified if the `UseLatestRestorableTime` parameter is not provided.\n- Cannot be specified if the `UseLatestRestorableTime` parameter is `true` .\n- Cannot be specified if the `RestoreType` parameter is `copy-on-write` .\n\nExample: `2015-03-07T23:45:00Z`", "title": "RestoreToTime", "type": "string" }, "RestoreType": { - "markdownDescription": "", + "markdownDescription": "The type of restore to be performed. You can specify one of the following values:\n\n- `full-copy` - The new DB cluster is restored as a full copy of the source DB cluster.\n- `copy-on-write` - The new DB cluster is restored as a clone of the source DB cluster.\n\nConstraints: You can't specify `copy-on-write` if the engine version of the source DB cluster is earlier than 1.11.\n\nIf you don't specify a `RestoreType` value, then the new DB cluster is restored as a full copy of the source DB cluster.", "title": "RestoreType", "type": "string" }, @@ -57266,7 +60015,7 @@ "type": "string" }, "SourceDBClusterIdentifier": { - "markdownDescription": "", + "markdownDescription": "The identifier of the source cluster from which to restore.\n\nConstraints:\n\n- Must match the identifier of an existing `DBCluster` .", "title": "SourceDBClusterIdentifier", "type": "string" }, @@ -57284,7 +60033,7 @@ "type": "array" }, "UseLatestRestorableTime": { - "markdownDescription": "", + "markdownDescription": "A value that is set to `true` to restore the cluster to the latest restorable backup time, and `false` otherwise.\n\nDefault: `false`\n\nConstraints: Cannot be specified if the `RestoreToTime` parameter is provided.", "title": "UseLatestRestorableTime", "type": "boolean" }, 
@@ -57456,6 +60205,16 @@ "title": "AvailabilityZone", "type": "string" }, + "CACertificateIdentifier": { + "markdownDescription": "The CA certificate identifier to use for the DB instance's server certificate.\n\nFor more information, see [Updating Your Amazon DocumentDB TLS Certificates](https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html) and [Encrypting Data in Transit](https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html) in the *Amazon DocumentDB Developer Guide* .", + "title": "CACertificateIdentifier", + "type": "string" + }, + "CertificateRotationRestart": { + "markdownDescription": "Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate.\n\nBy default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted.\n\n> Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. \n\nIf you are using SSL/TLS to connect to the DB instance, see [Updating Your Amazon DocumentDB TLS Certificates](https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html) and [Encrypting Data in Transit](https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html) in the *Amazon DocumentDB Developer Guide* .", + "title": "CertificateRotationRestart", + "type": "boolean" + }, "DBClusterIdentifier": { "markdownDescription": "The identifier of the cluster that the instance will belong to.", "title": "DBClusterIdentifier", 
@@ -57472,7 +60231,7 @@ "type": "string" }, "EnablePerformanceInsights": { - "markdownDescription": "", + "markdownDescription": "A value that indicates whether to enable Performance Insights for the DB Instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/documentdb/latest/developerguide/performance-insights.html) .", "title": "EnablePerformanceInsights", "type": "boolean" }, @@ -57606,6 +60365,92 @@ ], "type": "object" }, + "AWS::DocDB::EventSubscription": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Enabled": { + "type": "boolean" + }, + "EventCategories": { + "items": { + "type": "string" + }, + "type": "array" + }, + "SnsTopicArn": { + "type": "string" + }, + "SourceIds": { + "items": { + "type": "string" + }, + "type": "array" + }, + "SourceType": { + "type": "string" + }, + "SubscriptionName": { + "type": "string" + } + }, + "required": [ + "SnsTopicArn" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::DocDB::EventSubscription" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::DocDBElastic::Cluster": { "additionalProperties": false, "properties": { 
@@ -59985,7 +62830,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::EC2Fleet.TagSpecification" }, - "markdownDescription": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tagging your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", + "markdownDescription": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", "title": "TagSpecifications", "type": "array" }, 
@@ -60218,7 +63063,7 @@ "items": { "type": "string" }, - "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", + "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", "title": "AcceleratorManufacturers", "type": "array" }, 
@@ -60226,7 +63071,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n\nDefault: Any accelerator", + "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify `a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "title": "AcceleratorNames", "type": "array" }, 
@@ -60440,7 +63285,7 @@ "title": "CapacityReservationOptions" }, "MaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay.", + "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "MaxTotalPrice", "type": "string" }, 
@@ -60532,7 +63377,7 @@ "title": "MaintenanceStrategies" }, "MaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter.", + "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter. > If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "MaxTotalPrice", "type": "string" }, @@ -60558,7 +63403,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag. `ResourceType` must be `fleet` .", + "markdownDescription": "The type of resource to tag.", "title": "ResourceType", "type": "string" }, 
@@ -60577,7 +63422,7 @@ "additionalProperties": false, "properties": { "DefaultTargetCapacityType": { - "markdownDescription": "The default `TotalTargetCapacity` , which is either `Spot` or `On-Demand` .", + "markdownDescription": "The default target capacity type.", "title": "DefaultTargetCapacityType", "type": "string" }, @@ -60592,12 +63437,12 @@ "type": "number" }, "TargetCapacityUnitType": { - "markdownDescription": "The unit for the target capacity. `TargetCapacityUnitType` can only be specified when `InstanceRequirements` is specified.\n\nDefault: `units` (translates to number of instances)", + "markdownDescription": "The unit for the target capacity. You can specify this parameter only when using attributed-based instance type selection.\n\nDefault: `units` (the number of instances)", "title": "TargetCapacityUnitType", "type": "string" }, "TotalTargetCapacity": { - "markdownDescription": "The number of units to request, filled using `DefaultTargetCapacityType` .", + "markdownDescription": "The number of units to request, filled using the default target capacity type.", "title": "TotalTargetCapacity", "type": "number" } 
@@ -60685,7 +63530,7 @@ "type": "string" }, "NetworkBorderGroup": { - "markdownDescription": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.\n\nYou cannot use a network border group with EC2 Classic. If you attempt this operation on EC2 Classic, you receive an `InvalidParameterCombination` error.", + "markdownDescription": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.", "title": "NetworkBorderGroup", "type": "string" }, @@ -60984,6 +63829,8 @@ "additionalProperties": false, "properties": { "DeliverCrossAccountRole": { + "markdownDescription": "The ARN of the IAM role that allows the service to publish flow logs across accounts.", + "title": "DeliverCrossAccountRole", "type": "string" }, "DeliverLogsPermissionArn": { @@ -61207,6 +64054,8 @@ "additionalProperties": false, "properties": { "AssetId": { + "markdownDescription": "The ID of the Outpost hardware asset on which the Dedicated Host is allocated.", + "title": "AssetId", "type": "string" }, "AutoPlacement": { 
@@ -61326,6 +64175,11 @@ "markdownDescription": "The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value.", "title": "Tags", "type": "array" + }, + "Tier": { + "markdownDescription": "IPAM is offered in a Free Tier and an Advanced Tier. For more information about the features available in each tier and the costs associated with the tiers, see the [VPC IPAM product pricing page](https://docs.aws.amazon.com//vpc/pricing/) .", + "title": "Tier", + "type": "string" } }, "type": "object" 
@@ -62174,7 +65028,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::Instance.SsmAssociation" }, - "markdownDescription": "The SSM [document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html) and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html) in the *AWS Systems Manager User Guide* .\n\n> You can currently associate only one document with an instance.", + "markdownDescription": "The SSM [document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html) and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html) in the *AWS Systems Manager User Guide* .\n\n> You can associate only one document with an instance.", "title": "SsmAssociations", "type": "array" }, 
@@ -62197,7 +65051,7 @@ "type": "string" }, "UserData": { - "markdownDescription": "The user data script to make available to the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see [Fn::Base64](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html) .\n\nUser data runs only at instance launch. For more information, see [Run commands on your Linux instance at launch](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) and [Run commands on your Windows instance at launch](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-windows-user-data.html) .", + "markdownDescription": "The parameters or scripts to store as user data. Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see [Fn::Base64](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html) .\n\nIf the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.", "title": "UserData", "type": "string" }, 
@@ -62269,9 +65123,9 @@ "title": "Ebs" }, "NoDevice": { - "$ref": "#/definitions/AWS::EC2::Instance.NoDevice", "markdownDescription": "To omit the device from the block device mapping, specify an empty string.\n\n> After the instance is running, modifying this parameter results in instance [replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) .", - "title": "NoDevice" + "title": "NoDevice", + "type": "object" }, "VirtualName": { "markdownDescription": "The virtual device name ( `ephemeral` N). The name must be in the form `ephemeral` *X* where *X* is a number starting from zero (0). For example, an instance type with 2 available instance store volumes can specify mappings for `ephemeral0` and `ephemeral1` . The number of available instance store volumes depends on the instance type. After you connect to the instance, you must mount the volume.\n\nNVMe instance store volumes are automatically enumerated and assigned a device name. Including them in your block device mapping has no effect.\n\n*Constraints* : For M3 instances, you must specify instance store volumes in the block device mapping for the instance. When you launch an M3 instance, we ignore any instance store volumes specified in the block device mapping for the AMI.\n\n> After the instance is running, modifying this parameter results in instance [replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) .", 
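Review bot: `NoDevice` is now declared with a bare `"type": "object"`, which accepts an object with arbitrary keys. The `AWS::EC2::Instance.NoDevice` definition it used to reference (removed in a later hunk of this diff) was a closed empty object with `"additionalProperties": false`. To keep the same strictness inline, add `"additionalProperties": false,` next to the new `"type": "object"`. The description also still tells users to specify an empty string, which an object-typed property would reject, so the type and the text disagree. If this file is generated from an upstream specification, the correction probably belongs in the generator or its source rather than here.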
@@ -62400,7 +65254,7 @@ "additionalProperties": false, "properties": { "Configured": { - "markdownDescription": "Set to `true` to enable your instance for hibernation.\n\nDefault: `false`", + "markdownDescription": "Set to `true` to enable your instance for hibernation.\n\nFor Spot Instances, if you set `Configured` to `true` , either omit the `InstanceInterruptionBehavior` parameter (for [`SpotMarketOptions`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html) ), or set it to `hibernate` . When `Configured` is true:\n\n- If you omit `InstanceInterruptionBehavior` , it defaults to `hibernate` .\n- If you set `InstanceInterruptionBehavior` to a value other than `hibernate` , you'll get an error.\n\nDefault: `false`", "title": "Configured", "type": "boolean" } @@ -62468,7 +65322,7 @@ "type": "boolean" }, "AssociatePublicIpAddress": { - "markdownDescription": "Indicates whether to assign a public IPv4 address to an instance. Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is `true` .", + "markdownDescription": "Indicates whether to assign a public IPv4 address to an instance. Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is `true` .\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "title": "AssociatePublicIpAddress", "type": "boolean" }, 
@@ -62542,11 +65396,6 @@ ], "type": "object" }, - "AWS::EC2::Instance.NoDevice": { - "additionalProperties": false, - "properties": {}, - "type": "object" - }, "AWS::EC2::Instance.PrivateDnsNameOptions": { "additionalProperties": false, "properties": { @@ -62666,24 +65515,34 @@ "additionalProperties": false, "properties": { "ClientToken": { + "markdownDescription": "Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.", + "title": "ClientToken", "type": "string" }, "PreserveClientIp": { + "markdownDescription": "Indicates whether your client's IP address is preserved as the source. The value is `true` or `false` .\n\n- If `true` , your client's IP address is used when you connect to a resource.\n- If `false` , the elastic network interface IP address is used when you connect to a resource.\n\nDefault: `true`", + "title": "PreserveClientIp", "type": "boolean" }, "SecurityGroupIds": { "items": { "type": "string" }, + "markdownDescription": "One or more security groups to associate with the endpoint. If you don't specify a security group, the default security group for your VPC will be associated with the endpoint.", + "title": "SecurityGroupIds", "type": "array" }, "SubnetId": { + "markdownDescription": "The ID of the subnet in which to create the EC2 Instance Connect Endpoint.", + "title": "SubnetId", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to apply to the EC2 Instance Connect Endpoint during creation.", + "title": "Tags", "type": "array" } }, 
@@ -62918,7 +65777,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.LaunchTemplateTagSpecification" }, - "markdownDescription": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\n> To specify the tags for the resources that are created when an instance is launched, you must use the `TagSpecifications` parameter in the [launch template data](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestLaunchTemplateData.html) structure.", + "markdownDescription": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\nTo specify the tags for the resources that are created when an instance is launched, you must use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "title": "TagSpecifications", "type": "array" }, 
@@ -63060,6 +65919,27 @@ }, "type": "object" }, + "AWS::EC2::LaunchTemplate.ConnectionTrackingSpecification": { + "additionalProperties": false, + "properties": { + "TcpEstablishedTimeout": { + "markdownDescription": "Timeout (in seconds) for idle TCP connections in an established state. Min: 60 seconds. Max: 432000 seconds (5 days). Default: 432000 seconds. Recommended: Less than 432000 seconds.", + "title": "TcpEstablishedTimeout", + "type": "number" + }, + "UdpStreamTimeout": { + "markdownDescription": "Timeout (in seconds) for idle UDP flows classified as streams which have seen more than one request-response transaction. Min: 60 seconds. Max: 180 seconds (3 minutes). Default: 180 seconds.", + "title": "UdpStreamTimeout", + "type": "number" + }, + "UdpTimeout": { + "markdownDescription": "Timeout (in seconds) for idle UDP flows that have seen traffic only in a single direction or a single request-response transaction. Min: 30 seconds. Max: 60 seconds. Default: 30 seconds.", + "title": "UdpTimeout", + "type": "number" + } + }, + "type": "object" + }, "AWS::EC2::LaunchTemplate.CpuOptions": { "additionalProperties": false, "properties": { 
@@ -63106,7 +65986,7 @@ "type": "boolean" }, "Iops": { - "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000-16,000 IOPS\n- `io1` : 100-64,000 IOPS\n- `io2` : 100-64,000 IOPS\n\nFor `io1` and `io2` volumes, we guarantee 64,000 IOPS only for [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . Other instance families guarantee performance up to 32,000 IOPS.\n\nThis parameter is supported for `io1` , `io2` , and `gp3` volumes only. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", + "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is supported for `io1` , `io2` , and `gp3` volumes only.", "title": "Iops", "type": "number" }, 
@@ -63126,7 +66006,7 @@ "type": "number" }, "VolumeSize": { - "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", + "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", "title": "VolumeSize", "type": "number" }, @@ -63149,6 +66029,33 @@ }, "type": "object" }, + "AWS::EC2::LaunchTemplate.EnaSrdSpecification": { + "additionalProperties": false, + "properties": { + "EnaSrdEnabled": { + "markdownDescription": "Indicates whether ENA Express is enabled for the network interface.", + "title": "EnaSrdEnabled", + "type": "boolean" + }, + "EnaSrdUdpSpecification": { + "$ref": "#/definitions/AWS::EC2::LaunchTemplate.EnaSrdUdpSpecification", + "markdownDescription": "Configures ENA Express for UDP network traffic.", + "title": "EnaSrdUdpSpecification" + } + }, + "type": "object" + }, + "AWS::EC2::LaunchTemplate.EnaSrdUdpSpecification": { + "additionalProperties": false, + "properties": { + "EnaSrdUdpEnabled": { + "markdownDescription": "Indicates whether UDP traffic to and from the instance uses ENA Express. To specify this setting, you must first enable ENA Express.", + "title": "EnaSrdUdpEnabled", + "type": "boolean" + } + }, + "type": "object" + }, "AWS::EC2::LaunchTemplate.EnclaveOptions": { "additionalProperties": false, "properties": { 
@@ -63215,7 +66122,7 @@ "items": { "type": "string" }, - "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", + "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", "title": "AcceleratorManufacturers", "type": "array" }, 
@@ -63223,7 +66130,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n\nDefault: Any accelerator", + "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify `a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "title": "AcceleratorNames", "type": "array" }, 
@@ -63434,7 +66341,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.LaunchTemplateElasticInferenceAccelerator" }, - "markdownDescription": "The elastic inference accelerator for the instance.", + "markdownDescription": "An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.\n\nYou cannot specify accelerators from different generations in the same request.\n\n> Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.", "title": "ElasticInferenceAccelerators", "type": "array" }, @@ -63546,7 +66453,7 @@ "items": { "type": "string" }, - "markdownDescription": "One or more security group names. For a nondefault VPC, you must use security group IDs instead. You cannot specify both a security group ID and security name in the same request.", + "markdownDescription": "One or more security group names. For a nondefault VPC, you must use security group IDs instead.", "title": "SecurityGroups", "type": "array" }, 
@@ -63554,7 +66461,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.TagSpecification" }, - "markdownDescription": "The tags to apply to the resources that are created during instance launch.\n\nYou can specify tags for the following resources only:\n\n- Instances\n- Volumes\n- Elastic graphics\n- Spot Instance requests\n- Network interfaces\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\n> To tag the launch template itself, you must use the [TagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html) parameter.", + "markdownDescription": "The tags to apply to the resources that are created during instance launch.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\nTo tag the launch template itself, use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "title": "TagSpecifications", "type": "array" }, 
@@ -63674,7 +66581,7 @@ "type": "number" }, "HttpTokens": { - "markdownDescription": "IMDSv2 uses token-backed sessions. Set the use of HTTP tokens to `optional` (in other words, set the use of IMDSv2 to `optional` ) or `required` (in other words, set the use of IMDSv2 to `required` ).\n\n- `optional` - When IMDSv2 is optional, you can choose to retrieve instance metadata with or without a session token in your request. If you retrieve the IAM role credentials without a token, the IMDSv1 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the IMDSv2 role credentials are returned.\n- `required` - When IMDSv2 is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.\n\nDefault: `optional`", + "markdownDescription": "Indicates whether IMDSv2 is required.\n\n- `optional` - IMDSv2 is optional. You can choose whether to send a session token in your instance metadata retrieval requests. If you retrieve IAM role credentials without a session token, you receive the IMDSv1 role credentials. If you retrieve IAM role credentials using a valid session token, you receive the IMDSv2 role credentials.\n- `required` - IMDSv2 is required. You must send a session token in your instance metadata retrieval requests. With this option, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.\n\nDefault: If the value of `ImdsSupport` for the Amazon Machine Image (AMI) for your instance is `v2.0` , the default is `required` .", "title": "HttpTokens", "type": "string" }, 
@@ -63717,15 +66624,20 @@ "additionalProperties": false, "properties": { "AssociateCarrierIpAddress": { - "markdownDescription": "Indicates whether to associate a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", + "markdownDescription": "Associates a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", "title": "AssociateCarrierIpAddress", "type": "boolean" }, "AssociatePublicIpAddress": { - "markdownDescription": "Associates a public IPv4 address with eth0 for a new network interface.", + "markdownDescription": "Associates a public IPv4 address with eth0 for a new network interface.\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. 
For more information, see the *Public IPv4 Address* tab on the [Amazon VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "title": "AssociatePublicIpAddress", "type": "boolean" }, + "ConnectionTrackingSpecification": { + "$ref": "#/definitions/AWS::EC2::LaunchTemplate.ConnectionTrackingSpecification", + "markdownDescription": "A connection tracking specification for the network interface.", + "title": "ConnectionTrackingSpecification" + }, "DeleteOnTermination": { "markdownDescription": "Indicates whether the network interface is deleted when the instance is terminated.", "title": "DeleteOnTermination", @@ -63741,6 +66653,11 @@ "title": "DeviceIndex", "type": "number" }, + "EnaSrdSpecification": { + "$ref": "#/definitions/AWS::EC2::LaunchTemplate.EnaSrdSpecification", + "markdownDescription": "The ENA Express configuration for the network interface.", + "title": "EnaSrdSpecification" + }, "Groups": { "items": { "type": "string" @@ -63804,6 +66721,8 @@ "type": "string" }, "PrimaryIpv6": { + "markdownDescription": "The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) .", + "title": "PrimaryIpv6", "type": "boolean" }, "PrivateIpAddress": { 
@@ -63971,7 +66890,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag.\n\nThe `Valid Values` are all the resource types that can be tagged. However, when creating a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request`\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", + "markdownDescription": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include an Elastic GPU.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "title": "ResourceType", "type": "string" }, 
@@ -64407,7 +67326,7 @@ "type": "array" }, "SecondaryPrivateIpAddressCount": { - "markdownDescription": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "markdownDescription": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "title": "SecondaryPrivateIpAddressCount", "type": "number" }, @@ -64415,7 +67334,7 @@ "items": { "type": "string" }, - "markdownDescription": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "markdownDescription": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "title": "SecondaryPrivateIpAddresses", "type": "array" }, 
@@ -65981,16 +68900,20 @@ "type": "string" }, "Ipv4PrefixCount": { + "markdownDescription": "The number of IPv4 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "title": "Ipv4PrefixCount", "type": "number" }, "Ipv4Prefixes": { "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.Ipv4PrefixSpecification" }, + "markdownDescription": "The IPv4 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "title": "Ipv4Prefixes", "type": "array" }, "Ipv6AddressCount": { - "markdownDescription": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.", + "markdownDescription": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.\n\nWhen creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", "title": "Ipv6AddressCount", "type": "number" }, 
@@ -65998,17 +68921,21 @@ "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.InstanceIpv6Address" }, - "markdownDescription": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.", + "markdownDescription": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.\n\nWhen creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", "title": "Ipv6Addresses", "type": "array" }, "Ipv6PrefixCount": { + "markdownDescription": "The number of IPv6 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "title": "Ipv6PrefixCount", "type": "number" }, "Ipv6Prefixes": { "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.Ipv6PrefixSpecification" }, + "markdownDescription": "The IPv6 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "title": "Ipv6Prefixes", "type": "array" }, "PrivateIpAddress": { 
@@ -66020,12 +68947,12 @@ "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.PrivateIpAddressSpecification" }, - "markdownDescription": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.", + "markdownDescription": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.\n\nWhen creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "title": "PrivateIpAddresses", "type": "array" }, "SecondaryPrivateIpAddressCount": { - "markdownDescription": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nYou can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", + "markdownDescription": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. 
You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nWhen creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "title": "SecondaryPrivateIpAddressCount", "type": "number" }, @@ -66092,6 +69019,8 @@ "additionalProperties": false, "properties": { "Ipv4Prefix": { + "markdownDescription": "The IPv4 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* .", + "title": "Ipv4Prefix", "type": "string" } }, @@ -66104,6 +69033,8 @@ "additionalProperties": false, "properties": { "Ipv6Prefix": { + "markdownDescription": "The IPv6 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* .", + "title": "Ipv6Prefix", "type": "string" } }, @@ -66615,6 +69546,11 @@ "title": "CarrierGatewayId", "type": "string" }, + "CoreNetworkArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the core network.", + "title": "CoreNetworkArn", + "type": "string" + }, "DestinationCidrBlock": { "markdownDescription": "The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify `100.68.0.18/18` , we modify it to `100.68.0.0/18` .", "title": "DestinationCidrBlock", @@ -66626,6 +69562,8 @@ "type": "string" }, "DestinationPrefixListId": { + "markdownDescription": "The ID of a prefix list used for the destination match.", + "title": "DestinationPrefixListId", "type": "string" }, "EgressOnlyInternetGatewayId": { 
@@ -67219,6 +70157,73 @@ ], "type": "object" }, + "AWS::EC2::SnapshotBlockPublicAccess": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "State": { + "markdownDescription": "The mode in which to enable block public access for snapshots for the Region. Specify one of the following values:\n\n- `block-all-sharing` - Prevents all public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. Additionally, snapshots that are already publicly shared are treated as private and they are no longer publicly available.\n\n> If you enable block public access for snapshots in `block-all-sharing` mode, it does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from be publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.\n- `block-new-sharing` - Prevents only new public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. 
However, snapshots that are already publicly shared, remain publicly available.", + "title": "State", + "type": "string" + } + }, + "required": [ + "State" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::EC2::SnapshotBlockPublicAccess" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::EC2::SpotFleet": { "additionalProperties": false, "properties": { 
@@ -67408,7 +70413,7 @@ "type": "boolean" }, "Iops": { - "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000-16,000 IOPS\n- `io1` : 100-64,000 IOPS\n- `io2` : 100-64,000 IOPS\n\nFor `io1` and `io2` volumes, we guarantee 64,000 IOPS only for [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . Other instance families guarantee performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", + "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS.", "title": "Iops", "type": "number" }, 
@@ -67418,12 +70423,12 @@ "type": "string" }, "VolumeSize": { - "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` :1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", + "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", "title": "VolumeSize", "type": "number" }, "VolumeType": { - "markdownDescription": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the *Amazon EC2 User Guide* . If the volume type is `io1` or `io2` , you must specify the IOPS that the volume supports.", + "markdownDescription": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the *Amazon EC2 User Guide* .", "title": "VolumeType", "type": "string" } 
@@ -67497,7 +70502,7 @@ "additionalProperties": false, "properties": { "AssociatePublicIpAddress": { - "markdownDescription": "Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP address can only be assigned to a network interface for eth0, and can only be assigned to a new network interface, not an existing one. You cannot specify more than one network interface in the request. If launching into a default subnet, the default value is `true` .", + "markdownDescription": "Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP address can only be assigned to a network interface for eth0, and can only be assigned to a new network interface, not an existing one. You cannot specify more than one network interface in the request. If launching into a default subnet, the default value is `true` .\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [Amazon VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "title": "AssociatePublicIpAddress", "type": "boolean" }, 
@@ -67575,7 +70580,7 @@ "items": { "type": "string" }, - "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", + "markdownDescription": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", "title": "AcceleratorManufacturers", "type": "array" }, 
@@ -67583,7 +70588,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n\nDefault: Any accelerator", + "markdownDescription": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify `a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "title": "AcceleratorNames", "type": "array" }, 
@@ -68065,7 +71070,7 @@ "type": "string" }, "OnDemandMaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `onDemandMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `onDemandMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "OnDemandMaxTotalPrice", "type": "string" }, 
@@ -68085,7 +71090,7 @@ "title": "SpotMaintenanceStrategies" }, "SpotMaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotdMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `spotMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `spotMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "SpotMaxTotalPrice", "type": "string" }, 
@@ -68098,7 +71103,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::SpotFleet.SpotFleetTagSpecification" }, - "markdownDescription": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tagging Your Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", + "markdownDescription": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", "title": "TagSpecifications", "type": "array" }, 
@@ -68108,7 +71113,7 @@ "type": "number" }, "TargetCapacityUnitType": { - "markdownDescription": "The unit for the target capacity. `TargetCapacityUnitType` can only be specified when `InstanceRequirements` is specified.\n\nDefault: `units` (translates to number of instances)", + "markdownDescription": "The unit for the target capacity. You can specify this parameter only when using attribute-based instance type selection.\n\nDefault: `units` (the number of instances)", "title": "TargetCapacityUnitType", "type": "string" }, @@ -68313,6 +71318,11 @@ "title": "EnableDns64", "type": "boolean" }, + "Ipv4NetmaskLength": { + "markdownDescription": "An IPv4 netmask length for the subnet.", + "title": "Ipv4NetmaskLength", + "type": "number" + }, "Ipv6CidrBlock": { "markdownDescription": "The IPv6 CIDR block.\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify `Ipv6CidrBlock` .", "title": "Ipv6CidrBlock", @@ -68323,8 +71333,13 @@ "title": "Ipv6Native", "type": "boolean" }, + "Ipv6NetmaskLength": { + "markdownDescription": "An IPv6 netmask length for the subnet.", + "title": "Ipv6NetmaskLength", + "type": "number" + }, "MapPublicIpOnLaunch": { - "markdownDescription": "Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is `false` .", + "markdownDescription": "Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is `false` .\n\nStarting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", "title": "MapPublicIpOnLaunch", "type": "boolean" }, 
@@ -68435,7 +71450,7 @@ "additionalProperties": false, "properties": { "Ipv6CidrBlock": { - "markdownDescription": "The IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 prefix length.\n\nThis parameter is required for an IPv6 only subnet.", + "markdownDescription": "The IPv6 network range for the subnet, in CIDR notation. This parameter is required for an IPv6 only subnet.", "title": "Ipv6CidrBlock", "type": "string" }, @@ -68880,7 +71895,7 @@ "type": "string" }, "PacketLength": { - "markdownDescription": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.", + "markdownDescription": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.\n\nFor sessions with Network Load Balancer (NLB) Traffic Mirror targets the default `PacketLength` will be set to 8500. Valid values are 1-8500. Setting a `PacketLength` greater than 8500 will result in an error response.", "title": "PacketLength", "type": "number" }, 
@@ -69264,6 +72279,11 @@ "markdownDescription": "Enable or disable IPv6 support. The default is `disable` .", "title": "Ipv6Support", "type": "string" + }, + "SecurityGroupReferencingSupport": { + "markdownDescription": "Enables you to reference a security group across VPCs attached to a transit gateway (TGW). Use this option to simplify security group management and control of instance-to-instance traffic across VPCs that are connected by transit gateway. You can also use this option to migrate from VPC peering (which was the only option that supported security group referencing) to transit gateways (which now also support security group referencing). This option is disabled by default and there are no additional costs to use this feature.\n\nFor important information about this feature, see [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw) in the *AWS Transit Gateway Guide* .", + "title": "SecurityGroupReferencingSupport", + "type": "string" } }, "type": "object" @@ -70374,7 +73394,7 @@ "additionalProperties": false, "properties": { "AmazonProvidedIpv6CidrBlock": { - "markdownDescription": "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IPv6 addresses, or the size of the CIDR block.", + "markdownDescription": "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IPv6 addresses or the size of the CIDR block.", "title": "AmazonProvidedIpv6CidrBlock", "type": "boolean" }, @@ -71496,7 +74516,9 @@ "type": "array" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessEndpoint.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessEndpoint.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { 
@@ -71597,9 +74619,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -71656,7 +74682,9 @@ "type": "boolean" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessGroup.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessGroup.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -71702,9 +74730,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -71751,11 +74783,13 @@ "type": "string" }, "FipsEnabled": { + "markdownDescription": "Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.", + "title": "FipsEnabled", "type": "boolean" }, "LoggingConfigurations": { "$ref": "#/definitions/AWS::EC2::VerifiedAccessInstance.VerifiedAccessLogs", - "markdownDescription": "The current logging configuration for the Verified Access instances.", + "markdownDescription": "The logging configuration for the Verified Access instances.", "title": "LoggingConfigurations" }, "Tags": { 
@@ -71872,7 +74906,7 @@ "title": "CloudWatchLogs" }, "IncludeTrustContext": { - "markdownDescription": "Include trust data sent by trust providers into the logs.", + "markdownDescription": "Indicates whether to include trust data sent by trust providers in the logs.", "title": "IncludeTrustContext", "type": "boolean" }, @@ -71882,7 +74916,7 @@ "title": "KinesisDataFirehose" }, "LogVersion": { - "markdownDescription": "The logging version to use.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", + "markdownDescription": "The logging version.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", "title": "LogVersion", "type": "string" }, @@ -71986,7 +75020,9 @@ "type": "string" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessTrustProvider.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessTrustProvider.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -72037,6 +75073,11 @@ "AWS::EC2::VerifiedAccessTrustProvider.DeviceOptions": { "additionalProperties": false, "properties": { + "PublicSigningKeyUrl": { + "markdownDescription": "The URL AWS Verified Access will use to verify the authenticity of the device tokens.", + "title": "PublicSigningKeyUrl", + "type": "string" + }, "TenantId": { "markdownDescription": "The ID of the tenant application with the device-identity provider.", "title": "TenantId", @@ -72090,9 +75131,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, 
@@ -72149,7 +75194,7 @@ "type": "boolean" }, "Iops": { - "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000-16,000 IOPS\n- `io1` : 100-64,000 IOPS\n- `io2` : 100-64,000 IOPS\n\n`io1` and `io2` volumes support up to 64,000 IOPS only on [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . Other instance families support performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", + "markdownDescription": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS. This parameter is not supported for `gp2` , `st1` , `sc1` , or `standard` volumes.", "title": "Iops", "type": "number" }, 
@@ -72169,7 +75214,7 @@ "type": "string" }, "Size": { - "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", + "markdownDescription": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", "title": "Size", "type": "number" }, @@ -72338,7 +75383,7 @@ "properties": { "RepositoryCatalogData": { "$ref": "#/definitions/AWS::ECR::PublicRepository.RepositoryCatalogData", - "markdownDescription": "", + "markdownDescription": "The details about the repository that are publicly visible in the Amazon ECR Public Gallery. For more information, see [Amazon ECR Public repository catalog data](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-catalog-data.html) in the *Amazon ECR Public User Guide* .", "title": "RepositoryCatalogData" }, "RepositoryName": { 
@@ -72454,11 +75499,21 @@ "Properties": { "additionalProperties": false, "properties": { + "CredentialArn": { + "markdownDescription": "The ARN of the Secrets Manager secret associated with the pull through cache rule.", + "title": "CredentialArn", + "type": "string" + }, "EcrRepositoryPrefix": { "markdownDescription": "The Amazon ECR repository prefix associated with the pull through cache rule.", "title": "EcrRepositoryPrefix", "type": "string" }, + "UpstreamRegistry": { + "markdownDescription": "The name of the upstream source registry associated with the pull through cache rule.", + "title": "UpstreamRegistry", + "type": "string" + }, "UpstreamRegistryUrl": { "markdownDescription": "The upstream registry URL associated with the pull through cache rule.", "title": "UpstreamRegistryUrl", @@ -72739,6 +75794,8 @@ "additionalProperties": false, "properties": { "EmptyOnDelete": { + "markdownDescription": "If true, deleting the repository force deletes the contents of the repository. If false, the repository must be empty before attempting to delete it.", + "title": "EmptyOnDelete", "type": "boolean" }, "EncryptionConfiguration": { @@ -72932,10 +75989,15 @@ "additionalProperties": false, "properties": { "AutoScalingGroupArn": { - "markdownDescription": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group.", + "markdownDescription": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group, or the Auto Scaling group name.", "title": "AutoScalingGroupArn", "type": "string" }, + "ManagedDraining": { + "markdownDescription": "", + "title": "ManagedDraining", + "type": "string" + }, "ManagedScaling": { "$ref": "#/definitions/AWS::ECS::CapacityProvider.ManagedScaling", "markdownDescription": "The managed scaling settings for the Auto Scaling group capacity provider.", 
@@ -72961,7 +76023,7 @@ "type": "number" }, "MaximumScalingStepSize": { - "markdownDescription": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `1` is used.", + "markdownDescription": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `10000` is used.", "title": "MaximumScalingStepSize", "type": "number" }, 
@@ -73192,7 +76254,7 @@ "additionalProperties": false, "properties": { "Namespace": { - "markdownDescription": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the service with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", + "markdownDescription": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. 
The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the cluster with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", "title": "Namespace", "type": "string" } 
@@ -73721,12 +76783,12 @@ "type": "number" }, "LoadBalancerName": { - "markdownDescription": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", + "markdownDescription": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nIf you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", "title": "LoadBalancerName", "type": "string" }, "TargetGroupArn": { - "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . 
Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", + "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", "title": "TargetGroupArn", "type": "string" } 
@@ -73861,7 +76923,7 @@ }, "LogConfiguration": { "$ref": "#/definitions/AWS::ECS::Service.LogConfiguration", - "markdownDescription": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the valid values below). Additional log drivers may be available in future releases of the Amazon ECS container agent.\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. 
For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", + "markdownDescription": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. 
Additional log drivers may be available in future releases of the Amazon ECS container agent.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", "title": "LogConfiguration" }, "Namespace": { 
@@ -74028,7 +77090,7 @@ "type": "string" }, "PidMode": { - "markdownDescription": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . If `host` is specified, then all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance. If `task` is specified, all containers within the specified task share the same process namespace. If no value is specified, the default is a private namespace. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, be aware that there is a heightened risk of undesired process namespace expose. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers or tasks run on AWS Fargate .", + "markdownDescription": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . On Fargate for Linux containers, the only valid value is `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. 
For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, there's a heightened risk of undesired process namespace exposure. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "title": "PidMode", "type": "string" }, 
@@ -74343,7 +77405,7 @@ "items": { "$ref": "#/definitions/AWS::ECS::TaskDefinition.SystemControl" }, - "markdownDescription": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers.", + "markdownDescription": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) . For example, you can configure `net.ipv4.tcp_keepalive_time` setting to maintain longer lived connections.\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. 
For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers. > This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "title": "SystemControls", "type": "array" }, 
@@ -74766,7 +77828,7 @@ "additionalProperties": false, "properties": { "AppProtocol": { - "markdownDescription": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", + "markdownDescription": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\n`appProtocol` is immutable in a Service Connect service. 
Updating this field requires a service deletion and redeployment.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", "title": "AppProtocol", "type": "string" }, 
@@ -74776,12 +77838,12 @@ "type": "number" }, "ContainerPortRange": { - "markdownDescription": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call 
[`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", + "markdownDescription": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPortRange` is set to the same value as the `containerPortRange` . 
This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call [`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", "title": "ContainerPortRange", "type": "string" }, "HostPort": { - "markdownDescription": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. 
This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. 
Automatically assigned ports aren't included in the 100 reserved ports quota.", + "markdownDescription": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 (Linux) or 49152 through 65535 (Windows) is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. 
The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.", "title": "HostPort", "type": "number" }, @@ -74791,7 +77853,7 @@ "type": "string" }, "Protocol": { - "markdownDescription": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` .", + "markdownDescription": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` . `protocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment.", "title": "Protocol", "type": "string" } @@ -74901,7 +77963,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value for the namespaced kernel parameter that's specified in `namespace` .", + "markdownDescription": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"`\n\nAll of these values are supported by Fargate.", "title": "Value", "type": "string" } 
@@ -74999,7 +78061,7 @@ "title": "Host" }, "Name": { - "markdownDescription": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .", + "markdownDescription": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .\n\nThis is required wwhen you use an Amazon EFS volume.", "title": "Name", "type": "string" } 
@@ -75186,7 +78248,7 @@ "type": "number" }, "TargetGroupArn": { - "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", + "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. 
For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", "title": "TargetGroupArn", "type": "string" } @@ -75306,7 +78368,7 @@ }, "RootDirectory": { "$ref": "#/definitions/AWS::EFS::AccessPoint.RootDirectory", - "markdownDescription": "The directory on the Amazon EFS file system that the access point exposes as the root directory to NFS clients using the access point.", + "markdownDescription": "The directory on the EFS file system that the access point exposes as the root directory to NFS clients using the access point.", "title": "RootDirectory" } }, 
@@ -75458,7 +78520,7 @@ "additionalProperties": false, "properties": { "AvailabilityZoneName": { - "markdownDescription": "Used to create a file system that uses One Zone storage classes. It specifies the AWS Availability Zone in which to create the file system. Use the format `us-east-1a` to specify the Availability Zone. For more information about One Zone storage classes, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone storage classes are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", + "markdownDescription": "Used to create a One Zone file system. It specifies the AWS Availability Zone in which to create the file system. Use the format `us-east-1a` to specify the Availability Zone. For more information about One Zone file systems, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone file systems are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", "title": "AvailabilityZoneName", "type": "string" }, @@ -75482,6 +78544,11 @@ "title": "FileSystemPolicy", "type": "object" }, + "FileSystemProtection": { + "$ref": "#/definitions/AWS::EFS::FileSystem.FileSystemProtection", + "markdownDescription": "Describes the protection on the file system.", + "title": "FileSystemProtection" + }, "FileSystemTags": { "items": { "$ref": "#/definitions/AWS::EFS::FileSystem.ElasticFileSystemTag" 
@@ -75504,7 +78571,7 @@ "type": "array" }, "PerformanceMode": { - "markdownDescription": "The performance mode of the file system. We recommend `generalPurpose` performance mode for most file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created.\n\n> The `maxIO` mode is not supported on file systems using One Zone storage classes. \n\nDefault is `generalPurpose` .", + "markdownDescription": "The Performance mode of the file system. We recommend `generalPurpose` performance mode for all file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The `maxIO` mode is not supported on One Zone file systems.\n\n> Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. \n\nDefault is `generalPurpose` .", "title": "PerformanceMode", "type": "string" }, 
@@ -75514,10 +78581,12 @@ "type": "number" }, "ReplicationConfiguration": { - "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationConfiguration" + "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationConfiguration", + "markdownDescription": "Describes the replication configuration for a specific file system.", + "title": "ReplicationConfiguration" }, "ThroughputMode": { - "markdownDescription": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `elastic` .", + "markdownDescription": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's Provisioned throughput or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `bursting` .", "title": "ThroughputMode", "type": "string" } 
@@ -75578,16 +78647,32 @@ ], "type": "object" }, + "AWS::EFS::FileSystem.FileSystemProtection": { + "additionalProperties": false, + "properties": { + "ReplicationOverwriteProtection": { + "markdownDescription": "", + "title": "ReplicationOverwriteProtection", + "type": "string" + } + }, + "type": "object" + }, "AWS::EFS::FileSystem.LifecyclePolicy": { "additionalProperties": false, "properties": { + "TransitionToArchive": { + "markdownDescription": "The number of days after files were last accessed in primary storage (the Standard storage class) files at which to move them to Archive storage. Metadata operations such as listing the contents of a directory don't count as file access events.", + "title": "TransitionToArchive", + "type": "string" + }, "TransitionToIA": { - "markdownDescription": "Describes the period of time that a file is not accessed, after which it transitions to IA storage. Metadata operations such as listing the contents of a directory don't count as file access events.", + "markdownDescription": "The number of days after files were last accessed in primary storage (the Standard storage class) at which to move them to Infrequent Access (IA) storage. Metadata operations such as listing the contents of a directory don't count as file access events.", "title": "TransitionToIA", "type": "string" }, "TransitionToPrimaryStorageClass": { - "markdownDescription": "Describes when to transition a file from IA storage to primary storage. Metadata operations such as listing the contents of a directory don't count as file access events.", + "markdownDescription": "Whether to move files back to primary (Standard) storage after they are accessed in IA or Archive storage. Metadata operations such as listing the contents of a directory don't count as file access events.", "title": "TransitionToPrimaryStorageClass", "type": "string" } 
@@ -75601,6 +78686,8 @@ "items": { "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationDestination" }, + "markdownDescription": "An array of destination objects. Only one destination object is supported.", + "title": "Destinations", "type": "array" } }, @@ -75610,15 +78697,23 @@ "additionalProperties": false, "properties": { "AvailabilityZoneName": { + "markdownDescription": "The AWS Availability Zone in which to create the file system.\n\n> For file systems using One Zone storage classes, the replication configuration must specify the Availability Zone in which the destination file system is located. \n\nUse the format `us-east-1a` to specify the Availability Zone. For more information about One Zone storage classes, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone storage classes are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", + "title": "AvailabilityZoneName", "type": "string" }, "FileSystemId": { + "markdownDescription": "The ID of the destination Amazon EFS file system.", + "title": "FileSystemId", "type": "string" }, "KmsKeyId": { + "markdownDescription": "The ID of an AWS KMS key used to protect the encrypted file system.", + "title": "KmsKeyId", "type": "string" }, "Region": { + "markdownDescription": "The AWS Region in which the destination file system is located.\n\n> For file systems using Standard storage classes, the replication configuration must specify the AWS Region in which the destination file system is located.", + "title": "Region", "type": "string" } }, 
@@ -75678,7 +78773,7 @@ "type": "array" }, "SubnetId": { - "markdownDescription": "The ID of the subnet to add the mount target in. For file systems that use One Zone storage classes, use the subnet that is associated with the file system's Availability Zone.", + "markdownDescription": "The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone.", "title": "SubnetId", "type": "string" } @@ -75882,7 +78977,7 @@ }, "ResourcesVpcConfig": { "$ref": "#/definitions/AWS::EKS::Cluster.ResourcesVpcConfig", - "markdownDescription": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.\n\n> Updates require replacement of the `SecurityGroupIds` and `SubnetIds` sub-properties.", + "markdownDescription": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups. However, we recommend that you use a dedicated security group for your cluster control plane.", "title": "ResourcesVpcConfig" }, "RoleArn": { 
@@ -76680,6 +79775,99 @@ }, "type": "object" }, + "AWS::EKS::PodIdentityAssociation": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ClusterName": { + "markdownDescription": "The name of the cluster that the association is in.", + "title": "ClusterName", + "type": "string" + }, + "Namespace": { + "markdownDescription": "The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.", + "title": "Namespace", + "type": "string" + }, + "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.", + "title": "RoleArn", + "type": "string" + }, + "ServiceAccount": { + "markdownDescription": "The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.", + "title": "ServiceAccount", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The metadata that you apply to a resource to assist with categorization and organization. Each tag consists of a key and an optional value. 
You define both.\n\nThe following basic restrictions apply to tags:\n\n- Maximum number of tags per resource \u2013 50\n- For each resource, each tag key must be unique, and each tag key can have only one value.\n- Maximum key length \u2013 128 Unicode characters in UTF-8\n- Maximum value length \u2013 256 Unicode characters in UTF-8\n- If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.\n- Tag keys and values are case-sensitive.\n- Do not use `aws:` , `AWS:` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "ClusterName", + "Namespace", + "RoleArn", + "ServiceAccount" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::EKS::PodIdentityAssociation" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::EMR::Cluster": { "additionalProperties": false, "properties": { @@ -76735,7 +79923,7 @@ }, "AutoTerminationPolicy": { "$ref": "#/definitions/AWS::EMR::Cluster.AutoTerminationPolicy", - "markdownDescription": "", + "markdownDescription": "An auto-termination policy defines the amount of idle time in seconds after which a cluster automatically terminates. For alternative cluster termination options, see [Control cluster termination](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-termination.html)", "title": "AutoTerminationPolicy" }, "BootstrapActions": { 
@@ -76759,11 +79947,17 @@ "title": "CustomAmiId", "type": "string" }, + "EbsRootVolumeIops": { + "type": "number" + }, "EbsRootVolumeSize": { "markdownDescription": "The size, in GiB, of the Amazon EBS root device volume of the Linux AMI that is used for each Amazon EC2 instance. Available in Amazon EMR releases 4.x and later.", "title": "EbsRootVolumeSize", "type": "number" }, + "EbsRootVolumeThroughput": { + "type": "number" + }, "Instances": { "$ref": "#/definitions/AWS::EMR::Cluster.JobFlowInstancesConfig", "markdownDescription": "A specification of the number and type of Amazon EC2 instances.", @@ -76800,10 +79994,16 @@ "type": "string" }, "OSReleaseLabel": { - "markdownDescription": "", + "markdownDescription": "The Amazon Linux release specified in a cluster launch RunJobFlow request. If no Amazon Linux release was specified, the default Amazon Linux release is shown in the response.", "title": "OSReleaseLabel", "type": "string" }, + "PlacementGroupConfigs": { + "items": { + "$ref": "#/definitions/AWS::EMR::Cluster.PlacementGroupConfig" + }, + "type": "array" + }, "ReleaseLabel": { "markdownDescription": "The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster. Release labels are in the form `emr-x.x.x` , where x.x.x is an Amazon EMR release version such as `emr-5.14.0` . For more information about Amazon EMR release versions and included application versions and features, see [](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/) . The release label applies only to Amazon EMR releases version 4.0 and later. Earlier versions use `AmiVersion` .", "title": "ReleaseLabel", 
@@ -76942,7 +80142,7 @@ "additionalProperties": false, "properties": { "IdleTimeout": { - "markdownDescription": "", + "markdownDescription": "Specifies the amount of idle time in seconds after which the cluster automatically terminates. You can specify a minimum of 60 seconds and a maximum of 604800 seconds (seven days).", "title": "IdleTimeout", "type": "number" } @@ -77530,6 +80730,21 @@ ], "type": "object" }, + "AWS::EMR::Cluster.PlacementGroupConfig": { + "additionalProperties": false, + "properties": { + "InstanceRole": { + "type": "string" + }, + "PlacementStrategy": { + "type": "string" + } + }, + "required": [ + "InstanceRole" + ], + "type": "object" + }, "AWS::EMR::Cluster.PlacementType": { "additionalProperties": false, "properties": { @@ -77743,6 +80958,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -78047,6 +81264,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -78477,6 +81696,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { 
@@ -78749,11 +81970,26 @@ "title": "Description", "type": "string" }, + "EncryptionKeyArn": { + "markdownDescription": "The AWS KMS key identifier (ARN) used to encrypt Amazon EMR Studio workspace and notebook files when backed up to Amazon S3.", + "title": "EncryptionKeyArn", + "type": "string" + }, "EngineSecurityGroupId": { "markdownDescription": "The ID of the Amazon EMR Studio Engine security group. The Engine security group allows inbound network traffic from the Workspace security group, and it must be in the same VPC specified by `VpcId` .", "title": "EngineSecurityGroupId", "type": "string" }, + "IdcInstanceArn": { + "markdownDescription": "The ARN of the IAM Identity Center instance the Studio application belongs to.", + "title": "IdcInstanceArn", + "type": "string" + }, + "IdcUserAssignment": { + "markdownDescription": "Indicates whether the Studio has `REQUIRED` or `OPTIONAL` IAM Identity Center user assignment. If the value is set to `REQUIRED` , users must be explicitly assigned to the Studio application to access the Studio.", + "title": "IdcUserAssignment", + "type": "string" + }, "IdpAuthUrl": { "markdownDescription": "Your identity provider's authentication endpoint. Amazon EMR Studio redirects federated users to this endpoint for authentication when logging in to a Studio with the Studio URL.", "title": "IdpAuthUrl", 
@@ -78790,6 +82026,11 @@ "title": "Tags", "type": "array" }, + "TrustedIdentityPropagationEnabled": { + "markdownDescription": "Indicates whether the Studio has Trusted identity propagation enabled. The default value is `false` .", + "title": "TrustedIdentityPropagationEnabled", + "type": "boolean" + }, "UserRole": { "markdownDescription": "The Amazon Resource Name (ARN) of the IAM user role that will be assumed by users and groups logged in to a Studio. The permissions attached to this IAM role can be scoped down for each user or group using session policies. You only need to specify `UserRole` when you set `AuthMode` to `SSO` .", "title": "UserRole", @@ -78963,9 +82204,13 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "You can add tags when you create a new workspace. You can add, remove, or list tags from an active workspace, but you can't update tags. Instead, remove the tag and add a new one. For more information, see see [Tag your Amazon EMR WAL workspaces](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hbase-wal.html#emr-hbase-wal-tagging) .", + "title": "Tags", "type": "array" }, "WALWorkspaceName": { + "markdownDescription": "The name of the WAL workspace.", + "title": "WALWorkspaceName", "type": "string" } }, @@ -79162,7 +82407,7 @@ "additionalProperties": false, "properties": { "Architecture": { - "markdownDescription": "The CPU architecture type of the application. Allowed values: `X86_64` or `ARM64`", + "markdownDescription": "The CPU architecture of an application.", "title": "Architecture", "type": "string" }, @@ -79178,7 +82423,7 @@ }, "ImageConfiguration": { "$ref": "#/definitions/AWS::EMRServerless::Application.ImageConfigurationInput", - "markdownDescription": "", + "markdownDescription": "The image configuration applied to all worker types.", "title": "ImageConfiguration" }, "InitialCapacity": { 
@@ -79194,8 +82439,13 @@ "markdownDescription": "The maximum capacity of the application. This is cumulative across all workers at any given point in time during the lifespan of the application is created. No new resources will be created once any one of the defined limits is hit.", "title": "MaximumCapacity" }, + "MonitoringConfiguration": { + "$ref": "#/definitions/AWS::EMRServerless::Application.MonitoringConfiguration", + "markdownDescription": "A configuration specification to be used when provisioning an application. A configuration consists of a classification, properties, and optional nested configurations. A classification refers to an application-specific configuration file. Properties are the settings you want to change in that file.", + "title": "MonitoringConfiguration" + }, "Name": { - "markdownDescription": "The name of the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._\\\\/#-]+$`", + "markdownDescription": "The name of the application.", "title": "Name", "type": "string" }, 
@@ -79205,10 +82455,18 @@ "title": "NetworkConfiguration" }, "ReleaseLabel": { - "markdownDescription": "The EMR release version associated with the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._/-]+$`", + "markdownDescription": "The EMR release associated with the application.", "title": "ReleaseLabel", "type": "string" }, + "RuntimeConfiguration": { + "items": { + "$ref": "#/definitions/AWS::EMRServerless::Application.ConfigurationObject" + }, + "markdownDescription": "The [Configuration](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_Configuration.html) specifications of an application. Each configuration consists of a classification and properties. You use this parameter when creating or updating an application. To see the runtimeConfiguration object of an application, run the [GetApplication](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/API_GetApplication.html) API operation.", + "title": "RuntimeConfiguration", + "type": "array" + }, "Tags": { "items": { "$ref": "#/definitions/Tag" @@ -79224,7 +82482,7 @@ }, "WorkerTypeSpecifications": { "additionalProperties": false, - "markdownDescription": "", + "markdownDescription": "The specification applied to each worker type.", "patternProperties": { "^[a-zA-Z0-9]+$": { "$ref": "#/definitions/AWS::EMRServerless::Application.WorkerTypeSpecificationInput" @@ -79265,7 +82523,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "Enables the application to automatically start on job submission. Defaults to true.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" } 
@@ -79276,23 +82534,54 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "Enables the application to automatically stop after a certain amount of time being idle. Defaults to true.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" }, "IdleTimeoutMinutes": { - "markdownDescription": "The amount of idle time in minutes after which your application will automatically stop. Defaults to 15 minutes.\n\n*Minimum* : 1\n\n*Maximum* : 10080", + "markdownDescription": "", "title": "IdleTimeoutMinutes", "type": "number" } }, "type": "object" }, + "AWS::EMRServerless::Application.ConfigurationObject": { + "additionalProperties": false, + "properties": { + "Classification": { + "markdownDescription": "", + "title": "Classification", + "type": "string" + }, + "Configurations": { + "items": { + "$ref": "#/definitions/AWS::EMRServerless::Application.ConfigurationObject" + }, + "markdownDescription": "", + "title": "Configurations", + "type": "array" + }, + "Properties": { + "additionalProperties": true, + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "Classification" + ], + "type": "object" + }, "AWS::EMRServerless::Application.ImageConfigurationInput": { "additionalProperties": false, "properties": { "ImageUri": { - "markdownDescription": "", + "markdownDescription": "The URI of an image in the Amazon ECR registry. This field is required when you create a new application. If you leave this field blank in an update, Amazon EMR will remove the image configuration.", "title": "ImageUri", "type": "string" } @@ -79308,7 +82597,7 @@ "title": "WorkerConfiguration" }, "WorkerCount": { - "markdownDescription": "The number of workers in the initial capacity configuration.\n\n*Minimum* : 1\n\n*Maximum* : 1000000", + "markdownDescription": "The number of workers in the initial capacity configuration.", "title": "WorkerCount", "type": "number" } 
@@ -79323,13 +82612,13 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The worker type for an analytics framework. For Spark applications, the key can either be set to `Driver` or `Executor` . For Hive applications, it can be set to `HiveDriver` or `TezTask` .\n\n*Minimum* : 1\n\n*Maximum* : 50\n\n*Pattern* : `^[a-zA-Z]+[-_]*[a-zA-Z]+$`", + "markdownDescription": "", "title": "Key", "type": "string" }, "Value": { "$ref": "#/definitions/AWS::EMRServerless::Application.InitialCapacityConfig", - "markdownDescription": "The value for the initial capacity configuration per worker.", + "markdownDescription": "", "title": "Value" } }, 
@@ -79339,21 +82628,37 @@ ], "type": "object" }, + "AWS::EMRServerless::Application.ManagedPersistenceMonitoringConfiguration": { + "additionalProperties": false, + "properties": { + "Enabled": { + "markdownDescription": "Enables managed logging and defaults to true. If set to false, managed logging will be turned off.", + "title": "Enabled", + "type": "boolean" + }, + "EncryptionKeyArn": { + "markdownDescription": "The KMS key ARN to encrypt the logs stored in managed log persistence.", + "title": "EncryptionKeyArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::EMRServerless::Application.MaximumAllowedResources": { "additionalProperties": false, "properties": { "Cpu": { - "markdownDescription": "The maximum allowed CPU for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "markdownDescription": "The maximum allowed CPU for an application.", "title": "Cpu", "type": "string" }, "Disk": { - "markdownDescription": "The maximum allowed disk for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "markdownDescription": "The maximum allowed disk for an application.", "title": "Disk", "type": "string" }, "Memory": { - "markdownDescription": "The maximum allowed resources for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`", + "markdownDescription": "The maximum allowed resources for an application.", "title": "Memory", "type": "string" } 
@@ -79364,6 +82669,22 @@ ], "type": "object" }, + "AWS::EMRServerless::Application.MonitoringConfiguration": { + "additionalProperties": false, + "properties": { + "ManagedPersistenceMonitoringConfiguration": { + "$ref": "#/definitions/AWS::EMRServerless::Application.ManagedPersistenceMonitoringConfiguration", + "markdownDescription": "The managed log persistence configuration for a job run.", + "title": "ManagedPersistenceMonitoringConfiguration" + }, + "S3MonitoringConfiguration": { + "$ref": "#/definitions/AWS::EMRServerless::Application.S3MonitoringConfiguration", + "markdownDescription": "The Amazon S3 configuration for monitoring log publishing.", + "title": "S3MonitoringConfiguration" + } + }, + "type": "object" + }, "AWS::EMRServerless::Application.NetworkConfiguration": { "additionalProperties": false, "properties": { @@ -79371,7 +82692,7 @@ "items": { "type": "string" }, - "markdownDescription": "The array of security group Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", + "markdownDescription": "The array of security group Ids for customer VPC connectivity.", "title": "SecurityGroupIds", "type": "array" }, 
@@ -79379,28 +82700,44 @@ "items": { "type": "string" }, - "markdownDescription": "The array of subnet Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", + "markdownDescription": "The array of subnet Ids for customer VPC connectivity.", "title": "SubnetIds", "type": "array" } }, "type": "object" }, + "AWS::EMRServerless::Application.S3MonitoringConfiguration": { + "additionalProperties": false, + "properties": { + "EncryptionKeyArn": { + "markdownDescription": "The KMS key ARN to encrypt the logs published to the given Amazon S3 destination.", + "title": "EncryptionKeyArn", + "type": "string" + }, + "LogUri": { + "markdownDescription": "The Amazon S3 destination URI for log publishing.", + "title": "LogUri", + "type": "string" + } + }, + "type": "object" + }, "AWS::EMRServerless::Application.WorkerConfiguration": { "additionalProperties": false, "properties": { "Cpu": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "markdownDescription": "", "title": "Cpu", "type": "string" }, "Disk": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "markdownDescription": "", "title": "Disk", "type": "string" }, "Memory": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`", + "markdownDescription": "", "title": "Memory", "type": "string" } @@ -79416,7 +82753,7 @@ "properties": { "ImageConfiguration": { "$ref": "#/definitions/AWS::EMRServerless::Application.ImageConfigurationInput", - "markdownDescription": "", + "markdownDescription": "The image configuration for a worker type.", "title": "ImageConfiguration" } }, 
@@ -79486,12 +82823,12 @@ "type": "array" }, "CacheSubnetGroupName": { - "markdownDescription": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see [AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .", + "markdownDescription": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see `[AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .`", "title": "CacheSubnetGroupName", "type": "string" }, "ClusterName": { - "markdownDescription": "A name for the cache cluster. If you don't specify a name, AWSCloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", + "markdownDescription": "A name for the cache cluster. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. 
The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", "title": "ClusterName", "type": "string" }, @@ -80162,8 +83499,6 @@ "type": "string" }, "ReplicationGroupId": { - "markdownDescription": "The replication group identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n- A name must contain from 1 to 40 alphanumeric characters or hyphens.\n- The first character must be a letter.\n- A name cannot end with a hyphen or contain two consecutive hyphens.", - "title": "ReplicationGroupId", "type": "string" }, "SecurityGroupIds": { @@ -80518,7 +83853,7 @@ ], "type": "object" }, - "AWS::ElastiCache::SubnetGroup": { + "AWS::ElastiCache::ServerlessCache": { "additionalProperties": false, "properties": { "Condition": { 
@@ -80553,21 +83888,82 @@ "Properties": { "additionalProperties": false, "properties": { - "CacheSubnetGroupName": { - "markdownDescription": "The name for the cache subnet group. This value is stored as a lowercase string.\n\nConstraints: Must contain no more than 255 alphanumeric characters or hyphens.\n\nExample: `mysubnetgroup`", - "title": "CacheSubnetGroupName", + "CacheUsageLimits": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.CacheUsageLimits", + "markdownDescription": "The cache usage limit for the serverless cache.", + "title": "CacheUsageLimits" + }, + "DailySnapshotTime": { + "markdownDescription": "The daily time that a cache snapshot will be created. Default is NULL, i.e. snapshots will not be created at a specific time on a daily basis. Available for Redis only.", + "title": "DailySnapshotTime", "type": "string" }, "Description": { - "markdownDescription": "The description for the cache subnet group.", + "markdownDescription": "A description of the serverless cache.", "title": "Description", "type": "string" }, + "Endpoint": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.Endpoint", + "markdownDescription": "Represents the information required for client programs to connect to a cache node.", + "title": "Endpoint" + }, + "Engine": { + "markdownDescription": "The engine the serverless cache is compatible with.", + "title": "Engine", + "type": "string" + }, + "FinalSnapshotName": { + "markdownDescription": "The name of the final snapshot taken of a cache before the cache is deleted.", + "title": "FinalSnapshotName", + "type": "string" + }, + "KmsKeyId": { + "markdownDescription": "The ID of the AWS Key Management Service (KMS) key that is used to encrypt data at rest in the serverless cache.", + "title": "KmsKeyId", + "type": "string" + }, + "MajorEngineVersion": { + "markdownDescription": "The version number of the engine the serverless cache is compatible with.", + "title": "MajorEngineVersion", + "type": "string" + }, + 
"ReaderEndpoint": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.Endpoint", + "markdownDescription": "Represents the information required for client programs to connect to a cache node.", + "title": "ReaderEndpoint" + }, + "SecurityGroupIds": { + "items": { + "type": "string" + }, + "markdownDescription": "The IDs of the EC2 security groups associated with the serverless cache.", + "title": "SecurityGroupIds", + "type": "array" + }, + "ServerlessCacheName": { + "markdownDescription": "The unique identifier of the serverless cache.", + "title": "ServerlessCacheName", + "type": "string" + }, + "SnapshotArnsToRestore": { + "items": { + "type": "string" + }, + "markdownDescription": "The ARN of the snapshot from which to restore data into the new cache.", + "title": "SnapshotArnsToRestore", + "type": "array" + }, + "SnapshotRetentionLimit": { + "markdownDescription": "The current setting for the number of serverless cache snapshots the system will retain. Available for Redis only.", + "title": "SnapshotRetentionLimit", + "type": "number" + }, "SubnetIds": { "items": { "type": "string" }, - "markdownDescription": "The EC2 subnet IDs for the cache subnet group.", + "markdownDescription": "If no subnet IDs are given and your VPC is in SFO, then ElastiCache will select 2 default subnets across AZs in your VPC. For all other Regions, if no subnet IDs are given then ElastiCache will select 3 default subnets across AZs in your default VPC.", "title": "SubnetIds", "type": "array" }, 
@@ -80575,20 +83971,25 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A tag that can be added to an ElastiCache subnet group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your subnet groups. A tag with a null Value is permitted.", + "markdownDescription": "A list of tags to be added to this resource.", "title": "Tags", "type": "array" + }, + "UserGroupId": { + "markdownDescription": "The identifier of the user group associated with the serverless cache. Available for Redis only. Default is NULL.", + "title": "UserGroupId", + "type": "string" } }, "required": [ - "Description", - "SubnetIds" + "Engine", + "ServerlessCacheName" ], "type": "object" }, "Type": { "enum": [ - "AWS::ElastiCache::SubnetGroup" + "AWS::ElastiCache::ServerlessCache" ], "type": "string" }, 
@@ -80607,7 +84008,162 @@ ], "type": "object" }, - "AWS::ElastiCache::User": { + "AWS::ElastiCache::ServerlessCache.CacheUsageLimits": { + "additionalProperties": false, + "properties": { + "DataStorage": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.DataStorage", + "markdownDescription": "The maximum data storage limit in the cache, expressed in Gigabytes.", + "title": "DataStorage" + }, + "ECPUPerSecond": { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache.ECPUPerSecond", + "markdownDescription": "The number of ElastiCache Processing Units (ECPU) the cache can consume per second.", + "title": "ECPUPerSecond" + } + }, + "type": "object" + }, + "AWS::ElastiCache::ServerlessCache.DataStorage": { + "additionalProperties": false, + "properties": { + "Maximum": { + "markdownDescription": "The upper limit for data storage the cache is set to use.", + "title": "Maximum", + "type": "number" + }, + "Unit": { + "markdownDescription": "The unit that the storage is measured in, in GB.", + "title": "Unit", + "type": "string" + } + }, + "required": [ + "Maximum", + "Unit" + ], + "type": "object" + }, + "AWS::ElastiCache::ServerlessCache.ECPUPerSecond": { + "additionalProperties": false, + "properties": { + "Maximum": { + "markdownDescription": "The configuration for the maximum number of ECPUs the cache can consume per second.", + "title": "Maximum", + "type": "number" + } + }, + "required": [ + "Maximum" + ], + "type": "object" + }, + "AWS::ElastiCache::ServerlessCache.Endpoint": { + "additionalProperties": false, + "properties": { + "Address": { + "markdownDescription": "The DNS hostname of the cache node.", + "title": "Address", + "type": "string" + }, + "Port": { + "markdownDescription": "The port number that the cache engine is listening on.", + "title": "Port", + "type": "number" + } + }, + "type": "object" + }, + "AWS::ElastiCache::SubnetGroup": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + 
"DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "CacheSubnetGroupName": { + "markdownDescription": "The name for the cache subnet group. This value is stored as a lowercase string.\n\nConstraints: Must contain no more than 255 alphanumeric characters or hyphens.\n\nExample: `mysubnetgroup`", + "title": "CacheSubnetGroupName", + "type": "string" + }, + "Description": { + "markdownDescription": "The description for the cache subnet group.", + "title": "Description", + "type": "string" + }, + "SubnetIds": { + "items": { + "type": "string" + }, + "markdownDescription": "The EC2 subnet IDs for the cache subnet group.", + "title": "SubnetIds", + "type": "array" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "A tag that can be added to an ElastiCache subnet group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your subnet groups. A tag with a null Value is permitted.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Description", + "SubnetIds" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ElastiCache::SubnetGroup" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::ElastiCache::User": { "additionalProperties": false, "properties": { "Condition": { 
@@ -81461,16 +85017,16 @@ }, "ConnectionDrainingPolicy": { "$ref": "#/definitions/AWS::ElasticLoadBalancing::LoadBalancer.ConnectionDrainingPolicy", - "markdownDescription": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure Connection Draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure connection draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *User Guide for Classic Load Balancers* .", "title": "ConnectionDrainingPolicy" }, "ConnectionSettings": { "$ref": "#/definitions/AWS::ElasticLoadBalancing::LoadBalancer.ConnectionSettings", - "markdownDescription": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. For more information, see [Configure Idle Connection Timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. 
For more information, see [Configure idle connection timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *User Guide for Classic Load Balancers* .", "title": "ConnectionSettings" }, "CrossZone": { - "markdownDescription": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure Cross-Zone Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure cross-zone load balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *User Guide for Classic Load Balancers* .", "title": "CrossZone", "type": "boolean" }, @@ -81862,6 +85418,11 @@ "title": "LoadBalancerArn", "type": "string" }, + "MutualAuthentication": { + "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::Listener.MutualAuthentication", + "markdownDescription": "The mutual authentication configuration information.", + "title": "MutualAuthentication" + }, "Port": { "markdownDescription": "The port on which the load balancer is listening. You cannot specify a port for a Gateway Load Balancer.", "title": "Port", 
@@ -82144,6 +85705,27 @@ }, "type": "object" }, + "AWS::ElasticLoadBalancingV2::Listener.MutualAuthentication": { + "additionalProperties": false, + "properties": { + "IgnoreClientCertificateExpiry": { + "markdownDescription": "Indicates whether expired client certificates are ignored.", + "title": "IgnoreClientCertificateExpiry", + "type": "boolean" + }, + "Mode": { + "markdownDescription": "The client certificate handling method. Options are `off` , `passthrough` or `verify` . The default value is `off` .", + "title": "Mode", + "type": "string" + }, + "TrustStoreArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the trust store.", + "title": "TrustStoreArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::ElasticLoadBalancingV2::Listener.RedirectConfig": { "additionalProperties": false, "properties": { @@ -82907,7 +86489,7 @@ "items": { "type": "string" }, - "markdownDescription": "[Application Load Balancers] The IDs of the security groups for the load balancer.", + "markdownDescription": "[Application Load Balancers and Network Load Balancers] The IDs of the security groups for the load balancer.", "title": "SecurityGroups", "type": "array" }, 
@@ -82967,7 +86549,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . 
The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . 
The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. 
The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `connection_logs.s3.enabled` - Indicates whether connection logs are enabled. The value is `true` or `false` . The default is `false` .\n- `connection_logs.s3.bucket` - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `connection_logs.s3.prefix` - The prefix for the location in the S3 bucket for the connection logs.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . 
The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . 
Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .\n\nThe following attributes are supported by only Network Load Balancers:\n\n- `dns_record.client_routing_policy` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are `availability_zone_affinity` with 100 percent zonal affinity, `partial_availability_zone_affinity` with 85 percent zonal affinity, and `any_availability_zone` with 0 percent zonal affinity.", "title": "Key", "type": "string" }, 
@@ -83214,7 +86796,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. 
The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` or `least_outstanding_requests` . The default is `round_robin` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). 
The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . The default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . 
The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. 
If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` , `least_outstanding_requests` , or `weighted_random` . The default is `round_robin` .\n- `load_balancing.algorithm.anomaly_mitigation` - Only available when `load_balancing.algorithm.type` is `weighted_random` . Indicates whether anomaly mitigation is enabled. The value is `on` or `off` . 
The default is `off` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . 
If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . 
The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", "title": "Key", "type": "string" }, 
@@ -83226,6 +86808,215 @@ }, "type": "object" }, + "AWS::ElasticLoadBalancingV2::TrustStore": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "CaCertificatesBundleS3Bucket": { + "markdownDescription": "The Amazon S3 bucket for the ca certificates bundle.", + "title": "CaCertificatesBundleS3Bucket", + "type": "string" + }, + "CaCertificatesBundleS3Key": { + "markdownDescription": "The Amazon S3 path for the ca certificates bundle.", + "title": "CaCertificatesBundleS3Key", + "type": "string" + }, + "CaCertificatesBundleS3ObjectVersion": { + "markdownDescription": "The Amazon S3 object version for the ca certificates bundle. 
If undefined the current version is used.", + "title": "CaCertificatesBundleS3ObjectVersion", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of the trust store.", + "title": "Name", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags to assign to the trust store.", + "title": "Tags", + "type": "array" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ElasticLoadBalancingV2::TrustStore" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::ElasticLoadBalancingV2::TrustStoreRevocation": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "RevocationContents": { + "items": { + "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TrustStoreRevocation.RevocationContent" + }, + "markdownDescription": "The revocation file to add.", + "title": "RevocationContents", + "type": "array" + }, + "TrustStoreArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the trust store.", + "title": "TrustStoreArn", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::ElasticLoadBalancingV2::TrustStoreRevocation" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + 
"AWS::ElasticLoadBalancingV2::TrustStoreRevocation.RevocationContent": { + "additionalProperties": false, + "properties": { + "RevocationType": { + "markdownDescription": "The type of revocation file.", + "title": "RevocationType", + "type": "string" + }, + "S3Bucket": { + "markdownDescription": "The Amazon S3 bucket for the revocation file.", + "title": "S3Bucket", + "type": "string" + }, + "S3Key": { + "markdownDescription": "The Amazon S3 path for the revocation file.", + "title": "S3Key", + "type": "string" + }, + "S3ObjectVersion": { + "markdownDescription": "The Amazon S3 object version of the revocation file.", + "title": "S3ObjectVersion", + "type": "string" + } + }, + "type": "object" + }, + "AWS::ElasticLoadBalancingV2::TrustStoreRevocation.TrustStoreRevocation": { + "additionalProperties": false, + "properties": { + "NumberOfRevokedEntries": { + "markdownDescription": "The number of revoked certificates.", + "title": "NumberOfRevokedEntries", + "type": "number" + }, + "RevocationId": { + "markdownDescription": "The revocation ID of the revocation file.", + "title": "RevocationId", + "type": "string" + }, + "RevocationType": { + "markdownDescription": "The type of revocation file.", + "title": "RevocationType", + "type": "string" + }, + "TrustStoreArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the trust store.", + "title": "TrustStoreArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::Elasticsearch::Domain": { "additionalProperties": false, "properties": { 
@@ -83699,33 +87490,47 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the workflow.", + "title": "Description", "type": "string" }, "IdMappingTechniques": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingTechniques" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingTechniques", + "markdownDescription": "An object which defines the `idMappingType` and the `providerProperties` .", + "title": "IdMappingTechniques" }, "InputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingWorkflowInputSource" }, + "markdownDescription": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "title": "InputSourceConfig", "type": "array" }, "OutputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingWorkflowOutputSource" }, + "markdownDescription": "A list of `IdMappingWorkflowOutputSource` objects, each of which contains fields `OutputS3Path` and `Output` .", + "title": "OutputSourceConfig", "type": "array" }, "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "title": "RoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" }, "WorkflowName": { + "markdownDescription": "The name of the workflow. There can't be multiple `IdMappingWorkflows` with the same name.", + "title": "WorkflowName", "type": "string" } }, 
@@ -83763,10 +87568,14 @@ "additionalProperties": false, "properties": { "IdMappingType": { + "markdownDescription": "The type of ID mapping.", + "title": "IdMappingType", "type": "string" }, "ProviderProperties": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.ProviderProperties" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.ProviderProperties", + "markdownDescription": "An object which defines any additional configurations required by the provider service.", + "title": "ProviderProperties" } }, "type": "object" @@ -83775,9 +87584,13 @@ "additionalProperties": false, "properties": { "InputSourceARN": { + "markdownDescription": "An AWS Glue table ARN for the input source table.", + "title": "InputSourceARN", "type": "string" }, "SchemaArn": { + "markdownDescription": "The ARN (Amazon Resource Name) that AWS Entity Resolution generated for the `SchemaMapping` .", + "title": "SchemaArn", "type": "string" } }, @@ -83791,9 +87604,13 @@ "additionalProperties": false, "properties": { "KMSArn": { + "markdownDescription": "Customer AWS KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "title": "KMSArn", "type": "string" }, "OutputS3Path": { + "markdownDescription": "The S3 path to which AWS Entity Resolution will write the output table.", + "title": "OutputS3Path", "type": "string" } }, @@ -83806,6 +87623,8 @@ "additionalProperties": false, "properties": { "IntermediateS3Path": { + "markdownDescription": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`", + "title": "IntermediateS3Path", "type": "string" } }, 
@@ -83818,18 +87637,24 @@ "additionalProperties": false, "properties": { "IntermediateSourceConfiguration": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IntermediateSourceConfiguration" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IntermediateSourceConfiguration", + "markdownDescription": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "title": "IntermediateSourceConfiguration" }, "ProviderConfiguration": { "additionalProperties": true, + "markdownDescription": "The required configuration fields to use with the provider service.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "ProviderConfiguration", "type": "object" }, "ProviderServiceArn": { + "markdownDescription": "The ARN of the provider service.", + "title": "ProviderServiceArn", "type": "string" } }, 
@@ -83874,33 +87699,47 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the workflow.", + "title": "Description", "type": "string" }, "InputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.InputSource" }, + "markdownDescription": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "title": "InputSourceConfig", "type": "array" }, "OutputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.OutputSource" }, + "markdownDescription": "A list of `OutputSource` objects, each of which contains fields `OutputS3Path` , `ApplyNormalization` , and `Output` .", + "title": "OutputSourceConfig", "type": "array" }, "ResolutionTechniques": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ResolutionTechniques" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ResolutionTechniques", + "markdownDescription": "An object which defines the `resolutionType` and the `ruleBasedProperties` .", + "title": "ResolutionTechniques" }, "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "title": "RoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" }, "WorkflowName": { + "markdownDescription": "The name of the workflow. There can't be multiple `MatchingWorkflows` with the same name.", + "title": "WorkflowName", "type": "string" } }, 
@@ -83938,12 +87777,18 @@ "additionalProperties": false, "properties": { "ApplyNormalization": { + "markdownDescription": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "title": "ApplyNormalization", "type": "boolean" }, "InputSourceARN": { + "markdownDescription": "An object containing `InputSourceARN` , `SchemaName` , and `ApplyNormalization` .", + "title": "InputSourceARN", "type": "string" }, "SchemaArn": { + "markdownDescription": "The name of the schema.", + "title": "SchemaArn", "type": "string" } }, @@ -83957,6 +87802,8 @@ "additionalProperties": false, "properties": { "IntermediateS3Path": { + "markdownDescription": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`", + "title": "IntermediateS3Path", "type": "string" } }, @@ -83969,9 +87816,13 @@ "additionalProperties": false, "properties": { "Hashed": { + "markdownDescription": "Enables the ability to hash the column values in the output.", + "title": "Hashed", "type": "boolean" }, "Name": { + "markdownDescription": "A name of a column to be written to the output. This must be an `InputField` name in the schema mapping.", + "title": "Name", "type": "string" } }, 
@@ -83984,18 +87835,26 @@ "additionalProperties": false, "properties": { "ApplyNormalization": { + "markdownDescription": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "title": "ApplyNormalization", "type": "boolean" }, "KMSArn": { + "markdownDescription": "Customer KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "title": "KMSArn", "type": "string" }, "Output": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.OutputAttribute" }, + "markdownDescription": "A list of `OutputAttribute` objects, each of which have the fields `Name` and `Hashed` . Each of these objects selects a column to be included in the output table, and whether the values of the column should be hashed.", + "title": "Output", "type": "array" }, "OutputS3Path": { + "markdownDescription": "The S3 path to which AWS Entity Resolution will write the output table.", + "title": "OutputS3Path", "type": "string" } }, 
@@ -84009,18 +87868,24 @@ "additionalProperties": false, "properties": { "IntermediateSourceConfiguration": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.IntermediateSourceConfiguration" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.IntermediateSourceConfiguration", + "markdownDescription": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "title": "IntermediateSourceConfiguration" }, "ProviderConfiguration": { "additionalProperties": true, + "markdownDescription": "The required configuration fields to use with the provider service.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "ProviderConfiguration", "type": "object" }, "ProviderServiceArn": { + "markdownDescription": "The ARN of the provider service.", + "title": "ProviderServiceArn", "type": "string" } }, @@ -84033,13 +87898,19 @@ "additionalProperties": false, "properties": { "ProviderProperties": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ProviderProperties" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ProviderProperties", + "markdownDescription": "The properties of the provider service.", + "title": "ProviderProperties" }, "ResolutionType": { + "markdownDescription": "The type of matching. There are two types of matching: `RULE_MATCHING` and `ML_MATCHING` .", + "title": "ResolutionType", "type": "string" }, "RuleBasedProperties": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.RuleBasedProperties" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.RuleBasedProperties", + "markdownDescription": "An object which defines the list of matching rules to run and has a field `Rules` , which is a list of rule objects.", + "title": "RuleBasedProperties" } }, "type": "object" 
@@ -84051,9 +87922,13 @@ "items": { "type": "string" }, + "markdownDescription": "A list of `MatchingKeys` . The `MatchingKeys` must have been defined in the `SchemaMapping` . Two records are considered to match according to this rule if all of the `MatchingKeys` match.", + "title": "MatchingKeys", "type": "array" }, "RuleName": { + "markdownDescription": "A name for the matching rule.", + "title": "RuleName", "type": "string" } }, @@ -84067,12 +87942,16 @@ "additionalProperties": false, "properties": { "AttributeMatchingModel": { + "markdownDescription": "The comparison type. You can either choose `ONE_TO_ONE` or `MANY_TO_MANY` as the AttributeMatchingModel. When choosing `MANY_TO_MANY` , the system can match attributes across the sub-types of an attribute type. For example, if the value of the `Email` field of Profile A and the value of `BusinessEmail` field of Profile B matches, the two profiles are matched on the `Email` type. When choosing `ONE_TO_ONE` ,the system can only match if the sub-types are exact matches. For example, only when the value of the `Email` field of Profile A and the value of the `Email` field of Profile B matches, the two profiles are matched on the `Email` type.", + "title": "AttributeMatchingModel", "type": "string" }, "Rules": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.Rule" }, + "markdownDescription": "A list of `Rule` objects, each of which have fields `RuleName` and `MatchingKeys` .", + "title": "Rules", "type": "array" } }, 
@@ -84118,21 +87997,29 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the schema.", + "title": "Description", "type": "string" }, "MappedInputFields": { "items": { "$ref": "#/definitions/AWS::EntityResolution::SchemaMapping.SchemaInputAttribute" }, + "markdownDescription": "A list of `MappedInputFields` . Each `MappedInputField` corresponds to a column the source data table, and contains column name plus additional information that AWS Entity Resolution uses for matching.", + "title": "MappedInputFields", "type": "array" }, "SchemaName": { + "markdownDescription": "The name of the schema. There can't be multiple `SchemaMappings` with the same name.", + "title": "SchemaName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" } }, 
@@ -84167,18 +88054,28 @@ "additionalProperties": false, "properties": { "FieldName": { + "markdownDescription": "A string containing the field name.", + "title": "FieldName", "type": "string" }, "GroupName": { + "markdownDescription": "Instruct AWS Entity Resolution to combine several columns into a unified column with the identical attribute type. For example, when working with columns such as first_name, middle_name, and last_name, assigning them a common `GroupName` will prompt AWS Entity Resolution to concatenate them into a single value.", + "title": "GroupName", "type": "string" }, "MatchKey": { + "markdownDescription": "A key that allows grouping of multiple input attributes into a unified matching group. For example, let's consider a scenario where the source table contains various addresses, such as `business_address` and `shipping_address` . By assigning the `MatchKey` *Address* to both attributes, AWS Entity Resolution will match records across these fields to create a consolidated matching group. If no `MatchKey` is specified for a column, it won't be utilized for matching purposes but will still be included in the output table.", + "title": "MatchKey", "type": "string" }, "SubType": { + "markdownDescription": "The subtype of the attribute, selected from a list of values.", + "title": "SubType", "type": "string" }, "Type": { + "markdownDescription": "The type of the attribute, selected from a list of values.", + "title": "Type", "type": "string" } }, @@ -84277,12 +88174,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } 
@@ -84373,12 +88270,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -84568,12 +88465,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -85247,6 +89144,8 @@ "type": "string" }, "Policy": { + "markdownDescription": "The permissions policy of the event bus, describing which other AWS accounts can write events to this event bus.", + "title": "Policy", "type": "object" }, "Tags": { 
@@ -85463,7 +89362,7 @@ "type": "string" }, "State": { - "markdownDescription": "The state of the rule.", + "markdownDescription": "The state of the rule.\n\nValid values include:\n\n- `DISABLED` : The rule is disabled. EventBridge does not match any events against the rule.\n- `ENABLED` : The rule is enabled. EventBridge matches events against the rule, *except* for AWS management events delivered through CloudTrail.\n- `ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS` : The rule is enabled for all events, including AWS management events delivered through CloudTrail.\n\nManagement events provide visibility into management operations that are performed on resources in your AWS account. These are also known as control plane operations. For more information, see [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#logging-management-events) in the *CloudTrail User Guide* , and [Filtering management events from AWS services](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html#eb-service-event-cloudtrail) in the *Amazon EventBridge User Guide* .\n\nThis value is only valid for rules on the [default](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is-how-it-works-concepts.html#eb-bus-concepts-buses) event bus or [custom event buses](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-event-bus.html) . It does not apply to [partner event buses](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-saas.html) .", "title": "State", "type": "string" }, 
@@ -85851,6 +89750,8 @@ "items": { "type": "string" }, + "markdownDescription": "One or more SQL statements to run. The SQL statements are run as a single transaction. They run serially in the order of the array. Subsequent SQL statements don't start until the previous statement in the array completes. If any SQL statement fails, then because they are run as one transaction, all work is rolled back.", + "title": "Sqls", "type": "array" }, "StatementName": { @@ -86147,7 +90048,7 @@ "type": "number" }, "Segment": { - "markdownDescription": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "markdownDescription": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "title": "Segment", "type": "string" }, @@ -86986,7 +90887,7 @@ "type": "string" }, "Pattern": { - "markdownDescription": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "markdownDescription": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "title": "Pattern", "type": "string" }, 
@@ -87072,17 +90973,22 @@ "type": "object" }, "Description": { - "markdownDescription": "A description for the experiment template.", + "markdownDescription": "The description for the experiment template.", "title": "Description", "type": "string" }, + "ExperimentOptions": { + "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.ExperimentTemplateExperimentOptions", + "markdownDescription": "The experiment options for an experiment template.", + "title": "ExperimentOptions" + }, "LogConfiguration": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.ExperimentTemplateLogConfiguration", "markdownDescription": "The configuration for experiment logging.", "title": "LogConfiguration" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that grants the AWS FIS service permission to perform service actions on your behalf.", + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role.", "title": "RoleArn", "type": "string" }, @@ -87090,13 +90996,13 @@ "items": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.ExperimentTemplateStopCondition" }, - "markdownDescription": "The stop conditions.", + "markdownDescription": "The stop conditions for the experiment.", "title": "StopConditions", "type": "array" }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags to apply to the experiment template.", + "markdownDescription": "The tags for the experiment template.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -87165,7 +91071,7 @@ "additionalProperties": false, "properties": { "ActionId": { - "markdownDescription": "The ID of the action. The format of the action ID is: aws: *service-name* : *action-type* .", + "markdownDescription": "The ID of the action.", "title": "ActionId", "type": "string" }, 
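Review bot: The regenerated FIS descriptions lose guidance rather than gain it, starting in the hunks on this line, where `RoleArn` no longer says the role grants the AWS FIS service permission to act on your behalf and `ActionId` no longer gives its format. Later hunks repeat this: the action's `Parameters` and `Targets` lose both `title` and `markdownDescription`, the stop condition `Source` no longer names `aws:cloudwatch:alarm` and `none`, and `SelectionMode` drops the `ALL`, `COUNT(n)` and `PERCENT(n)` list. Stop conditions and selection mode bound how much an experiment can affect, so template authors reading hover docs from this schema lose the information they need to scope one safely. This looks like generated output, so I would confirm that the shorter text is what the upstream documentation now says and not a generator mismatch. If it is a mismatch, regenerate so that at least `"title": "Parameters"` and `"title": "Targets"` and their descriptions come back.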
@@ -87176,32 +91082,28 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "The parameters for the action, if applicable.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Parameters", "type": "object" }, "StartAfter": { "items": { "type": "string" }, - "markdownDescription": "The name of the action that must be completed before the current action starts. Omit this parameter to run the action at the start of the experiment.", + "markdownDescription": "The name of the action that must be completed before the current action starts.", "title": "StartAfter", "type": "array" }, "Targets": { "additionalProperties": true, - "markdownDescription": "The targets for the action.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Targets", "type": "object" } }, @@ -87210,12 +91112,28 @@ ], "type": "object" }, + "AWS::FIS::ExperimentTemplate.ExperimentTemplateExperimentOptions": { + "additionalProperties": false, + "properties": { + "AccountTargeting": { + "markdownDescription": "The account targeting setting for an experiment template.", + "title": "AccountTargeting", + "type": "string" + }, + "EmptyTargetResolutionMode": { + "markdownDescription": "The empty target resolution mode for an experiment template.", + "title": "EmptyTargetResolutionMode", + "type": "string" + } + }, + "type": "object" + }, "AWS::FIS::ExperimentTemplate.ExperimentTemplateLogConfiguration": { "additionalProperties": false, "properties": { "CloudWatchLogsConfiguration": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.CloudWatchLogsConfiguration", - "markdownDescription": "The configuration for experiment logging to CloudWatch Logs .", + "markdownDescription": "The configuration for experiment logging to Amazon CloudWatch Logs.", "title": "CloudWatchLogsConfiguration" }, "LogSchemaVersion": { 
@@ -87225,7 +91143,7 @@ }, "S3Configuration": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.S3Configuration", - "markdownDescription": "The configuration for experiment logging to Amazon S3 .", + "markdownDescription": "The configuration for experiment logging to Amazon S3.", "title": "S3Configuration" } }, @@ -87238,12 +91156,12 @@ "additionalProperties": false, "properties": { "Source": { - "markdownDescription": "The source for the stop condition. Specify `aws:cloudwatch:alarm` if the stop condition is defined by a CloudWatch alarm. Specify `none` if there is no stop condition.", + "markdownDescription": "The source for the stop condition.", "title": "Source", "type": "string" }, "Value": { - "markdownDescription": "The Amazon Resource Name (ARN) of the CloudWatch alarm. This is required if the source is a CloudWatch alarm.", + "markdownDescription": "The Amazon Resource Name (ARN) of the CloudWatch alarm, if applicable.", "title": "Value", "type": "string" } @@ -87266,7 +91184,7 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "The parameters for the resource type.", + "markdownDescription": "The resource type parameters.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -87279,7 +91197,7 @@ "items": { "type": "string" }, - "markdownDescription": "The Amazon Resource Names (ARNs) of the resources.", + "markdownDescription": "The Amazon Resource Names (ARNs) of the targets.", "title": "ResourceArns", "type": "array" }, 
@@ -87295,12 +91213,12 @@ "type": "object" }, "ResourceType": { - "markdownDescription": "The resource type. The resource type must be supported for the specified action.", + "markdownDescription": "The resource type.", "title": "ResourceType", "type": "string" }, "SelectionMode": { - "markdownDescription": "Scopes the identified resources to a specific count of the resources at random, or a percentage of the resources. All identified resources are included in the target.\n\n- ALL - Run the action on all identified targets. This is the default.\n- COUNT(n) - Run the action on the specified number of targets, chosen from the identified targets at random. For example, COUNT(1) selects one of the targets.\n- PERCENT(n) - Run the action on the specified percentage of targets, chosen from the identified targets at random. For example, PERCENT(25) selects 25% of the targets.", + "markdownDescription": "Scopes the identified resources to a specific count or percentage.", "title": "SelectionMode", "type": "string" } 
@@ -87353,6 +91271,90 @@ ], "type": "object" }, + "AWS::FIS::TargetAccountConfiguration": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "AccountId": { + "markdownDescription": "The AWS account ID of the target account.", + "title": "AccountId", + "type": "string" + }, + "Description": { + "markdownDescription": "The description of the target account.", + "title": "Description", + "type": "string" + }, + "ExperimentTemplateId": { + "markdownDescription": "The ID of the experiment template.", + "title": "ExperimentTemplateId", + "type": "string" + }, + "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role for the target account.", + "title": "RoleArn", + "type": "string" + } + }, + "required": [ + "AccountId", + "ExperimentTemplateId", + "RoleArn" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::FIS::TargetAccountConfiguration" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::FMS::NotificationChannel": { "additionalProperties": false, "properties": { 
@@ -87513,7 +91515,7 @@ "type": "array" }, "ResourceType": { - "markdownDescription": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nFor AWS WAF and Shield Advanced, example resource types include `AWS::ElasticLoadBalancingV2::LoadBalancer` and `AWS::CloudFront::Distribution` . For a security group common policy, valid values are `AWS::EC2::NetworkInterface` and `AWS::EC2::Instance` . For a security group content audit policy, valid values are `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` . For a security group usage audit policy, the value is `AWS::EC2::SecurityGroup` . For an AWS Network Firewall policy or DNS Firewall policy, the value is `AWS::EC2::VPC` .", + "markdownDescription": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . 
To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nThe following are valid resource types for each Firewall Manager policy type:\n\n- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .\n- AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .\n- DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .\n- AWS Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .\n- Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .\n- Security group usage audit - `AWS::EC2::SecurityGroup` .", "title": "ResourceType", "type": "string" }, 
@@ -87532,7 +91534,7 @@ }, "SecurityServicePolicyData": { "$ref": "#/definitions/AWS::FMS::Policy.SecurityServicePolicyData", - "markdownDescription": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. 
Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. 
To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the 
`loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. 
If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "markdownDescription": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. 
For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucke
tName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone 
configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. 
To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment 
model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: 
`WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group 
versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. 
Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "title": "SecurityServicePolicyData" }, "Tags": { 
@@ -87668,7 +91670,7 @@ "additionalProperties": false, "properties": { "ManagedServiceData": { - "markdownDescription": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestratio
nConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\
\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": 
\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set 
[FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the 
`loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. 
If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. 
For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "markdownDescription": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"lo
gType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\
\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":
\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} 
},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route 
management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\
"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"\\THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] 
},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: 
`WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]},\\\"optimizeUnassociatedWebACL\\\":true}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group 
versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. 
Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "title": "ManagedServiceData", "type": "string" }, @@ -87759,7 +91761,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources included in the resource set.", + "markdownDescription": "", "title": "Resources", "type": "array" }, @@ -87767,7 +91769,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A collection of key:value pairs associated with a resource set. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.", + "markdownDescription": "", "title": "Tags", "type": "array" } 
@@ -87997,7 +91999,7 @@ "type": "string" }, "FileSystemTypeVersion": { - "markdownDescription": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` and `2.12` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 is supported by all Lustre deployment types. `2.12` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", + "markdownDescription": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` , `2.12` , and `2.15` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 and 2.15 are supported by all Lustre deployment types. `2.12` or `2.15` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", "title": "FileSystemTypeVersion", "type": "string" }, 
@@ -88136,7 +92138,7 @@ "additionalProperties": false, "properties": { "Iops": { - "markdownDescription": "The total number of SSD IOPS provisioned for the file system.", + "markdownDescription": "The total number of SSD IOPS provisioned for the file system.\n\nThe minimum and maximum values for this property depend on the value of `HAPairs` and `StorageCapacity` . The minimum value is calculated as `StorageCapacity` * 3 * `HAPairs` (3 IOPS per GB of `StorageCapacity` ). The maximum value is calculated as 200,000 * `HAPairs` .\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) if the value of `Iops` is outside of the minimum or maximum values.", "title": "Iops", "type": "number" }, 
@@ -88242,7 +92244,7 @@ "type": "string" }, "DeploymentType": { - "markdownDescription": "Specifies the FSx for ONTAP file system deployment type to use in creating the file system.\n\n- `MULTI_AZ_1` - (Default) A high availability file system configured for Multi-AZ redundancy to tolerate temporary Availability Zone (AZ) unavailability.\n- `SINGLE_AZ_1` - A file system configured for Single-AZ redundancy.\n\nFor information about the use cases for Multi-AZ and Single-AZ deployments, refer to [Choosing a file system deployment type](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/high-availability-AZ.html) .", + "markdownDescription": "Specifies the FSx for ONTAP file system deployment type to use in creating the file system.\n\n- `MULTI_AZ_1` - (Default) A high availability file system configured for Multi-AZ redundancy to tolerate temporary Availability Zone (AZ) unavailability.\n- `SINGLE_AZ_1` - A file system configured for Single-AZ redundancy.\n- `SINGLE_AZ_2` - A file system configured with multiple high-availability (HA) pairs for Single-AZ redundancy.\n\nFor information about the use cases for Multi-AZ and Single-AZ deployments, refer to [Choosing a file system deployment type](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/high-availability-AZ.html) .", "title": "DeploymentType", "type": "string" }, @@ -88261,6 +92263,11 @@ "title": "FsxAdminPassword", "type": "string" }, + "HAPairs": { + "markdownDescription": "", + "title": "HAPairs", + "type": "number" + }, "PreferredSubnetId": { "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", "title": "PreferredSubnetId", 
@@ -88270,15 +92277,20 @@ "items": { "type": "string" }, - "markdownDescription": "(Multi-AZ only) Specifies the virtual private cloud (VPC) route tables in which your file system's endpoints will be created. You should specify all VPC route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "markdownDescription": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", "title": "RouteTableIds", "type": "array" }, "ThroughputCapacity": { - "markdownDescription": "Sets the throughput capacity for the file system that you're creating. Valid values are 128, 256, 512, 1024, 2048, and 4096 MBps.", + "markdownDescription": "Sets the throughput capacity for the file system that you're creating in megabytes per second (MBps). For more information, see [Managing throughput capacity](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/managing-throughput-capacity.html) in the FSx for ONTAP User Guide.\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) for the following conditions:\n\n- The value of `ThroughputCapacity` and `ThroughputCapacityPerHAPair` are not the same value.\n- The value of `ThroughputCapacity` when divided by the value of `HAPairs` is outside of the valid range for `ThroughputCapacity` .", "title": "ThroughputCapacity", "type": "number" }, + "ThroughputCapacityPerHAPair": { + "markdownDescription": "", + "title": "ThroughputCapacityPerHAPair", + "type": "number" + }, "WeeklyMaintenanceStartTime": { "markdownDescription": "A recurring weekly time, in the format `D:HH:MM` .\n\n`D` is the day of the week, for which 1 represents Monday and 7 represents Sunday. 
For further details, see [the ISO-8601 spec as described on Wikipedia](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_week_date) .\n\n`HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour.\n\nFor example, `1:05:00` specifies maintenance at 5 AM Monday.", "title": "WeeklyMaintenanceStartTime", 
@@ -88314,16 +92326,18 @@ "type": "string" }, "DeploymentType": { - "markdownDescription": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `SINGLE_AZ_1` - (Default) Creates file systems with throughput capacities of 64 - 4,096 MBps. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland) AWS Regions .\n\nFor more information, see: [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", + "markdownDescription": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `MULTI_AZ_1` - Creates file systems with high availability that are configured for Multi-AZ redundancy to tolerate temporary unavailability in Availability Zones (AZs). `Multi_AZ_1` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n- `SINGLE_AZ_1` - Creates file systems with throughput capacities of 64 - 4,096 MB/s. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. 
Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n\nFor more information, see [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", "title": "DeploymentType", "type": "string" }, "DiskIopsConfiguration": { "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration", - "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", + "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP, Amazon FSx for Windows File Server, or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", "title": "DiskIopsConfiguration" }, "EndpointIpAddressRange": { + "markdownDescription": "(Multi-AZ only) Specifies the IP address range in which the endpoints to access your file system will be created. By default in the Amazon FSx API and Amazon FSx console, Amazon FSx selects an available /28 IP address range for you from one of the VPC's CIDR ranges. 
You can have overlapping endpoint IP addresses for file systems deployed in the same VPC/route tables.", + "title": "EndpointIpAddressRange", "type": "string" }, "Options": { @@ -88335,6 +92349,8 @@ "type": "array" }, "PreferredSubnetId": { + "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", + "title": "PreferredSubnetId", "type": "string" }, "RootVolumeConfiguration": { @@ -88346,10 +92362,12 @@ "items": { "type": "string" }, + "markdownDescription": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "title": "RouteTableIds", "type": "array" }, "ThroughputCapacity": { - "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n- For `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n\nYou pay for additional throughput capacity that you provision.", + "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", "title": "ThroughputCapacity", "type": "number" }, 
@@ -88508,7 +92526,9 @@ "type": "string" }, "DiskIopsConfiguration": { - "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration" + "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration", + "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for Windows file system. By default, Amazon FSx automatically provisions 3 IOPS per GiB of storage capacity. You can provision additional IOPS per GiB of storage, up to the maximum limit associated with your chosen throughput capacity.", + "title": "DiskIopsConfiguration" }, "PreferredSubnetId": { "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located. For in- AWS applications, we recommend that you launch your clients in the same availability zone as your preferred file server to reduce cross-availability zone data transfer costs and minimize latency.", 
@@ -88863,13 +92883,36 @@ ], "type": "object" }, + "AWS::FSx::Volume.AggregateConfiguration": { + "additionalProperties": false, + "properties": { + "Aggregates": { + "items": { + "type": "string" + }, + "markdownDescription": "The list of aggregates that this volume resides on. Aggregates are storage pools which make up your primary storage tier. Each high-availability (HA) pair has one aggregate. The names of the aggregates map to the names of the aggregates in the ONTAP CLI and REST API. For FlexVols, there will always be a single entry.\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) for the following conditions:\n\n- The strings in the value of `Aggregates` are not are not formatted as `aggrX` , where X is a number between 1 and 6.\n- The value of `Aggregates` contains aggregates that are not present.\n- One or more of the aggregates supplied are too close to the volume limit to support adding more volumes.", + "title": "Aggregates", + "type": "array" + }, + "ConstituentsPerAggregate": { + "markdownDescription": "", + "title": "ConstituentsPerAggregate", + "type": "number" + } + }, + "type": "object" + }, "AWS::FSx::Volume.AutocommitPeriod": { "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Defines the type of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. Setting this value to `NONE` disables autocommit. The default value is `NONE` .", + "title": "Type", "type": "string" }, "Value": { + "markdownDescription": "Defines the amount of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. The following ranges are valid:\n\n- `Minutes` : 5 - 65,535\n- `Hours` : 1 - 65,535\n- `Days` : 1 - 3,650\n- `Months` : 1 - 120\n- `Years` : 1 - 10", + "title": "Value", "type": "number" } }, 
@@ -88921,6 +92964,11 @@ "AWS::FSx::Volume.OntapConfiguration": { "additionalProperties": false, "properties": { + "AggregateConfiguration": { + "$ref": "#/definitions/AWS::FSx::Volume.AggregateConfiguration", + "markdownDescription": "", + "title": "AggregateConfiguration" + }, "CopyTagsToBackups": { "markdownDescription": "A boolean flag indicating whether tags for the volume should be copied to backups. This value defaults to false. If it's set to true, all tags for the volume are copied to all automatic and user-initiated backups where the user doesn't specify tags. If this value is true, and you specify one or more tags, only the specified tags are copied to backups. If you specify one or more tags when creating a user-initiated backup, no tags are copied from the volume, regardless of this value.", "title": "CopyTagsToBackups", 
@@ -88941,13 +92989,20 @@ "title": "SecurityStyle", "type": "string" }, + "SizeInBytes": { + "markdownDescription": "", + "title": "SizeInBytes", + "type": "string" + }, "SizeInMegabytes": { "markdownDescription": "Specifies the size of the volume, in megabytes (MB), that you are creating.", "title": "SizeInMegabytes", "type": "string" }, "SnaplockConfiguration": { - "$ref": "#/definitions/AWS::FSx::Volume.SnaplockConfiguration" + "$ref": "#/definitions/AWS::FSx::Volume.SnaplockConfiguration", + "markdownDescription": "The SnapLock configuration object for an FSx for ONTAP SnapLock volume.", + "title": "SnaplockConfiguration" }, "SnapshotPolicy": { "markdownDescription": "Specifies the snapshot policy for the volume. There are three built-in snapshot policies:\n\n- `default` : This is the default policy. A maximum of six hourly snapshots taken five minutes past the hour. A maximum of two daily snapshots taken Monday through Saturday at 10 minutes after midnight. A maximum of two weekly snapshots taken every Sunday at 15 minutes after midnight.\n- `default-1weekly` : This policy is the same as the `default` policy except that it only retains one snapshot from the weekly schedule.\n- `none` : This policy does not take any snapshots. This policy can be assigned to volumes to prevent automatic snapshots from being taken.\n\nYou can also provide the name of a custom policy that you created with the ONTAP CLI or REST API.\n\nFor more information, see [Snapshot policies](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snapshots-ontap.html#snapshot-policies) in the *Amazon FSx for NetApp ONTAP User Guide* .", 
@@ -88968,10 +93023,14 @@ "$ref": "#/definitions/AWS::FSx::Volume.TieringPolicy", "markdownDescription": "Describes the data tiering policy for an ONTAP volume. When enabled, Amazon FSx for ONTAP's intelligent tiering automatically transitions a volume's data between the file system's primary storage and capacity pool storage based on your access patterns.\n\nValid tiering policies are the following:\n\n- `SNAPSHOT_ONLY` - (Default value) moves cold snapshots to the capacity pool storage tier.\n\n- `AUTO` - moves cold user data and snapshots to the capacity pool storage tier based on your access patterns.\n\n- `ALL` - moves all user data blocks in both the active file system and Snapshot copies to the storage pool tier.\n\n- `NONE` - keeps a volume's data in the primary storage tier, preventing it from being moved to the capacity pool tier.", "title": "TieringPolicy" + }, + "VolumeStyle": { + "markdownDescription": "", + "title": "VolumeStyle", + "type": "string" } }, "required": [ - "SizeInMegabytes", "StorageVirtualMachineId" ], "type": "object" 
@@ -89053,7 +93112,7 @@ "additionalProperties": false, "properties": { "CopyStrategy": { - "markdownDescription": "The strategy used when copying data from the snapshot to the new volume.\n\n- `CLONE` - The new volume references the data in the origin snapshot. Cloning a snapshot is faster than copying data from the snapshot to a new volume and doesn't consume disk throughput. However, the origin snapshot can't be deleted if there is a volume using its copied data.\n- `FULL_COPY` - Copies all data from the snapshot to the new volume.", + "markdownDescription": "Specifies the strategy used when copying data from the snapshot to the new volume.\n\n- `CLONE` - The new volume references the data in the origin snapshot. Cloning a snapshot is faster than copying data from the snapshot to a new volume and doesn't consume disk throughput. However, the origin snapshot can't be deleted if there is a volume using its copied data.\n- `FULL_COPY` - Copies all data from the snapshot to the new volume.\n\nSpecify this option to create the volume from a snapshot on another FSx for OpenZFS file system.\n\n> The `INCREMENTAL_COPY` option is only for updating an existing volume by using a snapshot from another FSx for OpenZFS file system. For more information, see [CopySnapshotAndUpdateVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CopySnapshotAndUpdateVolume.html) .", "title": "CopyStrategy", "type": "string" }, 
@@ -89073,9 +93132,13 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Defines the type of time for the retention period of an FSx for ONTAP SnapLock volume. Set it to one of the valid types. If you set it to `INFINITE` , the files are retained forever. If you set it to `UNSPECIFIED` , the files are retained until you set an explicit retention period.", + "title": "Type", "type": "string" }, "Value": { + "markdownDescription": "Defines the amount of time for the retention period of an FSx for ONTAP SnapLock volume. You can't set a value for `INFINITE` or `UNSPECIFIED` . For all other options, the following ranges are valid:\n\n- `Seconds` : 0 - 65,535\n- `Minutes` : 0 - 65,535\n- `Hours` : 0 - 24\n- `Days` : 0 - 365\n- `Months` : 0 - 12\n- `Years` : 0 - 100", + "title": "Value", "type": "number" } }, 
@@ -89088,21 +93151,33 @@ "additionalProperties": false, "properties": { "AuditLogVolume": { + "markdownDescription": "Enables or disables the audit log volume for an FSx for ONTAP SnapLock volume. The default value is `false` . If you set `AuditLogVolume` to `true` , the SnapLock volume is created as an audit log volume. The minimum retention period for an audit log volume is six months.\n\nFor more information, see [SnapLock audit log volumes](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/how-snaplock-works.html#snaplock-audit-log-volume) .", + "title": "AuditLogVolume", "type": "string" }, "AutocommitPeriod": { - "$ref": "#/definitions/AWS::FSx::Volume.AutocommitPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.AutocommitPeriod", + "markdownDescription": "The configuration object for setting the autocommit period of files in an FSx for ONTAP SnapLock volume.", + "title": "AutocommitPeriod" }, "PrivilegedDelete": { + "markdownDescription": "Enables, disables, or permanently disables privileged delete on an FSx for ONTAP SnapLock Enterprise volume. Enabling privileged delete allows SnapLock administrators to delete write once, read many (WORM) files even if they have active retention periods. `PERMANENTLY_DISABLED` is a terminal state. If privileged delete is permanently disabled on a SnapLock volume, you can't re-enable it. The default value is `DISABLED` .\n\nFor more information, see [Privileged delete](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html#privileged-delete) .", + "title": "PrivilegedDelete", "type": "string" }, "RetentionPeriod": { - "$ref": "#/definitions/AWS::FSx::Volume.SnaplockRetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.SnaplockRetentionPeriod", + "markdownDescription": "Specifies the retention period of an FSx for ONTAP SnapLock volume.", + "title": "RetentionPeriod" }, "SnaplockType": { + "markdownDescription": "Specifies the retention mode of an FSx for ONTAP SnapLock volume. 
After it is set, it can't be changed. You can choose one of the following retention modes:\n\n- `COMPLIANCE` : Files transitioned to write once, read many (WORM) on a Compliance volume can't be deleted until their retention periods expire. This retention mode is used to address government or industry-specific mandates or to protect against ransomware attacks. For more information, see [SnapLock Compliance](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-compliance.html) .\n- `ENTERPRISE` : Files transitioned to WORM on an Enterprise volume can be deleted by authorized users before their retention periods expire using privileged delete. This retention mode is used to advance an organization's data integrity and internal compliance or to test retention settings before using SnapLock Compliance. For more information, see [SnapLock Enterprise](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html) .", + "title": "SnaplockType", "type": "string" }, "VolumeAppendModeEnabled": { + "markdownDescription": "Enables or disables volume-append mode on an FSx for ONTAP SnapLock volume. Volume-append mode allows you to create WORM-appendable files and write data to them incrementally. The default value is `false` .\n\nFor more information, see [Volume-append mode](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/worm-state.html#worm-state-append) .", + "title": "VolumeAppendModeEnabled", "type": "string" } }, 
@@ -89115,13 +93190,19 @@ "additionalProperties": false, "properties": { "DefaultRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The retention period assigned to a write once, read many (WORM) file by default if an explicit retention period is not set for an FSx for ONTAP SnapLock volume. The default retention period must be greater than or equal to the minimum retention period and less than or equal to the maximum retention period.", + "title": "DefaultRetention" }, "MaximumRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The longest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "title": "MaximumRetention" }, "MinimumRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The shortest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "title": "MinimumRetention" } }, "required": [ @@ -89944,7 +94025,7 @@ "additionalProperties": false, "properties": { "Arn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the model.", "title": "Arn", "type": "string" } @@ -90024,7 +94105,7 @@ "type": "string" }, "Language": { - "markdownDescription": "The rule language.", + "markdownDescription": "The rule language.\n\nValid Value: DETECTORPL", "title": "Language", "type": "string" }, 
@@ -90900,12 +94981,12 @@ "type": "string" }, "OperatingSystem": { - "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> The Amazon Linux 2023 OS is not available in the China Regions. > Support is ending in 2023 for the Windows Server 2012 and Amazon Linux (AL1) operating systems. If you have active fleets using these operating systems, you can continue to create new builds using these until their end of support. All other users must use Windows Server 2016, Amazon Linux 2, or Amazon Linux 2023. For more information, including specific end-of-support dates, see the Amazon GameLift FAQs for [Windows Server](https://docs.aws.amazon.com/gamelift/faq/win2012/) and [Linux Server](https://docs.aws.amazon.com/gamelift/faq/al1/) .", + "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> If you have active fleets using the Windows Server 2012 operating system, you can continue to create new builds using this OS until October 10, 2023, when Microsoft ends its support. 
All others must use Windows Server 2016 when creating new Windows-based builds.", "title": "OperatingSystem", "type": "string" }, "ServerSdkVersion": { - "markdownDescription": "The Amazon GameLift Server SDK version used to develop your game server.", + "markdownDescription": "A server SDK version you used when integrating your game server build with Amazon GameLift. For more information see [Integrate games with custom game servers](https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html) . By default Amazon GameLift sets this value to `4.0.2` .", "title": "ServerSdkVersion", "type": "string" }, @@ -90946,22 +95027,22 @@ "additionalProperties": false, "properties": { "Bucket": { - "markdownDescription": "", + "markdownDescription": "An Amazon S3 bucket identifier. The name of the S3 bucket.\n\n> Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).", "title": "Bucket", "type": "string" }, "Key": { - "markdownDescription": "", + "markdownDescription": "The name of the zip file that contains the build files or script files.", "title": "Key", "type": "string" }, "ObjectVersion": { - "markdownDescription": "", + "markdownDescription": "A version of a stored file to retrieve, if the object versioning feature is turned on for the S3 bucket. Use this parameter to specify a specific version. If this parameter isn't set, Amazon GameLift retrieves the latest version of the file.", "title": "ObjectVersion", "type": "string" }, "RoleArn": { - "markdownDescription": "", + "markdownDescription": "The ARNfor an IAM role that allows Amazon GameLift to access the S3 bucket.", "title": "RoleArn", "type": "string" } 
@@ -91010,9 +95091,14 @@ "properties": { "AnywhereConfiguration": { "$ref": "#/definitions/AWS::GameLift::Fleet.AnywhereConfiguration", - "markdownDescription": "", + "markdownDescription": "Amazon GameLift Anywhere configuration options.", "title": "AnywhereConfiguration" }, + "ApplyCapacity": { + "markdownDescription": "Current resource capacity settings in a specified fleet or location. The location value might refer to a fleet's remote location or its home Region.\n\n*Related actions*\n\n[DescribeFleetCapacity](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeFleetCapacity.html) | [DescribeFleetLocationCapacity](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeFleetLocationCapacity.html) | [UpdateFleetCapacity](https://docs.aws.amazon.com/gamelift/latest/apireference/API_UpdateFleetCapacity.html)", + "title": "ApplyCapacity", + "type": "string" + }, "BuildId": { "markdownDescription": "A unique identifier for a build to be deployed on the new fleet. If you are deploying the fleet with a custom game build, you must specify this property. The build must have been successfully uploaded to Amazon GameLift and be in a `READY` status. This fleet setting cannot be changed once the fleet is created.", "title": "BuildId", @@ -91024,7 +95110,7 @@ "title": "CertificateConfiguration" }, "ComputeType": { - "markdownDescription": "The type of compute resource used to host your game servers. You can use your own compute resources with Amazon GameLift Anywhere or use Amazon EC2 instances with managed Amazon GameLift.", + "markdownDescription": "The type of compute resource used to host your game servers. You can use your own compute resources with Amazon GameLift Anywhere or use Amazon EC2 instances with managed Amazon GameLift. By default, this property is set to `EC2` .", "title": "ComputeType", "type": "string" }, 
@@ -91052,16 +95138,18 @@ "type": "string" }, "FleetType": { - "markdownDescription": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This property cannot be changed after the fleet is created.", + "markdownDescription": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This fleet property can't be changed after the fleet is created.", "title": "FleetType", "type": "string" }, "InstanceRoleARN": { - "markdownDescription": "A unique identifier for an IAM role that manages access to your AWS services. With an instance role ARN set, any application that runs on an instance in this fleet can assume the role, including install scripts, server processes, and daemons (background processes). Create a role or look up a role's ARN by using the [IAM dashboard](https://docs.aws.amazon.com/iam/) in the AWS Management Console . Learn more about using on-box credentials for your game servers at [Access external resources from a game server](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) . This property cannot be changed after the fleet is created.", + "markdownDescription": "A unique identifier for an IAM role with access permissions to other AWS services. Any application that runs on an instance in the fleet--including install scripts, server processes, and other processes--can use these permissions to interact with AWS resources that you own or have access to. 
For more information about using the role with your game server builds, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", "title": "InstanceRoleARN", "type": "string" }, "InstanceRoleCredentialsProvider": { + "markdownDescription": "Indicates that fleet instances maintain a shared credentials file for the IAM role defined in `InstanceRoleArn` . Shared credentials allow applications that are deployed with the game server executable to communicate with other AWS resources. This property is used only when the game server is integrated with the server SDK version 5.x. For more information about using shared credentials, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", + "title": "InstanceRoleCredentialsProvider", "type": "string" }, "Locations": { 
@@ -91120,6 +95208,14 @@ "markdownDescription": "Instructions for how to launch and maintain server processes on instances in the fleet. The runtime configuration defines one or more server process configurations, each identifying a build executable or Realtime script file and the number of processes of that type to run concurrently.\n\n> The `RuntimeConfiguration` parameter is required unless the fleet is being configured using the older parameters `ServerLaunchPath` and `ServerLaunchParameters` , which are still supported for backward compatibility.", "title": "RuntimeConfiguration" }, + "ScalingPolicies": { + "items": { + "$ref": "#/definitions/AWS::GameLift::Fleet.ScalingPolicy" + }, + "markdownDescription": "Rule that controls how a fleet is scaled. Scaling policies are uniquely identified by the combination of name and fleet ID.", + "title": "ScalingPolicies", + "type": "array" + }, "ScriptId": { "markdownDescription": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually.", "title": "ScriptId", 
@@ -91216,7 +95312,7 @@ "additionalProperties": false, "properties": { "DesiredEC2Instances": { - "markdownDescription": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits.", + "markdownDescription": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits. Changes in desired instance value can take up to 1 minute to be reflected when viewing the fleet's capacity settings.", "title": "DesiredEC2Instances", "type": "number" }, 
@@ -91297,6 +95393,76 @@ }, "type": "object" }, + "AWS::GameLift::Fleet.ScalingPolicy": { + "additionalProperties": false, + "properties": { + "ComparisonOperator": { + "markdownDescription": "Comparison operator to use when measuring a metric against the threshold value.", + "title": "ComparisonOperator", + "type": "string" + }, + "EvaluationPeriods": { + "markdownDescription": "Length of time (in minutes) the metric must be at or beyond the threshold before a scaling event is triggered.", + "title": "EvaluationPeriods", + "type": "number" + }, + "Location": { + "markdownDescription": "The fleet location.", + "title": "Location", + "type": "string" + }, + "MetricName": { + "markdownDescription": "Name of the Amazon GameLift-defined metric that is used to trigger a scaling adjustment. For detailed descriptions of fleet metrics, see [Monitor Amazon GameLift with Amazon CloudWatch](https://docs.aws.amazon.com/gamelift/latest/developerguide/monitoring-cloudwatch.html) .\n\n- *ActivatingGameSessions* -- Game sessions in the process of being created.\n- *ActiveGameSessions* -- Game sessions that are currently running.\n- *ActiveInstances* -- Fleet instances that are currently running at least one game session.\n- *AvailableGameSessions* -- Additional game sessions that fleet could host simultaneously, given current capacity.\n- *AvailablePlayerSessions* -- Empty player slots in currently active game sessions. This includes game sessions that are not currently accepting players. Reserved player slots are not included.\n- *CurrentPlayerSessions* -- Player slots in active game sessions that are being used by a player or are reserved for a player.\n- *IdleInstances* -- Active instances that are currently hosting zero game sessions.\n- *PercentAvailableGameSessions* -- Unused percentage of the total number of game sessions that a fleet could host simultaneously, given current capacity. 
Use this metric for a target-based scaling policy.\n- *PercentIdleInstances* -- Percentage of the total number of active instances that are hosting zero game sessions.\n- *QueueDepth* -- Pending game session placement requests, in any queue, where the current fleet is the top-priority destination.\n- *WaitTime* -- Current wait time for pending game session placement requests, in any queue, where the current fleet is the top-priority destination.", + "title": "MetricName", + "type": "string" + }, + "Name": { + "markdownDescription": "A descriptive label that is associated with a fleet's scaling policy. Policy names do not need to be unique.", + "title": "Name", + "type": "string" + }, + "PolicyType": { + "markdownDescription": "The type of scaling policy to create. For a target-based policy, set the parameter *MetricName* to 'PercentAvailableGameSessions' and specify a *TargetConfiguration* . For a rule-based policy set the following parameters: *MetricName* , *ComparisonOperator* , *Threshold* , *EvaluationPeriods* , *ScalingAdjustmentType* , and *ScalingAdjustment* .", + "title": "PolicyType", + "type": "string" + }, + "ScalingAdjustment": { + "markdownDescription": "Amount of adjustment to make, based on the scaling adjustment type.", + "title": "ScalingAdjustment", + "type": "number" + }, + "ScalingAdjustmentType": { + "markdownDescription": "The type of adjustment to make to a fleet's instance count.\n\n- *ChangeInCapacity* -- add (or subtract) the scaling adjustment value from the current instance count. Positive values scale up while negative values scale down.\n- *ExactCapacity* -- set the instance count to the scaling adjustment value.\n- *PercentChangeInCapacity* -- increase or reduce the current instance count by the scaling adjustment, read as a percentage. Positive values scale up while negative values scale down.", + "title": "ScalingAdjustmentType", + "type": "string" + }, + "Status": { + "markdownDescription": "Current status of the scaling policy. 
The scaling policy can be in force only when in an `ACTIVE` status. Scaling policies can be suspended for individual fleets. If the policy is suspended for a fleet, the policy status does not change.\n\n- *ACTIVE* -- The scaling policy can be used for auto-scaling a fleet.\n- *UPDATE_REQUESTED* -- A request to update the scaling policy has been received.\n- *UPDATING* -- A change is being made to the scaling policy.\n- *DELETE_REQUESTED* -- A request to delete the scaling policy has been received.\n- *DELETING* -- The scaling policy is being deleted.\n- *DELETED* -- The scaling policy has been deleted.\n- *ERROR* -- An error occurred in creating the policy. It should be removed and recreated.", + "title": "Status", + "type": "string" + }, + "TargetConfiguration": { + "$ref": "#/definitions/AWS::GameLift::Fleet.TargetConfiguration", + "markdownDescription": "An object that contains settings for a target-based scaling policy.", + "title": "TargetConfiguration" + }, + "Threshold": { + "markdownDescription": "Metric value used to trigger a scaling event.", + "title": "Threshold", + "type": "number" + }, + "UpdateStatus": { + "markdownDescription": "The current status of the fleet's scaling policies in a requested fleet location. The status `PENDING_UPDATE` indicates that an update was requested for the fleet but has not yet been completed for the location.", + "title": "UpdateStatus", + "type": "string" + } + }, + "required": [ + "MetricName", + "Name" + ], + "type": "object" + }, "AWS::GameLift::Fleet.ServerProcess": { "additionalProperties": false, "properties": { 
@@ -91306,12 +95472,12 @@ "type": "number" }, "LaunchPath": { - "markdownDescription": "The location of a game build executable or the Realtime script file that contains the `Init()` function. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"", + "markdownDescription": "The location of a game build executable or Realtime script. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"\n\n> Amazon GameLift doesn't support the use of setup scripts that launch the game executable. For custom game builds, this parameter must indicate the executable that calls the server SDK operations `initSDK()` and `ProcessReady()` .", "title": "LaunchPath", "type": "string" }, "Parameters": { - "markdownDescription": "An optional list of parameters to pass to the server executable or Realtime script on launch.", + "markdownDescription": "An optional list of parameters to pass to the server executable or Realtime script on launch.\n\nLength Constraints: Minimum length of 1. Maximum length of 1024.\n\nPattern: [A-Za-z0-9_:.+\\/\\\\\\- =@{},?'\\[\\]\"]+", "title": "Parameters", "type": "string" } 
@@ -91322,6 +95488,20 @@ ], "type": "object" }, + "AWS::GameLift::Fleet.TargetConfiguration": { + "additionalProperties": false, + "properties": { + "TargetValue": { + "markdownDescription": "Desired value to use with a target-based scaling policy. The value must be relevant for whatever metric the scaling policy is using. For example, in a policy using the metric PercentAvailableGameSessions, the target value should be the preferred size of the fleet's buffer (the percent of capacity that should be idle and ready for new game sessions).", + "title": "TargetValue", + "type": "number" + } + }, + "required": [ + "TargetValue" + ], + "type": "object" + }, "AWS::GameLift::GameServerGroup": { "additionalProperties": false, "properties": { @@ -91570,7 +95750,7 @@ }, "Destinations": { "items": { - "$ref": "#/definitions/AWS::GameLift::GameSessionQueue.Destination" + "$ref": "#/definitions/AWS::GameLift::GameSessionQueue.GameSessionQueueDestination" }, "markdownDescription": "A list of fleets and/or fleet aliases that can be used to fulfill game session placement requests in the queue. Destinations are identified by either a fleet ARN or a fleet alias ARN, and are listed in order of placement preference.", "title": "Destinations", @@ -91644,17 +95824,6 @@ ], "type": "object" }, - "AWS::GameLift::GameSessionQueue.Destination": { - "additionalProperties": false, - "properties": { - "DestinationArn": { - "markdownDescription": "The Amazon Resource Name (ARN) that is assigned to fleet or fleet alias. ARNs, which include a fleet ID or alias ID and a Region name, provide a unique identifier across all Regions.", - "title": "DestinationArn", - "type": "string" - } - }, - "type": "object" - }, "AWS::GameLift::GameSessionQueue.FilterConfiguration": { "additionalProperties": false, "properties": { 
@@ -91669,6 +95838,17 @@ }, "type": "object" }, + "AWS::GameLift::GameSessionQueue.GameSessionQueueDestination": { + "additionalProperties": false, + "properties": { + "DestinationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that is assigned to fleet or fleet alias. ARNs, which include a fleet ID or alias ID and a Region name, provide a unique identifier across all Regions.", + "title": "DestinationArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::GameLift::GameSessionQueue.PlayerLatencyPolicy": { "additionalProperties": false, "properties": { @@ -91743,7 +95923,7 @@ "additionalProperties": false, "properties": { "LocationName": { - "markdownDescription": "The location's name.", + "markdownDescription": "A descriptive name for the custom location.", "title": "LocationName", "type": "string" }, @@ -91751,7 +95931,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "A list of labels to assign to the new matchmaking configuration resource. Tags are developer-defined key-value pairs. Tagging AWS resources are useful for resource management, access management and cost allocation. For more information, see [Tagging AWS Resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Rareference* .", "title": "Tags", "type": "array" } @@ -91837,6 +96017,11 @@ "title": "BackfillMode", "type": "string" }, + "CreationTime": { + "markdownDescription": "A time stamp indicating when this data object was created. Format is a number expressed in Unix time as milliseconds (for example `\"1469498468.057\"` ).", + "title": "CreationTime", + "type": "string" + }, "CustomEventData": { "markdownDescription": "Information to add to all events related to the matchmaking configuration.", "title": "CustomEventData", 
@@ -91888,6 +96073,11 @@ "title": "RequestTimeoutSeconds", "type": "number" }, + "RuleSetArn": { + "markdownDescription": "The Amazon Resource Name ( [ARN](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html) ) associated with the GameLift matchmaking rule set resource that this configuration uses.", + "title": "RuleSetArn", + "type": "string" + }, "RuleSetName": { "markdownDescription": "A unique identifier for the matchmaking rule set to use with this configuration. You can use either the rule set name or ARN value. A matchmaking configuration can only use rule sets that are defined in the same Region.", "title": "RuleSetName", @@ -92369,7 +96559,7 @@ "type": "boolean" }, "EndpointId": { - "markdownDescription": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nAn Application Load Balancer can be either internal or internet-facing.", + "markdownDescription": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nFor cross-account endpoints, this must be the ARN of the resource.", "title": "EndpointId", "type": "string" }, @@ -92601,6 +96791,8 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "ContainsCustomDatatype", "type": "array" }, "ContainsHeader": { 
@@ -92609,6 +96801,8 @@ "type": "string" }, "CustomDatatypeConfigured": { + "markdownDescription": "Enables the custom datatype to be configured.", + "title": "CustomDatatypeConfigured", "type": "boolean" }, "Delimiter": { @@ -93064,21 +97258,29 @@ "additionalProperties": false, "properties": { "ConnectionName": { + "markdownDescription": "The name of the connection to use to connect to the Iceberg target.", + "title": "ConnectionName", "type": "string" }, "Exclusions": { "items": { "type": "string" }, + "markdownDescription": "A list of glob patterns used to exclude from the crawl. For more information, see [Catalog Tables with a Crawler](https://docs.aws.amazon.com/glue/latest/dg/add-crawler.html) .", + "title": "Exclusions", "type": "array" }, "MaximumTraversalDepth": { + "markdownDescription": "The maximum depth of Amazon S3 paths that the crawler can traverse to discover the Iceberg metadata folder in your Amazon S3 path. Used to limit the crawler run time.", + "title": "MaximumTraversalDepth", "type": "number" }, "Paths": { "items": { "type": "string" }, + "markdownDescription": "One or more Amazon S3 paths that contains Iceberg metadata folders as `s3://bucket/prefix` .", + "title": "Paths", "type": "array" } }, @@ -93232,6 +97434,8 @@ "items": { "$ref": "#/definitions/AWS::Glue::Crawler.IcebergTarget" }, + "markdownDescription": "", + "title": "IcebergTargets", "type": "array" }, "JdbcTargets": { 
@@ -93261,6 +97465,79 @@ }, "type": "object" }, + "AWS::Glue::CustomEntityType": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ContextWords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "Name": { + "type": "string" + }, + "RegexString": { + "type": "string" + }, + "Tags": { + "type": "object" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Glue::CustomEntityType" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, "AWS::Glue::DataCatalogEncryptionSettings": { "additionalProperties": false, "properties": { @@ -93584,6 +97861,8 @@ "type": "string" }, "Region": { + "markdownDescription": "Region of the target database.", + "title": "Region", "type": "string" } }, @@ -95203,7 +99482,9 @@ "type": "string" }, "OpenTableFormatInput": { - "$ref": "#/definitions/AWS::Glue::Table.OpenTableFormatInput" + "$ref": "#/definitions/AWS::Glue::Table.OpenTableFormatInput", + "markdownDescription": "A structure representing an open format table.", + "title": "OpenTableFormatInput" }, "TableInput": { "$ref": "#/definitions/AWS::Glue::Table.TableInput", 
@@ -95267,9 +99548,13 @@ "additionalProperties": false, "properties": { "MetadataOperation": { - "$ref": "#/definitions/AWS::Glue::Table.MetadataOperation" + "$ref": "#/definitions/AWS::Glue::Table.MetadataOperation", + "markdownDescription": "A required metadata operation. Can only be set to `CREATE` .", + "title": "MetadataOperation" }, "Version": { + "markdownDescription": "The table version for the Iceberg table. Defaults to 2.", + "title": "Version", "type": "string" } }, @@ -95284,7 +99569,9 @@ "additionalProperties": false, "properties": { "IcebergInput": { - "$ref": "#/definitions/AWS::Glue::Table.IcebergInput" + "$ref": "#/definitions/AWS::Glue::Table.IcebergInput", + "markdownDescription": "Specifies an `IcebergInput` structure that defines an Apache Iceberg metadata table.", + "title": "IcebergInput" } }, "type": "object" @@ -95498,6 +99785,8 @@ "type": "string" }, "Region": { + "markdownDescription": "Region of the target table.", + "title": "Region", "type": "string" } }, @@ -95926,7 +100215,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center (successor to AWS Single Sign-On) , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", + "markdownDescription": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", "title": "AuthenticationProviders", "type": "array" }, 
@@ -95949,7 +100238,7 @@ "type": "string" }, "GrafanaVersion": { - "markdownDescription": "Specifies the version of Grafana to support in the new workspace.\n\nSupported values are `8.4` and `9.4` .", + "markdownDescription": "Specifies the version of Grafana to support in the workspace. Defaults to the latest version on create (for example, 9.4), or the current version of the workspace on update.\n\nCan only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4).\n\nTo know what versions are available to upgrade to for a specific workspace, see the [ListVersions](https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html) operation.", "title": "GrafanaVersion", "type": "string" }, @@ -95989,6 +100278,11 @@ "title": "PermissionType", "type": "string" }, + "PluginAdminEnabled": { + "markdownDescription": "Whether plugin administration is enabled in the workspace. Setting to `true` allows workspace admins to install, uninstall, and update plugins from within the Grafana workspace.\n\n> This option is only valid for workspaces that support Grafana version 9 or newer.", + "title": "PluginAdminEnabled", + "type": "boolean" + }, "RoleArn": { "markdownDescription": "The IAM role that grants permissions to the AWS resources that the workspace will view data from. This role must already exist.", "title": "RoleArn", 
@@ -96243,7 +100537,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the connector definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the connector definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -96278,7 +100572,7 @@ "additionalProperties": false, "properties": { "ConnectorArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "markdownDescription": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "title": "ConnectorArn", "type": "string" }, @@ -96288,7 +100582,7 @@ "type": "string" }, "Parameters": { - "markdownDescription": "The parameters or configuration used by the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "markdownDescription": "The parameters or configuration used by the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "title": "Parameters", "type": "object" } @@ -96396,7 +100690,7 @@ "additionalProperties": false, "properties": { "ConnectorArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "markdownDescription": "The Amazon Resource Name (ARN) of the connector.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "title": "ConnectorArn", "type": "string" }, 
@@ -96406,7 +100700,7 @@ "type": "string" }, "Parameters": { - "markdownDescription": "The parameters or configuration that the connector uses.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors-list.html) .", + "markdownDescription": "The parameters or configuration that the connector uses.\n\nFor more information about connectors provided by AWS , see [Greengrass Connectors Provided by AWS](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors-list.html) .", "title": "Parameters", "type": "object" } 
@@ -96463,7 +100757,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the core definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the core definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -96695,7 +100989,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the device definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the device definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -96927,7 +101221,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the function definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the function definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -97005,13 +101299,13 @@ "additionalProperties": false, "properties": { "IsolationMode": { - "markdownDescription": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", + "markdownDescription": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . 
For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", "title": "IsolationMode", "type": "string" }, "RunAs": { "$ref": "#/definitions/AWS::Greengrass::FunctionDefinition.RunAs", - "markdownDescription": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-running-as-root) .", + "markdownDescription": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-running-as-root) .", "title": "RunAs" } }, 
@@ -97269,13 +101563,13 @@ "additionalProperties": false, "properties": { "IsolationMode": { - "markdownDescription": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", + "markdownDescription": "The containerization that the Lambda function runs in. Valid values are `GreengrassContainer` or `NoContainer` . Typically, this is `GreengrassContainer` . 
For more information, see [Containerization](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-function-containerization) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default containerization for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. Omit this value to run the function with the default containerization.\n\n> We recommend that you run in a Greengrass container unless your business case requires that you run without containerization.", "title": "IsolationMode", "type": "string" }, "RunAs": { "$ref": "#/definitions/AWS::Greengrass::FunctionDefinitionVersion.RunAs", - "markdownDescription": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-running-as-root) .", + "markdownDescription": "The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and ggc_group. 
For more information, see [Run as](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* .\n\n- When set on the [`DefaultConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-defaultconfig.html) property of a function definition version, this setting is used as the default access identity for all Lambda functions in the function definition version.\n- When set on the [`Environment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-environment.html) property of a function, this setting applies to the individual function and overrides the default. You can override the user, group, or both. Omit this value to run the function with the default permissions.\n\n> Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-running-as-root) .", "title": "RunAs" } }, 
@@ -97434,7 +101728,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the group. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the group. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -97654,7 +101948,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the logger definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the logger definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -97898,7 +102192,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the resource definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the resource definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } 
@@ -98096,7 +102390,7 @@ }, "OwnerSetting": { "$ref": "#/definitions/AWS::Greengrass::ResourceDefinition.ResourceDownloadOwnerSetting", - "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "title": "OwnerSetting" }, "S3Uri": { @@ -98121,7 +102415,7 @@ }, "OwnerSetting": { "$ref": "#/definitions/AWS::Greengrass::ResourceDefinition.ResourceDownloadOwnerSetting", - "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "title": "OwnerSetting" }, "SageMakerJobArn": { 
@@ -98384,7 +102678,7 @@ }, "OwnerSetting": { "$ref": "#/definitions/AWS::Greengrass::ResourceDefinitionVersion.ResourceDownloadOwnerSetting", - "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "title": "OwnerSetting" }, "S3Uri": { @@ -98409,7 +102703,7 @@ }, "OwnerSetting": { "$ref": "#/definitions/AWS::Greengrass::ResourceDefinitionVersion.ResourceDownloadOwnerSetting", - "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/latest/developerguide/access-ml-resources.html) in the *Developer Guide* .", + "markdownDescription": "The owner setting for the downloaded machine learning resource. For more information, see [Access Machine Learning Resources from Lambda Functions](https://docs.aws.amazon.com/greengrass/v1/developerguide/access-ml-resources.html) in the *Developer Guide* .", "title": "OwnerSetting" }, "SageMakerJobArn": { 
@@ -98492,7 +102786,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "Application-specific metadata to attach to the subscription definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/latest/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", + "markdownDescription": "Application-specific metadata to attach to the subscription definition. You can use tags in IAM policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more information, see [Tagging Your AWS IoT Greengrass Resources](https://docs.aws.amazon.com/greengrass/v1/developerguide/tagging.html) in the *Developer Guide* .\n\nThis `Json` property type is processed as a map of key-value pairs. It uses the following format, which is different from most `Tags` implementations in AWS CloudFormation templates.\n\n```json\n\"Tags\": { \"KeyName0\": \"value\", \"KeyName1\": \"value\", \"KeyName2\": \"value\"\n}\n```", "title": "Tags", "type": "object" } @@ -99594,7 +103888,7 @@ "additionalProperties": false, "properties": { "UnvalidatedJSON": { - "markdownDescription": "The decoding settings are in JSON format and define a set of steps to perform to decode the data.", + "markdownDescription": "", "title": "UnvalidatedJSON", "type": "string" } 
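Review bot: The new `markdownDescription` for `UnvalidatedJSON` is an empty string, so the property loses the only sentence saying that the decoding settings are JSON describing the decode steps. The next two hunks do the same to the demodulation `UnvalidatedJSON` and to `Mtu`, where the valid range (1400 to 1500) and the default of 1500 disappear. If this schema is generated from upstream documentation, the generator could keep the previous text when upstream returns nothing, for example leaving `"markdownDescription": "Maximum transmission unit (MTU) size in bytes of a dataflow endpoint. Valid values are between 1400 and 1500. A default value of 1500 is used if not set."` in place. The enclosing definitions begin outside these hunks.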
@@ -99605,7 +103899,7 @@ "additionalProperties": false, "properties": { "UnvalidatedJSON": { - "markdownDescription": "The demodulation settings are in JSON format and define parameters for demodulation, for example which modulation scheme (e.g. PSK, QPSK, etc.) and matched filter to use.", + "markdownDescription": "", "title": "UnvalidatedJSON", "type": "string" } @@ -99889,7 +104183,7 @@ "title": "Address" }, "Mtu": { - "markdownDescription": "Maximum transmission unit (MTU) size in bytes of a dataflow endpoint. Valid values are between 1400 and 1500. A default value of 1500 is used if not set.", + "markdownDescription": "", "title": "Mtu", "type": "number" }, @@ -100279,9 +104573,13 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "Name of the additional configuration.", + "title": "Name", "type": "string" }, "Status": { + "markdownDescription": "Status of the additional configuration.", + "title": "Status", "type": "string" } }, @@ -100294,12 +104592,18 @@ "items": { "$ref": "#/definitions/AWS::GuardDuty::Detector.CFNFeatureAdditionalConfiguration" }, + "markdownDescription": "Information about the additional configuration of a feature in your account.", + "title": "AdditionalConfiguration", "type": "array" }, "Name": { + "markdownDescription": "Name of the feature.", + "title": "Name", "type": "string" }, "Status": { + "markdownDescription": "Status of the feature configuration.", + "title": "Status", "type": "string" } }, @@ -100377,9 +104681,13 @@ "additionalProperties": false, "properties": { "Key": { + "markdownDescription": "The tag value.", + "title": "Key", "type": "string" }, "Value": { + "markdownDescription": "The tag key.", + "title": "Value", "type": "string" } }, 
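Review bot: The two descriptions added in the `Key`/`Value` hunk are swapped: `Key` is documented as "The tag value." and `Value` as "The tag key.". They should read `"markdownDescription": "The tag key."` under `Key` and `"markdownDescription": "The tag value."` under `Value`. The name of the enclosing definition is outside the hunk; from the neighbouring hunks it appears to be a GuardDuty tag item. Tags are commonly used in IAM policy conditions, so the inverted wording is worth fixing at the source of the text.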
@@ -100576,7 +104884,7 @@ "additionalProperties": false, "properties": { "Criterion": { - "markdownDescription": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor a mapping of JSON criterion to their console equivalent see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . The following are the available criterion:\n\n- accountId\n- region\n- confidence\n- id\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.outpostArn\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.resourceType\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- 
service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.additionalInfo.threatListName\n- service.archived\n\nWhen this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.\n- service.resourceRole\n- severity\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.", + "markdownDescription": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor information about JSON criterion mapping to their console equivalent, see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . 
The following are the available criterion:\n\n- accountId\n- id\n- region\n- severity\n\nTo filter on the basis of severity, API and CFN use the following input list for the condition:\n\n- *Low* : `[\"1\", \"2\", \"3\"]`\n- *Medium* : `[\"4\", \"5\", \"6\"]`\n- *High* : `[\"7\", \"8\", \"9\"]`\n\nFor more information, see [Severity levels for GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity) .\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.outpostArn\n- resource.resourceType\n- resource.s3BucketDetails.publicAccess.effectivePermissions\n- resource.s3BucketDetails.name\n- resource.s3BucketDetails.tags.key\n- resource.s3BucketDetails.tags.value\n- resource.s3BucketDetails.type\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- 
service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.action.awsApiCallAction.remoteAccountDetails.affiliated\n- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.kubernetesApiCallAction.requestUri\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.protocol\n- service.action.awsApiCallAction.serviceName\n- service.action.awsApiCallAction.remoteAccountDetails.accountId\n- service.additionalInfo.threatListName\n- service.resourceRole\n- resource.eksClusterDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.namespace\n- resource.kubernetesDetails.kubernetesUserDetails.username\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix\n- service.ebsVolumeScanDetails.scanId\n- 
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash\n- resource.ecsClusterDetails.name\n- resource.ecsClusterDetails.taskDetails.containers.image\n- resource.ecsClusterDetails.taskDetails.definitionArn\n- resource.containerDetails.image\n- resource.rdsDbInstanceDetails.dbInstanceIdentifier\n- resource.rdsDbInstanceDetails.dbClusterIdentifier\n- resource.rdsDbInstanceDetails.engine\n- resource.rdsDbUserDetails.user\n- resource.rdsDbInstanceDetails.tags.key\n- resource.rdsDbInstanceDetails.tags.value\n- service.runtimeDetails.process.executableSha256\n- service.runtimeDetails.process.name\n- service.runtimeDetails.process.name\n- resource.lambdaDetails.functionName\n- resource.lambdaDetails.functionArn\n- resource.lambdaDetails.tags.key\n- resource.lambdaDetails.tags.value", "title": "Criterion", "type": "object" }, @@ -100650,7 +104958,7 @@ }, "Tags": { "items": { - "$ref": "#/definitions/Tag" + "$ref": "#/definitions/AWS::GuardDuty::IPSet.TagItem" }, "markdownDescription": "The tags to be added to a new IP set resource. Each tag consists of a key and an optional value, both of which you define.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", @@ -100658,10 +104966,9 @@ } }, "required": [ - "Activate", - "DetectorId", "Format", - "Location" + "Location", + "Name" ], "type": "object" }, 
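Review bot: The rewritten `Criterion` list no longer contains `service.archived` or its explanation of the TRUE/FALSE/unset behaviour. A reader building a filter from this description can no longer tell how archived findings are selected. The new list also repeats entries: `service.runtimeDetails.process.name` appears twice in a row, and `service.action.networkConnectionAction.protocol` and `service.action.awsApiCallAction.serviceName` each appear twice. If the omission is not intentional upstream, restore `- service.archived` with its sentence and drop the duplicates. The `Criterion` property sits in a definition whose header is outside the hunk.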
@@ -100686,6 +104993,26 @@ ], "type": "object" }, + "AWS::GuardDuty::IPSet.TagItem": { + "additionalProperties": false, + "properties": { + "Key": { + "markdownDescription": "", + "title": "Key", + "type": "string" + }, + "Value": { + "markdownDescription": "", + "title": "Value", + "type": "string" + } + }, + "required": [ + "Key", + "Value" + ], + "type": "object" + }, "AWS::GuardDuty::Master": { "additionalProperties": false, "properties": { @@ -100732,8 +105059,6 @@ "type": "string" }, "MasterId": { - "markdownDescription": "The AWS account ID of the account designated as the GuardDuty administrator account.", - "title": "MasterId", "type": "string" } }, @@ -100815,8 +105140,6 @@ "type": "string" }, "MemberId": { - "markdownDescription": "The AWS account ID of the account to designate as a member.", - "title": "MemberId", "type": "string" }, "Message": { @@ -100920,7 +105243,7 @@ }, "Tags": { "items": { - "$ref": "#/definitions/Tag" + "$ref": "#/definitions/AWS::GuardDuty::ThreatIntelSet.TagItem" }, "markdownDescription": "The tags to be added to a new threat list resource. Each tag consists of a key and an optional value, both of which you define.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", @@ -100928,10 +105251,9 @@ } }, "required": [ - "Activate", - "DetectorId", "Format", - "Location" + "Location", + "Name" ], "type": "object" }, 
@@ -100956,80 +105278,27 @@ ], "type": "object" }, - "AWS::HealthImaging::Datastore": { + "AWS::GuardDuty::ThreatIntelSet.TagItem": { "additionalProperties": false, "properties": { - "Condition": { - "type": "string" - }, - "DeletionPolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - }, - "DependsOn": { - "anyOf": [ - { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - { - "items": { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - "type": "array" - } - ] - }, - "Metadata": { - "type": "object" - }, - "Properties": { - "additionalProperties": false, - "properties": { - "DatastoreName": { - "type": "string" - }, - "KmsKeyArn": { - "type": "string" - }, - "Tags": { - "additionalProperties": true, - "patternProperties": { - "^[a-zA-Z0-9]+$": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "Type": { - "enum": [ - "AWS::HealthImaging::Datastore" - ], + "Key": { + "markdownDescription": "", + "title": "Key", "type": "string" }, - "UpdateReplacePolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], + "Value": { + "markdownDescription": "", + "title": "Value", "type": "string" } }, "required": [ - "Type" + "Key", + "Value" ], "type": "object" }, - "AWS::HealthLake::FHIRDatastore": { + "AWS::HealthImaging::Datastore": { "additionalProperties": false, "properties": { "Condition": { 
@@ -101065,47 +105334,32 @@ "additionalProperties": false, "properties": { "DatastoreName": { - "markdownDescription": "The user generated name for the Data Store.", + "markdownDescription": "The data store name.", "title": "DatastoreName", "type": "string" }, - "DatastoreTypeVersion": { - "markdownDescription": "The FHIR version of the Data Store. The only supported version is R4.", - "title": "DatastoreTypeVersion", + "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) assigned to the Key Management Service (KMS) key for accessing encrypted data.", + "title": "KmsKeyArn", "type": "string" }, - "IdentityProviderConfiguration": { - "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration", - "markdownDescription": "", - "title": "IdentityProviderConfiguration" - }, - "PreloadDataConfig": { - "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.PreloadDataConfig", - "markdownDescription": "The preloaded data configuration for the Data Store. 
Only data preloaded from Synthea is supported.", - "title": "PreloadDataConfig" - }, - "SseConfiguration": { - "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.SseConfiguration", - "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key specified for creating a Data Store.", - "title": "SseConfiguration" - }, "Tags": { - "items": { - "$ref": "#/definitions/Tag" + "additionalProperties": true, + "markdownDescription": "The tags provided when creating a data store.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", - "type": "array" + "type": "object" } }, - "required": [ - "DatastoreTypeVersion" - ], "type": "object" }, "Type": { "enum": [ - "AWS::HealthLake::FHIRDatastore" + "AWS::HealthImaging::Datastore" ], "type": "string" }, 
@@ -101119,108 +105373,202 @@ } }, "required": [ - "Type", - "Properties" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.CreatedAt": { - "additionalProperties": false, - "properties": { - "Nanos": { - "markdownDescription": "", - "title": "Nanos", - "type": "number" - }, - "Seconds": { - "markdownDescription": "", - "title": "Seconds", - "type": "string" - } - }, - "required": [ - "Nanos", - "Seconds" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration": { - "additionalProperties": false, - "properties": { - "AuthorizationStrategy": { - "markdownDescription": "", - "title": "AuthorizationStrategy", - "type": "string" - }, - "FineGrainedAuthorizationEnabled": { - "markdownDescription": "", - "title": "FineGrainedAuthorizationEnabled", - "type": "boolean" - }, - "IdpLambdaArn": { - "markdownDescription": "", - "title": "IdpLambdaArn", - "type": "string" - }, - "Metadata": { - "markdownDescription": "", - "title": "Metadata", - "type": "string" - } - }, - "required": [ - "AuthorizationStrategy" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.KmsEncryptionConfig": { - "additionalProperties": false, - "properties": { - "CmkType": { - "markdownDescription": "The type of customer-managed-key(CMK) used for encryption. The two types of supported CMKs are customer owned CMKs and Amazon owned CMKs. 
For more information on CMK types, see [KmsEncryptionConfig](https://docs.aws.amazon.com/healthlake/latest/APIReference/API_KmsEncryptionConfig.html#HealthLake-Type-KmsEncryptionConfig-CmkType) .", - "title": "CmkType", - "type": "string" - }, - "KmsKeyId": { - "markdownDescription": "The KMS encryption key id/alias used to encrypt the Data Store contents at rest.", - "title": "KmsKeyId", - "type": "string" - } - }, - "required": [ - "CmkType" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.PreloadDataConfig": { - "additionalProperties": false, - "properties": { - "PreloadDataType": { - "markdownDescription": "The type of preloaded data. Only Synthea preloaded data is supported.", - "title": "PreloadDataType", - "type": "string" - } - }, - "required": [ - "PreloadDataType" - ], - "type": "object" - }, - "AWS::HealthLake::FHIRDatastore.SseConfiguration": { - "additionalProperties": false, - "properties": { - "KmsEncryptionConfig": { - "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.KmsEncryptionConfig", - "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key (CMK).", - "title": "KmsEncryptionConfig" - } - }, - "required": [ - "KmsEncryptionConfig" + "Type" ], "type": "object" }, - "AWS::IAM::AccessKey": { + "AWS::HealthLake::FHIRDatastore": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "DatastoreName": { + "markdownDescription": "The user generated name for the data store.", + "title": "DatastoreName", + "type": "string" + }, + 
"DatastoreTypeVersion": { + "markdownDescription": "The FHIR version of the data store. The only supported version is R4.", + "title": "DatastoreTypeVersion", + "type": "string" + }, + "IdentityProviderConfiguration": { + "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration", + "markdownDescription": "The identity provider configuration that you gave when the data store was created.", + "title": "IdentityProviderConfiguration" + }, + "PreloadDataConfig": { + "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.PreloadDataConfig", + "markdownDescription": "The preloaded data configuration for the data store. Only data preloaded from Synthea is supported.", + "title": "PreloadDataConfig" + }, + "SseConfiguration": { + "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.SseConfiguration", + "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key specified for creating a data store.", + "title": "SseConfiguration" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "DatastoreTypeVersion" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::HealthLake::FHIRDatastore" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.CreatedAt": { + "additionalProperties": false, + "properties": { + "Nanos": { + "markdownDescription": "", + "title": "Nanos", + "type": "number" + }, + "Seconds": { + "markdownDescription": "", + "title": "Seconds", + "type": "string" + } + }, + "required": [ + "Nanos", + "Seconds" + ], 
+ "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration": { + "additionalProperties": false, + "properties": { + "AuthorizationStrategy": { + "markdownDescription": "The authorization strategy that you selected when you created the data store.", + "title": "AuthorizationStrategy", + "type": "string" + }, + "FineGrainedAuthorizationEnabled": { + "markdownDescription": "If you enabled fine-grained authorization when you created the data store.", + "title": "FineGrainedAuthorizationEnabled", + "type": "boolean" + }, + "IdpLambdaArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the Lambda function that you want to use to decode the access token created by the authorization server.", + "title": "IdpLambdaArn", + "type": "string" + }, + "Metadata": { + "markdownDescription": "The JSON metadata elements that you want to use in your identity provider configuration. Required elements are listed based on the launch specification of the SMART application. For more information on all possible elements, see [Metadata](https://docs.aws.amazon.com/https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata) in SMART's App Launch specification.\n\n`authorization_endpoint` : The URL to the OAuth2 authorization endpoint.\n\n`grant_types_supported` : An array of grant types that are supported at the token endpoint. You must provide at least one grant type option. Valid options are `authorization_code` and `client_credentials` .\n\n`token_endpoint` : The URL to the OAuth2 token endpoint.\n\n`capabilities` : An array of strings of the SMART capabilities that the authorization server supports.\n\n`code_challenge_methods_supported` : An array of strings of supported PKCE code challenge methods. 
You must include the `S256` method in the array of PKCE code challenge methods.", + "title": "Metadata", + "type": "string" + } + }, + "required": [ + "AuthorizationStrategy" + ], + "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.KmsEncryptionConfig": { + "additionalProperties": false, + "properties": { + "CmkType": { + "markdownDescription": "The type of customer-managed-key(CMK) used for encryption. The two types of supported CMKs are customer owned CMKs and Amazon owned CMKs. For more information on CMK types, see [KmsEncryptionConfig](https://docs.aws.amazon.com/healthlake/latest/APIReference/API_KmsEncryptionConfig.html#HealthLake-Type-KmsEncryptionConfig-CmkType) .", + "title": "CmkType", + "type": "string" + }, + "KmsKeyId": { + "markdownDescription": "The KMS encryption key id/alias used to encrypt the data store contents at rest.", + "title": "KmsKeyId", + "type": "string" + } + }, + "required": [ + "CmkType" + ], + "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.PreloadDataConfig": { + "additionalProperties": false, + "properties": { + "PreloadDataType": { + "markdownDescription": "The type of preloaded data. Only Synthea preloaded data is supported.", + "title": "PreloadDataType", + "type": "string" + } + }, + "required": [ + "PreloadDataType" + ], + "type": "object" + }, + "AWS::HealthLake::FHIRDatastore.SseConfiguration": { + "additionalProperties": false, + "properties": { + "KmsEncryptionConfig": { + "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.KmsEncryptionConfig", + "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key (CMK).", + "title": "KmsEncryptionConfig" + } + }, + "required": [ + "KmsEncryptionConfig" + ], + "type": "object" + }, + "AWS::IAM::AccessKey": { "additionalProperties": false, "properties": { "Condition": { 
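Review bot: The `Metadata` description added here links to `https://docs.aws.amazon.com/https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata`, which is an external URL with the AWS docs host prepended and will not resolve to the SMART App Launch specification. The link target should be `https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata`. The same prefixing occurs in the IAM policy hunks that follow (`@@ -101437`, `@@ -102019`, `@@ -102484`), where every "regex pattern" link is `https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex`. Those should point at the external page directly, preferably over `https`. If the text is produced by a converter, the fix probably belongs in its handling of absolute links.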
@@ -101437,12 +105785,18 @@ "additionalProperties": false, "properties": { "GroupName": { + "markdownDescription": "The name of the group to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", + "title": "GroupName", "type": "string" }, "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" } }, 
@@ -102019,12 +106373,18 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" }, "RoleName": { + "markdownDescription": "The name of the role to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "RoleName", "type": "string" } }, 
@@ -102484,12 +106844,18 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" }, "UserName": { + "markdownDescription": "The name of the user to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "UserName", "type": "string" } }, 
@@ -102753,7 +107119,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-channel-tag.html) .", "title": "Tags", "type": "array" }, @@ -102834,7 +107200,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-playbackkeypair-tag.html) .", "title": "Tags", "type": "array" } @@ -102898,7 +107264,7 @@ "properties": { "DestinationConfiguration": { "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.DestinationConfiguration", - "markdownDescription": "A destination configuration contains information about where recorded video will be stored. See the [DestinationConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-destinationconfiguration.html) property type for more information.", + "markdownDescription": "A destination configuration contains information about where recorded video will be stored. See the DestinationConfiguration property type for more information.", "title": "DestinationConfiguration" }, "Name": { 
@@ -102912,19 +107278,21 @@ "type": "number" }, "RenditionConfiguration": { - "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.RenditionConfiguration" + "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.RenditionConfiguration", + "markdownDescription": "A rendition configuration describes which renditions should be recorded for a stream. See the RenditionConfiguration property type for more information.", + "title": "RenditionConfiguration" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-tag.html) .", "title": "Tags", "type": "array" }, "ThumbnailConfiguration": { "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.ThumbnailConfiguration", - "markdownDescription": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the [ThumbnailConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thunbnailconfiguration.html) property type for more information.", + "markdownDescription": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the ThumbnailConfiguration property type for more information.", "title": "ThumbnailConfiguration" } }, 
@@ -102969,12 +107337,16 @@ "additionalProperties": false, "properties": { "RenditionSelection": { + "markdownDescription": "The set of renditions are recorded for a stream. For `BASIC` channels, the `CUSTOM` value has no effect. If `CUSTOM` is specified, a set of renditions can be specified in the `renditions` field. Default: `ALL` .", + "title": "RenditionSelection", "type": "string" }, "Renditions": { "items": { "type": "string" }, + "markdownDescription": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "title": "Renditions", "type": "array" } }, 
@@ -103003,16 +107375,20 @@ "type": "string" }, "Resolution": { + "markdownDescription": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "title": "Resolution", "type": "string" }, "Storage": { "items": { "type": "string" }, + "markdownDescription": "The format in which thumbnails are recorded for a stream. `SEQUENTIAL` records all generated thumbnails in a serial manner, to the media/thumbnails directory. `LATEST` saves the latest thumbnail in media/thumbnails/latest/thumb.jpg and overwrites it at the interval specified by `targetIntervalSeconds` . You can enable both `SEQUENTIAL` and `LATEST` . Default: `SEQUENTIAL` .", + "title": "Storage", "type": "array" }, "TargetIntervalSeconds": { - "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 5. 
Maximum value of 60.", + "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60.", "title": "TargetIntervalSeconds", "type": "number" } @@ -103063,7 +107439,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-streamkey-tag.html) .", "title": "Tags", "type": "array" } 
@@ -103143,7 +107519,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-loggingconfiguration-tag.html) .", "title": "Tags", "type": "array" } @@ -103304,7 +107680,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-room-tag.html) .", "title": "Tags", "type": "array" } @@ -103554,7 +107930,7 @@ "additionalProperties": false, "properties": { "ChangeDescription": { - "markdownDescription": "The change description of the component. Describes what change has been made in this version, or what makes this version different from other versions of this component.", + "markdownDescription": "The change description of the component. Describes what change has been made in this version, or what makes this version different from other versions of the component.", "title": "ChangeDescription", "type": "string" }, @@ -103804,7 +108180,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::ContainerRecipe.ComponentParameter" }, - "markdownDescription": "", + "markdownDescription": "A group of parameter settings that Image Builder uses to configure the component for a specific recipe.", "title": "Parameters", "type": "array" } 
@@ -103815,7 +108191,7 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the component parameter to set.", "title": "Name", "type": "string" }, @@ -103823,7 +108199,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Sets the value for the named component parameter.", "title": "Value", "type": "array" } @@ -104119,7 +108495,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchConfiguration" }, - "markdownDescription": "", + "markdownDescription": "The Windows faster-launching configurations to use for AMI distribution.", "title": "FastLaunchConfigurations", "type": "array" }, 
@@ -104154,28 +108530,28 @@ "additionalProperties": false, "properties": { "AccountId": { - "markdownDescription": "", + "markdownDescription": "The owner account ID for the fast-launch enabled Windows AMI.", "title": "AccountId", "type": "string" }, "Enabled": { - "markdownDescription": "", + "markdownDescription": "A Boolean that represents the current state of faster launching for the Windows AMI. Set to `true` to start using Windows faster launching, or `false` to stop using it.", "title": "Enabled", "type": "boolean" }, "LaunchTemplate": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchLaunchTemplateSpecification", - "markdownDescription": "", + "markdownDescription": "The launch template that the fast-launch enabled Windows AMI uses when it launches Windows instances to create pre-provisioned snapshots.", "title": "LaunchTemplate" }, "MaxParallelLaunches": { - "markdownDescription": "", + "markdownDescription": "The maximum number of parallel instances that are launched for creating resources.", "title": "MaxParallelLaunches", "type": "number" }, "SnapshotConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchSnapshotConfiguration", - "markdownDescription": "", + "markdownDescription": "Configuration settings for managing the number of snapshots that are created from pre-provisioned instances for the Windows AMI when faster launching is enabled.", "title": "SnapshotConfiguration" } }, 
@@ -104185,17 +108561,17 @@ "additionalProperties": false, "properties": { "LaunchTemplateId": { - "markdownDescription": "", + "markdownDescription": "The ID of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateId", "type": "string" }, "LaunchTemplateName": { - "markdownDescription": "", + "markdownDescription": "The name of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateName", "type": "string" }, "LaunchTemplateVersion": { - "markdownDescription": "", + "markdownDescription": "The version of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateVersion", "type": "string" } @@ -104206,7 +108582,7 @@ "additionalProperties": false, "properties": { "TargetResourceCount": { - "markdownDescription": "", + "markdownDescription": "The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI.", "title": "TargetResourceCount", "type": "number" } @@ -104345,7 +108721,7 @@ }, "ImageScanningConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::Image.ImageScanningConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains settings for vulnerability scans.", "title": "ImageScanningConfiguration" }, "ImageTestsConfiguration": { 
@@ -104403,12 +108779,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", "title": "ContainerTags", "type": "array" }, "RepositoryName": { - "markdownDescription": "", + "markdownDescription": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images.", "title": "RepositoryName", "type": "string" } @@ -104420,11 +108796,11 @@ "properties": { "EcrConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::Image.EcrConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains Amazon ECR settings for vulnerability scans.", "title": "EcrConfiguration" }, "ImageScanningEnabled": { - "markdownDescription": "", + "markdownDescription": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image.", "title": "ImageScanningEnabled", "type": "boolean" } @@ -104509,7 +108885,7 @@ }, "ImageScanningConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::ImagePipeline.ImageScanningConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains settings for vulnerability scans.", "title": "ImageScanningConfiguration" }, "ImageTestsConfiguration": { 
@@ -104583,12 +108959,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", "title": "ContainerTags", "type": "array" }, "RepositoryName": { - "markdownDescription": "", + "markdownDescription": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images.", "title": "RepositoryName", "type": "string" } @@ -104600,11 +108976,11 @@ "properties": { "EcrConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::ImagePipeline.EcrConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains Amazon ECR settings for vulnerability scans.", "title": "EcrConfiguration" }, "ImageScanningEnabled": { - "markdownDescription": "", + "markdownDescription": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image.", "title": "ImageScanningEnabled", "type": "boolean" } @@ -105095,7 +109471,7 @@ }, "type": "object" }, - "AWS::Inspector::AssessmentTarget": { + "AWS::ImageBuilder::LifecyclePolicy": { "additionalProperties": false, "properties": { "Condition": { 
@@ -105130,22 +109506,68 @@ "Properties": { "additionalProperties": false, "properties": { - "AssessmentTargetName": { - "markdownDescription": "The name of the Amazon Inspector assessment target. The name must be unique within the AWS account .", - "title": "AssessmentTargetName", + "Description": { + "markdownDescription": "Optional description for the lifecycle policy.", + "title": "Description", "type": "string" }, - "ResourceGroupArn": { - "markdownDescription": "The ARN that specifies the resource group that is used to create the assessment target. If `resourceGroupArn` is not specified, all EC2 instances in the current AWS account and Region are included in the assessment target.", - "title": "ResourceGroupArn", + "ExecutionRole": { + "markdownDescription": "The name or Amazon Resource Name (ARN) of the IAM role that Image Builder uses to run the lifecycle policy. This is a custom role that you create.", + "title": "ExecutionRole", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of the lifecycle policy.", + "title": "Name", + "type": "string" + }, + "PolicyDetails": { + "items": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.PolicyDetail" + }, + "markdownDescription": "The configuration details for a lifecycle policy resource.", + "title": "PolicyDetails", + "type": "array" + }, + "ResourceSelection": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.ResourceSelection", + "markdownDescription": "Resource selection criteria used to run the lifecycle policy.", + "title": "ResourceSelection" + }, + "ResourceType": { + "markdownDescription": "The type of resources the lifecycle policy targets.", + "title": "ResourceType", + "type": "string" + }, + "Status": { + "markdownDescription": "Indicates whether the lifecycle policy resource is enabled.", + "title": "Status", "type": "string" + }, + "Tags": { + "additionalProperties": true, + "markdownDescription": "To help manage your lifecycle policy resources, you can 
assign your own metadata to each resource in the form of tags. Each tag consists of a key and an optional value, both of which you define.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "Tags", + "type": "object" } }, + "required": [ + "ExecutionRole", + "Name", + "PolicyDetails", + "ResourceSelection", + "ResourceType" + ], "type": "object" }, "Type": { "enum": [ - "AWS::Inspector::AssessmentTarget" + "AWS::ImageBuilder::LifecyclePolicy" ], "type": "string" }, 
@@ -105158,12 +109580,305 @@ "type": "string" } }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.Action": { + "additionalProperties": false, + "properties": { + "IncludeResources": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.IncludeResources", + "markdownDescription": "", + "title": "IncludeResources" + }, + "Type": { + "markdownDescription": "", + "title": "Type", + "type": "string" + } + }, "required": [ "Type" ], "type": "object" }, - "AWS::Inspector::AssessmentTemplate": { + "AWS::ImageBuilder::LifecyclePolicy.AmiExclusionRules": { + "additionalProperties": false, + "properties": { + "IsPublic": { + "markdownDescription": "", + "title": "IsPublic", + "type": "boolean" + }, + "LastLaunched": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.LastLaunched", + "markdownDescription": "", + "title": "LastLaunched" + }, + "Regions": { + "items": { + "type": "string" + }, + "markdownDescription": "", + "title": "Regions", + "type": "array" + }, + "SharedAccounts": { + "items": { + "type": "string" + }, + "markdownDescription": "", + "title": "SharedAccounts", + "type": "array" + }, + "TagMap": { + "additionalProperties": true, + "markdownDescription": "", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "TagMap", + "type": "object" + } + }, + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.ExclusionRules": { + "additionalProperties": false, + "properties": { + "Amis": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.AmiExclusionRules", + "markdownDescription": "", + "title": "Amis" + }, + "TagMap": { + "additionalProperties": true, + "markdownDescription": "", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "TagMap", + "type": "object" + } + }, + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.Filter": { + "additionalProperties": false, + "properties": { + 
"RetainAtLeast": { + "markdownDescription": "", + "title": "RetainAtLeast", + "type": "number" + }, + "Type": { + "markdownDescription": "", + "title": "Type", + "type": "string" + }, + "Unit": { + "markdownDescription": "", + "title": "Unit", + "type": "string" + }, + "Value": { + "markdownDescription": "", + "title": "Value", + "type": "number" + } + }, + "required": [ + "Type", + "Value" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.IncludeResources": { + "additionalProperties": false, + "properties": { + "Amis": { + "markdownDescription": "", + "title": "Amis", + "type": "boolean" + }, + "Containers": { + "markdownDescription": "", + "title": "Containers", + "type": "boolean" + }, + "Snapshots": { + "markdownDescription": "", + "title": "Snapshots", + "type": "boolean" + } + }, + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.LastLaunched": { + "additionalProperties": false, + "properties": { + "Unit": { + "markdownDescription": "", + "title": "Unit", + "type": "string" + }, + "Value": { + "markdownDescription": "", + "title": "Value", + "type": "number" + } + }, + "required": [ + "Unit", + "Value" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.PolicyDetail": { + "additionalProperties": false, + "properties": { + "Action": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.Action", + "markdownDescription": "", + "title": "Action" + }, + "ExclusionRules": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.ExclusionRules", + "markdownDescription": "", + "title": "ExclusionRules" + }, + "Filter": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.Filter", + "markdownDescription": "", + "title": "Filter" + } + }, + "required": [ + "Action", + "Filter" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.RecipeSelection": { + "additionalProperties": false, + "properties": { + "Name": { + "markdownDescription": "", + "title": "Name", + "type": "string" + }, + 
"SemanticVersion": { + "markdownDescription": "", + "title": "SemanticVersion", + "type": "string" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, + "AWS::ImageBuilder::LifecyclePolicy.ResourceSelection": { + "additionalProperties": false, + "properties": { + "Recipes": { + "items": { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy.RecipeSelection" + }, + "markdownDescription": "", + "title": "Recipes", + "type": "array" + }, + "TagMap": { + "additionalProperties": true, + "markdownDescription": "", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, + "title": "TagMap", + "type": "object" + } + }, + "type": "object" + }, + "AWS::Inspector::AssessmentTarget": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "AssessmentTargetName": { + "markdownDescription": "The name of the Amazon Inspector assessment target. The name must be unique within the AWS account .", + "title": "AssessmentTargetName", + "type": "string" + }, + "ResourceGroupArn": { + "markdownDescription": "The ARN that specifies the resource group that is used to create the assessment target. 
If `resourceGroupArn` is not specified, all EC2 instances in the current AWS account and Region are included in the assessment target.", + "title": "ResourceGroupArn", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Inspector::AssessmentTarget" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::Inspector::AssessmentTemplate": { "additionalProperties": false, "properties": { "Condition": { 
@@ -105831,7 +110546,7 @@ "properties": { "HealthEventsConfig": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.HealthEventsConfig", - "markdownDescription": "", + "markdownDescription": "A complex type with the configuration information that determines the threshold and other conditions for when Internet Monitor creates a health event for an overall performance or availability issue, across an application's geographies.\n\nDefines the percentages, for overall performance scores and availability scores for an application, that are the thresholds for when Amazon CloudWatch Internet Monitor creates a health event. You can override the defaults to set a custom threshold for overall performance or availability scores, or both.\n\nYou can also set thresholds for local health scores,, where Internet Monitor creates a health event when scores cross a threshold for one or more city-networks, in addition to creating an event when an overall score crosses a threshold.\n\nIf you don't set a health event threshold, the default value is 95%.\n\nFor local thresholds, you also set a minimum percentage of overall traffic that is impacted by an issue before Internet Monitor creates an event. In addition, you can disable local thresholds, for performance scores, availability scores, or both.\n\nFor more information, see [Change health event thresholds](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-overview.html#IMUpdateThresholdFromOverview) in the Internet Monitor section of the *CloudWatch User Guide* .", "title": "HealthEventsConfig" }, "InternetMeasurementsLogDelivery": { 
@@ -105853,7 +110568,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs).", + "markdownDescription": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs). Use this option to add or remove resources when making an update.\n\n> Be aware that if you include content in the `Resources` field when you update a monitor, the `ResourcesToAdd` and `ResourcesToRemove` fields must be empty.", "title": "Resources", "type": "array" }, @@ -105861,7 +110576,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources to add to a monitor, which you provide as a set of Amazon Resource Names (ARNs).\n\nYou can add a combination of Virtual Private Clouds (VPCs) and Amazon CloudFront distributions, or you can add WorkSpaces directories. You can't add all three types of resources.\n\n> If you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.", + "markdownDescription": "The resources to include in a monitor, which you provide as a set of Amazon Resource Names (ARNs). Resources can be Amazon Virtual Private Cloud VPCs, Network Load Balancers (NLBs), Amazon CloudFront distributions, or Amazon WorkSpaces directories.\n\nYou can add a combination of VPCs and CloudFront distributions, or you can add WorkSpaces directories, or you can add NLBs. You can't add NLBs or WorkSpaces directories together with any other resources.\n\nIf you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "title": "ResourcesToAdd", "type": "array" }, 
@@ -105869,7 +110584,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs).", + "markdownDescription": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs)\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "title": "ResourcesToRemove", "type": "array" }, 
@@ -105922,18 +110637,22 @@ "additionalProperties": false, "properties": { "AvailabilityLocalHealthEventsConfig": { - "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig" + "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig", + "markdownDescription": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local availability issue.", + "title": "AvailabilityLocalHealthEventsConfig" }, "AvailabilityScoreThreshold": { - "markdownDescription": "", + "markdownDescription": "The health event threshold percentage set for availability scores. When the overall availability score is at or below this percentage, Internet Monitor creates a health event.", "title": "AvailabilityScoreThreshold", "type": "number" }, "PerformanceLocalHealthEventsConfig": { - "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig" + "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig", + "markdownDescription": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local performance issue.", + "title": "PerformanceLocalHealthEventsConfig" }, "PerformanceScoreThreshold": { - "markdownDescription": "", + "markdownDescription": "The health event threshold percentage set for performance scores. When the overall performance score is at or below this percentage, Internet Monitor creates a health event.", "title": "PerformanceScoreThreshold", "type": "number" } 
@@ -105945,7 +110664,7 @@ "properties": { "S3Config": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.S3Config", - "markdownDescription": "The configuration information for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise.", + "markdownDescription": "The configuration information for publishing Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs.", "title": "S3Config" } }, @@ -105955,12 +110674,18 @@ "additionalProperties": false, "properties": { "HealthScoreThreshold": { + "markdownDescription": "The health event threshold percentage set for a local health score.", + "title": "HealthScoreThreshold", "type": "number" }, "MinTrafficImpact": { + "markdownDescription": "The minimum percentage of overall traffic for an application that must be impacted by an issue before Internet Monitor creates an event when a threshold is crossed for a local health score.\n\nIf you don't set a minimum traffic impact threshold, the default value is 0.01%.", + "title": "MinTrafficImpact", "type": "number" }, "Status": { + "markdownDescription": "The status of whether Internet Monitor creates a health event based on a threshold percentage set for a local health score. The status can be `ENABLED` or `DISABLED` .", + "title": "Status", "type": "string" } }, 
@@ -105970,17 +110695,17 @@ "additionalProperties": false, "properties": { "BucketName": { - "markdownDescription": "The Amazon S3 bucket name for internet measurements publishing.", + "markdownDescription": "The Amazon S3 bucket name.", "title": "BucketName", "type": "string" }, "BucketPrefix": { - "markdownDescription": "An optional Amazon S3 bucket prefix for internet measurements publishing.", + "markdownDescription": "The Amazon S3 bucket prefix.", "title": "BucketPrefix", "type": "string" }, "LogDeliveryStatus": { - "markdownDescription": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise.", + "markdownDescription": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket.", "title": "LogDeliveryStatus", "type": "string" } @@ -106223,13 +110948,9 @@ "additionalProperties": false, "properties": { "CallbackOverrides": { - "markdownDescription": "An optional AWS Lambda function to invoke instead of the default AWS Lambda function provided by the placement template.", - "title": "CallbackOverrides", "type": "object" }, "DeviceType": { - "markdownDescription": "The device type, which currently must be `\"button\"` .", - "title": "DeviceType", "type": "string" } }, 
@@ -106386,12 +111107,12 @@ }, "IntermediateCaRevokedForActiveDeviceCertificatesCheck": { "$ref": "#/definitions/AWS::IoT::AccountAuditConfiguration.AuditCheckConfiguration", - "markdownDescription": "", + "markdownDescription": "Checks if device certificates are still active despite being revoked by an intermediate CA.", "title": "IntermediateCaRevokedForActiveDeviceCertificatesCheck" }, "IoTPolicyPotentialMisConfigurationCheck": { "$ref": "#/definitions/AWS::IoT::AccountAuditConfiguration.AuditCheckConfiguration", - "markdownDescription": "", + "markdownDescription": "Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.", "title": "IoTPolicyPotentialMisConfigurationCheck" }, "IotPolicyOverlyPermissiveCheck": { @@ -107394,6 +112115,8 @@ "items": { "type": "string" }, + "markdownDescription": "The package version Amazon Resource Names (ARNs) that are installed on the device\u2019s reserved named shadow ( `$package` ) when the job successfully completes.\n\n*Note:* Up to 25 package version ARNS are allowed.", + "title": "DestinationPackageVersions", "type": "array" }, "Document": { @@ -108014,6 +112737,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -108563,6 +113288,11 @@ "title": "Behaviors", "type": "array" }, + "MetricsExportConfig": { + "$ref": "#/definitions/AWS::IoT::SecurityProfile.MetricsExportConfig", + "markdownDescription": "Specifies the MQTT topic and role ARN required for metric export.", + "title": "MetricsExportConfig" + }, "SecurityProfileDescription": { "markdownDescription": "A description of the security profile.", "title": "SecurityProfileDescription", 
@@ -108637,9 +113367,14 @@ "properties": { "Criteria": { "$ref": "#/definitions/AWS::IoT::SecurityProfile.BehaviorCriteria", - "markdownDescription": "The criteria that determine if a device is behaving normally in regard to the `metric` .", + "markdownDescription": "The criteria that determine if a device is behaving normally in regard to the `metric` .\n\n> In the AWS IoT console, you can choose to be sent an alert through Amazon SNS when AWS IoT Device Defender detects that a device is behaving anomalously.", "title": "Criteria" }, + "ExportMetric": { + "markdownDescription": "Value indicates exporting metrics related to the behavior when it is true.", + "title": "ExportMetric", + "type": "boolean" + }, "Metric": { "markdownDescription": "What is measured by the behavior.", "title": "Metric", @@ -108740,6 +113475,11 @@ "AWS::IoT::SecurityProfile.MetricToRetain": { "additionalProperties": false, "properties": { + "ExportMetric": { + "markdownDescription": "The value indicates exporting metrics related to the `MetricToRetain` when it's true.", + "title": "ExportMetric", + "type": "boolean" + }, "Metric": { "markdownDescription": "A standard of measurement.", "title": "Metric", @@ -108804,6 +113544,26 @@ }, "type": "object" }, + "AWS::IoT::SecurityProfile.MetricsExportConfig": { + "additionalProperties": false, + "properties": { + "MqttTopic": { + "markdownDescription": "The MQTT topic that Device Defender Detect should publish messages to for metrics export.", + "title": "MqttTopic", + "type": "string" + }, + "RoleArn": { + "markdownDescription": "This role ARN has permission to publish MQTT messages, after which Device Defender Detect can assume the role and publish messages on your behalf.", + "title": "RoleArn", + "type": "string" + } + }, + "required": [ + "MqttTopic", + "RoleArn" + ], + "type": "object" + }, "AWS::IoT::SecurityProfile.StatisticalThreshold": { "additionalProperties": false, "properties": { 
@@ -108851,15 +113611,21 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A summary of the package being created. This can be used to outline the package's contents or purpose.", + "title": "Description", "type": "string" }, "PackageName": { + "markdownDescription": "The name of the new software package.", + "title": "PackageName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Metadata that can be used to manage the package.", + "title": "Tags", "type": "array" } }, @@ -108922,26 +113688,36 @@ "properties": { "Attributes": { "additionalProperties": true, + "markdownDescription": "Metadata that can be used to define a package version\u2019s configuration. For example, the S3 file location, configuration options that are being sent to the device or fleet.\n\nThe combined size of all the attributes on a package version is limited to 3KB.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Attributes", "type": "object" }, "Description": { + "markdownDescription": "A summary of the package version being created. This can be used to outline the package's contents or purpose.", + "title": "Description", "type": "string" }, "PackageName": { + "markdownDescription": "The name of the associated software package.", + "title": "PackageName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Metadata that can be used to manage the package version.", + "title": "Tags", "type": "array" }, "VersionName": { + "markdownDescription": "The name of the new package version.", + "title": "VersionName", "type": "string" } }, @@ -110019,6 +114795,8 @@ "items": { "$ref": "#/definitions/AWS::IoT::TopicRule.KafkaActionHeader" }, + "markdownDescription": "The list of Kafka headers that you specify.", + "title": "Headers", "type": "array" }, "Key": { 
@@ -110048,9 +114826,13 @@ "additionalProperties": false, "properties": { "Key": { + "markdownDescription": "The key of the Kafka header.", + "title": "Key", "type": "string" }, "Value": { + "markdownDescription": "The value of the Kafka header.", + "title": "Value", "type": "string" } }, @@ -112199,12 +116981,12 @@ "additionalProperties": false, "properties": { "CertificateArn": { - "markdownDescription": "", + "markdownDescription": "Lists device's certificate ARN.", "title": "CertificateArn", "type": "string" }, "ThingArn": { - "markdownDescription": "", + "markdownDescription": "Lists device's thing ARN.", "title": "ThingArn", "type": "string" } @@ -112215,7 +116997,7 @@ "additionalProperties": false, "properties": { "DevicePermissionRoleArn": { - "markdownDescription": "", + "markdownDescription": "Gets the device permission ARN. This is a required parameter.", "title": "DevicePermissionRoleArn", "type": "string" }, 
@@ -112223,22 +117005,22 @@ "items": { "$ref": "#/definitions/AWS::IoTCoreDeviceAdvisor::SuiteDefinition.DeviceUnderTest" }, - "markdownDescription": "", + "markdownDescription": "Gets the devices configured.", "title": "Devices", "type": "array" }, "IntendedForQualification": { - "markdownDescription": "", + "markdownDescription": "Gets the tests intended for qualification in a suite.", "title": "IntendedForQualification", "type": "boolean" }, "RootGroup": { - "markdownDescription": "", + "markdownDescription": "Gets the test suite root group. This is a required parameter. For updating or creating the latest qualification suite, if `intendedForQualification` is set to true, `rootGroup` can be an empty string. If `intendedForQualification` is false, `rootGroup` cannot be an empty string. If `rootGroup` is empty, and `intendedForQualification` is set to true, all the qualification tests are included, and the configuration is default.\n\nFor a qualification suite, the minimum length is 0, and the maximum is 2048. For a non-qualification suite, the minimum length is 1, and the maximum is 2048.", "title": "RootGroup", "type": "string" }, "SuiteDefinitionName": { - "markdownDescription": "", + "markdownDescription": "Gets the suite definition name. This is a required parameter.", "title": "SuiteDefinitionName", "type": "string" } 
@@ -114264,23 +119046,15 @@ "additionalProperties": false, "properties": { "CanInterface": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanInterface", - "markdownDescription": "(Optional) Information about a network interface specified by the Controller Area Network (CAN) protocol.", - "title": "CanInterface" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanInterface" }, "InterfaceId": { - "markdownDescription": "The ID of the network interface.", - "title": "InterfaceId", "type": "string" }, "ObdInterface": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdInterface", - "markdownDescription": "(Optional) Information about a network interface specified by the On-board diagnostic (OBD) II protocol.", - "title": "ObdInterface" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdInterface" }, "Type": { - "markdownDescription": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs.", - "title": "Type", "type": "string" } }, 
@@ -114399,28 +119173,18 @@ "additionalProperties": false, "properties": { "CanSignal": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanSignal", - "markdownDescription": "(Optional) Information about a single controller area network (CAN) signal and the messages it receives and transmits.", - "title": "CanSignal" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanSignal" }, "FullyQualifiedName": { - "markdownDescription": "The fully qualified name of a signal decoder as defined in a vehicle model.", - "title": "FullyQualifiedName", "type": "string" }, "InterfaceId": { - "markdownDescription": "The ID of a network interface that specifies what network protocol a vehicle follows.", - "title": "InterfaceId", "type": "string" }, "ObdSignal": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdSignal", - "markdownDescription": "(Optional) Information about signal messages using the on-board diagnostics (OBD) II protocol in a vehicle.", - "title": "ObdSignal" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdSignal" }, "Type": { - "markdownDescription": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs.", - "title": "Type", "type": "string" } }, 
@@ -115263,7 +120027,7 @@ "type": "array" }, "AssetModelId": { - "markdownDescription": "The ID of the asset model from which to create the asset.", + "markdownDescription": "The ID of the asset model from which to create the asset. This can be either the actual ID in UUID format, or else `externalId:` followed by the external ID, if it has one. For more information, see [Referencing objects with external IDs](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/object-ids.html#external-id-references) in the *AWS IoT SiteWise User Guide* .", "title": "AssetModelId", "type": "string" }, 
@@ -116021,7 +120785,7 @@ "type": "string" }, "PortalAuthMode": { - "markdownDescription": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center (successor to AWS Single Sign-On) to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", + "markdownDescription": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", "title": "PortalAuthMode", "type": "string" }, 
@@ -116316,6 +121080,17 @@ "title": "ComponentTypeId", "type": "string" }, + "CompositeComponentTypes": { + "additionalProperties": false, + "markdownDescription": "Maps strings to `compositeComponentTypes` of the `componentType` . `CompositeComponentType` is referenced by `componentTypeId` .", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "$ref": "#/definitions/AWS::IoTTwinMaker::ComponentType.CompositeComponentType" + } + }, + "title": "CompositeComponentTypes", + "type": "object" + }, "Description": { "markdownDescription": "The description of the component type.", "title": "Description", @@ -116379,7 +121154,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "The ID of the workspace that contains the component type.", "title": "WorkspaceId", "type": "string" } @@ -116411,6 +121186,17 @@ ], "type": "object" }, + "AWS::IoTTwinMaker::ComponentType.CompositeComponentType": { + "additionalProperties": false, + "properties": { + "ComponentTypeId": { + "markdownDescription": "The ID of the component type.", + "title": "ComponentTypeId", + "type": "string" + } + }, + "type": "object" + }, "AWS::IoTTwinMaker::ComponentType.DataConnector": { "additionalProperties": false, "properties": { @@ -116603,7 +121389,7 @@ "title": "DefaultValue" }, "IsExternalId": { - "markdownDescription": "A boolean value that specifies whether the property ID comes from an external data store.", + "markdownDescription": "A Boolean value that specifies whether the property ID comes from an external data source.", "title": "IsExternalId", "type": "boolean" }, 
@@ -116738,13 +121524,24 @@ "title": "Components", "type": "object" }, + "CompositeComponents": { + "additionalProperties": false, + "markdownDescription": "Maps string to `compositeComponent` updates in the request. Each key of the map represents the `componentPath` of the `compositeComponent` .", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "$ref": "#/definitions/AWS::IoTTwinMaker::Entity.CompositeComponent" + } + }, + "title": "CompositeComponents", + "type": "object" + }, "Description": { "markdownDescription": "The description of the entity.", "title": "Description", "type": "string" }, "EntityId": { - "markdownDescription": "The entity ID.", + "markdownDescription": "The ID of the entity.", "title": "EntityId", "type": "string" }, @@ -116770,7 +121567,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "The ID of the workspace that contains the entity.", "title": "WorkspaceId", "type": "string" } @@ -116811,7 +121608,7 @@ "type": "string" }, "ComponentTypeId": { - "markdownDescription": "The ID of the ComponentType.", + "markdownDescription": "The ID of the component type.", "title": "ComponentTypeId", "type": "string" }, 
@@ -116855,6 +121652,59 @@ }, "type": "object" }, + "AWS::IoTTwinMaker::Entity.CompositeComponent": { + "additionalProperties": false, + "properties": { + "ComponentName": { + "markdownDescription": "The name of the component.", + "title": "ComponentName", + "type": "string" + }, + "ComponentPath": { + "markdownDescription": "The path to the composite component, starting from the top-level component.", + "title": "ComponentPath", + "type": "string" + }, + "ComponentTypeId": { + "markdownDescription": "The ID of the composite component type.", + "title": "ComponentTypeId", + "type": "string" + }, + "Description": { + "markdownDescription": "The description of the component type.", + "title": "Description", + "type": "string" + }, + "Properties": { + "additionalProperties": false, + "markdownDescription": "Map of strings to the properties in the component type. Each string in the mapping must be unique to this component.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "$ref": "#/definitions/AWS::IoTTwinMaker::Entity.Property" + } + }, + "title": "Properties", + "type": "object" + }, + "PropertyGroups": { + "additionalProperties": false, + "markdownDescription": "The property groups.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "$ref": "#/definitions/AWS::IoTTwinMaker::Entity.PropertyGroup" + } + }, + "title": "PropertyGroups", + "type": "object" + }, + "Status": { + "$ref": "#/definitions/AWS::IoTTwinMaker::Entity.Status", + "markdownDescription": "The current status of the composite component.", + "title": "Status" + } + }, + "type": "object" + }, "AWS::IoTTwinMaker::Entity.DataType": { "additionalProperties": false, "properties": { @@ -117164,7 +122014,7 @@ "type": "string" }, "SceneId": { - "markdownDescription": "The scene ID.", + "markdownDescription": "The ID of the scene.", "title": "SceneId", "type": "string" }, 
@@ -117191,7 +122041,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "", "title": "WorkspaceId", "type": "string" } @@ -118100,6 +122950,8 @@ "additionalProperties": false, "properties": { "AccountLinked": { + "markdownDescription": "Whether the partner account is linked to the AWS account.", + "title": "AccountLinked", "type": "boolean" }, "PartnerAccountId": { @@ -118108,6 +122960,8 @@ "type": "string" }, "PartnerType": { + "markdownDescription": "The partner type.", + "title": "PartnerType", "type": "string" }, "Sidewalk": { @@ -118116,10 +122970,14 @@ "title": "Sidewalk" }, "SidewalkResponse": { - "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkAccountInfoWithFingerprint" + "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkAccountInfoWithFingerprint", + "markdownDescription": "", + "title": "SidewalkResponse" }, "SidewalkUpdate": { - "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkUpdateAccount" + "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkUpdateAccount", + "markdownDescription": "Sidewalk update.", + "title": "SidewalkUpdate" }, "Tags": { "items": { @@ -118416,7 +123274,9 @@ "type": "boolean" }, "LoRaWANUpdateGatewayTaskEntry": { - "$ref": "#/definitions/AWS::IoTWireless::TaskDefinition.LoRaWANUpdateGatewayTaskEntry" + "$ref": "#/definitions/AWS::IoTWireless::TaskDefinition.LoRaWANUpdateGatewayTaskEntry", + "markdownDescription": "LoRaWANUpdateGatewayTaskEntry object.", + "title": "LoRaWANUpdateGatewayTaskEntry" }, "Name": { "markdownDescription": "The name of the new resource.", @@ -118432,6 +123292,8 @@ "type": "array" }, "TaskDefinitionType": { + "markdownDescription": "A filter to list only the wireless gateway task definitions that use this task definition type.", + "title": "TaskDefinitionType", "type": "string" }, "Update": { 
@@ -118660,13 +123522,13 @@ "additionalProperties": false, "properties": { "DevAddr": { - "markdownDescription": "The DevAddr value.", + "markdownDescription": "", "title": "DevAddr", "type": "string" }, "SessionKeys": { "$ref": "#/definitions/AWS::IoTWireless::WirelessDevice.SessionKeysAbpV10x", - "markdownDescription": "Session keys for ABP v1.0.x", + "markdownDescription": "", "title": "SessionKeys" } }, @@ -118701,7 +123563,7 @@ "properties": { "AbpV10x": { "$ref": "#/definitions/AWS::IoTWireless::WirelessDevice.AbpV10x", - "markdownDescription": "LoRaWAN object for create APIs.", + "markdownDescription": "", "title": "AbpV10x" }, "AbpV11": { @@ -118741,12 +123603,12 @@ "additionalProperties": false, "properties": { "AppEui": { - "markdownDescription": "The AppEUI value, with pattern of `[a-fA-F0-9]{16}` .", + "markdownDescription": "", "title": "AppEui", "type": "string" }, "AppKey": { - "markdownDescription": "The AppKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "AppKey", "type": "string" } 
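Review bot: The `AppKey` entry in the `@@ -118741` hunk now carries `"markdownDescription": ""`, which drops the only text telling template authors that the value is a secret and should be supplied through a Secrets Manager dynamic reference. The `@@ -118787` hunk does the same for `AppSKey` and `NwkSKey`. This file looks like a regenerated schema, so the fix probably belongs in the generation step: when the upstream description comes back empty, keep the previous non-empty string instead of overwriting it. Until that is in place, restoring the removed description text on these three properties keeps the secret-handling guidance visible wherever the schema's descriptions are shown. The other emptied descriptions in these hunks (`DevAddr`, `SessionKeys`, `AbpV10x`, `AppEui`) are lower risk but appear to share the same cause.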
@@ -118787,12 +123649,12 @@ "additionalProperties": false, "properties": { "AppSKey": { - "markdownDescription": "The AppSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "AppSKey", "type": "string" }, "NwkSKey": { - "markdownDescription": "The NwkSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "NwkSKey", "type": "string" } 
@@ -119101,7 +123963,7 @@ "additionalProperties": false, "properties": { "AliasName": { - "markdownDescription": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .\n\n*Pattern* : `^alias/[a-zA-Z0-9/_-]+$`\n\n*Minimum* : `1`\n\n*Maximum* : `256`", + "markdownDescription": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .", "title": "AliasName", "type": "string" }, 
@@ -119174,6 +124036,8 @@ "additionalProperties": false, "properties": { "BypassPolicyLockoutSafetyCheck": { + "markdownDescription": "Skips (\"bypasses\") the key policy lockout safety check. The default value is false.\n\n> Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.\n> \n> For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) in the *AWS Key Management Service Developer Guide* . \n\nUse this parameter only when you intend to prevent the principal that is making the request from making a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key.", + "title": "BypassPolicyLockoutSafetyCheck", "type": "boolean" }, "Description": { 
@@ -119182,7 +124046,7 @@ "type": "string" }, "EnableKeyRotation": { - "markdownDescription": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys and HMAC KMS keys, omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin `EXTERNAL` , omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. 
For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "EnableKeyRotation", "type": "boolean" }, 
@@ -119192,7 +124056,7 @@ "type": "boolean" }, "KeyPolicy": { - "markdownDescription": "The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section of the **AWS Key Management Service Developer Guide** .\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. 
For details, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", + "markdownDescription": "The key policy to attach to the KMS key.\n\nIf you provide a key policy, it must meet the following criteria:\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) in the *AWS Key Management Service Developer Guide* . (To omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you do not provide a key policy, AWS KMS attaches a default key policy to the KMS key. 
For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", "title": "KeyPolicy", "type": "object" }, 
@@ -119212,10 +124076,12 @@ "type": "boolean" }, "Origin": { + "markdownDescription": "The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is `AWS_KMS` , which means that AWS KMS creates the key material.\n\nTo [create a KMS key with no key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) (for imported key material), set this value to `EXTERNAL` . For more information about importing key material into AWS KMS , see [Importing Key Material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) in the *AWS Key Management Service Developer Guide* .\n\nYou can ignore `ENABLED` when Origin is `EXTERNAL` . When a KMS key with Origin `EXTERNAL` is created, the key state is `PENDING_IMPORT` and `ENABLED` is `false` . After you import the key material, `ENABLED` updated to `true` . The KMS key can then be used for Cryptographic Operations.\n\n> AWS CloudFormation doesn't support creating an `Origin` parameter of the `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` values.", + "title": "Origin", "type": "string" }, "PendingWindowInDays": { - "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. 
When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . 
For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. 
For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "PendingWindowInDays", "type": "number" }, 
@@ -119301,7 +124167,7 @@ "type": "object" }, "PendingWindowInDays": { - "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . 
For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. 
This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "PendingWindowInDays", "type": "number" }, @@ -119881,6 +124747,8 @@ "type": "string" }, "LanguageCode": { + "markdownDescription": "The code for a language. This shows a supported language for all documents in the data source. English is supported by default. For more information on supported languages, including their codes, see [Adding documents in languages other than English](https://docs.aws.amazon.com/kendra/latest/dg/in-adding-languages.html) .", + "title": "LanguageCode", "type": "string" }, "Name": { 
@@ -120388,17 +125256,17 @@ "additionalProperties": false, "properties": { "DataSourceFieldName": { - "markdownDescription": "The name of the column or attribute in the data source.", + "markdownDescription": "The name of the field in the data source. You must first create the index field using the `UpdateIndex` API.", "title": "DataSourceFieldName", "type": "string" }, "DateFieldFormat": { - "markdownDescription": "The type of data stored in the column or attribute.", + "markdownDescription": "The format for date fields in the data source. If the field specified in `DataSourceFieldName` is a date field, you must specify the date format. If the field is not a date field, an exception is thrown.", "title": "DateFieldFormat", "type": "string" }, "IndexFieldName": { - "markdownDescription": "The name of the field in the index.", + "markdownDescription": "The name of the index field to map to the data source field. The index field type must match the data source field type.", "title": "IndexFieldName", "type": "string" } @@ -121680,7 +126548,7 @@ "properties": { "CapacityUnits": { "$ref": "#/definitions/AWS::Kendra::Index.CapacityUnitsConfiguration", - "markdownDescription": "", + "markdownDescription": "Specifies additional capacity units configured for your Enterprise Edition index. You can add and remove capacity units to fit your usage requirements.", "title": "CapacityUnits" }, "Description": { @@ -123094,7 +127962,7 @@ }, "RunConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.RunConfiguration", - "markdownDescription": "", + "markdownDescription": "Describes the starting parameters for an Managed Service for Apache Flink application.", "title": "RunConfiguration" }, "RuntimeEnvironment": { 
@@ -123168,27 +128036,27 @@ "properties": { "ApplicationCodeConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationCodeConfiguration", - "markdownDescription": "The code location and type parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The code location and type parameters for a Managed Service for Apache Flink application.", "title": "ApplicationCodeConfiguration" }, "ApplicationSnapshotConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationSnapshotConfiguration", - "markdownDescription": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", "title": "ApplicationSnapshotConfiguration" }, "EnvironmentProperties": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.EnvironmentProperties", - "markdownDescription": "Describes execution properties for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes execution properties for a Managed Service for Apache Flink application.", "title": "EnvironmentProperties" }, "FlinkApplicationConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.FlinkApplicationConfiguration", - "markdownDescription": "The creation and update parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The creation and update parameters for a Managed Service for Apache Flink application.", "title": "FlinkApplicationConfiguration" }, "SqlApplicationConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.SqlApplicationConfiguration", - "markdownDescription": "The creation and update parameters for a SQL-based Kinesis Data Analytics application.", + "markdownDescription": "The creation and update parameters for a SQL-based Managed Service for Apache Flink 
application.", "title": "SqlApplicationConfiguration" }, "VpcConfigurations": { @@ -123244,7 +128112,7 @@ "additionalProperties": false, "properties": { "SnapshotsEnabled": { - "markdownDescription": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", "title": "SnapshotsEnabled", "type": "boolean" } 
@@ -123294,12 +128162,12 @@ "type": "number" }, "CheckpointingEnabled": { - "markdownDescription": "Describes whether checkpointing is enabled for a Flink-based Kinesis Data Analytics application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", + "markdownDescription": "Describes whether checkpointing is enabled for a Managed Service for Apache Flink application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", "title": "CheckpointingEnabled", "type": "boolean" }, "ConfigurationType": { - "markdownDescription": "Describes whether the application uses Kinesis Data Analytics' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", + "markdownDescription": "Describes whether the application uses Managed Service for Apache Flink' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", "title": "ConfigurationType", "type": "string" }, 
@@ -123323,12 +128191,12 @@ "title": "S3ContentLocation" }, "TextContent": { - "markdownDescription": "The text-format code for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The text-format code for a Managed Service for Apache Flink application.", "title": "TextContent", "type": "string" }, "ZipFileContent": { - "markdownDescription": "The zip-format code for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The zip-format code for a Managed Service for Apache Flink application.", "title": "ZipFileContent", "type": "string" } @@ -123440,7 +128308,7 @@ }, "InputProcessingConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.InputProcessingConfiguration", - "markdownDescription": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) .", + "markdownDescription": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) .", "title": "InputProcessingConfiguration" }, "InputSchema": { 
@@ -123459,7 +128327,7 @@ "title": "KinesisStreamsInput" }, "NamePrefix": { - "markdownDescription": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Kinesis Data Analytics then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on.", + "markdownDescription": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Managed Service for Apache Flink then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on.", "title": "NamePrefix", "type": "string" } @@ -123500,7 +128368,7 @@ "properties": { "InputLambdaProcessor": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.InputLambdaProcessor", - "markdownDescription": "The [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code.", + "markdownDescription": "The [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code.", "title": "InputLambdaProcessor" } }, 
@@ -123646,17 +128514,17 @@ "additionalProperties": false, "properties": { "AutoScalingEnabled": { - "markdownDescription": "Describes whether the Kinesis Data Analytics service can increase the parallelism of the application in response to increased throughput.", + "markdownDescription": "Describes whether the Managed Service for Apache Flink service can increase the parallelism of the application in response to increased throughput.", "title": "AutoScalingEnabled", "type": "boolean" }, "ConfigurationType": { - "markdownDescription": "Describes whether the application uses the default parallelism for the Kinesis Data Analytics service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", + "markdownDescription": "Describes whether the application uses the default parallelism for the Managed Service for Apache Flink service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", "title": "ConfigurationType", "type": "string" }, "Parallelism": { - "markdownDescription": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", + "markdownDescription": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. 
The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", "title": "Parallelism", "type": "number" }, @@ -123747,7 +128615,7 @@ }, "FlinkRunConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.FlinkRunConfiguration", - "markdownDescription": "Describes the starting parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes the starting parameters for a Managed Service for Apache Flink application.", "title": "FlinkRunConfiguration" } }, @@ -123804,7 +128672,7 @@ "items": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.Input" }, - "markdownDescription": "The array of [Input](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_Input.html) objects describing the input streams used by the application.", + "markdownDescription": "The array of [Input](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_Input.html) objects describing the input streams used by the application.", "title": "Inputs", "type": "array" } 
@@ -124006,7 +128874,7 @@ }, "Output": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationOutput.Output", - "markdownDescription": "Describes a SQL-based Kinesis Data Analytics application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.", + "markdownDescription": "Describes a SQL-based Managed Service for Apache Flink application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.", "title": "Output" } }, @@ -124166,7 +129034,7 @@ }, "ReferenceDataSource": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource.ReferenceDataSource", - "markdownDescription": "For a SQL-based Kinesis Data Analytics application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.", + "markdownDescription": "For a SQL-based Managed Service for Apache Flink application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.", "title": "ReferenceDataSource" } }, 
@@ -124301,7 +129169,7 @@ }, "S3ReferenceDataSource": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource.S3ReferenceDataSource", - "markdownDescription": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", + "markdownDescription": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", "title": "S3ReferenceDataSource" }, "TableName": { @@ -124400,7 +129268,7 @@ "properties": { "AmazonOpenSearchServerlessDestinationConfiguration": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessDestinationConfiguration", - "markdownDescription": "", + "markdownDescription": "Describes the configuration of a destination in the Serverless offering for Amazon OpenSearch Service.", "title": "AmazonOpenSearchServerlessDestinationConfiguration" }, "AmazonopensearchserviceDestinationConfiguration": { 
@@ -124444,7 +129312,9 @@ "title": "KinesisStreamSourceConfiguration" }, "MSKSourceConfiguration": { - "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.MSKSourceConfiguration" + "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.MSKSourceConfiguration", + "markdownDescription": "The configuration for the Amazon MSK cluster to be used as the source for a delivery stream.", + "title": "MSKSourceConfiguration" }, "RedshiftDestinationConfiguration": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.RedshiftDestinationConfiguration", @@ -124496,12 +129366,12 @@ "additionalProperties": false, "properties": { "IntervalInSeconds": { - "markdownDescription": "", + "markdownDescription": "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300 (5 minutes).", "title": "IntervalInSeconds", "type": "number" }, "SizeInMBs": { - "markdownDescription": "", + "markdownDescription": "Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.\n\nWe recommend setting this parameter to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec, the value should be 10 MB or higher.", "title": "SizeInMBs", "type": "number" } @@ -124513,7 +129383,7 @@ "properties": { "BufferingHints": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessBufferingHints", - "markdownDescription": "", + "markdownDescription": "The buffering options. If no value is specified, the default values for AmazonopensearchserviceBufferingHints are used.", "title": "BufferingHints" }, "CloudWatchLoggingOptions": { 
@@ -124522,12 +129392,12 @@ "title": "CloudWatchLoggingOptions" }, "CollectionEndpoint": { - "markdownDescription": "", + "markdownDescription": "The endpoint to use when communicating with the collection in the Serverless offering for Amazon OpenSearch Service.", "title": "CollectionEndpoint", "type": "string" }, "IndexName": { - "markdownDescription": "", + "markdownDescription": "The Serverless offering for Amazon OpenSearch Service index name.", "title": "IndexName", "type": "string" }, @@ -124538,16 +129408,16 @@ }, "RetryOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessRetryOptions", - "markdownDescription": "", + "markdownDescription": "The retry behavior in case Kinesis Data Firehose is unable to deliver documents to the Serverless offering for Amazon OpenSearch Service. The default value is 300 (5 minutes).", "title": "RetryOptions" }, "RoleARN": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to be assumed by Kinesis Data Firehose for calling the Serverless offering for Amazon OpenSearch Service Configuration API and for indexing documents.", "title": "RoleARN", "type": "string" }, "S3BackupMode": { - "markdownDescription": "", + "markdownDescription": "Defines how documents should be delivered to Amazon S3. When it is set to FailedDocumentsOnly, Kinesis Data Firehose writes any documents that could not be indexed to the configured Amazon S3 destination, with AmazonOpenSearchService-failed/ appended to the key prefix. When set to AllDocuments, Kinesis Data Firehose delivers all incoming records to Amazon S3, and also writes failed documents with AmazonOpenSearchService-failed/ appended to the prefix.", "title": "S3BackupMode", "type": "string" }, 
@@ -124573,7 +129443,7 @@ "additionalProperties": false, "properties": { "DurationInSeconds": { - "markdownDescription": "", + "markdownDescription": "After an initial failure to deliver to the Serverless offering for Amazon OpenSearch Service, the total amount of time during which Kinesis Data Firehose retries delivery (including the first attempt). After this time has elapsed, the failed documents are written to Amazon S3. Default value is 300 seconds (5 minutes). A value of 0 (zero) results in no retries.", "title": "DurationInSeconds", "type": "number" } @@ -124616,7 +129486,7 @@ }, "DocumentIdOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.DocumentIdOptions", - "markdownDescription": "", + "markdownDescription": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "title": "DocumentIdOptions" }, "DomainARN": { @@ -124692,9 +129562,13 @@ "additionalProperties": false, "properties": { "Connectivity": { + "markdownDescription": "The type of connectivity used to access the Amazon MSK cluster.", + "title": "Connectivity", "type": "string" }, "RoleARN": { + "markdownDescription": "The ARN of the role used to access the Amazon MSK cluster.", + "title": "RoleARN", "type": "string" } }, 
@@ -124830,7 +129704,7 @@ "additionalProperties": false, "properties": { "DefaultDocumentIdFormat": { - "markdownDescription": "", + "markdownDescription": "When the `FIREHOSE_DEFAULT` option is chosen, Kinesis Data Firehose generates a unique document ID for each record based on a unique internal identifier. The generated document ID is stable across multiple delivery attempts, which helps prevent the same record from being indexed multiple times with different document IDs.\n\nWhen the `NO_DOCUMENT_ID` option is chosen, Kinesis Data Firehose does not include any document IDs in the requests it sends to the Amazon OpenSearch Service. This causes the Amazon OpenSearch Service domain to generate document IDs. In case of multiple delivery attempts, this may cause the same record to be indexed more than once with different document IDs. This option enables write-heavy operations, such as the ingestion of logs and observability data, to consume less resources in the Amazon OpenSearch Service domain, resulting in improved performance.", "title": "DefaultDocumentIdFormat", "type": "string" } @@ -124892,7 +129766,7 @@ }, "DocumentIdOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.DocumentIdOptions", - "markdownDescription": "", + "markdownDescription": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "title": "DocumentIdOptions" }, "DomainARN": { 
@@ -125236,12 +130110,18 @@ "additionalProperties": false, "properties": { "AuthenticationConfiguration": { - "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AuthenticationConfiguration" + "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AuthenticationConfiguration", + "markdownDescription": "The authentication configuration of the Amazon MSK cluster.", + "title": "AuthenticationConfiguration" }, "MSKClusterARN": { + "markdownDescription": "The ARN of the Amazon MSK cluster.", + "title": "MSKClusterARN", "type": "string" }, "TopicName": { + "markdownDescription": "The topic name within the Amazon MSK cluster.", + "title": "TopicName", "type": "string" } }, @@ -126090,6 +130970,8 @@ "type": "boolean" }, "AllowFullTableExternalDataAccess": { + "markdownDescription": "Specifies whether query engines and applications can get credentials without IAM session tags if the user has full table access. It provides query engines and applications performance benefits as well as simplifies data access. Amazon EMR on Amazon EC2 is able to leverage this setting.\n\nFor more information, see [](https://docs.aws.amazon.com/lake-formation/latest/dg/using-cred-vending.html)", + "title": "AllowFullTableExternalDataAccess", "type": "boolean" }, "AuthorizedSessionTagValueList": { @@ -126116,6 +130998,8 @@ "title": "ExternalDataFilteringAllowList" }, "MutationType": { + "markdownDescription": "Specifies whether the data lake settings are updated by adding new values to the current settings ( `APPEND` ) or by replacing the current settings with new settings ( `REPLACE` ).\n\n> If you choose `REPLACE` , your current data lake settings will be replaced with the new values in your template.", + "title": "MutationType", "type": "string" }, "Parameters": { 
@@ -126768,7 +131652,7 @@ "additionalProperties": false, "properties": { "CatalogId": { - "markdownDescription": "", + "markdownDescription": "The identifier for the Data Catalog. By default, it is the account ID of the caller.", "title": "CatalogId", "type": "string" }, @@ -127574,7 +132458,7 @@ "additionalProperties": false, "properties": { "Destination": { - "markdownDescription": "The Amazon Resource Name (ARN) of the destination resource.", + "markdownDescription": "The Amazon Resource Name (ARN) of the destination resource.\n\nTo retain records of [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination.\n\nTo retain records of failed invocations from [Kinesis and DynamoDB event sources](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html#event-source-mapping-destinations) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.\n\nTo retain records of failed invocations from [self-managed Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#services-smaa-onfailure-destination) or [Amazon MSK](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-onfailure-destination) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.", "title": "Destination", "type": "string" } 
@@ -127664,7 +132548,7 @@ "type": "boolean" }, "EventSourceArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the event source.\n\n- *Amazon Kinesis* \u2013 The ARN of the data stream or a stream consumer.\n- *Amazon DynamoDB Streams* \u2013 The ARN of the stream.\n- *Amazon Simple Queue Service* \u2013 The ARN of the queue.\n- *Amazon Managed Streaming for Apache Kafka* \u2013 The ARN of the cluster.\n- *Amazon MQ* \u2013 The ARN of the broker.\n- *Amazon DocumentDB* \u2013 The ARN of the DocumentDB change stream.", + "markdownDescription": "The Amazon Resource Name (ARN) of the event source.\n\n- *Amazon Kinesis* \u2013 The ARN of the data stream or a stream consumer.\n- *Amazon DynamoDB Streams* \u2013 The ARN of the stream.\n- *Amazon Simple Queue Service* \u2013 The ARN of the queue.\n- *Amazon Managed Streaming for Apache Kafka* \u2013 The ARN of the cluster or the ARN of the VPC connection (for [cross-account event source mappings](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#msk-multi-vpc) ).\n- *Amazon MQ* \u2013 The ARN of the broker.\n- *Amazon DocumentDB* \u2013 The ARN of the DocumentDB change stream.", "title": "EventSourceArn", "type": "string" }, 
@@ -127873,7 +132757,7 @@ "additionalProperties": false, "properties": { "Destination": { - "markdownDescription": "The Amazon Resource Name (ARN) of the destination resource.", + "markdownDescription": "The Amazon Resource Name (ARN) of the destination resource.\n\nTo retain records of [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination.\n\nTo retain records of failed invocations from [Kinesis and DynamoDB event sources](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html#event-source-mapping-destinations) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.\n\nTo retain records of failed invocations from [self-managed Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#services-smaa-onfailure-destination) or [Amazon MSK](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-onfailure-destination) , you can configure an Amazon SNS topic or Amazon SQS queue as the destination.", "title": "Destination", "type": "string" } 
@@ -128038,8 +132922,13 @@ "title": "Layers", "type": "array" }, + "LoggingConfig": { + "$ref": "#/definitions/AWS::Lambda::Function.LoggingConfig", + "markdownDescription": "The function's Amazon CloudWatch Logs configuration settings.", + "title": "LoggingConfig" + }, "MemorySize": { - "markdownDescription": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB.", + "markdownDescription": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase.", "title": "MemorySize", "type": "number" }, @@ -128048,9 +132937,6 @@ "title": "PackageType", "type": "string" }, - "Policy": { - "type": "object" - }, "ReservedConcurrentExecutions": { "markdownDescription": "The number of simultaneous executions to reserve for the function.", "title": "ReservedConcurrentExecutions", 
@@ -128247,6 +133133,32 @@ }, "type": "object" }, + "AWS::Lambda::Function.LoggingConfig": { + "additionalProperties": false, + "properties": { + "ApplicationLogLevel": { + "markdownDescription": "Set this property to filter the application logs for your function that Lambda sends to CloudWatch. Lambda only sends application logs at the selected level and lower.", + "title": "ApplicationLogLevel", + "type": "string" + }, + "LogFormat": { + "markdownDescription": "The format in which Lambda sends your function's application and system logs to CloudWatch. Select between plain text and structured JSON.", + "title": "LogFormat", + "type": "string" + }, + "LogGroup": { + "markdownDescription": "The name of the Amazon CloudWatch log group the function sends logs to. By default, Lambda functions send logs to a default log group named `/aws/lambda/` . To use a different log group, enter an existing log group or enter a new log group name.", + "title": "LogGroup", + "type": "string" + }, + "SystemLogLevel": { + "markdownDescription": "Set this property to filter the system logs for your function that Lambda sends to CloudWatch. Lambda only sends system logs at the selected level and lower.", + "title": "SystemLogLevel", + "type": "string" + } + }, + "type": "object" + }, "AWS::Lambda::Function.RuntimeManagementConfig": { "additionalProperties": false, "properties": { @@ -128311,6 +133223,8 @@ "additionalProperties": false, "properties": { "Ipv6AllowedForDualStack": { + "markdownDescription": "Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.", + "title": "Ipv6AllowedForDualStack", "type": "boolean" }, "SecurityGroupIds": { @@ -128835,7 +133749,9 @@ "title": "ProvisionedConcurrencyConfig" }, "RuntimePolicy": { - "$ref": "#/definitions/AWS::Lambda::Version.RuntimePolicy" + "$ref": "#/definitions/AWS::Lambda::Version.RuntimePolicy", + "markdownDescription": "", + "title": "RuntimePolicy" } }, "required": [ 
@@ -128882,9 +133798,13 @@ "additionalProperties": false, "properties": { "RuntimeVersionArn": { + "markdownDescription": "", + "title": "RuntimeVersionArn", "type": "string" }, "UpdateRuntimeOn": { + "markdownDescription": "", + "title": "UpdateRuntimeOn", "type": "string" } }, @@ -132305,7 +137225,9 @@ "type": "string" }, "PrivateRegistryAccess": { - "$ref": "#/definitions/AWS::Lightsail::Container.PrivateRegistryAccess" + "$ref": "#/definitions/AWS::Lightsail::Container.PrivateRegistryAccess", + "markdownDescription": "An object that describes the configuration for the container service to access private container image repositories, such as Amazon Elastic Container Registry ( Amazon ECR ) private repositories.\n\nFor more information, see [Configuring access to an Amazon ECR private repository for an Amazon Lightsail container service](https://docs.aws.amazon.com/latest/userguide/amazon-lightsail-container-service-ecr-private-repo-access) in the *Amazon Lightsail Developer Guide* .", + "title": "PrivateRegistryAccess" }, "PublicDomainNames": { "items": { @@ -132425,9 +137347,13 @@ "additionalProperties": false, "properties": { "IsActive": { + "markdownDescription": "A boolean value that indicates whether the `ECRImagePullerRole` is active.", + "title": "IsActive", "type": "boolean" }, "PrincipalArn": { + "markdownDescription": "The principle Amazon Resource Name (ARN) of the role. This property is read-only.", + "title": "PrincipalArn", "type": "string" } }, 
@@ -132505,7 +137431,9 @@ "additionalProperties": false, "properties": { "EcrImagePullerRole": { - "$ref": "#/definitions/AWS::Lightsail::Container.EcrImagePullerRole" + "$ref": "#/definitions/AWS::Lightsail::Container.EcrImagePullerRole", + "markdownDescription": "An object that describes the activation status of the role that you can use to grant a Lightsail container service access to Amazon ECR private repositories. If the role is activated, the Amazon Resource Name (ARN) of the role is also listed.", + "title": "EcrImagePullerRole" } }, "type": "object" @@ -132591,7 +137519,7 @@ "type": "string" }, "BackupRetention": { - "markdownDescription": "A Boolean value indicating whether automated backup retention is enabled for the database.", + "markdownDescription": "A Boolean value indicating whether automated backup retention is enabled for the database. Data Import Mode is enabled when `BackupRetention` is set to `false` , and is disabled when `BackupRetention` is set to `true` .", "title": "BackupRetention", "type": "boolean" }, @@ -132798,7 +137726,7 @@ }, "Location": { "$ref": "#/definitions/AWS::Lightsail::Disk.Location", - "markdownDescription": "", + "markdownDescription": "The AWS Region and Availability Zone where the disk is located.", "title": "Location" }, "SizeInGb": { @@ -132881,12 +137809,12 @@ "additionalProperties": false, "properties": { "AvailabilityZone": { - "markdownDescription": "", + "markdownDescription": "The Availability Zone where the disk is located.", "title": "AvailabilityZone", "type": "string" }, "RegionName": { - "markdownDescription": "", + "markdownDescription": "The AWS Region where the disk is located.", "title": "RegionName", "type": "string" } 
@@ -134359,15 +139287,23 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "Specify the data protection policy, in JSON.\n\nThis policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly.", + "title": "PolicyDocument", "type": "string" }, "PolicyName": { + "markdownDescription": "A name for the policy. 
This must be unique within the account.", + "title": "PolicyName", "type": "string" }, "PolicyType": { + "markdownDescription": "Currently the only valid value for this parameter is `DATA_PROTECTION_POLICY` .", + "title": "PolicyType", "type": "string" }, "Scope": { + "markdownDescription": "Currently the only valid value for this parameter is `ALL` , which specifies that the data protection policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used.", + "title": "Scope", "type": "string" } }, 
@@ -134399,6 +139335,257 @@ ], "type": "object" }, + "AWS::Logs::Delivery": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "DeliveryDestinationArn": { + "markdownDescription": "The ARN of the delivery destination that is associated with this delivery.", + "title": "DeliveryDestinationArn", + "type": "string" + }, + "DeliverySourceName": { + "markdownDescription": "The name of the delivery source that is associated with this delivery.", + "title": "DeliverySourceName", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags that have been assigned to this delivery.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "DeliveryDestinationArn", + "DeliverySourceName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Logs::Delivery" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::Logs::DeliveryDestination": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + 
"properties": { + "DeliveryDestinationPolicy": { + "markdownDescription": "A structure that contains information about one delivery destination policy.", + "title": "DeliveryDestinationPolicy", + "type": "object" + }, + "DestinationResourceArn": { + "markdownDescription": "The ARN of the AWS destination that this delivery destination represents. That AWS destination can be a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Kinesis Data Firehose.", + "title": "DestinationResourceArn", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of this delivery destination.", + "title": "Name", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags that have been assigned to this delivery destination.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Logs::DeliveryDestination" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::Logs::DeliverySource": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "LogType": { + "markdownDescription": "The type of log that the source is sending. 
For valid values for this parameter, see the documentation for the source service.", + "title": "LogType", + "type": "string" + }, + "Name": { + "markdownDescription": "The unique name of the delivery source.", + "title": "Name", + "type": "string" + }, + "ResourceArn": { + "markdownDescription": "", + "title": "ResourceArn", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags that have been assigned to this delivery source.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Name" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Logs::DeliverySource" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::Logs::Destination": { "additionalProperties": false, "properties": { @@ -134483,7 +139670,7 @@ ], "type": "object" }, - "AWS::Logs::LogGroup": { + "AWS::Logs::LogAnomalyDetector": { "additionalProperties": false, "properties": { "Condition": { 
@@ -134518,32 +139705,42 @@ "Properties": { "additionalProperties": false, "properties": { - "DataProtectionPolicy": { - "markdownDescription": "Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.\n\nFor more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .", - "title": "DataProtectionPolicy", - "type": "object" + "AccountId": { + "markdownDescription": "The ID of the account to create the anomaly detector in.", + "title": "AccountId", + "type": "string" }, - "KmsKeyId": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key to use when encrypting log data.\n\nTo associate an AWS KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs . This enables CloudWatch Logs to decrypt this data whenever it is requested.\n\nIf you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an `InvalidParameterException` error.\n\nLog group data is always encrypted in CloudWatch Logs . If you omit this key, the encryption does not use AWS KMS . For more information, see [Encrypt log data in CloudWatch Logs using AWS Key Management Service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)", - "title": "KmsKeyId", + "AnomalyVisibilityTime": { + "markdownDescription": "The number of days to have visibility on an anomaly. 
After this time period has elapsed for an anomaly, it will be automatically baselined and the anomaly detector will treat new occurrences of a similar anomaly as normal. Therefore, if you do not correct the cause of an anomaly during the time period specified in `AnomalyVisibilityTime` , it will be considered normal going forward and will not be detected as an anomaly.", + "title": "AnomalyVisibilityTime", + "type": "number" + }, + "DetectorName": { + "markdownDescription": "A name for this anomaly detector.", + "title": "DetectorName", "type": "string" }, - "LogGroupName": { - "markdownDescription": "The name of the log group. If you don't specify a name, AWS CloudFormation generates a unique ID for the log group.", - "title": "LogGroupName", + "EvaluationFrequency": { + "markdownDescription": "Specifies how often the anomaly detector is to run and look for anomalies. Set this value according to the frequency that the log group receives new logs. For example, if the log group receives new log events every 10 minutes, then 15 minutes might be a good setting for `EvaluationFrequency` .", + "title": "EvaluationFrequency", "type": "string" }, - "RetentionInDays": { - "markdownDescription": "The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.\n\nTo set a log group so that its log events do not expire, use [DeleteRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html) .", - "title": "RetentionInDays", - "type": "number" + "FilterPattern": { + "markdownDescription": "You can use this parameter to limit the anomaly detection model to examine only log events that match the pattern you specify here. 
For more information, see [Filter and Pattern Syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) .", + "title": "FilterPattern", + "type": "string" }, - "Tags": { + "KmsKeyId": { + "markdownDescription": "Optionally assigns a AWS KMS key to secure this anomaly detector and its findings. If a key is assigned, the anomalies found and the model used by this detector are encrypted at rest with the key. If a key is assigned to an anomaly detector, a user must have permissions for both this key and for the anomaly detector to retrieve information about the anomalies that it finds.\n\nFor more information about using a AWS KMS key and to see the required IAM policy, see [Use a AWS KMS key with an anomaly detector](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/LogsAnomalyDetection-KMS.html) .", + "title": "KmsKeyId", + "type": "string" + }, + "LogGroupArnList": { "items": { - "$ref": "#/definitions/Tag" + "type": "string" }, - "markdownDescription": "An array of key-value pairs to apply to the log group.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", - "title": "Tags", + "markdownDescription": "The ARN of the log group that is associated with this anomaly detector. You can specify only one log group ARN.", + "title": "LogGroupArnList", "type": "array" } }, @@ -134551,7 +139748,7 @@ }, "Type": { "enum": [ - "AWS::Logs::LogGroup" + "AWS::Logs::LogAnomalyDetector" ], "type": "string" }, 
@@ -134569,7 +139766,98 @@ ], "type": "object" }, - "AWS::Logs::LogStream": { + "AWS::Logs::LogGroup": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "DataProtectionPolicy": { + "markdownDescription": "Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.\n\nFor more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .", + "title": "DataProtectionPolicy", + "type": "object" + }, + "KmsKeyId": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key to use when encrypting log data.\n\nTo associate an AWS KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs . This enables CloudWatch Logs to decrypt this data whenever it is requested.\n\nIf you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an `InvalidParameterException` error.\n\nLog group data is always encrypted in CloudWatch Logs . 
If you omit this key, the encryption does not use AWS KMS . For more information, see [Encrypt log data in CloudWatch Logs using AWS Key Management Service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)", + "title": "KmsKeyId", + "type": "string" + }, + "LogGroupClass": { + "markdownDescription": "Specifies the log group class for this log group. There are two classes:\n\n- The `Standard` log class supports all CloudWatch Logs features.\n- The `Infrequent Access` log class supports a subset of CloudWatch Logs features and incurs lower costs.\n\nFor details about the features supported by each class, see [Log classes](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch_Logs_Log_Classes.html)", + "title": "LogGroupClass", + "type": "string" + }, + "LogGroupName": { + "markdownDescription": "The name of the log group. If you don't specify a name, AWS CloudFormation generates a unique ID for the log group.", + "title": "LogGroupName", + "type": "string" + }, + "RetentionInDays": { + "markdownDescription": "The number of days to retain the log events in the specified log group. 
Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.\n\nTo set a log group so that its log events do not expire, use [DeleteRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html) .", + "title": "RetentionInDays", + "type": "number" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "An array of key-value pairs to apply to the log group.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", + "type": "array" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::Logs::LogGroup" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::Logs::LogStream": { "additionalProperties": false, "properties": { "Condition": { @@ -135101,7 +140389,7 @@ "type": "string" }, "ModelName": { - "markdownDescription": "The name of the ML model used for the inference scheduler.", + "markdownDescription": "The name of the machine learning model used for the inference scheduler.", "title": "ModelName", "type": "string" }, @@ -136042,7 +141330,7 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the role associated with the application.", "title": "RoleArn", "type": "string" }, @@ -136433,7 +141721,7 @@ }, "ClientAuthentication": { "$ref": "#/definitions/AWS::MSK::Cluster.ClientAuthentication", - "markdownDescription": "Includes all client authentication related information.", + "markdownDescription": "VPC connection control settings for brokers.", "title": "ClientAuthentication" }, "ClusterName": { 
@@ -136570,7 +141858,7 @@ "title": "ConnectivityInfo" }, "InstanceType": { - "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, and kafka.m5.24xlarge, and kafka.t3.small.", + "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge, and kafka.t3.small.", "title": "InstanceType", "type": "string" }, @@ -136690,7 +141978,7 @@ "additionalProperties": false, "properties": { "DataVolumeKMSKeyId": { - "markdownDescription": "The ARN of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it.", + "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it.", "title": "DataVolumeKMSKeyId", "type": "string" } @@ -136741,7 +142029,7 @@ "type": "string" }, "Enabled": { - "markdownDescription": "Specifies whether broker logs get send to the specified Kinesis Data Firehose delivery stream.", + "markdownDescription": "Specifies whether broker logs get sent to the specified Kinesis Data Firehose delivery stream.", "title": "Enabled", "type": "boolean" } @@ -136936,7 +142224,7 @@ "items": { "type": "string" }, - "markdownDescription": "List of AWS Private CA ARNs.", + "markdownDescription": "List of AWS Private CA Amazon Resource Name (ARN)s.", "title": "CertificateAuthorityArnList", "type": "array" }, 
@@ -137169,7 +142457,9 @@ "type": "array" }, "LatestRevision": { - "$ref": "#/definitions/AWS::MSK::Configuration.LatestRevision" + "$ref": "#/definitions/AWS::MSK::Configuration.LatestRevision", + "markdownDescription": "Latest revision of the configuration.", + "title": "LatestRevision" }, "Name": { "markdownDescription": "The name of the configuration. Configuration names are strings that match the regex \"^[0-9A-Za-z][0-9A-Za-z-]{0,}$\".", @@ -137213,12 +142503,18 @@ "additionalProperties": false, "properties": { "CreationTime": { + "markdownDescription": "", + "title": "CreationTime", "type": "string" }, "Description": { + "markdownDescription": "", + "title": "Description", "type": "string" }, "Revision": { + "markdownDescription": "", + "title": "Revision", "type": "number" } }, @@ -137260,33 +142556,47 @@ "additionalProperties": false, "properties": { "CurrentVersion": { + "markdownDescription": "", + "title": "CurrentVersion", "type": "string" }, "Description": { + "markdownDescription": "", + "title": "Description", "type": "string" }, "KafkaClusters": { "items": { "$ref": "#/definitions/AWS::MSK::Replicator.KafkaCluster" }, + "markdownDescription": "", + "title": "KafkaClusters", "type": "array" }, "ReplicationInfoList": { "items": { "$ref": "#/definitions/AWS::MSK::Replicator.ReplicationInfo" }, + "markdownDescription": "", + "title": "ReplicationInfoList", "type": "array" }, "ReplicatorName": { + "markdownDescription": "", + "title": "ReplicatorName", "type": "string" }, "ServiceExecutionRoleArn": { + "markdownDescription": "", + "title": "ServiceExecutionRoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -137323,6 +142633,8 @@ "additionalProperties": false, "properties": { "MskClusterArn": { + "markdownDescription": "", + "title": "MskClusterArn", "type": "string" } }, 
@@ -137338,18 +142650,26 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "ConsumerGroupsToExclude", "type": "array" }, "ConsumerGroupsToReplicate": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "ConsumerGroupsToReplicate", "type": "array" }, "DetectAndCopyNewConsumerGroups": { + "markdownDescription": "", + "title": "DetectAndCopyNewConsumerGroups", "type": "boolean" }, "SynchroniseConsumerGroupOffsets": { + "markdownDescription": "", + "title": "SynchroniseConsumerGroupOffsets", "type": "boolean" } }, @@ -137362,10 +142682,14 @@ "additionalProperties": false, "properties": { "AmazonMskCluster": { - "$ref": "#/definitions/AWS::MSK::Replicator.AmazonMskCluster" + "$ref": "#/definitions/AWS::MSK::Replicator.AmazonMskCluster", + "markdownDescription": "", + "title": "AmazonMskCluster" }, "VpcConfig": { - "$ref": "#/definitions/AWS::MSK::Replicator.KafkaClusterClientVpcConfig" + "$ref": "#/definitions/AWS::MSK::Replicator.KafkaClusterClientVpcConfig", + "markdownDescription": "", + "title": "VpcConfig" } }, "required": [ @@ -137381,12 +142705,16 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "SecurityGroupIds", "type": "array" }, "SubnetIds": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "SubnetIds", "type": "array" } }, 
@@ -137399,19 +142727,29 @@ "additionalProperties": false, "properties": { "ConsumerGroupReplication": { - "$ref": "#/definitions/AWS::MSK::Replicator.ConsumerGroupReplication" + "$ref": "#/definitions/AWS::MSK::Replicator.ConsumerGroupReplication", + "markdownDescription": "", + "title": "ConsumerGroupReplication" }, "SourceKafkaClusterArn": { + "markdownDescription": "", + "title": "SourceKafkaClusterArn", "type": "string" }, "TargetCompressionType": { + "markdownDescription": "", + "title": "TargetCompressionType", "type": "string" }, "TargetKafkaClusterArn": { + "markdownDescription": "", + "title": "TargetKafkaClusterArn", "type": "string" }, "TopicReplication": { - "$ref": "#/definitions/AWS::MSK::Replicator.TopicReplication" + "$ref": "#/definitions/AWS::MSK::Replicator.TopicReplication", + "markdownDescription": "", + "title": "TopicReplication" } }, "required": [ @@ -137427,24 +142765,34 @@ "additionalProperties": false, "properties": { "CopyAccessControlListsForTopics": { + "markdownDescription": "", + "title": "CopyAccessControlListsForTopics", "type": "boolean" }, "CopyTopicConfigurations": { + "markdownDescription": "", + "title": "CopyTopicConfigurations", "type": "boolean" }, "DetectAndCopyNewTopics": { + "markdownDescription": "", + "title": "DetectAndCopyNewTopics", "type": "boolean" }, "TopicsToExclude": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "TopicsToExclude", "type": "array" }, "TopicsToReplicate": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "TopicsToReplicate", "type": "array" } }, @@ -137490,7 +142838,7 @@ "properties": { "ClientAuthentication": { "$ref": "#/definitions/AWS::MSK::ServerlessCluster.ClientAuthentication", - "markdownDescription": "", + "markdownDescription": "Includes all client authentication information.", "title": "ClientAuthentication" }, "ClusterName": { 
@@ -137762,7 +143110,7 @@ "type": "object" }, "AirflowVersion": { - "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\n*Allowed Values* : `2.0.2` | `1.10.12` | `2.2.2` | `2.4.3` | `2.5.1` (latest)", + "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `1.10.12` | `2.0.2` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` | `2.7.2` (latest)", "title": "AirflowVersion", "type": "string" }, @@ -137771,6 +143119,11 @@ "title": "DagS3Path", "type": "string" }, + "EndpointManagement": { + "markdownDescription": "Defines whether the VPC endpoints configured for the environment are created, and managed, by the customer or by Amazon MWAA. If set to `SERVICE` , Amazon MWAA will create and manage the required VPC endpoints in your VPC. If set to `CUSTOMER` , you must create, and manage, the VPC endpoints in your VPC.", + "title": "EndpointManagement", + "type": "string" + }, "EnvironmentClass": { "markdownDescription": "The environment class type. Valid values: `mw1.small` , `mw1.medium` , `mw1.large` . To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", "title": "EnvironmentClass", 
@@ -137852,7 +143205,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .", + "markdownDescription": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .\n\nIf you specify new tags for an existing environment, the update requires service interruption before taking effect.", "title": "Tags", "type": "object" }, @@ -138021,7 +143374,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", "type": "array" } @@ -138164,6 +143517,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An array of key-value pairs to apply to the custom data identifier.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", "type": "array" } }, 
@@ -138250,7 +143605,7 @@ "type": "string" }, "Position": { - "markdownDescription": "The position of the findings filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", + "markdownDescription": "The position of the findings filter in the list of saved filter rules on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", "title": "Position", "type": "number" }, @@ -138258,6 +143613,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An array of key-value pairs to apply to the findings filter.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", "type": "array" } }, @@ -138455,6 +143812,11 @@ "title": "AccessorType", "type": "string" }, + "NetworkType": { + "markdownDescription": "The blockchain network that the `Accessor` token is created for.\n\n> We recommend using the appropriate `networkType` value for the blockchain network that you are creating the `Accessor` token for. You cannnot use the value `ETHEREUM_MAINNET_AND_GOERLI` to specify a `networkType` for your Accessor token.\n> \n> The default value of `ETHEREUM_MAINNET_AND_GOERLI` is only applied:\n> \n> - when the `CreateAccessor` action does not set a `networkType` .\n> - to all existing `Accessor` tokens that were created before the `networkType` property was introduced.", + "title": "NetworkType", + "type": "string" + }, "Tags": { "items": { "$ref": "#/definitions/Tag" 
@@ -138581,7 +143943,7 @@ "type": "number" }, "ThresholdComparator": { - "markdownDescription": "Determines whether the vote percentage must be greater than the `ThresholdPercentage` or must be greater than or equal to the `ThreholdPercentage` to be approved.", + "markdownDescription": "Determines whether the vote percentage must be greater than the `ThresholdPercentage` or must be greater than or equal to the `ThresholdPercentage` to be approved.", "title": "ThresholdComparator", "type": "string" }, @@ -138767,7 +144129,7 @@ "type": "string" }, "NetworkId": { - "markdownDescription": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`\n- `n-ethereum-rinkeby`", + "markdownDescription": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`", "title": "NetworkId", "type": "string" }, @@ -138870,7 +144232,7 @@ "title": "IngressGatewayBridge" }, "Name": { - "markdownDescription": "The network output name. This name is used to reference the output and must be unique among outputs in this bridge.", + "markdownDescription": "The name of the bridge. This name can not be modified after the bridge is created.", "title": "Name", "type": "string" }, @@ -139306,7 +144668,7 @@ "title": "FlowSource" }, "Name": { - "markdownDescription": "The name of the network source. This name is used to reference the source and must be unique among sources in this bridge.", + "markdownDescription": "The name of the flow source. This name is used to reference the source and must be unique among sources in this bridge.", "title": "Name", "type": "string" }, 
@@ -139572,13 +144934,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::Flow.VpcInterfaceAttachment", - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface attachment to use for this bridge source.", "title": "VpcInterfaceAttachment" } }, @@ -139607,7 +144969,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::Flow.GatewayBridgeSource", - "markdownDescription": "", + "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", "title": "GatewayBridgeSource" }, "IngestIp": { @@ -139711,7 +145073,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface that you want to send your output to.", "title": "VpcInterfaceName", "type": "string" } @@ -139950,7 +145312,7 @@ "type": "number" }, "Name": { - "markdownDescription": "The name of the VPC interface.", + "markdownDescription": "The name of the output. This value must be unique within the current flow.", "title": "Name", "type": "string" }, @@ -140110,7 +145472,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.GatewayBridgeSource", - "markdownDescription": "", + "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", "title": "GatewayBridgeSource" }, "IngestPort": { 
@@ -140264,13 +145626,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.VpcInterfaceAttachment", - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface attachment to use for this bridge source.", "title": "VpcInterfaceAttachment" } }, @@ -140283,7 +145645,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface that you want to send your output to.", "title": "VpcInterfaceName", "type": "string" } @@ -140428,7 +145790,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the gateway. This name can not be modified after the gateway is created.", + "markdownDescription": "The name of the network. This name is used to reference the network and must be unique among networks in this gateway.", "title": "Name", "type": "string" }, @@ -140548,7 +145910,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the job template you are creating.", + "markdownDescription": "Name of the output group", "title": "Name", "type": "string" }, @@ -140887,7 +146249,7 @@ }, "Maintenance": { "$ref": "#/definitions/AWS::MediaLive::Channel.MaintenanceCreateSettings", - "markdownDescription": "", + "markdownDescription": "Maintenance settings for this channel.", "title": "Maintenance" }, "Name": { @@ -140988,6 +146350,8 @@ "additionalProperties": false, "properties": { "AttenuationControl": { + "markdownDescription": "", + "title": "AttenuationControl", "type": "string" }, "Bitrate": { 
@@ -142323,7 +147687,9 @@ "type": "array" }, "ThumbnailConfiguration": { - "$ref": "#/definitions/AWS::MediaLive::Channel.ThumbnailConfiguration" + "$ref": "#/definitions/AWS::MediaLive::Channel.ThumbnailConfiguration", + "markdownDescription": "", + "title": "ThumbnailConfiguration" }, "TimecodeConfig": { "$ref": "#/definitions/AWS::MediaLive::Channel.TimecodeConfig", @@ -142341,6 +147707,22 @@ }, "type": "object" }, + "AWS::MediaLive::Channel.EpochLockingSettings": { + "additionalProperties": false, + "properties": { + "CustomEpoch": { + "markdownDescription": "", + "title": "CustomEpoch", + "type": "string" + }, + "JamSyncTime": { + "markdownDescription": "", + "title": "JamSyncTime", + "type": "string" + } + }, + "type": "object" + }, "AWS::MediaLive::Channel.Esam": { "additionalProperties": false, "properties": { @@ -142416,6 +147798,11 @@ "markdownDescription": "Enables the Input Prepare feature. You can create Input Prepare actions in the schedule only if this feature is enabled.\nIf you disable the feature on an existing schedule, make sure that you first delete all input prepare actions from the schedule.", "title": "InputPrepareScheduleActions", "type": "string" + }, + "OutputStaticImageOverlayScheduleActions": { + "markdownDescription": "", + "title": "OutputStaticImageOverlayScheduleActions", + "type": "string" } }, "type": "object" @@ -142560,6 +147947,11 @@ "title": "OutputLockingMode", "type": "string" }, + "OutputLockingSettings": { + "$ref": "#/definitions/AWS::MediaLive::Channel.OutputLockingSettings", + "markdownDescription": "", + "title": "OutputLockingSettings" + }, "OutputTimingSource": { "markdownDescription": "Indicates whether the rate of frames emitted by the Live encoder should be paced by its system clock (which optionally might be locked to another source through NTP) or should be locked to the clock of the source that is providing the input stream.", "title": "OutputTimingSource", 
@@ -143303,7 +148695,7 @@ "type": "string" }, "ProgramDateTimeClock": { - "markdownDescription": "", + "markdownDescription": "Specifies the algorithm used to drive the HLS EXT-X-PROGRAM-DATE-TIME clock. Options include: INITIALIZE_FROM_OUTPUT_TIMECODE: The PDT clock is initialized as a function of the first output timecode, then incremented by the EXTINF duration of each encoded segment. SYSTEM_CLOCK: The PDT clock is initialized as a function of the UTC wall clock, then incremented by the EXTINF duration of each encoded segment. If the PDT clock diverges from the wall clock by more than 500ms, it is resynchronized to the wall clock.", "title": "ProgramDateTimeClock", "type": "string" }, @@ -143990,9 +149382,13 @@ "type": "string" }, "KlvBehavior": { + "markdownDescription": "", + "title": "KlvBehavior", "type": "string" }, "KlvDataPids": { + "markdownDescription": "", + "title": "KlvDataPids", "type": "string" }, "NielsenId3Behavior": { @@ -144072,12 +149468,12 @@ "additionalProperties": false, "properties": { "MaintenanceDay": { - "markdownDescription": "", + "markdownDescription": "Choose one day of the week for maintenance. The chosen day is used for all future maintenance windows.", "title": "MaintenanceDay", "type": "string" }, "MaintenanceStartTime": { - "markdownDescription": "", + "markdownDescription": "Choose the hour that maintenance will start. The chosen time is used for all future maintenance windows.", "title": "MaintenanceStartTime", "type": "string" } @@ -144088,18 +149484,12 @@ "additionalProperties": false, "properties": { "MaintenanceDay": { - "markdownDescription": "", - "title": "MaintenanceDay", "type": "string" }, "MaintenanceScheduledDate": { - "markdownDescription": "", - "title": "MaintenanceScheduledDate", "type": "string" }, "MaintenanceStartTime": { - "markdownDescription": "", - "title": "MaintenanceStartTime", "type": "string" } }, 
@@ -144702,6 +150092,22 @@ }, "type": "object" }, + "AWS::MediaLive::Channel.OutputLockingSettings": { + "additionalProperties": false, + "properties": { + "EpochLockingSettings": { + "$ref": "#/definitions/AWS::MediaLive::Channel.EpochLockingSettings", + "markdownDescription": "", + "title": "EpochLockingSettings" + }, + "PipelineLockingSettings": { + "$ref": "#/definitions/AWS::MediaLive::Channel.PipelineLockingSettings", + "markdownDescription": "", + "title": "PipelineLockingSettings" + } + }, + "type": "object" + }, "AWS::MediaLive::Channel.OutputSettings": { "additionalProperties": false, "properties": { @@ -144753,6 +150159,11 @@ "properties": {}, "type": "object" }, + "AWS::MediaLive::Channel.PipelineLockingSettings": { + "additionalProperties": false, + "properties": {}, + "type": "object" + }, "AWS::MediaLive::Channel.RawSettings": { "additionalProperties": false, "properties": {}, @@ -144829,6 +150240,8 @@ "type": "string" }, "IncludeFillerNalUnits": { + "markdownDescription": "", + "title": "IncludeFillerNalUnits", "type": "string" }, "InputLossAction": { @@ -145032,6 +150445,8 @@ "additionalProperties": false, "properties": { "State": { + "markdownDescription": "", + "title": "State", "type": "string" } }, @@ -145501,8 +150916,6 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "This property is not used. Ignore it.", - "title": "Id", "type": "string" } }, @@ -145655,7 +151068,7 @@ }, "type": "object" }, - "AWS::MediaPackage::Asset": { + "AWS::MediaLive::Multiplex": { "additionalProperties": false, "properties": { "Condition": { 
@@ -145690,59 +151103,51 @@ "Properties": { "additionalProperties": false, "properties": { - "EgressEndpoints": { + "AvailabilityZones": { "items": { - "$ref": "#/definitions/AWS::MediaPackage::Asset.EgressEndpoint" + "type": "string" }, - "markdownDescription": "List of playback endpoints that are available for this asset.", - "title": "EgressEndpoints", + "markdownDescription": "A list of availability zones for the multiplex.", + "title": "AvailabilityZones", "type": "array" }, - "Id": { - "markdownDescription": "Unique identifier that you assign to the asset.", - "title": "Id", - "type": "string" - }, - "PackagingGroupId": { - "markdownDescription": "The ID of the packaging group associated with this asset.", - "title": "PackagingGroupId", - "type": "string" - }, - "ResourceId": { - "markdownDescription": "Unique identifier for this asset, as it's configured in the key provider service.", - "title": "ResourceId", - "type": "string" + "Destinations": { + "items": { + "$ref": "#/definitions/AWS::MediaLive::Multiplex.MultiplexOutputDestination" + }, + "markdownDescription": "A list of the multiplex output destinations.", + "title": "Destinations", + "type": "array" }, - "SourceArn": { - "markdownDescription": "The ARN for the source content in Amazon S3.", - "title": "SourceArn", - "type": "string" + "MultiplexSettings": { + "$ref": "#/definitions/AWS::MediaLive::Multiplex.MultiplexSettings", + "markdownDescription": "Configuration for a multiplex event.", + "title": "MultiplexSettings" }, - "SourceRoleArn": { - "markdownDescription": "The ARN for the IAM role that provides AWS Elemental MediaPackage access to the Amazon S3 bucket where the source content is stored. 
Valid format: arn:aws:iam::{accountID}:role/{name}", - "title": "SourceRoleArn", + "Name": { + "markdownDescription": "The name of the multiplex.", + "title": "Name", "type": "string" }, "Tags": { "items": { - "$ref": "#/definitions/Tag" + "$ref": "#/definitions/AWS::MediaLive::Multiplex.Tags" }, - "markdownDescription": "The tags to assign to the asset.", + "markdownDescription": "A collection of key-value pairs.", "title": "Tags", "type": "array" } }, "required": [ - "Id", - "PackagingGroupId", - "SourceArn", - "SourceRoleArn" + "AvailabilityZones", + "MultiplexSettings", + "Name" ], "type": "object" }, "Type": { "enum": [ - "AWS::MediaPackage::Asset" + "AWS::MediaLive::Multiplex" ], "type": "string" }, 
@@ -145761,27 +151166,482 @@ ], "type": "object" }, - "AWS::MediaPackage::Asset.EgressEndpoint": { + "AWS::MediaLive::Multiplex.MultiplexMediaConnectOutputDestinationSettings": { "additionalProperties": false, "properties": { - "PackagingConfigurationId": { - "markdownDescription": "The ID of a packaging configuration that's applied to this asset.", - "title": "PackagingConfigurationId", + "EntitlementArn": { + "markdownDescription": "The MediaConnect entitlement ARN available as a Flow source.", + "title": "EntitlementArn", "type": "string" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplex.MultiplexOutputDestination": { + "additionalProperties": false, + "properties": { + "MultiplexMediaConnectOutputDestinationSettings": { + "$ref": "#/definitions/AWS::MediaLive::Multiplex.MultiplexMediaConnectOutputDestinationSettings", + "markdownDescription": "", + "title": "MultiplexMediaConnectOutputDestinationSettings" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplex.MultiplexSettings": { + "additionalProperties": false, + "properties": { + "MaximumVideoBufferDelayMilliseconds": { + "markdownDescription": "Maximum video buffer delay in milliseconds.", + "title": "MaximumVideoBufferDelayMilliseconds", + "type": "number" }, - "Url": { - "markdownDescription": "The URL that's used to request content from this endpoint.", - "title": "Url", - "type": "string" + "TransportStreamBitrate": { + "markdownDescription": "Transport stream bit rate.", + "title": "TransportStreamBitrate", + "type": "number" + }, + "TransportStreamId": { + "markdownDescription": "Transport stream ID.", + "title": "TransportStreamId", + "type": "number" + }, + "TransportStreamReservedBitrate": { + "markdownDescription": "Transport stream reserved bit rate.", + "title": "TransportStreamReservedBitrate", + "type": "number" } }, "required": [ - "PackagingConfigurationId", - "Url" + "TransportStreamBitrate", + "TransportStreamId" ], "type": "object" }, - "AWS::MediaPackage::Channel": { + 
"AWS::MediaLive::Multiplex.Tags": { + "additionalProperties": false, + "properties": { + "Key": { + "markdownDescription": "", + "title": "Key", + "type": "string" + }, + "Value": { + "markdownDescription": "", + "title": "Value", + "type": "string" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ChannelId": { + "markdownDescription": "The unique ID of the channel.", + "title": "ChannelId", + "type": "string" + }, + "MultiplexId": { + "markdownDescription": "The unique id of the multiplex.", + "title": "MultiplexId", + "type": "string" + }, + "MultiplexProgramSettings": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexProgramSettings", + "markdownDescription": "Multiplex Program settings configuration.", + "title": "MultiplexProgramSettings" + }, + "PacketIdentifiersMap": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexProgramPacketIdentifiersMap", + "markdownDescription": "", + "title": "PacketIdentifiersMap" + }, + "PipelineDetails": { + "items": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexProgramPipelineDetail" + }, + "markdownDescription": "", + "title": "PipelineDetails", + "type": "array" + }, + "PreferredChannelPipeline": { + "markdownDescription": "Indicates which pipeline is preferred by the multiplex for program ingest.\nIf set to \\\"PIPELINE_0\\\" or \\\"PIPELINE_1\\\" and an unhealthy ingest causes the multiplex to switch to the non-preferred pipeline,\nit will switch back 
once that ingest is healthy again. If set to \\\"CURRENTLY_ACTIVE\\\",\nit will not switch back to the other pipeline based on it recovering to a healthy state,\nit will only switch if the active pipeline becomes unhealthy.", + "title": "PreferredChannelPipeline", + "type": "string" + }, + "ProgramName": { + "markdownDescription": "", + "title": "ProgramName", + "type": "string" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::MediaLive::Multiplexprogram" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexProgramPacketIdentifiersMap": { + "additionalProperties": false, + "properties": { + "AudioPids": { + "items": { + "type": "number" + }, + "markdownDescription": "", + "title": "AudioPids", + "type": "array" + }, + "DvbSubPids": { + "items": { + "type": "number" + }, + "markdownDescription": "", + "title": "DvbSubPids", + "type": "array" + }, + "DvbTeletextPid": { + "markdownDescription": "", + "title": "DvbTeletextPid", + "type": "number" + }, + "EtvPlatformPid": { + "markdownDescription": "", + "title": "EtvPlatformPid", + "type": "number" + }, + "EtvSignalPid": { + "markdownDescription": "", + "title": "EtvSignalPid", + "type": "number" + }, + "KlvDataPids": { + "items": { + "type": "number" + }, + "markdownDescription": "", + "title": "KlvDataPids", + "type": "array" + }, + "PcrPid": { + "markdownDescription": "", + "title": "PcrPid", + "type": "number" + }, + "PmtPid": { + "markdownDescription": "", + "title": "PmtPid", + "type": "number" + }, + "PrivateMetadataPid": { + "markdownDescription": "", + "title": "PrivateMetadataPid", + "type": "number" + }, + "Scte27Pids": { + "items": { + "type": "number" + }, + "markdownDescription": "", + "title": "Scte27Pids", + "type": "array" + }, + "Scte35Pid": { + "markdownDescription": "", + "title": "Scte35Pid", + "type": 
"number" + }, + "TimedMetadataPid": { + "markdownDescription": "", + "title": "TimedMetadataPid", + "type": "number" + }, + "VideoPid": { + "markdownDescription": "", + "title": "VideoPid", + "type": "number" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexProgramPipelineDetail": { + "additionalProperties": false, + "properties": { + "ActiveChannelPipeline": { + "markdownDescription": "Identifies the channel pipeline that is currently active for the pipeline (identified by PipelineId) in the multiplex.", + "title": "ActiveChannelPipeline", + "type": "string" + }, + "PipelineId": { + "markdownDescription": "Identifies a specific pipeline in the multiplex.", + "title": "PipelineId", + "type": "string" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexProgramServiceDescriptor": { + "additionalProperties": false, + "properties": { + "ProviderName": { + "markdownDescription": "Name of the provider.", + "title": "ProviderName", + "type": "string" + }, + "ServiceName": { + "markdownDescription": "Name of the service.", + "title": "ServiceName", + "type": "string" + } + }, + "required": [ + "ProviderName", + "ServiceName" + ], + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexProgramSettings": { + "additionalProperties": false, + "properties": { + "PreferredChannelPipeline": { + "markdownDescription": "Indicates which pipeline is preferred by the multiplex for program ingest.", + "title": "PreferredChannelPipeline", + "type": "string" + }, + "ProgramNumber": { + "markdownDescription": "Unique program number.", + "title": "ProgramNumber", + "type": "number" + }, + "ServiceDescriptor": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexProgramServiceDescriptor", + "markdownDescription": "Transport stream service descriptor configuration for the Multiplex program.", + "title": "ServiceDescriptor" + }, + "VideoSettings": { + "$ref": 
"#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexVideoSettings", + "markdownDescription": "Program video settings configuration.", + "title": "VideoSettings" + } + }, + "required": [ + "ProgramNumber" + ], + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexStatmuxVideoSettings": { + "additionalProperties": false, + "properties": { + "MaximumBitrate": { + "markdownDescription": "Maximum statmux bitrate.", + "title": "MaximumBitrate", + "type": "number" + }, + "MinimumBitrate": { + "markdownDescription": "Minimum statmux bitrate.", + "title": "MinimumBitrate", + "type": "number" + }, + "Priority": { + "markdownDescription": "The purpose of the priority is to use a combination of the\\nmultiplex rate control algorithm and the QVBR capability of the\\nencoder to prioritize the video quality of some channels in a\\nmultiplex over others. Channels that have a higher priority will\\nget higher video quality at the expense of the video quality of\\nother channels in the multiplex with lower priority.", + "title": "Priority", + "type": "number" + } + }, + "type": "object" + }, + "AWS::MediaLive::Multiplexprogram.MultiplexVideoSettings": { + "additionalProperties": false, + "properties": { + "ConstantBitrate": { + "markdownDescription": "The constant bitrate configuration for the video encode.\nWhen this field is defined, StatmuxSettings must be undefined.", + "title": "ConstantBitrate", + "type": "number" + }, + "StatmuxSettings": { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram.MultiplexStatmuxVideoSettings", + "markdownDescription": "Statmux rate control settings.\nWhen this field is defined, ConstantBitrate must be undefined.", + "title": "StatmuxSettings" + } + }, + "type": "object" + }, + "AWS::MediaPackage::Asset": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + 
"anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "EgressEndpoints": { + "items": { + "$ref": "#/definitions/AWS::MediaPackage::Asset.EgressEndpoint" + }, + "markdownDescription": "List of playback endpoints that are available for this asset.", + "title": "EgressEndpoints", + "type": "array" + }, + "Id": { + "markdownDescription": "Unique identifier that you assign to the asset.", + "title": "Id", + "type": "string" + }, + "PackagingGroupId": { + "markdownDescription": "The ID of the packaging group associated with this asset.", + "title": "PackagingGroupId", + "type": "string" + }, + "ResourceId": { + "markdownDescription": "Unique identifier for this asset, as it's configured in the key provider service.", + "title": "ResourceId", + "type": "string" + }, + "SourceArn": { + "markdownDescription": "The ARN for the source content in Amazon S3.", + "title": "SourceArn", + "type": "string" + }, + "SourceRoleArn": { + "markdownDescription": "The ARN for the IAM role that provides AWS Elemental MediaPackage access to the Amazon S3 bucket where the source content is stored. 
Valid format: arn:aws:iam::{accountID}:role/{name}", + "title": "SourceRoleArn", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags to assign to the asset.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Id", + "PackagingGroupId", + "SourceArn", + "SourceRoleArn" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::MediaPackage::Asset" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::MediaPackage::Asset.EgressEndpoint": { + "additionalProperties": false, + "properties": { + "PackagingConfigurationId": { + "markdownDescription": "The ID of a packaging configuration that's applied to this asset.", + "title": "PackagingConfigurationId", + "type": "string" + }, + "Url": { + "markdownDescription": "The URL that's used to request content from this endpoint.", + "title": "Url", + "type": "string" + } + }, + "required": [ + "PackagingConfigurationId", + "Url" + ], + "type": "object" + }, + "AWS::MediaPackage::Channel": { "additionalProperties": false, "properties": { "Condition": { 
@@ -146793,9 +152653,13 @@ "additionalProperties": false, "properties": { "PresetSpeke20Audio": { + "markdownDescription": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "title": "PresetSpeke20Audio", "type": "string" }, "PresetSpeke20Video": { + "markdownDescription": "A collection of video encryption presets.\n\nValue description:\n\n- `PRESET-VIDEO-1` - Use one content key to encrypt all of the video tracks in your stream.\n- `PRESET-VIDEO-2` - Use one content key to encrypt all of the SD video tracks and one content key for all HD and higher resolutions video tracks.\n- `PRESET-VIDEO-3` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-4` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-5` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-6` - Use one content key to encrypt all of the SD video tracks, one content key for 
HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-7` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-8` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `SHARED` - Use the same content key for all of the video and audio tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the video tracks in your stream.", + "title": "PresetSpeke20Video", "type": "string" } }, @@ -147166,18 +153030,26 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the channel configuration.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The name of the channel.", + "title": "ChannelName", "type": "string" }, "Description": { + "markdownDescription": "The description of the channel.", + "title": "Description", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the channel.", + "title": "Tags", "type": "array" } }, @@ -147207,9 +153079,13 @@ "additionalProperties": false, "properties": { "Id": { + "markdownDescription": "The identifier associated with the ingest endpoint of the channel.", + "title": "Id", "type": "string" }, "Url": { + "markdownDescription": "The URL associated with the ingest endpoint of the channel.", + "title": "Url", "type": "string" } }, 
@@ -147251,15 +153127,21 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group.", + "title": "ChannelGroupName", "type": "string" }, "Description": { + "markdownDescription": "The configuration for a MediaPackage V2 channel group.", + "title": "Description", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the channel group.", + "title": "Tags", "type": "array" } }, @@ -147321,12 +153203,18 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the channel policy.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The name of the channel associated with the channel policy.", + "title": "ChannelName", "type": "string" }, "Policy": { + "markdownDescription": "The policy associated with the channel.", + "title": "Policy", "type": "object" } }, 
@@ -147392,42 +153280,62 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the origin endpoint configuration.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The channel name associated with the origin endpoint.", + "title": "ChannelName", "type": "string" }, "ContainerType": { + "markdownDescription": "The container type associated with the origin endpoint configuration.", + "title": "ContainerType", "type": "string" }, "Description": { + "markdownDescription": "The description associated with the origin endpoint.", + "title": "Description", "type": "string" }, "HlsManifests": { "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.HlsManifestConfiguration" }, + "markdownDescription": "The HLS manfiests associated with the origin endpoint configuration.", + "title": "HlsManifests", "type": "array" }, "LowLatencyHlsManifests": { "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.LowLatencyHlsManifestConfiguration" }, + "markdownDescription": "The low-latency HLS (LL-HLS) manifests associated with the origin endpoint.", + "title": "LowLatencyHlsManifests", "type": "array" }, "OriginEndpointName": { + "markdownDescription": "The name of the origin endpoint associated with the origin endpoint configuration.", + "title": "OriginEndpointName", "type": "string" }, "Segment": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Segment" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Segment", + "markdownDescription": "The segment associated with the origin endpoint.", + "title": "Segment" }, "StartoverWindowSeconds": { + "markdownDescription": "The size of the window (in seconds) to specify a window of the live stream that's available for on-demand viewing. 
Viewers can start-over or catch-up on content that falls within the window.", + "title": "StartoverWindowSeconds", "type": "number" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the origin endpoint.", + "title": "Tags", "type": "array" } }, @@ -147461,16 +153369,24 @@ "additionalProperties": false, "properties": { "ConstantInitializationVector": { + "markdownDescription": "A 128-bit, 16-byte hex value represented by a 32-character string, used in conjunction with the key for encrypting content. If you don't specify a value, then MediaPackage creates the constant initialization vector (IV).", + "title": "ConstantInitializationVector", "type": "string" }, "EncryptionMethod": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionMethod" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionMethod", + "markdownDescription": "The encryption method to use.", + "title": "EncryptionMethod" }, "KeyRotationIntervalSeconds": { + "markdownDescription": "The interval, in seconds, to rotate encryption keys for the origin endpoint.", + "title": "KeyRotationIntervalSeconds", "type": "number" }, "SpekeKeyProvider": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.SpekeKeyProvider" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.SpekeKeyProvider", + "markdownDescription": "The SPEKE key provider to use for encryption.", + "title": "SpekeKeyProvider" } }, "required": [ 
@@ -147483,9 +153399,13 @@ "additionalProperties": false, "properties": { "PresetSpeke20Audio": { + "markdownDescription": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "title": "PresetSpeke20Audio", "type": "string" }, "PresetSpeke20Video": { + "markdownDescription": "The SPEKE Version 2.0 preset video associated with the encryption contract configuration of the origin endpoint.", + "title": "PresetSpeke20Video", "type": "string" } }, 
@@ -147499,33 +153419,80 @@ "additionalProperties": false, "properties": { "CmafEncryptionMethod": { + "markdownDescription": "The encryption method to use.", + "title": "CmafEncryptionMethod", "type": "string" }, "TsEncryptionMethod": { + "markdownDescription": "The encryption method to use.", + "title": "TsEncryptionMethod", "type": "string" } }, "type": "object" }, + "AWS::MediaPackageV2::OriginEndpoint.FilterConfiguration": { + "additionalProperties": false, + "properties": { + "End": { + "markdownDescription": "", + "title": "End", + "type": "string" + }, + "ManifestFilter": { + "markdownDescription": "", + "title": "ManifestFilter", + "type": "string" + }, + "Start": { + "markdownDescription": "", + "title": "Start", + "type": "string" + }, + "TimeDelaySeconds": { + "markdownDescription": "", + "title": "TimeDelaySeconds", + "type": "number" + } + }, + "type": "object" + }, "AWS::MediaPackageV2::OriginEndpoint.HlsManifestConfiguration": { "additionalProperties": false, "properties": { "ChildManifestName": { + "markdownDescription": "The name of the child manifest associated with the HLS manifest configuration.", + "title": "ChildManifestName", "type": "string" }, + "FilterConfiguration": { + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.FilterConfiguration", + "markdownDescription": "", + "title": "FilterConfiguration" + }, "ManifestName": { + "markdownDescription": "The name of the manifest associated with the HLS manifest configuration.", + "title": "ManifestName", "type": "string" }, "ManifestWindowSeconds": { + "markdownDescription": "The duration of the manifest window, in seconds, for the HLS manifest configuration.", + "title": "ManifestWindowSeconds", "type": "number" }, "ProgramDateTimeIntervalSeconds": { + "markdownDescription": "The `EXT-X-PROGRAM-DATE-TIME` interval, in seconds, associated with the HLS manifest configuration.", + "title": "ProgramDateTimeIntervalSeconds", "type": "number" }, "ScteHls": { - "$ref": 
"#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls", + "markdownDescription": "THE SCTE-35 HLS configuration associated with the HLS manifest configuration.", + "title": "ScteHls" }, "Url": { + "markdownDescription": "The URL of the HLS manifest configuration.", + "title": "Url", "type": "string" } }, 
@@ -147538,21 +153505,38 @@ "additionalProperties": false, "properties": { "ChildManifestName": { + "markdownDescription": "The name of the child manifest associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "ChildManifestName", "type": "string" }, + "FilterConfiguration": { + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.FilterConfiguration", + "markdownDescription": "", + "title": "FilterConfiguration" + }, "ManifestName": { + "markdownDescription": "A short short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", + "title": "ManifestName", "type": "string" }, "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of the manifest's content.", + "title": "ManifestWindowSeconds", "type": "number" }, "ProgramDateTimeIntervalSeconds": { + "markdownDescription": "Inserts `EXT-X-PROGRAM-DATE-TIME` tags in the output manifest at the interval that you specify. If you don't enter an interval, `EXT-X-PROGRAM-DATE-TIME` tags aren't included in the manifest. The tags sync the stream to the wall clock so that viewers can seek to a specific time in the playback timeline on the player. 
`ID3Timed` metadata messages generate every 5 seconds whenever MediaPackage ingests the content.\n\nIrrespective of this parameter, if any `ID3Timed` metadata is in the HLS input, MediaPackage passes through that metadata to the HLS output.", + "title": "ProgramDateTimeIntervalSeconds", "type": "number" }, "ScteHls": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls", + "markdownDescription": "The SCTE-35 HLS configuration associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "ScteHls" }, "Url": { + "markdownDescription": "The URL of the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "Url", "type": "string" } }, @@ -147568,6 +153552,8 @@ "items": { "type": "string" }, + "markdownDescription": "The filter associated with the SCTE-35 configuration.", + "title": "ScteFilter", "type": "array" } }, @@ -147577,6 +153563,8 @@ "additionalProperties": false, "properties": { "AdMarkerHls": { + "markdownDescription": "The SCTE-35 HLS ad-marker configuration.", + "title": "AdMarkerHls", "type": "string" } }, 
@@ -147586,24 +153574,38 @@ "additionalProperties": false, "properties": { "Encryption": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Encryption" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Encryption", + "markdownDescription": "Whether to use encryption for the segment.", + "title": "Encryption" }, "IncludeIframeOnlyStreams": { + "markdownDescription": "Whether the segment includes I-frame-only streams.", + "title": "IncludeIframeOnlyStreams", "type": "boolean" }, "Scte": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Scte" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Scte", + "markdownDescription": "The SCTE-35 configuration associated with the segment.", + "title": "Scte" }, "SegmentDurationSeconds": { + "markdownDescription": "The duration of the segment, in seconds.", + "title": "SegmentDurationSeconds", "type": "number" }, "SegmentName": { + "markdownDescription": "The name of the segment associated with the origin endpoint.", + "title": "SegmentName", "type": "string" }, "TsIncludeDvbSubtitles": { + "markdownDescription": "Whether the segment includes DVB subtitles.", + "title": "TsIncludeDvbSubtitles", "type": "boolean" }, "TsUseAudioRenditionGroup": { + "markdownDescription": "Whether the segment is an audio rendition group.", + "title": "TsUseAudioRenditionGroup", "type": "boolean" } }, 
@@ -147616,18 +153618,28 @@ "items": { "type": "string" }, + "markdownDescription": "The DRM solution provider you're using to protect your content during distribution.", + "title": "DrmSystems", "type": "array" }, "EncryptionContractConfiguration": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionContractConfiguration" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionContractConfiguration", + "markdownDescription": "The encryption contract configuration associated with the SPEKE key provider.", + "title": "EncryptionContractConfiguration" }, "ResourceId": { + "markdownDescription": "The unique identifier for the content. The service sends this identifier to the key server to identify the current endpoint. How unique you make this identifier depends on how fine-grained you want access controls to be. The service does not permit you to use the same ID for two simultaneous encryption processes. The resource ID is also known as the content ID.\n\nThe following example shows a resource ID: `MovieNight20171126093045`", + "title": "ResourceId", "type": "string" }, "RoleArn": { + "markdownDescription": "The ARN for the IAM role granted by the key provider that provides access to the key provider API. This role must have a trust policy that allows MediaPackage to assume the role, and it must have a sufficient permissions policy to allow access to the specific key retrieval URL. Get this from your DRM solution provider.\n\nValid format: `arn:aws:iam::{accountID}:role/{name}` . The following example shows a role ARN: `arn:aws:iam::444455556666:role/SpekeAccess`", + "title": "RoleArn", "type": "string" }, "Url": { + "markdownDescription": "The URL of the SPEKE key provider.", + "title": "Url", "type": "string" } }, 
@@ -147676,15 +153688,23 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the origin endpoint policy.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The channel name associated with the origin endpoint policy.", + "title": "ChannelName", "type": "string" }, "OriginEndpointName": { + "markdownDescription": "The name of the origin endpoint associated with the origin endpoint policy.", + "title": "OriginEndpointName", "type": "string" }, "Policy": { + "markdownDescription": "The policy associated with the origin endpoint.", + "title": "Policy", "type": "object" } }, @@ -147774,7 +153794,7 @@ }, "MetricPolicy": { "$ref": "#/definitions/AWS::MediaStore::Container.MetricPolicy", - "markdownDescription": "", + "markdownDescription": "The metric policy that is associated with the container. A metric policy allows AWS Elemental MediaStore to send metrics to Amazon CloudWatch. In the policy, you must indicate whether you want MediaStore to send container-level metrics. You can also include rules to define groups of objects that you want MediaStore to send object-level metrics for.\n\nTo view examples of how to construct a metric policy for your use case, see [Example Metric Policies](https://docs.aws.amazon.com/mediastore/latest/ug/policies-metric-examples.html) .", "title": "MetricPolicy" }, "Policy": { 
@@ -147938,30 +153958,44 @@ "additionalProperties": false, "properties": { "ChannelName": { + "markdownDescription": "The name of the channel.", + "title": "ChannelName", "type": "string" }, "FillerSlate": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.SlateSource" + "$ref": "#/definitions/AWS::MediaTailor::Channel.SlateSource", + "markdownDescription": "The slate used to fill gaps between programs in the schedule. You must configure filler slate if your channel uses the `LINEAR` `PlaybackMode` . MediaTailor doesn't support filler slate for channels using the `LOOP` `PlaybackMode` .", + "title": "FillerSlate" }, "LogConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.LogConfigurationForChannel" + "$ref": "#/definitions/AWS::MediaTailor::Channel.LogConfigurationForChannel", + "markdownDescription": "The log configuration.", + "title": "LogConfiguration" }, "Outputs": { "items": { "$ref": "#/definitions/AWS::MediaTailor::Channel.RequestOutputItem" }, + "markdownDescription": "The channel's output properties.", + "title": "Outputs", "type": "array" }, "PlaybackMode": { + "markdownDescription": "The type of playback mode for this channel.\n\n`LINEAR` - Programs play back-to-back only once.\n\n`LOOP` - Programs play back-to-back in an endless loop. When the last program in the schedule plays, playback loops back to the first program in the schedule.", + "title": "PlaybackMode", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to assign to the channel. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" }, "Tier": { + "markdownDescription": "The tier for this channel. 
STANDARD tier channels can contain live programs.", + "title": "Tier", "type": "string" } }, @@ -147997,15 +154031,23 @@ "additionalProperties": false, "properties": { "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds.", + "title": "ManifestWindowSeconds", "type": "number" }, "MinBufferTimeSeconds": { + "markdownDescription": "Minimum amount of content (measured in seconds) that a player must keep available in the buffer. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "MinBufferTimeSeconds", "type": "number" }, "MinUpdatePeriodSeconds": { + "markdownDescription": "Minimum amount of time (in seconds) that the player should wait before requesting updates to the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "MinUpdatePeriodSeconds", "type": "number" }, "SuggestedPresentationDelaySeconds": { + "markdownDescription": "Amount of time (in seconds) that the player should be from the live point at the end of the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "SuggestedPresentationDelaySeconds", "type": "number" } }, @@ -148018,9 +154060,13 @@ "items": { "type": "string" }, + "markdownDescription": "Determines the type of SCTE 35 tags to use in ad markup. Specify `DATERANGE` to use `DATERANGE` tags (for live or VOD content). Specify `SCTE35_ENHANCED` to use `EXT-X-CUE-OUT` and `EXT-X-CUE-IN` tags (for VOD content only).", + "title": "AdMarkupType", "type": "array" }, "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds.", + "title": "ManifestWindowSeconds", "type": "number" } }, @@ -148033,6 +154079,8 @@ "items": { "type": "string" }, + "markdownDescription": "The log types.", + "title": "LogTypes", "type": "array" } }, 
@@ -148042,15 +154090,23 @@ "additionalProperties": false, "properties": { "DashPlaylistSettings": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.DashPlaylistSettings" + "$ref": "#/definitions/AWS::MediaTailor::Channel.DashPlaylistSettings", + "markdownDescription": "DASH manifest configuration parameters.", + "title": "DashPlaylistSettings" }, "HlsPlaylistSettings": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.HlsPlaylistSettings" + "$ref": "#/definitions/AWS::MediaTailor::Channel.HlsPlaylistSettings", + "markdownDescription": "HLS playlist configuration parameters.", + "title": "HlsPlaylistSettings" }, "ManifestName": { + "markdownDescription": "The name of the manifest for the channel. The name appears in the `PlaybackUrl` .", + "title": "ManifestName", "type": "string" }, "SourceGroup": { + "markdownDescription": "A string used to match which `HttpPackageConfiguration` is used for each `VodSource` .", + "title": "SourceGroup", "type": "string" } }, @@ -148064,9 +154120,13 @@ "additionalProperties": false, "properties": { "SourceLocationName": { + "markdownDescription": "The name of the source location where the slate VOD source is stored.", + "title": "SourceLocationName", "type": "string" }, "VodSourceName": { + "markdownDescription": "The slate VOD source name. The VOD source must already exist in a source location before it can be used for slate.", + "title": "VodSourceName", "type": "string" } }, @@ -148108,9 +154168,13 @@ "additionalProperties": false, "properties": { "ChannelName": { + "markdownDescription": "The name of the channel associated with this Channel Policy.", + "title": "ChannelName", "type": "string" }, "Policy": { + "markdownDescription": "The IAM policy for the channel. IAM policies are used to control access to your channel.", + "title": "Policy", "type": "object" } }, 
@@ -148180,18 +154244,26 @@ "items": { "$ref": "#/definitions/AWS::MediaTailor::LiveSource.HttpPackageConfiguration" }, + "markdownDescription": "The HTTP package configurations for the live source.", + "title": "HttpPackageConfigurations", "type": "array" }, "LiveSourceName": { + "markdownDescription": "The name that's used to refer to a live source.", + "title": "LiveSourceName", "type": "string" }, "SourceLocationName": { + "markdownDescription": "The name of the source location.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the live source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" } }, @@ -148227,12 +154299,18 @@ "additionalProperties": false, "properties": { "Path": { + "markdownDescription": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "title": "Path", "type": "string" }, "SourceGroup": { + "markdownDescription": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "title": "SourceGroup", "type": "string" }, "Type": { + "markdownDescription": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` .", + "title": "Type", "type": "string" } }, 
@@ -148279,23 +154357,23 @@ "additionalProperties": false, "properties": { "AdDecisionServerUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the ad decision server (ADS). This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing you can provide a static VAST URL. The maximum length is 25,000 characters.", "title": "AdDecisionServerUrl", "type": "string" }, "AvailSuppression": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.AvailSuppression", - "markdownDescription": "", + "markdownDescription": "The configuration for avail suppression, also known as ad suppression. For more information about ad suppression, see [Ad Suppression](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", "title": "AvailSuppression" }, "Bumper": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.Bumper", - "markdownDescription": "", + "markdownDescription": "The configuration for bumpers. Bumpers are short audio or video clips that play at the start or before the end of an ad break. To learn more about bumpers, see [Bumpers](https://docs.aws.amazon.com/mediatailor/latest/ug/bumpers.html) .", "title": "Bumper" }, "CdnConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.CdnConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for using a content delivery network (CDN), like Amazon CloudFront, for content and ad segment management.", "title": "CdnConfiguration" }, "ConfigurationAliases": { @@ -148311,7 +154389,7 @@ }, "DashConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.DashConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for a DASH source.", "title": "DashConfiguration" }, "HlsConfiguration": { 
@@ -148321,26 +154399,26 @@ }, "LivePreRollConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.LivePreRollConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for pre-roll ad insertion.", "title": "LivePreRollConfiguration" }, "ManifestProcessingRules": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.ManifestProcessingRules", - "markdownDescription": "", + "markdownDescription": "The configuration for manifest processing rules. Manifest processing rules enable customization of the personalized manifests created by MediaTailor.", "title": "ManifestProcessingRules" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The identifier for the playback configuration.", "title": "Name", "type": "string" }, "PersonalizationThresholdSeconds": { - "markdownDescription": "", + "markdownDescription": "Defines the maximum duration of underfilled ad time (in seconds) allowed in an ad break. If the duration of underfilled ad time exceeds the personalization threshold, then the personalization of the ad break is abandoned and the underlying content is shown. This feature applies to *ad replacement* in live and VOD streams, rather than ad insertion, because it relies on an underlying content stream. For more information about ad break behavior, including ad replacement and insertion, see [Ad Behavior in AWS Elemental MediaTailor](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", "title": "PersonalizationThresholdSeconds", "type": "number" }, "SlateAdUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for a video asset to transcode and use to fill in time that's not used by ads. AWS Elemental MediaTailor shows the slate to fill in gaps in media content. Configuring the slate is optional for non-VPAID playback configurations. For VPAID, the slate is required because MediaTailor provides it in the slots designated for dynamic ad content. 
The slate must be a high-quality asset that contains both audio and video.", "title": "SlateAdUrl", "type": "string" }, @@ -148348,17 +154426,17 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The tags to assign to the playback configuration. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", "title": "Tags", "type": "array" }, "TranscodeProfileName": { - "markdownDescription": "", + "markdownDescription": "The name that is used to associate this playback configuration with a custom transcode profile. This overrides the dynamic transcoding defaults of MediaTailor. Use this only if you have already set up custom profiles with the help of AWS Support.", "title": "TranscodeProfileName", "type": "string" }, "VideoContentSourceUrl": { - "markdownDescription": "", + "markdownDescription": "The URL prefix for the parent manifest for the stream, minus the asset ID. The maximum length is 512 characters.", "title": "VideoContentSourceUrl", "type": "string" } @@ -148395,7 +154473,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "", + "markdownDescription": "Enables ad marker passthrough for your configuration.", "title": "Enabled", "type": "boolean" } 
@@ -148406,12 +154484,12 @@ "additionalProperties": false, "properties": { "Mode": { - "markdownDescription": "", + "markdownDescription": "Sets the ad suppression mode. By default, ad suppression is off and all ad breaks are filled with ads or slate. When Mode is set to `BEHIND_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks on or behind the ad suppression Value time in the manifest lookback window. When Mode is set to `AFTER_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks that are within the live edge plus the avail suppression value.", "title": "Mode", "type": "string" }, "Value": { - "markdownDescription": "", + "markdownDescription": "A live edge offset time in HH:MM:SS. MediaTailor won't fill ad breaks on or behind this time in the manifest lookback window. If Value is set to 00:00:00, it is in sync with the live edge, and MediaTailor won't fill any ad breaks on or behind the live edge. If you set a Value time, MediaTailor won't fill any ad breaks on or behind this time in the manifest lookback window. For example, if you set 00:45:00, then MediaTailor will fill ad breaks that occur within 45 minutes behind the live edge, but won't fill ad breaks on or behind 45 minutes behind the live edge.", "title": "Value", "type": "string" } @@ -148422,12 +154500,12 @@ "additionalProperties": false, "properties": { "EndUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the end bumper asset.", "title": "EndUrl", "type": "string" }, "StartUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the start bumper asset.", "title": "StartUrl", "type": "string" } 
@@ -148438,12 +154516,12 @@ "additionalProperties": false, "properties": { "AdSegmentUrlPrefix": { - "markdownDescription": "", + "markdownDescription": "A non-default content delivery network (CDN) to serve ad segments. By default, AWS Elemental MediaTailor uses Amazon CloudFront with default cache settings as its CDN for ad segments. To set up an alternate CDN, create a rule in your CDN for the origin ads.mediatailor. ** .amazonaws.com. Then specify the rule's name in this `AdSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for ad segments.", "title": "AdSegmentUrlPrefix", "type": "string" }, "ContentSegmentUrlPrefix": { - "markdownDescription": "", + "markdownDescription": "A content delivery network (CDN) to cache content segments, so that content requests don\u2019t always have to go to the origin server. First, create a rule in your CDN for the content segment origin server. Then specify the rule's name in this `ContentSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for content segments.", "title": "ContentSegmentUrlPrefix", "type": "string" } 
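Review bot: The new `AdSegmentUrlPrefix` description gives the CDN origin as `ads.mediatailor. ** .amazonaws.com`, where the markup around what is presumably a Region placeholder has collapsed into a bare `**`. Someone setting up a CDN rule from this tooltip gets no usable hostname pattern. If the text is generated from upstream documentation, the conversion step should keep the placeholder, for example `ads.mediatailor.<region>.amazonaws.com`. Confirm the exact form against the source document before changing it.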
@@ -148486,12 +154564,12 @@ "additionalProperties": false, "properties": { "AdDecisionServerUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the ad decision server (ADS) for pre-roll ads. This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing, you can provide a static VAST URL. The maximum length is 25,000 characters.", "title": "AdDecisionServerUrl", "type": "string" }, "MaxDurationSeconds": { - "markdownDescription": "", + "markdownDescription": "The maximum allowed duration for the pre-roll ad avail. AWS Elemental MediaTailor won't play pre-roll ads to exceed this duration, regardless of the total duration of ads that the ADS returns.", "title": "MaxDurationSeconds", "type": "number" } @@ -148503,7 +154581,7 @@ "properties": { "AdMarkerPassthrough": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.AdMarkerPassthrough", - "markdownDescription": "", + "markdownDescription": "For HLS, when set to `true` , MediaTailor passes through `EXT-X-CUE-IN` , `EXT-X-CUE-OUT` , and `EXT-X-SPLICEPOINT-SCTE35` ad markers from the origin manifest to the MediaTailor personalized manifest.\n\nNo logic is applied to these ad markers. For example, if `EXT-X-CUE-OUT` has a value of `60` , but no ads are filled for that ad break, MediaTailor will not set the value to `0` .", "title": "AdMarkerPassthrough" } }, 
@@ -148545,27 +154623,39 @@ "additionalProperties": false, "properties": { "AccessConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.AccessConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.AccessConfiguration", + "markdownDescription": "The access configuration for the source location.", + "title": "AccessConfiguration" }, "DefaultSegmentDeliveryConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.DefaultSegmentDeliveryConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.DefaultSegmentDeliveryConfiguration", + "markdownDescription": "The default segment delivery configuration.", + "title": "DefaultSegmentDeliveryConfiguration" }, "HttpConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.HttpConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.HttpConfiguration", + "markdownDescription": "The HTTP configuration for the source location.", + "title": "HttpConfiguration" }, "SegmentDeliveryConfigurations": { "items": { "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SegmentDeliveryConfiguration" }, + "markdownDescription": "The segment delivery configurations for the source location.", + "title": "SegmentDeliveryConfigurations", "type": "array" }, "SourceLocationName": { + "markdownDescription": "The name of the source location.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the source location. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" } }, 
@@ -148600,10 +154690,14 @@ "additionalProperties": false, "properties": { "AccessType": { + "markdownDescription": "The type of authentication used to access content from `HttpConfiguration::BaseUrl` on your source location. Accepted value: `S3_SIGV4` .\n\n`S3_SIGV4` - AWS Signature Version 4 authentication for Amazon S3 hosted virtual-style access. If your source location base URL is an Amazon S3 bucket, MediaTailor can use AWS Signature Version 4 (SigV4) authentication to access the bucket where your source content is stored. Your MediaTailor source location baseURL must follow the S3 virtual hosted-style request URL format. For example, https://bucket-name.s3.Region.amazonaws.com/key-name.\n\nBefore you can use `S3_SIGV4` , you must meet these requirements:\n\n\u2022 You must allow MediaTailor to access your S3 bucket by granting mediatailor.amazonaws.com principal access in IAM. For information about configuring access in IAM, see Access management in the IAM User Guide.\n\n\u2022 The mediatailor.amazonaws.com service principal must have permissions to read all top level manifests referenced by the VodSource packaging configurations.\n\n\u2022 The caller of the API must have s3:GetObject IAM permissions to read all top level manifests referenced by your MediaTailor VodSource packaging configurations.", + "title": "AccessType", "type": "string" }, "SecretsManagerAccessTokenConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SecretsManagerAccessTokenConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SecretsManagerAccessTokenConfiguration", + "markdownDescription": "AWS Secrets Manager access token configuration parameters.", + "title": "SecretsManagerAccessTokenConfiguration" } }, "type": "object" 
@@ -148612,6 +154706,8 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The hostname of the server that will be used to serve segments. This string must include the protocol, such as *https://* .", + "title": "BaseUrl", "type": "string" } }, @@ -148621,6 +154717,8 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The base URL for the source location host server. This string must include the protocol, such as *https://* .", + "title": "BaseUrl", "type": "string" } }, @@ -148633,12 +154731,18 @@ "additionalProperties": false, "properties": { "HeaderName": { + "markdownDescription": "The name of the HTTP header used to supply the access token in requests to the source location.", + "title": "HeaderName", "type": "string" }, "SecretArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the access token.", + "title": "SecretArn", "type": "string" }, "SecretStringKey": { + "markdownDescription": "The AWS Secrets Manager [SecretString](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html#SecretsManager-CreateSecret-request-SecretString.html) key associated with the access token. MediaTailor uses the key to look up SecretString key and value pair containing the access token.", + "title": "SecretStringKey", "type": "string" } }, 
@@ -148648,9 +154752,13 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The base URL of the host or path of the segment delivery server that you're using to serve segments. This is typically a content delivery network (CDN). The URL can be absolute or relative. To use an absolute URL include the protocol, such as `https://example.com/some/path` . To use a relative URL specify the relative path, such as `/some/path*` .", + "title": "BaseUrl", "type": "string" }, "Name": { + "markdownDescription": "A unique identifier used to distinguish between multiple segment delivery configurations in a source location.", + "title": "Name", "type": "string" } }, @@ -148695,18 +154803,26 @@ "items": { "$ref": "#/definitions/AWS::MediaTailor::VodSource.HttpPackageConfiguration" }, + "markdownDescription": "The HTTP package configurations for the VOD source.", + "title": "HttpPackageConfigurations", "type": "array" }, "SourceLocationName": { + "markdownDescription": "The name of the source location that the VOD source is associated with.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the VOD source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" }, "VodSourceName": { + "markdownDescription": "The name of the VOD source.", + "title": "VodSourceName", "type": "string" } }, 
@@ -148742,12 +154858,18 @@ "additionalProperties": false, "properties": { "Path": { + "markdownDescription": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "title": "Path", "type": "string" }, "SourceGroup": { + "markdownDescription": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "title": "SourceGroup", "type": "string" }, "Type": { + "markdownDescription": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` .", + "title": "Type", "type": "string" } }, @@ -149327,12 +155449,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The password(s) used for authentication", "title": "Passwords", "type": "array" }, "Type": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the user requires a password to authenticate. All newly-created users require a password.", "title": "Type", "type": "string" } @@ -149416,6 +155538,8 @@ "type": "string" }, "DBPort": { + "markdownDescription": "The port number on which the DB instances in the DB cluster accept connections.\n\nIf not specified, the default port used is `8182` .\n\n> The `Port` property will soon be deprecated. Please update existing templates to use the new `DBPort` property that has the same functionality.", + "title": "DBPort", "type": "number" }, "DBSubnetGroupName": { 
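Review bot: The new `Passwords` description, `The password(s) used for authentication`, says nothing about how the values are handled, while the schema accepts them as an array of plain strings. A literal password typed into a template is kept wherever the template text is kept. If descriptions can be amended locally, append a sentence such as `Prefer a dynamic reference to a secret store over a literal value.` The property's parent definition starts outside this hunk, so confirm the resource type before wording it more specifically.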
@@ -149558,12 +155682,12 @@ "additionalProperties": false, "properties": { "MaxCapacity": { - "markdownDescription": "", + "markdownDescription": "The maximum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 40, 40.5, 41, and so on.", "title": "MaxCapacity", "type": "number" }, "MinCapacity": { - "markdownDescription": "", + "markdownDescription": "The minimum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 8, 8.5, 9, and so on.", "title": "MinCapacity", "type": "number" } 
@@ -150353,7 +156477,7 @@ "additionalProperties": false, "properties": { "RuleOrder": { - "markdownDescription": "Indicates how to manage the order of stateful rule evaluation for the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", + "markdownDescription": "Indicates how to manage the order of stateful rule evaluation for the policy. `STRICT_ORDER` is the default and recommended option. With `STRICT_ORDER` , provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules. Choose `STRICT_ORDER` to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is `PASS` , followed by `DROP` , `REJECT` , and `ALERT` actions. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on your settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", "title": "RuleOrder", "type": "string" }, 
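Review bot: The new `RuleOrder` description uses `STRICT_ORDER` for two opposite behaviours: first as the option where rules are evaluated in the order you provide, then again in `Choose STRICT_ORDER to have the stateful rules engine determine the evaluation order`. The second mention, with its `PASS`, `DROP`, `REJECT`, `ALERT` action order, matches what the removed text called `DEFAULT_ACTION_ORDER`, so it is probably a substitution error carried in from the upstream text. The sentence should read `Choose DEFAULT_ACTION_ORDER to have the stateful rules engine determine the evaluation order of your rules.` The claim about which value is the default also changed from the old text and should be checked against the service's API default, since a wrong choice here changes which traffic a firewall policy passes.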
@@ -150937,7 +157061,7 @@ }, "StatefulRuleOptions": { "$ref": "#/definitions/AWS::NetworkFirewall::RuleGroup.StatefulRuleOptions", - "markdownDescription": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings.", + "markdownDescription": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings. Some limitations apply; for more information, see [Strict evaluation order](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html) in the *AWS Network Firewall Developer Guide* .", "title": "StatefulRuleOptions" } }, @@ -151005,7 +157129,7 @@ "title": "RulesSourceList" }, "RulesString": { - "markdownDescription": "Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules. Suricata is an open-source network IPS that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.", + "markdownDescription": "Stateful inspection criteria, provided in Suricata compatible rules. Suricata is an open-source threat detection framework that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.\n\n> You can't use the `priority` keyword if the `RuleOrder` option in `StatefulRuleOptions` is set to `STRICT_ORDER` .", "title": "RulesString", "type": "string" }, 
@@ -151219,7 +157343,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::ConnectAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "Tags": { @@ -151337,7 +157461,7 @@ "properties": { "BgpOptions": { "$ref": "#/definitions/AWS::NetworkManager::ConnectPeer.BgpOptions", - "markdownDescription": "", + "markdownDescription": "Describes the BGP options.", "title": "BgpOptions" }, "ConnectAttachmentId": { @@ -151364,6 +157488,8 @@ "type": "string" }, "SubnetArn": { + "markdownDescription": "The subnet ARN of the Connect peer.", + "title": "SubnetArn", "type": "string" }, "Tags": { @@ -151733,7 +157859,7 @@ "properties": { "AWSLocation": { "$ref": "#/definitions/AWS::NetworkManager::Device.AWSLocation", - "markdownDescription": "", + "markdownDescription": "The AWS location of the device.", "title": "AWSLocation" }, "Description": { @@ -151815,12 +157941,12 @@ "additionalProperties": false, "properties": { "SubnetArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the subnet that the device is located in.", "title": "SubnetArn", "type": "string" }, "Zone": { - "markdownDescription": "", + "markdownDescription": "The Zone that the device is located in. Specify the ID of an Availability Zone, Local Zone, Wavelength Zone, or an Outpost.", "title": "Zone", "type": "string" } @@ -151884,6 +158010,8 @@ "additionalProperties": false, "properties": { "CreatedAt": { + "markdownDescription": "The date and time that the global network was created.", + "title": "CreatedAt", "type": "string" }, "Description": { @@ -151892,6 +158020,8 @@ "type": "string" }, "State": { + "markdownDescription": "The state of the global network.", + "title": "State", "type": "string" }, "Tags": { 
@@ -152270,7 +158400,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::SiteToSiteVpnAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "Tags": { @@ -152649,7 +158779,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::VpcAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "SubnetArns": { @@ -152868,7 +158998,7 @@ "additionalProperties": false, "properties": { "AutomaticTerminationMode": { - "markdownDescription": "", + "markdownDescription": "Indicates if a streaming session created from this launch profile should be terminated automatically or retained without termination after being in a `STOPPED` state.\n\n- When `ACTIVATED` , the streaming session is scheduled for termination after being in the `STOPPED` state for the time specified in `maxStoppedSessionLengthInMinutes` .\n- When `DEACTIVATED` , the streaming session can remain in the `STOPPED` state indefinitely.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` . When allowed, the default value for this parameter is `DEACTIVATED` .", "title": "AutomaticTerminationMode", "type": "string" }, 
@@ -152897,11 +159027,11 @@ }, "SessionBackup": { "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionBackup", - "markdownDescription": "", + "markdownDescription": "Information about the streaming session backup.", "title": "SessionBackup" }, "SessionPersistenceMode": { - "markdownDescription": "", + "markdownDescription": "Determine if a streaming session created from this launch profile can configure persistent storage. This means that `volumeConfiguration` and `automaticTerminationMode` are configured.", "title": "SessionPersistenceMode", "type": "string" }, @@ -152920,7 +159050,7 @@ }, "VolumeConfiguration": { "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.VolumeConfiguration", - "markdownDescription": "", + "markdownDescription": "Custom volume configuration for the root volumes that are attached to streaming sessions.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` .", "title": "VolumeConfiguration" } }, @@ -152935,12 +159065,12 @@ "additionalProperties": false, "properties": { "MaxBackupsToRetain": { - "markdownDescription": "", + "markdownDescription": "The maximum number of backups that each streaming session created from this launch profile can have.", "title": "MaxBackupsToRetain", "type": "number" }, "Mode": { - "markdownDescription": "", + "markdownDescription": "Specifies how artists sessions are backed up.\n\nConfigures backups for streaming sessions launched with this launch profile. The default value is `DEACTIVATED` , which means that backups are deactivated. To allow backups, set this value to `AUTOMATIC` .", "title": "Mode", "type": "string" } 
@@ -152989,17 +159119,17 @@ "additionalProperties": false, "properties": { "Iops": { - "markdownDescription": "", + "markdownDescription": "The number of I/O operations per second for the root volume that is attached to streaming session.", "title": "Iops", "type": "number" }, "Size": { - "markdownDescription": "", + "markdownDescription": "The size of the root volume that is attached to the streaming session. The root volume size is measured in GiBs.", "title": "Size", "type": "number" }, "Throughput": { - "markdownDescription": "", + "markdownDescription": "The throughput to provision for the root volume that is attached to the streaming session. The throughput is measured in MiB/s.", "title": "Throughput", "type": "number" } @@ -153105,12 +159235,12 @@ "additionalProperties": false, "properties": { "KeyArn": { - "markdownDescription": "", + "markdownDescription": "The ARN for a KMS key that is used to encrypt studio data.", "title": "KeyArn", "type": "string" }, "KeyType": { - "markdownDescription": "", + "markdownDescription": "The type of KMS key that is used to encrypt studio data.", "title": "KeyType", "type": "string" } @@ -153570,6 +159700,16 @@ "Properties": { "additionalProperties": false, "properties": { + "BufferOptions": { + "$ref": "#/definitions/AWS::OSIS::Pipeline.BufferOptions", + "markdownDescription": "Options that specify the configuration of a persistent buffer. To configure how OpenSearch Ingestion encrypts this data, set the EncryptionAtRestOptions.", + "title": "BufferOptions" + }, + "EncryptionAtRestOptions": { + "$ref": "#/definitions/AWS::OSIS::Pipeline.EncryptionAtRestOptions", + "markdownDescription": "Options to control how OpenSearch encrypts all data-at-rest.", + "title": "EncryptionAtRestOptions" + }, "LogPublishingOptions": { "$ref": "#/definitions/AWS::OSIS::Pipeline.LogPublishingOptions", "markdownDescription": "Key-value pairs that represent log publishing settings.", 
@@ -153638,15 +159778,46 @@ ], "type": "object" }, + "AWS::OSIS::Pipeline.BufferOptions": { + "additionalProperties": false, + "properties": { + "PersistentBufferEnabled": { + "markdownDescription": "Whether persistent buffering should be enabled.", + "title": "PersistentBufferEnabled", + "type": "boolean" + } + }, + "required": [ + "PersistentBufferEnabled" + ], + "type": "object" + }, "AWS::OSIS::Pipeline.CloudWatchLogDestination": { "additionalProperties": false, "properties": { "LogGroup": { - "markdownDescription": "", + "markdownDescription": "The name of the CloudWatch Logs group to send pipeline logs to. You can specify an existing log group or create a new one. For example, `/aws/OpenSearchService/IngestionService/my-pipeline` .", "title": "LogGroup", "type": "string" } }, + "required": [ + "LogGroup" + ], + "type": "object" + }, + "AWS::OSIS::Pipeline.EncryptionAtRestOptions": { + "additionalProperties": false, + "properties": { + "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key used to encrypt data-at-rest in OpenSearch Ingestion. By default, data is encrypted using an AWS owned key.", + "title": "KmsKeyArn", + "type": "string" + } + }, + "required": [ + "KmsKeyArn" + ], "type": "object" }, "AWS::OSIS::Pipeline.LogPublishingOptions": { @@ -153706,6 +159877,9 @@ "type": "array" } }, + "required": [ + "SubnetIds" + ], "type": "object" }, "AWS::Oam::Link": { @@ -153752,7 +159926,7 @@ "items": { "type": "string" }, - "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace` .", + "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application` .", "title": "ResourceTypes", "type": "array" }, 
@@ -154214,6 +160388,8 @@ "type": "number" }, "MaxGpus": { + "markdownDescription": "The maximum GPUs that can be used by a run group.", + "title": "MaxGpus", "type": "number" }, "MaxRuns": { @@ -154301,7 +160477,7 @@ "type": "string" }, "FallbackLocation": { - "markdownDescription": "", + "markdownDescription": "An S3 location that is used to store files that have failed a direct upload.", "title": "FallbackLocation", "type": "string" }, @@ -154535,6 +160711,8 @@ "additionalProperties": false, "properties": { "Accelerators": { + "markdownDescription": "", + "title": "Accelerators", "type": "string" }, "DefinitionUri": { @@ -154757,6 +160935,11 @@ "title": "Name", "type": "string" }, + "StandbyReplicas": { + "markdownDescription": "Details about an OpenSearch Serverless collection.", + "title": "StandbyReplicas", + "type": "string" + }, "Tags": { "items": { "$ref": "#/definitions/Tag" @@ -154766,7 +160949,7 @@ "type": "array" }, "Type": { - "markdownDescription": "The type of collection. Possible values are `SEARCH` and `TIMESERIES` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) .", + "markdownDescription": "The type of collection. Possible values are `SEARCH` , `TIMESERIES` , and `VECTORSEARCH` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) .", "title": "Type", "type": "string" } 
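Review bot: Two descriptions added on this line say nothing about their property: `Accelerators` is added with an empty `markdownDescription`, and the new `StandbyReplicas` property is described as `Details about an OpenSearch Serverless collection.`, which describes the resource rather than the setting. The rest of the change replaces empty descriptions, so these two stand out as gaps. If the upstream text is not yet available, omitting the empty `markdownDescription` key would be better than shipping a blank tooltip. For `StandbyReplicas` the description should state what the string controls and its accepted values, which the hunk does not show.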
@@ -154797,6 +160980,90 @@ ], "type": "object" }, + "AWS::OpenSearchServerless::LifecyclePolicy": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Description": { + "markdownDescription": "The description of the lifecycle policy.", + "title": "Description", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of the lifecycle policy.", + "title": "Name", + "type": "string" + }, + "Policy": { + "markdownDescription": "The JSON policy document without any whitespaces.", + "title": "Policy", + "type": "string" + }, + "Type": { + "markdownDescription": "The type of lifecycle policy.", + "title": "Type", + "type": "string" + } + }, + "required": [ + "Name", + "Policy", + "Type" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::OpenSearchServerless::LifecyclePolicy" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::OpenSearchServerless::SecurityConfig": { "additionalProperties": false, "properties": { 
@@ -155169,6 +161436,11 @@ "title": "EngineVersion", "type": "string" }, + "IPAddressType": { + "markdownDescription": "The type of IP addresses supported by the endpoint for the domain.", + "title": "IPAddressType", + "type": "string" + }, "LogPublishingOptions": { "additionalProperties": false, "markdownDescription": "An object with one or more of the following keys: `SEARCH_SLOW_LOGS` , `ES_APPLICATION_LOGS` , `INDEX_SLOW_LOGS` , `AUDIT_LOGS` , depending on the types of logs you want to publish. Each key needs a valid `LogPublishingOption` value. For the full syntax, see the [examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-opensearchservice-domain.html#aws-resource-opensearchservice-domain--examples) .", @@ -155863,7 +162135,7 @@ "type": "string" }, "Secure": { - "markdownDescription": "(Optional) Whether the variable's value is returned by the [DescribeApps](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeApps) action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", + "markdownDescription": "(Optional) Whether the variable's value is returned by the `DescribeApps` action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", "title": "Secure", "type": "boolean" }, 
@@ -156045,7 +162317,7 @@ "additionalProperties": false, "properties": { "AgentVersion": { - "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.", + "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.", "title": "AgentVersion", "type": "string" }, 
@@ -156096,7 +162368,7 @@ "type": "string" }, "InstallUpdatesOnBoot": { - "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", + "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", "title": "InstallUpdatesOnBoot", "type": "boolean" }, 
@@ -156114,7 +162386,7 @@ "type": "array" }, "Os": { - "markdownDescription": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the [CreateInstance](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateInstance) action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . 
For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", + "markdownDescription": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the `CreateInstance` action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", "title": "Os", "type": "string" }, 
@@ -156415,7 +162687,7 @@ "type": "boolean" }, "InstallUpdatesOnBoot": { - "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", + "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", "title": "InstallUpdatesOnBoot", "type": "boolean" }, 
@@ -156718,7 +162990,7 @@ "additionalProperties": false, "properties": { "AgentVersion": { - "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", + "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . 
AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", "title": "AgentVersion", "type": "string" }, 
@@ -157413,7 +163685,7 @@ "type": "array" }, "RoleName": { - "markdownDescription": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Accessing and Administering the Member Accounts in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [Tutorial: Delegate Access Across AWS accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", + "markdownDescription": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. 
The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Creating the OrganizationAccountAccessRole in an invited member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [IAM Tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", "title": "RoleName", "type": "string" }, 
@@ -157489,7 +163761,7 @@ "additionalProperties": false, "properties": { "FeatureSet": { - "markdownDescription": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide.*\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. 
Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` .", + "markdownDescription": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. 
For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide* .\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` .", "title": "FeatureSet", "type": "string" } 
@@ -157633,7 +163905,7 @@ "additionalProperties": false, "properties": { "Content": { - "markdownDescription": "The policy text content. You can specify the policy content as a JSON object or a JSON string.\n\n> When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead. \n\nThe text that you supply must adhere to the rules of the policy type you specify in the `Type` parameter. The following AWS Organizations quotas are enforced for the maximum size of a policy document:\n\n- Service control policies: 5,120 bytes *(not characters)*\n- AI services opt-out policies: 2,500 characters\n- Backup policies: 10,000 characters\n- Tag policies: 10,000 characters\n\nFor more information about Organizations service quotas, see [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) in the *AWS Organizations User Guide* .", + "markdownDescription": "The policy text content. You can specify the policy content as a JSON object or a JSON string.\n\n> When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead. \n\nThe text that you supply must adhere to the rules of the policy type you specify in the `Type` parameter. The following AWS Organizations quotas are enforced for the maximum size of a policy document:\n\n- Service control policies: 5,120 characters\n- AI services opt-out policies: 2,500 characters\n- Backup policies: 10,000 characters\n- Tag policies: 10,000 characters\n\nFor more information about Organizations service quotas, see [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) in the *AWS Organizations User Guide* .", "title": "Content", "type": "object" }, 
@@ -157808,22 +164080,30 @@ "additionalProperties": false, "properties": { "CertificateAuthorityArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the certificate authority being used.", + "title": "CertificateAuthorityArn", "type": "string" }, "DirectoryId": { + "markdownDescription": "The identifier of the Active Directory.", + "title": "DirectoryId", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a connector consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" }, "VpcInformation": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Connector.VpcInformation" + "$ref": "#/definitions/AWS::PCAConnectorAD::Connector.VpcInformation", + "markdownDescription": "Information of the VPC and security group(s) used with the connector.", + "title": "VpcInformation" } }, "required": [ @@ -157861,6 +164141,8 @@ "items": { "type": "string" }, + "markdownDescription": "The security groups used with the connector. You can use a maximum of 4 security groups with a connector.", + "title": "SecurityGroupIds", "type": "array" } }, @@ -157905,15 +164187,19 @@ "additionalProperties": false, "properties": { "DirectoryId": { + "markdownDescription": "The identifier of the Active Directory.", + "title": "DirectoryId", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a directory registration consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, 
@@ -157979,9 +164265,13 @@ "additionalProperties": false, "properties": { "ConnectorArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector.html](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "title": "ConnectorArn", "type": "string" }, "DirectoryRegistrationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration.html) .", + "title": "DirectoryRegistrationArn", "type": "string" } }, 
@@ -158043,24 +164333,34 @@ "additionalProperties": false, "properties": { "ConnectorArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "title": "ConnectorArn", "type": "string" }, "Definition": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateDefinition" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateDefinition", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "Definition" }, "Name": { + "markdownDescription": "Name of the templates. Template names must be unique.", + "title": "Name", "type": "string" }, "ReenrollAllCertificateHolders": { + "markdownDescription": "This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.", + "title": "ReenrollAllCertificateHolders", "type": "boolean" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a template consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, @@ -158096,12 +164396,16 @@ "additionalProperties": false, "properties": { "Critical": { + "markdownDescription": "Marks the application policy extension as critical.", + "title": "Critical", "type": "boolean" }, "Policies": { "items": { "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicy" }, + "markdownDescription": "Application policies describe what the certificate can be used for.", + "title": "Policies", "type": "array" } }, 
@@ -158114,9 +164418,13 @@ "additionalProperties": false, "properties": { "PolicyObjectIdentifier": { + "markdownDescription": "The object identifier (OID) of an application policy.", + "title": "PolicyObjectIdentifier", "type": "string" }, "PolicyType": { + "markdownDescription": "The type of application policy", + "title": "PolicyType", "type": "string" } }, @@ -158126,10 +164434,14 @@ "additionalProperties": false, "properties": { "RenewalPeriod": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod", + "markdownDescription": "Renewal period is the period of time before certificate expiration when a new certificate will be requested.", + "title": "RenewalPeriod" }, "ValidityPeriod": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod", + "markdownDescription": "Information describing the end of the validity period of the certificate. This parameter sets the \u201cNot After\u201d date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.", + "title": "ValidityPeriod" } }, "required": [ 
@@ -158142,18 +164454,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, 
@@ -158163,18 +164485,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, 
@@ -158184,18 +164516,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, 
@@ -158205,10 +164547,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158220,10 +164566,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ 
@@ -158235,10 +164585,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158250,9 +164604,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.", + "title": "MachineType", "type": "boolean" } }, @@ -158262,9 +164620,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users", + "title": "MachineType", "type": "boolean" } }, 
@@ -158274,9 +164636,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users", + "title": "MachineType", "type": "boolean" } }, @@ -158286,10 +164652,14 @@ "additionalProperties": false, "properties": { "Critical": { + "markdownDescription": "Sets the key usage extension to critical.", + "title": "Critical", "type": "boolean" }, "UsageFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageFlags" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageFlags", + "markdownDescription": "The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.", + "title": "UsageFlags" } }, "required": [ 
@@ -158301,18 +164671,28 @@ "additionalProperties": false, "properties": { "DataEncipherment": { + "markdownDescription": "DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.", + "title": "DataEncipherment", "type": "boolean" }, "DigitalSignature": { + "markdownDescription": "The digitalSignature is asserted when the subject public key is used for verifying digital signatures.", + "title": "DigitalSignature", "type": "boolean" }, "KeyAgreement": { + "markdownDescription": "KeyAgreement is asserted when the subject public key is used for key agreement.", + "title": "KeyAgreement", "type": "boolean" }, "KeyEncipherment": { + "markdownDescription": "KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.", + "title": "KeyEncipherment", "type": "boolean" }, "NonRepudiation": { + "markdownDescription": "NonRepudiation is asserted when the subject public key is used to verify digital signatures.", + "title": "NonRepudiation", "type": "boolean" } }, @@ -158322,9 +164702,13 @@ "additionalProperties": false, "properties": { "PropertyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsagePropertyFlags" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsagePropertyFlags", + "markdownDescription": "You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.", + "title": "PropertyFlags" }, "PropertyType": { + "markdownDescription": "You can specify all key usages using property type ALL. You can use property type or property flags but not both.", + "title": "PropertyType", "type": "string" } }, 
@@ -158334,12 +164718,18 @@ "additionalProperties": false, "properties": { "Decrypt": { + "markdownDescription": "Allows key for encryption and decryption.", + "title": "Decrypt", "type": "boolean" }, "KeyAgreement": { + "markdownDescription": "Allows key exchange without encryption.", + "title": "KeyAgreement", "type": "boolean" }, "Sign": { + "markdownDescription": "Allow key use for digital signature.", + "title": "Sign", "type": "boolean" } }, @@ -158352,12 +164742,18 @@ "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, 
@@ -158371,21 +164767,31 @@ "additionalProperties": false, "properties": { "Algorithm": { + "markdownDescription": "Defines the algorithm used to generate the private key.", + "title": "Algorithm", "type": "string" }, "CryptoProviders": { "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "KeyUsageProperty": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty", + "markdownDescription": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "title": "KeyUsageProperty" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, 
@@ -158401,21 +164807,31 @@ "additionalProperties": false, "properties": { "Algorithm": { + "markdownDescription": "Defines the algorithm used to generate the private key.", + "title": "Algorithm", "type": "string" }, "CryptoProviders": { "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "KeyUsageProperty": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty", + "markdownDescription": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "title": "KeyUsageProperty" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, @@ -158429,12 +164845,18 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Require user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" } }, 
@@ -158447,15 +164869,23 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "RequireAlternateSignatureAlgorithm": { + "markdownDescription": "Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "title": "RequireAlternateSignatureAlgorithm", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Requirer user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" } }, 
@@ -158468,21 +164898,33 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "RequireAlternateSignatureAlgorithm": { + "markdownDescription": "Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "title": "RequireAlternateSignatureAlgorithm", "type": "boolean" }, "RequireSameKeyRenewal": { + "markdownDescription": "Renew certificate using the same private key.", + "title": "RequireSameKeyRenewal", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Require user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" }, "UseLegacyProvider": { + "markdownDescription": "Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.", + "title": "UseLegacyProvider", "type": "boolean" } }, 
@@ -158495,33 +164937,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, 
@@ -158531,33 +164993,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, 
@@ -158567,33 +165049,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, 
@@ -158603,13 +165105,19 @@ "additionalProperties": false, "properties": { "TemplateV2": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV2", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV2" }, "TemplateV3": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV3", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV3" }, "TemplateV4": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV4", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV4" } }, "type": "object" 
@@ -158618,30 +165126,46 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV2", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV2", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV2", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV2", + "markdownDescription": "Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. 
V2 templates allow you to use Legacy Cryptographic Service Providers.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV2", + "markdownDescription": "Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV2", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, 
@@ -158660,33 +165184,51 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV3", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV3", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV3", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "HashAlgorithm": { + "markdownDescription": "Specifies the hash algorithm used to hash the private key.", + "title": "HashAlgorithm", "type": "string" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV3", + "markdownDescription": "Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. 
V3 templates allow you to use Key Storage Providers.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV3", + "markdownDescription": "Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV3", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, 
@@ -158706,33 +165248,51 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV4", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV4", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV4", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "HashAlgorithm": { + "markdownDescription": "Specifies the hash algorithm used to hash the private key. 
Hash algorithm can only be specified when using Key Storage Providers.", + "title": "HashAlgorithm", "type": "string" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV4", + "markdownDescription": "Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV4", + "markdownDescription": "Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV4", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, 
@@ -158751,9 +165311,13 @@ "additionalProperties": false, "properties": { "Period": { + "markdownDescription": "The numeric value for the validity period.", + "title": "Period", "type": "number" }, "PeriodType": { + "markdownDescription": "The unit of time. You can select hours, days, weeks, months, and years.", + "title": "PeriodType", "type": "string" } }, @@ -158799,15 +165363,23 @@ "additionalProperties": false, "properties": { "AccessRights": { - "$ref": "#/definitions/AWS::PCAConnectorAD::TemplateGroupAccessControlEntry.AccessRights" + "$ref": "#/definitions/AWS::PCAConnectorAD::TemplateGroupAccessControlEntry.AccessRights", + "markdownDescription": "Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template.", + "title": "AccessRights" }, "GroupDisplayName": { + "markdownDescription": "Name of the Active Directory group. This name does not need to match the group name in Active Directory.", + "title": "GroupDisplayName", "type": "string" }, "GroupSecurityIdentifier": { + "markdownDescription": "Security identifier (SID) of the group object from Active Directory. The SID starts with \"S-\".", + "title": "GroupSecurityIdentifier", "type": "string" }, "TemplateArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html) .", + "title": "TemplateArn", "type": "string" } }, 
@@ -158842,9 +165414,13 @@ "additionalProperties": false, "properties": { "AutoEnroll": { + "markdownDescription": "Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment", + "title": "AutoEnroll", "type": "string" }, "Enroll": { + "markdownDescription": "Allow or deny an Active Directory group from enrolling certificates issued against a template.", + "title": "Enroll", "type": "string" } }, @@ -159020,7 +165596,7 @@ }, "StorageLocation": { "$ref": "#/definitions/AWS::Panorama::Package.StorageLocation", - "markdownDescription": "", + "markdownDescription": "A storage location.", "title": "StorageLocation" }, "Tags": { @@ -159062,27 +165638,27 @@ "additionalProperties": false, "properties": { "BinaryPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's binary prefix.", "title": "BinaryPrefixLocation", "type": "string" }, "Bucket": { - "markdownDescription": "", + "markdownDescription": "The location's bucket.", "title": "Bucket", "type": "string" }, "GeneratedPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's generated prefix.", "title": "GeneratedPrefixLocation", "type": "string" }, "ManifestPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's manifest prefix.", "title": "ManifestPrefixLocation", "type": "string" }, "RepoPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's repo prefix.", "title": "RepoPrefixLocation", "type": "string" } 
@@ -159225,11 +165801,11 @@ }, "DatasetImportJob": { "$ref": "#/definitions/AWS::Personalize::Dataset.DatasetImportJob", - "markdownDescription": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset.", + "markdownDescription": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset. If you specify a dataset import job as part of a dataset, all dataset import job fields are required.", "title": "DatasetImportJob" }, "DatasetType": { - "markdownDescription": "One of the following values:\n\n- Interactions\n- Items\n- Users", + "markdownDescription": "One of the following values:\n\n- Interactions\n- Items\n- Users\n- Actions\n- Action_Interactions", "title": "DatasetType", "type": "string" }, @@ -159277,7 +165853,7 @@ "additionalProperties": false, "properties": { "DataLocation": { - "markdownDescription": "", + "markdownDescription": "The path to the Amazon S3 bucket where the data that you want to upload to your dataset is stored. For example:\n\n`s3://bucket-name/folder-name/`", "title": "DataLocation", "type": "string" } @@ -159366,7 +165942,7 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The ARN of the IAM role that has permissions to create the dataset group.", + "markdownDescription": "The ARN of the AWS Identity and Access Management (IAM) role that has permissions to access the AWS Key Management Service (KMS) key. Supplying an IAM role is only valid when also specifying a KMS key.", "title": "RoleArn", "type": "string" } @@ -159580,7 +166156,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.CategoricalHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of a categorical hyperparameter.", "title": "CategoricalHyperParameterRanges", "type": "array" }, 
@@ -159588,7 +166164,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.ContinuousHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of a continuous hyperparameter.", "title": "ContinuousHyperParameterRanges", "type": "array" }, @@ -159596,7 +166172,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.IntegerHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of an integer-valued hyperparameter.", "title": "IntegerHyperParameterRanges", "type": "array" } @@ -159607,7 +166183,7 @@ "additionalProperties": false, "properties": { "MetricName": { - "markdownDescription": "", + "markdownDescription": "The metric to optimize.", "title": "MetricName", "type": "string" }, @@ -159615,7 +166191,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The list of candidate recipes.", "title": "RecipeList", "type": "array" } @@ -159626,7 +166202,7 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" }, @@ -159634,7 +166210,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of the categories for the hyperparameter.", "title": "Values", "type": "array" } @@ -159645,17 +166221,17 @@ "additionalProperties": false, "properties": { "MaxValue": { - "markdownDescription": "", + "markdownDescription": "The maximum allowable value for the hyperparameter.", "title": "MaxValue", "type": "number" }, "MinValue": { - "markdownDescription": "", + "markdownDescription": "The minimum allowable value for the hyperparameter.", "title": "MinValue", "type": "number" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" } 
@@ -159667,17 +166243,17 @@ "properties": { "AlgorithmHyperParameterRanges": { "$ref": "#/definitions/AWS::Personalize::Solution.AlgorithmHyperParameterRanges", - "markdownDescription": "", + "markdownDescription": "The hyperparameters and their allowable ranges.", "title": "AlgorithmHyperParameterRanges" }, "HpoObjective": { "$ref": "#/definitions/AWS::Personalize::Solution.HpoObjective", - "markdownDescription": "", + "markdownDescription": "The metric to optimize during HPO.\n\n> Amazon Personalize doesn't support configuring the `hpoObjective` at this time.", "title": "HpoObjective" }, "HpoResourceConfig": { "$ref": "#/definitions/AWS::Personalize::Solution.HpoResourceConfig", - "markdownDescription": "", + "markdownDescription": "Describes the resource configuration for HPO.", "title": "HpoResourceConfig" } }, @@ -159687,17 +166263,17 @@ "additionalProperties": false, "properties": { "MetricName": { - "markdownDescription": "", + "markdownDescription": "The name of the metric.", "title": "MetricName", "type": "string" }, "MetricRegex": { - "markdownDescription": "", + "markdownDescription": "A regular expression for finding the metric in the training job logs.", "title": "MetricRegex", "type": "string" }, "Type": { - "markdownDescription": "", + "markdownDescription": "The type of the metric. Valid values are `Maximize` and `Minimize` .", "title": "Type", "type": "string" } 
@@ -159708,12 +166284,12 @@ "additionalProperties": false, "properties": { "MaxNumberOfTrainingJobs": { - "markdownDescription": "", + "markdownDescription": "The maximum number of training jobs when you create a solution version. The maximum value for `maxNumberOfTrainingJobs` is `40` .", "title": "MaxNumberOfTrainingJobs", "type": "string" }, "MaxParallelTrainingJobs": { - "markdownDescription": "", + "markdownDescription": "The maximum number of parallel training jobs when you create a solution version. The maximum value for `maxParallelTrainingJobs` is `10` .", "title": "MaxParallelTrainingJobs", "type": "string" } @@ -159724,17 +166300,17 @@ "additionalProperties": false, "properties": { "MaxValue": { - "markdownDescription": "", + "markdownDescription": "The maximum allowable value for the hyperparameter.", "title": "MaxValue", "type": "number" }, "MinValue": { - "markdownDescription": "", + "markdownDescription": "The minimum allowable value for the hyperparameter.", "title": "MinValue", "type": "number" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" } @@ -159746,7 +166322,7 @@ "properties": { "AlgorithmHyperParameters": { "additionalProperties": true, - "markdownDescription": "Lists the hyperparameter names and ranges.", + "markdownDescription": "Lists the algorithm hyperparameters and their values.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -160414,7 +166990,7 @@ "title": "CampaignHook" }, "CloudWatchMetricsEnabled": { - "markdownDescription": "Specifies whether to enable application-related alarms in Amazon CloudWatch.", + "markdownDescription": "", "title": "CloudWatchMetricsEnabled", "type": "boolean" }, 
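Review bot: The last hunk on this line (`@@ -160414,7 +166990,7 @@`) replaces the existing description of `CloudWatchMetricsEnabled` with an empty string, so the property loses its documentation instead of gaining any. The Pinpoint hunks at `@@ -160768,16 +167344,12 @@`, `@@ -161249,13 +167821,9 @@` and `@@ -162434,16 +169002,12 @@` go further and drop both `markdownDescription` and `title` from `AttributeType`, `Values`, `ComparisonOperator` and `Value`, including the list of valid `AttributeType` values. If the upstream source no longer carries these texts, the generation step should probably keep the previous description when the new one is empty or missing, e.g. retain `"markdownDescription": "Specifies whether to enable application-related alarms in Amazon CloudWatch."`.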
@@ -160686,7 +167262,7 @@ }, "MessageConfiguration": { "$ref": "#/definitions/AWS::Pinpoint::Campaign.MessageConfiguration", - "markdownDescription": "The message configuration settings for the campaign.", + "markdownDescription": "The message configuration settings for the treatment.", "title": "MessageConfiguration" }, "Name": { @@ -160701,7 +167277,7 @@ }, "Schedule": { "$ref": "#/definitions/AWS::Pinpoint::Campaign.Schedule", - "markdownDescription": "The schedule settings for the campaign.", + "markdownDescription": "The schedule settings for the treatment.", "title": "Schedule" }, "SegmentId": { @@ -160725,12 +167301,12 @@ "title": "TemplateConfiguration" }, "TreatmentDescription": { - "markdownDescription": "A custom description of the default treatment for the campaign.", + "markdownDescription": "A custom description of the treatment.", "title": "TreatmentDescription", "type": "string" }, "TreatmentName": { - "markdownDescription": "A custom name of the default treatment for the campaign, if the campaign has multiple treatments. A *treatment* is a variation of a campaign that's used for A/B testing.", + "markdownDescription": "A custom name for the treatment.", "title": "TreatmentName", "type": "string" } 
@@ -160768,16 +167344,12 @@ "additionalProperties": false, "properties": { "AttributeType": { - "markdownDescription": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "title": "AttributeType", "type": "string" }, "Values": { "items": { "type": "string" }, - "markdownDescription": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values.", - "title": "Values", "type": "array" } }, @@ -161249,13 +167821,9 @@ "additionalProperties": false, "properties": { "ComparisonOperator": { - "markdownDescription": "The operator to use when comparing metric values. Valid values are: `GREATER_THAN` , `LESS_THAN` , `GREATER_THAN_OR_EQUAL` , `LESS_THAN_OR_EQUAL` , and `EQUAL` .", - "title": "ComparisonOperator", "type": "string" }, "Value": { - "markdownDescription": "The value to compare.", - "title": "Value", "type": "number" } }, 
@@ -162116,7 +168684,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the message template.", + "markdownDescription": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", "title": "TemplateName", "type": "string" } @@ -162384,7 +168952,7 @@ }, "Dimensions": { "$ref": "#/definitions/AWS::Pinpoint::Segment.SegmentDimensions", - "markdownDescription": "The criteria that define the dimensions for the segment.", + "markdownDescription": "An array that defines the dimensions for the segment.", "title": "Dimensions" }, "Name": { 
@@ -162434,16 +169002,12 @@ "additionalProperties": false, "properties": { "AttributeType": { - "markdownDescription": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "title": "AttributeType", "type": "string" }, "Values": { "items": { "type": "string" }, - "markdownDescription": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values.", - "title": "Values", "type": "array" } }, @@ -162753,7 +169317,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the message template.", + "markdownDescription": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", "title": "TemplateName", "type": "string" } 
@@ -163481,6 +170045,11 @@ "markdownDescription": "The parameters required to set up enrichment on your pipe.", "title": "EnrichmentParameters" }, + "LogConfiguration": { + "$ref": "#/definitions/AWS::Pipes::Pipe.PipeLogConfiguration", + "markdownDescription": "The logging configuration settings for the pipe.", + "title": "LogConfiguration" + }, "Name": { "markdownDescription": "The name of the pipe.", "title": "Name", @@ -163714,11 +170283,22 @@ ], "type": "object" }, + "AWS::Pipes::Pipe.CloudwatchLogsLogDestination": { + "additionalProperties": false, + "properties": { + "LogGroupArn": { + "markdownDescription": "The AWS Resource Name (ARN) for the CloudWatch log group to which EventBridge sends the log records.", + "title": "LogGroupArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::Pipes::Pipe.DeadLetterConfig": { "additionalProperties": false, "properties": { "Arn": { - "markdownDescription": "The ARN of the Amazon SQS queue specified as the target for the dead-letter queue.", + "markdownDescription": "The ARN of the specified target for the dead-letter queue.\n\nFor Amazon Kinesis stream and Amazon DynamoDB stream sources, specify either an Amazon SNS topic or Amazon SQS queue ARN.", "title": "Arn", "type": "string" } @@ -163941,6 +170521,17 @@ }, "type": "object" }, + "AWS::Pipes::Pipe.FirehoseLogDestination": { + "additionalProperties": false, + "properties": { + "DeliveryStreamArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the Kinesis Data Firehose delivery stream to which EventBridge delivers the pipe log records.", + "title": "DeliveryStreamArn", + "type": "string" + } + }, + "type": "object" + }, "AWS::Pipes::Pipe.MQBrokerAccessCredentials": { "additionalProperties": false, "properties": { 
@@ -164034,6 +170625,40 @@ }, "type": "object" }, + "AWS::Pipes::Pipe.PipeLogConfiguration": { + "additionalProperties": false, + "properties": { + "CloudwatchLogsLogDestination": { + "$ref": "#/definitions/AWS::Pipes::Pipe.CloudwatchLogsLogDestination", + "markdownDescription": "The logging configuration settings for the pipe.", + "title": "CloudwatchLogsLogDestination" + }, + "FirehoseLogDestination": { + "$ref": "#/definitions/AWS::Pipes::Pipe.FirehoseLogDestination", + "markdownDescription": "The Amazon Kinesis Data Firehose logging configuration settings for the pipe.", + "title": "FirehoseLogDestination" + }, + "IncludeExecutionData": { + "items": { + "type": "string" + }, + "markdownDescription": "Whether the execution data (specifically, the `payload` , `awsRequest` , and `awsResponse` fields) is included in the log messages for this pipe.\n\nThis applies to all log destinations for the pipe.\n\nFor more information, see [Including execution data in logs](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes-logs.html#eb-pipes-logs-execution-data) in the *Amazon EventBridge User Guide* .", + "title": "IncludeExecutionData", + "type": "array" + }, + "Level": { + "markdownDescription": "The level of logging detail to include. This applies to all log destinations for the pipe.", + "title": "Level", + "type": "string" + }, + "S3LogDestination": { + "$ref": "#/definitions/AWS::Pipes::Pipe.S3LogDestination", + "markdownDescription": "The Amazon S3 logging configuration settings for the pipe.", + "title": "S3LogDestination" + } + }, + "type": "object" + }, "AWS::Pipes::Pipe.PipeSourceActiveMQBrokerParameters": { "additionalProperties": false, "properties": { 
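Review bot: `Level` and the items of `IncludeExecutionData` in the new `AWS::Pipes::Pipe.PipeLogConfiguration` definition are plain `"type": "string"`, so the schema accepts any value and cannot catch a typo before deployment. This matters because `IncludeExecutionData` decides whether the `payload`, `awsRequest` and `awsResponse` fields, which can carry sensitive event content, are written to every log destination of the pipe. Constraining both would help, for example `"enum": ["OFF", "ERROR", "INFO", "TRACE"]` on `Level` and `"enum": ["ALL"]` on the `IncludeExecutionData` items, taking the values from the service API reference. If this file is generated, the constraint belongs in the generator input rather than here.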
@@ -164241,7 +170866,7 @@ }, "SelfManagedKafkaParameters": { "$ref": "#/definitions/AWS::Pipes::Pipe.PipeSourceSelfManagedKafkaParameters", - "markdownDescription": "The parameters for using a self-managed Apache Kafka stream as a source.", + "markdownDescription": "The parameters for using a stream as a source.", "title": "SelfManagedKafkaParameters" }, "SqsQueueParameters": { @@ -164803,6 +171428,32 @@ }, "type": "object" }, + "AWS::Pipes::Pipe.S3LogDestination": { + "additionalProperties": false, + "properties": { + "BucketName": { + "markdownDescription": "The name of the Amazon S3 bucket to which EventBridge delivers the log records for the pipe.", + "title": "BucketName", + "type": "string" + }, + "BucketOwner": { + "markdownDescription": "The AWS account that owns the Amazon S3 bucket to which EventBridge delivers the log records for the pipe.", + "title": "BucketOwner", + "type": "string" + }, + "OutputFormat": { + "markdownDescription": "The format EventBridge uses for the log records.\n\n- `json` : JSON\n- `plain` : Plain text\n- `w3c` : [W3C extended logging file format](https://docs.aws.amazon.com/https://www.w3.org/TR/WD-logfile)", + "title": "OutputFormat", + "type": "string" + }, + "Prefix": { + "markdownDescription": "The prefix text with which to begin Amazon S3 log object names.\n\nFor more information, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html) in the *Amazon Simple Storage Service User Guide* .", + "title": "Prefix", + "type": "string" + } + }, + "type": "object" + }, "AWS::Pipes::Pipe.SageMakerPipelineParameter": { "additionalProperties": false, "properties": { 
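Review bot: The W3C link in the `OutputFormat` description of the new `AWS::Pipes::Pipe.S3LogDestination` definition is malformed: `https://docs.aws.amazon.com/https://www.w3.org/TR/WD-logfile` prefixes the docs host to an already absolute URL and will not resolve. The target should be `https://www.w3.org/TR/WD-logfile`. This looks like the description generator treating every link as relative to the docs site, so other external links in the file may be broken the same way and the fix probably belongs in that step. Separately, the first hunk on this line shortens the `SelfManagedKafkaParameters` description to "a stream", which no longer says which kind of source the property configures.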
@@ -165451,7 +172102,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" } }, "required": [ @@ -165486,7 +172139,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Analysis.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", @@ -165585,6 +172240,11 @@ "title": "FilterGroups", "type": "array" }, + "Options": { + "$ref": "#/definitions/AWS::QuickSight::Analysis.AssetOptions", + "markdownDescription": "An array of option definitions for an analysis.", + "title": "Options" + }, "ParameterDeclarations": { "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ParameterDeclaration" 
@@ -165740,13 +172400,33 @@ }, "type": "object" }, + "AWS::QuickSight::Analysis.AssetOptions": { + "additionalProperties": false, + "properties": { + "Timezone": { + "markdownDescription": "Determines the timezone for the analysis.", + "title": "Timezone", + "type": "string" + }, + "WeekStart": { + "markdownDescription": "Determines the week start day for an analysis.", + "title": "WeekStart", + "type": "string" + } + }, + "type": "object" + }, "AWS::QuickSight::Analysis.AttributeAggregationFunction": { "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -166715,6 +173395,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -166724,7 +173406,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ColumnIdentifier", 
@@ -167433,12 +174117,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -167883,6 +174573,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -167892,7 +174584,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Analysis.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", 
@@ -168159,7 +174853,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -168489,7 +175185,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ListControlSelectAllOptions", @@ -169152,6 +175850,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -169284,6 +175984,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { 
@@ -171063,10 +177765,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -171075,10 +177781,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" 
@@ -171101,10 +177811,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIPrimaryValueConditionalFormatting", @@ -171204,7 +177918,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TrendArrowOptions", @@ -171212,7 +177928,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" 
@@ -171262,15 +177980,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -171333,7 +178059,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -171342,6 +178070,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -171793,7 +178523,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ListControlSearchOptions", @@ -173449,6 +180181,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { 
@@ -173472,9 +180206,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -173510,9 +180248,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -173648,6 +180390,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -173989,7 +180733,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, 
@@ -173999,6 +180743,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -174125,7 +180871,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -174263,6 +181011,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -174850,9 +181600,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -175074,7 +181828,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", 
@@ -175088,9 +181844,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -175115,10 +181875,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -175291,6 +182055,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { 
@@ -175622,18 +182388,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -175732,6 +182500,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -175812,6 +182582,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -175880,7 +182652,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TextControlPlaceholderOptions", 
@@ -175931,7 +182705,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TextControlPlaceholderOptions", @@ -176012,12 +182788,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Analysis.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -176025,7 +182803,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -176344,6 +183122,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, 
@@ -176353,10 +183133,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -176387,6 +183171,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -176622,6 +183408,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be created or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -177311,6 +184099,11 @@ "markdownDescription": "", "title": "Definition" }, + "LinkSharingConfiguration": { + "$ref": "#/definitions/AWS::QuickSight::Dashboard.LinkSharingConfiguration", + "markdownDescription": "A structure that contains the link sharing configurations that you want to apply overrides to.", + "title": "LinkSharingConfiguration" + }, "Name": { "markdownDescription": "The display name of the dashboard.", "title": "Name", 
@@ -177348,7 +184141,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" }, "VersionDescription": { "markdownDescription": "A description for the first version of the dashboard being created.", @@ -177399,7 +184194,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", 
@@ -177533,13 +184330,33 @@ }, "type": "object" }, + "AWS::QuickSight::Dashboard.AssetOptions": { + "additionalProperties": false, + "properties": { + "Timezone": { + "markdownDescription": "Determines the timezone for the analysis.", + "title": "Timezone", + "type": "string" + }, + "WeekStart": { + "markdownDescription": "Determines the week start day for an analysis.", + "title": "WeekStart", + "type": "string" + } + }, + "type": "object" + }, "AWS::QuickSight::Dashboard.AttributeAggregationFunction": { "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -178508,6 +185325,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -178517,7 +185336,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColumnIdentifier", 
@@ -179226,12 +186047,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -179667,6 +186494,11 @@ "title": "FilterGroups", "type": "array" }, + "Options": { + "$ref": "#/definitions/AWS::QuickSight::Dashboard.AssetOptions", + "markdownDescription": "An array of option definitions for a dashboard.", + "title": "Options" + }, "ParameterDeclarations": { "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ParameterDeclaration" @@ -179933,6 +186765,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, 
@@ -179942,7 +186776,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", @@ -180242,7 +187078,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -180572,7 +187410,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ListControlSelectAllOptions", @@ -181268,6 +188108,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -181400,6 +188242,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { 
@@ -183179,10 +190023,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -183191,10 +190039,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" 
@@ -183217,10 +190069,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIPrimaryValueConditionalFormatting", @@ -183320,7 +190176,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TrendArrowOptions", @@ -183328,7 +190186,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" 
@@ -183378,15 +190238,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -183449,7 +190317,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -183458,6 +190328,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, 
@@ -183905,11 +190777,27 @@ }, "type": "object" }, + "AWS::QuickSight::Dashboard.LinkSharingConfiguration": { + "additionalProperties": false, + "properties": { + "Permissions": { + "items": { + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ResourcePermission" + }, + "markdownDescription": "A structure that contains the permissions of a shareable link.", + "title": "Permissions", + "type": "array" + } + }, + "type": "object" + }, "AWS::QuickSight::Dashboard.ListControlDisplayOptions": { "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ListControlSearchOptions", @@ -185565,6 +192453,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { 
@@ -185588,9 +192478,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -185626,9 +192520,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -185764,6 +192662,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -186105,7 +193005,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, 
@@ -186115,6 +193015,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -186241,7 +193143,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -186379,6 +193283,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -186966,9 +193872,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -187212,7 +194122,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", 
@@ -187226,9 +194138,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -187253,10 +194169,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -187429,6 +194349,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { 
@@ -187760,18 +194682,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -187870,6 +194794,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -187950,6 +194876,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -188018,7 +194946,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TextControlPlaceholderOptions", 
@@ -188069,7 +194999,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TextControlPlaceholderOptions", @@ -188150,12 +195082,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -188163,7 +195097,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -188482,6 +195416,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, 
@@ -188491,10 +195427,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -188525,6 +195465,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -188760,6 +195702,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be created or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -189479,7 +196423,7 @@ }, "DataSetRefreshProperties": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DataSetRefreshProperties", - "markdownDescription": "", + "markdownDescription": "The refresh properties of a dataset.", "title": "DataSetRefreshProperties" }, "DataSetUsageConfiguration": { @@ -189491,7 +196435,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DatasetParameter" }, - "markdownDescription": "", + "markdownDescription": "The parameters that are declared in a dataset.", "title": "DatasetParameters", "type": "array" }, 
@@ -189635,6 +196579,11 @@ "markdownDescription": "New column data type.", "title": "NewColumnType", "type": "string" + }, + "SubType": { + "markdownDescription": "The sub data type of the new column. Sub types are only available for decimal columns that are part of a SPICE dataset.", + "title": "SubType", + "type": "string" } }, "required": [ @@ -189787,22 +196736,22 @@ "properties": { "DateTimeDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DateTimeDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A date time parameter that is created in the dataset.", "title": "DateTimeDatasetParameter" }, "DecimalDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DecimalDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A decimal parameter that is created in the dataset.", "title": "DecimalDatasetParameter" }, "IntegerDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.IntegerDatasetParameter", - "markdownDescription": "", + "markdownDescription": "An integer parameter that is created in the dataset.", "title": "IntegerDatasetParameter" }, "StringDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.StringDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A string parameter that is created in the dataset.", "title": "StringDatasetParameter" } }, 
@@ -189813,26 +196762,26 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DateTimeDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given date time parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the parameter that is created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the date time parameter that is created in the dataset.", "title": "Name", "type": "string" }, "TimeGranularity": { - "markdownDescription": "", + "markdownDescription": "The time granularity of the date time parameter.", "title": "TimeGranularity", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -189863,21 +196812,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DecimalDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given decimal parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the decimal parameter created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the decimal parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } 
@@ -189896,7 +196845,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given decimal parameter.", "title": "StaticValues", "type": "array" } @@ -189999,6 +196948,11 @@ "title": "Name", "type": "string" }, + "SubType": { + "markdownDescription": "The sub data type of the column. Sub types are only available for decimal columns that are part of a SPICE dataset.", + "title": "SubType", + "type": "string" + }, "Type": { "markdownDescription": "The data type of the column.", "title": "Type", @@ -190016,21 +196970,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.IntegerDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given integer parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the integer parameter created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the integer parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190049,7 +197003,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given integer parameter.", "title": "StaticValues", "type": "array" } @@ -190194,7 +197148,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given decimal parameter.", "title": "DecimalStaticValues", "type": "array" }, 
@@ -190202,7 +197156,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given integer parameter.", "title": "IntegerStaticValues", "type": "array" }, @@ -190210,7 +197164,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given string parameter.", "title": "StringStaticValues", "type": "array" } @@ -190226,12 +197180,17 @@ "type": "string" }, "Name": { - "markdownDescription": "A display name for the dataset.", + "markdownDescription": "The display name of the column..", "title": "Name", "type": "string" }, + "SubType": { + "markdownDescription": "The sub data type of the column.", + "title": "SubType", + "type": "string" + }, "Type": { - "markdownDescription": "The type.", + "markdownDescription": "The data type of the column.", "title": "Type", "type": "string" } @@ -190252,7 +197211,7 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "", + "markdownDescription": "The name of the parameter to be overridden with different values.", "title": "ParameterName", "type": "string" } @@ -190315,7 +197274,7 @@ "additionalProperties": false, "properties": { "Catalog": { - "markdownDescription": "", + "markdownDescription": "The catalog associated with a table.", "title": "Catalog", "type": "string" }, @@ -190432,12 +197391,12 @@ "additionalProperties": false, "properties": { "Status": { - "markdownDescription": "", + "markdownDescription": "The status of row-level security tags. If enabled, the status is `ENABLED` . If disabled, the status is `DISABLED` .", "title": "Status", "type": "string" }, "TagRuleConfigurations": { - "markdownDescription": "", + "markdownDescription": "The configuration of tags on a dataset to set row-level security.", "title": "TagRuleConfigurations", "type": "object" }, 
@@ -190445,7 +197404,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::DataSet.RowLevelPermissionTagRule" }, - "markdownDescription": "", + "markdownDescription": "A set of rules associated with row-level security, such as the tag names and columns that they are assigned to.", "title": "TagRules", "type": "array" } @@ -190459,22 +197418,22 @@ "additionalProperties": false, "properties": { "ColumnName": { - "markdownDescription": "", + "markdownDescription": "The column name that a tag key is assigned to.", "title": "ColumnName", "type": "string" }, "MatchAllValue": { - "markdownDescription": "", + "markdownDescription": "A string that you want to use to filter by all the values in a column in the dataset and don\u2019t want to list the values one by one. For example, you can use an asterisk as your match all value.", "title": "MatchAllValue", "type": "string" }, "TagKey": { - "markdownDescription": "", + "markdownDescription": "The unique key for a tag.", "title": "TagKey", "type": "string" }, "TagMultiValueDelimiter": { - "markdownDescription": "", + "markdownDescription": "A string that you want to use to delimit the values when you pass the values at run time. For example, you can delimit the values with a comma.", "title": "TagMultiValueDelimiter", "type": "string" } 
@@ -190518,21 +197477,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.StringDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given string dataset parameter type. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the string parameter that is created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the string parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190551,7 +197510,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given string parameter.", "title": "StaticValues", "type": "array" } @@ -191029,10 +197988,20 @@ "markdownDescription": "The parameters for SQL Server.", "title": "SqlServerParameters" }, + "StarburstParameters": { + "$ref": "#/definitions/AWS::QuickSight::DataSource.StarburstParameters", + "markdownDescription": "The parameters that are required to connect to a Starburst data source.", + "title": "StarburstParameters" + }, "TeradataParameters": { "$ref": "#/definitions/AWS::QuickSight::DataSource.TeradataParameters", "markdownDescription": "The parameters for Teradata.", "title": "TeradataParameters" + }, + "TrinoParameters": { + "$ref": "#/definitions/AWS::QuickSight::DataSource.TrinoParameters", + "markdownDescription": "The parameters that are required to connect to a Trino data source.", + "title": "TrinoParameters" } }, "type": "object" 
@@ -191387,6 +198356,37 @@ }, "type": "object" }, + "AWS::QuickSight::DataSource.StarburstParameters": { + "additionalProperties": false, + "properties": { + "Catalog": { + "markdownDescription": "The catalog name for the Starburst data source.", + "title": "Catalog", + "type": "string" + }, + "Host": { + "markdownDescription": "The host name of the Starburst data source.", + "title": "Host", + "type": "string" + }, + "Port": { + "markdownDescription": "The port for the Starburst data source.", + "title": "Port", + "type": "number" + }, + "ProductType": { + "markdownDescription": "The product type for the Starburst data source.", + "title": "ProductType", + "type": "string" + } + }, + "required": [ + "Catalog", + "Host", + "Port" + ], + "type": "object" + }, "AWS::QuickSight::DataSource.TeradataParameters": { "additionalProperties": false, "properties": { @@ -191413,6 +198413,32 @@ ], "type": "object" }, + "AWS::QuickSight::DataSource.TrinoParameters": { + "additionalProperties": false, + "properties": { + "Catalog": { + "markdownDescription": "The catalog name for the Trino data source.", + "title": "Catalog", + "type": "string" + }, + "Host": { + "markdownDescription": "The host name of the Trino data source.", + "title": "Host", + "type": "string" + }, + "Port": { + "markdownDescription": "The port for the Trino data source.", + "title": "Port", + "type": "number" + } + }, + "required": [ + "Catalog", + "Host", + "Port" + ], + "type": "object" + }, "AWS::QuickSight::DataSource.VpcConnectionProperties": { "additionalProperties": false, "properties": { 
@@ -191645,7 +198671,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Template.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Template.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" }, "VersionDescription": { "markdownDescription": "A description of the current template version being created. This API operation creates the first version of the template. Every time `UpdateTemplate` is called, a new version is created. Each version of the template maintains a description of the version in the `VersionDescription` field.", @@ -191684,7 +198712,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Template.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Template.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", 
@@ -191818,13 +198848,33 @@ }, "type": "object" }, + "AWS::QuickSight::Template.AssetOptions": { + "additionalProperties": false, + "properties": { + "Timezone": { + "markdownDescription": "Determines the timezone for the analysis.", + "title": "Timezone", + "type": "string" + }, + "WeekStart": { + "markdownDescription": "Determines the week start day for an analysis.", + "title": "WeekStart", + "type": "string" + } + }, + "type": "object" + }, "AWS::QuickSight::Template.AttributeAggregationFunction": { "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -192793,6 +199843,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -192802,7 +199854,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Template.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Template.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Template.ColumnIdentifier", 
@@ -193562,12 +200616,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -194012,6 +201072,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -194021,7 +201083,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Template.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Template.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", 
@@ -194283,7 +201347,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -194590,7 +201656,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.ListControlSelectAllOptions", @@ -195253,6 +202321,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -195385,6 +202455,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { 
@@ -197141,10 +204213,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -197153,10 +204229,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" 
@@ -197179,10 +204259,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Template.KPIPrimaryValueConditionalFormatting", @@ -197282,7 +204366,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Template.TrendArrowOptions", @@ -197290,7 +204376,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" 
@@ -197340,15 +204428,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -197411,7 +204507,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -197420,6 +204518,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -197871,7 +204971,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.ListControlSearchOptions", @@ -199489,6 +206591,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { 
@@ -199512,9 +206616,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -199550,9 +206658,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -199688,6 +206800,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -200029,7 +207143,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, 
@@ -200039,6 +207153,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -200165,7 +207281,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -200303,6 +207421,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -200890,9 +208010,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -201114,7 +208238,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", 
@@ -201128,9 +208254,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -201155,10 +208285,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -201308,6 +208442,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { 
@@ -201639,18 +208775,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -201749,6 +208887,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -201829,6 +208969,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -202070,6 +209212,11 @@ "title": "FilterGroups", "type": "array" }, + "Options": { + "$ref": "#/definitions/AWS::QuickSight::Template.AssetOptions", + "markdownDescription": "An array of option definitions for a template.", + "title": "Options" + }, "ParameterDeclarations": { "items": { "$ref": "#/definitions/AWS::QuickSight::Template.ParameterDeclaration" 
@@ -202096,7 +209243,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.TextControlPlaceholderOptions", @@ -202147,7 +209296,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.TextControlPlaceholderOptions", @@ -202228,12 +209379,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Template.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Template.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", 
@@ -202241,7 +209394,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -202560,6 +209713,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, @@ -202569,10 +209724,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -202603,6 +209762,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -202838,6 +209999,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be created or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, 
@@ -203626,7 +210789,7 @@ "additionalProperties": false, "properties": { "FontFamily": { - "markdownDescription": "", + "markdownDescription": "Determines the font family settings.", "title": "FontFamily", "type": "string" } @@ -203824,7 +210987,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Theme.Font" }, - "markdownDescription": "", + "markdownDescription": "Determines the list of font families.", "title": "FontFamilies", "type": "array" } @@ -204457,6 +211620,8 @@ "type": "boolean" }, "NonAdditive": { + "markdownDescription": "The non additive for the table style target.", + "title": "NonAdditive", "type": "boolean" }, "NotAllowedAggregations": { @@ -204535,7 +211700,7 @@ "additionalProperties": false, "properties": { "Aggregation": { - "markdownDescription": "The type of aggregation that is performed on the column data when it's queried. Valid values for this structure are `SUM` , `MAX` , `MIN` , `COUNT` , `DISTINCT_COUNT` , and `AVERAGE` .", + "markdownDescription": "The type of aggregation that is performed on the column data when it's queried.", "title": "Aggregation", "type": "string" }, @@ -204604,6 +211769,8 @@ "type": "boolean" }, "NonAdditive": { + "markdownDescription": "The non additive value for the column.", + "title": "NonAdditive", "type": "boolean" }, "NotAllowedAggregations": { @@ -205150,6 +212317,8 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "Sources", "type": "array" }, "Tags": { 
@@ -205433,6 +212602,11 @@ "title": "EnableCloudwatchLogsExports", "type": "array" }, + "EnableGlobalWriteForwarding": { + "markdownDescription": "Specifies whether to enable this DB cluster to forward write operations to the primary cluster of a global cluster (Aurora global database). By default, write operations are not allowed on Aurora DB clusters that are secondary clusters in an Aurora global database.\n\nYou can set this value only on Aurora DB clusters that are members of an Aurora global database. With this parameter enabled, a secondary cluster can forward writes to the current primary cluster, and the resulting changes are replicated back to this cluster. For the primary DB cluster of an Aurora global database, this value is used immediately if the primary is demoted by a global cluster API operation, but it does nothing until then.\n\nValid for Cluster Type: Aurora DB clusters only", + "title": "EnableGlobalWriteForwarding", + "type": "boolean" + }, "EnableHttpEndpoint": { "markdownDescription": "A value that indicates whether to enable the HTTP endpoint for an Aurora Serverless DB cluster. By default, the HTTP endpoint is disabled.\n\nWhen enabled, the HTTP endpoint provides a connectionless web service API for running SQL queries on the Aurora Serverless DB cluster. You can also query your database from inside the RDS console with the query editor.\n\nFor more information, see [Using the Data API for Aurora Serverless](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html) in the *Amazon Aurora User Guide* .\n\nValid for: Aurora DB clusters only", "title": "EnableHttpEndpoint", 
@@ -205469,7 +212643,7 @@ "type": "number" }, "KmsKeyId": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nIf you create a read replica of an encrypted DB cluster in another AWS Region, make sure to set `KmsKeyId` to a KMS key identifier that is valid in the destination AWS Region. This KMS key is used to encrypt the read replica in that AWS Region.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "title": "KmsKeyId", "type": "string" }, 
@@ -205549,7 +212723,7 @@ "type": "string" }, "RestoreToTime": { - "markdownDescription": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "markdownDescription": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nThis property must be used with `SourceDBClusterIdentifier` property. The resulting cluster will have the identifier that matches the value of the `DBclusterIdentifier` property.\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "title": "RestoreToTime", "type": "string" }, 
@@ -205589,7 +212763,7 @@ "type": "boolean" }, "StorageType": { - "markdownDescription": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`", + "markdownDescription": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . 
For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`\n\n> When you create an Aurora DB cluster with the storage type set to `aurora-iopt1` , the storage type is returned in the response. The storage type isn't returned when you set it to `aurora` .", "title": "StorageType", "type": "string" }, @@ -205703,7 +212877,7 @@ "additionalProperties": false, "properties": { "AutoPause": { - "markdownDescription": "A value that indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", + "markdownDescription": "Indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", "title": "AutoPause", "type": "boolean" }, 
@@ -205879,7 +213053,7 @@ "additionalProperties": false, "properties": { "AllocatedStorage": { - "markdownDescription": "The amount of storage in gibibytes (GiB) to be initially allocated for the database instance.\n\n> If any value is set in the `Iops` parameter, `AllocatedStorage` must be at least 100 GiB, which corresponds to the minimum Iops value of 1,000. If you increase the `Iops` value (in 1,000 IOPS increments), then you must also increase the `AllocatedStorage` value (in 100-GiB increments). \n\n*Amazon Aurora*\n\nNot applicable. Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume.\n\n*MySQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*MariaDB*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*PostgreSQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*Oracle*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 10 to 3072.\n\n*SQL 
Server*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Provisioned IOPS storage (io1):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Magnetic storage (standard):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 1024.\n- Web and Express editions: Must be an integer from 20 to 1024.", + "markdownDescription": "The amount of storage in gibibytes (GiB) to be initially allocated for the database instance.\n\n> If any value is set in the `Iops` parameter, `AllocatedStorage` must be at least 100 GiB, which corresponds to the minimum Iops value of 1,000. If you increase the `Iops` value (in 1,000 IOPS increments), then you must also increase the `AllocatedStorage` value (in 100-GiB increments). \n\n*Amazon Aurora*\n\nNot applicable. 
Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume.\n\n*Db2*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp3): Must be an integer from 20 to 64000.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 64000.\n\n*MySQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*MariaDB*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*PostgreSQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*Oracle*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 10 to 3072.\n\n*SQL Server*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Provisioned IOPS storage (io1):\n\n- 
Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Magnetic storage (standard):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 1024.\n- Web and Express editions: Must be an integer from 20 to 1024.", "title": "AllocatedStorage", "type": "string" }, @@ -205902,6 +213076,8 @@ "type": "boolean" }, "AutomaticBackupReplicationRegion": { + "markdownDescription": "The destination region for the backup replication of the DB instance. For more info, see [Replicating automated backups to another AWS Region](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReplicateBackups.html) in the *Amazon RDS User Guide* .", + "title": "AutomaticBackupReplicationRegion", "type": "string" }, "AvailabilityZone": { 
@@ -205965,7 +213141,7 @@ "type": "string" }, "DBName": { - "markdownDescription": "The meaning of this parameter differs according to the database engine you use.\n\n> If you specify the `[DBSnapshotIdentifier](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier)` property, this property only applies to RDS for Oracle. \n\n*Amazon Aurora*\n\nNot applicable. The database name is managed by the DB cluster.\n\n*MySQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*MariaDB*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*PostgreSQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, the default `postgres` database is created in the DB instance.\n\nConstraints:\n\n- Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9).\n- Must contain 1 to 63 characters.\n- Can't be a word reserved by the specified database engine\n\n*Oracle*\n\nThe Oracle System ID (SID) of the created DB instance. If you specify `null` , the default value `ORCL` is used. You can't specify the string NULL, or any other reserved word, for `DBName` .\n\nDefault: `ORCL`\n\nConstraints:\n\n- Can't be longer than 8 characters\n\n*SQL Server*\n\nNot applicable. 
Must be null.", + "markdownDescription": "The meaning of this parameter differs according to the database engine you use.\n\n> If you specify the `[DBSnapshotIdentifier](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier)` property, this property only applies to RDS for Oracle. \n\n*Amazon Aurora*\n\nNot applicable. The database name is managed by the DB cluster.\n\n*Db2*\n\nThe name of the database to create when the DB instance is created. If this parameter isn't specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9).\n- Can't be a word reserved by the specified database engine.\n\n*MySQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*MariaDB*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.\n\nConstraints:\n\n- Must contain 1 to 64 letters or numbers.\n- Can't be a word reserved by the specified database engine\n\n*PostgreSQL*\n\nThe name of the database to create when the DB instance is created. If this parameter is not specified, the default `postgres` database is created in the DB instance.\n\nConstraints:\n\n- Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0-9).\n- Must contain 1 to 63 characters.\n- Can't be a word reserved by the specified database engine\n\n*Oracle*\n\nThe Oracle System ID (SID) of the created DB instance. If you specify `null` , the default value `ORCL` is used. 
You can't specify the string NULL, or any other reserved word, for `DBName` .\n\nDefault: `ORCL`\n\nConstraints:\n\n- Can't be longer than 8 characters\n\n*SQL Server*\n\nNot applicable. Must be null.", "title": "DBName", "type": "string" }, @@ -205992,6 +213168,11 @@ "title": "DBSubnetGroupName", "type": "string" }, + "DedicatedLogVolume": { + "markdownDescription": "Indicates whether the DB instance has a dedicated log volume (DLV) enabled.", + "title": "DedicatedLogVolume", + "type": "boolean" + }, "DeleteAutomatedBackups": { "markdownDescription": "A value that indicates whether to remove automated backups immediately after the DB instance is deleted. This parameter isn't case-sensitive. The default is to remove automated backups immediately after the DB instance is deleted.\n\n*Amazon Aurora*\n\nNot applicable. When you delete a DB cluster, all automated backups for that DB cluster are deleted and can't be recovered. Manual DB cluster snapshots of the DB cluster are not deleted.", "title": "DeleteAutomatedBackups", 
@@ -206003,20 +213184,26 @@ "type": "boolean" }, "Domain": { - "markdownDescription": "The Active Directory directory ID to create the DB instance in. Currently, only Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain.\n\nFor more information, see [Kerberos Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html) in the *Amazon RDS User Guide* .", + "markdownDescription": "The Active Directory directory ID to create the DB instance in. Currently, only Db2, MySQL, Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain.\n\nFor more information, see [Kerberos Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html) in the *Amazon RDS User Guide* .", "title": "Domain", "type": "string" }, "DomainAuthSecretArn": { + "markdownDescription": "The ARN for the Secrets Manager secret with the credentials for the user joining the domain.\n\nExample: `arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456`", + "title": "DomainAuthSecretArn", "type": "string" }, "DomainDnsIps": { "items": { "type": "string" }, + "markdownDescription": "The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers.\n\nConstraints:\n\n- Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list.\n\nExample: `123.124.125.126,234.235.236.237`", + "title": "DomainDnsIps", "type": "array" }, "DomainFqdn": { + "markdownDescription": "The fully qualified domain name (FQDN) of an Active Directory domain.\n\nConstraints:\n\n- Can't be longer than 64 characters.\n\nExample: `mymanagedADtest.mymanagedAD.mydomain`", + "title": "DomainFqdn", "type": "string" }, "DomainIAMRoleName": { 
@@ -206025,13 +213212,15 @@ "type": "string" }, "DomainOu": { + "markdownDescription": "The Active Directory organizational unit for your DB instance to join.\n\nConstraints:\n\n- Must be in the distinguished name format.\n- Can't be longer than 64 characters.\n\nExample: `OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain`", + "title": "DomainOu", "type": "string" }, "EnableCloudwatchLogsExports": { "items": { "type": "string" }, - "markdownDescription": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", + "markdownDescription": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. 
CloudWatch Logs exports are managed by the DB cluster.\n\n*Db2*\n\nValid values: `diag.log` , `notify.log`\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace` , `oemagent`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", "title": "EnableCloudwatchLogsExports", "type": "array" }, 
@@ -206051,17 +213240,17 @@ "title": "Endpoint" }, "Engine": { - "markdownDescription": "The name of the database engine that you want to use for this DB instance.\n\n> When you are creating a DB instance, the `Engine` property is required. \n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", + "markdownDescription": "The name of the database engine that you want to use for this DB instance.\n\nNot every database engine is available in every AWS Region.\n\n> When you are creating a DB instance, the `Engine` property is required. 
\n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `db2-ae`\n- `db2-se`\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", "title": "Engine", "type": "string" }, "EngineVersion": { - "markdownDescription": "The version number of the database engine to use.\n\nFor a list of valid engine versions, use the `DescribeDBEngineVersions` action.\n\nThe following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region.\n\n*Amazon Aurora*\n\nNot applicable. 
The version number of the database engine to be used by the DB instance is managed by the DB cluster.\n\n*MariaDB*\n\nSee [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Microsoft SQL Server*\n\nSee [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSupport) in the *Amazon RDS User Guide.*\n\n*MySQL*\n\nSee [MySQL on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Oracle*\n\nSee [Oracle Database Engine Release Notes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.PatchComposition.html) in the *Amazon RDS User Guide.*\n\n*PostgreSQL*\n\nSee [Supported PostgreSQL Database Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.DBVersions) in the *Amazon RDS User Guide.*", + "markdownDescription": "The version number of the database engine to use.\n\nFor a list of valid engine versions, use the `DescribeDBEngineVersions` action.\n\nThe following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region.\n\n*Amazon Aurora*\n\nNot applicable. 
The version number of the database engine to be used by the DB instance is managed by the DB cluster.\n\n*Db2*\n\nSee [Amazon RDS for Db2](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Db2.html#Db2.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*MariaDB*\n\nSee [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Microsoft SQL Server*\n\nSee [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSupport) in the *Amazon RDS User Guide.*\n\n*MySQL*\n\nSee [MySQL on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Oracle*\n\nSee [Oracle Database Engine Release Notes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.PatchComposition.html) in the *Amazon RDS User Guide.*\n\n*PostgreSQL*\n\nSee [Supported PostgreSQL Database Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.DBVersions) in the *Amazon RDS User Guide.*", "title": "EngineVersion", "type": "string" }, "Iops": { - "markdownDescription": "The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000.\n\nIf you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GiB of storage (a ratio of 5:1), or specify 2000 IOPS with 200 GiB of storage (a ratio of 10:1). 
For more information, see [Amazon RDS Provisioned IOPS Storage to Improve Performance](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide* .\n\n> If you specify `io1` for the `StorageType` property, then you must also specify the `Iops` property.", + "markdownDescription": "The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000.\n\nIf you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GiB of storage (a ratio of 5:1), or specify 2000 IOPS with 200 GiB of storage (a ratio of 10:1). For more information, see [Amazon RDS Provisioned IOPS Storage to Improve Performance](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide* .\n\n> If you specify `io1` for the `StorageType` property, then you must also specify the `Iops` property. \n\nConstraints:\n\n- For RDS for Db2, MariaDB, MySQL, Oracle, and PostgreSQL - Must be a multiple between .5 and 50 of the storage amount for the DB instance.\n- For RDS for SQL Server - Must be a multiple between 1 and 50 of the storage amount for the DB instance.", "title": "Iops", "type": "number" }, 
@@ -206071,7 +213260,7 @@ "type": "string" }, "LicenseModel": { - "markdownDescription": "License model information for this DB instance.\n\nValid values:\n\n- Aurora MySQL - `general-public-license`\n- Aurora PostgreSQL - `postgresql-license`\n- MariaDB - `general-public-license`\n- Microsoft SQL Server - `license-included`\n- MySQL - `general-public-license`\n- Oracle - `bring-your-own-license` or `license-included`\n- PostgreSQL - `postgresql-license`\n\n> If you've specified `DBSecurityGroups` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability.", + "markdownDescription": "License model information for this DB instance.\n\nValid Values:\n\n- Aurora MySQL - `general-public-license`\n- Aurora PostgreSQL - `postgresql-license`\n- RDS for Db2 - `bring-your-own-license` . For more information about RDS for Db2 licensing, see [](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-licensing.html) in the *Amazon RDS User Guide.*\n- RDS for MariaDB - `general-public-license`\n- RDS for Microsoft SQL Server - `license-included`\n- RDS for MySQL - `general-public-license`\n- RDS for Oracle - `bring-your-own-license` or `license-included`\n- RDS for PostgreSQL - `postgresql-license`\n\n> If you've specified `DBSecurityGroups` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability.", "title": "LicenseModel", "type": "string" }, 
@@ -206081,7 +213270,7 @@ "type": "boolean" }, "MasterUserPassword": { - "markdownDescription": "The password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".\n\n*Amazon Aurora*\n\nNot applicable. The password for the master user is managed by the DB cluster.\n\n*MariaDB*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*Microsoft SQL Server*\n\nConstraints: Must contain from 8 to 128 characters.\n\n*MySQL*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*Oracle*\n\nConstraints: Must contain from 8 to 30 characters.\n\n*PostgreSQL*\n\nConstraints: Must contain from 8 to 128 characters.", + "markdownDescription": "The password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".\n\n*Amazon Aurora*\n\nNot applicable. The password for the master user is managed by the DB cluster.\n\n*RDS for Db2*\n\nMust contain from 8 to 255 characters.\n\n*RDS for MariaDB*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*RDS for Microsoft SQL Server*\n\nConstraints: Must contain from 8 to 128 characters.\n\n*RDS for MySQL*\n\nConstraints: Must contain from 8 to 41 characters.\n\n*RDS for Oracle*\n\nConstraints: Must contain from 8 to 30 characters.\n\n*RDS for PostgreSQL*\n\nConstraints: Must contain from 8 to 128 characters.", "title": "MasterUserPassword", "type": "string" }, 
@@ -206091,7 +213280,7 @@ "title": "MasterUserSecret" }, "MasterUsername": { - "markdownDescription": "The master user name for the DB instance.\n\n> If you specify the `SourceDBInstanceIdentifier` or `DBSnapshotIdentifier` property, don't specify this property. The value is inherited from the source DB instance or snapshot. \n\n*Amazon Aurora*\n\nNot applicable. The name for the master user is managed by the DB cluster.\n\n*MariaDB*\n\nConstraints:\n\n- Required for MariaDB.\n- Must be 1 to 16 letters or numbers.\n- Can't be a reserved word for the chosen database engine.\n\n*Microsoft SQL Server*\n\nConstraints:\n\n- Required for SQL Server.\n- Must be 1 to 128 letters or numbers.\n- The first character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*MySQL*\n\nConstraints:\n\n- Required for MySQL.\n- Must be 1 to 16 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*Oracle*\n\nConstraints:\n\n- Required for Oracle.\n- Must be 1 to 30 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*PostgreSQL*\n\nConstraints:\n\n- Required for PostgreSQL.\n- Must be 1 to 63 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.", + "markdownDescription": "The master user name for the DB instance.\n\n> If you specify the `SourceDBInstanceIdentifier` or `DBSnapshotIdentifier` property, don't specify this property. The value is inherited from the source DB instance or snapshot.\n> \n> When migrating a self-managed Db2 database, we recommend that you use the same master username as your self-managed Db2 instance name. \n\n*Amazon Aurora*\n\nNot applicable. 
The name for the master user is managed by the DB cluster.\n\n*RDS for Db2*\n\nConstraints:\n\n- Must be 1 to 16 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for MariaDB*\n\nConstraints:\n\n- Must be 1 to 16 letters or numbers.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for Microsoft SQL Server*\n\nConstraints:\n\n- Must be 1 to 128 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for MySQL*\n\nConstraints:\n\n- Must be 1 to 16 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for Oracle*\n\nConstraints:\n\n- Must be 1 to 30 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.\n\n*RDS for PostgreSQL*\n\nConstraints:\n\n- Must be 1 to 63 letters or numbers.\n- First character must be a letter.\n- Can't be a reserved word for the chosen database engine.", "title": "MasterUsername", "type": "string" }, @@ -206141,7 +213330,7 @@ "type": "number" }, "Port": { - "markdownDescription": "The port number on which the database accepts connections.\n\n*Amazon Aurora*\n\nNot applicable. The port number is managed by the DB cluster.", + "markdownDescription": "The port number on which the database accepts connections.\n\n*Amazon Aurora*\n\nNot applicable. The port number is managed by the DB cluster.\n\n*Db2*\n\nDefault value: `50000`", "title": "Port", "type": "string" }, 
@@ -206179,7 +213368,7 @@ "type": "string" }, "RestoreTime": { - "markdownDescription": "The date and time to restore from.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n\nExample: `2009-09-07T23:45:00Z`", + "markdownDescription": "The date and time to restore from.\n\nConstraints:\n\n- Must be a time in Universal Coordinated Time (UTC) format.\n- Must be before the latest restorable time for the DB instance.\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled.\n\nExample: `2009-09-07T23:45:00Z`", "title": "RestoreTime", "type": "string" }, @@ -206189,7 +213378,7 @@ "type": "string" }, "SourceDBInstanceAutomatedBackupsArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:useast-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", + "markdownDescription": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:us-east-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", "title": "SourceDBInstanceAutomatedBackupsArn", "type": "string" }, 
@@ -206209,7 +213398,7 @@ "type": "string" }, "StorageEncrypted": { - "markdownDescription": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", + "markdownDescription": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. 
Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", "title": "StorageEncrypted", "type": "boolean" }, @@ -206242,7 +213431,7 @@ "type": "boolean" }, "UseLatestRestorableTime": { - "markdownDescription": "A value that indicates whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints: Can't be specified if the `RestoreTime` parameter is provided.", + "markdownDescription": "Specifies whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints:\n\n- Can't be specified if the `RestoreTime` parameter is provided.", "title": "UseLatestRestorableTime", "type": "boolean" }, 
@@ -206417,7 +213606,7 @@ "type": "string" }, "Parameters": { - "markdownDescription": "An array of parameter names and values for the parameter update. At least one parameter name and value must be supplied. Subsequent arguments are optional.\n\nFor more information about DB parameters and DB parameter groups for Amazon RDS DB engines, see [Working with DB Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide* .\n\nFor more information about DB cluster and DB instance parameters and parameter groups for Amazon Aurora DB engines, see [Working with DB Parameter Groups and DB Cluster Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide* .\n\n> AWS CloudFormation doesn't support specifying an apply method for each individual parameter. The default apply method for each parameter is used.", + "markdownDescription": "An array of parameter names and values for the parameter update. At least one parameter name and value must be supplied. Subsequent arguments are optional.\n\nRDS for Db2 requires you to bring your own Db2 license. 
You must enter your IBM customer ID ( `rds.ibm_customer_id` ) and site number ( `rds.ibm_site_id` ) before starting a Db2 instance.\n\nFor more information about DB parameters and DB parameter groups for Amazon RDS DB engines, see [Working with DB Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide* .\n\nFor more information about DB cluster and DB instance parameters and parameter groups for Amazon Aurora DB engines, see [Working with DB Parameter Groups and DB Cluster Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide* .\n\n> AWS CloudFormation doesn't support specifying an apply method for each individual parameter. The default apply method for each parameter is used.", "title": "Parameters", "type": "object" }, 
@@ -206506,12 +213695,12 @@ "type": "string" }, "DebugLogging": { - "markdownDescription": "Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", + "markdownDescription": "Specifies whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", "title": "DebugLogging", "type": "boolean" }, "EngineFamily": { - "markdownDescription": "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify `MYSQL` . For Aurora PostgreSQL and RDS for PostgreSQL databases, specify `POSTGRESQL` . For RDS for Microsoft SQL Server, specify `SQLSERVER` .\n\n*Valid values* : `MYSQL` | `POSTGRESQL` | `SQLSERVER`", + "markdownDescription": "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify `MYSQL` . 
For Aurora PostgreSQL and RDS for PostgreSQL databases, specify `POSTGRESQL` . For RDS for Microsoft SQL Server, specify `SQLSERVER` .\n\n*Valid Values* : `MYSQL` | `POSTGRESQL` | `SQLSERVER`", "title": "EngineFamily", "type": "string" }, @@ -206521,7 +213710,7 @@ "type": "number" }, "RequireTLS": { - "markdownDescription": "A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", + "markdownDescription": "Specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", "title": "RequireTLS", "type": "boolean" }, @@ -206849,7 +214038,7 @@ "additionalProperties": false, "properties": { "ConnectionBorrowTimeout": { - "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: 120\n\nConstraints: between 1 and 3600, or 0 representing unlimited", + "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. For an unlimited wait time, specify `0` .\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 3600.", "title": "ConnectionBorrowTimeout", "type": "number" }, 
@@ -206859,12 +214048,12 @@ "type": "string" }, "MaxConnectionsPercent": { - "markdownDescription": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: 10 for RDS for Microsoft SQL Server, and 100 for all other engines\n\nConstraints: Must be between 1 and 100.", + "markdownDescription": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: `10` for RDS for Microsoft SQL Server, and `100` for all other engines\n\nConstraints:\n\n- Must be between 1 and 100.", "title": "MaxConnectionsPercent", "type": "number" }, "MaxIdleConnectionsPercent": { - "markdownDescription": "Controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. 
If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is 5, and for all other engines, the default is 50.\n\nConstraints: Must be between 0 and the value of `MaxConnectionsPercent` .", + "markdownDescription": "A value that controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is `5` , and for all other engines, the default is `50` .\n\nConstraints:\n\n- Must be between 0 and the value of `MaxConnectionsPercent` .", "title": "MaxIdleConnectionsPercent", "type": "number" }, @@ -207206,7 +214395,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "A value that indicates whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", + "markdownDescription": "Specifies whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", "title": "Enabled", "type": "boolean" }, 
@@ -207975,7 +215164,7 @@ "type": "number" }, "MasterUserPassword": { - "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", + "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nYou can't use `MasterUserPassword` if `ManageMasterPassword` is `true` .\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", "title": "MasterUserPassword", "type": "string" }, @@ -207984,6 +215173,11 @@ "title": "MasterUsername", "type": "string" }, + "MultiAZ": { + "markdownDescription": "A boolean indicating whether Amazon Redshift should deploy the cluster in two Availability Zones. The default is false.", + "title": "MultiAZ", + "type": "boolean" + }, "NodeType": { "markdownDescription": "The node type to be provisioned for the cluster. For information about node types, go to [Working with Clusters](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes) in the *Amazon Redshift Cluster Management Guide* .\n\nValid Values: `ds2.xlarge` | `ds2.8xlarge` | `dc1.large` | `dc1.8xlarge` | `dc2.large` | `dc2.8xlarge` | `ra3.xlplus` | `ra3.4xlarge` | `ra3.16xlarge`", "title": "NodeType", 
@@ -208015,7 +215209,7 @@ "type": "boolean" }, "ResourceAction": { - "markdownDescription": "The Amazon Redshift operation to be performed. Supported operations are `pause-cluster` and `resume-cluster` .", + "markdownDescription": "The Amazon Redshift operation to be performed. Supported operations are `pause-cluster` , `resume-cluster` , and `failover-primary-compute` .", "title": "ResourceAction", "type": "string" }, @@ -209451,7 +216645,7 @@ "items": { "$ref": "#/definitions/AWS::RedshiftServerless::Workgroup.ConfigParameter" }, - "markdownDescription": "An array of parameters to set for advanced control over a database. The options are `auto_mv` , `datestyle` , `enable_case_sensitivity_identifier` , `enable_user_activity_logging` , `query_group` , , `search_path` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", + "markdownDescription": "An array of parameters to set for advanced control over a database. The options are `auto_mv` , `datestyle` , `enable_case_sensitive_identifier` , `enable_user_activity_logging` , `query_group` , `search_path` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", "title": "ConfigParameters", "type": "array" }, 
@@ -210484,12 +217678,12 @@ "type": "string" }, "AppTemplateBody": { - "markdownDescription": "A JSON string that provides information about your application structure. To learn more about the `appTemplateBody` template, see the sample template provided in the *Examples* section.\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nThe name of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. 
If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nThe name of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. 
\n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", + "markdownDescription": "A JSON string that provides information about your application structure. 
To learn more about the `appTemplateBody` template, see the sample template in [Sample appTemplateBody template](https://docs.aws.amazon.com//resilience-hub/latest/APIReference/API_PutDraftAppVersionTemplate.html#API_PutDraftAppVersionTemplate_Examples) .\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nIdentifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nName of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. 
If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nName of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. 
\n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", "title": "AppTemplateBody", "type": "string" }, "Description": { - "markdownDescription": "The optional description for an app.", + "markdownDescription": "Optional description for an application.", "title": "Description", "type": "string" }, 
@@ -210497,15 +217691,19 @@ "items": { "$ref": "#/definitions/AWS::ResilienceHub::App.EventSubscription" }, + "markdownDescription": "The list of events you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* and *Scheduled assessment failure* events.", + "title": "EventSubscriptions", "type": "array" }, "Name": { - "markdownDescription": "The name for the application.", + "markdownDescription": "Name for the application.", "title": "Name", "type": "string" }, "PermissionModel": { - "$ref": "#/definitions/AWS::ResilienceHub::App.PermissionModel" + "$ref": "#/definitions/AWS::ResilienceHub::App.PermissionModel", + "markdownDescription": "Defines the roles and credentials that AWS Resilience Hub would use while creating the application, importing its resources, and running an assessment.", + "title": "PermissionModel" }, "ResiliencyPolicyArn": { "markdownDescription": "The Amazon Resource Name (ARN) of the resiliency policy.", @@ -210516,13 +217714,13 @@ "items": { "$ref": "#/definitions/AWS::ResilienceHub::App.ResourceMapping" }, - "markdownDescription": "An array of ResourceMapping objects.", + "markdownDescription": "An array of `ResourceMapping` objects.", "title": "ResourceMappings", "type": "array" }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "markdownDescription": "Tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" 
@@ -210564,12 +217762,18 @@ "additionalProperties": false, "properties": { "EventType": { + "markdownDescription": "The type of event you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* ( `DriftDetected` ) and *Scheduled assessment failure* ( `ScheduledAssessmentFailure` ) events.", + "title": "EventType", "type": "string" }, "Name": { + "markdownDescription": "Unique name to identify an event subscription.", + "title": "Name", "type": "string" }, "SnsTopicArn": { + "markdownDescription": "Amazon Resource Name (ARN) of the Amazon Simple Notification Service topic. The format for this ARN is: `arn:partition:sns:region:account:topic-name` . For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* guide.", + "title": "SnsTopicArn", "type": "string" } }, 
@@ -210586,12 +217790,18 @@ "items": { "type": "string" }, + "markdownDescription": "Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts. These ARNs are used for querying purposes while importing resources and assessing your application.\n\n> - These ARNs are required only when your resources are in other accounts and you have different role name in these accounts. Else, the invoker role name will be used in the other accounts.\n> - These roles must have a trust policy with `iam:AssumeRole` permission to the invoker role in the primary account.", + "title": "CrossAccountRoleArns", "type": "array" }, "InvokerRoleName": { + "markdownDescription": "Existing AWS IAM role name in the primary AWS account that will be assumed by AWS Resilience Hub Service Principle to obtain a read-only access to your application resources while running an assessment.\n\n> - You must have `iam:passRole` permission for this role while creating or updating the application.\n> - Currently, `invokerRoleName` accepts only `[A-Za-z0-9_+=,.@-]` characters.", + "title": "InvokerRoleName", "type": "string" }, "Type": { + "markdownDescription": "Defines how AWS Resilience Hub scans your resources. It can scan for the resources by using a pre-existing role in your AWS account, or by using the credentials of the current IAM user.", + "title": "Type", "type": "string" } }, @@ -210614,7 +217824,7 @@ "type": "string" }, "Identifier": { - "markdownDescription": "The identifier of the physical resource.", + "markdownDescription": "Identifier of the physical resource.", "title": "Identifier", "type": "string" }, 
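Review bot: The added `CrossAccountRoleArns` description tells readers the cross-account roles need a trust policy with `iam:AssumeRole`, but that is not an IAM action; a role trust policy grants `sts:AssumeRole`. Anyone copying the text into a policy gets a statement that never permits the assumption, which tends to be "fixed" by over-broadening the trust. Suggested wording: `These roles must have a trust policy that grants sts:AssumeRole to the invoker role in the primary account.` The `InvokerRoleName` description in the same hunk also writes "Service Principle" where "service principal" is meant. These strings look synced from upstream documentation, so the correction probably belongs at the source rather than in this file.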
@@ -210634,32 +217844,32 @@ "additionalProperties": false, "properties": { "EksSourceName": { - "markdownDescription": "", + "markdownDescription": "Name of the Amazon Elastic Kubernetes Service cluster and namespace that this resource is mapped to when the `mappingType` is `EKS` .\n\n> This parameter accepts values in \"eks-cluster/namespace\" format.", "title": "EksSourceName", "type": "string" }, "LogicalStackName": { - "markdownDescription": "The name of the CloudFormation stack this resource is mapped to.", + "markdownDescription": "Name of the AWS CloudFormation stack this resource is mapped to when the `mappingType` is `CfnStack` .", "title": "LogicalStackName", "type": "string" }, "MappingType": { - "markdownDescription": "Specifies the type of resource mapping.\n\nValid Values: CfnStack | Resource | AppRegistryApp | ResourceGroup | Terraform\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a CloudFormation stack. The name of the CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to a resource group. 
The name of the resource group is contained in the `resourceGroupName` property.", + "markdownDescription": "Specifies the type of resource mapping.", "title": "MappingType", "type": "string" }, "PhysicalResourceId": { "$ref": "#/definitions/AWS::ResilienceHub::App.PhysicalResourceId", - "markdownDescription": "The identifier of this resource.", + "markdownDescription": "Identifier of the physical resource.", "title": "PhysicalResourceId" }, "ResourceName": { - "markdownDescription": "The name of the resource this resource is mapped to.", + "markdownDescription": "Name of the resource that this resource is mapped to when the `mappingType` is `Resource` .", "title": "ResourceName", "type": "string" }, "TerraformSourceName": { - "markdownDescription": "The short name of the Terraform source.", + "markdownDescription": "Name of the Terraform source that this resource is mapped to when the `mappingType` is `Terraform` .", "title": "TerraformSourceName", "type": "string" } @@ -210733,7 +217943,7 @@ }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "markdownDescription": "Tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -210780,12 +217990,12 @@ "additionalProperties": false, "properties": { "RpoInSecs": { - "markdownDescription": "The Recovery Point Objective (RPO), in seconds.", + "markdownDescription": "Recovery Point Objective (RPO) in seconds.", "title": "RpoInSecs", "type": "number" }, "RtoInSecs": { - "markdownDescription": "The Recovery Time Objective (RTO), in seconds.", + "markdownDescription": "Recovery Time Objective (RTO) in seconds.", "title": "RtoInSecs", "type": "number" } 
@@ -210977,7 +218187,7 @@ "additionalProperties": false, "properties": { "Filters": { - "$ref": "#/definitions/AWS::ResourceExplorer2::View.Filters", + "$ref": "#/definitions/AWS::ResourceExplorer2::View.SearchFilter", "markdownDescription": "An array of strings that include search keywords, prefixes, and operators that filter the results that are returned for queries made using this view. When you use this view in a [Search](https://docs.aws.amazon.com/resource-explorer/latest/apireference/API_Search.html) operation, the filter string is combined with the search's `QueryString` parameter using a logical `AND` operator.\n\nFor information about the supported syntax, see [Search query reference for Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html) in the *AWS Resource Explorer User Guide* .\n\n> This query string in the context of this operation supports only [filter prefixes](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-filters) with optional [operators](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-operators) . It doesn't support free-form text. For example, the string `region:us* service:ec2 -tag:stage=prod` includes all Amazon EC2 resources in any AWS Region that begin with the letters `us` and are *not* tagged with a key `Stage` that has the value `prod` .", "title": "Filters" }, @@ -210989,6 +218199,11 @@ "title": "IncludedProperties", "type": "array" }, + "Scope": { + "markdownDescription": "The root ARN of the account, an organizational unit (OU), or an organization ARN. If left empty, the default is account.", + "title": "Scope", + "type": "string" + }, "Tags": { "additionalProperties": true, "markdownDescription": "Tag key and value pairs that are attached to the view.", 
@@ -211032,31 +218247,31 @@ ], "type": "object" }, - "AWS::ResourceExplorer2::View.Filters": { + "AWS::ResourceExplorer2::View.IncludedProperty": { "additionalProperties": false, "properties": { - "FilterString": { - "markdownDescription": "", - "title": "FilterString", + "Name": { + "markdownDescription": "The name of the property that is included in this view.", + "title": "Name", "type": "string" } }, "required": [ - "FilterString" + "Name" ], "type": "object" }, - "AWS::ResourceExplorer2::View.IncludedProperty": { + "AWS::ResourceExplorer2::View.SearchFilter": { "additionalProperties": false, "properties": { - "Name": { - "markdownDescription": "The name of the property that is included in this view.", - "title": "Name", + "FilterString": { + "markdownDescription": "The string that contains the search keywords, prefixes, and operators to control the results that can be returned by a Search operation.\n\nFor information about the supported syntax, see [Search query reference](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html) in the *AWS Resource Explorer User Guide* .\n\n> This query string in the context of this operation supports only [filter prefixes](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-filters) with optional [operators](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html#query-syntax-operators) . It doesn't support free-form text. For example, the string `region:us* service:ec2 -tag:stage=prod` includes all Amazon EC2 resources in any AWS Region that begin with the letters `us` and are *not* tagged with a key `Stage` that has the value `prod` .", + "title": "FilterString", "type": "string" } }, "required": [ - "Name" + "FilterString" ], "type": "object" }, 
@@ -211951,17 +219166,17 @@ "additionalProperties": false, "properties": { "CrlData": { - "markdownDescription": "The x509 v3 specified certificate revocation list (CRL).", + "markdownDescription": "", "title": "CrlData", "type": "string" }, "Enabled": { - "markdownDescription": "Specifies whether the certificate revocation list (CRL) is enabled.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" }, "Name": { - "markdownDescription": "The name of the certificate revocation list (CRL).", + "markdownDescription": "", "title": "Name", "type": "string" }, @@ -211969,7 +219184,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A list of tags to attach to the certificate revocation list (CRL).", + "markdownDescription": "", "title": "Tags", "type": "array" }, @@ -212042,12 +219257,12 @@ "additionalProperties": false, "properties": { "DurationSeconds": { - "markdownDescription": "Sets the maximum number of seconds that vended temporary credentials through [CreateSession](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html) will be valid for, between 900 and 3600.", + "markdownDescription": "The number of seconds vended session credentials will be valid for", "title": "DurationSeconds", "type": "number" }, "Enabled": { - "markdownDescription": "Indicates whether the profile is enabled.", + "markdownDescription": "The enabled status of the resource.", "title": "Enabled", "type": "boolean" }, 
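Review bot: The new side of the `CrlData`, `Enabled` and `Name` properties replaces working descriptions with `"markdownDescription": ""`, and the following hunk does the same for `Tags`, so editor tooling driven by this schema no longer explains what the certificate revocation list fields do. The next hunk on this line loses information as well: `DurationSeconds` drops the "between 900 and 3600" bound on credential lifetime. The `SessionPolicy` text in the later hunk at -212073 also gains a typo ("will applied"). The previous strings should be kept wherever the regenerated text is empty or less precise, for example `"markdownDescription": "The x509 v3 specified certificate revocation list (CRL)."`. If the file is generated, that argues for a merge step that never overwrites a non-empty description with an empty one.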
@@ -212055,17 +219270,17 @@ "items": { "type": "string" }, - "markdownDescription": "A list of managed policy ARNs that apply to the vended session credentials.", + "markdownDescription": "A list of managed policy ARNs. Managed policies identified by this list will be applied to the vended session credentials.", "title": "ManagedPolicyArns", "type": "array" }, "Name": { - "markdownDescription": "The name of the profile.", + "markdownDescription": "The customer specified name of the resource.", "title": "Name", "type": "string" }, "RequireInstanceProperties": { - "markdownDescription": "Specifies whether instance properties are required in temporary credential requests with this profile.", + "markdownDescription": "Specifies whether instance properties are required in CreateSession requests with this profile.", "title": "RequireInstanceProperties", "type": "boolean" }, @@ -212073,12 +219288,12 @@ "items": { "type": "string" }, - "markdownDescription": "A list of IAM role ARNs. During `CreateSession` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.", + "markdownDescription": "A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.", "title": "RoleArns", "type": "array" }, "SessionPolicy": { - "markdownDescription": "A session policy that applies to the trust boundary of the vended session credentials.", + "markdownDescription": "A session policy that will applied to the trust boundary of the vended session credentials.", "title": "SessionPolicy", "type": "string" }, @@ -212086,7 +219301,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags to attach to the profile.", + "markdownDescription": "A list of Tags.", "title": "Tags", "type": "array" } 
@@ -212167,6 +219382,8 @@ "items": { "$ref": "#/definitions/AWS::RolesAnywhere::TrustAnchor.NotificationSetting" }, + "markdownDescription": "A list of notification settings to be associated to the trust anchor.", + "title": "NotificationSettings", "type": "array" }, "Source": { @@ -212214,15 +219431,23 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge , and AWS Health Dashboard to notify for an event.\n\n> In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.", + "title": "Channel", "type": "string" }, "Enabled": { + "markdownDescription": "Indicates whether the notification setting is enabled.", + "title": "Enabled", "type": "boolean" }, "Event": { + "markdownDescription": "The event to which this notification setting is applied.", + "title": "Event", "type": "string" }, "Threshold": { + "markdownDescription": "The number of days before a notification event. This value is required for a notification setting that is enabled.", + "title": "Threshold", "type": "number" } }, @@ -212237,11 +219462,11 @@ "properties": { "SourceData": { "$ref": "#/definitions/AWS::RolesAnywhere::TrustAnchor.SourceData", - "markdownDescription": "The data field of the trust anchor depending on its type.", + "markdownDescription": "A union object representing the data field of the TrustAnchor depending on its type", "title": "SourceData" }, "SourceType": { - "markdownDescription": "The type of the TrustAnchor.\n\n> `AWS_ACM_PCA` is not an allowed value in your region.", + "markdownDescription": "The type of the TrustAnchor.", "title": "SourceType", "type": "string" } 
@@ -212604,7 +219829,7 @@ "type": "string" }, "RoutingControlArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) for the Route 53 Application Recovery Controller routing control.\n\nFor more information about Route 53 Application Recovery Controller, see [Route 53 Application Recovery Controller Developer Guide.](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route-53-recovery.html) .", "title": "RoutingControlArn", "type": "string" }, 
@@ -212964,7 +220189,7 @@ "type": "boolean" }, "Name": { - "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. 
For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "title": "Name", "type": "string" }, 
@@ -213271,7 +220496,7 @@ "type": "string" }, "HostedZoneId": { - "markdownDescription": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", + "markdownDescription": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .\n\nDo not provide the `HostedZoneId` if it is already defined in `AWS::Route53::RecordSetGroup` . The creation fails if `HostedZoneId` is defined in both.", "title": "HostedZoneId", "type": "string" }, 
@@ -213286,7 +220511,7 @@ "type": "boolean" }, "Name": { - "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. 
For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "title": "Name", "type": "string" }, @@ -213374,7 +220599,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the cluster.", "title": "Tags", "type": "array" } @@ -213470,7 +220695,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the control panel.", "title": "Tags", "type": "array" } 
@@ -213619,7 +220844,7 @@ "title": "AssertionRule" }, "ControlPanelArn": { - "markdownDescription": "The Amazon Resource Name (ARN) for the control panel.", + "markdownDescription": "The Amazon Resource Name (ARN) of the control panel.", "title": "ControlPanelArn", "type": "string" }, @@ -213642,7 +220867,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the safety rule.", "title": "Tags", "type": "array" } @@ -214524,21 +221749,31 @@ "additionalProperties": false, "properties": { "InstanceCount": { + "markdownDescription": "Amazon EC2 instance count for the Resolver on the Outpost.", + "title": "InstanceCount", "type": "number" }, "Name": { + "markdownDescription": "Name of the Resolver.", + "title": "Name", "type": "string" }, "OutpostArn": { + "markdownDescription": "The ARN (Amazon Resource Name) for the Outpost.", + "title": "OutpostArn", "type": "string" }, "PreferredInstanceType": { + "markdownDescription": "The Amazon EC2 instance type. If you specify this, you must also specify a value for the `OutpostArn` .", + "title": "PreferredInstanceType", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "A key value pair that helps you identify a Route\u00a053 Resolver .", + "title": "Tags", "type": "array" } }, 
@@ -214760,15 +221995,23 @@ "type": "string" }, "OutpostArn": { - "markdownDescription": "", + "markdownDescription": "The ARN (Amazon Resource Name) for the Outpost.", "title": "OutpostArn", "type": "string" }, "PreferredInstanceType": { - "markdownDescription": "", + "markdownDescription": "The Amazon EC2 instance type.", "title": "PreferredInstanceType", "type": "string" }, + "Protocols": { + "items": { + "type": "string" + }, + "markdownDescription": "", + "title": "Protocols", + "type": "array" + }, "ResolverEndpointType": { "markdownDescription": "The Resolver endpoint IP address type.", "title": "ResolverEndpointType", @@ -215095,6 +222338,11 @@ "markdownDescription": "The port at `Ip` that you want to forward DNS queries to.", "title": "Port", "type": "string" + }, + "Protocol": { + "markdownDescription": "", + "title": "Protocol", + "type": "string" } }, "type": "object" @@ -215177,7 +222425,7 @@ ], "type": "object" }, - "AWS::S3::AccessPoint": { + "AWS::S3::AccessGrant": { "additionalProperties": false, "properties": { "Condition": { 
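Review bot: The new `Protocols` property, and `Protocol` in the hunk at -215095, are added with `"markdownDescription": ""` and a bare `"type": "string"`, so the schema neither explains nor constrains the accepted values. These fields presumably select the DNS transport for the endpoint and for forwarded queries (plain DNS versus an encrypted variant), a choice template authors should make deliberately. A description stating the accepted values and the default would help, plus an `enum` if the upstream specification provides one. The enclosing property objects start outside these hunks.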
@@ -215212,45 +222460,55 @@ "Properties": { "additionalProperties": false, "properties": { - "Bucket": { - "markdownDescription": "The name of the bucket associated with this access point.", - "title": "Bucket", - "type": "string" + "AccessGrantsLocationConfiguration": { + "$ref": "#/definitions/AWS::S3::AccessGrant.AccessGrantsLocationConfiguration", + "markdownDescription": "The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access. It contains the `S3SubPrefix` field. The grant scope is the result of appending the subprefix to the location scope of the registered location.", + "title": "AccessGrantsLocationConfiguration" }, - "BucketAccountId": { - "markdownDescription": "The AWS account ID associated with the S3 bucket associated with this access point.", - "title": "BucketAccountId", + "AccessGrantsLocationId": { + "markdownDescription": "The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID `default` to the default location `s3://` and assigns an auto-generated ID to other locations that you register.", + "title": "AccessGrantsLocationId", "type": "string" }, - "Name": { - "markdownDescription": "The name of this access point. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.", - "title": "Name", + "ApplicationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of an AWS IAM Identity Center application associated with your Identity Center instance. 
If the grant includes an application ARN, the grantee can only access the S3 data through this application.", + "title": "ApplicationArn", "type": "string" }, - "Policy": { - "markdownDescription": "The access point policy associated with this access point.", - "title": "Policy", - "type": "object" + "Grantee": { + "$ref": "#/definitions/AWS::S3::AccessGrant.Grantee", + "markdownDescription": "The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to AWS IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.", + "title": "Grantee" }, - "PublicAccessBlockConfiguration": { - "$ref": "#/definitions/AWS::S3::AccessPoint.PublicAccessBlockConfiguration", - "markdownDescription": "The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. 
For more information about when Amazon S3 considers a bucket or object public, see [The Meaning of \"Public\"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide* .", - "title": "PublicAccessBlockConfiguration" + "Permission": { + "markdownDescription": "The type of access that you are granting to your S3 data, which can be set to one of the following values:\n\n- `READ` \u2013 Grant read-only access to the S3 data.\n- `WRITE` \u2013 Grant write-only access to the S3 data.\n- `READWRITE` \u2013 Grant both read and write access to the S3 data.", + "title": "Permission", + "type": "string" }, - "VpcConfiguration": { - "$ref": "#/definitions/AWS::S3::AccessPoint.VpcConfiguration", - "markdownDescription": "The Virtual Private Cloud (VPC) configuration for this access point, if one exists.", - "title": "VpcConfiguration" + "S3PrefixType": { + "markdownDescription": "The type of `S3SubPrefix` . The only possible value is `Object` . Pass this value if the access grant scope is an object. Do not pass this value if the access grant scope is a bucket or a bucket and a prefix.", + "title": "S3PrefixType", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The AWS resource tags that you are adding to the access grant. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.", + "title": "Tags", + "type": "array" } }, "required": [ - "Bucket" + "AccessGrantsLocationId", + "Grantee", + "Permission" ], "type": "object" }, "Type": { "enum": [ - "AWS::S3::AccessPoint" + "AWS::S3::AccessGrant" ], "type": "string" }, 
@@ -215269,44 +222527,317 @@ ], "type": "object" }, - "AWS::S3::AccessPoint.PublicAccessBlockConfiguration": { + "AWS::S3::AccessGrant.AccessGrantsLocationConfiguration": { "additionalProperties": false, "properties": { - "BlockPublicAcls": { - "markdownDescription": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", - "title": "BlockPublicAcls", - "type": "boolean" - }, - "BlockPublicPolicy": { - "markdownDescription": "Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.", - "title": "BlockPublicPolicy", - "type": "boolean" - }, - "IgnorePublicAcls": { - "markdownDescription": "Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.\n\nEnabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.", - "title": "IgnorePublicAcls", - "type": "boolean" + "S3SubPrefix": { + "markdownDescription": "The `S3SubPrefix` is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. 
This field is required if the location scope is the default location `s3://` because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location `s3://` , the `S3SubPrefx` can be a `/*` , so the full grant scope path would be `s3:///*` . Or the `S3SubPrefx` can be `/*` , so the full grant scope path would be `s3:///*` .\n\nIf the `S3SubPrefix` includes a prefix, append the wildcard character `*` after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.", + "title": "S3SubPrefix", + "type": "string" + } + }, + "required": [ + "S3SubPrefix" + ], + "type": "object" + }, + "AWS::S3::AccessGrant.Grantee": { + "additionalProperties": false, + "properties": { + "GranteeIdentifier": { + "markdownDescription": "The unique identifier of the `Grantee` . If the grantee type is `IAM` , the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111` . You can obtain this UUID from your AWS IAM Identity Center instance.", + "title": "GranteeIdentifier", + "type": "string" }, - "RestrictPublicBuckets": { - "markdownDescription": "Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to `TRUE` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.\n\nEnabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.", - "title": "RestrictPublicBuckets", - "type": "boolean" + "GranteeType": { + "markdownDescription": "The type of the grantee to which access has been granted. 
It can be one of the following values:\n\n- `IAM` - An IAM user or role.\n- `DIRECTORY_USER` - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.\n- `DIRECTORY_GROUP` - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.", + "title": "GranteeType", + "type": "string" } }, + "required": [ + "GranteeIdentifier", + "GranteeType" + ], "type": "object" }, - "AWS::S3::AccessPoint.VpcConfiguration": { + "AWS::S3::AccessGrantsInstance": { "additionalProperties": false, "properties": { - "VpcId": { - "markdownDescription": "If this field is specified, the access point will only allow connections from the specified VPC ID.", - "title": "VpcId", + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "IdentityCenterArn": { + "markdownDescription": "If you would like to associate your S3 Access Grants instance with an AWS IAM Identity Center instance, use this field to pass the Amazon Resource Name (ARN) of the AWS IAM Identity Center instance that you are associating with your S3 Access Grants instance. 
An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center.", + "title": "IdentityCenterArn", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The AWS resource tags that you are adding to the S3 Access Grants instance. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.", + "title": "Tags", + "type": "array" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3::AccessGrantsInstance" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], "type": "string" } }, + "required": [ + "Type" + ], "type": "object" }, - "AWS::S3::Bucket": { + "AWS::S3::AccessGrantsLocation": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "IamRoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.", + "title": "IamRoleArn", + "type": "string" + }, + "LocationScope": { + "markdownDescription": "The S3 URI path to the location that you are registering. The location scope can be the default S3 location `s3://` , the S3 path to a bucket, or the S3 path to a bucket and prefix. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. 
For example, object key names that start with the `engineering/` prefix or object key names that start with the `marketing/campaigns/` prefix.", + "title": "LocationScope", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The AWS resource tags that you are adding to the S3 Access Grants location. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.", + "title": "Tags", + "type": "array" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3::AccessGrantsLocation" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::S3::AccessPoint": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Bucket": { + "markdownDescription": "The name of the bucket associated with this access point.", + "title": "Bucket", + "type": "string" + }, + "BucketAccountId": { + "markdownDescription": "The AWS account ID associated with the S3 bucket associated with this access point.", + "title": "BucketAccountId", + "type": "string" + }, + "Name": { + "markdownDescription": "The name of this access point. 
If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.", + "title": "Name", + "type": "string" + }, + "Policy": { + "markdownDescription": "The access point policy associated with this access point.", + "title": "Policy", + "type": "object" + }, + "PublicAccessBlockConfiguration": { + "$ref": "#/definitions/AWS::S3::AccessPoint.PublicAccessBlockConfiguration", + "markdownDescription": "The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see [The Meaning of \"Public\"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide* .", + "title": "PublicAccessBlockConfiguration" + }, + "VpcConfiguration": { + "$ref": "#/definitions/AWS::S3::AccessPoint.VpcConfiguration", + "markdownDescription": "The Virtual Private Cloud (VPC) configuration for this access point, if one exists.", + "title": "VpcConfiguration" + } + }, + "required": [ + "Bucket" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3::AccessPoint" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::S3::AccessPoint.PublicAccessBlockConfiguration": { + "additionalProperties": false, + "properties": { + "BlockPublicAcls": { + "markdownDescription": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. 
Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", + "title": "BlockPublicAcls", + "type": "boolean" + }, + "BlockPublicPolicy": { + "markdownDescription": "Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.", + "title": "BlockPublicPolicy", + "type": "boolean" + }, + "IgnorePublicAcls": { + "markdownDescription": "Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.\n\nEnabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.", + "title": "IgnorePublicAcls", + "type": "boolean" + }, + "RestrictPublicBuckets": { + "markdownDescription": "Specifies whether Amazon S3 should restrict public bucket policies for this bucket. 
Setting this element to `TRUE` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.\n\nEnabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.", + "title": "RestrictPublicBuckets", + "type": "boolean" + } + }, + "type": "object" + }, + "AWS::S3::AccessPoint.VpcConfiguration": { + "additionalProperties": false, + "properties": { + "VpcId": { + "markdownDescription": "If this field is specified, the access point will only allow connections from the specified VPC ID.", + "title": "VpcId", + "type": "string" + } + }, + "type": "object" + }, + "AWS::S3::Bucket": { "additionalProperties": false, "properties": { "Condition": { 
@@ -215347,7 +222878,7 @@ "title": "AccelerateConfiguration" }, "AccessControl": { - "markdownDescription": "A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nBe aware that the syntax for this property differs from the information provided in the *Amazon S3 User Guide* . The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.", + "markdownDescription": "> This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide* . \n\nA canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nS3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon.\n\nThe majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html) . 
For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide* .", "title": "AccessControl", "type": "string" }, @@ -215415,7 +222946,7 @@ }, "ObjectLockConfiguration": { "$ref": "#/definitions/AWS::S3::Bucket.ObjectLockConfiguration", - "markdownDescription": "Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .\n\n> - The `DefaultRetention` settings require both a mode and a period.\n> - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.\n> - You can only enable Object Lock for new buckets. If you want to turn on Object Lock for an existing bucket, contact AWS Support.", + "markdownDescription": "> This operation is not supported by directory buckets. \n\nPlaces an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .\n\n> - The `DefaultRetention` settings require both a mode and a period.\n> - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.\n> - You can enable Object Lock for new or existing buckets. For more information, see [Configuring Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html) .", "title": "ObjectLockConfiguration" }, "ObjectLockEnabled": { 
@@ -215706,7 +223237,7 @@ "type": "string" }, "Format": { - "markdownDescription": "Specifies the file format used when exporting data to Amazon S3.", + "markdownDescription": "Specifies the file format used when exporting data to Amazon S3.\n\n*Allowed values* : `CSV` | `ORC` | `Parquet`", "title": "Format", "type": "string" }, @@ -215745,6 +223276,9 @@ "type": "boolean" } }, + "required": [ + "EventBridgeEnabled" + ], "type": "object" }, "AWS::S3::Bucket.FilterRule": { @@ -215836,7 +223370,7 @@ "items": { "type": "string" }, - "markdownDescription": "Contains the optional fields that are included in the inventory results.\n\n*Valid values* : `Size | LastModifiedDate | StorageClass | ETag | IsMultipartUploaded | ReplicationStatus | EncryptionStatus | ObjectLockRetainUntilDate | ObjectLockMode | ObjectLockLegalHoldStatus | IntelligentTieringAccessTier | BucketKeyStatus`", + "markdownDescription": "Contains the optional fields that are included in the inventory results.", "title": "OptionalFields", "type": "array" }, @@ -215846,7 +223380,7 @@ "type": "string" }, "ScheduleFrequency": { - "markdownDescription": "Specifies the schedule for generating inventory results.\n\n*Allowed values* : `Daily` | `Weekly`", + "markdownDescription": "Specifies the schedule for generating inventory results.", "title": "ScheduleFrequency", "type": "string" } @@ -215914,6 +223448,11 @@ "markdownDescription": "A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket.", "title": "LogFilePrefix", "type": "string" + }, + "TargetObjectKeyFormat": { + "$ref": "#/definitions/AWS::S3::Bucket.TargetObjectKeyFormat", + "markdownDescription": "Amazon S3 key format for log objects. Only one format, PartitionedPrefix or SimplePrefix, is allowed.", + "title": "TargetObjectKeyFormat" } }, "type": "object" 
@@ -216117,6 +223656,17 @@ }, "type": "object" }, + "AWS::S3::Bucket.PartitionedPrefix": { + "additionalProperties": false, + "properties": { + "PartitionDateSource": { + "markdownDescription": "Specifies the partition date source for the partitioned prefix. PartitionDateSource can be EventTime or DeliveryTime.", + "title": "PartitionDateSource", + "type": "string" + } + }, + "type": "object" + }, "AWS::S3::Bucket.PublicAccessBlockConfiguration": { "additionalProperties": false, "properties": { @@ -216512,12 +224062,12 @@ "ObjectSizeGreaterThan": { "markdownDescription": "Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. For more information about size based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", "title": "ObjectSizeGreaterThan", - "type": "number" + "type": "string" }, "ObjectSizeLessThan": { "markdownDescription": "Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. For more information about sized based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", "title": "ObjectSizeLessThan", - "type": "number" + "type": "string" }, "Prefix": { "markdownDescription": "Object key prefix that identifies one or more objects to which this rule applies.\n\n> Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints) .", 
@@ -216669,6 +224219,22 @@ ], "type": "object" }, + "AWS::S3::Bucket.TargetObjectKeyFormat": { + "additionalProperties": false, + "properties": { + "PartitionedPrefix": { + "$ref": "#/definitions/AWS::S3::Bucket.PartitionedPrefix", + "markdownDescription": "Partitioned S3 key for log objects.", + "title": "PartitionedPrefix" + }, + "SimplePrefix": { + "markdownDescription": "To use the simple format for S3 keys for log objects. To specify SimplePrefix format, set SimplePrefix to {}.", + "title": "SimplePrefix", + "type": "object" + } + }, + "type": "object" + }, "AWS::S3::Bucket.Tiering": { "additionalProperties": false, "properties": { @@ -217168,6 +224734,11 @@ "$ref": "#/definitions/AWS::S3::StorageLens.DetailedStatusCodesMetrics", "markdownDescription": "This property contains the details of account-level detailed status code metrics for S3 Storage Lens.", "title": "DetailedStatusCodesMetrics" + }, + "StorageLensGroupLevel": { + "$ref": "#/definitions/AWS::S3::StorageLens.StorageLensGroupLevel", + "markdownDescription": "This property determines the scope of Storage Lens group data that is displayed in the Storage Lens dashboard.", + "title": "StorageLensGroupLevel" } }, "required": [ 
@@ -217490,6 +225061,433 @@ ], "type": "object" }, + "AWS::S3::StorageLens.StorageLensGroupLevel": { + "additionalProperties": false, + "properties": { + "StorageLensGroupSelectionCriteria": { + "$ref": "#/definitions/AWS::S3::StorageLens.StorageLensGroupSelectionCriteria", + "markdownDescription": "This property indicates which Storage Lens group ARNs to include or exclude in the Storage Lens group aggregation. If this value is left null, then all Storage Lens groups are selected.", + "title": "StorageLensGroupSelectionCriteria" + } + }, + "type": "object" + }, + "AWS::S3::StorageLens.StorageLensGroupSelectionCriteria": { + "additionalProperties": false, + "properties": { + "Exclude": { + "items": { + "type": "string" + }, + "markdownDescription": "This property indicates which Storage Lens group ARNs to exclude from the Storage Lens group aggregation.", + "title": "Exclude", + "type": "array" + }, + "Include": { + "items": { + "type": "string" + }, + "markdownDescription": "This property indicates which Storage Lens group ARNs to include in the Storage Lens group aggregation.", + "title": "Include", + "type": "array" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Filter": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.Filter", + "markdownDescription": "This property contains the criteria for the Storage Lens group data that is displayed", + "title": "Filter" + }, + "Name": { + "markdownDescription": "This property contains the Storage Lens group 
name.", + "title": "Name", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "This property contains the AWS resource tags that you're adding to your Storage Lens group. This parameter is optional.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "Filter", + "Name" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3::StorageLensGroup" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::S3::StorageLensGroup.And": { + "additionalProperties": false, + "properties": { + "MatchAnyPrefix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of prefixes. At least one prefix must be specified. Up to 10 prefixes are allowed.", + "title": "MatchAnyPrefix", + "type": "array" + }, + "MatchAnySuffix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of suffixes. At least one suffix must be specified. Up to 10 suffixes are allowed.", + "title": "MatchAnySuffix", + "type": "array" + }, + "MatchAnyTag": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "This property contains the list of object tags. At least one object tag must be specified. 
Up to 10 object tags are allowed.", + "title": "MatchAnyTag", + "type": "array" + }, + "MatchObjectAge": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectAge", + "markdownDescription": "This property contains `DaysGreaterThan` and `DaysLessThan` properties to define the object age range (minimum and maximum number of days).", + "title": "MatchObjectAge" + }, + "MatchObjectSize": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectSize", + "markdownDescription": "This property contains `BytesGreaterThan` and `BytesLessThan` to define the object size range (minimum and maximum number of Bytes).", + "title": "MatchObjectSize" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup.Filter": { + "additionalProperties": false, + "properties": { + "And": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.And", + "markdownDescription": "This property contains the `And` logical operator, which allows multiple filter conditions to be joined for more complex comparisons of Storage Lens group data. Objects must match all of the listed filter conditions that are joined by the `And` logical operator. Only one of each filter condition is allowed.", + "title": "And" + }, + "MatchAnyPrefix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of prefixes. At least one prefix must be specified. Up to 10 prefixes are allowed.", + "title": "MatchAnyPrefix", + "type": "array" + }, + "MatchAnySuffix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of suffixes. At least one suffix must be specified. Up to 10 suffixes are allowed.", + "title": "MatchAnySuffix", + "type": "array" + }, + "MatchAnyTag": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "This property contains the list of S3 object tags. At least one object tag must be specified. 
Up to 10 object tags are allowed.", + "title": "MatchAnyTag", + "type": "array" + }, + "MatchObjectAge": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectAge", + "markdownDescription": "This property contains `DaysGreaterThan` and `DaysLessThan` to define the object age range (minimum and maximum number of days).", + "title": "MatchObjectAge" + }, + "MatchObjectSize": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectSize", + "markdownDescription": "This property contains `BytesGreaterThan` and `BytesLessThan` to define the object size range (minimum and maximum number of Bytes).", + "title": "MatchObjectSize" + }, + "Or": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.Or", + "markdownDescription": "This property contains the `Or` logical operator, which allows multiple filter conditions to be joined. Objects can match any of the listed filter conditions, which are joined by the `Or` logical operator. Only one of each filter condition is allowed.", + "title": "Or" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup.MatchObjectAge": { + "additionalProperties": false, + "properties": { + "DaysGreaterThan": { + "markdownDescription": "This property indicates the minimum object age in days.", + "title": "DaysGreaterThan", + "type": "number" + }, + "DaysLessThan": { + "markdownDescription": "This property indicates the maximum object age in days.", + "title": "DaysLessThan", + "type": "number" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup.MatchObjectSize": { + "additionalProperties": false, + "properties": { + "BytesGreaterThan": { + "markdownDescription": "This property specifies the minimum object size in bytes. The value must be a positive number, greater than 0 and less than 5 TB.", + "title": "BytesGreaterThan", + "type": "number" + }, + "BytesLessThan": { + "markdownDescription": "This property specifies the maximum object size in bytes. 
The value must be a positive number, greater than the minimum object size and less than 5 TB.", + "title": "BytesLessThan", + "type": "number" + } + }, + "type": "object" + }, + "AWS::S3::StorageLensGroup.Or": { + "additionalProperties": false, + "properties": { + "MatchAnyPrefix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains a list of prefixes. At least one prefix must be specified. Up to 10 prefixes are allowed.", + "title": "MatchAnyPrefix", + "type": "array" + }, + "MatchAnySuffix": { + "items": { + "type": "string" + }, + "markdownDescription": "This property contains the list of suffixes. At least one suffix must be specified. Up to 10 suffixes are allowed.", + "title": "MatchAnySuffix", + "type": "array" + }, + "MatchAnyTag": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "This property contains the list of S3 object tags. At least one object tag must be specified. Up to 10 object tags are allowed.", + "title": "MatchAnyTag", + "type": "array" + }, + "MatchObjectAge": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectAge", + "markdownDescription": "This property filters objects that match the specified object age range.", + "title": "MatchObjectAge" + }, + "MatchObjectSize": { + "$ref": "#/definitions/AWS::S3::StorageLensGroup.MatchObjectSize", + "markdownDescription": "This property contains the `BytesGreaterThan` and `BytesLessThan` values to define the object size range (minimum and maximum number of Bytes).", + "title": "MatchObjectSize" + } + }, + "type": "object" + }, + "AWS::S3Express::BucketPolicy": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + 
} + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Bucket": { + "markdownDescription": "The name of the S3 directory bucket to which the policy applies.", + "title": "Bucket", + "type": "string" + }, + "PolicyDocument": { + "markdownDescription": "A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument) resource description in this guide and [Policies and Permissions in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html) in the *Amazon S3 User Guide* .", + "title": "PolicyDocument", + "type": "object" + } + }, + "required": [ + "Bucket", + "PolicyDocument" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3Express::BucketPolicy" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::S3Express::DirectoryBucket": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "BucketName": { + "markdownDescription": "A name for the bucket. 
The bucket name must contain only lowercase letters, numbers, and hyphens (-). A directory bucket name must be unique in the chosen Availability Zone. The bucket name must also follow the format `*bucket_base_name* -- *az_id* --x-s3` (for example, `*DOC-EXAMPLE-BUCKET* -- *usw2-az1* --x-s3` ). If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. For information about bucket naming restrictions, see [Directory bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html) in the *Amazon S3 User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.", + "title": "BucketName", + "type": "string" + }, + "DataRedundancy": { + "markdownDescription": "The number of Availability Zone that's used for redundancy for the bucket.", + "title": "DataRedundancy", + "type": "string" + }, + "LocationName": { + "markdownDescription": "The name of the location where the bucket will be created.\n\nFor directory buckets, the name of the location is the AZ ID of the Availability Zone where the bucket will be created. An example AZ ID value is `usw2-az1` .", + "title": "LocationName", + "type": "string" + } + }, + "required": [ + "DataRedundancy", + "LocationName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::S3Express::DirectoryBucket" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, "AWS::S3ObjectLambda::AccessPoint": { "additionalProperties": false, "properties": { 
@@ -217860,7 +225858,7 @@ "additionalProperties": false, "properties": { "VpcId": { - "markdownDescription": "The ID of the VPC configuration.", + "markdownDescription": "", "title": "VpcId", "type": "string" } @@ -218071,7 +226069,7 @@ "title": "Filter" }, "Id": { - "markdownDescription": "The unique identifier for the lifecycle rule. The value can't be longer than 255 characters.", + "markdownDescription": "", "title": "Id", "type": "string" }, @@ -218206,7 +226204,7 @@ }, "FailedReason": { "$ref": "#/definitions/AWS::S3Outposts::Endpoint.FailedReason", - "markdownDescription": "", + "markdownDescription": "The failure reason, if any, for a create or delete endpoint operation.", "title": "FailedReason" }, "OutpostId": { @@ -218215,12 +226213,12 @@ "type": "string" }, "SecurityGroupId": { - "markdownDescription": "The ID of the security group to use with the endpoint.", + "markdownDescription": "The ID of the security group used for the endpoint.", "title": "SecurityGroupId", "type": "string" }, "SubnetId": { - "markdownDescription": "The ID of the subnet.", + "markdownDescription": "The ID of the subnet used for the endpoint.", "title": "SubnetId", "type": "string" } @@ -218257,12 +226255,12 @@ "additionalProperties": false, "properties": { "ErrorCode": { - "markdownDescription": "", + "markdownDescription": "The failure code, if any, for a create or delete endpoint operation.", "title": "ErrorCode", "type": "string" }, "Message": { - "markdownDescription": "", + "markdownDescription": "Additional error details describing the endpoint failure and recommended action.", "title": "Message", "type": "string" } 
@@ -219830,6 +227828,11 @@ "title": "Region", "type": "string" }, + "ReplayPolicy": { + "markdownDescription": "", + "title": "ReplayPolicy", + "type": "object" + }, "SubscriptionRoleArn": { "markdownDescription": "This property applies only to Amazon Kinesis Data Firehose delivery stream subscriptions. Specify the ARN of the IAM role that has the following:\n\n- Permission to write to the Amazon Kinesis Data Firehose delivery stream\n- Amazon SNS listed as a trusted entity\n\nSpecifying a valid ARN for this attribute is required for Kinesis Data Firehose delivery stream subscriptions. For more information, see [Fanout to Amazon Kinesis Data Firehose delivery streams](https://docs.aws.amazon.com/sns/latest/dg/sns-firehose-as-subscriber.html) in the *Amazon SNS Developer Guide.*", "title": "SubscriptionRoleArn", @@ -219904,6 +227907,8 @@ "additionalProperties": false, "properties": { "ArchivePolicy": { + "markdownDescription": "The archive policy determines the number of days Amazon SNS retains messages. You can set a retention period from 1 to 365 days.", + "title": "ArchivePolicy", "type": "object" }, "ContentBasedDeduplication": { 
@@ -219916,6 +227921,14 @@ "title": "DataProtectionPolicy", "type": "object" }, + "DeliveryStatusLogging": { + "items": { + "$ref": "#/definitions/AWS::SNS::Topic.LoggingConfig" + }, + "markdownDescription": "The `DeliveryStatusLogging` configuration enables you to log the delivery status of messages sent from your Amazon SNS topic to subscribed endpoints with the following supported delivery protocols:\n\n- HTTP\n- Amazon Kinesis Data Firehose\n- AWS Lambda\n- Platform application endpoint\n- Amazon Simple Queue Service\n\nOnce configured, log entries are sent to Amazon CloudWatch Logs.", + "title": "DeliveryStatusLogging", + "type": "array" + }, "DisplayName": { "markdownDescription": "The display name to use for an Amazon SNS topic with SMS subscriptions. The display name must be maximum 100 characters long, including hyphens (-), underscores (_), spaces, and tabs.", "title": "DisplayName", @@ -219958,7 +227971,7 @@ "type": "string" }, "TracingConfig": { - "markdownDescription": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an SNS publisher to its subscriptions. If set to `Active` , SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.", + "markdownDescription": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an Amazon SNS publisher to its subscriptions. If set to `Active` , Amazon SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true.", "title": "TracingConfig", "type": "string" } 
@@ -219985,6 +227998,35 @@ ], "type": "object" }, + "AWS::SNS::Topic.LoggingConfig": { + "additionalProperties": false, + "properties": { + "FailureFeedbackRoleArn": { + "markdownDescription": "The IAM role ARN to be used when logging failed message deliveries in Amazon CloudWatch.", + "title": "FailureFeedbackRoleArn", + "type": "string" + }, + "Protocol": { + "markdownDescription": "Indicates one of the supported protocols for the Amazon SNS topic.\n\n> At least one of the other three `LoggingConfig` properties is recommend along with `Protocol` .", + "title": "Protocol", + "type": "string" + }, + "SuccessFeedbackRoleArn": { + "markdownDescription": "The IAM role ARN to be used when logging successful message deliveries in Amazon CloudWatch.", + "title": "SuccessFeedbackRoleArn", + "type": "string" + }, + "SuccessFeedbackSampleRate": { + "markdownDescription": "The percentage of successful message deliveries to be logged in Amazon CloudWatch. Valid percentage values range from 0 to 100.", + "title": "SuccessFeedbackSampleRate", + "type": "string" + } + }, + "required": [ + "Protocol" + ], + "type": "object" + }, "AWS::SNS::Topic.Subscription": { "additionalProperties": false, "properties": { @@ -220041,9 +228083,13 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "A policy document that contains permissions to add to the specified Amazon SNS topic.", + "title": "PolicyDocument", "type": "object" }, "TopicArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the topic to which you want to add the policy.", + "title": "TopicArn", "type": "string" } }, 
@@ -220110,226 +228156,230 @@ "additionalProperties": false, "properties": { "PolicyDocument": { - "markdownDescription": "A policy document that contains permissions to add to the specified SNS topics.", + "markdownDescription": "A policy document that contains permissions to add to the specified SNS topics.", + "title": "PolicyDocument", + "type": "object" + }, + "Topics": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Names (ARN) of the topics to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html)` resource.", + "title": "Topics", + "type": "array" + } + }, + "required": [ + "PolicyDocument", + "Topics" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::SNS::TopicPolicy" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::SQS::Queue": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "ContentBasedDeduplication": { + "markdownDescription": "For first-in-first-out (FIFO) queues, specifies whether to enable content-based deduplication. 
During the deduplication interval, Amazon SQS treats messages that are sent with identical content as duplicates and delivers only one copy of the message. For more information, see the `ContentBasedDeduplication` attribute for the `[CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html)` action in the *Amazon SQS API Reference* .", + "title": "ContentBasedDeduplication", + "type": "boolean" + }, + "DeduplicationScope": { + "markdownDescription": "For high throughput for FIFO queues, specifies whether message deduplication occurs at the message group or queue level. Valid values are `messageGroup` and `queue` .\n\nTo enable high throughput for a FIFO queue, set this attribute to `messageGroup` *and* set the `FifoThroughputLimit` attribute to `perMessageGroupId` . If you set these attributes to anything other than these values, normal throughput is in effect and deduplication occurs as specified. For more information, see [High throughput for FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/high-throughput-fifo.html) and [Quotas related to messages](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html) in the *Amazon SQS Developer Guide* .", + "title": "DeduplicationScope", + "type": "string" + }, + "DelaySeconds": { + "markdownDescription": "The time in seconds for which the delivery of all messages in the queue is delayed. You can specify an integer value of `0` to `900` (15 minutes). The default value is `0` .", + "title": "DelaySeconds", + "type": "number" + }, + "FifoQueue": { + "markdownDescription": "If set to true, creates a FIFO queue. If you don't specify this property, Amazon SQS creates a standard queue. 
For more information, see [FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html) in the *Amazon SQS Developer Guide* .", + "title": "FifoQueue", + "type": "boolean" + }, + "FifoThroughputLimit": { + "markdownDescription": "For high throughput for FIFO queues, specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. Valid values are `perQueue` and `perMessageGroupId` .\n\nTo enable high throughput for a FIFO queue, set this attribute to `perMessageGroupId` *and* set the `DeduplicationScope` attribute to `messageGroup` . If you set these attributes to anything other than these values, normal throughput is in effect and deduplication occurs as specified. For more information, see [High throughput for FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/high-throughput-fifo.html) and [Quotas related to messages](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html) in the *Amazon SQS Developer Guide* .", + "title": "FifoThroughputLimit", + "type": "string" + }, + "KmsDataKeyReusePeriodSeconds": { + "markdownDescription": "The length of time in seconds for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. The value must be an integer between 60 (1 minute) and 86,400 (24 hours). The default is 300 (5 minutes).\n\n> A shorter time period provides better security, but results in more calls to AWS KMS , which might incur charges after Free Tier. 
For more information, see [Encryption at rest](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html#sqs-how-does-the-data-key-reuse-period-work) in the *Amazon SQS Developer Guide* .", + "title": "KmsDataKeyReusePeriodSeconds", + "type": "number" + }, + "KmsMasterKeyId": { + "markdownDescription": "The ID of an AWS Key Management Service (KMS) for Amazon SQS , or a custom KMS. To use the AWS managed KMS for Amazon SQS , specify a (default) alias ARN, alias name (e.g. `alias/aws/sqs` ), key ARN, or key ID. For more information, see the following:\n\n- [Encryption at rest](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html) in the *Amazon SQS Developer Guide*\n- [CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html) in the *Amazon SQS API Reference*\n- [Request Parameters](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html#API_DescribeKey_RequestParameters) in the *AWS Key Management Service API Reference*\n- The Key Management Service (KMS) section of the [AWS Key Management Service Best Practices](https://docs.aws.amazon.com/https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf) whitepaper", + "title": "KmsMasterKeyId", + "type": "string" + }, + "MaximumMessageSize": { + "markdownDescription": "The limit of how many bytes that a message can contain before Amazon SQS rejects it. You can specify an integer value from `1,024` bytes (1 KiB) to `262,144` bytes (256 KiB). The default value is `262,144` (256 KiB).", + "title": "MaximumMessageSize", + "type": "number" + }, + "MessageRetentionPeriod": { + "markdownDescription": "The number of seconds that Amazon SQS retains a message. You can specify an integer value from `60` seconds (1 minute) to `1,209,600` seconds (14 days). 
The default value is `345,600` seconds (4 days).", + "title": "MessageRetentionPeriod", + "type": "number" + }, + "QueueName": { + "markdownDescription": "A name for the queue. To create a FIFO queue, the name of your FIFO queue must end with the `.fifo` suffix. For more information, see [FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html) in the *Amazon SQS Developer Guide* .\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the queue name. For more information, see [Name type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) in the *AWS CloudFormation User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", + "title": "QueueName", + "type": "string" + }, + "ReceiveMessageWaitTimeSeconds": { + "markdownDescription": "Specifies the duration, in seconds, that the ReceiveMessage action call waits until a message is in the queue in order to include it in the response, rather than returning an empty response if a message isn't yet available. You can specify an integer from 1 to 20. Short polling is used as the default or when you specify 0 for this property. For more information, see [Consuming messages using long polling](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-short-and-long-polling.html#sqs-long-polling) in the *Amazon SQS Developer Guide* .", + "title": "ReceiveMessageWaitTimeSeconds", + "type": "number" + }, + "RedriveAllowPolicy": { + "markdownDescription": "The string that includes the parameters for the permissions for the dead-letter queue redrive permission and which source queues can specify dead-letter queues as a JSON object. 
The parameters are as follows:\n\n- `redrivePermission` : The permission type that defines which source queues can specify the current queue as the dead-letter queue. Valid values are:\n\n- `allowAll` : (Default) Any source queues in this AWS account in the same Region can specify this queue as the dead-letter queue.\n- `denyAll` : No source queues can specify this queue as the dead-letter queue.\n- `byQueue` : Only queues specified by the `sourceQueueArns` parameter can specify this queue as the dead-letter queue.\n- `sourceQueueArns` : The Amazon Resource Names (ARN)s of the source queues that can specify this queue as the dead-letter queue and redrive messages. You can specify this parameter only when the `redrivePermission` parameter is set to `byQueue` . You can specify up to 10 source queue ARNs. To allow more than 10 source queues to specify dead-letter queues, set the `redrivePermission` parameter to `allowAll` .", + "title": "RedriveAllowPolicy", + "type": "object" + }, + "RedrivePolicy": { + "markdownDescription": "The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. The parameters are as follows:\n\n- `deadLetterTargetArn` : The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of `maxReceiveCount` is exceeded.\n- `maxReceiveCount` : The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the `ReceiveCount` for a message exceeds the `maxReceiveCount` for a queue, Amazon SQS moves the message to the dead-letter-queue.\n\n> The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue. 
\n\n*JSON*\n\n`{ \"deadLetterTargetArn\" : *String* , \"maxReceiveCount\" : *Integer* }`\n\n*YAML*\n\n`deadLetterTargetArn : *String*`\n\n`maxReceiveCount : *Integer*`", + "title": "RedrivePolicy", + "type": "object" + }, + "SqsManagedSseEnabled": { + "markdownDescription": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ). When `SqsManagedSseEnabled` is not defined, `SSE-SQS` encryption is enabled by default.", + "title": "SqsManagedSseEnabled", + "type": "boolean" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags that you attach to this queue. For more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .", + "title": "Tags", + "type": "array" + }, + "VisibilityTimeout": { + "markdownDescription": "The length of time during which a message will be unavailable after a message is delivered from the queue. This blocks other components from receiving the same message and gives the initial component time to process and delete the message from the queue.\n\nValues must be from 0 to 43,200 seconds (12 hours). 
If you don't specify a value, AWS CloudFormation uses the default value of 30 seconds.\n\nFor more information about Amazon SQS queue visibility timeouts, see [Visibility timeout](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html) in the *Amazon SQS Developer Guide* .", + "title": "VisibilityTimeout", + "type": "number" + } + }, + "type": "object" + }, + "Type": { + "enum": [ + "AWS::SQS::Queue" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type" + ], + "type": "object" + }, + "AWS::SQS::QueueInlinePolicy": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "PolicyDocument": { + "markdownDescription": "A policy document that contains the permissions for the specified Amazon SQS queues. For more information about Amazon SQS policies, see [Using custom policies with the Amazon SQS access policy language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon SQS Developer Guide* .", "title": "PolicyDocument", "type": "object" }, - "Topics": { - "items": { - "type": "string" - }, - "markdownDescription": "The Amazon Resource Names (ARN) of the topics to which you want to add the policy. 
You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html)` resource.", - "title": "Topics", - "type": "array" - } - }, - "required": [ - "PolicyDocument", - "Topics" - ], - "type": "object" - }, - "Type": { - "enum": [ - "AWS::SNS::TopicPolicy" - ], - "type": "string" - }, - "UpdateReplacePolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - } - }, - "required": [ - "Type", - "Properties" - ], - "type": "object" - }, - "AWS::SQS::Queue": { - "additionalProperties": false, - "properties": { - "Condition": { - "type": "string" - }, - "DeletionPolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - }, - "DependsOn": { - "anyOf": [ - { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - { - "items": { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - "type": "array" - } - ] - }, - "Metadata": { - "type": "object" - }, - "Properties": { - "additionalProperties": false, - "properties": { - "ContentBasedDeduplication": { - "markdownDescription": "For first-in-first-out (FIFO) queues, specifies whether to enable content-based deduplication. During the deduplication interval, Amazon SQS treats messages that are sent with identical content as duplicates and delivers only one copy of the message. For more information, see the `ContentBasedDeduplication` attribute for the `[CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html)` action in the *Amazon SQS API Reference* .", - "title": "ContentBasedDeduplication", - "type": "boolean" - }, - "DeduplicationScope": { - "markdownDescription": "For high throughput for FIFO queues, specifies whether message deduplication occurs at the message group or queue level. 
Valid values are `messageGroup` and `queue` .\n\nTo enable high throughput for a FIFO queue, set this attribute to `messageGroup` *and* set the `FifoThroughputLimit` attribute to `perMessageGroupId` . If you set these attributes to anything other than these values, normal throughput is in effect and deduplication occurs as specified. For more information, see [High throughput for FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/high-throughput-fifo.html) and [Quotas related to messages](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html) in the *Amazon SQS Developer Guide* .", - "title": "DeduplicationScope", - "type": "string" - }, - "DelaySeconds": { - "markdownDescription": "The time in seconds for which the delivery of all messages in the queue is delayed. You can specify an integer value of `0` to `900` (15 minutes). The default value is `0` .", - "title": "DelaySeconds", - "type": "number" - }, - "FifoQueue": { - "markdownDescription": "If set to true, creates a FIFO queue. If you don't specify this property, Amazon SQS creates a standard queue. For more information, see [FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html) in the *Amazon SQS Developer Guide* .", - "title": "FifoQueue", - "type": "boolean" - }, - "FifoThroughputLimit": { - "markdownDescription": "For high throughput for FIFO queues, specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. Valid values are `perQueue` and `perMessageGroupId` .\n\nTo enable high throughput for a FIFO queue, set this attribute to `perMessageGroupId` *and* set the `DeduplicationScope` attribute to `messageGroup` . If you set these attributes to anything other than these values, normal throughput is in effect and deduplication occurs as specified. 
For more information, see [High throughput for FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/high-throughput-fifo.html) and [Quotas related to messages](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html) in the *Amazon SQS Developer Guide* .", - "title": "FifoThroughputLimit", - "type": "string" - }, - "KmsDataKeyReusePeriodSeconds": { - "markdownDescription": "The length of time in seconds for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. The value must be an integer between 60 (1 minute) and 86,400 (24 hours). The default is 300 (5 minutes).\n\n> A shorter time period provides better security, but results in more calls to AWS KMS , which might incur charges after Free Tier. For more information, see [Encryption at rest](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html#sqs-how-does-the-data-key-reuse-period-work) in the *Amazon SQS Developer Guide* .", - "title": "KmsDataKeyReusePeriodSeconds", - "type": "number" - }, - "KmsMasterKeyId": { - "markdownDescription": "The ID of an AWS Key Management Service (KMS) for Amazon SQS , or a custom KMS. To use the AWS managed KMS for Amazon SQS , specify a (default) alias ARN, alias name (e.g. `alias/aws/sqs` ), key ARN, or key ID. 
For more information, see the following:\n\n- [Encryption at rest](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html) in the *Amazon SQS Developer Guide*\n- [CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html) in the *Amazon SQS API Reference*\n- [Request Parameters](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html#API_DescribeKey_RequestParameters) in the *AWS Key Management Service API Reference*\n- The Key Management Service (KMS) section of the [AWS Key Management Service Best Practices](https://docs.aws.amazon.com/https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf) whitepaper", - "title": "KmsMasterKeyId", - "type": "string" - }, - "MaximumMessageSize": { - "markdownDescription": "The limit of how many bytes that a message can contain before Amazon SQS rejects it. You can specify an integer value from `1,024` bytes (1 KiB) to `262,144` bytes (256 KiB). The default value is `262,144` (256 KiB).", - "title": "MaximumMessageSize", - "type": "number" - }, - "MessageRetentionPeriod": { - "markdownDescription": "The number of seconds that Amazon SQS retains a message. You can specify an integer value from `60` seconds (1 minute) to `1,209,600` seconds (14 days). The default value is `345,600` seconds (4 days).", - "title": "MessageRetentionPeriod", - "type": "number" - }, - "QueueName": { - "markdownDescription": "A name for the queue. To create a FIFO queue, the name of your FIFO queue must end with the `.fifo` suffix. For more information, see [FIFO queues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html) in the *Amazon SQS Developer Guide* .\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the queue name. 
For more information, see [Name type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) in the *AWS CloudFormation User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", - "title": "QueueName", - "type": "string" - }, - "ReceiveMessageWaitTimeSeconds": { - "markdownDescription": "Specifies the duration, in seconds, that the ReceiveMessage action call waits until a message is in the queue in order to include it in the response, rather than returning an empty response if a message isn't yet available. You can specify an integer from 1 to 20. Short polling is used as the default or when you specify 0 for this property. For more information, see [Consuming messages using long polling](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-short-and-long-polling.html#sqs-long-polling) in the *Amazon SQS Developer Guide* .", - "title": "ReceiveMessageWaitTimeSeconds", - "type": "number" - }, - "RedriveAllowPolicy": { - "markdownDescription": "The string that includes the parameters for the permissions for the dead-letter queue redrive permission and which source queues can specify dead-letter queues as a JSON object. The parameters are as follows:\n\n- `redrivePermission` : The permission type that defines which source queues can specify the current queue as the dead-letter queue. 
Valid values are:\n\n- `allowAll` : (Default) Any source queues in this AWS account in the same Region can specify this queue as the dead-letter queue.\n- `denyAll` : No source queues can specify this queue as the dead-letter queue.\n- `byQueue` : Only queues specified by the `sourceQueueArns` parameter can specify this queue as the dead-letter queue.\n- `sourceQueueArns` : The Amazon Resource Names (ARN)s of the source queues that can specify this queue as the dead-letter queue and redrive messages. You can specify this parameter only when the `redrivePermission` parameter is set to `byQueue` . You can specify up to 10 source queue ARNs. To allow more than 10 source queues to specify dead-letter queues, set the `redrivePermission` parameter to `allowAll` .", - "title": "RedriveAllowPolicy", - "type": "object" - }, - "RedrivePolicy": { - "markdownDescription": "The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. The parameters are as follows:\n\n- `deadLetterTargetArn` : The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of `maxReceiveCount` is exceeded.\n- `maxReceiveCount` : The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the `ReceiveCount` for a message exceeds the `maxReceiveCount` for a queue, Amazon SQS moves the message to the dead-letter-queue.\n\n> The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue. \n\n*JSON*\n\n`{ \"deadLetterTargetArn\" : *String* , \"maxReceiveCount\" : *Integer* }`\n\n*YAML*\n\n`deadLetterTargetArn : *String*`\n\n`maxReceiveCount : *Integer*`", - "title": "RedrivePolicy", - "type": "object" - }, - "SqsManagedSseEnabled": { - "markdownDescription": "Enables server-side queue encryption using SQS owned encryption keys. 
Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ).", - "title": "SqsManagedSseEnabled", - "type": "boolean" - }, - "Tags": { - "items": { - "$ref": "#/definitions/Tag" - }, - "markdownDescription": "The tags that you attach to this queue. For more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .", - "title": "Tags", - "type": "array" - }, - "VisibilityTimeout": { - "markdownDescription": "The length of time during which a message will be unavailable after a message is delivered from the queue. This blocks other components from receiving the same message and gives the initial component time to process and delete the message from the queue.\n\nValues must be from 0 to 43,200 seconds (12 hours). 
If you don't specify a value, AWS CloudFormation uses the default value of 30 seconds.\n\nFor more information about Amazon SQS queue visibility timeouts, see [Visibility timeout](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html) in the *Amazon SQS Developer Guide* .", - "title": "VisibilityTimeout", - "type": "number" - } - }, - "type": "object" - }, - "Type": { - "enum": [ - "AWS::SQS::Queue" - ], - "type": "string" - }, - "UpdateReplacePolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - } - }, - "required": [ - "Type" - ], - "type": "object" - }, - "AWS::SQS::QueueInlinePolicy": { - "additionalProperties": false, - "properties": { - "Condition": { - "type": "string" - }, - "DeletionPolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], - "type": "string" - }, - "DependsOn": { - "anyOf": [ - { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - { - "items": { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - "type": "array" - } - ] - }, - "Metadata": { - "type": "object" - }, - "Properties": { - "additionalProperties": false, - "properties": { - "PolicyDocument": { - "type": "object" - }, "Queue": { + "markdownDescription": "The URLs of the queues to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)` resource.", + "title": "Queue", "type": "string" } }, @@ -220530,8 +228580,6 @@ "title": "OutputLocation" }, "Parameters": { - "markdownDescription": "The parameters for the runtime configuration of the document.", - "title": "Parameters", "type": "object" }, "ScheduleExpression": { 
@@ -220558,7 +228606,7 @@ "type": "array" }, "WaitForSuccessTimeoutSeconds": { - "markdownDescription": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.", + "markdownDescription": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.\n\n> When you specify a value for the `WaitForSuccessTimeoutSeconds` , [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html) for your AWS CloudFormation stack\u2019s configuration might yield inaccurate results. If drift detection is important in your scenario, we recommend that you don\u2019t include `WaitForSuccessTimeoutSeconds` in your template.", "title": "WaitForSuccessTimeoutSeconds", "type": "number" } @@ -220698,7 +228746,7 @@ "type": "string" }, "DocumentType": { - "markdownDescription": "The type of document to create.\n\n*Allowed Values* : `ApplicationConfigurationSchema` | `Automation` | `Automation.ChangeTemplate` | `Command` | `DeploymentStrategy` | `Package` | `Policy` | `Session`", + "markdownDescription": "The type of document to create.", "title": "DocumentType", "type": "string" }, @@ -221495,7 +229543,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of parameter.\n\n> AWS CloudFormation doesn't support creating a `SecureString` parameter type. \n\n*Allowed Values* : String | StringList", + "markdownDescription": "The type of parameter.\n\n> Although `SecureString` is included in the list of valid values, AWS CloudFormation does *not* current support creating a `SecureString` parameter type.", "title": "Type", "type": "string" }, 
@@ -221847,8 +229895,6 @@ "type": "string" }, "SyncName": { - "markdownDescription": "A name for the resource data sync.", - "title": "SyncName", "type": "string" }, "SyncSource": { @@ -223581,7 +231627,7 @@ "type": "string" }, "AppType": { - "markdownDescription": "The type of app.\n\n*Allowed Values* : `JupyterServer | KernelGateway | RSessionGateway | RStudioServerPro | TensorBoard | Canvas`", + "markdownDescription": "The type of app.", "title": "AppType", "type": "string" }, @@ -224033,30 +232079,32 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::DataQualityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } 
@@ -224162,7 +232210,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -224198,7 +232246,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::DataQualityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -224239,6 +232287,8 @@ "type": "string" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { @@ -224247,7 +232297,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, 
@@ -224292,7 +232342,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -224402,7 +232452,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, @@ -224688,7 +232738,7 @@ }, "DefaultSpaceSettings": { "$ref": "#/definitions/AWS::SageMaker::Domain.DefaultSpaceSettings", - "markdownDescription": "", + "markdownDescription": "A collection of settings that apply to spaces created in the Domain.", "title": "DefaultSpaceSettings" }, "DefaultUserSettings": { 
@@ -224763,6 +232813,50 @@ ], "type": "object" }, + "AWS::SageMaker::Domain.CodeEditorAppSettings": { + "additionalProperties": false, + "properties": { + "DefaultResourceSpec": { + "$ref": "#/definitions/AWS::SageMaker::Domain.ResourceSpec", + "markdownDescription": "", + "title": "DefaultResourceSpec" + }, + "LifecycleConfigArns": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Name (ARN) of the Code Editor application lifecycle configuration.", + "title": "LifecycleConfigArns", + "type": "array" + } + }, + "type": "object" + }, + "AWS::SageMaker::Domain.CodeRepository": { + "additionalProperties": false, + "properties": { + "RepositoryUrl": { + "markdownDescription": "The URL of the Git repository.", + "title": "RepositoryUrl", + "type": "string" + } + }, + "required": [ + "RepositoryUrl" + ], + "type": "object" + }, + "AWS::SageMaker::Domain.CustomFileSystemConfig": { + "additionalProperties": false, + "properties": { + "EFSFileSystemConfig": { + "$ref": "#/definitions/AWS::SageMaker::Domain.EFSFileSystemConfig", + "markdownDescription": "The settings for a custom Amazon EFS file system.", + "title": "EFSFileSystemConfig" + } + }, + "type": "object" + }, "AWS::SageMaker::Domain.CustomImage": { "additionalProperties": false, "properties": { 
@@ -224788,6 +232882,46 @@ ], "type": "object" }, + "AWS::SageMaker::Domain.CustomPosixUserConfig": { + "additionalProperties": false, + "properties": { + "Gid": { + "markdownDescription": "The POSIX group ID.", + "title": "Gid", + "type": "number" + }, + "Uid": { + "markdownDescription": "The POSIX user ID.", + "title": "Uid", + "type": "number" + } + }, + "required": [ + "Gid", + "Uid" + ], + "type": "object" + }, + "AWS::SageMaker::Domain.DefaultEbsStorageSettings": { + "additionalProperties": false, + "properties": { + "DefaultEbsVolumeSizeInGb": { + "markdownDescription": "The default size of the EBS storage volume for a private space.", + "title": "DefaultEbsVolumeSizeInGb", + "type": "number" + }, + "MaximumEbsVolumeSizeInGb": { + "markdownDescription": "The maximum size of the EBS storage volume for a private space.", + "title": "MaximumEbsVolumeSizeInGb", + "type": "number" + } + }, + "required": [ + "DefaultEbsVolumeSizeInGb", + "MaximumEbsVolumeSizeInGb" + ], + "type": "object" + }, "AWS::SageMaker::Domain.DefaultSpaceSettings": { "additionalProperties": false, "properties": { @@ -224820,6 +232954,17 @@ ], "type": "object" }, + "AWS::SageMaker::Domain.DefaultSpaceStorageSettings": { + "additionalProperties": false, + "properties": { + "DefaultEbsStorageSettings": { + "$ref": "#/definitions/AWS::SageMaker::Domain.DefaultEbsStorageSettings", + "markdownDescription": "The default EBS storage settings for a private space.", + "title": "DefaultEbsStorageSettings" + } + }, + "type": "object" + }, "AWS::SageMaker::Domain.DomainSettings": { "additionalProperties": false, "properties": { 
@@ -224839,6 +232984,60 @@ }, "type": "object" }, + "AWS::SageMaker::Domain.EFSFileSystemConfig": { + "additionalProperties": false, + "properties": { + "FileSystemId": { + "markdownDescription": "The ID of your Amazon EFS file system.", + "title": "FileSystemId", + "type": "string" + }, + "FileSystemPath": { + "markdownDescription": "The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below.", + "title": "FileSystemPath", + "type": "string" + } + }, + "required": [ + "FileSystemId" + ], + "type": "object" + }, + "AWS::SageMaker::Domain.JupyterLabAppSettings": { + "additionalProperties": false, + "properties": { + "CodeRepositories": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CodeRepository" + }, + "markdownDescription": "A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterLab application.", + "title": "CodeRepositories", + "type": "array" + }, + "CustomImages": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CustomImage" + }, + "markdownDescription": "A list of custom SageMaker images that are configured to run as a JupyterLab app.", + "title": "CustomImages", + "type": "array" + }, + "DefaultResourceSpec": { + "$ref": "#/definitions/AWS::SageMaker::Domain.ResourceSpec", + "markdownDescription": "", + "title": "DefaultResourceSpec" + }, + "LifecycleConfigArns": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Name (ARN) of the lifecycle configurations attached to the user profile or domain. To remove a lifecycle config, you must set `LifecycleConfigArns` to an empty list.", + "title": "LifecycleConfigArns", + "type": "array" + } + }, + "type": "object" + }, "AWS::SageMaker::Domain.JupyterServerAppSettings": { "additionalProperties": false, "properties": { 
@@ -224983,11 +233182,39 @@ "AWS::SageMaker::Domain.UserSettings": { "additionalProperties": false, "properties": { + "CodeEditorAppSettings": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CodeEditorAppSettings", + "markdownDescription": "The Code Editor application settings.", + "title": "CodeEditorAppSettings" + }, + "CustomFileSystemConfigs": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CustomFileSystemConfig" + }, + "markdownDescription": "The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio.", + "title": "CustomFileSystemConfigs", + "type": "array" + }, + "CustomPosixUserConfig": { + "$ref": "#/definitions/AWS::SageMaker::Domain.CustomPosixUserConfig", + "markdownDescription": "Details about the POSIX identity that is used for file system operations.", + "title": "CustomPosixUserConfig" + }, + "DefaultLandingUri": { + "markdownDescription": "The default experience that the user is directed to when accessing the domain. The supported values are:\n\n- `studio::` : Indicates that Studio is the default experience. This value can only be passed if `StudioWebPortal` is set to `ENABLED` .\n- `app:JupyterServer:` : Indicates that Studio Classic is the default experience.", + "title": "DefaultLandingUri", + "type": "string" + }, "ExecutionRole": { "markdownDescription": "The execution role for the user.", "title": "ExecutionRole", "type": "string" }, + "JupyterLabAppSettings": { + "$ref": "#/definitions/AWS::SageMaker::Domain.JupyterLabAppSettings", + "markdownDescription": "The settings for the JupyterLab application.", + "title": "JupyterLabAppSettings" + }, "JupyterServerAppSettings": { "$ref": "#/definitions/AWS::SageMaker::Domain.JupyterServerAppSettings", "markdownDescription": "The Jupyter server's app settings.", 
@@ -225012,14 +233239,24 @@ "items": { "type": "string" }, - "markdownDescription": "The security groups for the Amazon Virtual Private Cloud (VPC) that Studio uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", + "markdownDescription": "The security groups for the Amazon Virtual Private Cloud (VPC) that the domain uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from Amazon SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", "title": "SecurityGroups", "type": "array" }, "SharingSettings": { "$ref": "#/definitions/AWS::SageMaker::Domain.SharingSettings", - "markdownDescription": "Specifies options for sharing SageMaker Studio notebooks.", + "markdownDescription": "Specifies options for sharing Amazon SageMaker Studio notebooks.", "title": "SharingSettings" + }, + "SpaceStorageSettings": { + "$ref": "#/definitions/AWS::SageMaker::Domain.DefaultSpaceStorageSettings", + "markdownDescription": "The storage settings for a private space.", + "title": "SpaceStorageSettings" + }, + "StudioWebPortal": { + "markdownDescription": "Whether the user can access Studio. 
If this value is set to `DISABLED` , the user cannot access Studio, even if that is the default experience for the domain.", + "title": "StudioWebPortal", + "type": "string" } }, "required": [ @@ -225219,7 +233456,9 @@ "title": "BlueGreenUpdatePolicy" }, "RollingUpdatePolicy": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.RollingUpdatePolicy" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.RollingUpdatePolicy", + "markdownDescription": "Specifies a rolling deployment strategy for updating a SageMaker endpoint.", + "title": "RollingUpdatePolicy" } }, "type": "object" 
@@ -225228,15 +233467,23 @@ "additionalProperties": false, "properties": { "MaximumBatchSize": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize", + "markdownDescription": "Batch size for each rolling step to provision capacity and turn on traffic on the new endpoint fleet, and terminate capacity on the old endpoint fleet. Value must be between 5% to 50% of the variant's total instance count.", + "title": "MaximumBatchSize" }, "MaximumExecutionTimeoutInSeconds": { + "markdownDescription": "The time limit for the total deployment. Exceeding this limit causes a timeout.", + "title": "MaximumExecutionTimeoutInSeconds", "type": "number" }, "RollbackMaximumBatchSize": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize", + "markdownDescription": "Batch size for rollback to the old endpoint fleet. Each rolling step to provision capacity and turn on traffic on the old endpoint fleet, and terminate capacity on the new endpoint fleet. If this field is absent, the default value will be set to 100% of total capacity which means to bring up the whole capacity of the old fleet at once during rollback.", + "title": "RollbackMaximumBatchSize" }, "WaitIntervalInSeconds": { + "markdownDescription": "The length of the baking period, during which SageMaker monitors alarms for each batch on the new fleet.", + "title": "WaitIntervalInSeconds", "type": "number" } }, 
@@ -225331,14 +233578,20 @@ "markdownDescription": "Specifies how to capture endpoint data for model monitor. The data capture configuration applies to all production variants hosted at the endpoint.", "title": "DataCaptureConfig" }, + "EnableNetworkIsolation": { + "type": "boolean" + }, "EndpointConfigName": { "markdownDescription": "The name of the endpoint configuration.", "title": "EndpointConfigName", "type": "string" }, + "ExecutionRoleArn": { + "type": "string" + }, "ExplainerConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ExplainerConfig", - "markdownDescription": "", + "markdownDescription": "A parameter to activate explainers.", "title": "ExplainerConfig" }, "KmsKeyId": { @@ -225369,6 +233622,9 @@ "markdownDescription": "A list of key-value pairs to apply to this resource.\n\nFor more information, see [Resource Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) and [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html#allocation-what) .", "title": "Tags", "type": "array" + }, + "VpcConfig": { + "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.VpcConfig" } }, "required": [ @@ -225439,7 +233695,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The Amazon SNS topics where you want the inference response to be included.\n\n> The inference response is included only if the response size is less than or equal to 128 KB.", "title": "IncludeInferenceResponseIn", "type": "array" }, @@ -225465,7 +233721,7 @@ "title": "NotificationConfig" }, "S3FailurePath": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location to upload failure inference responses to.", "title": "S3FailurePath", "type": "string" }, 
@@ -225517,18 +233773,18 @@ "additionalProperties": false, "properties": { "EnableExplanations": { - "markdownDescription": "", + "markdownDescription": "A JMESPath boolean expression used to filter which records to explain. Explanations are activated by default. See [`EnableExplanations`](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-enable) for additional information.", "title": "EnableExplanations", "type": "string" }, "InferenceConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyInferenceConfig", - "markdownDescription": "", + "markdownDescription": "The inference configuration parameter for the model container.", "title": "InferenceConfig" }, "ShapConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyShapConfig", - "markdownDescription": "", + "markdownDescription": "The configuration for SHAP analysis.", "title": "ShapConfig" } }, @@ -225551,7 +233807,7 @@ "additionalProperties": false, "properties": { "ContentTemplate": { - "markdownDescription": "", + "markdownDescription": "A template string used to format a JSON record into an acceptable model container input. For example, a `ContentTemplate` string `'{\"myfeatures\":$features}'` will format a list of features `[1,2,3]` into the record string `'{\"myfeatures\":[1,2,3]}'` . Required only when the model container input is in JSON Lines format.", "title": "ContentTemplate", "type": "string" }, 
@@ -225559,7 +233815,7 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyHeader" }, - "markdownDescription": "", + "markdownDescription": "The names of the features. If provided, these are included in the endpoint response payload to help readability of the `InvokeEndpoint` output. See the [Response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", "title": "FeatureHeaders", "type": "array" }, 
@@ -225567,17 +233823,17 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyFeatureType" }, - "markdownDescription": "", + "markdownDescription": "A list of data types of the features (optional). Applicable only to NLP explainability. If provided, `FeatureTypes` must have at least one `'text'` string (for example, `['text']` ). If `FeatureTypes` is not provided, the explainer infers the feature types based on the baseline data. The feature types are included in the endpoint response payload. For additional information see the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", "title": "FeatureTypes", "type": "array" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "Provides the JMESPath expression to extract the features from a model container input in JSON Lines format. For example, if `FeaturesAttribute` is the JMESPath expression `'myfeatures'` , it extracts a list of features `[1,2,3]` from request data `'{\"myfeatures\":[1,2,3]}'` .", "title": "FeaturesAttribute", "type": "string" }, "LabelAttribute": { - "markdownDescription": "", + "markdownDescription": "A JMESPath expression used to locate the list of label headers in the model container output.\n\n*Example* : If the model container output of a batch request is `'{\"labels\":[\"cat\",\"dog\",\"fish\"],\"probability\":[0.6,0.3,0.1]}'` , then set `LabelAttribute` to `'labels'` to extract the list of label headers `[\"cat\",\"dog\",\"fish\"]`", "title": "LabelAttribute", "type": "string" }, 
@@ -225585,32 +233841,32 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyHeader" }, - "markdownDescription": "", + "markdownDescription": "For multiclass classification problems, the label headers are the names of the classes. Otherwise, the label header is the name of the predicted label. These are used to help readability for the output of the `InvokeEndpoint` API. See the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information. If there are no label headers in the model container output, provide them manually using this parameter.", "title": "LabelHeaders", "type": "array" }, "LabelIndex": { - "markdownDescription": "", + "markdownDescription": "A zero-based index used to extract a label header or list of label headers from model container output in CSV format.\n\n*Example for a multiclass model:* If the model container output consists of label headers followed by probabilities: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `LabelIndex` to `0` to select the label headers `['cat','dog','fish']` .", "title": "LabelIndex", "type": "number" }, "MaxPayloadInMB": { - "markdownDescription": "", + "markdownDescription": "The maximum payload size (MB) allowed of a request from the explainer to the model container. Defaults to `6` MB.", "title": "MaxPayloadInMB", "type": "number" }, "MaxRecordCount": { - "markdownDescription": "", + "markdownDescription": "The maximum number of records in a request that the model container can process when querying the model container for the predictions of a [synthetic dataset](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-synthetic) . 
A record is a unit of input data that inference can be made on, for example, a single line in CSV data. If `MaxRecordCount` is `1` , the model container expects one record per request. A value of 2 or greater means that the model expects batch requests, which can reduce overhead and speed up the inferencing process. If this parameter is not provided, the explainer will tune the record count per request according to the model container's capacity at runtime.", "title": "MaxRecordCount", "type": "number" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "A JMESPath expression used to extract the probability (or score) from the model container output if the model container is in JSON Lines format.\n\n*Example* : If the model container output of a single request is `'{\"predicted_label\":1,\"probability\":0.6}'` , then set `ProbabilityAttribute` to `'probability'` .", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityIndex": { - "markdownDescription": "", + "markdownDescription": "A zero-based index used to extract a probability value (score) or list from model container output in CSV format. If this value is not provided, the entire model container output will be treated as a probability value (score) or list.\n\n*Example for a single class model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'1,0.6'` , set `ProbabilityIndex` to `1` to select the probability value `0.6` .\n\n*Example for a multiclass model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `ProbabilityIndex` to `1` to select the probability values `[0.1,0.6,0.3]` .", "title": "ProbabilityIndex", "type": "number" } 
@@ -225621,17 +233877,17 @@ "additionalProperties": false, "properties": { "MimeType": { - "markdownDescription": "", + "markdownDescription": "The MIME type of the baseline data. Choose from `'text/csv'` or `'application/jsonlines'` . Defaults to `'text/csv'` .", "title": "MimeType", "type": "string" }, "ShapBaseline": { - "markdownDescription": "", + "markdownDescription": "The inline SHAP baseline data in string format. `ShapBaseline` can have one or multiple records to be used as the baseline dataset. The format of the SHAP baseline file should be the same format as the training dataset. For example, if the training dataset is in CSV format and each record contains four features, and all features are numerical, then the format of the baseline data should also share these characteristics. For natural language processing (NLP) of text columns, the baseline value should be the value used to replace the unit of text specified by the `Granularity` of the `TextConfig` parameter. The size limit for `ShapBasline` is 4 KB. Use the `ShapBaselineUri` parameter if you want to provide more than 4 KB of baseline data.", "title": "ShapBaseline", "type": "string" }, "ShapBaselineUri": { - "markdownDescription": "", + "markdownDescription": "The uniform resource identifier (URI) of the S3 bucket where the SHAP baseline file is stored. The format of the SHAP baseline file should be the same format as the format of the training dataset. For example, if the training dataset is in CSV format, and each record in the training dataset has four features, and all features are numerical, then the baseline file should also have this same format. Each record should contain only the features. If you are using a virtual private cloud (VPC), the `ShapBaselineUri` should be accessible to the VPC. 
For more information about setting up endpoints with Amazon Virtual Private Cloud, see [Give SageMaker access to Resources in your Amazon Virtual Private Cloud](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .", "title": "ShapBaselineUri", "type": "string" } 
@@ -225642,27 +233898,27 @@ "additionalProperties": false, "properties": { "NumberOfSamples": { - "markdownDescription": "", + "markdownDescription": "The number of samples to be used for analysis by the Kernal SHAP algorithm.\n\n> The number of samples determines the size of the synthetic dataset, which has an impact on latency of explainability requests. For more information, see the *Synthetic data* of [Configure and create an endpoint](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html) .", "title": "NumberOfSamples", "type": "number" }, "Seed": { - "markdownDescription": "", + "markdownDescription": "The starting value used to initialize the random number generator in the explainer. Provide a value for this parameter to obtain a deterministic SHAP result.", "title": "Seed", "type": "number" }, "ShapBaselineConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyShapBaselineConfig", - "markdownDescription": "", + "markdownDescription": "The configuration for the SHAP baseline of the Kernal SHAP algorithm.", "title": "ShapBaselineConfig" }, "TextConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyTextConfig", - "markdownDescription": "", + "markdownDescription": "A parameter that indicates if text features are treated as text and explanations are provided for individual units of text. Required for natural language processing (NLP) explainability only.", "title": "TextConfig" }, "UseLogit": { - "markdownDescription": "", + "markdownDescription": "A Boolean toggle to indicate if you want to use the logit function (true) or log-odds units (false) for model predictions. Defaults to false.", "title": "UseLogit", "type": "boolean" } 
@@ -225676,12 +233932,12 @@ "additionalProperties": false, "properties": { "Granularity": { - "markdownDescription": "", + "markdownDescription": "The unit of granularity for the analysis of text features. For example, if the unit is `'token'` , then each token (like a word in English) of the text is treated as a feature. SHAP values are computed for each unit/feature.", "title": "Granularity", "type": "string" }, "Language": { - "markdownDescription": "", + "markdownDescription": "Specifies the language of the text features in [ISO 639-1](https://docs.aws.amazon.com/ https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) or [ISO 639-3](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_639-3) code of a supported language.\n\n> For a mix of multiple languages, use code `'xx'` .", "title": "Language", "type": "string" } @@ -225741,12 +233997,27 @@ "properties": { "ClarifyExplainerConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyExplainerConfig", - "markdownDescription": "", + "markdownDescription": "A member of `ExplainerConfig` that contains configuration parameters for the SageMaker Clarify explainer.", "title": "ClarifyExplainerConfig" } }, "type": "object" }, + "AWS::SageMaker::EndpointConfig.ManagedInstanceScaling": { + "additionalProperties": false, + "properties": { + "MaxInstanceCount": { + "type": "number" + }, + "MinInstanceCount": { + "type": "number" + }, + "Status": { + "type": "string" + } + }, + "type": "object" + }, "AWS::SageMaker::EndpointConfig.ProductionVariant": { "additionalProperties": false, "properties": { 
@@ -225756,12 +234027,12 @@ "type": "string" }, "ContainerStartupHealthCheckTimeoutInSeconds": { - "markdownDescription": "", + "markdownDescription": "The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests) .", "title": "ContainerStartupHealthCheckTimeoutInSeconds", "type": "number" }, "EnableSSMAccess": { - "markdownDescription": "", + "markdownDescription": "You can use this parameter to turn on native AWS Systems Manager (SSM) access for a production variant behind an endpoint. By default, SSM access is disabled for all production variants behind an endpoint. You can turn on or turn off SSM access for a production variant behind an existing endpoint by creating a new endpoint configuration and calling `UpdateEndpoint` .", "title": "EnableSSMAccess", "type": "boolean" }, @@ -225780,8 +234051,11 @@ "title": "InstanceType", "type": "string" }, + "ManagedInstanceScaling": { + "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ManagedInstanceScaling" + }, "ModelDataDownloadTimeoutInSeconds": { - "markdownDescription": "", + "markdownDescription": "The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant.", "title": "ModelDataDownloadTimeoutInSeconds", "type": "number" }, 
@@ -225790,6 +234064,9 @@ "title": "ModelName", "type": "string" }, + "RoutingConfig": { + "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.RoutingConfig" + }, "ServerlessConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ServerlessConfig", "markdownDescription": "The serverless configuration for an endpoint. Specifies a serverless endpoint configuration instead of an instance-based endpoint configuration.", @@ -225801,18 +234078,25 @@ "type": "string" }, "VolumeSizeInGB": { - "markdownDescription": "", + "markdownDescription": "The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Currently only Amazon EBS gp2 storage volumes are supported.", "title": "VolumeSizeInGB", "type": "number" } }, "required": [ - "InitialVariantWeight", - "ModelName", "VariantName" ], "type": "object" }, + "AWS::SageMaker::EndpointConfig.RoutingConfig": { + "additionalProperties": false, + "properties": { + "RoutingStrategy": { + "type": "string" + } + }, + "type": "object" + }, "AWS::SageMaker::EndpointConfig.ServerlessConfig": { "additionalProperties": false, "properties": { @@ -225838,6 +234122,28 @@ ], "type": "object" }, + "AWS::SageMaker::EndpointConfig.VpcConfig": { + "additionalProperties": false, + "properties": { + "SecurityGroupIds": { + "items": { + "type": "string" + }, + "type": "array" + }, + "Subnets": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "SecurityGroupIds", + "Subnets" + ], + "type": "object" + }, "AWS::SageMaker::FeatureGroup": { "additionalProperties": false, "properties": { @@ -226019,7 +234325,7 @@ "title": "S3StorageConfig" }, "TableFormat": { - "markdownDescription": "", + "markdownDescription": "Format for the offline store table. Supported formats are Glue (Default) and [Apache Iceberg](https://docs.aws.amazon.com/https://iceberg.apache.org/) .", "title": "TableFormat", "type": "string" } 
@@ -226041,6 +234347,11 @@ "$ref": "#/definitions/AWS::SageMaker::FeatureGroup.OnlineStoreSecurityConfig", "markdownDescription": "Use to specify KMS Key ID ( `KMSKeyId` ) for at-rest encryption of your `OnlineStore` .", "title": "SecurityConfig" + }, + "StorageType": { + "markdownDescription": "Option for different tiers of low latency storage for real-time data retrieval.\n\n- `Standard` : A managed low latency data store for feature groups.\n- `InMemory` : A managed data store for feature groups that supports very low latency retrieval.", + "title": "StorageType", + "type": "string" } }, "type": "object" 
@@ -226110,44 +234421,268 @@ "Properties": { "additionalProperties": false, "properties": { - "ImageDescription": { - "markdownDescription": "The description of the image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 512.\n\n*Pattern* : `.*`", - "title": "ImageDescription", + "ImageDescription": { + "markdownDescription": "The description of the image.", + "title": "ImageDescription", + "type": "string" + }, + "ImageDisplayName": { + "markdownDescription": "The display name of the image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 128.\n\n*Pattern* : `^\\S(.*\\S)?$`", + "title": "ImageDisplayName", + "type": "string" + }, + "ImageName": { + "markdownDescription": "The name of the Image. Must be unique by region in your account.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`", + "title": "ImageName", + "type": "string" + }, + "ImageRoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that enables Amazon SageMaker to perform tasks on your behalf.\n\n*Length Constraints* : Minimum length of 20. Maximum length of 2048.\n\n*Pattern* : `^arn:aws[a-z\\-]*:iam::\\d{12}:role/?[a-zA-Z_0-9+=,.@\\-_/]+$`", + "title": "ImageRoleArn", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "A list of key-value pairs to apply to this resource.\n\n*Array Members* : Minimum number of 0 items. 
Maximum number of 50 items.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "ImageName", + "ImageRoleArn" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::SageMaker::Image" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::SageMaker::ImageVersion": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "Alias": { + "markdownDescription": "", + "title": "Alias", + "type": "string" + }, + "Aliases": { + "items": { + "type": "string" + }, + "markdownDescription": "", + "title": "Aliases", + "type": "array" + }, + "BaseImage": { + "markdownDescription": "The container image that the SageMaker image version is based on.", + "title": "BaseImage", + "type": "string" + }, + "Horovod": { + "markdownDescription": "", + "title": "Horovod", + "type": "boolean" + }, + "ImageName": { + "markdownDescription": "The name of the parent image.\n\n*Length Constraints* : Minimum length of 1. 
Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`", + "title": "ImageName", + "type": "string" + }, + "JobType": { + "markdownDescription": "", + "title": "JobType", + "type": "string" + }, + "MLFramework": { + "markdownDescription": "", + "title": "MLFramework", + "type": "string" + }, + "Processor": { + "markdownDescription": "", + "title": "Processor", + "type": "string" + }, + "ProgrammingLang": { + "markdownDescription": "", + "title": "ProgrammingLang", + "type": "string" + }, + "ReleaseNotes": { + "markdownDescription": "", + "title": "ReleaseNotes", + "type": "string" + }, + "VendorGuidance": { + "markdownDescription": "", + "title": "VendorGuidance", + "type": "string" + } + }, + "required": [ + "BaseImage", + "ImageName" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::SageMaker::ImageVersion" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::SageMaker::InferenceComponent": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "EndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the endpoint that hosts the inference component.", + "title": "EndpointArn", "type": "string" }, - "ImageDisplayName": { - "markdownDescription": "The display name of the image.\n\n*Length Constraints* : Minimum length of 1. 
Maximum length of 128.\n\n*Pattern* : `^\\S(.*\\S)?$`", - "title": "ImageDisplayName", + "EndpointName": { + "markdownDescription": "The name of the endpoint that hosts the inference component.", + "title": "EndpointName", "type": "string" }, - "ImageName": { - "markdownDescription": "The name of the Image. Must be unique by region in your account.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`", - "title": "ImageName", + "InferenceComponentName": { + "markdownDescription": "The name of the inference component.", + "title": "InferenceComponentName", "type": "string" }, - "ImageRoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that enables Amazon SageMaker to perform tasks on your behalf.\n\n*Length Constraints* : Minimum length of 20. Maximum length of 2048.\n\n*Pattern* : `^arn:aws[a-z\\-]*:iam::\\d{12}:role/?[a-zA-Z_0-9+=,.@\\-_/]+$`", - "title": "ImageRoleArn", - "type": "string" + "RuntimeConfig": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentRuntimeConfig", + "markdownDescription": "", + "title": "RuntimeConfig" + }, + "Specification": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentSpecification", + "markdownDescription": "", + "title": "Specification" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A list of key-value pairs to apply to this resource.\n\n*Array Members* : Minimum number of 0 items. 
Maximum number of 50 items.", + "markdownDescription": "", "title": "Tags", "type": "array" + }, + "VariantName": { + "markdownDescription": "The name of the production variant that hosts the inference component.", + "title": "VariantName", + "type": "string" } }, "required": [ - "ImageName", - "ImageRoleArn" + "EndpointName", + "RuntimeConfig", + "Specification", + "VariantName" ], "type": "object" }, "Type": { "enum": [ - "AWS::SageMaker::Image" + "AWS::SageMaker::InferenceComponent" ], "type": "string" }, 
@@ -226166,109 +234701,151 @@ ], "type": "object" }, - "AWS::SageMaker::ImageVersion": { + "AWS::SageMaker::InferenceComponent.DeployedImage": { "additionalProperties": false, "properties": { - "Condition": { + "ResolutionTime": { + "markdownDescription": "The date and time when the image path for the model resolved to the `ResolvedImage`", + "title": "ResolutionTime", "type": "string" }, - "DeletionPolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], + "ResolvedImage": { + "markdownDescription": "The specific digest path of the image hosted in this `ProductionVariant` .", + "title": "ResolvedImage", "type": "string" }, - "DependsOn": { - "anyOf": [ - { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - { - "items": { - "pattern": "^[a-zA-Z0-9]+$", - "type": "string" - }, - "type": "array" - } - ] + "SpecifiedImage": { + "markdownDescription": "The image path you specified when you created the model.", + "title": "SpecifiedImage", + "type": "string" + } + }, + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.InferenceComponentComputeResourceRequirements": { + "additionalProperties": false, + "properties": { + "MaxMemoryRequiredInMb": { + "markdownDescription": "The maximum MB of memory to allocate to run a model that you assign to an inference component.", + "title": "MaxMemoryRequiredInMb", + "type": "number" }, - "Metadata": { - "type": "object" + "MinMemoryRequiredInMb": { + "markdownDescription": "The minimum MB of memory to allocate to run a model that you assign to an inference component.", + "title": "MinMemoryRequiredInMb", + "type": "number" }, - "Properties": { - "additionalProperties": false, - "properties": { - "Alias": { - "type": "string" - }, - "Aliases": { - "items": { - "type": "string" - }, - "type": "array" - }, - "BaseImage": { - "markdownDescription": "The container image that the SageMaker image version is based on.\n\n*Length Constraints* : Minimum length of 1. 
Maximum length of 255.\n\n*Pattern* : `.*`", - "title": "BaseImage", - "type": "string" - }, - "Horovod": { - "type": "boolean" - }, - "ImageName": { - "markdownDescription": "The name of the parent image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`", - "title": "ImageName", - "type": "string" - }, - "JobType": { - "type": "string" - }, - "MLFramework": { - "type": "string" - }, - "Processor": { - "type": "string" - }, - "ProgrammingLang": { - "type": "string" - }, - "ReleaseNotes": { - "type": "string" - }, - "VendorGuidance": { + "NumberOfAcceleratorDevicesRequired": { + "markdownDescription": "The number of accelerators to allocate to run a model that you assign to an inference component. Accelerators include GPUs and AWS Inferentia.", + "title": "NumberOfAcceleratorDevicesRequired", + "type": "number" + }, + "NumberOfCpuCoresRequired": { + "markdownDescription": "The number of CPU cores to allocate to run a model that you assign to an inference component.", + "title": "NumberOfCpuCoresRequired", + "type": "number" + } + }, + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.InferenceComponentContainerSpecification": { + "additionalProperties": false, + "properties": { + "ArtifactUrl": { + "markdownDescription": "The Amazon S3 path where the model artifacts, which result from model training, are stored. This path must point to a single gzip compressed tar archive (.tar.gz suffix).", + "title": "ArtifactUrl", + "type": "string" + }, + "DeployedImage": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.DeployedImage", + "markdownDescription": "", + "title": "DeployedImage" + }, + "Environment": { + "additionalProperties": true, + "markdownDescription": "The environment variables to set in the Docker container. Each key and value in the Environment string-to-string map can have length of up to 1024. 
We support up to 16 entries in the map.", + "patternProperties": { + "^[a-zA-Z0-9]+$": { "type": "string" } }, - "required": [ - "BaseImage", - "ImageName" - ], + "title": "Environment", "type": "object" }, - "Type": { - "enum": [ - "AWS::SageMaker::ImageVersion" - ], + "Image": { + "markdownDescription": "The Amazon Elastic Container Registry (Amazon ECR) path where the Docker image for the model is stored.", + "title": "Image", "type": "string" + } + }, + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.InferenceComponentRuntimeConfig": { + "additionalProperties": false, + "properties": { + "CopyCount": { + "markdownDescription": "The number of runtime copies of the model container to deploy with the inference component. Each copy can serve inference requests.", + "title": "CopyCount", + "type": "number" }, - "UpdateReplacePolicy": { - "enum": [ - "Delete", - "Retain", - "Snapshot" - ], + "CurrentCopyCount": { + "markdownDescription": "", + "title": "CurrentCopyCount", + "type": "number" + }, + "DesiredCopyCount": { + "markdownDescription": "", + "title": "DesiredCopyCount", + "type": "number" + } + }, + "type": "object" + }, + "AWS::SageMaker::InferenceComponent.InferenceComponentSpecification": { + "additionalProperties": false, + "properties": { + "ComputeResourceRequirements": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentComputeResourceRequirements", + "markdownDescription": "The compute resources allocated to run the model assigned to the inference component.", + "title": "ComputeResourceRequirements" + }, + "Container": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentContainerSpecification", + "markdownDescription": "Defines a container that provides the runtime environment for a model that you deploy with an inference component.", + "title": "Container" + }, + "ModelName": { + "markdownDescription": "The name of an existing SageMaker model object in your account that you want to 
deploy with the inference component.", + "title": "ModelName", "type": "string" + }, + "StartupParameters": { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent.InferenceComponentStartupParameters", + "markdownDescription": "Settings that take effect while the model container starts up.", + "title": "StartupParameters" } }, "required": [ - "Type", - "Properties" + "ComputeResourceRequirements" ], "type": "object" }, + "AWS::SageMaker::InferenceComponent.InferenceComponentStartupParameters": { + "additionalProperties": false, + "properties": { + "ContainerStartupHealthCheckTimeoutInSeconds": { + "markdownDescription": "The timeout value, in seconds, for your inference container to pass health check by Amazon S3 Hosting. For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests) .", + "title": "ContainerStartupHealthCheckTimeoutInSeconds", + "type": "number" + }, + "ModelDataDownloadTimeoutInSeconds": { + "markdownDescription": "The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this inference component.", + "title": "ModelDataDownloadTimeoutInSeconds", + "type": "number" + } + }, + "type": "object" + }, "AWS::SageMaker::InferenceExperiment": { "additionalProperties": false, "properties": { @@ -226413,7 +234990,7 @@ "items": { "type": "string" }, - "markdownDescription": "The list of all content type headers that SageMaker will treat as CSV and capture accordingly.", + "markdownDescription": "The list of all content type headers that Amazon SageMaker will treat as CSV and capture accordingly.", "title": "CsvContentTypes", "type": "array" }, @@ -226683,9 +235260,6 @@ "title": "VpcConfig" } }, - "required": [ - "ExecutionRoleArn" - ], "type": "object" }, "Type": { 
@@ -226704,8 +235278,7 @@ } }, "required": [ - "Type", - "Properties" + "Type" ], "type": "object" }, @@ -226742,6 +235315,11 @@ "title": "Mode", "type": "string" }, + "ModelDataSource": { + "$ref": "#/definitions/AWS::SageMaker::Model.ModelDataSource", + "markdownDescription": "Specifies the location of ML model data to deploy.\n\n> Currently you cannot use `ModelDataSource` in conjunction with SageMaker batch transform, SageMaker serverless endpoints, SageMaker multi-model endpoints, and SageMaker Marketplace.", + "title": "ModelDataSource" + }, "ModelDataUrl": { "markdownDescription": "The S3 path where the model artifacts, which result from model training, are stored. This path must point to a single gzip compressed tar archive (.tar.gz suffix). The S3 path is required for SageMaker built-in algorithms, but not if you use your own algorithms. For more information on built-in algorithms, see [Common Parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-algo-docker-registry-paths.html) .\n\n> The model artifacts must be in an S3 bucket that is in the same region as the model or endpoint you are creating. \n\nIf you provide a value for this parameter, SageMaker uses AWS Security Token Service to download model artifacts from the S3 path you provide. AWS STS is activated in your AWS account by default. If you previously deactivated AWS STS for a region, you need to reactivate AWS STS for that region. For more information, see [Activating and Deactivating AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the *AWS Identity and Access Management User Guide* .\n\n> If you use a built-in algorithm to create a model, SageMaker requires that you provide a S3 path to the model artifacts in `ModelDataUrl` .", "title": "ModelDataUrl", 
@@ -226793,6 +235371,20 @@ ], "type": "object" }, + "AWS::SageMaker::Model.ModelDataSource": { + "additionalProperties": false, + "properties": { + "S3DataSource": { + "$ref": "#/definitions/AWS::SageMaker::Model.S3DataSource", + "markdownDescription": "Specifies the S3 location of ML model data to deploy.", + "title": "S3DataSource" + } + }, + "required": [ + "S3DataSource" + ], + "type": "object" + }, "AWS::SageMaker::Model.MultiModelConfig": { "additionalProperties": false, "properties": { 
@@ -226818,6 +235410,32 @@ ], "type": "object" }, + "AWS::SageMaker::Model.S3DataSource": { + "additionalProperties": false, + "properties": { + "CompressionType": { + "markdownDescription": "", + "title": "CompressionType", + "type": "string" + }, + "S3DataType": { + "markdownDescription": "If you choose `S3Prefix` , `S3Uri` identifies a key name prefix. SageMaker uses all objects that match the specified key name prefix for model training.\n\nIf you choose `ManifestFile` , `S3Uri` identifies an object that is a manifest file containing a list of object keys that you want SageMaker to use for model training.\n\nIf you choose `AugmentedManifestFile` , S3Uri identifies an object that is an augmented manifest file in JSON lines format. This file contains the data you want to use for model training. `AugmentedManifestFile` can only be used if the Channel's input mode is `Pipe` .", + "title": "S3DataType", + "type": "string" + }, + "S3Uri": { + "markdownDescription": "Depending on the value specified for the `S3DataType` , identifies either a key name prefix or a manifest. For example:\n\n- A key name prefix might look like this: `s3://bucketname/exampleprefix`\n- A manifest might look like this: `s3://bucketname/example.manifest`\n\nA manifest is an S3 object which is a JSON file consisting of an array of elements. The first element is a prefix which is followed by one or more suffixes. SageMaker appends the suffix elements to the prefix to get a full set of `S3Uri` . 
Note that the prefix must be a valid non-empty `S3Uri` that precludes users from specifying a manifest whose individual `S3Uri` is sourced from different S3 buckets.\n\nThe following code example shows a valid manifest format:\n\n`[ {\"prefix\": \"s3://customer_bucket/some/prefix/\"},`\n\n`\"relative/path/to/custdata-1\",`\n\n`\"relative/path/custdata-2\",`\n\n`...`\n\n`\"relative/path/custdata-N\"`\n\n`]`\n\nThis JSON is equivalent to the following `S3Uri` list:\n\n`s3://customer_bucket/some/prefix/relative/path/to/custdata-1`\n\n`s3://customer_bucket/some/prefix/relative/path/custdata-2`\n\n`...`\n\n`s3://customer_bucket/some/prefix/relative/path/custdata-N`\n\nThe complete set of `S3Uri` in this manifest is the input data for the channel for this data source. The object that each `S3Uri` points to must be readable by the IAM role that SageMaker uses to perform tasks on your behalf.\n\nYour input bucket must be located in same AWS region as your training job.", + "title": "S3Uri", + "type": "string" + } + }, + "required": [ + "CompressionType", + "S3DataType", + "S3Uri" + ], + "type": "object" + }, "AWS::SageMaker::Model.VpcConfig": { "additionalProperties": false, "properties": { @@ -226825,7 +235443,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, 
@@ -226972,57 +235590,57 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelBiasJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "EndTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "EndTimeOffset", "type": "string" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "The attributes of the input data that are the input features.", "title": "FeaturesAttribute", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityThresholdAttribute": { - "markdownDescription": "", + "markdownDescription": "The threshold for the class probability to be evaluated as a positive result.", "title": "ProbabilityThresholdAttribute", "type": "number" }, "S3DataDistributionType": { - 
"markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" }, "StartTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "StartTimeOffset", "type": "string" } @@ -227147,7 +235765,7 @@ "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -227231,7 +235849,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelBiasJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { 
@@ -227282,7 +235900,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -227381,7 +235999,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, @@ -227711,7 +236329,7 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::ModelCard.Container" }, - "markdownDescription": "", + "markdownDescription": "The Amazon ECR registry path of the Docker image that contains the inference code.", "title": "Containers", "type": "array" } 
@@ -227756,39 +236374,27 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "The names of the metrics.", - "title": "Name", "type": "string" }, "Notes": { - "markdownDescription": "Any notes to add to the metric.", - "title": "Notes", "type": "string" }, "Type": { - "markdownDescription": "You must specify one of the following data types:\n\n- Bar Chart `bar_char`\n- Boolean `boolean`\n- Linear Graph `linear_graph`\n- Matrix `matrix`\n- Number `number`\n- String `string`", - "title": "Type", "type": "string" }, "Value": { - "markdownDescription": "The datatype of the metric. The metric's *value* must be compatible with the metric's *type* .", - "title": "Value", "type": "object" }, "XAxisName": { "items": { "type": "string" }, - "markdownDescription": "The name of the x axis.", - "title": "XAxisName", "type": "array" }, "YAxisName": { "items": { "type": "string" }, - "markdownDescription": "The name of the y axis.", - "title": "YAxisName", "type": "array" } }, @@ -227997,12 +236603,12 @@ "additionalProperties": false, "properties": { "AlgorithmName": { - "markdownDescription": "", + "markdownDescription": "The name of an algorithm that was used to create the model package. The algorithm must be either an algorithm resource in your SageMaker account or an algorithm in AWS Marketplace that you are subscribed to.", "title": "AlgorithmName", "type": "string" }, "ModelDataUrl": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 path where the model artifacts, which result from model training, are stored. This path must point to a single `gzip` compressed tar archive ( `.tar.gz` suffix).\n\n> The model artifacts must be in an S3 bucket that is in the same AWS region as the algorithm.", "title": "ModelDataUrl", "type": "string" } 
@@ -228297,42 +236903,42 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelExplainabilityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "The attributes of the input data that are the input features.", "title": "FeaturesAttribute", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } 
@@ -228447,7 +237053,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -228478,7 +237084,7 @@ "additionalProperties": false, "properties": { "ConfigUri": { - "markdownDescription": "JSON formatted S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", + "markdownDescription": "JSON formatted Amazon S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", "title": "ConfigUri", "type": "string" }, @@ -228526,7 +237132,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelExplainabilityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -228555,7 +237161,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, 
@@ -228654,7 +237260,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, @@ -228816,6 +237422,8 @@ "type": "string" }, "SkipModelValidation": { + "markdownDescription": "Indicates if you want to skip model validation.", + "title": "SkipModelValidation", "type": "string" }, "SourceAlgorithmSpecification": { 
@@ -229809,52 +238417,52 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelQualityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "EndTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "EndTimeOffset", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityThresholdAttribute": { - "markdownDescription": "", + "markdownDescription": "The threshold for the class probability to be evaluated as a positive result.", "title": "ProbabilityThresholdAttribute", "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. 
Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" }, "StartTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "StartTimeOffset", "type": "string" } @@ -229974,7 +238582,7 @@ "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -230052,7 +238660,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } 
@@ -230084,7 +238692,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelQualityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -230135,7 +238743,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -230234,7 +238842,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, 
@@ -230374,30 +238982,32 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } @@ -230492,6 +239102,8 @@ "type": "string" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { 
@@ -230500,7 +239112,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -230557,7 +239169,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -230625,7 +239237,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -230670,7 +239282,7 @@ }, "MonitoringOutputConfig": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.MonitoringOutputConfig", - "markdownDescription": "The array of outputs from the monitoring job to be uploaded to Amazon Simple Storage Service (Amazon S3).", + "markdownDescription": "The array of outputs from the monitoring job to be uploaded to Amazon S3.", "title": "MonitoringOutputConfig" }, "MonitoringResources": { 
@@ -230721,7 +239333,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, 
@@ -230829,13 +239441,17 @@ "additionalProperties": false, "properties": { "DataAnalysisEndTime": { + "markdownDescription": "Sets the end time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to end the window one hour before the start of each monitoring job, you would specify: `\"-PT1H\"` .\n\nThe end time that you specify must not follow the start time that you specify by more than 24 hours. You specify the start time with the `DataAnalysisStartTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "title": "DataAnalysisEndTime", "type": "string" }, "DataAnalysisStartTime": { + "markdownDescription": "Sets the start time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to monitor the five hours of data in your dataset that precede the start of each monitoring job, you would specify: `\"-PT5H\"` .\n\nThe start time that you specify must not precede the end time that you specify by more than 24 hours. You specify the end time with the `DataAnalysisEndTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "title": "DataAnalysisStartTime", "type": "string" }, "ScheduleExpression": { - "markdownDescription": "A cron expression that describes details about the monitoring schedule.\n\nCurrently the only supported cron expressions are:\n\n- If you want to set the job to start every hour, please use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? 
* * *)`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day.", + "markdownDescription": "A cron expression that describes details about the monitoring schedule.\n\nThe supported cron expressions are:\n\n- If you want to set the job to start every hour, use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n- If you want to run the job one time, immediately, use the following keyword:\n\n`NOW`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day. 
\n\nYou can also specify the keyword `NOW` to run the monitoring job immediately, one time, without recurring.", "title": "ScheduleExpression", "type": "string" } @@ -230877,7 +239493,7 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", + "markdownDescription": "The VPC security group IDs, in the form `sg-xxxxxxxx` . Specify the security groups for the VPC that is specified in the `Subnets` field.", "title": "SecurityGroupIds", "type": "array" }, @@ -231192,7 +239808,7 @@ "properties": { "ParallelismConfiguration": { "$ref": "#/definitions/AWS::SageMaker::Pipeline.ParallelismConfiguration", - "markdownDescription": "", + "markdownDescription": "The parallelism configuration applied to the pipeline.", "title": "ParallelismConfiguration" }, "PipelineDefinition": { @@ -231275,13 +239891,13 @@ "additionalProperties": false, "properties": { "PipelineDefinitionBody": { - "markdownDescription": "", + "markdownDescription": "The [JSON pipeline definition](https://docs.aws.amazon.com/https://aws-sagemaker-mlops.github.io/sagemaker-model-building-pipeline-definition-JSON-schema/) of the pipeline.", "title": "PipelineDefinitionBody", "type": "string" }, "PipelineDefinitionS3Location": { "$ref": "#/definitions/AWS::SageMaker::Pipeline.S3Location", - "markdownDescription": "", + "markdownDescription": "The location of the pipeline definition stored in Amazon S3. If specified, SageMaker retrieves the pipeline definition from this location.", "title": "PipelineDefinitionS3Location" } }, 
@@ -231291,22 +239907,22 @@ "additionalProperties": false, "properties": { "Bucket": { - "markdownDescription": "", + "markdownDescription": "The name of the S3 bucket.", "title": "Bucket", "type": "string" }, "ETag": { - "markdownDescription": "", + "markdownDescription": "A file checksum of the pipeline definition file.", "title": "ETag", "type": "string" }, "Key": { - "markdownDescription": "", + "markdownDescription": "The object key (or key name) which uniquely identifies the object in an S3 bucket.", "title": "Key", "type": "string" }, "Version": { - "markdownDescription": "", + "markdownDescription": "The version ID of the pipeline definition file. If not specified, Amazon SageMaker will retrieve the latest version.", "title": "Version", "type": "string" } @@ -231364,7 +239980,7 @@ }, "ServiceCatalogProvisionedProductDetails": { "$ref": "#/definitions/AWS::SageMaker::Project.ServiceCatalogProvisionedProductDetails", - "markdownDescription": "", + "markdownDescription": "Details of a provisioned service catalog product. For information about service catalog, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", "title": "ServiceCatalogProvisionedProductDetails" }, "ServiceCatalogProvisioningDetails": { 
@@ -231750,6 +240366,50 @@ ], "type": "object" }, + "AWS::SageMaker::UserProfile.CodeEditorAppSettings": { + "additionalProperties": false, + "properties": { + "DefaultResourceSpec": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.ResourceSpec", + "markdownDescription": "", + "title": "DefaultResourceSpec" + }, + "LifecycleConfigArns": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Name (ARN) of the Code Editor application lifecycle configuration.", + "title": "LifecycleConfigArns", + "type": "array" + } + }, + "type": "object" + }, + "AWS::SageMaker::UserProfile.CodeRepository": { + "additionalProperties": false, + "properties": { + "RepositoryUrl": { + "markdownDescription": "The URL of the Git repository.", + "title": "RepositoryUrl", + "type": "string" + } + }, + "required": [ + "RepositoryUrl" + ], + "type": "object" + }, + "AWS::SageMaker::UserProfile.CustomFileSystemConfig": { + "additionalProperties": false, + "properties": { + "EFSFileSystemConfig": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.EFSFileSystemConfig", + "markdownDescription": "The settings for a custom Amazon EFS file system.", + "title": "EFSFileSystemConfig" + } + }, + "type": "object" + }, "AWS::SageMaker::UserProfile.CustomImage": { "additionalProperties": false, "properties": { 
@@ -231775,6 +240435,111 @@ ], "type": "object" }, + "AWS::SageMaker::UserProfile.CustomPosixUserConfig": { + "additionalProperties": false, + "properties": { + "Gid": { + "markdownDescription": "The POSIX group ID.", + "title": "Gid", + "type": "number" + }, + "Uid": { + "markdownDescription": "The POSIX user ID.", + "title": "Uid", + "type": "number" + } + }, + "required": [ + "Gid", + "Uid" + ], + "type": "object" + }, + "AWS::SageMaker::UserProfile.DefaultEbsStorageSettings": { + "additionalProperties": false, + "properties": { + "DefaultEbsVolumeSizeInGb": { + "markdownDescription": "The default size of the EBS storage volume for a private space.", + "title": "DefaultEbsVolumeSizeInGb", + "type": "number" + }, + "MaximumEbsVolumeSizeInGb": { + "markdownDescription": "The maximum size of the EBS storage volume for a private space.", + "title": "MaximumEbsVolumeSizeInGb", + "type": "number" + } + }, + "required": [ + "DefaultEbsVolumeSizeInGb", + "MaximumEbsVolumeSizeInGb" + ], + "type": "object" + }, + "AWS::SageMaker::UserProfile.DefaultSpaceStorageSettings": { + "additionalProperties": false, + "properties": { + "DefaultEbsStorageSettings": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.DefaultEbsStorageSettings", + "markdownDescription": "The default EBS storage settings for a private space.", + "title": "DefaultEbsStorageSettings" + } + }, + "type": "object" + }, + "AWS::SageMaker::UserProfile.EFSFileSystemConfig": { + "additionalProperties": false, + "properties": { + "FileSystemId": { + "markdownDescription": "The ID of your Amazon EFS file system.", + "title": "FileSystemId", + "type": "string" + }, + "FileSystemPath": { + "markdownDescription": "The path to the file system directory that is accessible in Amazon SageMaker Studio. 
Permitted users can access only this directory and below.", + "title": "FileSystemPath", + "type": "string" + } + }, + "required": [ + "FileSystemId" + ], + "type": "object" + }, + "AWS::SageMaker::UserProfile.JupyterLabAppSettings": { + "additionalProperties": false, + "properties": { + "CodeRepositories": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CodeRepository" + }, + "markdownDescription": "A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterLab application.", + "title": "CodeRepositories", + "type": "array" + }, + "CustomImages": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CustomImage" + }, + "markdownDescription": "A list of custom SageMaker images that are configured to run as a JupyterLab app.", + "title": "CustomImages", + "type": "array" + }, + "DefaultResourceSpec": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.ResourceSpec", + "markdownDescription": "", + "title": "DefaultResourceSpec" + }, + "LifecycleConfigArns": { + "items": { + "type": "string" + }, + "markdownDescription": "The Amazon Resource Name (ARN) of the lifecycle configurations attached to the user profile or domain. To remove a lifecycle config, you must set `LifecycleConfigArns` to an empty list.", + "title": "LifecycleConfigArns", + "type": "array" + } + }, + "type": "object" + }, "AWS::SageMaker::UserProfile.JupyterServerAppSettings": { "additionalProperties": false, "properties": { 
@@ -231866,11 +240631,39 @@ "AWS::SageMaker::UserProfile.UserSettings": { "additionalProperties": false, "properties": { + "CodeEditorAppSettings": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CodeEditorAppSettings", + "markdownDescription": "The Code Editor application settings.", + "title": "CodeEditorAppSettings" + }, + "CustomFileSystemConfigs": { + "items": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CustomFileSystemConfig" + }, + "markdownDescription": "The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio.", + "title": "CustomFileSystemConfigs", + "type": "array" + }, + "CustomPosixUserConfig": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.CustomPosixUserConfig", + "markdownDescription": "Details about the POSIX identity that is used for file system operations.", + "title": "CustomPosixUserConfig" + }, + "DefaultLandingUri": { + "markdownDescription": "The default experience that the user is directed to when accessing the domain. The supported values are:\n\n- `studio::` : Indicates that Studio is the default experience. This value can only be passed if `StudioWebPortal` is set to `ENABLED` .\n- `app:JupyterServer:` : Indicates that Studio Classic is the default experience.", + "title": "DefaultLandingUri", + "type": "string" + }, "ExecutionRole": { "markdownDescription": "The execution role for the user.", "title": "ExecutionRole", "type": "string" }, + "JupyterLabAppSettings": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.JupyterLabAppSettings", + "markdownDescription": "The settings for the JupyterLab application.", + "title": "JupyterLabAppSettings" + }, "JupyterServerAppSettings": { "$ref": "#/definitions/AWS::SageMaker::UserProfile.JupyterServerAppSettings", "markdownDescription": "The Jupyter server's app settings.", 
@@ -231890,14 +240683,24 @@ "items": { "type": "string" }, - "markdownDescription": "The security groups for the Amazon Virtual Private Cloud (VPC) that Studio uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", + "markdownDescription": "The security groups for the Amazon Virtual Private Cloud (VPC) that the domain uses for communication.\n\nOptional when the `CreateDomain.AppNetworkAccessType` parameter is set to `PublicInternetOnly` .\n\nRequired when the `CreateDomain.AppNetworkAccessType` parameter is set to `VpcOnly` , unless specified as part of the `DefaultUserSettings` for the domain.\n\nAmazon SageMaker adds a security group to allow NFS traffic from Amazon SageMaker Studio. Therefore, the number of security groups that you can specify is one less than the maximum number shown.", "title": "SecurityGroups", "type": "array" }, "SharingSettings": { "$ref": "#/definitions/AWS::SageMaker::UserProfile.SharingSettings", - "markdownDescription": "Specifies options for sharing SageMaker Studio notebooks.", + "markdownDescription": "Specifies options for sharing Amazon SageMaker Studio notebooks.", "title": "SharingSettings" + }, + "SpaceStorageSettings": { + "$ref": "#/definitions/AWS::SageMaker::UserProfile.DefaultSpaceStorageSettings", + "markdownDescription": "The storage settings for a private space.", + "title": "SpaceStorageSettings" + }, + "StudioWebPortal": { + "markdownDescription": "Whether the user can access Studio. 
If this value is set to `DISABLED` , the user cannot access Studio, even if that is the default experience for the domain.", + "title": "StudioWebPortal", + "type": "string" } }, "type": "object" @@ -232370,7 +241173,7 @@ "type": "number" }, "Mode": { - "markdownDescription": "Determines whether the schedule is invoked within a flexible time window.\n\n*Allowed Values* : `OFF` | `FLEXIBLE`", + "markdownDescription": "Determines whether the schedule is invoked within a flexible time window. You must use quotation marks when you specify this value in your JSON or YAML template.\n\n*Allowed Values* : `\"OFF\"` | `\"FLEXIBLE\"`", "title": "Mode", "type": "string" } 
@@ -232823,7 +241626,7 @@ "type": "string" }, "RotationType": { - "markdownDescription": "The rotation template to base the rotation function on, one of the following:\n\n- `MySQLSingleUser` to use the template [SecretsManagerRDSMySQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-singleuser) .\n- `MySQLMultiUser` to use the template [SecretsManagerRDSMySQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-multiuser) .\n- `PostgreSQLSingleUser` to use the template [SecretsManagerRDSPostgreSQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser)\n- `PostgreSQLMultiUser` to use the template [SecretsManagerRDSPostgreSQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-multiuser) .\n- `OracleSingleUser` to use the template [SecretsManagerRDSOracleRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-singleuser) .\n- `OracleMultiUser` to use the template [SecretsManagerRDSOracleRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-multiuser) .\n- `MariaDBSingleUser` to use the template [SecretsManagerRDSMariaDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-singleuser) .\n- `MariaDBMultiUser` to use the template [SecretsManagerRDSMariaDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-multiuser) .\n- `SQLServerSingleUser` to use 
the template [SecretsManagerRDSSQLServerRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-singleuser) .\n- `SQLServerMultiUser` to use the template [SecretsManagerRDSSQLServerRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-multiuser) .\n- `RedshiftSingleUser` to use the template [SecretsManagerRedshiftRotationSingleUsr](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-singleuser) .\n- `RedshiftMultiUser` to use the template [SecretsManagerRedshiftRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-multiuser) .\n- `MongoDBSingleUser` to use the template [SecretsManagerMongoDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-singleuser) .\n- `MongoDBMultiUser` to use the template [SecretsManagerMongoDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-multiuser) .", + "markdownDescription": "The rotation template to base the rotation function on, one of the following:\n\n- `Db2SingleUser` to use the template [SecretsManagerRDSDb2RotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-singleuser) .\n- `Db2MultiUser` to use the template [SecretsManagerRDSDb2RotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-db2-multiuser) .\n- `MySQLSingleUser` to use the template 
[SecretsManagerRDSMySQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-singleuser) .\n- `MySQLMultiUser` to use the template [SecretsManagerRDSMySQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mysql-multiuser) .\n- `PostgreSQLSingleUser` to use the template [SecretsManagerRDSPostgreSQLRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser)\n- `PostgreSQLMultiUser` to use the template [SecretsManagerRDSPostgreSQLRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-multiuser) .\n- `OracleSingleUser` to use the template [SecretsManagerRDSOracleRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-singleuser) .\n- `OracleMultiUser` to use the template [SecretsManagerRDSOracleRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-oracle-multiuser) .\n- `MariaDBSingleUser` to use the template [SecretsManagerRDSMariaDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-singleuser) .\n- `MariaDBMultiUser` to use the template [SecretsManagerRDSMariaDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mariadb-multiuser) .\n- `SQLServerSingleUser` to use the template [SecretsManagerRDSSQLServerRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-singleuser) .\n- 
`SQLServerMultiUser` to use the template [SecretsManagerRDSSQLServerRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-sqlserver-multiuser) .\n- `RedshiftSingleUser` to use the template [SecretsManagerRedshiftRotationSingleUsr](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-singleuser) .\n- `RedshiftMultiUser` to use the template [SecretsManagerRedshiftRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-redshift-multiuser) .\n- `MongoDBSingleUser` to use the template [SecretsManagerMongoDBRotationSingleUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-singleuser) .\n- `MongoDBMultiUser` to use the template [SecretsManagerMongoDBRotationMultiUser](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-mongodb-multiuser) .", "title": "RotationType", "type": "string" }, 
@@ -232951,7 +241754,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:\n\n`[{\"Key\":\"CostCenter\",\"Value\":\"12345\"},{\"Key\":\"environment\",\"Value\":\"production\"}]`\n\nSecrets Manager tag key names are case sensitive. A tag with the key \"ABC\" is a different tag from one with key \"abc\".\n\nIf you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an `Access Denied` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2) .\n\nFor information about how to format a JSON parameter for the various command line tool environments, see [Using JSON for Parameters](https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json) . If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.\n\nThe following restrictions apply to tags:\n\n- Maximum number of tags per secret: 50\n- Maximum key length: 127 Unicode characters in UTF-8\n- Maximum value length: 255 Unicode characters in UTF-8\n- Tag keys and values are case sensitive.\n- Do not use the `aws:` prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. 
Tags with this prefix do not count against your tags per secret limit.\n- If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.", + "markdownDescription": "A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:\n\n`[{\"Key\":\"CostCenter\",\"Value\":\"12345\"},{\"Key\":\"environment\",\"Value\":\"production\"}]`\n\nSecrets Manager tag key names are case sensitive. A tag with the key \"ABC\" is a different tag from one with key \"abc\".\n\nStack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret.\n\nIf you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an `Access Denied` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2) .\n\nFor information about how to format a JSON parameter for the various command line tool environments, see [Using JSON for Parameters](https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json) . 
If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.\n\nThe following restrictions apply to tags:\n\n- Maximum number of tags per secret: 50\n- Maximum key length: 127 Unicode characters in UTF-8\n- Maximum value length: 255 Unicode characters in UTF-8\n- Tag keys and values are case sensitive.\n- Do not use the `aws:` prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.\n- If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.", "title": "Tags", "type": "array" } @@ -233043,7 +241846,7 @@ "type": "string" }, "Region": { - "markdownDescription": "(Optional) A string that represents a `Region` , for example \"us-east-1\".", + "markdownDescription": "A string that represents a `Region` , for example \"us-east-1\".", "title": "Region", "type": "string" } 
@@ -233171,13 +241974,13 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.AutomationRulesAction" }, - "markdownDescription": "One or more actions to update finding fields if a finding matches the defined criteria of the rule.", + "markdownDescription": "One or more actions to update finding fields if a finding matches the conditions specified in `Criteria` .", "title": "Actions", "type": "array" }, "Criteria": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.AutomationRulesFindingFilters", - "markdownDescription": "A set of [AWS Security Finding Format](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.", + "markdownDescription": "A set of [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding.", "title": "Criteria" }, "Description": { 
@@ -233186,7 +241989,7 @@ "type": "string" }, "IsTerminal": { - "markdownDescription": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to `true` for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. The default value of this field is `false` .", + "markdownDescription": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.", "title": "IsTerminal", "type": "boolean" }, @@ -233207,7 +242010,7 @@ }, "Tags": { "additionalProperties": true, - "markdownDescription": "User-defined tags that help you label the purpose of a rule.", + "markdownDescription": "User-defined tags associated with an automation rule.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -233329,7 +242132,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The AWS account ID in which a finding was generated.", + "markdownDescription": "The AWS account ID in which a finding was generated.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "AwsAccountId", "type": "array" }, 
@@ -233337,7 +242140,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .", + "markdownDescription": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "CompanyName", "type": "array" }, @@ -233345,7 +242148,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.", + "markdownDescription": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceAssociatedStandardsId", "type": "array" }, @@ -233353,7 +242156,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The security control ID for which a finding was generated. Security control IDs are the same across standards.", + "markdownDescription": "The security control ID for which a finding was generated. Security control IDs are the same across standards.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceSecurityControlId", "type": "array" }, 
@@ -233361,7 +242164,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The result of a security check. This field is only used for findings generated from controls.", + "markdownDescription": "The result of a security check. This field is only used for findings generated from controls.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceStatus", "type": "array" }, @@ -233369,7 +242172,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.NumberFilter" }, - "markdownDescription": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .", + "markdownDescription": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Confidence", "type": "array" }, 
@@ -233377,7 +242180,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "CreatedAt", "type": "array" }, 
@@ -233385,7 +242188,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.NumberFilter" }, - "markdownDescription": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .", + "markdownDescription": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Criticality", "type": "array" }, @@ -233393,7 +242196,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's description.", + "markdownDescription": "A finding's description.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Description", "type": "array" }, 
@@ -233401,7 +242204,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "FirstObservedAt", "type": "array" }, @@ -233409,7 +242212,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The identifier for the solution-specific component that generated a finding.", + "markdownDescription": "The identifier for the solution-specific component that generated a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "GeneratorId", "type": "array" }, @@ -233417,7 +242220,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The product-specific identifier for a finding.", + "markdownDescription": "The product-specific identifier for a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Id", "type": "array" }, 
@@ -233425,7 +242228,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "LastObservedAt", "type": "array" }, @@ -233433,7 +242236,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The text of a user-defined note that's added to a finding.", + "markdownDescription": "The text of a user-defined note that's added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteText", "type": "array" }, 
@@ -233441,7 +242244,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteUpdatedAt", "type": "array" }, @@ -233449,7 +242252,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The principal that created a note.", + "markdownDescription": "The principal that created a note.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteUpdatedBy", "type": "array" }, @@ -233457,7 +242260,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.", + "markdownDescription": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ProductArn", "type": "array" }, 
@@ -233465,7 +242268,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.", + "markdownDescription": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ProductName", "type": "array" }, @@ -233473,7 +242276,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the current state of a finding.", + "markdownDescription": "Provides the current state of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RecordState", "type": "array" }, @@ -233481,7 +242284,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The product-generated identifier for a related finding.", + "markdownDescription": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RelatedFindingsId", "type": "array" }, @@ -233489,7 +242292,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The ARN for the product that generated a related finding.", + "markdownDescription": "The ARN for the product that generated a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RelatedFindingsProductArn", "type": "array" }, 
@@ -233497,7 +242300,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "Custom fields and values about the resource that a finding pertains to.", + "markdownDescription": "Custom fields and values about the resource that a finding pertains to.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceDetailsOther", "type": "array" }, @@ -233505,7 +242308,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.", + "markdownDescription": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "ResourceId", "type": "array" }, @@ -233513,7 +242316,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.", + "markdownDescription": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourcePartition", "type": "array" }, 
@@ -233521,7 +242324,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The AWS Region where the resource that a finding pertains to is located.", + "markdownDescription": "The AWS Region where the resource that a finding pertains to is located.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceRegion", "type": "array" }, @@ -233529,7 +242332,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "A list of AWS tags associated with a resource at the time the finding was processed.", + "markdownDescription": "A list of AWS tags associated with a resource at the time the finding was processed.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceTags", "type": "array" }, @@ -233537,7 +242340,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's title.", + "markdownDescription": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "ResourceType", "type": "array" }, @@ -233545,7 +242348,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The severity value of the finding.", + "markdownDescription": "The severity value of the finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "SeverityLabel", "type": "array" }, 
@@ -233553,7 +242356,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides a URL that links to a page about the current finding in the finding product.", + "markdownDescription": "Provides a URL that links to a page about the current finding in the finding product.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "SourceUrl", "type": "array" }, @@ -233561,7 +242364,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's title.", + "markdownDescription": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "Title", "type": "array" }, @@ -233569,7 +242372,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .", + "markdownDescription": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Type", "type": "array" }, 
@@ -233577,7 +242380,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "UpdatedAt", "type": "array" }, @@ -233585,7 +242388,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "A list of user-defined name and value string pairs added to a finding.", + "markdownDescription": "A list of user-defined name and value string pairs added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "UserDefinedFields", "type": "array" }, @@ -233593,7 +242396,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the veracity of a finding.", + "markdownDescription": "Provides the veracity of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "VerificationState", "type": "array" }, 
@@ -233601,7 +242404,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides information about the status of the investigation into a finding.", + "markdownDescription": "Provides information about the status of the investigation into a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "WorkflowStatus", "type": "array" } 
@@ -233653,7 +242456,7 @@ "additionalProperties": false, "properties": { "Comparison": { - "markdownDescription": "The condition to apply to the key value when querying for findings with a map filter.\n\nTo search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the tag `Department` .\n\nTo search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that do not have the value `Finance` for the tag `Department` .\n\n`EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\n`NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nYou cannot have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field.", + "markdownDescription": "The condition to apply to the key value when filtering Security Hub findings with a map filter.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag.\n\n`CONTAINS` and `EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. 
For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security` , `Finance` , or both values.\n\nTo search for values that don't have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don\u2019t have the value `Finance` for the `Department` tag.\n\n`NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values.\n\n`CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can\u2019t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error.\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "title": "Comparison", "type": "string" }, 
@@ -233663,7 +242466,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there is no match.", + "markdownDescription": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there's no match.", "title": "Value", "type": "string" } @@ -233720,7 +242523,7 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "The product-generated identifier for a related finding.", + "markdownDescription": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Id", "type": "object" }, 
@@ -233761,12 +242564,12 @@ "additionalProperties": false, "properties": { "Comparison": { - "markdownDescription": "The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that exactly match the filter value, use `EQUALS` .\n\nFor example, the filter `ResourceType EQUALS AwsEc2SecurityGroup` only matches findings that have a resource type of `AwsEc2SecurityGroup` .\n- To search for values that start with the filter value, use `PREFIX` .\n\nFor example, the filter `ResourceType PREFIX AwsIam` matches findings that have a resource type that starts with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all match.\n\n`EQUALS` and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\nTo search for values that do not contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that do not exactly match the filter value, use `NOT_EQUALS` .\n\nFor example, the filter `ResourceType NOT_EQUALS AwsIamPolicy` matches findings that have a resource type other than `AwsIamPolicy` .\n- To search for values that do not start with the filter value, use `PREFIX_NOT_EQUALS` .\n\nFor example, the filter `ResourceType PREFIX_NOT_EQUALS AwsIam` matches findings that have a resource type that does not start with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all be excluded from the results.\n\n`NOT_EQUALS` and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nFor filters on the same field, you cannot provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter. 
Combining filters in this way always returns an error, even if the provided filter values would return valid results.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filter, Security Hub first identifies findings that have resource types that start with either `AwsIAM` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`", + "markdownDescription": "The condition to apply to a string value when filtering Security Hub findings.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012` .\n- To search for values that start with the filter value, use `PREFIX` . For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us` . A `ResourceRegion` that starts with a different value, such as `af` , `ap` , or `ca` , doesn't match.\n\n`CONTAINS` , `EQUALS` , and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. 
For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront` , `CloudWatch` , or both strings in the title.\n\nTo search for values that don\u2019t have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012` .\n- To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS` . For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us` .\n\n`NOT_CONTAINS` , `NOT_EQUALS` , and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. 
Security Hub first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filters, Security Hub first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "title": "Comparison", "type": "string" }, "Value": { - "markdownDescription": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter text, then there is no match.", + "markdownDescription": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there's no match.", "title": "Value", "type": "string" } @@ -233842,7 +242645,13 @@ "type": "boolean" }, "Tags": { + "additionalProperties": true, "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "patternProperties": { + "^[a-zA-Z0-9]+$": { + "type": "string" + } + }, "title": "Tags", "type": "object" } 
@@ -233908,7 +242717,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::Standard.StandardsControl" }, - "markdownDescription": "Specifies which controls are to be disabled in a standard.", + "markdownDescription": "Specifies which controls are to be disabled in a standard.\n\n*Maximum* : `100`", "title": "DisabledStandardsControls", "type": "array" }, @@ -234236,7 +243045,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `MARKETPLACE_AMI` - AWS Marketplace AMI\n- `MARKETPLACE_CAR` - AWS Marketplace Clusters and AWS Resources\n- `TERRAFORM_OPEN_SOURCE` - Terraform open source configuration file", + "markdownDescription": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `TERRAFORM_OPEN_SOURCE` - Terraform Open Source configuration file\n- `TERRAFORM_CLOUD` - Terraform Cloud configuration file\n- `EXTERNAL` - External configuration file", "title": "Type", "type": "string" } @@ -234876,7 +243685,7 @@ "type": "string" }, "PrincipalType": { - "markdownDescription": "The principal type. The supported value is `IAM` .\n\n*Allowed Values* : `IAM`", + "markdownDescription": "The principal type. The supported values are `IAM` and `IAM_PATTERN` .", "title": "PrincipalType", "type": "string" } 
@@ -236071,8 +244880,6 @@ "type": "object" }, "InstanceId": { - "markdownDescription": "An identifier that you want to associate with the instance. Note the following:\n\n- If the service that's specified by `ServiceId` includes settings for an `SRV` record, the value of `InstanceId` is automatically included as part of the value for the `SRV` record. For more information, see [DnsRecord > Type](https://docs.aws.amazon.com/cloud-map/latest/api/API_DnsRecord.html#cloudmap-Type-DnsRecord-Type) .\n- You can use this value to update an existing instance.\n- To register a new instance, you must specify a value that's unique among instances that you register by using the same service.\n- If you specify an existing `InstanceId` and `ServiceId` , AWS Cloud Map updates the existing DNS records, if any. If there's also an existing health check, AWS Cloud Map deletes the old health check and creates a new one.\n\n> The health check isn't deleted immediately, so it will still appear for a while if you submit a `ListHealthChecks` request, for example.\n\n> Do not include sensitive information in `InstanceId` if the namespace is discoverable by public DNS queries and any `Type` member of `DnsRecord` for the service contains `SRV` because the `InstanceId` is discoverable by public DNS queries.", - "title": "InstanceId", "type": "string" }, "ServiceId": { 
@@ -236745,7 +245552,7 @@ "properties": { "ApplicationLayerAutomaticResponseConfiguration": { "$ref": "#/definitions/AWS::Shield::Protection.ApplicationLayerAutomaticResponseConfiguration", - "markdownDescription": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.", + "markdownDescription": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.\n\nIf you use AWS CloudFormation to manage the web ACLs that you use with Shield Advanced automatic mitigation, see the additional guidance about web ACL management in the `AWS::WAFv2::WebACL` resource description.", "title": "ApplicationLayerAutomaticResponseConfiguration" }, "HealthCheckArns": { 
@@ -237587,7 +246394,7 @@ "properties": { "DeploymentPreference": { "$ref": "#/definitions/AWS::StepFunctions::StateMachineAlias.DeploymentPreference", - "markdownDescription": "The settings that enable gradual state machine deployments. These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. 
\n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "markdownDescription": "The settings that enable gradual state machine deployments. 
These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. \n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. 
This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "title": "DeploymentPreference" }, "Description": { 
@@ -237658,7 +246465,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "markdownDescription": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. 
CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "title": "Type", "type": "string" } @@ -239050,7 +247857,9 @@ "title": "RetentionProperties" }, "Schema": { - "$ref": "#/definitions/AWS::Timestream::Table.Schema" + "$ref": "#/definitions/AWS::Timestream::Table.Schema", + "markdownDescription": "The schema of the table.", + "title": "Schema" }, "TableName": { "markdownDescription": "The name of the Timestream table.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", @@ -239126,12 +247935,18 @@ "additionalProperties": false, "properties": { "EnforcementInRecord": { + "markdownDescription": "The level of enforcement for the specification of a dimension key in ingested records. Options are REQUIRED (dimension key must be specified) and OPTIONAL (dimension key does not have to be specified).", + "title": "EnforcementInRecord", "type": "string" }, "Name": { + "markdownDescription": "The name of the attribute used for a dimension key.", + "title": "Name", "type": "string" }, "Type": { + "markdownDescription": "The type of the partition key. Options are DIMENSION (dimension key) and MEASURE (measure key).", + "title": "Type", "type": "string" } }, 
@@ -239193,6 +248008,8 @@ "items": { "$ref": "#/definitions/AWS::Timestream::Table.PartitionKey" }, + "markdownDescription": "A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed.", + "title": "CompositePartitionKey", "type": "array" } }, 
@@ -239234,7 +248051,7 @@ "additionalProperties": false, "properties": { "AccessRole": { - "markdownDescription": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "markdownDescription": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. 
So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "title": "AccessRole", "type": "string" }, 
@@ -239449,13 +248266,13 @@ "additionalProperties": false, "properties": { "AccessRole": { - "markdownDescription": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "markdownDescription": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. 
So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "title": "AccessRole", "type": "string" }, "As2Config": { "$ref": "#/definitions/AWS::Transfer::Connector.As2Config", - "markdownDescription": "A structure that contains the parameters for a connector object.", + "markdownDescription": "A structure that contains the parameters for an AS2 connector object.", "title": "As2Config" }, "LoggingRole": { @@ -239464,7 +248281,9 @@ "type": "string" }, "SftpConfig": { - "$ref": "#/definitions/AWS::Transfer::Connector.SftpConfig" + "$ref": "#/definitions/AWS::Transfer::Connector.SftpConfig", + "markdownDescription": "A structure that contains the parameters for an SFTP connector object.", + "title": "SftpConfig" }, "Tags": { "items": { @@ -239475,7 +248294,7 @@ "type": "array" }, "Url": { - "markdownDescription": "The URL of the partner's AS2 endpoint.", + "markdownDescription": "The URL of the partner's AS2 or SFTP endpoint.", "title": "Url", "type": "string" } 
@@ -239511,6 +248330,8 @@ "additionalProperties": false, "properties": { "BasicAuthSecretId": { + "markdownDescription": "Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager .\n\nThe default value for this parameter is `null` , which indicates that Basic authentication is not enabled for the connector.\n\nIf the connector should use Basic authentication, the secret needs to be in the following format:\n\n`{ \"Username\": \"user-name\", \"Password\": \"user-password\" }`\n\nReplace `user-name` and `user-password` with the credentials for the actual user that is being authenticated.\n\nNote the following:\n\n- You are storing these credentials in Secrets Manager, *not passing them directly* into this API.\n- If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you.\n\nIf you have previously enabled Basic authentication for a connector, you can disable it by using the `UpdateConnector` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:\n\n`update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=\"\"'`", + "title": "BasicAuthSecretId", "type": "string" }, "Compression": { 
@@ -239563,9 +248384,13 @@ "items": { "type": "string" }, + "markdownDescription": "The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the `ssh-keyscan` command against the SFTP server to retrieve the necessary key.\n\nThe three standard SSH public key format elements are `` , `` , and an optional `` , with spaces between each element. Specify only the `` and `` : do not enter the `` portion of the key.\n\nFor the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys.\n\n- For RSA keys, the `` string is `ssh-rsa` .\n- For ECDSA keys, the `` string is either `ecdsa-sha2-nistp256` , `ecdsa-sha2-nistp384` , or `ecdsa-sha2-nistp521` , depending on the size of the key you generated.", + "title": "TrustedHostKeys", "type": "array" }, "UserSecretId": { + "markdownDescription": "The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.", + "title": "UserSecretId", "type": "string" } }, 
@@ -239711,7 +248536,7 @@ "title": "EndpointDetails" }, "EndpointType": { - "markdownDescription": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.", + "markdownDescription": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.\n\n> After May 19, 2021, you won't be able to create a server using `EndpointType=VPC_ENDPOINT` in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with `EndpointType=VPC_ENDPOINT` in your AWS account on or before May 19, 2021, you will not be affected. After this date, use `EndpointType` = `VPC` .\n> \n> For more information, see [Discontinuing the use of VPC_ENDPOINT](https://docs.aws.amazon.com//transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint) .\n> \n> It is recommended that you use `VPC` as the `EndpointType` . With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with `EndpointType` set to `VPC_ENDPOINT` .", "title": "EndpointType", "type": "string" }, 
@@ -239753,6 +248578,11 @@ "title": "Protocols", "type": "array" }, + "S3StorageOptions": { + "$ref": "#/definitions/AWS::Transfer::Server.S3StorageOptions", + "markdownDescription": "Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default.\n\nBy default, home directory mappings have a `TYPE` of `DIRECTORY` . If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` `Type` to `FILE` if you want a mapping to have a file target.", + "title": "S3StorageOptions" + }, "SecurityPolicyName": { "markdownDescription": "Specifies the name of the security policy that is attached to the server.", "title": "SecurityPolicyName", 
@@ -239814,7 +248644,7 @@ "items": { "type": "string" }, - "markdownDescription": "A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.\n\n> This property can only be set when `EndpointType` is set to `VPC` and it is only valid in the `UpdateServer` API.", + "markdownDescription": "A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.\n\nAn address allocation ID corresponds to the allocation ID of an Elastic IP address. This value can be retrieved from the `allocationId` field from the Amazon EC2 [Address](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Address.html) data type. One way to retrieve this value is by calling the EC2 [DescribeAddresses](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddresses.html) API.\n\nThis parameter is optional. Set this parameter if you want to make your VPC endpoint public-facing. For details, see [Create an internet-facing endpoint for your server](https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#create-internet-facing-endpoint) .\n\n> This property can only be set as follows:\n> \n> - `EndpointType` must be set to `VPC`\n> - The Transfer Family server must be offline.\n> - You cannot set this parameter for Transfer Family servers that use the FTP protocol.\n> - The server must already have `SubnetIds` populated ( `SubnetIds` and `AddressAllocationIds` cannot be updated simultaneously).\n> - `AddressAllocationIds` can't contain duplicates, and must be equal in length to `SubnetIds` . For example, if you have three subnet IDs, you must also specify three address allocation IDs.\n> - Call the `UpdateServer` API to set or change this parameter.", "title": "AddressAllocationIds", "type": "array" }, 
@@ -239851,7 +248681,7 @@ "additionalProperties": false, "properties": { "DirectoryId": { - "markdownDescription": "The identifier of the AWS Directory Service directory that you want to stop sharing.", + "markdownDescription": "The identifier of the AWS Directory Service directory that you want to use as your identity provider.", "title": "DirectoryId", "type": "string" }, @@ -239912,6 +248742,17 @@ }, "type": "object" }, + "AWS::Transfer::Server.S3StorageOptions": { + "additionalProperties": false, + "properties": { + "DirectoryListingOptimization": { + "markdownDescription": "Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default.\n\nBy default, home directory mappings have a `TYPE` of `DIRECTORY` . If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` `Type` to `FILE` if you want a mapping to have a file target.", + "title": "DirectoryListingOptimization", + "type": "string" + } + }, + "type": "object" + }, "AWS::Transfer::Server.StructuredLogDestination": { "additionalProperties": false, "properties": {}, @@ -239995,7 +248836,7 @@ "additionalProperties": false, "properties": { "HomeDirectory": { - "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .", + "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> The `HomeDirectory` parameter is only used if `HomeDirectoryType` is set to `PATH` .", "title": "HomeDirectory", "type": "string" }, 
@@ -240003,12 +248844,12 @@ "items": { "$ref": "#/definitions/AWS::Transfer::User.HomeDirectoryMapEntry" }, - "markdownDescription": "Logical directory mappings that specify what Amazon S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the \" `Entry` \" and \" `Target` \" pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your IAM role provides access to paths in `Target` . The following is an example.\n\n`'[ { \"Entry\": \"/\", \"Target\": \"/bucket3/customized-reports/\" } ]'`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set `Entry` to '/' and set `Target` to the HomeDirectory parameter value.\n\n> If the target of a logical directory entry does not exist in Amazon S3, the entry will be ignored. As a workaround, you can use the Amazon S3 API to create 0 byte objects as place holders for your directory. If using the CLI, use the `s3api` call instead of `s3` so you can use the put-object operation. For example, you use the following: `AWS s3api put-object --bucket bucketname --key path/to/folder/` . Make sure that the end of the key name ends in a '/' for it to be considered a folder.", + "markdownDescription": "Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the `Entry` and `Target` pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in `Target` . 
This value can be set only when `HomeDirectoryType` is set to *LOGICAL* .\n\nThe following is an `Entry` and `Target` pair example.\n\n`[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\" `chroot` \"). To do this, you can set `Entry` to `/` and set `Target` to the value the user should see for their home directory when they log in.\n\nThe following is an `Entry` and `Target` pair example for `chroot` .\n\n`[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`", "title": "HomeDirectoryMappings", "type": "array" }, "HomeDirectoryType": { - "markdownDescription": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.", + "markdownDescription": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or Amazon EFS path as is in their file transfer protocol clients. If you set it to `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.\n\n> If `HomeDirectoryType` is `LOGICAL` , you must provide mappings, using the `HomeDirectoryMappings` parameter. If, on the other hand, `HomeDirectoryType` is `PATH` , you provide an absolute path using the `HomeDirectory` parameter. You cannot have both `HomeDirectory` and `HomeDirectoryMappings` in your template.", "title": "HomeDirectoryType", "type": "string" }, 
@@ -240091,9 +248932,14 @@ "type": "string" }, "Target": { - "markdownDescription": "Represents the map target that is used in a `HomeDirectorymapEntry` .", + "markdownDescription": "Represents the map target that is used in a `HomeDirectoryMapEntry` .", "title": "Target", "type": "string" + }, + "Type": { + "markdownDescription": "Specifies the type of mapping. Set the type to `FILE` if you want the mapping to point to a file, or `DIRECTORY` for the directory to point to a directory.\n\n> By default, home directory mappings have a `Type` of `DIRECTORY` when you create a Transfer Family server. You would need to explicitly set `Type` to `FILE` if you want a mapping to have a file target.", + "title": "Type", + "type": "string" } }, "required": [ @@ -240501,7 +249347,7 @@ "properties": { "Configuration": { "$ref": "#/definitions/AWS::VerifiedPermissions::IdentitySource.IdentitySourceConfiguration", - "markdownDescription": "Contains configuration information used when creating or updating an identity source.\n\n> At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` .", + "markdownDescription": "Contains configuration information used when creating a new identity source.\n\n> At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` . \n\nThis data type is used as a request parameter for the [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) operation.", "title": "Configuration" }, "PolicyStoreId": { 
@@ -241221,7 +250067,7 @@ "properties": { "DefaultAction": { "$ref": "#/definitions/AWS::VpcLattice::Listener.DefaultAction", - "markdownDescription": "The action for the default rule. Each listener has a default rule. Each rule consists of a priority, one or more actions, and one or more conditions. The default rule is the rule that's used if no other rules match. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "markdownDescription": "The action for the default rule. Each listener has a default rule. The default rule is used if no other rules match.", "title": "DefaultAction" }, "Name": { @@ -241230,12 +250076,12 @@ "type": "string" }, "Port": { - "markdownDescription": "The listener port. You can specify a value from `1` to `65535` . For HTTP, the default is `80` . For HTTPS, the default is `443` .", + "markdownDescription": "The listener port. You can specify a value from 1 to 65535. For HTTP, the default is 80. For HTTPS, the default is 443.", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The listener protocol HTTP or HTTPS.", + "markdownDescription": "The listener protocol.", "title": "Protocol", "type": "string" }, @@ -241285,7 +250131,7 @@ "properties": { "FixedResponse": { "$ref": "#/definitions/AWS::VpcLattice::Listener.FixedResponse", - "markdownDescription": "Information about an action that returns a custom HTTP response.", + "markdownDescription": "Describes an action that returns a custom HTTP response.", "title": "FixedResponse" }, "Forward": { 
@@ -241317,7 +250163,7 @@ "items": { "$ref": "#/definitions/AWS::VpcLattice::Listener.WeightedTargetGroup" }, - "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.", + "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group.", "title": "TargetGroups", "type": "array" } 
@@ -241336,7 +250182,7 @@ "type": "string" }, "Weight": { - "markdownDescription": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", + "markdownDescription": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", "title": "Weight", "type": "number" } @@ -241456,7 +250302,7 @@ "properties": { "Action": { "$ref": "#/definitions/AWS::VpcLattice::Rule.Action", - "markdownDescription": "Describes the action for a rule. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "markdownDescription": "Describes the action for a rule.", "title": "Action" }, "ListenerIdentifier": { @@ -241526,7 +250372,7 @@ "properties": { "FixedResponse": { "$ref": "#/definitions/AWS::VpcLattice::Rule.FixedResponse", - "markdownDescription": "Describes the rule action that returns a custom HTTP response.", + "markdownDescription": "The fixed response action. The rule returns a custom HTTP response.", "title": "FixedResponse" }, "Forward": { 
@@ -241558,7 +250404,7 @@ "items": { "$ref": "#/definitions/AWS::VpcLattice::Rule.WeightedTargetGroup" }, - "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.", + "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group.", "title": "TargetGroups", "type": "array" } @@ -241572,7 +250418,7 @@ "additionalProperties": false, "properties": { "CaseSensitive": { - "markdownDescription": "Indicates whether the match is case sensitive. Defaults to false.", + "markdownDescription": "Indicates whether the match is case sensitive.", "title": "CaseSensitive", "type": "boolean" }, 
@@ -241597,17 +250443,17 @@ "additionalProperties": false, "properties": { "Contains": { - "markdownDescription": "Specifies a contains type match.", + "markdownDescription": "A contains type match.", "title": "Contains", "type": "string" }, "Exact": { - "markdownDescription": "Specifies an exact type match.", + "markdownDescription": "An exact type match.", "title": "Exact", "type": "string" }, "Prefix": { - "markdownDescription": "Specifies a prefix type match. Matches the value with the prefix.", + "markdownDescription": "A prefix type match. Matches the value with the prefix.", "title": "Prefix", "type": "string" } @@ -241656,7 +250502,7 @@ "additionalProperties": false, "properties": { "CaseSensitive": { - "markdownDescription": "Indicates whether the match is case sensitive. Defaults to false.", + "markdownDescription": "Indicates whether the match is case sensitive.", "title": "CaseSensitive", "type": "boolean" }, 
@@ -241696,7 +250542,7 @@ "type": "string" }, "Weight": { - "markdownDescription": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", + "markdownDescription": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", "title": "Weight", "type": "number" } @@ -241758,7 +250604,7 @@ }, "DnsEntry": { "$ref": "#/definitions/AWS::VpcLattice::Service.DnsEntry", - "markdownDescription": "", + "markdownDescription": "The DNS information of the service.", "title": "DnsEntry" }, "Name": { @@ -241926,7 +250772,7 @@ "properties": { "DnsEntry": { "$ref": "#/definitions/AWS::VpcLattice::ServiceNetworkServiceAssociation.DnsEntry", - "markdownDescription": "", + "markdownDescription": "The DNS information of the service.", "title": "DnsEntry" }, "ServiceIdentifier": { 
@@ -242107,7 +250953,7 @@ "properties": { "Config": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.TargetGroupConfig", - "markdownDescription": "The target group configuration. If `type` is set to `LAMBDA` , this parameter doesn't apply.", + "markdownDescription": "The target group configuration.", "title": "Config" }, "Name": { @@ -242188,7 +251034,7 @@ }, "Matcher": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.Matcher", - "markdownDescription": "The codes to use when checking for a successful response from a target. These are called *Success codes* in the console.", + "markdownDescription": "The codes to use when checking for a successful response from a target.", "title": "Matcher" }, "Path": { @@ -242237,12 +251083,12 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "The ID of the target. If the target type of the target group is `INSTANCE` , this is an instance ID. If the target type is `IP` , this is an IP address. If the target type is `LAMBDA` , this is the ARN of the Lambda function. If the target type is `ALB` , this is the ARN of the Application Load Balancer.", + "markdownDescription": "The ID of the target. If the target group type is `INSTANCE` , this is an instance ID. If the target group type is `IP` , this is an IP address. If the target group type is `LAMBDA` , this is the ARN of a Lambda function. If the target group type is `ALB` , this is the ARN of an Application Load Balancer.", "title": "Id", "type": "string" }, "Port": { - "markdownDescription": "The port on which the target is listening. For HTTP, the default is `80` . For HTTPS, the default is `443` .", + "markdownDescription": "The port on which the target is listening. For HTTP, the default is 80. For HTTPS, the default is 443.", "title": "Port", "type": "number" } 
@@ -242257,34 +251103,36 @@ "properties": { "HealthCheck": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.HealthCheckConfig", - "markdownDescription": "The health check configuration.", + "markdownDescription": "The health check configuration. Not supported if the target group type is `LAMBDA` or `ALB` .", "title": "HealthCheck" }, "IpAddressType": { - "markdownDescription": "The type of IP address used for the target group. The possible values are `ipv4` and `ipv6` . This is an optional parameter. If not specified, the IP address type defaults to `ipv4` .", + "markdownDescription": "The type of IP address used for the target group. Supported only if the target group type is `IP` . The default is `IPV4` .", "title": "IpAddressType", "type": "string" }, "LambdaEventStructureVersion": { + "markdownDescription": "The version of the event structure that your Lambda function receives. Supported only if the target group type is `LAMBDA` . The default is `V1` .", + "title": "LambdaEventStructureVersion", "type": "string" }, "Port": { - "markdownDescription": "The port on which the targets are listening. For HTTP, the default is `80` . For HTTPS, the default is `443`", + "markdownDescription": "The port on which the targets are listening. For HTTP, the default is 80. For HTTPS, the default is 443. Not supported if the target group type is `LAMBDA` .", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The protocol to use for routing traffic to the targets. Default is the protocol of a target group.", + "markdownDescription": "The protocol to use for routing traffic to the targets. The default is the protocol of the target group. Not supported if the target group type is `LAMBDA` .", "title": "Protocol", "type": "string" }, "ProtocolVersion": { - "markdownDescription": "The protocol version. Default value is `HTTP1` .", + "markdownDescription": "The protocol version. The default is `HTTP1` . 
Not supported if the target group type is `LAMBDA` .", "title": "ProtocolVersion", "type": "string" }, "VpcIdentifier": { - "markdownDescription": "The ID of the VPC.", + "markdownDescription": "The ID of the VPC. Not supported if the target group type is `LAMBDA` .", "title": "VpcIdentifier", "type": "string" } 
@@ -244320,7 +253168,7 @@ "items": { "type": "string" }, - "markdownDescription": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", + "markdownDescription": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want AWS WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. 
AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- For requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- For requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- For requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- For requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", "title": "Addresses", "type": "array" }, @@ -244574,7 +253422,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" } 
@@ -244924,7 +253772,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. 
For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -245050,7 +253898,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, 
@@ -245132,7 +253980,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.CustomHTTPHeader" }, - "markdownDescription": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", + "markdownDescription": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "title": "ResponseHeaders", "type": "array" } 
@@ -245172,7 +254020,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { 
@@ -245187,7 +254035,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { 
@@ -245293,7 +254141,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, 
@@ -245383,12 +254231,12 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. 
AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -245498,7 +254346,7 @@ "additionalProperties": false, "properties": { "AggregateKeyType": { - "markdownDescription": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "markdownDescription": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. 
Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", "title": "AggregateKeyType", "type": "string" }, @@ -245506,6 +254354,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateBasedStatementCustomKey" }, + "markdownDescription": "Specifies the aggregate keys to use in a rate-base rule.", + "title": "CustomKeys", "type": "array" }, "ForwardedIPConfig": { 
@@ -245514,13 +254364,13 @@ "title": "ForwardedIPConfig" }, "Limit": { - "markdownDescription": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", + "markdownDescription": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", "title": "Limit", "type": "number" }, "ScopeDownStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Statement", - "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", + "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", "title": "ScopeDownStatement" } }, 
@@ -245534,31 +254384,49 @@ "additionalProperties": false, "properties": { "Cookie": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitCookie" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitCookie", + "markdownDescription": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "title": "Cookie" }, "ForwardedIP": { + "markdownDescription": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "title": "ForwardedIP", "type": "object" }, "HTTPMethod": { + "markdownDescription": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "title": "HTTPMethod", "type": "object" }, "Header": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitHeader" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitHeader", + "markdownDescription": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "title": "Header" }, "IP": { + "markdownDescription": "Use the request's originating IP address as an aggregate key. 
Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "title": "IP", "type": "object" }, "LabelNamespace": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitLabelNamespace" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitLabelNamespace", + "markdownDescription": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "title": "LabelNamespace" }, "QueryArgument": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryArgument" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryArgument", + "markdownDescription": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "title": "QueryArgument" }, "QueryString": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryString" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryString", + "markdownDescription": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. 
If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "title": "QueryString" }, "UriPath": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitUriPath" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitUriPath", + "markdownDescription": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.", + "title": "UriPath" } }, "type": "object" @@ -245567,12 +254435,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the cookie to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, 
@@ -245586,12 +254458,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the header to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245605,6 +254481,8 @@ "additionalProperties": false, "properties": { "Namespace": { + "markdownDescription": "The namespace to use for aggregation.", + "title": "Namespace", "type": "string" } }, 
@@ -245617,12 +254495,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the query argument to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245639,6 +254521,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, 
@@ -245654,6 +254538,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245739,7 +254625,7 @@ "title": "ChallengeConfig" }, "Name": { - "markdownDescription": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "markdownDescription": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "title": "Name", "type": "string" }, @@ -245763,7 +254649,7 @@ }, "VisibilityConfig": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.VisibilityConfig", - "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.", + "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name.", "title": "VisibilityConfig" } }, 
@@ -245937,7 +254823,7 @@ }, "RateBasedStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateBasedStatement", - "markdownDescription": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. 
Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "markdownDescription": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. 
The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . 
This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "title": "RateBasedStatement" }, "RegexMatchStatement": { 
@@ -245952,7 +254838,7 @@ }, "SizeConstraintStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.SizeConstraintStatement", - "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. 
If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "title": "SizeConstraintStatement" }, "SqliMatchStatement": { 
@@ -245977,7 +254863,7 @@ "type": "number" }, "Type": { - "markdownDescription": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). 
Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). 
However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.", + "markdownDescription": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* .", "title": "Type", "type": "string" } 
@@ -246074,7 +254960,7 @@ "properties": { "AssociationConfig": { "$ref": "#/definitions/AWS::WAFv2::WebACL.AssociationConfig", - "markdownDescription": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "markdownDescription": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "title": "AssociationConfig" }, "CaptchaConfig": { @@ -246117,7 +255003,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Rule" }, - "markdownDescription": "The rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", + "markdownDescription": "The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", "title": "Rules", "type": "array" }, 
@@ -246180,19 +255066,29 @@ "additionalProperties": false, "properties": { "CreationPath": { + "markdownDescription": "The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept `POST` requests.\n\nFor example, for the URL `https://example.com/web/newaccount` , you would provide the path `/web/newaccount` . Account creation page paths that start with the path that you provide are considered a match. For example `/web/newaccount` matches the account creation paths `/web/newaccount` , `/web/newaccount/` , `/web/newaccountPage` , and `/web/newaccount/thisPage` , but doesn't match the path `/home/web/newaccount` or `/website/newaccount` .", + "title": "CreationPath", "type": "string" }, "EnableRegexInPath": { + "markdownDescription": "Allow the use of regular expressions in the registration page path and the account creation path.", + "title": "EnableRegexInPath", "type": "boolean" }, "RegistrationPagePath": { + "markdownDescription": "The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users.\n\n> This page must accept `GET` text/html requests. \n\nFor example, for the URL `https://example.com/web/registration` , you would provide the path `/web/registration` . Registration page paths that start with the path that you provide are considered a match. 
For example `/web/registration` matches the registration paths `/web/registration` , `/web/registration/` , `/web/registrationPage` , and `/web/registration/thisPage` , but doesn't match the path `/home/web/registration` or `/website/registration` .", + "title": "RegistrationPagePath", "type": "string" }, "RequestInspection": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestInspectionACFP" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestInspectionACFP", + "markdownDescription": "The criteria for inspecting account creation requests, used by the ACFP rule group to validate and track account creation attempts.", + "title": "RequestInspection" }, "ResponseInspection": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection" + "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection", + "markdownDescription": "The criteria for inspecting responses to account creation requests, used by the ACFP rule group to track account creation success rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ACFP rule group evaluates the responses that your protected resources send back to client account creation attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many successful account creation attempts in a short amount of time.", + "title": "ResponseInspection" } }, "required": [ 
@@ -246206,10 +255102,12 @@ "additionalProperties": false, "properties": { "EnableRegexInPath": { + "markdownDescription": "Allow the use of regular expressions in the login page path.", + "title": "EnableRegexInPath", "type": "boolean" }, "LoginPath": { - "markdownDescription": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", + "markdownDescription": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` . Login paths that start with the path that you provide are considered a match. For example `/web/login` matches the login paths `/web/login` , `/web/login/` , `/web/loginPage` , and `/web/login/thisPage` , but doesn't match the login path `/home/web/login` or `/website/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", "title": "LoginPath", "type": "string" }, 
@@ -246220,7 +255118,7 @@ }, "ResponseInspection": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection", - "markdownDescription": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.", + "markdownDescription": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time.", "title": "ResponseInspection" } }, 
@@ -246233,10 +255131,12 @@ "additionalProperties": false, "properties": { "EnableMachineLearning": { + "markdownDescription": "Applies only to the targeted inspection level.\n\nDetermines whether to use machine learning (ML) to analyze your web traffic for bot-related activity. Machine learning is required for the Bot Control rules `TGT_ML_CoordinatedActivityLow` and `TGT_ML_CoordinatedActivityMedium` , which\ninspect for anomalous behavior that might indicate distributed, coordinated bot activity.\n\nFor more information about this choice, see the listing for these rules in the table at [Bot Control rules listing](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html#aws-managed-rule-groups-bot-rules) in the *AWS WAF Developer Guide* .\n\nDefault: `TRUE`", + "title": "EnableMachineLearning", "type": "boolean" }, "InspectionLevel": { - "markdownDescription": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) .", + "markdownDescription": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) in the *AWS WAF Developer Guide* .", "title": "InspectionLevel", "type": "string" } 
@@ -246279,7 +255179,7 @@ "properties": { "RequestBody": { "additionalProperties": false, - "markdownDescription": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "markdownDescription": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestBodyAssociatedResourceTypeConfig" 
@@ -246306,7 +255206,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. 
For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -246379,7 +255279,7 @@ "properties": { "CustomRequestHandling": { "$ref": "#/definitions/AWS::WAFv2::WebACL.CustomRequestHandling", - "markdownDescription": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", + "markdownDescription": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "title": "CustomRequestHandling" } }, 
@@ -246432,7 +255332,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -246514,7 +255414,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.CustomHTTPHeader" }, - "markdownDescription": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", + "markdownDescription": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "title": "ResponseHeaders", "type": "array" } 
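Review bot: The new `MatchScope` description for cookies spells the value `ALL` in its first paragraph and `All` in the added second paragraph. The property is a bare `"type": "string"` with no enum, so the schema does not tell a reader which literal is accepted. The added paragraph should open with `ALL` rather than `All`; the same mixed casing appears in the `MatchScope` hunks for headers and for the JSON body further down. The paragraph explains that a match in keys or values is enough, which decides whether a rule fires, so the value name should be unambiguous. This file looks generated, so the correction probably belongs in the upstream docs or the generator rather than in a hand edit.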
@@ -246578,7 +255478,7 @@ "additionalProperties": false, "properties": { "Identifier": { - "markdownDescription": "The name of the username or password field, used in the `ManagedRuleGroupConfig` settings.\n\nWhen the `PayloadType` is `JSON` , the identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .", + "markdownDescription": "The name of the field.\n\nWhen the `PayloadType` in the request inspection is `JSON` , this identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .\n\nFor more information, see the descriptions for each field type in the request inspection properties.", "title": "Identifier", "type": "string" } 
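Review bot: The JSON Pointer link kept in the new `Identifier` description is malformed. Its target is `https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901`, an absolute IETF URL with the AWS docs host prefixed, so it does not lead to RFC 6901. The target should be `https://tools.ietf.org/html/rfc6901`. This looks like a link-rewriting artifact in a generated file, so the fix probably belongs in whatever produces these descriptions (leaving absolute `https://` targets untouched) rather than in this file.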
@@ -246598,7 +255498,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { 
@@ -246613,7 +255513,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::WebACL.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { 
@@ -246719,7 +255619,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, 
@@ -246809,12 +255709,12 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. 
AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -246882,7 +255782,9 @@ "additionalProperties": false, "properties": { "AWSManagedRulesACFPRuleSet": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesACFPRuleSet" + "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesACFPRuleSet", + "markdownDescription": "Additional configuration for using the account creation fraud prevention (ACFP) managed rule group, `AWSManagedRulesACFPRuleSet` . Use this to provide account creation request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to account creation requests.\n\nFor information about using the ACFP managed rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-acfp.html) and [AWS WAF Fraud Control account creation fraud prevention (ACFP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-acfp.html) in the *AWS WAF Developer Guide* .", + "title": "AWSManagedRulesACFPRuleSet" }, "AWSManagedRulesATPRuleSet": { "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesATPRuleSet", 
@@ -246901,17 +255803,17 @@ }, "PasswordField": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "PasswordField" }, "PayloadType": { - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "PayloadType", "type": "string" }, "UsernameField": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "UsernameField" } }, 
@@ -246932,7 +255834,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupConfig" }, - "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nUse the `AWSManagedRulesATPRuleSet` configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.\n\nUse the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", + "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", "title": "ManagedRuleGroupConfigs", "type": "array" }, 
@@ -247022,7 +255924,7 @@ "additionalProperties": false, "properties": { "AggregateKeyType": { - "markdownDescription": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "markdownDescription": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. 
Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", "title": "AggregateKeyType", "type": "string" }, @@ -247030,6 +255932,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RateBasedStatementCustomKey" }, + "markdownDescription": "Specifies the aggregate keys to use in a rate-base rule.", + "title": "CustomKeys", "type": "array" }, "ForwardedIPConfig": { 
@@ -247038,13 +255942,13 @@ "title": "ForwardedIPConfig" }, "Limit": { - "markdownDescription": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", + "markdownDescription": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", "title": "Limit", "type": "number" }, "ScopeDownStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Statement", - "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", + "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", "title": "ScopeDownStatement" } }, 
@@ -247058,31 +255962,49 @@ "additionalProperties": false, "properties": { "Cookie": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitCookie" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitCookie", + "markdownDescription": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "title": "Cookie" }, "ForwardedIP": { + "markdownDescription": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "title": "ForwardedIP", "type": "object" }, "HTTPMethod": { + "markdownDescription": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "title": "HTTPMethod", "type": "object" }, "Header": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitHeader" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitHeader", + "markdownDescription": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "title": "Header" }, "IP": { + "markdownDescription": "Use the request's originating IP address as an aggregate key. 
Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "title": "IP", "type": "object" }, "LabelNamespace": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitLabelNamespace" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitLabelNamespace", + "markdownDescription": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "title": "LabelNamespace" }, "QueryArgument": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryArgument" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryArgument", + "markdownDescription": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "title": "QueryArgument" }, "QueryString": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryString" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryString", + "markdownDescription": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. 
If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "title": "QueryString" }, "UriPath": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitUriPath" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitUriPath", + "markdownDescription": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.", + "title": "UriPath" } }, "type": "object" @@ -247091,12 +256013,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the cookie to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, 
@@ -247110,12 +256036,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the header to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247129,6 +256059,8 @@ "additionalProperties": false, "properties": { "Namespace": { + "markdownDescription": "The namespace to use for aggregation.", + "title": "Namespace", "type": "string" } }, 
@@ -247141,12 +256073,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the query argument to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247163,6 +256099,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, 
@@ -247178,6 +256116,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247248,7 +256188,7 @@ "additionalProperties": false, "properties": { "DefaultSizeInspectionLimit": { - "markdownDescription": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 kilobytes)`", + "markdownDescription": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 bytes)`", "title": "DefaultSizeInspectionLimit", "type": "string" } 
@@ -247291,25 +256231,37 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" }, + "markdownDescription": "The names of the fields in the request payload that contain your customer's primary physical address.\n\nOrder the address fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the address fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryaddressline1\": \"THE_ADDRESS1\", \"primaryaddressline2\": \"THE_ADDRESS2\", \"primaryaddressline3\": \"THE_ADDRESS3\" } }` , the address field idenfiers are `/form/primaryaddressline1` , `/form/primaryaddressline2` , and `/form/primaryaddressline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` , the address fields identifiers are `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` .", + "title": "AddressFields", "type": "array" }, "EmailField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's email.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. 
For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"email\": \"THE_EMAIL\" } }` , the email field specification is `/form/email` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `email1` , the email field specification is `email1` .", + "title": "EmailField" }, "PasswordField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's password.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"password\": \"THE_PASSWORD\" } }` , the password field specification is `/form/password` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `password1` , the password field specification is `password1` .", + "title": "PasswordField" }, "PayloadType": { + "markdownDescription": "The payload type for your account creation endpoint, either JSON or form encoded.", + "title": "PayloadType", "type": "string" }, "PhoneNumberFields": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" }, + "markdownDescription": "The names of the fields in the request payload that contain your customer's primary phone number.\n\nOrder the phone number fields in the array exactly as they are 
ordered in the request payload.\n\nHow you specify the phone number fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryphoneline1\": \"THE_PHONE1\", \"primaryphoneline2\": \"THE_PHONE2\", \"primaryphoneline3\": \"THE_PHONE3\" } }` , the phone number field identifiers are `/form/primaryphoneline1` , `/form/primaryphoneline2` , and `/form/primaryphoneline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` , the phone number field identifiers are `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` .", + "title": "PhoneNumberFields", "type": "array" }, "UsernameField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's username.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. 
For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"username\": \"THE_USERNAME\" } }` , the username field specification is `/form/username` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `username1` , the username field specification is `username1`", + "title": "UsernameField" } }, "required": [ 
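Review bot: The JSON Pointer links added in this hunk target `https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901`, which places the RFC URL in the path of the AWS docs host instead of linking to the IETF. This affects the new `AddressFields`, `EmailField`, `PasswordField`, `PhoneNumberFields` and `UsernameField` descriptions. The link target should be `https://tools.ietf.org/html/rfc6901`. The text looks synced from upstream documentation, so the fix probably belongs in whatever step prefixes relative links, which should leave absolute URLs untouched, rather than in a hand edit here. The new `UsernameField` description also ends without its closing period.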
@@ -247322,22 +256274,22 @@ "properties": { "BodyContains": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionBodyContains", - "markdownDescription": "Configures inspection of the response body. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", + "markdownDescription": "Configures inspection of the response body for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", "title": "BodyContains" }, "Header": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionHeader", - "markdownDescription": "Configures inspection of the response header.", + "markdownDescription": "Configures inspection of the response header for success and failure indicators.", "title": "Header" }, "Json": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionJson", - "markdownDescription": "Configures inspection of the response JSON. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", + "markdownDescription": "Configures inspection of the response JSON for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", "title": "Json" }, "StatusCode": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionStatusCode", - "markdownDescription": "Configures inspection of the response status code.", + "markdownDescription": "Configures inspection of the response status code for success and failure indicators.", "title": "StatusCode" } }, 
@@ -247350,7 +256302,7 @@ "items": { "type": "string" }, - "markdownDescription": "Strings in the body of the response that indicate a failed login attempt. To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Login failed\" ]`", + "markdownDescription": "Strings in the body of the response that indicate a failed login or account creation attempt. To be counted as a failure, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Request failed\" ]`", "title": "FailureStrings", "type": "array" }, @@ -247358,7 +256310,7 @@ "items": { "type": "string" }, - "markdownDescription": "Strings in the body of the response that indicate a successful login attempt. To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"SuccessStrings\": [ \"Login successful\", \"Welcome to our site!\" ]`", + "markdownDescription": "Strings in the body of the response that indicate a successful login or account creation attempt. To be counted as a success, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON examples: `\"SuccessStrings\": [ \"Login successful\" ]` and `\"SuccessStrings\": [ \"Account creation successful\", \"Welcome to our site!\" ]`", "title": "SuccessStrings", "type": "array" } 
@@ -247376,12 +256328,12 @@ "items": { "type": "string" }, - "markdownDescription": "Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]`", + "markdownDescription": "Values in the response header with the specified name that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]` and `\"FailureValues\": [ \"AccountCreationFailed\" ]`", "title": "FailureValues", "type": "array" }, "Name": { - "markdownDescription": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"LoginResult\" ]`", + "markdownDescription": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"RequestResult\" ]`", "title": "Name", "type": "string" }, 
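Review bot: The reworded `Name` example, `"Name": [ "RequestResult" ]`, shows an array although the property is declared `"type": "string"` two keys later. A template copied from the description would therefore be rejected by this same schema; the example should read `"Name": "RequestResult"`. The `Identifier` examples in the later ResponseInspectionJson hunk (`"Identifier": [ "/login/success" ]`) have the same mismatch against their `"type": "string"`. These descriptions appear to be generated from upstream docs, so the correction likely belongs at the source.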
@@ -247389,7 +256341,7 @@ "items": { "type": "string" }, - "markdownDescription": "Values in the response header with the specified name that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]`", + "markdownDescription": "Values in the response header with the specified name that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]` and `\"SuccessValues\": [ \"AccountCreated\", \"Successful account creation\" ]`", "title": "SuccessValues", "type": "array" } 
@@ -247408,12 +256360,12 @@ "items": { "type": "string" }, - "markdownDescription": "Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", + "markdownDescription": "Values for the specified identifier in the response JSON that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", "title": "FailureValues", "type": "array" }, "Identifier": { - "markdownDescription": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON example: `\"Identifier\": [ \"/login/success\" ]`", + "markdownDescription": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON examples: `\"Identifier\": [ \"/login/success\" ]` and `\"Identifier\": [ \"/sign-up/success\" ]`", "title": "Identifier", "type": "string" }, 
@@ -247421,7 +256373,7 @@ "items": { "type": "string" }, - "markdownDescription": "Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`", + "markdownDescription": "Values for the specified identifier in the response JSON that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`", "title": "SuccessValues", "type": "array" } @@ -247440,7 +256392,7 @@ "items": { "type": "number" }, - "markdownDescription": "Status codes in the response that indicate a failed login attempt. To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", + "markdownDescription": "Status codes in the response that indicate a failed login or account creation attempt. To be counted as a failure, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", "title": "FailureCodes", "type": "array" }, 
@@ -247448,7 +256400,7 @@ "items": { "type": "number" }, - "markdownDescription": "Status codes in the response that indicate a successful login attempt. To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`", + "markdownDescription": "Status codes in the response that indicate a successful login or account creation attempt. To be counted as a success, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`", "title": "SuccessCodes", "type": "array" } @@ -247478,7 +256430,7 @@ "title": "ChallengeConfig" }, "Name": { - "markdownDescription": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "markdownDescription": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "title": "Name", "type": "string" }, @@ -247507,7 +256459,7 @@ }, "VisibilityConfig": { "$ref": "#/definitions/AWS::WAFv2::WebACL.VisibilityConfig", - "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.", + "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name.", "title": "VisibilityConfig" } }, 
@@ -247721,7 +256673,7 @@ }, "ManagedRuleGroupStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupStatement", - "markdownDescription": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement.\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.", + "markdownDescription": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call `ListAvailableManagedRuleGroups` .\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.\n\n> You are charged additional fees when you use the AWS WAF Bot Control managed rule group `AWSManagedRulesBotControlRuleSet` , the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group `AWSManagedRulesATPRuleSet` , or the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group `AWSManagedRulesACFPRuleSet` . For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "title": "ManagedRuleGroupStatement" }, "NotStatement": { 
@@ -247736,7 +256688,7 @@ }, "RateBasedStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RateBasedStatement", - "markdownDescription": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. 
Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "markdownDescription": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. 
The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . 
This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "title": "RateBasedStatement" }, "RegexMatchStatement": { 
@@ -247751,12 +256703,12 @@ }, "RuleGroupReferenceStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RuleGroupReferenceStatement", - "markdownDescription": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You can only use a rule group reference statement at the top level inside a web ACL.", + "markdownDescription": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You cannot use a rule group reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.", "title": "RuleGroupReferenceStatement" }, "SizeConstraintStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.SizeConstraintStatement", - "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. 
If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "title": "SizeConstraintStatement" }, "SqliMatchStatement": { 
@@ -247781,7 +256733,7 @@ "type": "number" }, "Type": { - "markdownDescription": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). 
Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). 
However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.", + "markdownDescription": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* .", "title": "Type", "type": "string" } @@ -247961,7 +256913,7 @@ }, "ServerSideEncryptionConfiguration": { "$ref": "#/definitions/AWS::Wisdom::Assistant.ServerSideEncryptionConfiguration", - "markdownDescription": "The KMS key used for encryption.", + "markdownDescription": "The configuration information for the customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) .", "title": "ServerSideEncryptionConfiguration" }, "Tags": { 
@@ -248009,7 +256961,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "The customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "title": "KmsKeyId", "type": "string" } 
@@ -248174,7 +257126,7 @@ }, "ServerSideEncryptionConfiguration": { "$ref": "#/definitions/AWS::Wisdom::KnowledgeBase.ServerSideEncryptionConfiguration", - "markdownDescription": "The KMS key used for encryption.", + "markdownDescription": "This customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "title": "ServerSideEncryptionConfiguration" }, "SourceConfiguration": { 
@@ -248222,7 +257174,7 @@ "additionalProperties": false, "properties": { "AppIntegrationArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .", + "markdownDescription": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration 
if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .\n- For [Amazon S3](https://docs.aws.amazon.com/https://aws.amazon.com/s3/) , the ObjectConfiguration and FileConfiguration of your AppIntegrations DataIntegration must be null. The `SourceURI` of your DataIntegration must use the following format: `s3://your_s3_bucket_name` .\n\n> The bucket policy of the corresponding S3 bucket must allow the AWS principal `app-integrations.amazonaws.com` to perform `s3:ListBucket` , `s3:GetObject` , and `s3:GetBucketLocation` against the bucket.", "title": "AppIntegrationArn", "type": "string" }, 
@@ -248230,7 +257182,7 @@ "items": { "type": "string" }, - "markdownDescription": "The fields from the source that are made available to your agents in Wisdom. Optional if ObjectConfiguration is included in the provided DataIntegration.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , you must include at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` .\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , you must include at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` .\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , you must include at least `id` , `title` , `updated_at` , and `draft` .\n\nMake sure to include additional fields. These fields are indexed and used to source recommendations.", + "markdownDescription": "The fields from the source that are made available to your agents in Amazon Q. 
Optional if ObjectConfiguration is included in the provided DataIntegration.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , you must include at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` .\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , you must include at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` .\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , you must include at least `id` , `title` , `updated_at` , and `draft` .\n\nMake sure to include additional fields. These fields are indexed and used to source recommendations.", "title": "ObjectFields", "type": "array" } 
@@ -248244,7 +257196,7 @@ "additionalProperties": false, "properties": { "TemplateUri": { - "markdownDescription": "A URI template containing exactly one variable in `${variableName}` format. This can only be set for `EXTERNAL` knowledge bases. For Salesforce, ServiceNow, and Zendesk, the variable must be one of the following:\n\n- Salesforce: `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , or `IsDeleted`\n- ServiceNow: `number` , `short_description` , `sys_mod_count` , `workflow_state` , or `active`\n- Zendesk: `id` , `title` , `updated_at` , or `draft`\n\nThe variable is replaced with the actual value for a piece of content when calling [GetContent](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_GetContent.html) .", + "markdownDescription": "A URI template containing exactly one variable in `${variableName}` format. This can only be set for `EXTERNAL` knowledge bases. For Salesforce, ServiceNow, and Zendesk, the variable must be one of the following:\n\n- Salesforce: `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , or `IsDeleted`\n- ServiceNow: `number` , `short_description` , `sys_mod_count` , `workflow_state` , or `active`\n- Zendesk: `id` , `title` , `updated_at` , or `draft`\n\nThe variable is replaced with the actual value for a piece of content when calling [GetContent](https://docs.aws.amazon.com/amazon-q-connect/latest/APIReference/API_GetContent.html) .", "title": "TemplateUri", "type": "string" } 
@@ -248255,7 +257207,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "The customer managed key used for encryption.\n\nThis customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom.\n\nFor more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) .", "title": "KmsKeyId", "type": "string" } 
@@ -248311,28 +257263,161 @@ "Properties": { "additionalProperties": false, "properties": { - "ConnectionString": { - "markdownDescription": "The connection string specified for the connection alias. The connection string must be in the form of a fully qualified domain name (FQDN), such as `www.example.com` .", - "title": "ConnectionString", + "ConnectionString": { + "markdownDescription": "The connection string specified for the connection alias. The connection string must be in the form of a fully qualified domain name (FQDN), such as `www.example.com` .", + "title": "ConnectionString", + "type": "string" + }, + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "The tags to associate with the connection alias.", + "title": "Tags", + "type": "array" + } + }, + "required": [ + "ConnectionString" + ], + "type": "object" + }, + "Type": { + "enum": [ + "AWS::WorkSpaces::ConnectionAlias" + ], + "type": "string" + }, + "UpdateReplacePolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + } + }, + "required": [ + "Type", + "Properties" + ], + "type": "object" + }, + "AWS::WorkSpaces::ConnectionAlias.ConnectionAliasAssociation": { + "additionalProperties": false, + "properties": { + "AssociatedAccountId": { + "markdownDescription": "The identifier of the AWS account that associated the connection alias with a directory.", + "title": "AssociatedAccountId", + "type": "string" + }, + "AssociationStatus": { + "markdownDescription": "The association status of the connection alias.", + "title": "AssociationStatus", + "type": "string" + }, + "ConnectionIdentifier": { + "markdownDescription": "The identifier of the connection alias association. 
You use the connection identifier in the DNS TXT record when you're configuring your DNS routing policies.", + "title": "ConnectionIdentifier", + "type": "string" + }, + "ResourceId": { + "markdownDescription": "The identifier of the directory associated with a connection alias.", + "title": "ResourceId", + "type": "string" + } + }, + "type": "object" + }, + "AWS::WorkSpaces::Workspace": { + "additionalProperties": false, + "properties": { + "Condition": { + "type": "string" + }, + "DeletionPolicy": { + "enum": [ + "Delete", + "Retain", + "Snapshot" + ], + "type": "string" + }, + "DependsOn": { + "anyOf": [ + { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + { + "items": { + "pattern": "^[a-zA-Z0-9]+$", + "type": "string" + }, + "type": "array" + } + ] + }, + "Metadata": { + "type": "object" + }, + "Properties": { + "additionalProperties": false, + "properties": { + "BundleId": { + "markdownDescription": "The identifier of the bundle for the WorkSpace.", + "title": "BundleId", "type": "string" }, + "DirectoryId": { + "markdownDescription": "The identifier of the AWS Directory Service directory for the WorkSpace.", + "title": "DirectoryId", + "type": "string" + }, + "RootVolumeEncryptionEnabled": { + "markdownDescription": "Indicates whether the data stored on the root volume is encrypted.", + "title": "RootVolumeEncryptionEnabled", + "type": "boolean" + }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags to associate with the connection alias.", + "markdownDescription": "The tags for the WorkSpace.", "title": "Tags", "type": "array" + }, + "UserName": { + "markdownDescription": "The user name of the user for the WorkSpace. 
This user name must exist in the AWS Directory Service directory for the WorkSpace.", + "title": "UserName", + "type": "string" + }, + "UserVolumeEncryptionEnabled": { + "markdownDescription": "Indicates whether the data stored on the user volume is encrypted.", + "title": "UserVolumeEncryptionEnabled", + "type": "boolean" + }, + "VolumeEncryptionKey": { + "markdownDescription": "The ARN of the symmetric AWS KMS key used to encrypt data stored on your WorkSpace. Amazon WorkSpaces does not support asymmetric KMS keys.", + "title": "VolumeEncryptionKey", + "type": "string" + }, + "WorkspaceProperties": { + "$ref": "#/definitions/AWS::WorkSpaces::Workspace.WorkspaceProperties", + "markdownDescription": "The WorkSpace properties.", + "title": "WorkspaceProperties" } }, "required": [ - "ConnectionString" + "BundleId", + "DirectoryId", + "UserName" ], "type": "object" }, "Type": { "enum": [ - "AWS::WorkSpaces::ConnectionAlias" + "AWS::WorkSpaces::Workspace" ], "type": "string" }, 
@@ -248351,33 +257436,38 @@ ], "type": "object" }, - "AWS::WorkSpaces::ConnectionAlias.ConnectionAliasAssociation": { + "AWS::WorkSpaces::Workspace.WorkspaceProperties": { "additionalProperties": false, "properties": { - "AssociatedAccountId": { - "markdownDescription": "", - "title": "AssociatedAccountId", + "ComputeTypeName": { + "markdownDescription": "The compute type. For more information, see [Amazon WorkSpaces Bundles](https://docs.aws.amazon.com/workspaces/details/#Amazon_WorkSpaces_Bundles) .", + "title": "ComputeTypeName", "type": "string" }, - "AssociationStatus": { - "markdownDescription": "", - "title": "AssociationStatus", - "type": "string" + "RootVolumeSizeGib": { + "markdownDescription": "The size of the root volume. For important information about how to modify the size of the root and user volumes, see [Modify a WorkSpace](https://docs.aws.amazon.com/workspaces/latest/adminguide/modify-workspaces.html) .", + "title": "RootVolumeSizeGib", + "type": "number" }, - "ConnectionIdentifier": { - "markdownDescription": "", - "title": "ConnectionIdentifier", + "RunningMode": { + "markdownDescription": "The running mode. For more information, see [Manage the WorkSpace Running Mode](https://docs.aws.amazon.com/workspaces/latest/adminguide/running-mode.html) .\n\n> The `MANUAL` value is only supported by Amazon WorkSpaces Core. Contact your account team to be allow-listed to use this value. For more information, see [Amazon WorkSpaces Core](https://docs.aws.amazon.com/workspaces/core/) .", + "title": "RunningMode", "type": "string" }, - "ResourceId": { - "markdownDescription": "", - "title": "ResourceId", - "type": "string" + "RunningModeAutoStopTimeoutInMinutes": { + "markdownDescription": "The time after a user logs off when WorkSpaces are automatically stopped. Configured in 60-minute intervals.", + "title": "RunningModeAutoStopTimeoutInMinutes", + "type": "number" + }, + "UserVolumeSizeGib": { + "markdownDescription": "The size of the user storage. 
For important information about how to modify the size of the root and user volumes, see [Modify a WorkSpace](https://docs.aws.amazon.com/workspaces/latest/adminguide/modify-workspaces.html) .", + "title": "UserVolumeSizeGib", + "type": "number" } }, "type": "object" }, - "AWS::WorkSpaces::Workspace": { + "AWS::WorkSpacesThinClient::Environment": { "additionalProperties": false, "properties": { "Condition": { 
@@ -248412,60 +257502,63 @@ "Properties": { "additionalProperties": false, "properties": { - "BundleId": { - "markdownDescription": "The identifier of the bundle for the WorkSpace.", - "title": "BundleId", + "DesiredSoftwareSetId": { + "markdownDescription": "The ID of the software set to apply.", + "title": "DesiredSoftwareSetId", "type": "string" }, - "DirectoryId": { - "markdownDescription": "The identifier of the AWS Directory Service directory for the WorkSpace.", - "title": "DirectoryId", + "DesktopArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the desktop to stream from Amazon WorkSpaces , WorkSpaces Web, or AppStream 2.0 .", + "title": "DesktopArn", "type": "string" }, - "RootVolumeEncryptionEnabled": { - "markdownDescription": "Indicates whether the data stored on the root volume is encrypted.", - "title": "RootVolumeEncryptionEnabled", - "type": "boolean" + "DesktopEndpoint": { + "markdownDescription": "The URL for the identity provider login (only for environments that use AppStream 2.0 ).", + "title": "DesktopEndpoint", + "type": "string" }, - "Tags": { - "items": { - "$ref": "#/definitions/Tag" - }, - "markdownDescription": "The tags for the WorkSpace.", - "title": "Tags", - "type": "array" + "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Key Management Service key used to encrypt the environment.", + "title": "KmsKeyArn", + "type": "string" }, - "UserName": { - "markdownDescription": "The user name of the user for the WorkSpace. 
This user name must exist in the AWS Directory Service directory for the WorkSpace.", - "title": "UserName", + "MaintenanceWindow": { + "$ref": "#/definitions/AWS::WorkSpacesThinClient::Environment.MaintenanceWindow", + "markdownDescription": "A specification for a time window to apply software updates.", + "title": "MaintenanceWindow" + }, + "Name": { + "markdownDescription": "The name of the environment.", + "title": "Name", "type": "string" }, - "UserVolumeEncryptionEnabled": { - "markdownDescription": "Indicates whether the data stored on the user volume is encrypted.", - "title": "UserVolumeEncryptionEnabled", - "type": "boolean" + "SoftwareSetUpdateMode": { + "markdownDescription": "An option to define which software updates to apply.", + "title": "SoftwareSetUpdateMode", + "type": "string" }, - "VolumeEncryptionKey": { - "markdownDescription": "The ARN of the symmetric AWS KMS key used to encrypt data stored on your WorkSpace. Amazon WorkSpaces does not support asymmetric KMS keys.", - "title": "VolumeEncryptionKey", + "SoftwareSetUpdateSchedule": { + "markdownDescription": "An option to define if software updates should be applied within a maintenance window.", + "title": "SoftwareSetUpdateSchedule", "type": "string" }, - "WorkspaceProperties": { - "$ref": "#/definitions/AWS::WorkSpaces::Workspace.WorkspaceProperties", - "markdownDescription": "The WorkSpace properties.", - "title": "WorkspaceProperties" + "Tags": { + "items": { + "$ref": "#/definitions/Tag" + }, + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", + "type": "array" } }, "required": [ - "BundleId", - "DirectoryId", - "UserName" + "DesktopArn" ], "type": "object" }, "Type": { "enum": [ - "AWS::WorkSpaces::Workspace" + "AWS::WorkSpacesThinClient::Environment" ], "type": "string" }, 
@@ -248484,35 +257577,51 @@ ], "type": "object" }, - "AWS::WorkSpaces::Workspace.WorkspaceProperties": { + "AWS::WorkSpacesThinClient::Environment.MaintenanceWindow": { "additionalProperties": false, "properties": { - "ComputeTypeName": { - "markdownDescription": "The compute type. For more information, see [Amazon WorkSpaces Bundles](https://docs.aws.amazon.com/workspaces/details/#Amazon_WorkSpaces_Bundles) .", - "title": "ComputeTypeName", + "ApplyTimeOf": { + "markdownDescription": "The option to set the maintenance window during the device local time or Universal Coordinated Time (UTC).", + "title": "ApplyTimeOf", "type": "string" }, - "RootVolumeSizeGib": { - "markdownDescription": "The size of the root volume. For important information about how to modify the size of the root and user volumes, see [Modify a WorkSpace](https://docs.aws.amazon.com/workspaces/latest/adminguide/modify-workspaces.html) .", - "title": "RootVolumeSizeGib", + "DaysOfTheWeek": { + "items": { + "type": "string" + }, + "markdownDescription": "The days of the week during which the maintenance window is open.", + "title": "DaysOfTheWeek", + "type": "array" + }, + "EndTimeHour": { + "markdownDescription": "The hour for the maintenance window end ( `00` - `23` ).", + "title": "EndTimeHour", "type": "number" }, - "RunningMode": { - "markdownDescription": "The running mode. For more information, see [Manage the WorkSpace Running Mode](https://docs.aws.amazon.com/workspaces/latest/adminguide/running-mode.html) .\n\n> The `MANUAL` value is only supported by Amazon WorkSpaces Core. Contact your account team to be allow-listed to use this value. 
For more information, see [Amazon WorkSpaces Core](https://docs.aws.amazon.com/workspaces/core/) .", - "title": "RunningMode", - "type": "string" + "EndTimeMinute": { + "markdownDescription": "The minutes for the maintenance window end ( `00` - `59` ).", + "title": "EndTimeMinute", + "type": "number" }, - "RunningModeAutoStopTimeoutInMinutes": { - "markdownDescription": "The time after a user logs off when WorkSpaces are automatically stopped. Configured in 60-minute intervals.", - "title": "RunningModeAutoStopTimeoutInMinutes", + "StartTimeHour": { + "markdownDescription": "The hour for the maintenance window start ( `00` - `23` ).", + "title": "StartTimeHour", "type": "number" }, - "UserVolumeSizeGib": { - "markdownDescription": "The size of the user storage. For important information about how to modify the size of the root and user volumes, see [Modify a WorkSpace](https://docs.aws.amazon.com/workspaces/latest/adminguide/modify-workspaces.html) .", - "title": "UserVolumeSizeGib", + "StartTimeMinute": { + "markdownDescription": "The minutes past the hour for the maintenance window start ( `00` - `59` ).", + "title": "StartTimeMinute", "type": "number" + }, + "Type": { + "markdownDescription": "An option to select the default or custom maintenance window.", + "title": "Type", + "type": "string" } }, + "required": [ + "Type" + ], "type": "object" }, "AWS::WorkSpacesWeb::BrowserSettings": { 
@@ -248552,23 +257661,31 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "Additional encryption context of the browser settings.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "BrowserPolicy": { + "markdownDescription": "A JSON string containing Chrome Enterprise policies that will be applied to all streaming sessions.", + "title": "BrowserPolicy", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "The custom managed key of the browser settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the browser settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, 
@@ -248631,20 +257748,28 @@ "properties": { "IdentityProviderDetails": { "additionalProperties": true, + "markdownDescription": "The identity provider details. The following list describes the provider detail keys for each identity provider type.\n\n- For Google and Login with Amazon:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- For Facebook:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- `api_version`\n- For Sign in with Apple:\n\n- `client_id`\n- `team_id`\n- `key_id`\n- `private_key`\n- `authorize_scopes`\n- For OIDC providers:\n\n- `client_id`\n- `client_secret`\n- `attributes_request_method`\n- `oidc_issuer`\n- `authorize_scopes`\n- `authorize_url` *if not available from discovery URL specified by oidc_issuer key*\n- `token_url` *if not available from discovery URL specified by oidc_issuer key*\n- `attributes_url` *if not available from discovery URL specified by oidc_issuer key*\n- `jwks_uri` *if not available from discovery URL specified by oidc_issuer key*\n- For SAML providers:\n\n- `MetadataFile` OR `MetadataURL`\n- `IDPSignout` *optional*", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "IdentityProviderDetails", "type": "object" }, "IdentityProviderName": { + "markdownDescription": "The identity provider name.", + "title": "IdentityProviderName", "type": "string" }, "IdentityProviderType": { + "markdownDescription": "The identity provider type.", + "title": "IdentityProviderType", "type": "string" }, "PortalArn": { + "markdownDescription": "The ARN of the identity provider.", + "title": "PortalArn", "type": "string" } }, 
@@ -248713,32 +257838,44 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "Additional encryption context of the IP access settings.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "CustomerManagedKey": { + "markdownDescription": "The custom managed key of the IP access settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "Description": { + "markdownDescription": "The description of the IP access settings.", + "title": "Description", "type": "string" }, "DisplayName": { + "markdownDescription": "The display name of the IP access settings.", + "title": "DisplayName", "type": "string" }, "IpRules": { "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::IpAccessSettings.IpRule" }, + "markdownDescription": "The IP rules of the IP access settings.", + "title": "IpRules", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the browser settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -248772,9 +257909,13 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the IP rule.", + "title": "Description", "type": "string" }, "IpRange": { + "markdownDescription": "The IP range of the IP rule. This can either be a single IP address or a range using CIDR notation.", + "title": "IpRange", "type": "string" } }, 
@@ -248822,21 +257963,29 @@ "items": { "type": "string" }, + "markdownDescription": "One or more security groups used to control access from streaming instances to your VPC.\n\n*Pattern* : `^[\\w+\\-]+$`", + "title": "SecurityGroupIds", "type": "array" }, "SubnetIds": { "items": { "type": "string" }, + "markdownDescription": "The subnets in which network interfaces are created to connect streaming instances to your VPC. At least two of these subnets must be in different availability zones.\n\n*Pattern* : `^subnet-([0-9a-f]{8}|[0-9a-f]{17})$`", + "title": "SubnetIds", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the network settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "VpcId": { + "markdownDescription": "The VPC that streaming instances will connect to.\n\n*Pattern* : `^vpc-[0-9a-z]*$`", + "title": "VpcId", "type": "string" } }, 
@@ -248905,44 +258054,66 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "The additional encryption context of the portal.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "AuthenticationType": { + "markdownDescription": "The type of authentication integration points used when signing into the web portal. Defaults to `Standard` .\n\n`Standard` web portals are authenticated directly through your identity provider (IdP). User and group access to your web portal is controlled through your IdP. You need to include an IdP resource in your template to integrate your IdP with your web portal. Completing the configuration for your IdP requires exchanging WorkSpaces Web\u2019s SP metadata with your IdP\u2019s IdP metadata. If your IdP requires the SP metadata first before returning the IdP metadata, you should follow these steps:\n\n1. Create and deploy a CloudFormation template with a `Standard` portal with no `IdentityProvider` resource.\n\n2. Retrieve the SP metadata using `Fn:GetAtt` , the WorkSpaces Web console, or by the calling the `GetPortalServiceProviderMetadata` API.\n\n3. Submit the data to your IdP.\n\n4. Add an `IdentityProvider` resource to your CloudFormation template.\n\n`IAM Identity Center` web portals are authenticated through AWS IAM Identity Center . They provide additional features, such as IdP-initiated authentication. Identity sources (including external identity provider integration) and other identity provider information must be configured in IAM Identity Center . User and group assignment must be done through the WorkSpaces Web console. 
These cannot be configured in CloudFormation.", + "title": "AuthenticationType", "type": "string" }, "BrowserSettingsArn": { + "markdownDescription": "The ARN of the browser settings that is associated with this web portal.", + "title": "BrowserSettingsArn", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "The customer managed key of the web portal.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "DisplayName": { + "markdownDescription": "The name of the web portal.", + "title": "DisplayName", "type": "string" }, "IpAccessSettingsArn": { + "markdownDescription": "The ARN of the IP access settings that is associated with the web portal.", + "title": "IpAccessSettingsArn", "type": "string" }, "NetworkSettingsArn": { + "markdownDescription": "The ARN of the network settings that is associated with the web portal.", + "title": "NetworkSettingsArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the web portal. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "TrustStoreArn": { + "markdownDescription": "The ARN of the trust store that is associated with the web portal.", + "title": "TrustStoreArn", "type": "string" }, "UserAccessLoggingSettingsArn": { + "markdownDescription": "The ARN of the user access logging settings that is associated with the web portal.", + "title": "UserAccessLoggingSettingsArn", "type": "string" }, "UserSettingsArn": { + "markdownDescription": "The ARN of the user settings that is associated with the web portal.", + "title": "UserSettingsArn", "type": "string" } }, 
@@ -249007,12 +258178,16 @@ "items": { "type": "string" }, + "markdownDescription": "A list of CA certificates to be added to the trust store.", + "title": "CertificateList", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the trust store. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -249078,12 +258253,16 @@ "additionalProperties": false, "properties": { "KinesisStreamArn": { + "markdownDescription": "The ARN of the Kinesis stream.", + "title": "KinesisStreamArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the user access logging settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, 
@@ -249150,44 +258329,66 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "CookieSynchronizationConfiguration": { - "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSynchronizationConfiguration" + "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSynchronizationConfiguration", + "markdownDescription": "The configuration that specifies which cookies should be synchronized from the end user's local browser to the remote browser.", + "title": "CookieSynchronizationConfiguration" }, "CopyAllowed": { + "markdownDescription": "Specifies whether the user can copy text from the streaming session to the local device.", + "title": "CopyAllowed", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "", + "title": "CustomerManagedKey", "type": "string" }, "DisconnectTimeoutInMinutes": { + "markdownDescription": "The amount of time that a streaming session remains active after users disconnect.", + "title": "DisconnectTimeoutInMinutes", "type": "number" }, "DownloadAllowed": { + "markdownDescription": "Specifies whether the user can download files from the streaming session to the local device.", + "title": "DownloadAllowed", "type": "string" }, "IdleDisconnectTimeoutInMinutes": { + "markdownDescription": "The amount of time that users can be idle (inactive) before they are disconnected from their streaming session and the disconnect timeout interval begins.", + "title": "IdleDisconnectTimeoutInMinutes", "type": "number" }, "PasteAllowed": { + "markdownDescription": "Specifies whether the user can paste text from the local device to the streaming session.", + "title": "PasteAllowed", "type": "string" }, "PrintAllowed": { + "markdownDescription": "Specifies whether the user can print to the local device.", + "title": "PrintAllowed", "type": "string" }, 
"Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the user settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "UploadAllowed": { + "markdownDescription": "Specifies whether the user can upload files from the local device to the streaming session.", + "title": "UploadAllowed", "type": "string" } }, @@ -249225,12 +258426,18 @@ "additionalProperties": false, "properties": { "Domain": { + "markdownDescription": "The domain of the cookie.", + "title": "Domain", "type": "string" }, "Name": { + "markdownDescription": "The name of the cookie.", + "title": "Name", "type": "string" }, "Path": { + "markdownDescription": "The path of the cookie.", + "title": "Path", "type": "string" } }, @@ -249246,12 +258453,16 @@ "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSpecification" }, + "markdownDescription": "The list of cookie specifications that are allowed to be synchronized to the remote browser.", + "title": "Allowlist", "type": "array" }, "Blocklist": { "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSpecification" }, + "markdownDescription": "The list of cookie specifications that are blocked from being synchronized to the remote browser.", + "title": "Blocklist", "type": "array" } }, @@ -249962,6 +259173,9 @@ { "$ref": "#/definitions/AWS::APS::Workspace" }, + { + "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration" + }, { "$ref": "#/definitions/AWS::AccessAnalyzer::Analyzer" }, @@ -250280,6 +259494,12 @@ { "$ref": "#/definitions/AWS::AutoScalingPlans::ScalingPlan" }, + { + "$ref": "#/definitions/AWS::B2BI::Profile" + }, + { + "$ref": "#/definitions/AWS::B2BI::Transformer" + }, { "$ref": "#/definitions/AWS::Backup::BackupPlan" }, 
@@ -250295,6 +259515,12 @@ { "$ref": "#/definitions/AWS::Backup::ReportPlan" }, + { + "$ref": "#/definitions/AWS::Backup::RestoreTestingPlan" + }, + { + "$ref": "#/definitions/AWS::Backup::RestoreTestingSelection" + }, { "$ref": "#/definitions/AWS::BackupGateway::Hypervisor" }, @@ -250442,6 +259668,9 @@ { "$ref": "#/definitions/AWS::CloudFront::KeyGroup" }, + { + "$ref": "#/definitions/AWS::CloudFront::KeyValueStore" + }, { "$ref": "#/definitions/AWS::CloudFront::MonitoringSubscription" }, @@ -250541,6 +259770,12 @@ { "$ref": "#/definitions/AWS::CodeStarConnections::Connection" }, + { + "$ref": "#/definitions/AWS::CodeStarConnections::RepositoryLink" + }, + { + "$ref": "#/definitions/AWS::CodeStarConnections::SyncConfiguration" + }, { "$ref": "#/definitions/AWS::CodeStarNotifications::NotificationRule" }, @@ -250694,6 +259929,9 @@ { "$ref": "#/definitions/AWS::ControlTower::EnabledControl" }, + { + "$ref": "#/definitions/AWS::ControlTower::LandingZone" + }, { "$ref": "#/definitions/AWS::CustomerProfiles::CalculatedAttributeDefinition" }, @@ -250724,12 +259962,21 @@ { "$ref": "#/definitions/AWS::DMS::Certificate" }, + { + "$ref": "#/definitions/AWS::DMS::DataProvider" + }, { "$ref": "#/definitions/AWS::DMS::Endpoint" }, { "$ref": "#/definitions/AWS::DMS::EventSubscription" }, + { + "$ref": "#/definitions/AWS::DMS::InstanceProfile" + }, + { + "$ref": "#/definitions/AWS::DMS::MigrationProject" + }, { "$ref": "#/definitions/AWS::DMS::ReplicationConfig" }, @@ -250841,6 +260088,9 @@ { "$ref": "#/definitions/AWS::DocDB::DBSubnetGroup" }, + { + "$ref": "#/definitions/AWS::DocDB::EventSubscription" + }, { "$ref": "#/definitions/AWS::DocDBElastic::Cluster" }, @@ -251003,6 +260253,9 @@ { "$ref": "#/definitions/AWS::EC2::SecurityGroupIngress" }, + { + "$ref": "#/definitions/AWS::EC2::SnapshotBlockPublicAccess" + }, { "$ref": "#/definitions/AWS::EC2::SpotFleet" }, 
@@ -251186,6 +260439,9 @@ { "$ref": "#/definitions/AWS::EKS::Nodegroup" }, + { + "$ref": "#/definitions/AWS::EKS::PodIdentityAssociation" + }, { "$ref": "#/definitions/AWS::EMR::Cluster" }, @@ -251234,6 +260490,9 @@ { "$ref": "#/definitions/AWS::ElastiCache::SecurityGroupIngress" }, + { + "$ref": "#/definitions/AWS::ElastiCache::ServerlessCache" + }, { "$ref": "#/definitions/AWS::ElastiCache::SubnetGroup" }, @@ -251273,6 +260532,12 @@ { "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TargetGroup" }, + { + "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TrustStore" + }, + { + "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TrustStoreRevocation" + }, { "$ref": "#/definitions/AWS::Elasticsearch::Domain" }, @@ -251336,6 +260601,9 @@ { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate" }, + { + "$ref": "#/definitions/AWS::FIS::TargetAccountConfiguration" + }, { "$ref": "#/definitions/AWS::FMS::NotificationChannel" }, @@ -251435,6 +260703,9 @@ { "$ref": "#/definitions/AWS::Glue::Crawler" }, + { + "$ref": "#/definitions/AWS::Glue::CustomEntityType" + }, { "$ref": "#/definitions/AWS::Glue::DataCatalogEncryptionSettings" }, @@ -251663,6 +260934,9 @@ { "$ref": "#/definitions/AWS::ImageBuilder::InfrastructureConfiguration" }, + { + "$ref": "#/definitions/AWS::ImageBuilder::LifecyclePolicy" + }, { "$ref": "#/definitions/AWS::Inspector::AssessmentTarget" }, @@ -252068,9 +261342,21 @@ { "$ref": "#/definitions/AWS::Logs::AccountPolicy" }, + { + "$ref": "#/definitions/AWS::Logs::Delivery" + }, + { + "$ref": "#/definitions/AWS::Logs::DeliveryDestination" + }, + { + "$ref": "#/definitions/AWS::Logs::DeliverySource" + }, { "$ref": "#/definitions/AWS::Logs::Destination" }, + { + "$ref": "#/definitions/AWS::Logs::LogAnomalyDetector" + }, { "$ref": "#/definitions/AWS::Logs::LogGroup" }, 
@@ -252197,6 +261483,12 @@ { "$ref": "#/definitions/AWS::MediaLive::InputSecurityGroup" }, + { + "$ref": "#/definitions/AWS::MediaLive::Multiplex" + }, + { + "$ref": "#/definitions/AWS::MediaLive::Multiplexprogram" + }, { "$ref": "#/definitions/AWS::MediaPackage::Asset" }, @@ -252377,6 +261669,9 @@ { "$ref": "#/definitions/AWS::OpenSearchServerless::Collection" }, + { + "$ref": "#/definitions/AWS::OpenSearchServerless::LifecyclePolicy" + }, { "$ref": "#/definitions/AWS::OpenSearchServerless::SecurityConfig" }, @@ -252806,6 +262101,15 @@ { "$ref": "#/definitions/AWS::Route53Resolver::ResolverRuleAssociation" }, + { + "$ref": "#/definitions/AWS::S3::AccessGrant" + }, + { + "$ref": "#/definitions/AWS::S3::AccessGrantsInstance" + }, + { + "$ref": "#/definitions/AWS::S3::AccessGrantsLocation" + }, { "$ref": "#/definitions/AWS::S3::AccessPoint" }, @@ -252824,6 +262128,15 @@ { "$ref": "#/definitions/AWS::S3::StorageLens" }, + { + "$ref": "#/definitions/AWS::S3::StorageLensGroup" + }, + { + "$ref": "#/definitions/AWS::S3Express::BucketPolicy" + }, + { + "$ref": "#/definitions/AWS::S3Express::DirectoryBucket" + }, { "$ref": "#/definitions/AWS::S3ObjectLambda::AccessPoint" }, @@ -252986,6 +262299,9 @@ { "$ref": "#/definitions/AWS::SageMaker::ImageVersion" }, + { + "$ref": "#/definitions/AWS::SageMaker::InferenceComponent" + }, { "$ref": "#/definitions/AWS::SageMaker::InferenceExperiment" }, @@ -253349,6 +262665,9 @@ { "$ref": "#/definitions/AWS::WorkSpaces::Workspace" }, + { + "$ref": "#/definitions/AWS::WorkSpacesThinClient::Environment" + }, { "$ref": "#/definitions/AWS::WorkSpacesWeb::BrowserSettings" }, diff --git a/schema_source/sam.schema.json b/schema_source/sam.schema.json index 196150ed37..2a9899e1bb 100644 --- a/schema_source/sam.schema.json +++ b/schema_source/sam.schema.json 
@@ -6649,6 +6649,9 @@ "Name": { "$ref": "#/definitions/PassThroughProp" }, + "OwnerContact": { + "$ref": "#/definitions/PassThroughProp" + }, "Resolvers": { "additionalProperties": { "additionalProperties": { @@ -6669,6 +6672,9 @@ "title": "Tags", "type": "object" }, + "Visibility": { + "$ref": "#/definitions/PassThroughProp" + }, "XrayEnabled": { "title": "Xrayenabled", "type": "boolean" diff --git a/setup.py b/setup.py index 4eb35022db..69a68d14da 100755 --- a/setup.py +++ b/setup.py @@ -78,7 +78,7 @@ def read_requirements(req="base.txt"): "NOTICE", "THIRD_PARTY_LICENSES", ), - python_requires=">=3.7, <=4.0, !=4.0", + python_requires=">=3.8, <=4.0, !=4.0", install_requires=read_requirements("base.txt"), include_package_data=True, extras_require={"dev": read_requirements("dev.txt")}, @@ -93,7 +93,6 @@ def read_requirements(req="base.txt"): "License :: OSI Approved :: Apache Software License", "Operating System :: OS Independent", "Programming Language :: Python", - "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", diff --git a/tests/ruff.toml b/tests/ruff.toml index 68c1f4b3ca..b9c75dbf33 100644 --- a/tests/ruff.toml +++ b/tests/ruff.toml @@ -15,8 +15,8 @@ select = [ "UP", # pyupgrade ] -# Mininal python version we support is 3.7 -target-version = "py37" +# Mininal python version we support is 3.8 +target-version = "py38" [per-file-ignores] diff --git a/tests/schema/test_validate_schema.py b/tests/schema/test_validate_schema.py index 3d0ad89496..2c1a716ed7 100644 --- a/tests/schema/test_validate_schema.py +++ b/tests/schema/test_validate_schema.py @@ -234,7 +234,7 @@ def test_sanity_valid(self, template): "Properties": { "InlineCode": "foo", "Handler": "bar", - "Runtime": "node16.x", + "Runtime": "node18.x", "Events": 1337, }, }, 
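Review bot: `"Runtime": "node18.x"` in this test template is not the identifier form the other fixtures added in this commit use (`nodejs18.x`), so the case carries a second questionable property next to `"Events": 1337`. If the template is meant to be rejected only for the `Events` value, `"Runtime": "nodejs18.x",` keeps the failure attributable to that one field. The surrounding test data starts and ends outside the hunk, so whether the runtime string is deliberately invalid cannot be confirmed from here.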
diff --git a/tests/translator/input/error_api_with_disable_api_endpoint_and_definition_body_with_swagger_definition_not_explicitly_in_template.yaml b/tests/translator/input/error_api_with_disable_api_endpoint_and_definition_body_with_swagger_definition_not_explicitly_in_template.yaml new file mode 100644 index 0000000000..b325fbca75 --- /dev/null +++ b/tests/translator/input/error_api_with_disable_api_endpoint_and_definition_body_with_swagger_definition_not_explicitly_in_template.yaml @@ -0,0 +1,10 @@ +Resources: + LambdaApiDefinition: + Type: AWS::Serverless::Api + Properties: + StageName: MyStageName + DisableExecuteApiEndpoint: true + DefinitionBody: + Fn::If: + - FalseCondition + - swaggerdefinition.api.json diff --git a/tests/translator/input/error_function_with_dynamic_ref_codeuri.yaml b/tests/translator/input/error_function_with_dynamic_ref_codeuri.yaml new file mode 100644 index 0000000000..5cf04c6bbd --- /dev/null +++ b/tests/translator/input/error_function_with_dynamic_ref_codeuri.yaml @@ -0,0 +1,7 @@ +Resources: + MinimalFunction: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://{{resolve:ssm:/name_of_bucket_parameter_from_step_2}}/name_of_file.zip + Handler: hello.handler + Runtime: python2.7 diff --git a/tests/translator/input/function_with_sns_event_source_all_parameters.yaml b/tests/translator/input/function_with_sns_event_source_all_parameters.yaml index 1b4d22dcdc..d4a0c767a9 100644 --- a/tests/translator/input/function_with_sns_event_source_all_parameters.yaml +++ b/tests/translator/input/function_with_sns_event_source_all_parameters.yaml @@ -9,7 +9,7 @@ Resources: NotificationTopic: Type: SNS Properties: - Topic: topicArn + Topic: topicArn-letsAddMoreSymbols Region: region FilterPolicy: store: diff --git a/tests/translator/input/graphqlapi_visibility_owner_contract.yaml b/tests/translator/input/graphqlapi_visibility_owner_contract.yaml new file mode 100644 index 0000000000..468b0b6070 --- /dev/null 
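Review bot: The `Fn::If` under `DefinitionBody` in the new `error_api_with_disable_api_endpoint_and_definition_body_with_swagger_definition_not_explicitly_in_template.yaml` has only two entries (`FalseCondition`, `swaggerdefinition.api.json`), and the template declares no `Conditions` section, so the fixture is malformed independently of `DisableExecuteApiEndpoint: true`. If the expected error is about the definition body not being inline, which the file name suggests although the expected output is not visible here, a third `Fn::If` branch and a declared `FalseCondition` would make sure the test fails for that reason alone. A leading `#` comment naming the error the fixture is expected to produce would record the intent for the next reader.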
+++ b/tests/translator/input/graphqlapi_visibility_owner_contract.yaml @@ -0,0 +1,13 @@ +Transform: AWS::Serverless-2016-10-31 +Resources: + SuperCoolAPI: + Type: AWS::Serverless::GraphQLApi + Properties: + SchemaInline: | + type Mutation { + addTodo(id: ID!, name: String, description: String, priority: Int): Todo + } + Visibility: PRIVATE + OwnerContact: blah-blah + Auth: + Type: AWS_IAM diff --git a/tests/translator/input/simple_function_with_global_tags_false.yaml b/tests/translator/input/simple_function_with_global_tags_false.yaml new file mode 100644 index 0000000000..8ca243a8ab --- /dev/null +++ b/tests/translator/input/simple_function_with_global_tags_false.yaml @@ -0,0 +1,28 @@ +Globals: + Function: + Tags: + TagKey1: TagValue1 + TagKey2: '' + TagKey3: false + TagKey4: true + TagKey5: 0 + +Resources: + MyLambdaFunction: + Type: AWS::Serverless::Function + Properties: + Handler: index.handler + Runtime: nodejs18.x + InlineCode: | + exports.handler = async (event, context, callback) => { + return { + statusCode: 200, + body: 'Success' + } + } + MemorySize: 128 + Policies: + - AWSLambdaRole + - AmazonS3ReadOnlyAccess +Metadata: + SamTransformTest: true diff --git a/tests/translator/input/simple_function_with_tags_false.yaml b/tests/translator/input/simple_function_with_tags_false.yaml new file mode 100644 index 0000000000..5adee9fa19 --- /dev/null +++ b/tests/translator/input/simple_function_with_tags_false.yaml @@ -0,0 +1,24 @@ +Resources: + MyLambdaFunction: + Type: AWS::Serverless::Function + Properties: + Handler: index.handler + Runtime: nodejs18.x + InlineCode: | + exports.handler = async (event, context, callback) => { + return { + statusCode: 200, + body: 'Success' + } + } + MemorySize: 128 + Policies: + - AWSLambdaRole + - AmazonS3ReadOnlyAccess + Tags: + TagKey1: TagValue1 + TagKey2: '' + TagKey3: false + TagKey4: true +Metadata: + SamTransformTest: true 
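Review bot: The new fixture is named `graphqlapi_visibility_owner_contract.yaml`, but the property it exercises is `OwnerContact`, so `contract` looks like a typo for `contact`. The same name is used for the expected outputs under `output/aws-cn/` and `output/aws-us-gov/` later in this diff. Renaming all of them to `graphqlapi_visibility_owner_contact` in one step keeps the input/output pairing intact and makes the test findable by property name.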
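Review bot: `simple_function_with_tags_false.yaml` covers `''`, `false` and `true` under `Tags` but not `0`, while the Globals fixture (`TagKey5: 0`) and the SimpleTable fixture (`TagKey7: 0`) both do. Adding `TagKey5: 0` here would pin the resource-level tag path for every falsy value the other two fixtures check. The expected outputs for this fixture would then need the matching `{"Key": "TagKey5", "Value": 0}` entry in both the function and the role tag lists.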
diff --git a/tests/translator/input/simple_table_with_tags_false.yaml b/tests/translator/input/simple_table_with_tags_false.yaml new file mode 100644 index 0000000000..a0817238b2 --- /dev/null +++ b/tests/translator/input/simple_table_with_tags_false.yaml @@ -0,0 +1,18 @@ +Parameters: + TagValueParam: + Type: String + Default: value + +Resources: + MinimalTableWithTags: + Type: AWS::Serverless::SimpleTable + Properties: + Tags: + TagKey1: TagValue1 + TagKey2: '' + TagKey3: + Ref: TagValueParam + TagKey4: '123' + TagKey5: true + TagKey6: false + TagKey7: 0 diff --git a/tests/translator/output/aws-cn/function_with_sns_event_source_all_parameters.json b/tests/translator/output/aws-cn/function_with_sns_event_source_all_parameters.json index d98959aac3..4245545a5c 100644 --- a/tests/translator/output/aws-cn/function_with_sns_event_source_all_parameters.json +++ b/tests/translator/output/aws-cn/function_with_sns_event_source_all_parameters.json @@ -62,7 +62,7 @@ "FilterPolicyScope": "MessageAttributes", "Protocol": "lambda", "Region": "region", - "TopicArn": "topicArn" + "TopicArn": "topicArn-letsAddMoreSymbols" }, "Type": "AWS::SNS::Subscription" }, @@ -73,7 +73,7 @@ "Ref": "MyAwesomeFunction" }, "Principal": "sns.amazonaws.com", - "SourceArn": "topicArn" + "SourceArn": "topicArn-letsAddMoreSymbols" }, "Type": "AWS::Lambda::Permission" }, diff --git a/tests/translator/output/aws-cn/graphqlapi_visibility_owner_contract.json b/tests/translator/output/aws-cn/graphqlapi_visibility_owner_contract.json new file mode 100644 index 0000000000..aed0dd7202 --- /dev/null +++ b/tests/translator/output/aws-cn/graphqlapi_visibility_owner_contract.json 
@@ -0,0 +1,66 @@ +{ + "Resources": { + "SuperCoolAPI": { + "Properties": { + "AuthenticationType": "AWS_IAM", + "LogConfig": { + "CloudWatchLogsRoleArn": { + "Fn::GetAtt": [ + "SuperCoolAPICloudWatchRole", + "Arn" + ] + }, + "FieldLogLevel": "ALL" + }, + "Name": "SuperCoolAPI", + "OwnerContact": "blah-blah", + "Tags": [ + { + "Key": "graphqlapi:createdBy", + "Value": "SAM" + } + ], + "Visibility": "PRIVATE" + }, + "Type": "AWS::AppSync::GraphQLApi" + }, + "SuperCoolAPICloudWatchRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "appsync.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "SuperCoolAPISchema": { + "Properties": { + "ApiId": { + "Fn::GetAtt": [ + "SuperCoolAPI", + "ApiId" + ] + }, + "Definition": "type Mutation {\n addTodo(id: ID!, name: String, description: String, priority: Int): Todo\n}\n" + }, + "Type": "AWS::AppSync::GraphQLSchema" + } + } +} diff --git a/tests/translator/output/aws-cn/simple_function_with_global_tags_false.json b/tests/translator/output/aws-cn/simple_function_with_global_tags_false.json new file mode 100644 index 0000000000..355a796e3b --- /dev/null +++ b/tests/translator/output/aws-cn/simple_function_with_global_tags_false.json 
@@ -0,0 +1,102 @@ +{ + "Metadata": { + "SamTransformTest": true + }, + "Resources": { + "MyLambdaFunction": { + "Properties": { + "Code": { + "ZipFile": "exports.handler = async (event, context, callback) => {\n return {\n statusCode: 200,\n body: 'Success'\n }\n}\n" + }, + "Handler": "index.handler", + "MemorySize": 128, + "Role": { + "Fn::GetAtt": [ + "MyLambdaFunctionRole", + "Arn" + ] + }, + "Runtime": "nodejs18.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + }, + { + "Key": "TagKey5", + "Value": 0 + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyLambdaFunctionRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaRole", + "arn:aws-cn:iam::aws:policy/AmazonS3ReadOnlyAccess" + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + }, + { + "Key": "TagKey5", + "Value": 0 + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/aws-cn/simple_function_with_tags_false.json b/tests/translator/output/aws-cn/simple_function_with_tags_false.json new file mode 100644 index 0000000000..14c4e3962b --- /dev/null +++ b/tests/translator/output/aws-cn/simple_function_with_tags_false.json 
@@ -0,0 +1,94 @@ +{ + "Metadata": { + "SamTransformTest": true + }, + "Resources": { + "MyLambdaFunction": { + "Properties": { + "Code": { + "ZipFile": "exports.handler = async (event, context, callback) => {\n return {\n statusCode: 200,\n body: 'Success'\n }\n}\n" + }, + "Handler": "index.handler", + "MemorySize": 128, + "Role": { + "Fn::GetAtt": [ + "MyLambdaFunctionRole", + "Arn" + ] + }, + "Runtime": "nodejs18.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyLambdaFunctionRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaRole", + "arn:aws-cn:iam::aws:policy/AmazonS3ReadOnlyAccess" + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/aws-cn/simple_table_with_tags_false.json b/tests/translator/output/aws-cn/simple_table_with_tags_false.json new file mode 100644 index 0000000000..c86bf8b8a3 --- /dev/null +++ b/tests/translator/output/aws-cn/simple_table_with_tags_false.json 
@@ -0,0 +1,60 @@ +{ + "Parameters": { + "TagValueParam": { + "Default": "value", + "Type": "String" + } + }, + "Resources": { + "MinimalTableWithTags": { + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "BillingMode": "PAY_PER_REQUEST", + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "Tags": [ + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": { + "Ref": "TagValueParam" + } + }, + { + "Key": "TagKey4", + "Value": "123" + }, + { + "Key": "TagKey5", + "Value": true + }, + { + "Key": "TagKey6", + "Value": false + }, + { + "Key": "TagKey7", + "Value": 0 + } + ] + }, + "Type": "AWS::DynamoDB::Table" + } + } +} diff --git a/tests/translator/output/aws-us-gov/function_with_sns_event_source_all_parameters.json b/tests/translator/output/aws-us-gov/function_with_sns_event_source_all_parameters.json index 10fd471646..4123e182a8 100644 --- a/tests/translator/output/aws-us-gov/function_with_sns_event_source_all_parameters.json +++ b/tests/translator/output/aws-us-gov/function_with_sns_event_source_all_parameters.json @@ -62,7 +62,7 @@ "FilterPolicyScope": "MessageAttributes", "Protocol": "lambda", "Region": "region", - "TopicArn": "topicArn" + "TopicArn": "topicArn-letsAddMoreSymbols" }, "Type": "AWS::SNS::Subscription" }, @@ -73,7 +73,7 @@ "Ref": "MyAwesomeFunction" }, "Principal": "sns.amazonaws.com", - "SourceArn": "topicArn" + "SourceArn": "topicArn-letsAddMoreSymbols" }, "Type": "AWS::Lambda::Permission" }, diff --git a/tests/translator/output/aws-us-gov/graphqlapi_visibility_owner_contract.json b/tests/translator/output/aws-us-gov/graphqlapi_visibility_owner_contract.json new file mode 100644 index 0000000000..aed0dd7202 --- /dev/null +++ b/tests/translator/output/aws-us-gov/graphqlapi_visibility_owner_contract.json 
@@ -0,0 +1,66 @@ +{ + "Resources": { + "SuperCoolAPI": { + "Properties": { + "AuthenticationType": "AWS_IAM", + "LogConfig": { + "CloudWatchLogsRoleArn": { + "Fn::GetAtt": [ + "SuperCoolAPICloudWatchRole", + "Arn" + ] + }, + "FieldLogLevel": "ALL" + }, + "Name": "SuperCoolAPI", + "OwnerContact": "blah-blah", + "Tags": [ + { + "Key": "graphqlapi:createdBy", + "Value": "SAM" + } + ], + "Visibility": "PRIVATE" + }, + "Type": "AWS::AppSync::GraphQLApi" + }, + "SuperCoolAPICloudWatchRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "appsync.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "SuperCoolAPISchema": { + "Properties": { + "ApiId": { + "Fn::GetAtt": [ + "SuperCoolAPI", + "ApiId" + ] + }, + "Definition": "type Mutation {\n addTodo(id: ID!, name: String, description: String, priority: Int): Todo\n}\n" + }, + "Type": "AWS::AppSync::GraphQLSchema" + } + } +} diff --git a/tests/translator/output/aws-us-gov/simple_function_with_global_tags_false.json b/tests/translator/output/aws-us-gov/simple_function_with_global_tags_false.json new file mode 100644 index 0000000000..6be7de88af --- /dev/null +++ b/tests/translator/output/aws-us-gov/simple_function_with_global_tags_false.json 
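Review bot: The fixture name ends in `owner_contract`, but the property this expected output pins is `"OwnerContact": "blah-blah"`, so the name looks like a typo for `owner_contact`. Renaming it to `graphqlapi_visibility_owner_contact.json` would make the case findable by the property it tests. The matching input template is not visible here and would presumably need the same rename, since the harness likely pairs input and output by file name. The default-partition copy added later in this diff carries the same name.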
@@ -0,0 +1,102 @@ +{ + "Metadata": { + "SamTransformTest": true + }, + "Resources": { + "MyLambdaFunction": { + "Properties": { + "Code": { + "ZipFile": "exports.handler = async (event, context, callback) => {\n return {\n statusCode: 200,\n body: 'Success'\n }\n}\n" + }, + "Handler": "index.handler", + "MemorySize": 128, + "Role": { + "Fn::GetAtt": [ + "MyLambdaFunctionRole", + "Arn" + ] + }, + "Runtime": "nodejs18.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + }, + { + "Key": "TagKey5", + "Value": 0 + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyLambdaFunctionRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaRole", + "arn:aws-us-gov:iam::aws:policy/AmazonS3ReadOnlyAccess" + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + }, + { + "Key": "TagKey5", + "Value": 0 + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/aws-us-gov/simple_function_with_tags_false.json b/tests/translator/output/aws-us-gov/simple_function_with_tags_false.json new file mode 100644 index 0000000000..71e53f69c7 --- /dev/null +++ b/tests/translator/output/aws-us-gov/simple_function_with_tags_false.json 
@@ -0,0 +1,94 @@ +{ + "Metadata": { + "SamTransformTest": true + }, + "Resources": { + "MyLambdaFunction": { + "Properties": { + "Code": { + "ZipFile": "exports.handler = async (event, context, callback) => {\n return {\n statusCode: 200,\n body: 'Success'\n }\n}\n" + }, + "Handler": "index.handler", + "MemorySize": 128, + "Role": { + "Fn::GetAtt": [ + "MyLambdaFunctionRole", + "Arn" + ] + }, + "Runtime": "nodejs18.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyLambdaFunctionRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaRole", + "arn:aws-us-gov:iam::aws:policy/AmazonS3ReadOnlyAccess" + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/aws-us-gov/simple_table_with_tags_false.json b/tests/translator/output/aws-us-gov/simple_table_with_tags_false.json new file mode 100644 index 0000000000..c86bf8b8a3 --- /dev/null +++ b/tests/translator/output/aws-us-gov/simple_table_with_tags_false.json 
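Review bot: Both expected `Tags` lists in `simple_function_with_tags_false.json` stop at `TagKey4` and never pin a numeric zero, whereas the global-tags variant pins `"Key": "TagKey5", "Value": 0` and the table variant pins `"Key": "TagKey7", "Value": 0`. If the function-level input template really has no zero-valued tag, that falsy case is only exercised through Globals for functions; adding `TagKey5: 0` to the input and `{ "Key": "TagKey5", "Value": 0 }` to both lists here would close the gap. The input template is outside this hunk, so this is inferred from the outputs alone. The default-partition copy of this fixture later in the diff has the same shape, as does the hunk with `arn:aws-cn` ARNs earlier on the page.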
@@ -0,0 +1,60 @@ +{ + "Parameters": { + "TagValueParam": { + "Default": "value", + "Type": "String" + } + }, + "Resources": { + "MinimalTableWithTags": { + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "BillingMode": "PAY_PER_REQUEST", + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "Tags": [ + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": { + "Ref": "TagValueParam" + } + }, + { + "Key": "TagKey4", + "Value": "123" + }, + { + "Key": "TagKey5", + "Value": true + }, + { + "Key": "TagKey6", + "Value": false + }, + { + "Key": "TagKey7", + "Value": 0 + } + ] + }, + "Type": "AWS::DynamoDB::Table" + } + } +} diff --git a/tests/translator/output/error_api_with_disable_api_endpoint_and_definition_body_with_swagger_definition_not_explicitly_in_template.json b/tests/translator/output/error_api_with_disable_api_endpoint_and_definition_body_with_swagger_definition_not_explicitly_in_template.json new file mode 100644 index 0000000000..e734169a6c --- /dev/null +++ b/tests/translator/output/error_api_with_disable_api_endpoint_and_definition_body_with_swagger_definition_not_explicitly_in_template.json @@ -0,0 +1,9 @@ +{ + "_autoGeneratedBreakdownErrorMessage": [ + "Invalid Serverless Application Specification document. ", + "Number of errors found: 1. ", + "Structure of the SAM template is invalid. ", + "Invalid Swagger document or the Swagger document is not explicitly defined in 'DefinitionBody'." + ], + "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Structure of the SAM template is invalid. Invalid Swagger document or the Swagger document is not explicitly defined in 'DefinitionBody'." +} 
diff --git a/tests/translator/output/error_function_with_dynamic_ref_codeuri.json b/tests/translator/output/error_function_with_dynamic_ref_codeuri.json new file mode 100644 index 0000000000..df69899b58 --- /dev/null +++ b/tests/translator/output/error_function_with_dynamic_ref_codeuri.json @@ -0,0 +1,15 @@ +{ + "_autoGeneratedBreakdownErrorMessage": [ + "Invalid Serverless Application Specification document. ", + "Number of errors found: 1. ", + "Resource with id [MinimalFunction] is invalid. ", + "Unsupported dynamic reference detected in 'CodeUri'. ", + "Please consider using alternative 'FunctionCode' object format." + ], + "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [MinimalFunction] is invalid. Unsupported dynamic reference detected in 'CodeUri'. Please consider using alternative 'FunctionCode' object format.", + "errors": [ + { + "errorMessage": "Resource with id [MinimalFunction] is invalid. Unsupported dynamic reference detected in 'CodeUri'. Please consider using alternative 'FunctionCode' object format." + } + ] +} diff --git a/tests/translator/output/function_with_sns_event_source_all_parameters.json b/tests/translator/output/function_with_sns_event_source_all_parameters.json index d1b7bdfb5a..ff8c549893 100644 --- a/tests/translator/output/function_with_sns_event_source_all_parameters.json +++ b/tests/translator/output/function_with_sns_event_source_all_parameters.json @@ -62,7 +62,7 @@ "FilterPolicyScope": "MessageAttributes", "Protocol": "lambda", "Region": "region", - "TopicArn": "topicArn" + "TopicArn": "topicArn-letsAddMoreSymbols" }, "Type": "AWS::SNS::Subscription" }, @@ -73,7 +73,7 @@ "Ref": "MyAwesomeFunction" }, "Principal": "sns.amazonaws.com", - "SourceArn": "topicArn" + "SourceArn": "topicArn-letsAddMoreSymbols" }, "Type": "AWS::Lambda::Permission" }, 
diff --git a/tests/translator/output/graphqlapi_visibility_owner_contract.json b/tests/translator/output/graphqlapi_visibility_owner_contract.json new file mode 100644 index 0000000000..aed0dd7202 --- /dev/null +++ b/tests/translator/output/graphqlapi_visibility_owner_contract.json @@ -0,0 +1,66 @@ +{ + "Resources": { + "SuperCoolAPI": { + "Properties": { + "AuthenticationType": "AWS_IAM", + "LogConfig": { + "CloudWatchLogsRoleArn": { + "Fn::GetAtt": [ + "SuperCoolAPICloudWatchRole", + "Arn" + ] + }, + "FieldLogLevel": "ALL" + }, + "Name": "SuperCoolAPI", + "OwnerContact": "blah-blah", + "Tags": [ + { + "Key": "graphqlapi:createdBy", + "Value": "SAM" + } + ], + "Visibility": "PRIVATE" + }, + "Type": "AWS::AppSync::GraphQLApi" + }, + "SuperCoolAPICloudWatchRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "appsync.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "SuperCoolAPISchema": { + "Properties": { + "ApiId": { + "Fn::GetAtt": [ + "SuperCoolAPI", + "ApiId" + ] + }, + "Definition": "type Mutation {\n addTodo(id: ID!, name: String, description: String, priority: Int): Todo\n}\n" + }, + "Type": "AWS::AppSync::GraphQLSchema" + } + } +} diff --git a/tests/translator/output/simple_function_with_global_tags_false.json b/tests/translator/output/simple_function_with_global_tags_false.json new file mode 100644 index 0000000000..36b5812000 --- /dev/null +++ b/tests/translator/output/simple_function_with_global_tags_false.json 
@@ -0,0 +1,102 @@ +{ + "Metadata": { + "SamTransformTest": true + }, + "Resources": { + "MyLambdaFunction": { + "Properties": { + "Code": { + "ZipFile": "exports.handler = async (event, context, callback) => {\n return {\n statusCode: 200,\n body: 'Success'\n }\n}\n" + }, + "Handler": "index.handler", + "MemorySize": 128, + "Role": { + "Fn::GetAtt": [ + "MyLambdaFunctionRole", + "Arn" + ] + }, + "Runtime": "nodejs18.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + }, + { + "Key": "TagKey5", + "Value": 0 + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyLambdaFunctionRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaRole", + "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + }, + { + "Key": "TagKey5", + "Value": 0 + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/simple_function_with_tags_false.json b/tests/translator/output/simple_function_with_tags_false.json new file mode 100644 index 0000000000..0e205619ce --- /dev/null +++ b/tests/translator/output/simple_function_with_tags_false.json 
@@ -0,0 +1,94 @@ +{ + "Metadata": { + "SamTransformTest": true + }, + "Resources": { + "MyLambdaFunction": { + "Properties": { + "Code": { + "ZipFile": "exports.handler = async (event, context, callback) => {\n return {\n statusCode: 200,\n body: 'Success'\n }\n}\n" + }, + "Handler": "index.handler", + "MemorySize": 128, + "Role": { + "Fn::GetAtt": [ + "MyLambdaFunctionRole", + "Arn" + ] + }, + "Runtime": "nodejs18.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyLambdaFunctionRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaRole", + "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + }, + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": false + }, + { + "Key": "TagKey4", + "Value": true + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/simple_table_with_tags_false.json b/tests/translator/output/simple_table_with_tags_false.json new file mode 100644 index 0000000000..c86bf8b8a3 --- /dev/null +++ b/tests/translator/output/simple_table_with_tags_false.json 
@@ -0,0 +1,60 @@ +{ + "Parameters": { + "TagValueParam": { + "Default": "value", + "Type": "String" + } + }, + "Resources": { + "MinimalTableWithTags": { + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "BillingMode": "PAY_PER_REQUEST", + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "Tags": [ + { + "Key": "TagKey1", + "Value": "TagValue1" + }, + { + "Key": "TagKey2", + "Value": "" + }, + { + "Key": "TagKey3", + "Value": { + "Ref": "TagValueParam" + } + }, + { + "Key": "TagKey4", + "Value": "123" + }, + { + "Key": "TagKey5", + "Value": true + }, + { + "Key": "TagKey6", + "Value": false + }, + { + "Key": "TagKey7", + "Value": 0 + } + ] + }, + "Type": "AWS::DynamoDB::Table" + } + } +}