From 6fefac5e2200264cd21ce0c560720c3576ca2243 Mon Sep 17 00:00:00 2001
From: jonathan Ifegunni <jonife@amazon.com>
Date: Thu, 6 Feb 2025 09:56:09 -0800
Subject: [PATCH 01/13] SAM support for Dual Auth FURL

---
 samtranslator/model/lambda_.py                |   1 +
 samtranslator/model/sam_resources.py          |  85 ++++-
 samtranslator/schema/schema.json              |  34 +-
 schema_source/cloudformation-docs.json        | 313 ++++++++++++++++--
 schema_source/cloudformation.schema.json      |   2 +-
 tests/model/test_sam_resources.py             |  14 +-
 .../function_with_function_url_config.json    |  13 +-
 ...ction_url_config_and_autopublishalias.json |  13 +-
 ...n_with_function_url_config_conditions.json |  14 +-
 ...nction_url_config_without_cors_config.json |  13 +-
 .../function_with_function_url_config.json    |  13 +-
 ...ction_url_config_and_autopublishalias.json |  13 +-
 ...n_with_function_url_config_conditions.json |  14 +-
 ...nction_url_config_without_cors_config.json |  13 +-
 .../function_with_function_url_config.json    |  13 +-
 ...ction_url_config_and_autopublishalias.json |  13 +-
 ...n_with_function_url_config_conditions.json |  14 +-
 ...nction_url_config_without_cors_config.json |  13 +-
 18 files changed, 537 insertions(+), 71 deletions(-)

diff --git a/samtranslator/model/lambda_.py b/samtranslator/model/lambda_.py
index 27e9636ed4..c6fecd242e 100644
--- a/samtranslator/model/lambda_.py
+++ b/samtranslator/model/lambda_.py
@@ -139,6 +139,7 @@ class LambdaPermission(Resource):
         "SourceArn": GeneratedProperty(),
         "EventSourceToken": GeneratedProperty(),
         "FunctionUrlAuthType": GeneratedProperty(),
+        "InvokedViaFunctionUrl": GeneratedProperty(),
     }
 
 
diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
index 2cdbc3c8bc..b9701f9044 100644
--- a/samtranslator/model/sam_resources.py
+++ b/samtranslator/model/sam_resources.py
@@ -133,6 +133,8 @@
 from .tags.resource_tagging import get_tag_list
 
 _CONDITION_CHAR_LIMIT = 255
+FUNCTION_URL_PUBLIC_PERMISSION_ACTION = "lambda:InvokeFunctionUrl"
+FUNCTION_INVOKE_PERMISSION_ACTION = "lambda:InvokeFunction"
 
 
 class SamFunction(SamResourceMacro):
@@ -320,9 +322,10 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def] # noqa: P
         if self.FunctionUrlConfig:
             lambda_url = self._construct_function_url(lambda_function, lambda_alias, self.FunctionUrlConfig)
             resources.append(lambda_url)
-            url_permission = self._construct_url_permission(lambda_function, lambda_alias, self.FunctionUrlConfig)
-            if url_permission:
-                resources.append(url_permission)
+            url_permissions = self._construct_url_permissions(lambda_function, lambda_alias, self.FunctionUrlConfig)
+            if url_permissions:
+                for permission in url_permissions:
+                    resources.append(permission)
 
         self._validate_deployment_preference_and_add_update_policy(
             kwargs.get("deployment_preference_collection"),
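Review bot: The `if url_permissions:` guard followed by the `for permission in url_permissions:` loop can be a single call, `resources.extend(url_permissions or ())`, which says the same thing in one line and keeps the None case visible. If `_construct_url_permissions` returned an empty tuple rather than None when no public permission applies, the call site would reduce to `resources.extend(url_permissions)`. The body of to_cloudformation starts and ends outside this hunk.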
@@ -332,7 +335,6 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def] # noqa: P
             self.get_passthrough_resource_attributes(),
             feature_toggle,
         )
-
         event_invoke_policies: List[Dict[str, Any]] = []
         if self.EventInvokeConfig:
             function_name = lambda_function.logical_id
@@ -1213,11 +1215,11 @@ def _validate_cors_config_parameter(
                     "{} must be of type {}.".format(prop_name, str(prop_type).split("'")[1]),
                 )
 
-    def _construct_url_permission(
+    def _construct_url_permissions(
         self, lambda_function: LambdaFunction, lambda_alias: Optional[LambdaAlias], function_url_config: Dict[str, Any]
-    ) -> Optional[LambdaPermission]:
+    ) -> Optional[Tuple[LambdaPermission, LambdaPermission]]:
         """
-        Construct the lambda permission associated with the function url resource in a case
+        Construct the lambda permissions associated with the function url resource in a case
         for public access when AuthType is NONE
 
         Parameters
@@ -1225,28 +1227,83 @@ def _construct_url_permission(
         lambda_function : LambdaUrl
             Lambda Function resource
 
-        llambda_alias : LambdaAlias
+        lambda_alias : LambdaAlias
             Lambda Alias resource
 
         Returns
         -------
-        LambdaPermission
-            The lambda permission appended to a function url resource with public access
+        Optional[Tuple[LambdaPermission, LambdaPermission]]
+            The lambda permission appended to a function url resource with public access and the
+            Permission to invoke the function in general.
         """
         auth_type = function_url_config.get("AuthType")
 
         if auth_type not in ["NONE"] or is_intrinsic(function_url_config):
             return None
 
-        logical_id = f"{lambda_function.logical_id}UrlPublicPermissions"
+        url_public_permission_logical_id = f"{lambda_function.logical_id}UrlPublicPermissions"
+        lambda_url_public_permission = self.get_lambda_url_permissions(
+            url_public_permission_logical_id,
+            lambda_function,
+            lambda_alias,
+            FUNCTION_URL_PUBLIC_PERMISSION_ACTION,
+            auth_type,
+        )
+
+        url_invoke_permission_logical_id = f"{lambda_function.logical_id}URLInvokeAllowPublicAccess"
+        lambda_invoke_permission = self.get_lambda_url_permissions(
+            url_invoke_permission_logical_id,
+            lambda_function,
+            lambda_alias,
+            FUNCTION_INVOKE_PERMISSION_ACTION,
+            auth_type,
+        )
+
+        return (lambda_url_public_permission, lambda_invoke_permission)
+
+    def get_lambda_url_permissions(
+        self,
+        logical_id: str,
+        lambda_function: LambdaFunction,
+        lambda_alias: Optional[LambdaAlias],
+        action: str,
+        auth_type: str,
+    ) -> LambdaPermission:
+        """
+        get_lambda_url_permissions
+
+        Parameters
+        ----------
+        logical_id : str
+            Unique id of the function
+        lambda_function : LambdaFuntion
+            Lambda Function resource
+        lambda_alias : Optional[LambdaAlias]
+            Lambda Alias resource
+        action : str
+            The action or actions that will be allowed or denied
+        auth_type : str
+            Function URL AuthType
+
+        Returns
+        -------
+        LambdaPermission
+            The lambda permission appended to a function url resource with public access
+        """
         lambda_permission_attributes = self.get_passthrough_resource_attributes()
+
         lambda_permission = LambdaPermission(logical_id=logical_id, attributes=lambda_permission_attributes)
-        lambda_permission.Action = "lambda:InvokeFunctionUrl"
+        lambda_permission.Action = action
+        lambda_permission.Principal = "*"
         lambda_permission.FunctionName = (
             lambda_alias.get_runtime_attr("arn") if lambda_alias else lambda_function.get_runtime_attr("name")
         )
-        lambda_permission.Principal = "*"
-        lambda_permission.FunctionUrlAuthType = auth_type
+        if action == FUNCTION_URL_PUBLIC_PERMISSION_ACTION:
+            lambda_permission.FunctionUrlAuthType = auth_type
+
+        if action == FUNCTION_INVOKE_PERMISSION_ACTION:
+            lambda_permission.InvokedViaFunctionUrl = True
+
         return lambda_permission
 
 
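Review bot: `get_lambda_url_permissions` always sets `Principal = "*"` and attaches a narrowing property only when `action` equals one of the two module constants, so any other action string would produce a public permission carrying neither `FunctionUrlAuthType` nor `InvokedViaFunctionUrl`. Because the second grant is `lambda:InvokeFunction` to everyone, the helper should fail closed: make the second `if` an `elif` and add `else: raise ValueError(f"unsupported function URL permission action: {action}")`. The helper reads as internal, so a leading underscore and a singular name (`_get_lambda_url_permission`) would match `_construct_url_permissions`. Its docstring summary only repeats the function name, spells the type `LambdaFuntion`, and describes `logical_id` as "Unique id of the function" although it is the logical id of the permission resource; the summary should state that a `Principal "*"` LambdaPermission is built and which property scopes it for each action. The start of `_construct_url_permissions` lies in the previous hunk.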
diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json
index aed4e150db..1e141a644e 100644
--- a/samtranslator/schema/schema.json
+++ b/samtranslator/schema/schema.json
@@ -37324,6 +37324,7 @@
           "type": "string"
         },
         "SslSupportMethod": {
+          "markdownDescription": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field.",
           "markdownDescription": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field.",
           "title": "SslSupportMethod",
           "type": "string"
@@ -41962,7 +41963,8 @@
           "type": "string"
         },
         "Type": {
-          "markdownDescription": "The type of webhook filter. There are 11 webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , `REPOSITORY_NAME` , `ORGANIZATION_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . 
For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with push and pull request events only.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with push and pull request events only.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression `pattern` .\n\n> Works with GitHub global or organization webhooks only.\n- ORGANIZATION_NAME\n\n- A webhook triggers a build when the organization name matches the regular expression `pattern` .\n\n> Works with GitHub global webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name.",
+          "markdownDescription": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name.",
+          "markdownDescription": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name.",
           "title": "Type",
           "type": "string"
         }
@@ -55779,6 +55781,7 @@
           "title": "Parameters"
         },
         "Type": {
+          "markdownDescription": "The source of the event. Currently only managed Amazon EventBridge (formerly known as Amazon CloudWatch) events are supported.",
           "markdownDescription": "The source of the event. Currently only managed Amazon EventBridge (formerly known as Amazon CloudWatch) events are supported.",
           "title": "Type",
           "type": "string"
@@ -62801,6 +62804,7 @@
               "type": "array"
             },
             "Domain": {
+              "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.",
               "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.",
               "title": "Domain",
               "type": "string"
@@ -62816,7 +62820,8 @@
               "type": "string"
             },
             "ServerHostname": {
-              "markdownDescription": "Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
+              "markdownDescription": "Specifies the domain name or IP address of the SMB file server that your DataSync agent will mount.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
+              "markdownDescription": "Specifies the domain name or IP address of the SMB file server that your DataSync agent will mount.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
               "title": "ServerHostname",
               "type": "string"
             },
@@ -68396,6 +68401,7 @@
               "type": "boolean"
             },
             "InstanceCount": {
+              "markdownDescription": "The number of instances for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for an instance count with a minimum of 100 vCPUs. For example, if you request a future-dated Capacity Reservation for `m5.xlarge` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). \n\nValid range: 1 - 1000",
               "markdownDescription": "The number of instances for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for an instance count with a minimum of 100 vCPUs. For example, if you request a future-dated Capacity Reservation for `m5.xlarge` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). \n\nValid range: 1 - 1000",
               "title": "InstanceCount",
               "type": "number"
@@ -71643,6 +71649,7 @@
               "title": "CreditSpecification"
             },
             "DisableApiTermination": {
+              "markdownDescription": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
               "markdownDescription": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
               "title": "DisableApiTermination",
               "type": "boolean"
@@ -73104,6 +73111,7 @@
           "type": "boolean"
         },
         "DisableApiTermination": {
+          "markdownDescription": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
           "markdownDescription": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
           "title": "DisableApiTermination",
           "type": "boolean"
@@ -83492,7 +83500,7 @@
               "items": {
                 "$ref": "#/definitions/AWS::ECS::Service.CapacityProviderStrategyItem"
               },
-              "markdownDescription": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy can contain a maximum of 20 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
+              "markdownDescription": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy may contain a maximum of 6 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
               "title": "CapacityProviderStrategy",
               "type": "array"
             },
@@ -83541,6 +83549,7 @@
                 "$ref": "#/definitions/AWS::ECS::Service.LoadBalancer"
               },
               "markdownDescription": "A list of load balancer objects to associate with the service. If you specify the `Role` property, `LoadBalancers` must be specified as well. For information about the number of load balancers that you can specify per service, see [Service Load Balancing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> To remove this property from your service resource, specify an empty `LoadBalancer` array.",
+              "markdownDescription": "A list of load balancer objects to associate with the service. If you specify the `Role` property, `LoadBalancers` must be specified as well. For information about the number of load balancers that you can specify per service, see [Service Load Balancing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> To remove this property from your service resource, specify an empty `LoadBalancer` array.",
               "title": "LoadBalancers",
               "type": "array"
             },
@@ -83554,6 +83563,7 @@
                 "$ref": "#/definitions/AWS::ECS::Service.PlacementConstraint"
               },
               "markdownDescription": "An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.\n\n> To remove this property from your service resource, specify an empty `PlacementConstraint` array.",
+              "markdownDescription": "An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.\n\n> To remove this property from your service resource, specify an empty `PlacementConstraint` array.",
               "title": "PlacementConstraints",
               "type": "array"
             },
@@ -83562,6 +83572,7 @@
                 "$ref": "#/definitions/AWS::ECS::Service.PlacementStrategy"
               },
               "markdownDescription": "The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.\n\n> To remove this property from your service resource, specify an empty `PlacementStrategy` array.",
+              "markdownDescription": "The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.\n\n> To remove this property from your service resource, specify an empty `PlacementStrategy` array.",
               "title": "PlacementStrategies",
               "type": "array"
             },
@@ -83600,6 +83611,7 @@
                 "$ref": "#/definitions/AWS::ECS::Service.ServiceRegistry"
               },
               "markdownDescription": "The details of the service discovery registry to associate with this service. For more information, see [Service discovery](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html) .\n\n> Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty `ServiceRegistry` array.",
+              "markdownDescription": "The details of the service discovery registry to associate with this service. For more information, see [Service discovery](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html) .\n\n> Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty `ServiceRegistry` array.",
               "title": "ServiceRegistries",
               "type": "array"
             },
@@ -83621,6 +83633,7 @@
                 "$ref": "#/definitions/AWS::ECS::Service.ServiceVolumeConfiguration"
               },
               "markdownDescription": "The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.\n\n> To remove this property from your service resource, specify an empty `ServiceVolumeConfiguration` array.",
+              "markdownDescription": "The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.\n\n> To remove this property from your service resource, specify an empty `ServiceVolumeConfiguration` array.",
               "title": "VolumeConfigurations",
               "type": "array"
             }
@@ -85828,6 +85841,7 @@
               "type": "string"
             },
             "ProvisionedThroughputInMibps": {
+              "markdownDescription": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .",
               "markdownDescription": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .",
               "title": "ProvisionedThroughputInMibps",
               "type": "number"
@@ -86115,6 +86129,7 @@
               "type": "array"
             },
             "PrincipalArn": {
+              "markdownDescription": "The ARN of the IAM principal for the `AccessEntry` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.\n\nThe valid principals differ depending on the type of the access entry in the `type` field. For `STANDARD` access entries, you can use every IAM principal type. For nodes ( `EC2` (for EKS Auto Mode), `EC2_LINUX` , `EC2_WINDOWS` , `FARGATE_LINUX` , and `HYBRID_LINUX` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.\n\n[IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.",
               "markdownDescription": "The ARN of the IAM principal for the `AccessEntry` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.\n\nThe valid principals differ depending on the type of the access entry in the `type` field. For `STANDARD` access entries, you can use every IAM principal type. For nodes ( `EC2` (for EKS Auto Mode), `EC2_LINUX` , `EC2_WINDOWS` , `FARGATE_LINUX` , and `HYBRID_LINUX` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.\n\n[IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.",
               "title": "PrincipalArn",
               "type": "string"
@@ -86128,6 +86143,7 @@
               "type": "array"
             },
             "Type": {
+              "markdownDescription": "The type of the new access entry. Valid values are `STANDARD` , `FARGATE_LINUX` , `EC2_LINUX` , `EC2_WINDOWS` , `EC2` (for EKS Auto Mode), `HYBRID_LINUX` , and `HYPERPOD_LINUX` .\n\nIf the `principalArn` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify `EC2_LINUX` or `EC2_WINDOWS` . Amazon EKS grants the necessary permissions to the node for you. If the `principalArn` is for any other purpose, specify `STANDARD` . If you don't specify a value, Amazon EKS sets the value to `STANDARD` . If you have the access mode of the cluster set to `API_AND_CONFIG_MAP` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the `aws-auth` `ConfigMap` for the roles. You can't change this value once you've created the access entry.\n\nIf you set the value to `EC2_LINUX` or `EC2_WINDOWS` , you can't specify values for `kubernetesGroups` , or associate an `AccessPolicy` to the access entry.",
               "markdownDescription": "The type of the new access entry. Valid values are `STANDARD` , `FARGATE_LINUX` , `EC2_LINUX` , `EC2_WINDOWS` , `EC2` (for EKS Auto Mode), `HYBRID_LINUX` , and `HYPERPOD_LINUX` .\n\nIf the `principalArn` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify `EC2_LINUX` or `EC2_WINDOWS` . Amazon EKS grants the necessary permissions to the node for you. If the `principalArn` is for any other purpose, specify `STANDARD` . If you don't specify a value, Amazon EKS sets the value to `STANDARD` . If you have the access mode of the cluster set to `API_AND_CONFIG_MAP` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the `aws-auth` `ConfigMap` for the roles. You can't change this value once you've created the access entry.\n\nIf you set the value to `EC2_LINUX` or `EC2_WINDOWS` , you can't specify values for `kubernetesGroups` , or associate an `AccessPolicy` to the access entry.",
               "title": "Type",
               "type": "string"
@@ -86268,6 +86284,7 @@
               "type": "boolean"
             },
             "ResolveConflicts": {
+              "markdownDescription": "How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:\n\n- *None* \u2013 If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.\n- *Overwrite* \u2013 If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.\n- *Preserve* \u2013 This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see [`UpdateAddon`](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) .\n\nIf you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.",
               "markdownDescription": "How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:\n\n- *None* \u2013 If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.\n- *Overwrite* \u2013 If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.\n- *Preserve* \u2013 This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see [`UpdateAddon`](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) .\n\nIf you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.",
               "title": "ResolveConflicts",
               "type": "string"
@@ -93223,7 +93240,8 @@
           "type": "boolean"
         },
         "Mode": {
-          "markdownDescription": "The client certificate handling method. Options are `off` , `passthrough` or `verify` . The default value is `off` .",
+          "markdownDescription": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
+          "markdownDescription": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
           "title": "Mode",
           "type": "string"
         },
@@ -93972,6 +93990,7 @@
           "additionalProperties": false,
           "properties": {
             "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": {
+              "markdownDescription": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .",
               "markdownDescription": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .",
               "title": "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic",
               "type": "string"
@@ -113933,6 +113952,7 @@
       "additionalProperties": false,
       "properties": {
         "AuthorizationStrategy": {
+          "markdownDescription": "The authorization strategy selected when the HealthLake data store is created.\n\n> HealthLake provides support for both SMART on FHIR V1 and V2 as described below.\n> \n> - `SMART_ON_FHIR_V1` \u2013 Support for only SMART on FHIR V1, which includes `read` (read/search) and `write` (create/update/delete) permissions.\n> - `SMART_ON_FHIR` \u2013 Support for both SMART on FHIR V1 and V2, which includes `create` , `read` , `update` , `delete` , and `search` permissions.\n> - `AWS_AUTH` \u2013 The default HealthLake authorization strategy; not affiliated with SMART on FHIR.",
           "markdownDescription": "The authorization strategy selected when the HealthLake data store is created.\n\n> HealthLake provides support for both SMART on FHIR V1 and V2 as described below.\n> \n> - `SMART_ON_FHIR_V1` \u2013 Support for only SMART on FHIR V1, which includes `read` (read/search) and `write` (create/update/delete) permissions.\n> - `SMART_ON_FHIR` \u2013 Support for both SMART on FHIR V1 and V2, which includes `create` , `read` , `update` , `delete` , and `search` permissions.\n> - `AWS_AUTH` \u2013 The default HealthLake authorization strategy; not affiliated with SMART on FHIR.",
           "title": "AuthorizationStrategy",
           "type": "string"
@@ -241102,6 +241122,7 @@
                 "type": "string"
               },
               "markdownDescription": "The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see [AWS Systems Manager Change Calendar](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the *AWS Systems Manager User Guide* .",
+              "markdownDescription": "The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see [AWS Systems Manager Change Calendar](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the *AWS Systems Manager User Guide* .",
               "title": "CalendarNames",
               "type": "array"
             },
@@ -244263,6 +244284,7 @@
           "type": "string"
         },
         "SageMakerImageVersionArn": {
+          "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "title": "SageMakerImageVersionArn",
           "type": "string"
@@ -245830,6 +245852,7 @@
           "type": "string"
         },
         "SageMakerImageVersionArn": {
+          "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "title": "SageMakerImageVersionArn",
           "type": "string"
@@ -253077,6 +253100,7 @@
           "type": "string"
         },
         "SageMakerImageVersionArn": {
+          "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "title": "SageMakerImageVersionArn",
           "type": "string"
@@ -253521,6 +253545,7 @@
           "type": "string"
         },
         "SageMakerImageVersionArn": {
+          "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "title": "SageMakerImageVersionArn",
           "type": "string"
@@ -254472,6 +254497,7 @@
               "title": "HostedRotationLambda"
             },
             "RotateImmediatelyOnUpdate": {
+              "markdownDescription": "Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. The rotation schedule is defined in `RotationRules` .\n\nThe default for `RotateImmediatelyOnUpdate` is `true` . If you don't specify this value, Secrets Manager rotates the secret immediately.\n\nIf you set `RotateImmediatelyOnUpdate` to `false` , Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it.\n\n> When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` :\n> \n> - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur.\n> - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows. \n\nRotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .",
               "markdownDescription": "Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. The rotation schedule is defined in `RotationRules` .\n\nThe default for `RotateImmediatelyOnUpdate` is `true` . If you don't specify this value, Secrets Manager rotates the secret immediately.\n\nIf you set `RotateImmediatelyOnUpdate` to `false` , Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it.\n\n> When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` :\n> \n> - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur.\n> - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows. \n\nRotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .",
               "title": "RotateImmediatelyOnUpdate",
               "type": "boolean"
diff --git a/schema_source/cloudformation-docs.json b/schema_source/cloudformation-docs.json
index 41a09c2698..4daa06ac2a 100644
--- a/schema_source/cloudformation-docs.json
+++ b/schema_source/cloudformation-docs.json
@@ -218,6 +218,7 @@
       "Alias": "An optional user-assigned scraper alias.",
       "Destination": "The Amazon Managed Service for Prometheus workspace the scraper sends metrics to.",
       "RoleConfiguration": "",
+      "RoleConfiguration": "",
       "ScrapeConfiguration": "The configuration in use by the scraper.",
       "Source": "The Amazon EKS cluster from which the scraper collects metrics.",
       "Tags": "(Optional) The list of tag keys and values associated with the scraper."
@@ -237,6 +238,10 @@
       "SourceRoleArn": "",
       "TargetRoleArn": ""
     },
+    "AWS::APS::Scraper RoleConfiguration": {
+      "SourceRoleArn": "",
+      "TargetRoleArn": ""
+    },
     "AWS::APS::Scraper ScrapeConfiguration": {
       "ConfigurationBlob": "The base 64 encoded scrape configuration file."
     },
@@ -4956,6 +4961,8 @@
       "Name": "The name the volume mount. This must match the name of one of the volumes in the pod.",
       "ReadOnly": "If this value is `true` , the container has read-only access to the volume. Otherwise, the container can write to the volume. The default value is `false` .",
       "SubPath": "A sub-path inside the referenced volume instead of its root."
+      "ReadOnly": "If this value is `true` , the container has read-only access to the volume. Otherwise, the container can write to the volume. The default value is `false` .",
+      "SubPath": "A sub-path inside the referenced volume instead of its root."
     },
     "AWS::Batch::JobDefinition EksEmptyDir": {
       "Medium": "The medium to store the volume. The default value is an empty string, which uses the storage of the node.\n\n- **\"\"** - *(Default)* Use the disk storage of the node.\n- **\"Memory\"** - Use the `tmpfs` volume that's backed by the RAM of the node. Contents of the volume are lost when the node reboots, and any storage on the volume counts against the container's memory limit.",
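Review bot: The two added lines (`"ReadOnly"` and `"SubPath"`) follow a context `"SubPath": "…"` entry that has no trailing comma, so the new side of this object is not valid JSON, and both keys are duplicates of the entries just above; the two `+` lines should be removed. The next hunk (`@@ -4969`) has the same missing comma after its added `"ReadOnly"` entry, adds a second `"AWS::Batch::JobDefinition EksPersistentVolumeClaim"` object directly before the existing one, and puts `Annotations`, `Labels` and `Namespace` inside it, which in the context lines belong to the preceding object. The hunk at `@@ -5063` appears to append entries after a comma-less `"Volumes"` line in the same way, but it continues past the visible lines. A parse check on schema_source/cloudformation-docs.json (for example `python -m json.tool`) in CI would catch this before the schema is generated from it.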
@@ -4969,6 +4976,13 @@
       "Labels": "Key-value pairs used to identify, sort, and organize cube resources. Can contain up to 63 uppercase letters, lowercase letters, numbers, hyphens (-), and underscores (_). Labels can be added or modified at any time. Each resource can have multiple labels, but each key must be unique for a given object.",
       "Namespace": "The namespace of the Amazon EKS cluster. In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. Names of resources need to be unique within a namespace, but not across namespaces. AWS Batch places Batch Job pods in this namespace. If this field is provided, the value can't be empty or null. It must meet the following requirements:\n\n- 1-63 characters long\n- Can't be set to default\n- Can't start with `kube`\n- Must match the following regular expression: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`\n\nFor more information, see [Namespaces](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) in the *Kubernetes documentation* . This namespace can be different from the `kubernetesNamespace` set in the compute environment's `EksConfiguration` , but must have identical role-based access control (RBAC) roles as the compute environment's `kubernetesNamespace` . For multi-node parallel jobs, the same value must be provided across all the node ranges."
     },
+    "AWS::Batch::JobDefinition EksPersistentVolumeClaim": {
+      "ClaimName": "The name of the `persistentVolumeClaim` bounded to a `persistentVolume` . For more information, see [Persistent Volume Claims](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) in the *Kubernetes documentation* .",
+      "ReadOnly": "An optional boolean value indicating if the mount is read only. Default is false. For more information, see [Read Only Mounts](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/#read-only-mounts) in the *Kubernetes documentation* ."
+      "Annotations": "Key-value pairs used to attach arbitrary, non-identifying metadata to Kubernetes objects. Valid annotation keys have two segments: an optional prefix and a name, separated by a slash (/).\n\n- The prefix is optional and must be 253 characters or less. If specified, the prefix must be a DNS subdomain\u2212 a series of DNS labels separated by dots (.), and it must end with a slash (/).\n- The name segment is required and must be 63 characters or less. It can include alphanumeric characters ([a-z0-9A-Z]), dashes (-), underscores (_), and dots (.), but must begin and end with an alphanumeric character.\n\n> Annotation values must be 255 characters or less. \n\nAnnotations can be added or modified at any time. Each resource can have multiple annotations.",
+      "Labels": "Key-value pairs used to identify, sort, and organize cube resources. Can contain up to 63 uppercase letters, lowercase letters, numbers, hyphens (-), and underscores (_). Labels can be added or modified at any time. Each resource can have multiple labels, but each key must be unique for a given object.",
+      "Namespace": "The namespace of the Amazon EKS cluster. In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. Names of resources need to be unique within a namespace, but not across namespaces. AWS Batch places Batch Job pods in this namespace. If this field is provided, the value can't be empty or null. It must meet the following requirements:\n\n- 1-63 characters long\n- Can't be set to default\n- Can't start with `kube`\n- Must match the following regular expression: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`\n\nFor more information, see [Namespaces](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) in the *Kubernetes documentation* . This namespace can be different from the `kubernetesNamespace` set in the compute environment's `EksConfiguration` , but must have identical role-based access control (RBAC) roles as the compute environment's `kubernetesNamespace` . For multi-node parallel jobs, the same value must be provided across all the node ranges."
+    },
     "AWS::Batch::JobDefinition EksPersistentVolumeClaim": {
       "ClaimName": "The name of the `persistentVolumeClaim` bounded to a `persistentVolume` . For more information, see [Persistent Volume Claims](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) in the *Kubernetes documentation* .",
       "ReadOnly": "An optional boolean value indicating if the mount is read only. Default is false. For more information, see [Read Only Mounts](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/#read-only-mounts) in the *Kubernetes documentation* ."
@@ -4996,6 +5010,7 @@
       "HostPath": "Specifies the configuration of a Kubernetes `hostPath` volume. For more information, see [hostPath](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) in the *Kubernetes documentation* .",
       "Name": "The name of the volume. The name must be allowed as a DNS subdomain name. For more information, see [DNS subdomain names](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names) in the *Kubernetes documentation* .",
       "PersistentVolumeClaim": "Specifies the configuration of a Kubernetes `persistentVolumeClaim` bounded to a `persistentVolume` . For more information, see [Persistent Volume Claims](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) in the *Kubernetes documentation* .",
+      "PersistentVolumeClaim": "Specifies the configuration of a Kubernetes `persistentVolumeClaim` bounded to a `persistentVolume` . For more information, see [Persistent Volume Claims](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) in the *Kubernetes documentation* .",
       "Secret": "Specifies the configuration of a Kubernetes `secret` volume. For more information, see [secret](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/#secret) in the *Kubernetes documentation* ."
     },
     "AWS::Batch::JobDefinition Environment": {
@@ -5063,9 +5078,31 @@
       "User": "The user name to use inside the container. This parameter maps to `User` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--user` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .",
       "Vcpus": "This parameter is deprecated, use `resourceRequirements` to specify the vCPU requirements for the job definition. It's not supported for jobs running on Fargate resources. For jobs running on Amazon EC2 resources, it specifies the number of vCPUs reserved for the job.\n\nEach vCPU is equivalent to 1,024 CPU shares. This parameter maps to `CpuShares` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--cpu-shares` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . The number of vCPUs must be specified but can be specified in several places. You must specify it at least once for each node.",
       "Volumes": "A list of data volumes used in a job."
+      "Command": "The command that's passed to the container. This parameter maps to `Cmd` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `COMMAND` parameter to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . For more information, see [https://docs.docker.com/engine/reference/builder/#cmd](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/builder/#cmd) .",
+      "Environment": "The environment variables to pass to a container. This parameter maps to `Env` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--env` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> We don't recommend using plaintext environment variables for sensitive information, such as credential data. > Environment variables cannot start with \" `AWS_BATCH` \". This naming convention is reserved for variables that AWS Batch sets.",
+      "EphemeralStorage": "The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate .",
+      "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role that AWS Batch can assume. For jobs that run on Fargate resources, you must provide an execution role. For more information, see [AWS Batch execution IAM role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html) in the *AWS Batch User Guide* .",
+      "Image": "Required. The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr.<region-name>.amazonaws.com/<repository-name>` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).",
+      "InstanceType": "The instance type to use for a multi-node parallel job. All node groups in a multi-node parallel job must use the same instance type.\n\n> This parameter isn't applicable to single-node container jobs or jobs that run on Fargate resources, and shouldn't be provided.",
+      "JobRoleArn": "The Amazon Resource Name (ARN) of the IAM role that the container can assume for AWS permissions. For more information, see [IAM roles for tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide* .",
+      "LinuxParameters": "Linux-specific modifications that are applied to the container, such as details for device mappings.",
+      "LogConfiguration": "The log configuration specification for the container.\n\nThis parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--log-driver` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . By default, containers use the same logging driver that the Docker daemon uses. However the container might use a different logging driver than the Docker daemon by specifying a log driver with this parameter in the container definition. To use a different logging driver for a container, the log system must be configured properly on the container instance (or on a different log server for remote logging options). For more information on the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\n> AWS Batch currently supports a subset of the logging drivers available to the Docker daemon (shown in the [LogConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-batch-jobdefinition-containerproperties-logconfiguration.html) data type). \n\nThis parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version | grep \"Server API version\"`\n\n> The Amazon ECS container agent running on a container instance must register the logging drivers available on that instance with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. 
For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .",
+      "Memory": "This parameter is deprecated, use `resourceRequirements` to specify the memory requirements for the job definition. It's not supported for jobs running on Fargate resources. For jobs that run on Amazon EC2 resources, it specifies the memory hard limit (in MiB) for a container. If your container attempts to exceed the specified number, it's terminated. You must specify at least 4 MiB of memory for a job using this parameter. The memory hard limit can be specified in several places. It must be specified for each node at least once.",
+      "MountPoints": "The mount points for data volumes in your container.\n\nThis parameter maps to `Volumes` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the [--volume](https://docs.aws.amazon.com/) option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\nWindows containers can mount whole directories on the same drive as `$env:ProgramData` . Windows containers can't mount directories on a different drive, and mount point can't be across drives.",
+      "Privileged": "When this parameter is true, the container is given elevated permissions on the host container instance (similar to the `root` user). This parameter maps to `Privileged` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--privileged` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . The default value is false.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided, or specified as false.",
+      "ReadonlyRootFilesystem": "When this parameter is true, the container is given read-only access to its root file system. This parameter maps to `ReadonlyRootfs` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--read-only` option to `docker run` .",
+      "RepositoryCredentials": "The private repository authentication credentials to use.",
+      "ResourceRequirements": "The type and amount of resources to assign to a container. The supported resources include `GPU` , `MEMORY` , and `VCPU` .",
+      "RuntimePlatform": "An object that represents the compute environment architecture for AWS Batch jobs on Fargate.",
+      "Secrets": "The secrets for the container. For more information, see [Specifying sensitive data](https://docs.aws.amazon.com/batch/latest/userguide/specifying-sensitive-data.html) in the *AWS Batch User Guide* .",
+      "Ulimits": "A list of `ulimits` to set in the container. This parameter maps to `Ulimits` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--ulimit` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided.",
+      "User": "The user name to use inside the container. This parameter maps to `User` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--user` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .",
+      "Vcpus": "This parameter is deprecated, use `resourceRequirements` to specify the vCPU requirements for the job definition. It's not supported for jobs running on Fargate resources. For jobs running on Amazon EC2 resources, it specifies the number of vCPUs reserved for the job.\n\nEach vCPU is equivalent to 1,024 CPU shares. This parameter maps to `CpuShares` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--cpu-shares` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . The number of vCPUs must be specified but can be specified in several places. You must specify it at least once for each node.",
+      "Volumes": "A list of data volumes used in a job."
     },
     "AWS::Batch::JobDefinition MultiNodeEcsProperties": {
       "TaskProperties": "An object that contains the properties for the Amazon ECS task definition of a job.\n\n> This object is currently limited to one task element. However, the task element can run up to 10 containers."
+      "TaskProperties": "An object that contains the properties for the Amazon ECS task definition of a job.\n\n> This object is currently limited to one task element. However, the task element can run up to 10 containers."
     },
     "AWS::Batch::JobDefinition MultiNodeEcsTaskProperties": {
       "Containers": "This object is a list of containers.",
@@ -5074,6 +5111,12 @@
       "PidMode": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the Docker run reference.",
       "TaskRoleArn": "The Amazon Resource Name (ARN) that's associated with the Amazon ECS task.\n\n> This is object is comparable to [ContainerProperties:jobRoleArn](https://docs.aws.amazon.com/batch/latest/APIReference/API_ContainerProperties.html) .",
       "Volumes": "A list of volumes that are associated with the job."
+      "Containers": "This object is a list of containers.",
+      "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role that AWS Batch can assume. For jobs that run on Fargate resources, you must provide an execution role. For more information, see [AWS Batch execution IAM role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html) in the *AWS Batch User Guide* .",
+      "IpcMode": "The IPC resource namespace to use for the containers in the task. The valid values are `host` , `task` , or `none` .\n\nIf `host` is specified, all containers within the tasks that specified the `host` IPC mode on the same container instance share the same IPC resources with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified `task` share the same IPC resources.\n\nIf `none` is specified, the IPC resources within the containers of a task are private, and are not shared with other containers in a task or on the container instance.\n\nIf no value is specified, then the IPC resource namespace sharing depends on the Docker daemon setting on the container instance. For more information, see [IPC settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#ipc-settings---ipc) in the Docker run reference.",
+      "PidMode": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the Docker run reference.",
+      "TaskRoleArn": "The Amazon Resource Name (ARN) that's associated with the Amazon ECS task.\n\n> This is object is comparable to [ContainerProperties:jobRoleArn](https://docs.aws.amazon.com/batch/latest/APIReference/API_ContainerProperties.html) .",
+      "Volumes": "A list of volumes that are associated with the job."
     },
     "AWS::Batch::JobDefinition NetworkConfiguration": {
       "AssignPublicIp": "Indicates whether the job has a public IP address. For a job that's running on Fargate resources in a private subnet to send outbound traffic to the internet (for example, to pull container images), the private subnet requires a NAT gateway be attached to route requests to the internet. For more information, see [Amazon ECS task networking](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html) in the *Amazon Elastic Container Service Developer Guide* . The default value is \" `DISABLED` \"."
@@ -6007,6 +6050,8 @@
     "AWS::Bedrock::KnowledgeBase BedrockEmbeddingModelConfiguration": {
       "Dimensions": "The dimensions details for the vector configuration used on the Bedrock embeddings model.",
       "EmbeddingDataType": "The data type for the vectors when using a model to convert text into vector embeddings. The model must support the specified data type for vector embeddings. Floating-point (float32) is the default data type, and is supported by most models for vector embeddings. See [Supported embeddings models](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-supported.html) for information on the available models and their vector data types."
+      "Dimensions": "The dimensions details for the vector configuration used on the Bedrock embeddings model.",
+      "EmbeddingDataType": "The data type for the vectors when using a model to convert text into vector embeddings. The model must support the specified data type for vector embeddings. Floating-point (float32) is the default data type, and is supported by most models for vector embeddings. See [Supported embeddings models](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-supported.html) for information on the available models and their vector data types."
     },
     "AWS::Bedrock::KnowledgeBase CuratedQuery": {
       "NaturalLanguage": "An example natural language query.",
@@ -7140,8 +7185,8 @@
       "LogBucket": "Specifies the name of an S3 bucket to store the Guard output report. This report contains the results of your Guard rule validations.",
       "Options": "Specifies the S3 location of your input parameters.",
       "RuleLocation": "Specifies the S3 location of your Guard rules.",
-      "StackFilters": "Specifies the stack level filters for the Hook.\n\nExample stack level filter in JSON:\n\n`\"StackFilters\": {\"FilteringCriteria\": \"ALL\", \"StackNames\": {\"Exclude\": [ \"stack-1\", \"stack-2\"]}}` \n\nExample stack level filter in YAML:\n\n`StackFilters: FilteringCriteria: ALL StackNames: Exclude: - stack-1 - stack-2`",
-      "TargetFilters": "Specifies the target filters for the Hook.\n\nExample target filter in JSON:\n\n`\"TargetFilters\": {\"Actions\": [ \"Create\", \"Update\", \"Delete\" ]}` \n\nExample target filter in YAML:\n\n`TargetFilters: Actions: - CREATE - UPDATE - DELETE`",
+      "StackFilters": "Specifies the stack level filters for the Hook.",
+      "TargetFilters": "Specifies the target filters for the Hook.",
       "TargetOperations": "Specifies the list of operations the Hook is run against. For more information, see [Hook targets](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-concepts.html#hook-terms-hook-target) in the *AWS CloudFormation Hooks User Guide* .\n\nValid values: `STACK` | `RESOURCE` | `CHANGE_SET` | `CLOUD_CONTROL`"
     },
     "AWS::CloudFormation::GuardHook Options": {
@@ -7199,8 +7244,8 @@
       "FailureMode": "Specifies how the Hook responds when the Lambda function invoked by the Hook returns a `FAILED` response.\n\n- `FAIL` : Prevents the action from proceeding. This is helpful for enforcing strict compliance or security policies.\n- `WARN` : Issues warnings to users but allows actions to continue. This is useful for non-critical validations or informational checks.",
       "HookStatus": "Specifies if the Hook is `ENABLED` or `DISABLED` .",
       "LambdaFunction": "Specifies the Lambda function for the Hook. You can use:\n\n- The full Amazon Resource Name (ARN) without a suffix.\n- A qualified ARN with a version or alias suffix.",
-      "StackFilters": "Specifies the stack level filters for the Hook.\n\nExample stack level filter in JSON:\n\n`\"StackFilters\": {\"FilteringCriteria\": \"ALL\", \"StackNames\": {\"Exclude\": [ \"stack-1\", \"stack-2\"]}}` \n\nExample stack level filter in YAML:\n\n`StackFilters: FilteringCriteria: ALL StackNames: Exclude: - stack-1 - stack-2`",
-      "TargetFilters": "Specifies the target filters for the Hook.\n\nExample target filter in JSON:\n\n`\"TargetFilters\": {\"Actions\": [ \"Create\", \"Update\", \"Delete\" ]}` \n\nExample target filter in YAML:\n\n`TargetFilters: Actions: - CREATE - UPDATE - DELETE`",
+      "StackFilters": "Specifies the stack level filters for the Hook.",
+      "TargetFilters": "Specifies the target filters for the Hook.",
       "TargetOperations": "Specifies the list of operations the Hook is run against. For more information, see [Hook targets](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-concepts.html#hook-terms-hook-target) in the *AWS CloudFormation Hooks User Guide* .\n\nValid values: `STACK` | `RESOURCE` | `CHANGE_SET` | `CLOUD_CONTROL`"
     },
     "AWS::CloudFormation::LambdaHook StackFilters": {
@@ -7609,6 +7654,8 @@
       "OriginShield": "CloudFront Origin Shield. Using Origin Shield can help reduce the load on your origin.\n\nFor more information, see [Using Origin Shield](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html) in the *Amazon CloudFront Developer Guide* .",
       "S3OriginConfig": "Use this type to specify an origin that is an Amazon S3 bucket that is not configured with static website hosting. To specify any other type of origin, including an Amazon S3 bucket that is configured with static website hosting, use the `CustomOriginConfig` type instead.",
       "VpcOriginConfig": "The VPC origin configuration."
+      "S3OriginConfig": "Use this type to specify an origin that is an Amazon S3 bucket that is not configured with static website hosting. To specify any other type of origin, including an Amazon S3 bucket that is configured with static website hosting, use the `CustomOriginConfig` type instead.",
+      "VpcOriginConfig": "The VPC origin configuration."
     },
     "AWS::CloudFront::Distribution OriginCustomHeader": {
       "HeaderName": "The name of a header that you want CloudFront to send to your origin. For more information, see [Adding Custom Headers to Origin Requests](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html) in the *Amazon CloudFront Developer Guide* .",
@@ -7659,6 +7706,12 @@
       "MinimumProtocolVersion": "If the distribution uses `Aliases` (alternate domain names or CNAMEs), specify the security policy that you want CloudFront to use for HTTPS connections with viewers. The security policy determines two settings:\n\n- The minimum SSL/TLS protocol that CloudFront can use to communicate with viewers.\n- The ciphers that CloudFront can use to encrypt the content that it returns to viewers.\n\nFor more information, see [Security Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy) and [Supported Protocols and Ciphers Between Viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers) in the *Amazon CloudFront Developer Guide* .\n\n> On the CloudFront console, this setting is called *Security Policy* . \n\nWhen you're using SNI only (you set `SSLSupportMethod` to `sni-only` ), you must specify `TLSv1` or higher. (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.)\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` (you set `CloudFrontDefaultCertificate` to `true` ), CloudFront automatically sets the security policy to `TLSv1` regardless of the value that you set here.",
       "SslSupportMethod": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field."
     },
+    "AWS::CloudFront::Distribution VpcOriginConfig": {
+      "OriginKeepaliveTimeout": "Specifies how long, in seconds, CloudFront persists its connection to the origin. The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 5 seconds.\n\nFor more information, see [Keep-alive timeout (custom origins only)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginKeepaliveTimeout) in the *Amazon CloudFront Developer Guide* .",
+      "OriginReadTimeout": "Specifies how long, in seconds, CloudFront waits for a response from the origin. This is also known as the *origin response timeout* . The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 30 seconds.\n\nFor more information, see [Response timeout (custom origins only)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginResponseTimeout) in the *Amazon CloudFront Developer Guide* .",
+      "VpcOriginId": "The VPC origin ID."
+      "SslSupportMethod": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field."
+    },
     "AWS::CloudFront::Distribution VpcOriginConfig": {
       "OriginKeepaliveTimeout": "Specifies how long, in seconds, CloudFront persists its connection to the origin. The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 5 seconds.\n\nFor more information, see [Keep-alive timeout (custom origins only)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginKeepaliveTimeout) in the *Amazon CloudFront Developer Guide* .",
       "OriginReadTimeout": "Specifies how long, in seconds, CloudFront waits for a response from the origin. This is also known as the *origin response timeout* . The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 30 seconds.\n\nFor more information, see [Response timeout (custom origins only)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginResponseTimeout) in the *Amazon CloudFront Developer Guide* .",
@@ -7896,6 +7949,22 @@
       "OriginProtocolPolicy": "The origin protocol policy for the CloudFront VPC origin endpoint configuration.",
       "OriginSSLProtocols": ""
     },
+    "AWS::CloudFront::VpcOrigin": {
+      "Tags": "A complex type that contains zero or more `Tag` elements.",
+      "VpcOriginEndpointConfig": "The VPC origin endpoint configuration."
+    },
+    "AWS::CloudFront::VpcOrigin Tag": {
+      "Key": "A string that contains `Tag` key.\n\nThe string length should be between 1 and 128 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` .",
+      "Value": "A string that contains an optional `Tag` value.\n\nThe string length should be between 0 and 256 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` ."
+    },
+    "AWS::CloudFront::VpcOrigin VpcOriginEndpointConfig": {
+      "Arn": "The ARN of the CloudFront VPC origin endpoint configuration.",
+      "HTTPPort": "The HTTP port for the CloudFront VPC origin endpoint configuration. The default value is `80` .",
+      "HTTPSPort": "The HTTPS port of the CloudFront VPC origin endpoint configuration. The default value is `443` .",
+      "Name": "The name of the CloudFront VPC origin endpoint configuration.",
+      "OriginProtocolPolicy": "The origin protocol policy for the CloudFront VPC origin endpoint configuration.",
+      "OriginSSLProtocols": ""
+    },
     "AWS::CloudTrail::Channel": {
       "Destinations": "One or more event data stores to which events arriving through a channel will be logged.",
       "Name": "The name of the channel.",
@@ -8425,7 +8494,8 @@
     "AWS::CodeBuild::Project WebhookFilter": {
       "ExcludeMatchedPattern": "Used to indicate that the `pattern` determines which webhook events do not trigger a build. If true, then a webhook event that does not match the `pattern` triggers a build. If false, then a webhook event that matches the `pattern` triggers a build.",
       "Pattern": "For a `WebHookFilter` that uses `EVENT` type, a comma-separated string that specifies one or more events. For example, the webhook filter `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` allows all push, pull request created, and pull request updated events to trigger a build.\n\nFor a `WebHookFilter` that uses any of the other filter types, a regular expression pattern. For example, a `WebHookFilter` that uses `HEAD_REF` for its `type` and the pattern `^refs/heads/` triggers a build when the head reference is a branch with a reference name `refs/heads/branch-name` .",
-      "Type": "The type of webhook filter. There are 11 webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , `REPOSITORY_NAME` , `ORGANIZATION_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . 
For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with push and pull request events only.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with push and pull request events only.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression `pattern` .\n\n> Works with GitHub global or organization webhooks only.\n- ORGANIZATION_NAME\n\n- A webhook triggers a build when the organization name matches the regular expression `pattern` .\n\n> Works with GitHub global webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name."
+      "Type": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name."
+      "Type": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name."
     },
     "AWS::CodeBuild::ReportGroup": {
       "DeleteReports": "When deleting a report group, specifies if reports within the report group should be deleted.\n\n- **true** - Deletes any reports that belong to the report group before deleting the report group.\n- **false** - You must delete any reports in the report group. This is the default value. If you delete a report group that contains one or more reports, an exception is thrown.",
@@ -10899,6 +10969,7 @@
     "AWS::DLM::LifecyclePolicy EventSource": {
       "Parameters": "Information about the event.",
       "Type": "The source of the event. Currently only managed Amazon EventBridge (formerly known as Amazon CloudWatch) events are supported."
+      "Type": "The source of the event. Currently only managed Amazon EventBridge (formerly known as Amazon CloudWatch) events are supported."
     },
     "AWS::DLM::LifecyclePolicy Exclusions": {
       "ExcludeBootVolumes": "*[Default policies for EBS snapshots only]* Indicates whether to exclude volumes that are attached to instances as the boot volume. If you exclude boot volumes, only volumes attached as data (non-boot) volumes will be backed up by the policy. To exclude boot volumes, specify `true` .",
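Review bot: The added `"Type"` line in `AWS::DLM::LifecyclePolicy EventSource` repeats the context line directly above it, and neither line ends in a comma, so the patched object has two adjacent members with no separator and the file no longer parses as JSON. The `@@ -15259,8 +15333,7 @@` hunk has the same problem: the added `"Tags": "The tags to associate with the service."` has no trailing comma before the existing `"Tags"` line. Many other hunks in this file add an exact duplicate of a neighbouring key (`"ConnectionIdentifier"`, `"CatalogName"`, `"AvailabilityZoneId"`, `"PortRanges"`, and the whole `AWS::EC2::VerifiedAccessEndpoint CidrOptions` object), which looks like a merge or regeneration artifact. Dropping the duplicated `+` lines and regenerating the file fixes it. A CI step that loads the file with a parser configured to reject duplicate keys would catch the comma-separated duplicates too, which lenient parsers accept silently.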
@@ -12178,17 +12249,12 @@
       "Value": "The value for an AWS resource tag."
     },
     "AWS::DataSync::LocationSMB": {
-      "AgentArns": "Specifies the DataSync agent (or agents) that can connect to your SMB file server. You specify an agent by using its Amazon Resource Name (ARN).",
-      "AuthenticationType": "Specifies the authentication protocol that DataSync uses to connect to your SMB file server. DataSync supports `NTLM` (default) and `KERBEROS` authentication.\n\nFor more information, see [Providing DataSync access to SMB file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) .",
-      "DnsIpAddresses": "Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `KERBEROS` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.",
+      "AgentArns": "The Amazon Resource Names (ARNs) of agents to use for a Server Message Block (SMB) location.",
       "Domain": "Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.",
-      "KerberosKeytab": "Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys.\n\nThe file must be base64 encoded.\n\nTo avoid task execution errors, make sure that the Kerberos principal that you use to create the keytab file matches exactly what you specify for `KerberosPrincipal` .",
-      "KerberosKrb5Conf": "Specifies a Kerberos configuration file ( `krb5.conf` ) that defines your Kerberos realm configuration.\n\nThe file must be base64 encoded.",
-      "KerberosPrincipal": "Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.\n\nA Kerberos principal might look like `HOST/kerberosuser@MYDOMAIN.ORG` .\n\nPrincipal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn\u2019t exactly match the principal that you use to create the keytab file.",
       "MountOptions": "Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.",
-      "Password": "Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer. This parameter applies only if `AuthenticationType` is set to `NTLM` .",
-      "ServerHostname": "Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
-      "Subdirectory": "Specifies the name of the share exported by your SMB file server where DataSync will read or write data. You can include a subdirectory in the share path (for example, `/path/to/subdirectory` ). Make sure that other SMB clients in your network can also mount this path.\n\nTo copy all data in the subdirectory, DataSync must be able to mount the SMB share and access all of its data. For more information, see [Providing DataSync access to SMB file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) .",
+      "Password": "The password of the user who can mount the share and has the permissions to access files and folders in the SMB share.",
+      "ServerHostname": "Specifies the domain name or IP address of the SMB file server that your DataSync agent will mount.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
+      "Subdirectory": "The subdirectory in the SMB file system that is used to read data from the SMB source location or write data to the SMB destination. The SMB path should be a path that's exported by the SMB server, or a subdirectory of that path. The path should be such that it can be mounted by other SMB clients in your network.\n\n> `Subdirectory` must be specified with forward slashes. For example, `/path/to/folder` . \n\nTo transfer all the data in the folder you specified, DataSync must have permissions to mount the SMB share, as well as to access all the data in that share. To ensure this, either make sure that the user name and password specified belongs to the user who can mount the share, and who has the appropriate permissions for all of the files and directories that you want DataSync to access, or use credentials of a member of the Backup Operators group to mount the share. Doing either one enables the agent to access the data. For the agent to access directories, you must additionally enable all execute access.",
       "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.",
       "User": "Specifies the user that can mount and access the files, folders, and file metadata in your SMB file server. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nFor information about choosing a user with the right level of access for your transfer, see [Providing DataSync access to SMB file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) ."
     },
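Review bot: The `Domain` and `User` descriptions kept in `AWS::DataSync::LocationSMB` still say they apply only when `AuthenticationType` is `NTLM`, and the new `ServerHostname` text still mentions Kerberos authentication, but this hunk removes the `AuthenticationType`, `DnsIpAddresses`, `KerberosKeytab`, `KerberosKrb5Conf` and `KerberosPrincipal` entries those sentences depend on. The replacement wording for `AgentArns`, `Password` and `Subdirectory` reads like an earlier revision of the same docs, so this is probably a regeneration from a stale source rather than an intended change. That is an inference, but the hunk is also unrelated to the Function URL feature named in the commit subject. Restoring the removed entries, or regenerating from the current upstream documentation, keeps the authentication options for this resource fully described.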
@@ -12452,6 +12518,7 @@
       "AssetFormsInput": "The metadata forms attached to the assets that the data source works with.",
       "Configuration": "The configuration of the data source.",
       "ConnectionIdentifier": "",
+      "ConnectionIdentifier": "",
       "Description": "The description of the data source.",
       "DomainIdentifier": "The ID of the Amazon DataZone domain where the data source is created.",
       "EnableSetting": "Specifies whether the data source is enabled.",
@@ -12481,6 +12548,7 @@
     "AWS::DataZone::DataSource GlueRunConfigurationInput": {
       "AutoImportDataQualityResult": "Specifies whether to automatically import data quality metrics as part of the data source run.",
       "CatalogName": "",
+      "CatalogName": "",
       "DataAccessRole": "The data access role included in the configuration details of the AWS Glue data source.",
       "RelationalFilterConfigurations": "The relational filter configurations included in the configuration details of the AWS Glue data source."
     },
@@ -13338,11 +13406,13 @@
     "AWS::EC2::CapacityReservation": {
       "AvailabilityZone": "The Availability Zone in which to create the Capacity Reservation.",
       "AvailabilityZoneId": "The Availability Zone ID of the Capacity Reservation.",
+      "AvailabilityZoneId": "The Availability Zone ID of the Capacity Reservation.",
       "EbsOptimized": "Indicates whether the Capacity Reservation supports EBS-optimized instances. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS- optimized instance.",
       "EndDate": "The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is released and you can no longer launch instances into it. The Capacity Reservation's state changes to `expired` when it reaches its end date and time.\n\nYou must provide an `EndDate` value if `EndDateType` is `limited` . Omit `EndDate` if `EndDateType` is `unlimited` .\n\nIf the `EndDateType` is `limited` , the Capacity Reservation is cancelled within an hour from the specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019.\n\nIf you are requesting a future-dated Capacity Reservation, you can't specify an end date and time that is within the commitment duration.",
       "EndDateType": "Indicates the way in which the Capacity Reservation ends. A Capacity Reservation can have one of the following end types:\n\n- `unlimited` - The Capacity Reservation remains active until you explicitly cancel it. Do not provide an `EndDate` if the `EndDateType` is `unlimited` .\n- `limited` - The Capacity Reservation expires automatically at a specified date and time. You must provide an `EndDate` value if the `EndDateType` value is `limited` .",
       "EphemeralStorage": "*Deprecated.*",
       "InstanceCount": "The number of instances for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for an instance count with a minimum of 100 vCPUs. For example, if you request a future-dated Capacity Reservation for `m5.xlarge` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). \n\nValid range: 1 - 1000",
+      "InstanceCount": "The number of instances for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for an instance count with a minimum of 100 vCPUs. For example, if you request a future-dated Capacity Reservation for `m5.xlarge` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). \n\nValid range: 1 - 1000",
       "InstanceMatchCriteria": "Indicates the type of instance launches that the Capacity Reservation accepts. The options include:\n\n- `open` - The Capacity Reservation automatically matches all instances that have matching attributes (instance type, platform, and Availability Zone). Instances that have matching attributes run in the Capacity Reservation automatically without specifying any additional parameters.\n- `targeted` - The Capacity Reservation only accepts instances that have matching attributes (instance type, platform, and Availability Zone), and explicitly target the Capacity Reservation. This ensures that only permitted instances can use the reserved capacity.\n\n> If you are requesting a future-dated Capacity Reservation, you must specify `targeted` . \n\nDefault: `open`",
       "InstancePlatform": "The type of operating system for which to reserve capacity.",
       "InstanceType": "The instance type for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for instance types in the C, M, R, I, and T instance families only. \n\nFor more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide* .",
@@ -13419,6 +13489,7 @@
       "ConnectionLogOptions": "Information about the client connection logging options.\n\nIf you enable client connection logging, data about client connections is sent to a Cloudwatch Logs log stream. The following information is logged:\n\n- Client connection requests\n- Client connection results (successful and unsuccessful)\n- Reasons for unsuccessful client connection requests\n- Client connection termination time",
       "Description": "A brief description of the Client VPN endpoint.",
       "DisconnectOnSessionTimeout": "Indicates whether the client VPN session is disconnected after the maximum `sessionTimeoutHours` is reached. If `true` , users are prompted to reconnect client VPN. If `false` , client VPN attempts to reconnect automatically. The default value is `false` .",
+      "DisconnectOnSessionTimeout": "Indicates whether the client VPN session is disconnected after the maximum `sessionTimeoutHours` is reached. If `true` , users are prompted to reconnect client VPN. If `false` , client VPN attempts to reconnect automatically. The default value is `false` .",
       "DnsServers": "Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address configured on the device is used for the DNS server.",
       "SecurityGroupIds": "The IDs of one or more security groups to apply to the target network. You must also specify the ID of the VPC that contains the security groups.",
       "SelfServicePortal": "Specify whether to enable the self-service portal for the Client VPN endpoint.\n\nDefault Value: `enabled`",
@@ -13827,6 +13898,7 @@
       "CpuOptions": "The CPU options for the instance. For more information, see [Optimize CPU options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html) in the *Amazon Elastic Compute Cloud User Guide* .",
       "CreditSpecification": "The credit option for CPU usage of the burstable performance instance. Valid values are `standard` and `unlimited` . To change this attribute after launch, use [ModifyInstanceCreditSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html) . For more information, see [Burstable performance instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) in the *Amazon EC2 User Guide* .\n\nDefault: `standard` (T2 instances) or `unlimited` (T3/T3a/T4g instances)\n\nFor T3 instances with `host` tenancy, only `standard` is supported.",
       "DisableApiTermination": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
+      "DisableApiTermination": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
       "EbsOptimized": "Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance.\n\nDefault: `false`",
       "ElasticGpuSpecifications": "An elastic GPU to associate with the instance.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024.",
       "ElasticInferenceAccelerators": "An elastic inference accelerator to associate with the instance.\n\n> Amazon Elastic Inference is no longer available.",
@@ -14114,7 +14186,7 @@
       "CapacityReservationSpecification": "The Capacity Reservation targeting option. If you do not specify this parameter, the instance's Capacity Reservation preference defaults to `open` , which enables it to run in any open Capacity Reservation that has matching attributes (instance type, platform, Availability Zone).",
       "CpuOptions": "The CPU options for the instance. For more information, see [CPU options for Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html) in the *Amazon EC2 User Guide* .",
       "CreditSpecification": "The credit option for CPU usage of the instance. Valid only for T instances.",
-      "DisableApiStop": "Indicates whether to enable the instance for stop protection. For more information, see [Enable stop protection for your EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-stop-protection.html) in the *Amazon EC2 User Guide* .",
+      "DisableApiStop": "Indicates whether to enable the instance for stop protection. For more information, see [Enable stop protection for your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-stop-protection.html) in the *Amazon EC2 User Guide* .",
       "DisableApiTermination": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
       "EbsOptimized": "Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance.",
       "ElasticGpuSpecifications": "Deprecated.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024.",
@@ -15215,6 +15287,7 @@
       "Ipv4NetmaskLength": "The netmask length of the IPv4 CIDR you would like to associate from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .",
       "Ipv6CidrBlock": "An IPv6 CIDR block from the IPv6 address pool. You must also specify `Ipv6Pool` in the request.\n\nTo let Amazon choose the IPv6 CIDR block for you, omit this parameter.",
       "Ipv6CidrBlockNetworkBorderGroup": "The name of the location from which we advertise the IPV6 CIDR block. Use this parameter to limit the CIDR block to this location.\n\nYou must set `AmazonProvidedIpv6CidrBlock` to `true` to use this parameter.\n\nYou can have one IPv6 CIDR block association per network border group.",
+      "Ipv6CidrBlockNetworkBorderGroup": "The name of the location from which we advertise the IPV6 CIDR block. Use this parameter to limit the CIDR block to this location.\n\nYou must set `AmazonProvidedIpv6CidrBlock` to `true` to use this parameter.\n\nYou can have one IPv6 CIDR block association per network border group.",
       "Ipv6IpamPoolId": "Associates a CIDR allocated from an IPv6 IPAM pool to a VPC. For more information about Amazon VPC IP Address Manager (IPAM), see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .",
       "Ipv6NetmaskLength": "The netmask length of the IPv6 CIDR you would like to associate from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .",
       "Ipv6Pool": "The ID of an IPv6 address pool from which to allocate the IPv6 CIDR block.",
@@ -15236,6 +15309,7 @@
       "ServiceNetworkArn": "The Amazon Resource Name (ARN) of the service network.",
       "SubnetIds": "The IDs of the subnets in which to create endpoint network interfaces. You must specify this property for an interface endpoint or a Gateway Load Balancer endpoint. You can't specify this property for a gateway endpoint. For a Gateway Load Balancer endpoint, you can specify only one subnet.",
       "Tags": "The tags to associate with the endpoint.",
+      "Tags": "The tags to associate with the endpoint.",
       "VpcEndpointType": "The type of endpoint.\n\nDefault: Gateway",
       "VpcId": "The ID of the VPC."
     },
@@ -15259,8 +15333,7 @@
       "GatewayLoadBalancerArns": "The Amazon Resource Names (ARNs) of the Gateway Load Balancers.",
       "NetworkLoadBalancerArns": "The Amazon Resource Names (ARNs) of the Network Load Balancers.",
       "PayerResponsibility": "The entity that is responsible for the endpoint costs. The default is the endpoint owner. If you set the payer responsibility to the service owner, you cannot set it back to the endpoint owner.",
-      "SupportedIpAddressTypes": "The supported IP address types. The possible values are `ipv4` and `ipv6` .",
-      "SupportedRegions": "The Regions from which service consumers can access the service.",
+      "Tags": "The tags to associate with the service."
       "Tags": "The tags to associate with the service."
     },
     "AWS::EC2::VPCEndpointService Tag": {
@@ -15381,6 +15454,7 @@
       "ApplicationDomain": "The DNS name for users to reach your application.",
       "AttachmentType": "The type of attachment used to provide connectivity between the AWS Verified Access endpoint and the application.",
       "CidrOptions": "The options for a CIDR endpoint.",
+      "CidrOptions": "The options for a CIDR endpoint.",
       "Description": "A description for the AWS Verified Access endpoint.",
       "DomainCertificateArn": "The ARN of a public TLS/SSL certificate imported into or created with ACM.",
       "EndpointDomainPrefix": "A custom identifier that is prepended to the DNS name that is generated for the endpoint.",
@@ -15390,6 +15464,7 @@
       "PolicyDocument": "The Verified Access policy document.",
       "PolicyEnabled": "The status of the Verified Access policy.",
       "RdsOptions": "The options for an RDS endpoint.",
+      "RdsOptions": "The options for an RDS endpoint.",
       "SecurityGroupIds": "The IDs of the security groups for the endpoint.",
       "SseSpecification": "The options for additional server side encryption.",
       "Tags": "The tags.",
@@ -15401,10 +15476,17 @@
       "Protocol": "The protocol.",
       "SubnetIds": "The IDs of the subnets."
     },
+    "AWS::EC2::VerifiedAccessEndpoint CidrOptions": {
+      "Cidr": "The CIDR.",
+      "PortRanges": "The port ranges.",
+      "Protocol": "The protocol.",
+      "SubnetIds": "The IDs of the subnets."
+    },
     "AWS::EC2::VerifiedAccessEndpoint LoadBalancerOptions": {
       "LoadBalancerArn": "The ARN of the load balancer.",
       "Port": "The IP port number.",
       "PortRanges": "The port ranges.",
+      "PortRanges": "The port ranges.",
       "Protocol": "The IP protocol.",
       "SubnetIds": "The IDs of the subnets. You can specify only one subnet per Availability Zone."
     },
@@ -15412,6 +15494,7 @@
       "NetworkInterfaceId": "The ID of the network interface.",
       "Port": "The IP port number.",
       "PortRanges": "The port ranges.",
+      "PortRanges": "The port ranges.",
       "Protocol": "The IP protocol."
     },
     "AWS::EC2::VerifiedAccessEndpoint PortRange": {
@@ -15425,7 +15508,7 @@
       "RdsDbInstanceArn": "The ARN of the RDS instance.",
       "RdsDbProxyArn": "The ARN of the RDS proxy.",
       "RdsEndpoint": "The RDS endpoint.",
-      "SubnetIds": "The IDs of the subnets. You can specify only one subnet per Availability Zone."
+      "SubnetIds": "The IDs of the subnets."
     },
     "AWS::EC2::VerifiedAccessEndpoint SseSpecification": {
       "CustomerManagedKeyEnabled": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`",
@@ -15452,6 +15535,7 @@
       "Value": "The tag value."
     },
     "AWS::EC2::VerifiedAccessInstance": {
+      "CidrEndpointsCustomSubDomain": "The custom subdomain.",
       "CidrEndpointsCustomSubDomain": "The custom subdomain.",
       "Description": "A description for the AWS Verified Access instance.",
       "FipsEnabled": "Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.",
@@ -15497,6 +15581,7 @@
       "DeviceOptions": "The options for device-identity trust provider.",
       "DeviceTrustProviderType": "The type of device-based trust provider.",
       "NativeApplicationOidcOptions": "The OpenID Connect (OIDC) options.",
+      "NativeApplicationOidcOptions": "The OpenID Connect (OIDC) options.",
       "OidcOptions": "The options for an OpenID Connect-compatible user-identity trust provider.",
       "PolicyReferenceName": "The identifier to be used when working with policy rules.",
       "SseSpecification": "The options for additional server side encryption.",
@@ -15518,6 +15603,16 @@
       "TokenEndpoint": "The token endpoint of the IdP.",
       "UserInfoEndpoint": "The user info endpoint of the IdP."
     },
+    "AWS::EC2::VerifiedAccessTrustProvider NativeApplicationOidcOptions": {
+      "AuthorizationEndpoint": "The authorization endpoint of the IdP.",
+      "ClientId": "The OAuth 2.0 client identifier.",
+      "ClientSecret": "The OAuth 2.0 client secret.",
+      "Issuer": "The OIDC issuer identifier of the IdP.",
+      "PublicSigningKeyEndpoint": "The public signing key endpoint.",
+      "Scope": "The set of user claims to be requested from the IdP.",
+      "TokenEndpoint": "The token endpoint of the IdP.",
+      "UserInfoEndpoint": "The user info endpoint of the IdP."
+    },
     "AWS::EC2::VerifiedAccessTrustProvider OidcOptions": {
       "AuthorizationEndpoint": "The OIDC authorization endpoint.",
       "ClientId": "The client identifier.",
@@ -15731,8 +15826,8 @@
       "TaskSetId": "The short name or full Amazon Resource Name (ARN) of the task set to set as the primary task set in the deployment."
     },
     "AWS::ECS::Service": {
-      "AvailabilityZoneRebalancing": "Indicates whether to use Availability Zone rebalancing for the service.\n\nFor more information, see [Balancing an Amazon ECS service across Availability Zones](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html) in the **Amazon Elastic Container Service Developer Guide** .",
-      "CapacityProviderStrategy": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy can contain a maximum of 20 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
+      "AvailabilityZoneRebalancing": "Indicates whether to use Availability Zone rebalancing for the service.\n\nFor more information, see [Balancing an Amazon ECS service across Availability Zones](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html) in the *Amazon Elastic Container Service Developer Guide* .",
+      "CapacityProviderStrategy": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy may contain a maximum of 6 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
       "Cluster": "The short name or full Amazon Resource Name (ARN) of the cluster that you run your service on. If you do not specify a cluster, the default cluster is assumed.",
       "DeploymentConfiguration": "Optional deployment parameters that control how many tasks run during the deployment and the ordering of stopping and starting tasks.",
       "DeploymentController": "The deployment controller to use for the service. If no deployment controller is specified, the default value of `ECS` is used.",
@@ -15742,9 +15837,12 @@
       "HealthCheckGracePeriodSeconds": "The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing, VPC Lattice, and container health checks after a task has first started. If you don't specify a health check grace period value, the default value of `0` is used. If you don't use any of the health checks, then `healthCheckGracePeriodSeconds` is unused.\n\nIf your service's tasks take a while to start and respond to health checks, you can specify a health check grace period of up to 2,147,483,647 seconds (about 69 years). During that time, the Amazon ECS service scheduler ignores health check status. This grace period can prevent the service scheduler from marking tasks as unhealthy and stopping them before they have time to come up.",
       "LaunchType": "The launch type on which to run your service. For more information, see [Amazon ECS Launch Types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html) in the *Amazon Elastic Container Service Developer Guide* .",
       "LoadBalancers": "A list of load balancer objects to associate with the service. If you specify the `Role` property, `LoadBalancers` must be specified as well. For information about the number of load balancers that you can specify per service, see [Service Load Balancing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> To remove this property from your service resource, specify an empty `LoadBalancer` array.",
+      "LoadBalancers": "A list of load balancer objects to associate with the service. If you specify the `Role` property, `LoadBalancers` must be specified as well. For information about the number of load balancers that you can specify per service, see [Service Load Balancing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> To remove this property from your service resource, specify an empty `LoadBalancer` array.",
       "NetworkConfiguration": "The network configuration for the service. This parameter is required for task definitions that use the `awsvpc` network mode to receive their own elastic network interface, and it is not supported for other network modes. For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html) in the *Amazon Elastic Container Service Developer Guide* .",
       "PlacementConstraints": "An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.\n\n> To remove this property from your service resource, specify an empty `PlacementConstraint` array.",
       "PlacementStrategies": "The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.\n\n> To remove this property from your service resource, specify an empty `PlacementStrategy` array.",
+      "PlacementConstraints": "An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.\n\n> To remove this property from your service resource, specify an empty `PlacementConstraint` array.",
+      "PlacementStrategies": "The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.\n\n> To remove this property from your service resource, specify an empty `PlacementStrategy` array.",
       "PlatformVersion": "The platform version that your tasks in the service are running on. A platform version is specified only for tasks using the Fargate launch type. If one isn't specified, the `LATEST` platform version is used. For more information, see [AWS Fargate platform versions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html) in the *Amazon Elastic Container Service Developer Guide* .",
       "PropagateTags": "Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags aren't propagated. Tags can only be propagated to the task during task creation. To add tags to a task after task creation, use the [TagResource](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TagResource.html) API action.\n\nYou must set this to a value other than `NONE` when you use Cost Explorer. For more information, see [Amazon ECS usage reports](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/usage-reports.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nThe default is `NONE` .",
       "Role": "The name or full Amazon Resource Name (ARN) of the IAM role that allows Amazon ECS to make calls to your load balancer on your behalf. This parameter is only permitted if you are using a load balancer with your service and your task definition doesn't use the `awsvpc` network mode. If you specify the `role` parameter, you must also specify a load balancer object with the `loadBalancers` parameter.\n\n> If your account has already created the Amazon ECS service-linked role, that role is used for your service unless you specify a role here. The service-linked role is required if your task definition uses the `awsvpc` network mode or if the service is configured to use service discovery, an external deployment controller, multiple target groups, or Elastic Inference accelerators in which case you don't specify a role here. For more information, see [Using service-linked roles for Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html) in the *Amazon Elastic Container Service Developer Guide* . \n\nIf your specified role has a path other than `/` , then you must either specify the full role ARN (this is recommended) or prefix the role name with the path. For example, if a role with the name `bar` has a path of `/foo/` then you would specify `/foo/bar` as the role name. For more information, see [Friendly names and paths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) in the *IAM User Guide* .",
@@ -15752,9 +15850,11 @@
       "ServiceConnectConfiguration": "The configuration for this service to discover and connect to services, and be discovered by, and connected from, other services within a namespace.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .",
       "ServiceName": "The name of your service. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. Service names must be unique within a cluster, but you can have similarly named services in multiple clusters within a Region or across multiple Regions.\n\n> The stack update fails if you change any properties that require replacement and the `ServiceName` is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceName` must be unique in the cluster.",
       "ServiceRegistries": "The details of the service discovery registry to associate with this service. For more information, see [Service discovery](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html) .\n\n> Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty `ServiceRegistry` array.",
+      "ServiceRegistries": "The details of the service discovery registry to associate with this service. For more information, see [Service discovery](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html) .\n\n> Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty `ServiceRegistry` array.",
       "Tags": "The metadata that you apply to the service to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. When a service is deleted, the tags are deleted as well.\n\nThe following basic restrictions apply to tags:\n\n- Maximum number of tags per resource - 50\n- For each resource, each tag key must be unique, and each tag key can have only one value.\n- Maximum key length - 128 Unicode characters in UTF-8\n- Maximum value length - 256 Unicode characters in UTF-8\n- If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.\n- Tag keys and values are case-sensitive.\n- Do not use `aws:` , `AWS:` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.",
       "TaskDefinition": "The `family` and `revision` ( `family:revision` ) or full ARN of the task definition to run in your service. If a `revision` isn't specified, the latest `ACTIVE` revision is used.\n\nA task definition must be specified if the service uses either the `ECS` or `CODE_DEPLOY` deployment controllers.\n\nFor more information about deployment types, see [Amazon ECS deployment types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html) .",
       "VolumeConfigurations": "The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.\n\n> To remove this property from your service resource, specify an empty `ServiceVolumeConfiguration` array.",
+      "VolumeConfigurations": "The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.\n\n> To remove this property from your service resource, specify an empty `ServiceVolumeConfiguration` array.",
       "VpcLatticeConfigurations": "The VPC Lattice configuration for the service being created."
     },
     "AWS::ECS::Service AwsVpcConfiguration": {
@@ -16183,6 +16283,7 @@
       "LifecyclePolicies": "An array of `LifecyclePolicy` objects that define the file system's `LifecycleConfiguration` object. A `LifecycleConfiguration` object informs Lifecycle management of the following:\n\n- When to move files in the file system from primary storage to IA storage.\n- When to move files in the file system from primary storage or IA storage to Archive storage.\n- When to move files that are in IA or Archive storage to primary storage.\n\n> Amazon EFS requires that each `LifecyclePolicy` object have only a single transition. This means that in a request body, `LifecyclePolicies` needs to be structured as an array of `LifecyclePolicy` objects, one object for each transition, `TransitionToIA` , `TransitionToArchive` `TransitionToPrimaryStorageClass` . See the example requests in the following section for more information.",
       "PerformanceMode": "The performance mode of the file system. We recommend `generalPurpose` performance mode for all file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The `maxIO` mode is not supported on One Zone file systems.\n\n> Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. \n\nDefault is `generalPurpose` .",
       "ProvisionedThroughputInMibps": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .",
+      "ProvisionedThroughputInMibps": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .",
       "ReplicationConfiguration": "Describes the replication configuration for a specific file system.",
       "ThroughputMode": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's Provisioned throughput or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `bursting` ."
     },
@@ -16224,8 +16325,10 @@
       "ClusterName": "The name of your cluster.",
       "KubernetesGroups": "The value for `name` that you've specified for `kind: Group` as a `subject` in a Kubernetes `RoleBinding` or `ClusterRoleBinding` object. Amazon EKS doesn't confirm that the value for `name` exists in any bindings on your cluster. You can specify one or more names.\n\nKubernetes authorizes the `principalArn` of the access entry to access any cluster objects that you've specified in a Kubernetes `Role` or `ClusterRole` object that is also specified in a binding's `roleRef` . For more information about creating Kubernetes `RoleBinding` , `ClusterRoleBinding` , `Role` , or `ClusterRole` objects, see [Using RBAC Authorization in the Kubernetes documentation](https://docs.aws.amazon.com/https://kubernetes.io/docs/reference/access-authn-authz/rbac/) .\n\nIf you want Amazon EKS to authorize the `principalArn` (instead of, or in addition to Kubernetes authorizing the `principalArn` ), you can associate one or more access policies to the access entry using `AssociateAccessPolicy` . If you associate any access policies, the `principalARN` has all permissions assigned in the associated access policies and all permissions in any Kubernetes `Role` or `ClusterRole` objects that the group names are bound to.",
       "PrincipalArn": "The ARN of the IAM principal for the `AccessEntry` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.\n\nThe valid principals differ depending on the type of the access entry in the `type` field. For `STANDARD` access entries, you can use every IAM principal type. For nodes ( `EC2` (for EKS Auto Mode), `EC2_LINUX` , `EC2_WINDOWS` , `FARGATE_LINUX` , and `HYBRID_LINUX` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.\n\n[IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.",
+      "PrincipalArn": "The ARN of the IAM principal for the `AccessEntry` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.\n\nThe valid principals differ depending on the type of the access entry in the `type` field. For `STANDARD` access entries, you can use every IAM principal type. For nodes ( `EC2` (for EKS Auto Mode), `EC2_LINUX` , `EC2_WINDOWS` , `FARGATE_LINUX` , and `HYBRID_LINUX` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.\n\n[IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.",
       "Tags": "Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources.",
       "Type": "The type of the new access entry. Valid values are `STANDARD` , `FARGATE_LINUX` , `EC2_LINUX` , `EC2_WINDOWS` , `EC2` (for EKS Auto Mode), `HYBRID_LINUX` , and `HYPERPOD_LINUX` .\n\nIf the `principalArn` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify `EC2_LINUX` or `EC2_WINDOWS` . Amazon EKS grants the necessary permissions to the node for you. If the `principalArn` is for any other purpose, specify `STANDARD` . If you don't specify a value, Amazon EKS sets the value to `STANDARD` . If you have the access mode of the cluster set to `API_AND_CONFIG_MAP` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the `aws-auth` `ConfigMap` for the roles. You can't change this value once you've created the access entry.\n\nIf you set the value to `EC2_LINUX` or `EC2_WINDOWS` , you can't specify values for `kubernetesGroups` , or associate an `AccessPolicy` to the access entry.",
+      "Type": "The type of the new access entry. Valid values are `STANDARD` , `FARGATE_LINUX` , `EC2_LINUX` , `EC2_WINDOWS` , `EC2` (for EKS Auto Mode), `HYBRID_LINUX` , and `HYPERPOD_LINUX` .\n\nIf the `principalArn` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify `EC2_LINUX` or `EC2_WINDOWS` . Amazon EKS grants the necessary permissions to the node for you. If the `principalArn` is for any other purpose, specify `STANDARD` . If you don't specify a value, Amazon EKS sets the value to `STANDARD` . If you have the access mode of the cluster set to `API_AND_CONFIG_MAP` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the `aws-auth` `ConfigMap` for the roles. You can't change this value once you've created the access entry.\n\nIf you set the value to `EC2_LINUX` or `EC2_WINDOWS` , you can't specify values for `kubernetesGroups` , or associate an `AccessPolicy` to the access entry.",
       "Username": "The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see [Creating access entries](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries) in the *Amazon EKS User Guide* ."
     },
     "AWS::EKS::AccessEntry AccessPolicy": {
@@ -16248,6 +16351,7 @@
       "PodIdentityAssociations": "An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster.\n\nFor more information, see [Attach an IAM Role to an Amazon EKS add-on using Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html) in the *Amazon EKS User Guide* .",
       "PreserveOnDelete": "Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.",
       "ResolveConflicts": "How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:\n\n- *None* \u2013 If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.\n- *Overwrite* \u2013 If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.\n- *Preserve* \u2013 This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see [`UpdateAddon`](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) .\n\nIf you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.",
+      "ResolveConflicts": "How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:\n\n- *None* \u2013 If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.\n- *Overwrite* \u2013 If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.\n- *Preserve* \u2013 This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see [`UpdateAddon`](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) .\n\nIf you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.",
       "ServiceAccountRoleArn": "The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see [Amazon EKS node IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) in the *Amazon EKS User Guide* .\n\n> To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) in the *Amazon EKS User Guide* .",
       "Tags": "The metadata that you apply to the add-on to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Add-on tags do not propagate to any other resources associated with the cluster."
     },
@@ -17456,9 +17560,11 @@
       "Value": "The value of the attribute."
     },
     "AWS::ElasticLoadBalancingV2::Listener MutualAuthentication": {
-      "AdvertiseTrustStoreCaNames": "Indicates whether trust store CA certificate names are advertised.",
+      "AdvertiseTrustStoreCaNames": "Indicates whether trust store CA certificate names are advertised. The default value is `off` .",
+      "AdvertiseTrustStoreCaNames": "Indicates whether trust store CA certificate names are advertised. The default value is `off` .",
       "IgnoreClientCertificateExpiry": "Indicates whether expired client certificates are ignored.",
-      "Mode": "The client certificate handling method. Options are `off` , `passthrough` or `verify` . The default value is `off` .",
+      "Mode": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
+      "Mode": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
       "TrustStoreArn": "The Amazon Resource Name (ARN) of the trust store."
     },
     "AWS::ElasticLoadBalancingV2::Listener RedirectConfig": {
@@ -17585,6 +17691,7 @@
     "AWS::ElasticLoadBalancingV2::LoadBalancer": {
       "EnablePrefixForIpv6SourceNat": "[Network Load Balancers with UDP listeners] Indicates whether to use an IPv6 prefix from each subnet for source NAT. The IP address type must be `dualstack` . The default value is `off` .",
       "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .",
+      "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .",
       "IpAddressType": "The IP address type. Internal load balancers must use `ipv4` .\n\n[Application Load Balancers] The possible values are `ipv4` (IPv4 addresses), `dualstack` (IPv4 and IPv6 addresses), and `dualstack-without-public-ipv4` (public IPv6 addresses and private IPv4 and IPv6 addresses).\n\nApplication Load Balancer authentication supports IPv4 addresses only when connecting to an Identity Provider (IdP) or Amazon Cognito endpoint. Without a public IPv4 address the load balancer can't complete the authentication process, resulting in HTTP 500 errors.\n\n[Network Load Balancers and Gateway Load Balancers] The possible values are `ipv4` (IPv4 addresses) and `dualstack` (IPv4 and IPv6 addresses).",
       "Ipv4IpamPoolId": "",
       "LoadBalancerAttributes": "The load balancer attributes.",
@@ -18458,6 +18565,7 @@
       "RemediationEnabled": "Indicates if the policy should be automatically applied to new resources.",
       "ResourceSetIds": "The unique identifiers of the resource sets used by the policy.",
       "ResourceTagLogicalOperator": "Specifies whether to combine multiple resource tags with AND, so that a resource must have all tags to be included or excluded, or OR, so that a resource must have at least one tag.\n\nDefault: `AND`",
+      "ResourceTagLogicalOperator": "Specifies whether to combine multiple resource tags with AND, so that a resource must have all tags to be included or excluded, or OR, so that a resource must have at least one tag.\n\nDefault: `AND`",
       "ResourceTags": "An array of `ResourceTag` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also `ExcludeResourceTags` .",
       "ResourceType": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nThe following are valid resource types for each Firewall Manager policy type:\n\n- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .\n- AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .\n- Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .\n- Network ACL - `AWS::EC2::Subnet` .\n- Security group usage audit - `AWS::EC2::SecurityGroup` .\n- Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .\n- DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .",
       "ResourceTypeList": "An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType` .",
@@ -19538,7 +19646,25 @@
       "Password": "The password to connect to the data source.",
       "Username": "The username to connect to the data source."
     },
+    "AWS::Glue::Connection AuthenticationConfigurationInput": {
+      "AuthenticationType": "A structure containing the authentication configuration in the CreateConnection request.",
+      "BasicAuthenticationCredentials": "The credentials used when the authentication type is basic authentication.",
+      "CustomAuthenticationCredentials": "The credentials used when the authentication type is custom authentication.",
+      "KmsKeyArn": "The ARN of the KMS key used to encrypt the connection. Only taken an as input in the request and stored in the Secret Manager.",
+      "OAuth2Properties": "The properties for OAuth2 authentication in the CreateConnection request.",
+      "SecretArn": "The secret manager ARN to store credentials in the CreateConnection request."
+    },
+    "AWS::Glue::Connection AuthorizationCodeProperties": {
+      "AuthorizationCode": "An authorization code to be used in the third leg of the `AUTHORIZATION_CODE` grant workflow. This is a single-use code which becomes invalid once exchanged for an access token, thus it is acceptable to have this value as a request parameter.",
+      "RedirectUri": "The redirect URI where the user gets redirected to by authorization server when issuing an authorization code. The URI is subsequently used when the authorization code is exchanged for an access token."
+    },
+    "AWS::Glue::Connection BasicAuthenticationCredentials": {
+      "Password": "The password to connect to the data source.",
+      "Username": "The username to connect to the data source."
+    },
     "AWS::Glue::Connection ConnectionInput": {
+      "AthenaProperties": "Connection properties specific to the Athena compute environment.",
+      "AuthenticationConfiguration": "The authentication properties of the connection.",
       "AthenaProperties": "Connection properties specific to the Athena compute environment.",
       "AuthenticationConfiguration": "The authentication properties of the connection.",
       "ConnectionProperties": "These key-value pairs define parameters for the connection.",
@@ -19562,6 +19688,29 @@
       "RefreshToken": "The refresh token used when the authentication type is OAuth2.",
       "UserManagedClientApplicationClientSecret": "The client application client secret if the client application is user managed."
     },
+    "AWS::Glue::Connection OAuth2PropertiesInput": {
+      "AuthorizationCodeProperties": "The set of properties required for the the OAuth2 `AUTHORIZATION_CODE` grant type.",
+      "OAuth2ClientApplication": "The client application type in the CreateConnection request. For example, `AWS_MANAGED` or `USER_MANAGED` .",
+      "OAuth2Credentials": "The credentials used when the authentication type is OAuth2 authentication.",
+      "OAuth2GrantType": "The OAuth2 grant type in the CreateConnection request. For example, `AUTHORIZATION_CODE` , `JWT_BEARER` , or `CLIENT_CREDENTIALS` .",
+      "TokenUrl": "The URL of the provider's authentication server, to exchange an authorization code for an access token.",
+      "TokenUrlParametersMap": "A map of parameters that are added to the token `GET` request."
+      "PhysicalConnectionRequirements": "The physical connection requirements, such as virtual private cloud (VPC) and `SecurityGroup` , that are needed to successfully make this connection.",
+      "PythonProperties": "Connection properties specific to the Python compute environment.",
+      "SparkProperties": "Connection properties specific to the Spark compute environment.",
+      "ValidateCredentials": "A flag to validate the credentials during create connection. Default is true.",
+      "ValidateForComputeEnvironments": "The compute environments that the specified connection properties are validated against."
+    },
+    "AWS::Glue::Connection OAuth2ClientApplication": {
+      "AWSManagedClientApplicationReference": "The reference to the SaaS-side client app that is AWS managed.",
+      "UserManagedClientApplicationClientId": "The client application clientID if the ClientAppType is `USER_MANAGED` ."
+    },
+    "AWS::Glue::Connection OAuth2Credentials": {
+      "AccessToken": "The access token used when the authentication type is OAuth2.",
+      "JwtToken": "The JSON Web Token (JWT) used when the authentication type is OAuth2.",
+      "RefreshToken": "The refresh token used when the authentication type is OAuth2.",
+      "UserManagedClientApplicationClientSecret": "The client application client secret if the client application is user managed."
+    },
     "AWS::Glue::Connection OAuth2PropertiesInput": {
       "AuthorizationCodeProperties": "The set of properties required for the the OAuth2 `AUTHORIZATION_CODE` grant type.",
       "OAuth2ClientApplication": "The client application type in the CreateConnection request. For example, `AWS_MANAGED` or `USER_MANAGED` .",
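Review bot: The added `"TokenUrlParametersMap"` line has no trailing comma but is followed directly by the added `"PhysicalConnectionRequirements"` line, so the new side of this hunk is not valid JSON and the file will not parse. The five keys from `PhysicalConnectionRequirements` through `ValidateForComputeEnvironments` also look like they belong to a different entry than `OAuth2PropertiesInput`. The hunk then re-adds `OAuth2ClientApplication`, `OAuth2Credentials` and an `OAuth2PropertiesInput` entry that the surrounding context lines already contain. I would drop the whole added block here rather than patch the comma. The same missing-comma pattern appears after `"GlueConnectionName": ""` in the `@@ -20046,6 +20205,13 @@` hunk, between the two `"MulticastSourceIp": ""` lines, and after the context `"VideoMonitoringSettings"` line in the `@@ -28076,6 +28281,10 @@` hunk.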
@@ -20039,6 +20188,16 @@
     "AWS::Glue::TableOptimizer RetentionConfiguration": {
       "IcebergConfiguration": ""
     },
+    "AWS::Glue::TableOptimizer IcebergConfiguration": {
+      "Location": "",
+      "OrphanFileRetentionPeriodInDays": ""
+    },
+    "AWS::Glue::TableOptimizer OrphanFileDeletionConfiguration": {
+      "IcebergConfiguration": ""
+    },
+    "AWS::Glue::TableOptimizer RetentionConfiguration": {
+      "IcebergConfiguration": ""
+    },
     "AWS::Glue::TableOptimizer TableOptimizerConfiguration": {
       "Enabled": "Whether the table optimization is enabled.",
       "OrphanFileDeletionConfiguration": "",
@@ -20046,6 +20205,13 @@
       "RoleArn": "A role passed by the caller which gives the service permission to update the resources associated with the optimizer on the caller's behalf.",
       "VpcConfiguration": ""
     },
+    "AWS::Glue::TableOptimizer VpcConfiguration": {
+      "GlueConnectionName": ""
+      "OrphanFileDeletionConfiguration": "",
+      "RetentionConfiguration": "",
+      "RoleArn": "A role passed by the caller which gives the service permission to update the resources associated with the optimizer on the caller's behalf.",
+      "VpcConfiguration": ""
+    },
     "AWS::Glue::TableOptimizer VpcConfiguration": {
       "GlueConnectionName": ""
     },
@@ -20935,6 +21101,7 @@
       "Seconds": ""
     },
     "AWS::HealthLake::FHIRDatastore IdentityProviderConfiguration": {
+      "AuthorizationStrategy": "The authorization strategy selected when the HealthLake data store is created.\n\n> HealthLake provides support for both SMART on FHIR V1 and V2 as described below.\n> \n> - `SMART_ON_FHIR_V1` \u2013 Support for only SMART on FHIR V1, which includes `read` (read/search) and `write` (create/update/delete) permissions.\n> - `SMART_ON_FHIR` \u2013 Support for both SMART on FHIR V1 and V2, which includes `create` , `read` , `update` , `delete` , and `search` permissions.\n> - `AWS_AUTH` \u2013 The default HealthLake authorization strategy; not affiliated with SMART on FHIR.",
       "AuthorizationStrategy": "The authorization strategy selected when the HealthLake data store is created.\n\n> HealthLake provides support for both SMART on FHIR V1 and V2 as described below.\n> \n> - `SMART_ON_FHIR_V1` \u2013 Support for only SMART on FHIR V1, which includes `read` (read/search) and `write` (create/update/delete) permissions.\n> - `SMART_ON_FHIR` \u2013 Support for both SMART on FHIR V1 and V2, which includes `create` , `read` , `update` , `delete` , and `search` permissions.\n> - `AWS_AUTH` \u2013 The default HealthLake authorization strategy; not affiliated with SMART on FHIR.",
       "FineGrainedAuthorizationEnabled": "The parameter to enable SMART on FHIR fine-grained authorization for the data store.",
       "IdpLambdaArn": "The Amazon Resource Name (ARN) of the Lambda function to use to decode the access token created by the authorization server.",
@@ -21107,14 +21274,16 @@
     "AWS::IVS::Channel": {
       "Authorized": "Whether the channel is authorized.\n\n*Default* : `false`",
       "ContainerFormat": "Indicates which content-packaging format is used (MPEG-TS or fMP4). If `multitrackInputConfiguration` is specified and `enabled` is `true` , then `containerFormat` is required and must be set to `FRAGMENTED_MP4` . Otherwise, `containerFormat` may be set to `TS` or `FRAGMENTED_MP4` . Default: `TS` .",
+      "ContainerFormat": "Indicates which content-packaging format is used (MPEG-TS or fMP4). If `multitrackInputConfiguration` is specified and `enabled` is `true` , then `containerFormat` is required and must be set to `FRAGMENTED_MP4` . Otherwise, `containerFormat` may be set to `TS` or `FRAGMENTED_MP4` . Default: `TS` .",
       "InsecureIngest": "Whether the channel allows insecure RTMP ingest.\n\n*Default* : `false`",
       "LatencyMode": "Channel latency mode. Valid values:\n\n- `NORMAL` : Use NORMAL to broadcast and deliver live video up to Full HD.\n- `LOW` : Use LOW for near real-time interactions with viewers.\n\n> In the  console, `LOW` and `NORMAL` correspond to `Ultra-low` and `Standard` , respectively. \n\n*Default* : `LOW`",
       "MultitrackInputConfiguration": "Object specifying multitrack input configuration. Default: no multitrack input configuration is specified.",
+      "MultitrackInputConfiguration": "Object specifying multitrack input configuration. Default: no multitrack input configuration is specified.",
       "Name": "Channel name.",
       "Preset": "An optional transcode preset for the channel. This is selectable only for `ADVANCED_HD` and `ADVANCED_SD` channel types. For those channel types, the default preset is `HIGHER_BANDWIDTH_DELIVERY` . For other channel types ( `BASIC` and `STANDARD` ), `preset` is the empty string (\"\").",
       "RecordingConfigurationArn": "The ARN of a RecordingConfiguration resource. An empty string indicates that recording is disabled for the channel. A RecordingConfiguration ARN indicates that recording is enabled using the specified recording configuration. See the [RecordingConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ivs-recordingconfiguration.html) resource for more information and an example.\n\n*Default* : \"\" (empty string, recording is disabled)",
       "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-channel-tag.html) .",
-      "Type": "The channel type, which determines the allowable resolution and bitrate. *If you exceed the allowable resolution or bitrate, the stream probably will disconnect immediately.* For details, see [Channel Types](https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/channel-types.html) .\n\n*Default* : `STANDARD`"
+      "Type": "The channel type, which determines the allowable resolution and bitrate. *If you exceed the allowable resolution or bitrate, the stream probably will disconnect immediately.* Valid values:\n\n- `STANDARD` : Video is transcoded: multiple qualities are generated from the original input to automatically give viewers the best experience for their devices and network conditions. Transcoding allows higher playback quality across a range of download speeds. Resolution can be up to 1080p and bitrate can be up to 8.5 Mbps. Audio is transcoded only for renditions 360p and below; above that, audio is passed through.\n- `BASIC` : Video is transmuxed: Amazon IVS delivers the original input to viewers. The viewer\u2019s video-quality choice is limited to the original input. Resolution can be up to 1080p and bitrate can be up to 1.5 Mbps for 480p and up to 3.5 Mbps for resolutions between 480p and 1080p.\n- `ADVANCED_SD` : Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at SD quality (480p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.\n- `ADVANCED_HD` : Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at HD quality (720p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.\n\nOptional *transcode presets* (available for the `ADVANCED` types) allow you to trade off available download bandwidth and video quality, to optimize the viewing experience. 
There are two presets:\n\n- *Constrained bandwidth delivery* uses a lower bitrate for each quality level. Use it if you have low download bandwidth and/or simple video content (e.g., talking heads)\n- *Higher bandwidth delivery* uses a higher bitrate for each quality level. Use it if you have high download bandwidth and/or complex video content (e.g., flashes and quick scene changes).\n\n*Default* : `STANDARD`"
     },
     "AWS::IVS::Channel MultitrackInputConfiguration": {
       "Enabled": "Indicates whether multitrack input is enabled. Can be set to `true` only if channel type is `STANDARD` . Setting `enabled` to `true` with any other channel type will cause an exception. If `true` , then `policy` , `maximumResolution` , and `containerFormat` are required, and `containerFormat` must be set to `FRAGMENTED_MP4` . Default: `false` .",
@@ -23477,6 +23646,7 @@
       "ModelManifestArn": "The Amazon Resource Name (ARN) of the vehicle model (model manifest) to create the vehicle from.",
       "Name": "The unique ID of the vehicle.",
       "StateTemplates": "Associate state templates to track the state of the vehicle. State templates determine which signal updates the vehicle sends to the cloud.",
+      "StateTemplates": "Associate state templates to track the state of the vehicle. State templates determine which signal updates the vehicle sends to the cloud.",
       "Tags": "Metadata which can be used to manage the vehicle."
     },
     "AWS::IoTFleetWise::Vehicle PeriodicStateTemplateUpdateStrategy": {
@@ -23490,6 +23660,17 @@
       "OnChange": "",
       "Periodic": ""
     },
+    "AWS::IoTFleetWise::Vehicle PeriodicStateTemplateUpdateStrategy": {
+      "StateTemplateUpdateRate": ""
+    },
+    "AWS::IoTFleetWise::Vehicle StateTemplateAssociation": {
+      "Identifier": "The unique ID of the state template.",
+      "StateTemplateUpdateStrategy": ""
+    },
+    "AWS::IoTFleetWise::Vehicle StateTemplateUpdateStrategy": {
+      "OnChange": "",
+      "Periodic": ""
+    },
     "AWS::IoTFleetWise::Vehicle Tag": {
       "Key": "The tag's key.",
       "Value": "The tag's value."
@@ -23498,6 +23679,10 @@
       "Unit": "A unit of time.",
       "Value": "A number of time units."
     },
+    "AWS::IoTFleetWise::Vehicle TimePeriod": {
+      "Unit": "A unit of time.",
+      "Value": "A number of time units."
+    },
     "AWS::IoTSiteWise::AccessPolicy": {
       "AccessPolicyIdentity": "The identity for this access policy. Choose an IAM Identity Center user, an IAM Identity Center group, or an IAM user.",
       "AccessPolicyPermission": "The permission level for this access policy. Note that a project `ADMINISTRATOR` is also known as a project owner.",
@@ -23674,7 +23859,8 @@
       "GatewayCapabilitySummaries": "A list of gateway capability summaries that each contain a namespace and status. Each gateway capability defines data sources for the gateway. To retrieve a capability configuration's definition, use [DescribeGatewayCapabilityConfiguration](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribeGatewayCapabilityConfiguration.html) .",
       "GatewayName": "A unique name for the gateway.",
       "GatewayPlatform": "The gateway's platform. You can only specify one platform in a gateway.",
-      "GatewayVersion": "The version of the gateway. A value of `3` indicates an MQTT-enabled, V3 gateway, while `2` indicates a Classic streams, V2 gateway.",
+      "GatewayVersion": "",
+      "GatewayVersion": "",
       "Tags": "A list of key-value pairs that contain metadata for the gateway. For more information, see [Tagging your AWS IoT SiteWise resources](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/tag-resources.html) in the *AWS IoT SiteWise User Guide* ."
     },
     "AWS::IoTSiteWise::Gateway GatewayCapabilitySummary": {
@@ -23686,6 +23872,7 @@
       "SiemensIE": "An AWS IoT SiteWise Edge gateway that runs on a Siemens Industrial Edge Device."
     },
     "AWS::IoTSiteWise::Gateway GreengrassV2": {
+      "CoreDeviceOperatingSystem": "",
       "CoreDeviceOperatingSystem": "",
       "CoreDeviceThingName": "The name of the AWS IoT thing for your AWS IoT Greengrass V2 core device."
     },
@@ -25143,6 +25330,7 @@
       "DeliveryStreamName": "The name of the Firehose stream.",
       "DeliveryStreamType": "The Firehose stream type. This can be one of the following values:\n\n- `DirectPut` : Provider applications access the Firehose stream directly.\n- `KinesisStreamAsSource` : The Firehose stream uses a Kinesis data stream as a source.",
       "DirectPutSourceConfiguration": "The structure that configures parameters such as `ThroughputHintInMBs` for a stream configured with Direct PUT as a source.",
+      "DirectPutSourceConfiguration": "The structure that configures parameters such as `ThroughputHintInMBs` for a stream configured with Direct PUT as a source.",
       "ElasticsearchDestinationConfiguration": "An Amazon ES destination for the delivery stream.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon ES destination to an Amazon S3 or Amazon Redshift destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .",
       "ExtendedS3DestinationConfiguration": "An Amazon S3 destination for the delivery stream.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon Extended S3 destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .",
       "HttpEndpointDestinationConfiguration": "Enables configuring Kinesis Firehose to deliver data to any HTTP endpoint destination. You can specify only one destination.",
@@ -25274,6 +25462,9 @@
     "AWS::KinesisFirehose::DeliveryStream DirectPutSourceConfiguration": {
       "ThroughputHintInMBs": "The value that you configure for this parameter is for information purpose only and does not affect Firehose delivery throughput limit. You can use the [Firehose Limits form](https://docs.aws.amazon.com/https://support.console.aws.amazon.com/support/home#/case/create%3FissueType=service-limit-increase%26limitType=kinesis-firehose-limits) to request a throughput limit increase."
     },
+    "AWS::KinesisFirehose::DeliveryStream DirectPutSourceConfiguration": {
+      "ThroughputHintInMBs": "The value that you configure for this parameter is for information purpose only and does not affect Firehose delivery throughput limit. You can use the [Firehose Limits form](https://docs.aws.amazon.com/https://support.console.aws.amazon.com/support/home#/case/create%3FissueType=service-limit-increase%26limitType=kinesis-firehose-limits) to request a throughput limit increase."
+    },
     "AWS::KinesisFirehose::DeliveryStream DocumentIdOptions": {
       "DefaultDocumentIdFormat": "When the `FIREHOSE_DEFAULT` option is chosen, Firehose generates a unique document ID for each record based on a unique internal identifier. The generated document ID is stable across multiple delivery attempts, which helps prevent the same record from being indexed multiple times with different document IDs.\n\nWhen the `NO_DOCUMENT_ID` option is chosen, Firehose does not include any document IDs in the requests it sends to the Amazon OpenSearch Service. This causes the Amazon OpenSearch Service domain to generate document IDs. In case of multiple delivery attempts, this may cause the same record to be indexed more than once with different document IDs. This option enables write-heavy operations, such as the ingestion of logs and observability data, to consume less resources in the Amazon OpenSearch Service domain, resulting in improved performance."
     },
@@ -25354,6 +25545,7 @@
       "ContentEncoding": "Kinesis Data Firehose uses the content encoding to compress the body of a request before sending the request to the destination. For more information, see Content-Encoding in MDN Web Docs, the official Mozilla documentation."
     },
     "AWS::KinesisFirehose::DeliveryStream IcebergDestinationConfiguration": {
+      "AppendOnly": "Describes whether all incoming data for this delivery stream will be append only (inserts only and not for updates and deletes) for Iceberg delivery. This feature is only applicable for Apache Iceberg Tables.\n\nThe default value is false. If you set this value to true, Firehose automatically increases the throughput limit of a stream based on the throttling levels of the stream. If you set this parameter to true for a stream with updates and deletes, you will see out of order delivery.",
       "AppendOnly": "Describes whether all incoming data for this delivery stream will be append only (inserts only and not for updates and deletes) for Iceberg delivery. This feature is only applicable for Apache Iceberg Tables.\n\nThe default value is false. If you set this value to true, Firehose automatically increases the throughput limit of a stream based on the throttling levels of the stream. If you set this parameter to true for a stream with updates and deletes, you will see out of order delivery.",
       "BufferingHints": "",
       "CatalogConfiguration": "Configuration describing where the destination Apache Iceberg Tables are persisted.",
@@ -27945,7 +28137,8 @@
       "Protocol": "The network source protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only."
     },
     "AWS::MediaConnect::BridgeSource MulticastSourceSettings": {
-      "MulticastSourceIp": "The IP address of the source for source-specific multicast (SSM)."
+      "MulticastSourceIp": ""
+      "MulticastSourceIp": ""
     },
     "AWS::MediaConnect::BridgeSource VpcInterfaceAttachment": {
       "VpcInterfaceName": "The name of the VPC interface to use for this resource."
@@ -27965,6 +28158,20 @@
     "AWS::MediaConnect::Flow AudioMonitoringSetting": {
       "SilentAudio": "Detects periods of silence."
     },
+    "AWS::MediaConnect::Flow BlackFrames": {
+      "State": "Indicates whether the `BlackFrames` metric is enabled or disabled.",
+      "ThresholdSeconds": "Specifies the number of consecutive seconds of black frames that triggers an event or alert."
+    },
+    "AWS::MediaConnect::Flow AudioMonitoringSetting": {
+      "SilentAudio": "Detects periods of silence."
+    },
+    "AWS::MediaConnect::Flow BlackFrames": {
+      "State": "Indicates whether the `BlackFrames` metric is enabled or disabled.",
+      "ThresholdSeconds": "Specifies the number of consecutive seconds of black frames that triggers an event or alert."
+    },
+    "AWS::MediaConnect::Flow AudioMonitoringSetting": {
+      "SilentAudio": "Detects periods of silence."
+    },
     "AWS::MediaConnect::Flow BlackFrames": {
       "State": "Indicates whether the `BlackFrames` metric is enabled or disabled..",
       "ThresholdSeconds": "Specifies the number of consecutive seconds of black frames that triggers an event or alert."
@@ -27999,6 +28206,10 @@
       "State": "Indicates whether the `FrozenFrames` metric is enabled or disabled.",
       "ThresholdSeconds": "Specifies the number of consecutive seconds of a static image that triggers an event or alert."
     },
+    "AWS::MediaConnect::Flow FrozenFrames": {
+      "State": "Indicates whether the `FrozenFrames` metric is enabled or disabled.",
+      "ThresholdSeconds": "Specifies the number of consecutive seconds of a static image that triggers an event or alert."
+    },
     "AWS::MediaConnect::Flow GatewayBridgeSource": {
       "BridgeArn": "The ARN of the bridge feeding this flow.",
       "VpcInterfaceAttachment": "The name of the VPC interface attachment to use for this bridge source."
@@ -28033,15 +28244,9 @@
       "InputConfigurations": "The media streams that you want to associate with the source.",
       "MediaStreamName": "A name that helps you distinguish one media stream from another."
     },
-    "AWS::MediaConnect::Flow NdiConfig": {
-      "MachineName": "A prefix for the names of the NDI sources that the flow creates. If a custom name isn't specified, MediaConnect generates a unique 12-character ID as the prefix.",
-      "NdiDiscoveryServers": "A list of up to three NDI discovery server configurations. While not required by the API, this configuration is necessary for NDI functionality to work properly.",
-      "NdiState": "A setting that controls whether NDI outputs can be used in the flow. Must be ENABLED to add NDI outputs. Default is DISABLED."
-    },
-    "AWS::MediaConnect::Flow NdiDiscoveryServerConfig": {
-      "DiscoveryServerAddress": "The unique network address of the NDI discovery server.",
-      "DiscoveryServerPort": "The port for the NDI discovery server. Defaults to 5959 if a custom port isn't specified.",
-      "VpcInterfaceAdapter": "The identifier for the Virtual Private Cloud (VPC) network interface used by the flow."
+    "AWS::MediaConnect::Flow SilentAudio": {
+      "State": "Indicates whether the `SilentAudio` metric is enabled or disabled.",
+      "ThresholdSeconds": "Specifies the number of consecutive seconds of silence that triggers an event or alert."
     },
     "AWS::MediaConnect::Flow SilentAudio": {
       "State": "Indicates whether the `SilentAudio` metric is enabled or disabled.",
@@ -28076,6 +28281,10 @@
       "ContentQualityAnalysisState": "Indicates whether content quality analysis is enabled or disabled.",
       "ThumbnailState": "The current state of the thumbnail monitoring.\n\n- If you don't explicitly specify a value when creating a flow, no thumbnail state will be set.\n- If you update an existing flow and remove a previously set thumbnail state, the value will change to `DISABLED` .",
       "VideoMonitoringSettings": "Contains the settings for video stream metrics monitoring."
+      "AudioMonitoringSettings": "Contains the settings for audio stream metrics monitoring.",
+      "ContentQualityAnalysisState": "Indicates whether content quality analysis is enabled or disabled.",
+      "ThumbnailState": "The current state of the thumbnail monitoring.\n\n- If you don't explicitly specify a value when creating a flow, no thumbnail state will be set.\n- If you update an existing flow and remove a previously set thumbnail state, the value will change to `DISABLED` .",
+      "VideoMonitoringSettings": "Contains the settings for video stream metrics monitoring."
     },
     "AWS::MediaConnect::Flow SourcePriority": {
       "PrimarySource": "The name of the source you choose as the primary source for this flow."
@@ -28084,6 +28293,10 @@
       "BlackFrames": "Detects video frames that are black.",
       "FrozenFrames": "Detects video frames that have not changed."
     },
+    "AWS::MediaConnect::Flow VideoMonitoringSetting": {
+      "BlackFrames": "Detects video frames that are black.",
+      "FrozenFrames": "Detects video frames that have not changed."
+    },
     "AWS::MediaConnect::Flow VpcInterface": {
       "Name": "Immutable and has to be a unique against other VpcInterfaces in this Flow.",
       "NetworkInterfaceIds": "IDs of the network interfaces created in customer's account by MediaConnect .",
@@ -33456,6 +33669,7 @@
     "AWS::QBusiness::WebExperience": {
       "ApplicationId": "The identifier of the Amazon Q Business web experience.",
       "BrowserExtensionConfiguration": "The container for browser extension configuration for an Amazon Q Business web experience.",
+      "BrowserExtensionConfiguration": "The container for browser extension configuration for an Amazon Q Business web experience.",
       "CustomizationConfiguration": "Contains the configuration information to customize the logo, font, and color of an Amazon Q Business web experience with individual files for each property or a CSS file for them all.",
       "IdentityProviderConfiguration": "Provides information about the identity provider (IdP) used to authenticate end users of an Amazon Q Business web experience.",
       "Origins": "Sets the website domain origins that are allowed to embed the Amazon Q Business web experience. The *domain origin* refers to the base URL for accessing a website including the protocol ( `http/https` ), the domain name, and the port number (if specified).\n\n> You must only submit a *base URL* and not a full path. For example, `https://docs.aws.amazon.com` .",
@@ -33469,6 +33683,9 @@
     "AWS::QBusiness::WebExperience BrowserExtensionConfiguration": {
       "EnabledBrowserExtensions": "Specify the browser extensions allowed for your Amazon Q web experience.\n\n- `CHROME` \u2014 Enables the extension for Chromium-based browsers (Google Chrome, Microsoft Edge, Opera, etc.).\n- `FIREFOX` \u2014 Enables the extension for Mozilla Firefox.\n- `CHROME` and `FIREFOX` \u2014 Enable the extension for Chromium-based browsers and Mozilla Firefox."
     },
+    "AWS::QBusiness::WebExperience BrowserExtensionConfiguration": {
+      "EnabledBrowserExtensions": "Specify the browser extensions allowed for your Amazon Q web experience.\n\n- `CHROME` \u2014 Enables the extension for Chromium-based browsers (Google Chrome, Microsoft Edge, Opera, etc.).\n- `FIREFOX` \u2014 Enables the extension for Mozilla Firefox.\n- `CHROME` and `FIREFOX` \u2014 Enable the extension for Chromium-based browsers and Mozilla Firefox."
+    },
     "AWS::QBusiness::WebExperience CustomizationConfiguration": {
       "CustomCSSUrl": "Provides the URL where the custom CSS file is hosted for an Amazon Q web experience.",
       "FaviconUrl": "Provides the URL where the custom favicon file is hosted for an Amazon Q web experience.",
@@ -42892,9 +43109,11 @@
     "AWS::QuickSight::Topic": {
       "AwsAccountId": "The ID of the AWS account that you want to create a topic in.",
       "ConfigOptions": "Configuration options for a `Topic` .",
+      "ConfigOptions": "Configuration options for a `Topic` .",
       "DataSets": "The data sets that the topic is associated with.",
       "Description": "The description of the topic.",
       "FolderArns": "",
+      "FolderArns": "",
       "Name": "The name of the topic.",
       "TopicId": "The ID for the topic. This ID is unique per AWS Region for each AWS account.",
       "UserExperienceVersion": "The user experience version of the topic."
@@ -43028,6 +43247,9 @@
     "AWS::QuickSight::Topic TopicConfigOptions": {
       "QBusinessInsightsEnabled": "Enables Amazon Q Business Insights for a `Topic` ."
     },
+    "AWS::QuickSight::Topic TopicConfigOptions": {
+      "QBusinessInsightsEnabled": "Enables Amazon Q Business Insights for a `Topic` ."
+    },
     "AWS::QuickSight::Topic TopicDateRangeFilter": {
       "Constant": "The constant used in a date range filter.",
       "Inclusive": "A Boolean value that indicates whether the date range filter should include the boundary values. If set to true, the filter includes the start and end dates. If set to false, the filter excludes them."
@@ -44740,6 +44962,7 @@
       "LifecycleConfiguration": "Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see [Object Lifecycle Management](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide* .",
       "LoggingConfiguration": "Settings that define where logs are stored.",
       "MetadataTableConfiguration": "The metadata table configuration of an Amazon S3 general purpose bucket. For more information, see [Accelerating data discovery with S3 Metadata](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html) and [Setting up permissions for configuring metadata tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-permissions.html) .",
+      "MetadataTableConfiguration": "The metadata table configuration of an Amazon S3 general purpose bucket. For more information, see [Accelerating data discovery with S3 Metadata](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html) and [Setting up permissions for configuring metadata tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-permissions.html) .",
       "MetricsConfigurations": "Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html) .",
       "NotificationConfiguration": "Configuration that defines how Amazon S3 handles bucket notifications.",
       "ObjectLockConfiguration": "> This operation is not supported for directory buckets. \n\nPlaces an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .\n\n> - The `DefaultRetention` settings require both a mode and a period.\n> - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.\n> - You can enable Object Lock for new or existing buckets. For more information, see [Configuring Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html) .",
@@ -44841,6 +45064,9 @@
     "AWS::S3::Bucket MetadataTableConfiguration": {
       "S3TablesDestination": "The destination information for the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket."
     },
+    "AWS::S3::Bucket MetadataTableConfiguration": {
+      "S3TablesDestination": "The destination information for the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket."
+    },
     "AWS::S3::Bucket Metrics": {
       "EventThreshold": "A container specifying the time threshold for emitting the `s3:Replication:OperationMissedThreshold` event.",
       "Status": "Specifies whether the replication metrics are enabled."
@@ -44984,6 +45210,12 @@
       "TableName": "The name for the metadata table in your metadata table configuration. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket.",
       "TableNamespace": "The table bucket namespace for the metadata table in your metadata table configuration. This value is always `aws_s3_metadata` ."
     },
+    "AWS::S3::Bucket S3TablesDestination": {
+      "TableArn": "The Amazon Resource Name (ARN) for the metadata table in the metadata table configuration. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket.",
+      "TableBucketArn": "The Amazon Resource Name (ARN) for the table bucket that's specified as the destination in the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket.",
+      "TableName": "The name for the metadata table in your metadata table configuration. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket.",
+      "TableNamespace": "The table bucket namespace for the metadata table in your metadata table configuration. This value is always `aws_s3_metadata` ."
+    },
     "AWS::S3::Bucket ServerSideEncryptionByDefault": {
       "KMSMasterKeyID": "AWS Key Management Service (KMS) customer managed key ID to use for the default encryption.\n\n> - *General purpose buckets* - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse` .\n> - *Directory buckets* - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` . \n\nYou can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key Alias: `alias/alias-name`\n\nIf you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy) .\n\n> - *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester\u2019s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.\n> - *Directory buckets* - When you specify an [AWS KMS customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported. > Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .",
       "SSEAlgorithm": "Server-side encryption algorithm to use for the default encryption.\n\n> For directory buckets, there are only two supported values for server-side encryption: `AES256` and `aws:kms` ."
@@ -45816,6 +46048,7 @@
       "DeliveryStatusLogging": "The `DeliveryStatusLogging` configuration enables you to log the delivery status of messages sent from your Amazon SNS topic to subscribed endpoints with the following supported delivery protocols:\n\n- HTTP\n- Amazon Kinesis Data Firehose\n- AWS Lambda\n- Platform application endpoint\n- Amazon Simple Queue Service\n\nOnce configured, log entries are sent to Amazon CloudWatch Logs.",
       "DisplayName": "The display name to use for an Amazon SNS topic with SMS subscriptions. The display name must be maximum 100 characters long, including hyphens (-), underscores (_), spaces, and tabs.",
       "FifoThroughputScope": "Specifies the throughput quota and deduplication behavior to apply for the FIFO topic. Valid values are `Topic` or `MessageGroup` .",
+      "FifoThroughputScope": "Specifies the throughput quota and deduplication behavior to apply for the FIFO topic. Valid values are `Topic` or `MessageGroup` .",
       "FifoTopic": "Set to true to create a FIFO topic.",
       "KmsMasterKeyId": "The ID of an AWS managed customer master key (CMK) for Amazon SNS or a custom CMK. For more information, see [Key terms](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms) . For more examples, see `[KeyId](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html#API_DescribeKey_RequestParameters)` in the *AWS Key Management Service API Reference* .\n\nThis property applies only to [server-side-encryption](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html) .",
       "SignatureVersion": "The signature version corresponds to the hashing algorithm used while creating the signature of the notifications, subscription confirmations, or unsubscribe confirmation messages sent by Amazon SNS. By default, `SignatureVersion` is set to `1` .",
@@ -45881,6 +46114,7 @@
       "AssociationName": "Specify a descriptive name for the association.",
       "AutomationTargetParameterName": "Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a tool in AWS Systems Manager .",
       "CalendarNames": "The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see [AWS Systems Manager Change Calendar](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the *AWS Systems Manager User Guide* .",
+      "CalendarNames": "The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see [AWS Systems Manager Change Calendar](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the *AWS Systems Manager User Guide* .",
       "ComplianceSeverity": "The severity level that is assigned to the association.",
       "DocumentVersion": "The version of the SSM document to associate with the target.\n\n> Note the following important information.\n> \n> - State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the `default` version of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared form another account, you must set the document version to `default` .\n> - `DocumentVersion` is not valid for documents owned by AWS , such as `AWS-RunPatchBaseline` or `AWS-UpdateSSMAgent` . If you specify `DocumentVersion` for an AWS document, the system returns the following error: \"Error occurred during operation 'CreateAssociation'.\" (RequestToken: <token>, HandlerErrorCode: GeneralServiceException).",
       "InstanceId": "The ID of the instance that the SSM document is associated with. You must specify the `InstanceId` or `Targets` property.\n\n> `InstanceId` has been deprecated. To specify an instance ID for an association, use the `Targets` parameter. If you use the parameter `InstanceId` , you cannot use the parameters `AssociationName` , `DocumentVersion` , `MaxErrors` , `MaxConcurrency` , `OutputLocation` , or `ScheduleExpression` . To use these parameters, you must use the `Targets` parameter.",
@@ -46285,7 +46519,8 @@
     "AWS::SSMQuickSetup::ConfigurationManager ConfigurationDefinition": {
       "LocalDeploymentAdministrationRoleArn": "The ARN of the IAM role used to administrate local configuration deployments.",
       "LocalDeploymentExecutionRoleName": "The name of the IAM role used to deploy local configurations.",
-      "Parameters": "The parameters for the configuration definition type. Parameters for configuration definitions vary based the configuration type. The following lists outline the parameters for each configuration type.\n\n- **AWS Config Recording (Type: AWS QuickSetupType-CFGRecording)** - - `RecordAllResources`\n\n- Description: (Optional) A boolean value that determines whether all supported resources are recorded. The default value is \" `true` \".\n- `ResourceTypesToRecord`\n\n- Description: (Optional) A comma separated list of resource types you want to record.\n- `RecordGlobalResourceTypes`\n\n- Description: (Optional) A boolean value that determines whether global resources are recorded with all resource configurations. The default value is \" `false` \".\n- `GlobalResourceTypesRegion`\n\n- Description: (Optional) Determines the AWS Region where global resources are recorded.\n- `UseCustomBucket`\n\n- Description: (Optional) A boolean value that determines whether a custom Amazon S3 bucket is used for delivery. The default value is \" `false` \".\n- `DeliveryBucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want AWS Config to deliver configuration snapshots and configuration history files to.\n- `DeliveryBucketPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `NotificationOptions`\n\n- Description: (Optional) Determines the notification configuration for the recorder. The valid values are `NoStreaming` , `UseExistingTopic` , and `CreateTopic` . The default value is `NoStreaming` .\n- `CustomDeliveryTopicAccountId`\n\n- Description: (Optional) The ID of the AWS account where the Amazon SNS topic you want to use for notifications resides. You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `CustomDeliveryTopicName`\n\n- Description: (Optional) The name of the Amazon SNS topic you want to use for notifications. 
You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(7 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Change Manager (Type: AWS QuickSetupType-SSMChangeMgr)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `JobFunction`\n\n- Description: (Required) The name for the Change Manager job function.\n- `PermissionType`\n\n- Description: (Optional) Specifies whether you want to use default administrator permissions for the job function role, or provide a custom IAM policy. The valid values are `CustomPermissions` and `AdminPermissions` . The default value for the parameter is `CustomerPermissions` .\n- `CustomPermissions`\n\n- Description: (Optional) A JSON string containing the IAM policy you want your job function to use. 
You must provide a value for this parameter if you specify `CustomPermissions` for the `PermissionType` parameter.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Conformance Packs (Type: AWS QuickSetupType-CFGCPacks)** - - `DelegatedAccountId`\n\n- Description: (Optional) The ID of the delegated administrator account. This parameter is required for Organization deployments.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `none` \".\n- `CPackNames`\n\n- Description: (Required) A comma separated list of AWS Config conformance packs.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Default Host Management Configuration (Type: AWS QuickSetupType-DHMC)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. 
The default value is \" `true` \".\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) The AWS Regions to deploy the configuration to. For this type, the parameter only accepts a value of `AllRegions` .\n- **DevOps\u00a0Guru (Type: AWS QuickSetupType-DevOpsGuru)** - - `AnalyseAllResources`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru analyzes all AWS CloudFormation stacks in the account. The default value is \" `false` \".\n- `EnableSnsNotifications`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru sends notifications when an insight is created. The default value is \" `true` \".\n- `EnableSsmOpsItems`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru creates an OpsCenter OpsItem when an insight is created. The default value is \" `true` \".\n- `EnableDriftRemediation`\n\n- Description: (Optional) A boolean value that determines whether a drift remediation schedule is used. The default value is \" `false` \".\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Distributor (Type: AWS QuickSetupType-Distributor)** - - `PackagesToInstall`\n\n- Description: (Required) A comma separated list of packages you want to install on the target instances. The valid values are `AWSEFSTools` , `AWSCWAgent` , and `AWSEC2LaunchAgent` .\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `rate(30 days)` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. 
You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Host Management (Type: AWS QuickSetupType-SSMHostMgmt)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. The default value is \" `true` \".\n- `UpdateEc2LaunchAgent`\n\n- Description: (Optional) A boolean value that determines whether the EC2 Launch agent is updated on the target instances every month. The default value is \" `false` \".\n- `CollectInventory`\n\n- Description: (Optional) A boolean value that determines whether instance metadata is collected on the target instances every 30 minutes. The default value is \" `true` \".\n- `ScanInstances`\n\n- Description: (Optional) A boolean value that determines whether the target instances are scanned daily for available patches. The default value is \" `true` \".\n- `InstallCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is installed on the target instances. 
The default value is \" `false` \".\n- `UpdateCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is updated on the target instances every month. The default value is \" `false` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Optional) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Optional) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Optional) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **OpsCenter (Type: AWS QuickSetupType-SSMOpsCenter)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Patch Policy (Type: AWS QuickSetupType-PatchPolicy)** - - `PatchPolicyName`\n\n- Description: (Required) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag.\n- `SelectedPatchBaselines`\n\n- Description: (Required) An array of JSON objects containing the information for the patch baselines to include in your patch policy.\n- `PatchBaselineUseDefault`\n\n- Description: (Optional) A value that determines whether the selected patch baselines are all AWS provided. Supported values are `default` and `custom` .\n- `PatchBaselineRegion`\n\n- Description: (Required) The AWS Region where the patch baseline exist.\n- `ConfigurationOptionsPatchOperation`\n\n- Description: (Optional) Determines whether target instances scan for available patches, or scan and install available patches. The valid values are `Scan` and `ScanAndInstall` . 
The default value for the parameter is `Scan` .\n- `ConfigurationOptionsScanValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances scan for available patches.\n- `ConfigurationOptionsInstallValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances install available patches.\n- `ConfigurationOptionsScanNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `ConfigurationOptionsInstallNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `RebootOption`\n\n- Description: (Optional) Determines whether instances are rebooted after patches are installed. Valid values are `RebootIfNeeded` and `NoReboot` .\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. 
The default value is \" `false` \".\n- `OutputLogEnableS3`\n\n- Description: (Optional) A boolean value that determines whether command output logs are sent to Amazon S3.\n- `OutputS3Location`\n\n- Description: (Optional) A JSON string containing information about the Amazon S3 bucket where you want to store the output details of the request.\n\n- `OutputS3BucketRegion`\n\n- Description: (Optional) The AWS Region where the Amazon S3 bucket you want to deliver command output to is located.\n- `OutputS3BucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want to deliver command output to.\n- `OutputS3KeyPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. 
You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Explorer (Type: AWS QuickSetupType-ResourceExplorer)** - - `SelectedAggregatorRegion`\n\n- Description: (Required) The AWS Region where you want to create the aggregator index.\n- `ReplaceExistingAggregator`\n\n- Description: (Required) A boolean value that determines whether to demote an existing aggregator if it is in a Region that differs from the value you specify for the `SelectedAggregatorRegion` .\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Scheduler (Type: AWS QuickSetupType-Scheduler)** - - `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target.\n- `ICalendarString`\n\n- Description: (Required) An iCalendar formatted string containing the schedule you want Change Manager to use.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. 
You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.",
+      "Parameters": "The parameters for the configuration definition type. Parameters for configuration definitions vary based the configuration type. The following lists outline the parameters for each configuration type.\n\n- **AWS Config Recording (Type: AWS QuickSetupType-CFGRecording)** - - `RecordAllResources`\n\n- Description: (Optional) A boolean value that determines whether all supported resources are recorded. The default value is \" `true` \".\n- `ResourceTypesToRecord`\n\n- Description: (Optional) A comma separated list of resource types you want to record.\n- `RecordGlobalResourceTypes`\n\n- Description: (Optional) A boolean value that determines whether global resources are recorded with all resource configurations. The default value is \" `false` \".\n- `GlobalResourceTypesRegion`\n\n- Description: (Optional) Determines the AWS Region where global resources are recorded.\n- `UseCustomBucket`\n\n- Description: (Optional) A boolean value that determines whether a custom Amazon S3 bucket is used for delivery. The default value is \" `false` \".\n- `DeliveryBucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want AWS Config to deliver configuration snapshots and configuration history files to.\n- `DeliveryBucketPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `NotificationOptions`\n\n- Description: (Optional) Determines the notification configuration for the recorder. The valid values are `NoStreaming` , `UseExistingTopic` , and `CreateTopic` . The default value is `NoStreaming` .\n- `CustomDeliveryTopicAccountId`\n\n- Description: (Optional) The ID of the AWS account where the Amazon SNS topic you want to use for notifications resides. You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `CustomDeliveryTopicName`\n\n- Description: (Optional) The name of the Amazon SNS topic you want to use for notifications. 
You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(7 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Change Manager (Type: AWS QuickSetupType-SSMChangeMgr)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `JobFunction`\n\n- Description: (Required) The name for the Change Manager job function.\n- `PermissionType`\n\n- Description: (Optional) Specifies whether you want to use default administrator permissions for the job function role, or provide a custom IAM policy. The valid values are `CustomPermissions` and `AdminPermissions` . The default value for the parameter is `CustomerPermissions` .\n- `CustomPermissions`\n\n- Description: (Optional) A JSON string containing the IAM policy you want your job function to use. 
You must provide a value for this parameter if you specify `CustomPermissions` for the `PermissionType` parameter.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Conformance Packs (Type: AWS QuickSetupType-CFGCPacks)** - - `DelegatedAccountId`\n\n- Description: (Optional) The ID of the delegated administrator account. This parameter is required for Organization deployments.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `none` \".\n- `CPackNames`\n\n- Description: (Required) A comma separated list of AWS Config conformance packs.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Default Host Management Configuration (Type: AWS QuickSetupType-DHMC)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. 
The default value is \" `true` \".\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **DevOps\u00a0Guru (Type: AWS QuickSetupType-DevOpsGuru)** - - `AnalyseAllResources`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru analyzes all AWS CloudFormation stacks in the account. The default value is \" `false` \".\n- `EnableSnsNotifications`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru sends notifications when an insight is created. The default value is \" `true` \".\n- `EnableSsmOpsItems`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru creates an OpsCenter OpsItem when an insight is created. The default value is \" `true` \".\n- `EnableDriftRemediation`\n\n- Description: (Optional) A boolean value that determines whether a drift remediation schedule is used. The default value is \" `false` \".\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Distributor (Type: AWS QuickSetupType-Distributor)** - - `PackagesToInstall`\n\n- Description: (Required) A comma separated list of packages you want to install on the target instances. The valid values are `AWSEFSTools` , `AWSCWAgent` , and `AWSEC2LaunchAgent` .\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `rate(30 days)` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. 
You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Host Management (Type: AWS QuickSetupType-SSMHostMgmt)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. The default value is \" `true` \".\n- `UpdateEc2LaunchAgent`\n\n- Description: (Optional) A boolean value that determines whether the EC2 Launch agent is updated on the target instances every month. The default value is \" `false` \".\n- `CollectInventory`\n\n- Description: (Optional) A boolean value that determines whether instance metadata is collected on the target instances every 30 minutes. The default value is \" `true` \".\n- `ScanInstances`\n\n- Description: (Optional) A boolean value that determines whether the target instances are scanned daily for available patches. The default value is \" `true` \".\n- `InstallCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is installed on the target instances. 
The default value is \" `false` \".\n- `UpdateCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is updated on the target instances every month. The default value is \" `false` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Optional) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Optional) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Optional) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **OpsCenter (Type: AWS QuickSetupType-SSMOpsCenter)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Patch Policy (Type: AWS QuickSetupType-PatchPolicy)** - - `PatchPolicyName`\n\n- Description: (Required) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag.\n- `SelectedPatchBaselines`\n\n- Description: (Required) An array of JSON objects containing the information for the patch baselines to include in your patch policy.\n- `PatchBaselineUseDefault`\n\n- Description: (Optional) A boolean value that determines whether the selected patch baselines are all AWS provided.\n- `ConfigurationOptionsPatchOperation`\n\n- Description: (Optional) Determines whether target instances scan for available patches, or scan and install available patches. The valid values are `Scan` and `ScanAndInstall` . 
The default value for the parameter is `Scan` .\n- `ConfigurationOptionsScanValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances scan for available patches.\n- `ConfigurationOptionsInstallValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances install available patches.\n- `ConfigurationOptionsScanNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `ConfigurationOptionsInstallNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `RebootOption`\n\n- Description: (Optional) Determines whether instances are rebooted after patches are installed. Valid values are `RebootIfNeeded` and `NoReboot` .\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. 
The default value is \" `false` \".\n- `OutputLogEnableS3`\n\n- Description: (Optional) A boolean value that determines whether command output logs are sent to Amazon S3.\n- `OutputS3Location`\n\n- Description: (Optional) A JSON string containing information about the Amazon S3 bucket where you want to store the output details of the request.\n\n- `OutputS3BucketRegion`\n\n- Description: (Optional) The AWS Region where the Amazon S3 bucket you want to deliver command output to is located.\n- `OutputS3BucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want to deliver command output to.\n- `OutputS3KeyPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. 
You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Explorer (Type: AWS QuickSetupType-ResourceExplorer)** - - `SelectedAggregatorRegion`\n\n- Description: (Required) The AWS Region where you want to create the aggregator index.\n- `ReplaceExistingAggregator`\n\n- Description: (Required) A boolean value that determines whether to demote an existing aggregator if it is in a Region that differs from the value you specify for the `SelectedAggregatorRegion` .\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Scheduler (Type: AWS QuickSetupType-Scheduler)** - - `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target.\n- `ICalendarString`\n\n- Description: (Required) An iCalendar formatted string containing the schedule you want Change Manager to use.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. 
You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.",
+      "Parameters": "The parameters for the configuration definition type. Parameters for configuration definitions vary based the configuration type. The following lists outline the parameters for each configuration type.\n\n- **AWS Config Recording (Type: AWS QuickSetupType-CFGRecording)** - - `RecordAllResources`\n\n- Description: (Optional) A boolean value that determines whether all supported resources are recorded. The default value is \" `true` \".\n- `ResourceTypesToRecord`\n\n- Description: (Optional) A comma separated list of resource types you want to record.\n- `RecordGlobalResourceTypes`\n\n- Description: (Optional) A boolean value that determines whether global resources are recorded with all resource configurations. The default value is \" `false` \".\n- `GlobalResourceTypesRegion`\n\n- Description: (Optional) Determines the AWS Region where global resources are recorded.\n- `UseCustomBucket`\n\n- Description: (Optional) A boolean value that determines whether a custom Amazon S3 bucket is used for delivery. The default value is \" `false` \".\n- `DeliveryBucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want AWS Config to deliver configuration snapshots and configuration history files to.\n- `DeliveryBucketPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `NotificationOptions`\n\n- Description: (Optional) Determines the notification configuration for the recorder. The valid values are `NoStreaming` , `UseExistingTopic` , and `CreateTopic` . The default value is `NoStreaming` .\n- `CustomDeliveryTopicAccountId`\n\n- Description: (Optional) The ID of the AWS account where the Amazon SNS topic you want to use for notifications resides. You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `CustomDeliveryTopicName`\n\n- Description: (Optional) The name of the Amazon SNS topic you want to use for notifications. 
You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(7 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Change Manager (Type: AWS QuickSetupType-SSMChangeMgr)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `JobFunction`\n\n- Description: (Required) The name for the Change Manager job function.\n- `PermissionType`\n\n- Description: (Optional) Specifies whether you want to use default administrator permissions for the job function role, or provide a custom IAM policy. The valid values are `CustomPermissions` and `AdminPermissions` . The default value for the parameter is `CustomerPermissions` .\n- `CustomPermissions`\n\n- Description: (Optional) A JSON string containing the IAM policy you want your job function to use. 
You must provide a value for this parameter if you specify `CustomPermissions` for the `PermissionType` parameter.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Conformance Packs (Type: AWS QuickSetupType-CFGCPacks)** - - `DelegatedAccountId`\n\n- Description: (Optional) The ID of the delegated administrator account. This parameter is required for Organization deployments.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `none` \".\n- `CPackNames`\n\n- Description: (Required) A comma separated list of AWS Config conformance packs.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Default Host Management Configuration (Type: AWS QuickSetupType-DHMC)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. 
The default value is \" `true` \".\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **DevOps\u00a0Guru (Type: AWS QuickSetupType-DevOpsGuru)** - - `AnalyseAllResources`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru analyzes all AWS CloudFormation stacks in the account. The default value is \" `false` \".\n- `EnableSnsNotifications`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru sends notifications when an insight is created. The default value is \" `true` \".\n- `EnableSsmOpsItems`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru creates an OpsCenter OpsItem when an insight is created. The default value is \" `true` \".\n- `EnableDriftRemediation`\n\n- Description: (Optional) A boolean value that determines whether a drift remediation schedule is used. The default value is \" `false` \".\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Distributor (Type: AWS QuickSetupType-Distributor)** - - `PackagesToInstall`\n\n- Description: (Required) A comma separated list of packages you want to install on the target instances. The valid values are `AWSEFSTools` , `AWSCWAgent` , and `AWSEC2LaunchAgent` .\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `rate(30 days)` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. 
You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Host Management (Type: AWS QuickSetupType-SSMHostMgmt)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. The default value is \" `true` \".\n- `UpdateEc2LaunchAgent`\n\n- Description: (Optional) A boolean value that determines whether the EC2 Launch agent is updated on the target instances every month. The default value is \" `false` \".\n- `CollectInventory`\n\n- Description: (Optional) A boolean value that determines whether instance metadata is collected on the target instances every 30 minutes. The default value is \" `true` \".\n- `ScanInstances`\n\n- Description: (Optional) A boolean value that determines whether the target instances are scanned daily for available patches. The default value is \" `true` \".\n- `InstallCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is installed on the target instances. 
The default value is \" `false` \".\n- `UpdateCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is updated on the target instances every month. The default value is \" `false` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Optional) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Optional) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Optional) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **OpsCenter (Type: AWS QuickSetupType-SSMOpsCenter)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Patch Policy (Type: AWS QuickSetupType-PatchPolicy)** - - `PatchPolicyName`\n\n- Description: (Required) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag.\n- `SelectedPatchBaselines`\n\n- Description: (Required) An array of JSON objects containing the information for the patch baselines to include in your patch policy.\n- `PatchBaselineUseDefault`\n\n- Description: (Optional) A boolean value that determines whether the selected patch baselines are all AWS provided.\n- `ConfigurationOptionsPatchOperation`\n\n- Description: (Optional) Determines whether target instances scan for available patches, or scan and install available patches. The valid values are `Scan` and `ScanAndInstall` . 
The default value for the parameter is `Scan` .\n- `ConfigurationOptionsScanValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances scan for available patches.\n- `ConfigurationOptionsInstallValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances install available patches.\n- `ConfigurationOptionsScanNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `ConfigurationOptionsInstallNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `RebootOption`\n\n- Description: (Optional) Determines whether instances are rebooted after patches are installed. Valid values are `RebootIfNeeded` and `NoReboot` .\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. 
The default value is \" `false` \".\n- `OutputLogEnableS3`\n\n- Description: (Optional) A boolean value that determines whether command output logs are sent to Amazon S3.\n- `OutputS3Location`\n\n- Description: (Optional) A JSON string containing information about the Amazon S3 bucket where you want to store the output details of the request.\n\n- `OutputS3BucketRegion`\n\n- Description: (Optional) The AWS Region where the Amazon S3 bucket you want to deliver command output to is located.\n- `OutputS3BucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want to deliver command output to.\n- `OutputS3KeyPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. 
You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Explorer (Type: AWS QuickSetupType-ResourceExplorer)** - - `SelectedAggregatorRegion`\n\n- Description: (Required) The AWS Region where you want to create the aggregator index.\n- `ReplaceExistingAggregator`\n\n- Description: (Required) A boolean value that determines whether to demote an existing aggregator if it is in a Region that differs from the value you specify for the `SelectedAggregatorRegion` .\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Scheduler (Type: AWS QuickSetupType-Scheduler)** - - `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target.\n- `ICalendarString`\n\n- Description: (Required) An iCalendar formatted string containing the schedule you want Change Manager to use.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. 
You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.",
       "Type": "The type of the Quick Setup configuration.",
       "TypeVersion": "The version of the Quick Setup type used.",
       "id": "The ID of the configuration definition."
@@ -46387,6 +46622,7 @@
       "LifecycleConfigArn": "The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.",
       "SageMakerImageArn": "The ARN of the SageMaker AI image that the image version belongs to.",
       "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
+      "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
     },
     "AWS::SageMaker::App Tag": {
       "Key": "The tag key. Tag keys must be unique per resource.",
@@ -46732,6 +46968,7 @@
       "LifecycleConfigArn": "The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.",
       "SageMakerImageArn": "The ARN of the SageMaker AI image that the image version belongs to.",
       "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
+      "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
     },
     "AWS::SageMaker::Domain SharingSettings": {
       "NotebookOutputOption": "Whether to include the notebook cell output when sharing the notebook. The default is `Disabled` .",
@@ -48136,6 +48373,7 @@
       "LifecycleConfigArn": "The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.",
       "SageMakerImageArn": "The ARN of the SageMaker AI image that the image version belongs to.",
       "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
+      "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
     },
     "AWS::SageMaker::Space SpaceAppLifecycleManagement": {
       "IdleSettings": "Settings related to idle shutdown of Studio applications."
@@ -48260,6 +48498,7 @@
       "LifecycleConfigArn": "The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.",
       "SageMakerImageArn": "The ARN of the SageMaker AI image that the image version belongs to.",
       "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
+      "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
     },
     "AWS::SageMaker::UserProfile SharingSettings": {
       "NotebookOutputOption": "Whether to include the notebook cell output when sharing the notebook. The default is `Disabled` .",
@@ -48423,6 +48662,7 @@
     "AWS::SecretsManager::RotationSchedule": {
       "HostedRotationLambda": "Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) . To use a rotation function that already exists, specify `RotationLambdaARN` instead.\n\nYou must specify `Transform: AWS::SecretsManager-2024-09-16` at the beginning of the CloudFormation template. Transforms are macros hosted by AWS CloudFormation that help you create and manage complex infrastructure. The `Transform: AWS::SecretsManager-2024-09-16` transform automatically extends the CloudFormation stack to include a nested stack (of type `AWS::CloudFormation::Stack` ), which then creates and updates on your behalf during subsequent stack operations, the appropriate rotation Lambda function for your database or service. For general information on transforms, see the [AWS CloudFormation documentation.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html)\n\nFor Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) .\n\nFor Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) .",
       "RotateImmediatelyOnUpdate": "Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. The rotation schedule is defined in `RotationRules` .\n\nThe default for `RotateImmediatelyOnUpdate` is `true` . If you don't specify this value, Secrets Manager rotates the secret immediately.\n\nIf you set `RotateImmediatelyOnUpdate` to `false` , Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it.\n\n> When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` :\n> \n> - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur.\n> - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows. \n\nRotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .",
+      "RotateImmediatelyOnUpdate": "Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. The rotation schedule is defined in `RotationRules` .\n\nThe default for `RotateImmediatelyOnUpdate` is `true` . If you don't specify this value, Secrets Manager rotates the secret immediately.\n\nIf you set `RotateImmediatelyOnUpdate` to `false` , Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it.\n\n> When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` :\n> \n> - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur.\n> - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows. \n\nRotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .",
       "RotationLambdaARN": "The ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function.\n\nFor Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) .\n\nFor Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) .\n\nTo create a new rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) , specify `HostedRotationLambda` instead.",
       "RotationRules": "A structure that defines the rotation configuration for this secret.",
       "SecretId": "The ARN or name of the secret to rotate. This is unique for each rotation schedule definition.\n\nTo reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID."
@@ -49450,9 +49690,11 @@
       "LogDeliveryConfiguration": "Configuration for sending InfluxDB engine logs to a specified S3 bucket.",
       "Name": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per region.",
       "NetworkType": "",
+      "NetworkType": "",
       "Organization": "The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users.",
       "Password": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon SecretManager in your account.",
       "Port": "",
+      "Port": "",
       "PubliclyAccessible": "Configures the DB instance with a public IP to facilitate access.",
       "Tags": "A list of key-value pairs to associate with the DB instance.",
       "Username": "The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon Secrets Manager in your account.",
@@ -49961,6 +50203,7 @@
     "AWS::VpcLattice::ResourceConfiguration DnsResource": {
       "DomainName": "The domain name of the resource configuration.",
       "IpAddressType": "The IP address type for the resource configuration."
+      "IpAddressType": "The IP address type for the resource configuration."
     },
     "AWS::VpcLattice::ResourceConfiguration ResourceConfigurationDefinition": {
       "ArnResource": "The Amazon Resource Name (ARN) of the resource configuration. For the ARN syntax and format, see [ARN format](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html#arns-syntax) in the *AWS Identity and Access Management user guide* .",
diff --git a/schema_source/cloudformation.schema.json b/schema_source/cloudformation.schema.json
index daa71469a5..c1b442e764 100644
--- a/schema_source/cloudformation.schema.json
+++ b/schema_source/cloudformation.schema.json
@@ -83457,7 +83457,7 @@
               "items": {
                 "$ref": "#/definitions/AWS::ECS::Service.CapacityProviderStrategyItem"
               },
-              "markdownDescription": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy can contain a maximum of 20 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
+              "markdownDescription": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy may contain a maximum of 6 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
               "title": "CapacityProviderStrategy",
               "type": "array"
             },
diff --git a/tests/model/test_sam_resources.py b/tests/model/test_sam_resources.py
index 9b6c289088..da1ea963df 100644
--- a/tests/model/test_sam_resources.py
+++ b/tests/model/test_sam_resources.py
@@ -583,11 +583,15 @@ def test_with_valid_function_url_config_with_lambda_permission(self):
 
         cfnResources = function.to_cloudformation(**self.kwargs)
         generatedUrlList = [x for x in cfnResources if isinstance(x, LambdaPermission)]
-        self.assertEqual(generatedUrlList.__len__(), 1)
-        self.assertEqual(generatedUrlList[0].Action, "lambda:InvokeFunctionUrl")
-        self.assertEqual(generatedUrlList[0].FunctionName, {"Ref": "foo"})
-        self.assertEqual(generatedUrlList[0].Principal, "*")
-        self.assertEqual(generatedUrlList[0].FunctionUrlAuthType, "NONE")
+        self.assertEqual(generatedUrlList.__len__(), 2)
+        for permission in generatedUrlList:
+            self.assertEqual(permission.FunctionName, {"Ref": "foo"})
+            self.assertEqual(permission.Principal, "*")
+            self.assertTrue(permission.Action in ["lambda:InvokeFunctionUrl", "lambda:InvokeFunction"])
+            if permission.Action == "lambda:InvokeFunctionUrl":
+                self.assertEqual(permission.FunctionUrlAuthType, "NONE")
+            if permission.Action == "lambda:InvokeFunction":
+                self.assertEqual(permission.InvokedViaFunctionUrl, True)
 
     @patch("boto3.session.Session.region_name", "ap-southeast-1")
     def test_with_invalid_function_url_config_with_authorization_type_value_as_None(self):
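Review bot: The loop accepts either action for every permission, so two permissions carrying the same action would still pass; nothing checks that exactly one `lambda:InvokeFunctionUrl` and one `lambda:InvokeFunction` grant are generated. Pin the pair before the loop with `self.assertEqual(sorted(p.Action for p in generatedUrlList), ["lambda:InvokeFunction", "lambda:InvokeFunctionUrl"])`, and prefer `assertIn` over `assertTrue(... in ...)` so a failure prints the offending value. Because the `lambda:InvokeFunction` grant goes to `Principal` `"*"`, `InvokedViaFunctionUrl` is the property that scopes it, and it is worth keeping that assertion unconditional for that action, as it is here. The test method starts above this hunk, so the setup that selects the auth type is not visible.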
diff --git a/tests/translator/output/aws-cn/function_with_function_url_config.json b/tests/translator/output/aws-cn/function_with_function_url_config.json
index 7404f943e2..7bff5c2157 100644
--- a/tests/translator/output/aws-cn/function_with_function_url_config.json
+++ b/tests/translator/output/aws-cn/function_with_function_url_config.json
@@ -58,6 +58,17 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunction"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Properties": {
         "AuthType": "NONE",
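Review bot: `MyFunctionURLInvokeAllowPublicAccess` grants `lambda:InvokeFunction` to `Principal: "*"`, so `InvokedViaFunctionUrl: true` is the only property keeping this from being an open direct-invoke grant. Every expected-output fixture visible in this patch covers `AuthType: NONE` only. An expected-output fixture for an `AWS_IAM` function URL, showing that neither public permission is emitted, would guard against the translator attaching this resource in the wrong branch; one may already exist outside the files shown here. The same point applies to the other fixtures in this patch that add the resource.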
@@ -99,4 +110,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/aws-cn/function_with_function_url_config_and_autopublishalias.json b/tests/translator/output/aws-cn/function_with_function_url_config_and_autopublishalias.json
index b12e0271ca..e226aa8ce5 100644
--- a/tests/translator/output/aws-cn/function_with_function_url_config_and_autopublishalias.json
+++ b/tests/translator/output/aws-cn/function_with_function_url_config_and_autopublishalias.json
@@ -73,6 +73,17 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunctionAliaslive"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Properties": {
         "AuthType": "NONE",
@@ -123,4 +134,4 @@
       "Type": "AWS::Lambda::Version"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/aws-cn/function_with_function_url_config_conditions.json b/tests/translator/output/aws-cn/function_with_function_url_config_conditions.json
index 5cb30218d3..3eb2a5b690 100644
--- a/tests/translator/output/aws-cn/function_with_function_url_config_conditions.json
+++ b/tests/translator/output/aws-cn/function_with_function_url_config_conditions.json
@@ -68,6 +68,18 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Condition": "MyCondition",
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunction"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Condition": "MyCondition",
       "Properties": {
@@ -110,4 +122,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/aws-cn/function_with_function_url_config_without_cors_config.json b/tests/translator/output/aws-cn/function_with_function_url_config_without_cors_config.json
index b20af083f9..7983629f87 100644
--- a/tests/translator/output/aws-cn/function_with_function_url_config_without_cors_config.json
+++ b/tests/translator/output/aws-cn/function_with_function_url_config_without_cors_config.json
@@ -58,6 +58,17 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunction"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Properties": {
         "AuthType": "NONE",
@@ -79,4 +90,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/aws-us-gov/function_with_function_url_config.json b/tests/translator/output/aws-us-gov/function_with_function_url_config.json
index 2d04a4c321..02121e2052 100644
--- a/tests/translator/output/aws-us-gov/function_with_function_url_config.json
+++ b/tests/translator/output/aws-us-gov/function_with_function_url_config.json
@@ -58,6 +58,17 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunction"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Properties": {
         "AuthType": "NONE",
@@ -99,4 +110,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/aws-us-gov/function_with_function_url_config_and_autopublishalias.json b/tests/translator/output/aws-us-gov/function_with_function_url_config_and_autopublishalias.json
index 5d558e29e8..7d85c8d0da 100644
--- a/tests/translator/output/aws-us-gov/function_with_function_url_config_and_autopublishalias.json
+++ b/tests/translator/output/aws-us-gov/function_with_function_url_config_and_autopublishalias.json
@@ -73,6 +73,17 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunctionAliaslive"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Properties": {
         "AuthType": "NONE",
@@ -123,4 +134,4 @@
       "Type": "AWS::Lambda::Version"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/aws-us-gov/function_with_function_url_config_conditions.json b/tests/translator/output/aws-us-gov/function_with_function_url_config_conditions.json
index e2763bcd95..3d1abb6026 100644
--- a/tests/translator/output/aws-us-gov/function_with_function_url_config_conditions.json
+++ b/tests/translator/output/aws-us-gov/function_with_function_url_config_conditions.json
@@ -68,6 +68,18 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Condition": "MyCondition",
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunction"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Condition": "MyCondition",
       "Properties": {
@@ -110,4 +122,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/aws-us-gov/function_with_function_url_config_without_cors_config.json b/tests/translator/output/aws-us-gov/function_with_function_url_config_without_cors_config.json
index c274150d6e..f98ad3ab9e 100644
--- a/tests/translator/output/aws-us-gov/function_with_function_url_config_without_cors_config.json
+++ b/tests/translator/output/aws-us-gov/function_with_function_url_config_without_cors_config.json
@@ -58,6 +58,17 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunction"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Properties": {
         "AuthType": "NONE",
@@ -79,4 +90,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/function_with_function_url_config.json b/tests/translator/output/function_with_function_url_config.json
index a185781cbe..f025cab14a 100644
--- a/tests/translator/output/function_with_function_url_config.json
+++ b/tests/translator/output/function_with_function_url_config.json
@@ -58,6 +58,17 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunction"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Properties": {
         "AuthType": "NONE",
@@ -99,4 +110,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/function_with_function_url_config_and_autopublishalias.json b/tests/translator/output/function_with_function_url_config_and_autopublishalias.json
index d62e345658..73a6a04a85 100644
--- a/tests/translator/output/function_with_function_url_config_and_autopublishalias.json
+++ b/tests/translator/output/function_with_function_url_config_and_autopublishalias.json
@@ -73,6 +73,17 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunctionAliaslive"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Properties": {
         "AuthType": "NONE",
@@ -123,4 +134,4 @@
       "Type": "AWS::Lambda::Version"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/function_with_function_url_config_conditions.json b/tests/translator/output/function_with_function_url_config_conditions.json
index 94cc22817f..30a5e2894f 100644
--- a/tests/translator/output/function_with_function_url_config_conditions.json
+++ b/tests/translator/output/function_with_function_url_config_conditions.json
@@ -68,6 +68,18 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Condition": "MyCondition",
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunction"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Condition": "MyCondition",
       "Properties": {
@@ -110,4 +122,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/tests/translator/output/function_with_function_url_config_without_cors_config.json b/tests/translator/output/function_with_function_url_config_without_cors_config.json
index 07520fa011..d962cd14b2 100644
--- a/tests/translator/output/function_with_function_url_config_without_cors_config.json
+++ b/tests/translator/output/function_with_function_url_config_without_cors_config.json
@@ -58,6 +58,17 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "MyFunctionURLInvokeAllowPublicAccess": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Ref": "MyFunction"
+        },
+        "InvokedViaFunctionUrl": true,
+        "Principal": "*"
+      },
+      "Type": "AWS::Lambda::Permission"
+    },
     "MyFunctionUrl": {
       "Properties": {
         "AuthType": "NONE",
@@ -79,4 +90,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
+}
\ No newline at end of file

From 94c7ca1cb932ce35c3d4ac3eb345982f83d63ad0 Mon Sep 17 00:00:00 2001
From: jonathan Ifegunni <jonife@amazon.com>
Date: Thu, 6 Feb 2025 10:22:45 -0800
Subject: [PATCH 02/13] completed make pr

---
 .../output/aws-cn/function_with_function_url_config.json        | 2 +-
 .../function_with_function_url_config_and_autopublishalias.json | 2 +-
 .../aws-cn/function_with_function_url_config_conditions.json    | 2 +-
 .../function_with_function_url_config_without_cors_config.json  | 2 +-
 .../output/aws-us-gov/function_with_function_url_config.json    | 2 +-
 .../function_with_function_url_config_and_autopublishalias.json | 2 +-
 .../function_with_function_url_config_conditions.json           | 2 +-
 .../function_with_function_url_config_without_cors_config.json  | 2 +-
 tests/translator/output/function_with_function_url_config.json  | 2 +-
 .../function_with_function_url_config_and_autopublishalias.json | 2 +-
 .../output/function_with_function_url_config_conditions.json    | 2 +-
 .../function_with_function_url_config_without_cors_config.json  | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/tests/translator/output/aws-cn/function_with_function_url_config.json b/tests/translator/output/aws-cn/function_with_function_url_config.json
index 7bff5c2157..bd007a3627 100644
--- a/tests/translator/output/aws-cn/function_with_function_url_config.json
+++ b/tests/translator/output/aws-cn/function_with_function_url_config.json
@@ -110,4 +110,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/aws-cn/function_with_function_url_config_and_autopublishalias.json b/tests/translator/output/aws-cn/function_with_function_url_config_and_autopublishalias.json
index e226aa8ce5..e648b94608 100644
--- a/tests/translator/output/aws-cn/function_with_function_url_config_and_autopublishalias.json
+++ b/tests/translator/output/aws-cn/function_with_function_url_config_and_autopublishalias.json
@@ -134,4 +134,4 @@
       "Type": "AWS::Lambda::Version"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/aws-cn/function_with_function_url_config_conditions.json b/tests/translator/output/aws-cn/function_with_function_url_config_conditions.json
index 3eb2a5b690..3f2fcbda62 100644
--- a/tests/translator/output/aws-cn/function_with_function_url_config_conditions.json
+++ b/tests/translator/output/aws-cn/function_with_function_url_config_conditions.json
@@ -122,4 +122,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/aws-cn/function_with_function_url_config_without_cors_config.json b/tests/translator/output/aws-cn/function_with_function_url_config_without_cors_config.json
index 7983629f87..11393799b5 100644
--- a/tests/translator/output/aws-cn/function_with_function_url_config_without_cors_config.json
+++ b/tests/translator/output/aws-cn/function_with_function_url_config_without_cors_config.json
@@ -90,4 +90,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/aws-us-gov/function_with_function_url_config.json b/tests/translator/output/aws-us-gov/function_with_function_url_config.json
index 02121e2052..717276ba4a 100644
--- a/tests/translator/output/aws-us-gov/function_with_function_url_config.json
+++ b/tests/translator/output/aws-us-gov/function_with_function_url_config.json
@@ -110,4 +110,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/aws-us-gov/function_with_function_url_config_and_autopublishalias.json b/tests/translator/output/aws-us-gov/function_with_function_url_config_and_autopublishalias.json
index 7d85c8d0da..ab22babe3d 100644
--- a/tests/translator/output/aws-us-gov/function_with_function_url_config_and_autopublishalias.json
+++ b/tests/translator/output/aws-us-gov/function_with_function_url_config_and_autopublishalias.json
@@ -134,4 +134,4 @@
       "Type": "AWS::Lambda::Version"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/aws-us-gov/function_with_function_url_config_conditions.json b/tests/translator/output/aws-us-gov/function_with_function_url_config_conditions.json
index 3d1abb6026..98bd4aeda7 100644
--- a/tests/translator/output/aws-us-gov/function_with_function_url_config_conditions.json
+++ b/tests/translator/output/aws-us-gov/function_with_function_url_config_conditions.json
@@ -122,4 +122,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/aws-us-gov/function_with_function_url_config_without_cors_config.json b/tests/translator/output/aws-us-gov/function_with_function_url_config_without_cors_config.json
index f98ad3ab9e..34e72dd452 100644
--- a/tests/translator/output/aws-us-gov/function_with_function_url_config_without_cors_config.json
+++ b/tests/translator/output/aws-us-gov/function_with_function_url_config_without_cors_config.json
@@ -90,4 +90,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/function_with_function_url_config.json b/tests/translator/output/function_with_function_url_config.json
index f025cab14a..f8470b1997 100644
--- a/tests/translator/output/function_with_function_url_config.json
+++ b/tests/translator/output/function_with_function_url_config.json
@@ -110,4 +110,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/function_with_function_url_config_and_autopublishalias.json b/tests/translator/output/function_with_function_url_config_and_autopublishalias.json
index 73a6a04a85..29f8dd5b48 100644
--- a/tests/translator/output/function_with_function_url_config_and_autopublishalias.json
+++ b/tests/translator/output/function_with_function_url_config_and_autopublishalias.json
@@ -134,4 +134,4 @@
       "Type": "AWS::Lambda::Version"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/function_with_function_url_config_conditions.json b/tests/translator/output/function_with_function_url_config_conditions.json
index 30a5e2894f..736511c8b0 100644
--- a/tests/translator/output/function_with_function_url_config_conditions.json
+++ b/tests/translator/output/function_with_function_url_config_conditions.json
@@ -122,4 +122,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/tests/translator/output/function_with_function_url_config_without_cors_config.json b/tests/translator/output/function_with_function_url_config_without_cors_config.json
index d962cd14b2..4f1a321b77 100644
--- a/tests/translator/output/function_with_function_url_config_without_cors_config.json
+++ b/tests/translator/output/function_with_function_url_config_without_cors_config.json
@@ -90,4 +90,4 @@
       "Type": "AWS::Lambda::Permission"
     }
   }
-}
\ No newline at end of file
+}

From 5142575e9df7c220b32d5ca819d233ce42db356a Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Wed, 19 Mar 2025 22:11:19 +0000
Subject: [PATCH 03/13] update schema

---
 samtranslator/schema/schema.json         |  28 +--
 schema_source/cloudformation-docs.json   | 289 ++---------------------
 schema_source/cloudformation.schema.json |   2 +-
 3 files changed, 19 insertions(+), 300 deletions(-)

diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json
index 1e141a644e..4c0d122db3 100644
--- a/samtranslator/schema/schema.json
+++ b/samtranslator/schema/schema.json
@@ -37324,7 +37324,6 @@
           "type": "string"
         },
         "SslSupportMethod": {
-          "markdownDescription": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field.",
           "markdownDescription": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field.",
           "title": "SslSupportMethod",
           "type": "string"
@@ -41963,7 +41962,6 @@
           "type": "string"
         },
         "Type": {
-          "markdownDescription": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name.",
           "markdownDescription": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name.",
           "title": "Type",
           "type": "string"
@@ -55781,7 +55779,6 @@
           "title": "Parameters"
         },
         "Type": {
-          "markdownDescription": "The source of the event. Currently only managed Amazon EventBridge (formerly known as Amazon CloudWatch) events are supported.",
           "markdownDescription": "The source of the event. Currently only managed Amazon EventBridge (formerly known as Amazon CloudWatch) events are supported.",
           "title": "Type",
           "type": "string"
@@ -62804,7 +62801,6 @@
               "type": "array"
             },
             "Domain": {
-              "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.",
               "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.",
               "title": "Domain",
               "type": "string"
@@ -62820,7 +62816,6 @@
               "type": "string"
             },
             "ServerHostname": {
-              "markdownDescription": "Specifies the domain name or IP address of the SMB file server that your DataSync agent will mount.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
               "markdownDescription": "Specifies the domain name or IP address of the SMB file server that your DataSync agent will mount.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
               "title": "ServerHostname",
               "type": "string"
@@ -68401,7 +68396,6 @@
               "type": "boolean"
             },
             "InstanceCount": {
-              "markdownDescription": "The number of instances for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for an instance count with a minimum of 100 vCPUs. For example, if you request a future-dated Capacity Reservation for `m5.xlarge` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). \n\nValid range: 1 - 1000",
               "markdownDescription": "The number of instances for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for an instance count with a minimum of 100 vCPUs. For example, if you request a future-dated Capacity Reservation for `m5.xlarge` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). \n\nValid range: 1 - 1000",
               "title": "InstanceCount",
               "type": "number"
@@ -71649,7 +71643,6 @@
               "title": "CreditSpecification"
             },
             "DisableApiTermination": {
-              "markdownDescription": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
               "markdownDescription": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
               "title": "DisableApiTermination",
               "type": "boolean"
@@ -73111,7 +73104,6 @@
           "type": "boolean"
         },
         "DisableApiTermination": {
-          "markdownDescription": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
           "markdownDescription": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
           "title": "DisableApiTermination",
           "type": "boolean"
@@ -83500,7 +83492,7 @@
               "items": {
                 "$ref": "#/definitions/AWS::ECS::Service.CapacityProviderStrategyItem"
               },
-              "markdownDescription": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy may contain a maximum of 6 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
+              "markdownDescription": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy can contain a maximum of 20 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
               "title": "CapacityProviderStrategy",
               "type": "array"
             },
@@ -83549,7 +83541,6 @@
                 "$ref": "#/definitions/AWS::ECS::Service.LoadBalancer"
               },
               "markdownDescription": "A list of load balancer objects to associate with the service. If you specify the `Role` property, `LoadBalancers` must be specified as well. For information about the number of load balancers that you can specify per service, see [Service Load Balancing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> To remove this property from your service resource, specify an empty `LoadBalancer` array.",
-              "markdownDescription": "A list of load balancer objects to associate with the service. If you specify the `Role` property, `LoadBalancers` must be specified as well. For information about the number of load balancers that you can specify per service, see [Service Load Balancing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> To remove this property from your service resource, specify an empty `LoadBalancer` array.",
               "title": "LoadBalancers",
               "type": "array"
             },
@@ -83563,7 +83554,6 @@
                 "$ref": "#/definitions/AWS::ECS::Service.PlacementConstraint"
               },
               "markdownDescription": "An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.\n\n> To remove this property from your service resource, specify an empty `PlacementConstraint` array.",
-              "markdownDescription": "An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.\n\n> To remove this property from your service resource, specify an empty `PlacementConstraint` array.",
               "title": "PlacementConstraints",
               "type": "array"
             },
@@ -83572,7 +83562,6 @@
                 "$ref": "#/definitions/AWS::ECS::Service.PlacementStrategy"
               },
               "markdownDescription": "The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.\n\n> To remove this property from your service resource, specify an empty `PlacementStrategy` array.",
-              "markdownDescription": "The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.\n\n> To remove this property from your service resource, specify an empty `PlacementStrategy` array.",
               "title": "PlacementStrategies",
               "type": "array"
             },
@@ -83611,7 +83600,6 @@
                 "$ref": "#/definitions/AWS::ECS::Service.ServiceRegistry"
               },
               "markdownDescription": "The details of the service discovery registry to associate with this service. For more information, see [Service discovery](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html) .\n\n> Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty `ServiceRegistry` array.",
-              "markdownDescription": "The details of the service discovery registry to associate with this service. For more information, see [Service discovery](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html) .\n\n> Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty `ServiceRegistry` array.",
               "title": "ServiceRegistries",
               "type": "array"
             },
@@ -83633,7 +83621,6 @@
                 "$ref": "#/definitions/AWS::ECS::Service.ServiceVolumeConfiguration"
               },
               "markdownDescription": "The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.\n\n> To remove this property from your service resource, specify an empty `ServiceVolumeConfiguration` array.",
-              "markdownDescription": "The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.\n\n> To remove this property from your service resource, specify an empty `ServiceVolumeConfiguration` array.",
               "title": "VolumeConfigurations",
               "type": "array"
             }
@@ -85841,7 +85828,6 @@
               "type": "string"
             },
             "ProvisionedThroughputInMibps": {
-              "markdownDescription": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .",
               "markdownDescription": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .",
               "title": "ProvisionedThroughputInMibps",
               "type": "number"
@@ -86129,7 +86115,6 @@
               "type": "array"
             },
             "PrincipalArn": {
-              "markdownDescription": "The ARN of the IAM principal for the `AccessEntry` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.\n\nThe valid principals differ depending on the type of the access entry in the `type` field. For `STANDARD` access entries, you can use every IAM principal type. For nodes ( `EC2` (for EKS Auto Mode), `EC2_LINUX` , `EC2_WINDOWS` , `FARGATE_LINUX` , and `HYBRID_LINUX` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.\n\n[IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.",
               "markdownDescription": "The ARN of the IAM principal for the `AccessEntry` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.\n\nThe valid principals differ depending on the type of the access entry in the `type` field. For `STANDARD` access entries, you can use every IAM principal type. For nodes ( `EC2` (for EKS Auto Mode), `EC2_LINUX` , `EC2_WINDOWS` , `FARGATE_LINUX` , and `HYBRID_LINUX` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.\n\n[IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.",
               "title": "PrincipalArn",
               "type": "string"
@@ -86143,7 +86128,6 @@
               "type": "array"
             },
             "Type": {
-              "markdownDescription": "The type of the new access entry. Valid values are `STANDARD` , `FARGATE_LINUX` , `EC2_LINUX` , `EC2_WINDOWS` , `EC2` (for EKS Auto Mode), `HYBRID_LINUX` , and `HYPERPOD_LINUX` .\n\nIf the `principalArn` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify `EC2_LINUX` or `EC2_WINDOWS` . Amazon EKS grants the necessary permissions to the node for you. If the `principalArn` is for any other purpose, specify `STANDARD` . If you don't specify a value, Amazon EKS sets the value to `STANDARD` . If you have the access mode of the cluster set to `API_AND_CONFIG_MAP` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the `aws-auth` `ConfigMap` for the roles. You can't change this value once you've created the access entry.\n\nIf you set the value to `EC2_LINUX` or `EC2_WINDOWS` , you can't specify values for `kubernetesGroups` , or associate an `AccessPolicy` to the access entry.",
               "markdownDescription": "The type of the new access entry. Valid values are `STANDARD` , `FARGATE_LINUX` , `EC2_LINUX` , `EC2_WINDOWS` , `EC2` (for EKS Auto Mode), `HYBRID_LINUX` , and `HYPERPOD_LINUX` .\n\nIf the `principalArn` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify `EC2_LINUX` or `EC2_WINDOWS` . Amazon EKS grants the necessary permissions to the node for you. If the `principalArn` is for any other purpose, specify `STANDARD` . If you don't specify a value, Amazon EKS sets the value to `STANDARD` . If you have the access mode of the cluster set to `API_AND_CONFIG_MAP` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the `aws-auth` `ConfigMap` for the roles. You can't change this value once you've created the access entry.\n\nIf you set the value to `EC2_LINUX` or `EC2_WINDOWS` , you can't specify values for `kubernetesGroups` , or associate an `AccessPolicy` to the access entry.",
               "title": "Type",
               "type": "string"
@@ -86284,7 +86268,6 @@
               "type": "boolean"
             },
             "ResolveConflicts": {
-              "markdownDescription": "How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:\n\n- *None* \u2013 If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.\n- *Overwrite* \u2013 If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.\n- *Preserve* \u2013 This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see [`UpdateAddon`](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) .\n\nIf you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.",
               "markdownDescription": "How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:\n\n- *None* \u2013 If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.\n- *Overwrite* \u2013 If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.\n- *Preserve* \u2013 This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see [`UpdateAddon`](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) .\n\nIf you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.",
               "title": "ResolveConflicts",
               "type": "string"
@@ -93240,7 +93223,6 @@
           "type": "boolean"
         },
         "Mode": {
-          "markdownDescription": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
           "markdownDescription": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
           "title": "Mode",
           "type": "string"
@@ -93990,7 +93972,6 @@
           "additionalProperties": false,
           "properties": {
             "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": {
-              "markdownDescription": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .",
               "markdownDescription": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .",
               "title": "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic",
               "type": "string"
@@ -113952,7 +113933,6 @@
       "additionalProperties": false,
       "properties": {
         "AuthorizationStrategy": {
-          "markdownDescription": "The authorization strategy selected when the HealthLake data store is created.\n\n> HealthLake provides support for both SMART on FHIR V1 and V2 as described below.\n> \n> - `SMART_ON_FHIR_V1` \u2013 Support for only SMART on FHIR V1, which includes `read` (read/search) and `write` (create/update/delete) permissions.\n> - `SMART_ON_FHIR` \u2013 Support for both SMART on FHIR V1 and V2, which includes `create` , `read` , `update` , `delete` , and `search` permissions.\n> - `AWS_AUTH` \u2013 The default HealthLake authorization strategy; not affiliated with SMART on FHIR.",
           "markdownDescription": "The authorization strategy selected when the HealthLake data store is created.\n\n> HealthLake provides support for both SMART on FHIR V1 and V2 as described below.\n> \n> - `SMART_ON_FHIR_V1` \u2013 Support for only SMART on FHIR V1, which includes `read` (read/search) and `write` (create/update/delete) permissions.\n> - `SMART_ON_FHIR` \u2013 Support for both SMART on FHIR V1 and V2, which includes `create` , `read` , `update` , `delete` , and `search` permissions.\n> - `AWS_AUTH` \u2013 The default HealthLake authorization strategy; not affiliated with SMART on FHIR.",
           "title": "AuthorizationStrategy",
           "type": "string"
@@ -241122,7 +241102,6 @@
                 "type": "string"
               },
               "markdownDescription": "The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see [AWS Systems Manager Change Calendar](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the *AWS Systems Manager User Guide* .",
-              "markdownDescription": "The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see [AWS Systems Manager Change Calendar](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the *AWS Systems Manager User Guide* .",
               "title": "CalendarNames",
               "type": "array"
             },
@@ -244284,7 +244263,6 @@
           "type": "string"
         },
         "SageMakerImageVersionArn": {
-          "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "title": "SageMakerImageVersionArn",
           "type": "string"
@@ -245852,7 +245830,6 @@
           "type": "string"
         },
         "SageMakerImageVersionArn": {
-          "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "title": "SageMakerImageVersionArn",
           "type": "string"
@@ -253100,7 +253077,6 @@
           "type": "string"
         },
         "SageMakerImageVersionArn": {
-          "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "title": "SageMakerImageVersionArn",
           "type": "string"
@@ -253545,7 +253521,6 @@
           "type": "string"
         },
         "SageMakerImageVersionArn": {
-          "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "markdownDescription": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value.",
           "title": "SageMakerImageVersionArn",
           "type": "string"
@@ -254497,7 +254472,6 @@
               "title": "HostedRotationLambda"
             },
             "RotateImmediatelyOnUpdate": {
-              "markdownDescription": "Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. The rotation schedule is defined in `RotationRules` .\n\nThe default for `RotateImmediatelyOnUpdate` is `true` . If you don't specify this value, Secrets Manager rotates the secret immediately.\n\nIf you set `RotateImmediatelyOnUpdate` to `false` , Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it.\n\n> When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` :\n> \n> - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur.\n> - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows. \n\nRotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .",
               "markdownDescription": "Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. The rotation schedule is defined in `RotationRules` .\n\nThe default for `RotateImmediatelyOnUpdate` is `true` . If you don't specify this value, Secrets Manager rotates the secret immediately.\n\nIf you set `RotateImmediatelyOnUpdate` to `false` , Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it.\n\n> When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` :\n> \n> - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur.\n> - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows. \n\nRotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .",
               "title": "RotateImmediatelyOnUpdate",
               "type": "boolean"
diff --git a/schema_source/cloudformation-docs.json b/schema_source/cloudformation-docs.json
index 4daa06ac2a..07bae4b16e 100644
--- a/schema_source/cloudformation-docs.json
+++ b/schema_source/cloudformation-docs.json
@@ -218,7 +218,6 @@
       "Alias": "An optional user-assigned scraper alias.",
       "Destination": "The Amazon Managed Service for Prometheus workspace the scraper sends metrics to.",
       "RoleConfiguration": "",
-      "RoleConfiguration": "",
       "ScrapeConfiguration": "The configuration in use by the scraper.",
       "Source": "The Amazon EKS cluster from which the scraper collects metrics.",
       "Tags": "(Optional) The list of tag keys and values associated with the scraper."
@@ -238,10 +237,6 @@
       "SourceRoleArn": "",
       "TargetRoleArn": ""
     },
-    "AWS::APS::Scraper RoleConfiguration": {
-      "SourceRoleArn": "",
-      "TargetRoleArn": ""
-    },
     "AWS::APS::Scraper ScrapeConfiguration": {
       "ConfigurationBlob": "The base 64 encoded scrape configuration file."
     },
@@ -4961,8 +4956,6 @@
       "Name": "The name the volume mount. This must match the name of one of the volumes in the pod.",
       "ReadOnly": "If this value is `true` , the container has read-only access to the volume. Otherwise, the container can write to the volume. The default value is `false` .",
       "SubPath": "A sub-path inside the referenced volume instead of its root."
-      "ReadOnly": "If this value is `true` , the container has read-only access to the volume. Otherwise, the container can write to the volume. The default value is `false` .",
-      "SubPath": "A sub-path inside the referenced volume instead of its root."
     },
     "AWS::Batch::JobDefinition EksEmptyDir": {
       "Medium": "The medium to store the volume. The default value is an empty string, which uses the storage of the node.\n\n- **\"\"** - *(Default)* Use the disk storage of the node.\n- **\"Memory\"** - Use the `tmpfs` volume that's backed by the RAM of the node. Contents of the volume are lost when the node reboots, and any storage on the volume counts against the container's memory limit.",
@@ -4976,13 +4969,6 @@
       "Labels": "Key-value pairs used to identify, sort, and organize cube resources. Can contain up to 63 uppercase letters, lowercase letters, numbers, hyphens (-), and underscores (_). Labels can be added or modified at any time. Each resource can have multiple labels, but each key must be unique for a given object.",
       "Namespace": "The namespace of the Amazon EKS cluster. In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. Names of resources need to be unique within a namespace, but not across namespaces. AWS Batch places Batch Job pods in this namespace. If this field is provided, the value can't be empty or null. It must meet the following requirements:\n\n- 1-63 characters long\n- Can't be set to default\n- Can't start with `kube`\n- Must match the following regular expression: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`\n\nFor more information, see [Namespaces](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) in the *Kubernetes documentation* . This namespace can be different from the `kubernetesNamespace` set in the compute environment's `EksConfiguration` , but must have identical role-based access control (RBAC) roles as the compute environment's `kubernetesNamespace` . For multi-node parallel jobs, the same value must be provided across all the node ranges."
     },
-    "AWS::Batch::JobDefinition EksPersistentVolumeClaim": {
-      "ClaimName": "The name of the `persistentVolumeClaim` bounded to a `persistentVolume` . For more information, see [Persistent Volume Claims](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) in the *Kubernetes documentation* .",
-      "ReadOnly": "An optional boolean value indicating if the mount is read only. Default is false. For more information, see [Read Only Mounts](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/#read-only-mounts) in the *Kubernetes documentation* ."
-      "Annotations": "Key-value pairs used to attach arbitrary, non-identifying metadata to Kubernetes objects. Valid annotation keys have two segments: an optional prefix and a name, separated by a slash (/).\n\n- The prefix is optional and must be 253 characters or less. If specified, the prefix must be a DNS subdomain\u2212 a series of DNS labels separated by dots (.), and it must end with a slash (/).\n- The name segment is required and must be 63 characters or less. It can include alphanumeric characters ([a-z0-9A-Z]), dashes (-), underscores (_), and dots (.), but must begin and end with an alphanumeric character.\n\n> Annotation values must be 255 characters or less. \n\nAnnotations can be added or modified at any time. Each resource can have multiple annotations.",
-      "Labels": "Key-value pairs used to identify, sort, and organize cube resources. Can contain up to 63 uppercase letters, lowercase letters, numbers, hyphens (-), and underscores (_). Labels can be added or modified at any time. Each resource can have multiple labels, but each key must be unique for a given object.",
-      "Namespace": "The namespace of the Amazon EKS cluster. In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. Names of resources need to be unique within a namespace, but not across namespaces. AWS Batch places Batch Job pods in this namespace. If this field is provided, the value can't be empty or null. It must meet the following requirements:\n\n- 1-63 characters long\n- Can't be set to default\n- Can't start with `kube`\n- Must match the following regular expression: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`\n\nFor more information, see [Namespaces](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) in the *Kubernetes documentation* . This namespace can be different from the `kubernetesNamespace` set in the compute environment's `EksConfiguration` , but must have identical role-based access control (RBAC) roles as the compute environment's `kubernetesNamespace` . For multi-node parallel jobs, the same value must be provided across all the node ranges."
-    },
     "AWS::Batch::JobDefinition EksPersistentVolumeClaim": {
       "ClaimName": "The name of the `persistentVolumeClaim` bounded to a `persistentVolume` . For more information, see [Persistent Volume Claims](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) in the *Kubernetes documentation* .",
       "ReadOnly": "An optional boolean value indicating if the mount is read only. Default is false. For more information, see [Read Only Mounts](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/#read-only-mounts) in the *Kubernetes documentation* ."
@@ -5010,7 +4996,6 @@
       "HostPath": "Specifies the configuration of a Kubernetes `hostPath` volume. For more information, see [hostPath](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) in the *Kubernetes documentation* .",
       "Name": "The name of the volume. The name must be allowed as a DNS subdomain name. For more information, see [DNS subdomain names](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names) in the *Kubernetes documentation* .",
       "PersistentVolumeClaim": "Specifies the configuration of a Kubernetes `persistentVolumeClaim` bounded to a `persistentVolume` . For more information, see [Persistent Volume Claims](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) in the *Kubernetes documentation* .",
-      "PersistentVolumeClaim": "Specifies the configuration of a Kubernetes `persistentVolumeClaim` bounded to a `persistentVolume` . For more information, see [Persistent Volume Claims](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) in the *Kubernetes documentation* .",
       "Secret": "Specifies the configuration of a Kubernetes `secret` volume. For more information, see [secret](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/#secret) in the *Kubernetes documentation* ."
     },
     "AWS::Batch::JobDefinition Environment": {
@@ -5078,31 +5063,9 @@
       "User": "The user name to use inside the container. This parameter maps to `User` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--user` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .",
       "Vcpus": "This parameter is deprecated, use `resourceRequirements` to specify the vCPU requirements for the job definition. It's not supported for jobs running on Fargate resources. For jobs running on Amazon EC2 resources, it specifies the number of vCPUs reserved for the job.\n\nEach vCPU is equivalent to 1,024 CPU shares. This parameter maps to `CpuShares` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--cpu-shares` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . The number of vCPUs must be specified but can be specified in several places. You must specify it at least once for each node.",
       "Volumes": "A list of data volumes used in a job."
-      "Command": "The command that's passed to the container. This parameter maps to `Cmd` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `COMMAND` parameter to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . For more information, see [https://docs.docker.com/engine/reference/builder/#cmd](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/builder/#cmd) .",
-      "Environment": "The environment variables to pass to a container. This parameter maps to `Env` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--env` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> We don't recommend using plaintext environment variables for sensitive information, such as credential data. > Environment variables cannot start with \" `AWS_BATCH` \". This naming convention is reserved for variables that AWS Batch sets.",
-      "EphemeralStorage": "The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate .",
-      "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role that AWS Batch can assume. For jobs that run on Fargate resources, you must provide an execution role. For more information, see [AWS Batch execution IAM role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html) in the *AWS Batch User Guide* .",
-      "Image": "Required. The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr.<region-name>.amazonaws.com/<repository-name>` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).",
-      "InstanceType": "The instance type to use for a multi-node parallel job. All node groups in a multi-node parallel job must use the same instance type.\n\n> This parameter isn't applicable to single-node container jobs or jobs that run on Fargate resources, and shouldn't be provided.",
-      "JobRoleArn": "The Amazon Resource Name (ARN) of the IAM role that the container can assume for AWS permissions. For more information, see [IAM roles for tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide* .",
-      "LinuxParameters": "Linux-specific modifications that are applied to the container, such as details for device mappings.",
-      "LogConfiguration": "The log configuration specification for the container.\n\nThis parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--log-driver` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . By default, containers use the same logging driver that the Docker daemon uses. However the container might use a different logging driver than the Docker daemon by specifying a log driver with this parameter in the container definition. To use a different logging driver for a container, the log system must be configured properly on the container instance (or on a different log server for remote logging options). For more information on the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\n> AWS Batch currently supports a subset of the logging drivers available to the Docker daemon (shown in the [LogConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-batch-jobdefinition-containerproperties-logconfiguration.html) data type). \n\nThis parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version | grep \"Server API version\"`\n\n> The Amazon ECS container agent running on a container instance must register the logging drivers available on that instance with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. 
For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .",
-      "Memory": "This parameter is deprecated, use `resourceRequirements` to specify the memory requirements for the job definition. It's not supported for jobs running on Fargate resources. For jobs that run on Amazon EC2 resources, it specifies the memory hard limit (in MiB) for a container. If your container attempts to exceed the specified number, it's terminated. You must specify at least 4 MiB of memory for a job using this parameter. The memory hard limit can be specified in several places. It must be specified for each node at least once.",
-      "MountPoints": "The mount points for data volumes in your container.\n\nThis parameter maps to `Volumes` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the [--volume](https://docs.aws.amazon.com/) option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\nWindows containers can mount whole directories on the same drive as `$env:ProgramData` . Windows containers can't mount directories on a different drive, and mount point can't be across drives.",
-      "Privileged": "When this parameter is true, the container is given elevated permissions on the host container instance (similar to the `root` user). This parameter maps to `Privileged` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--privileged` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . The default value is false.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided, or specified as false.",
-      "ReadonlyRootFilesystem": "When this parameter is true, the container is given read-only access to its root file system. This parameter maps to `ReadonlyRootfs` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--read-only` option to `docker run` .",
-      "RepositoryCredentials": "The private repository authentication credentials to use.",
-      "ResourceRequirements": "The type and amount of resources to assign to a container. The supported resources include `GPU` , `MEMORY` , and `VCPU` .",
-      "RuntimePlatform": "An object that represents the compute environment architecture for AWS Batch jobs on Fargate.",
-      "Secrets": "The secrets for the container. For more information, see [Specifying sensitive data](https://docs.aws.amazon.com/batch/latest/userguide/specifying-sensitive-data.html) in the *AWS Batch User Guide* .",
-      "Ulimits": "A list of `ulimits` to set in the container. This parameter maps to `Ulimits` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--ulimit` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided.",
-      "User": "The user name to use inside the container. This parameter maps to `User` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--user` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .",
-      "Vcpus": "This parameter is deprecated, use `resourceRequirements` to specify the vCPU requirements for the job definition. It's not supported for jobs running on Fargate resources. For jobs running on Amazon EC2 resources, it specifies the number of vCPUs reserved for the job.\n\nEach vCPU is equivalent to 1,024 CPU shares. This parameter maps to `CpuShares` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--cpu-shares` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . The number of vCPUs must be specified but can be specified in several places. You must specify it at least once for each node.",
-      "Volumes": "A list of data volumes used in a job."
     },
     "AWS::Batch::JobDefinition MultiNodeEcsProperties": {
       "TaskProperties": "An object that contains the properties for the Amazon ECS task definition of a job.\n\n> This object is currently limited to one task element. However, the task element can run up to 10 containers."
-      "TaskProperties": "An object that contains the properties for the Amazon ECS task definition of a job.\n\n> This object is currently limited to one task element. However, the task element can run up to 10 containers."
     },
     "AWS::Batch::JobDefinition MultiNodeEcsTaskProperties": {
       "Containers": "This object is a list of containers.",
@@ -5111,12 +5074,6 @@
       "PidMode": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the Docker run reference.",
       "TaskRoleArn": "The Amazon Resource Name (ARN) that's associated with the Amazon ECS task.\n\n> This is object is comparable to [ContainerProperties:jobRoleArn](https://docs.aws.amazon.com/batch/latest/APIReference/API_ContainerProperties.html) .",
       "Volumes": "A list of volumes that are associated with the job."
-      "Containers": "This object is a list of containers.",
-      "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role that AWS Batch can assume. For jobs that run on Fargate resources, you must provide an execution role. For more information, see [AWS Batch execution IAM role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html) in the *AWS Batch User Guide* .",
-      "IpcMode": "The IPC resource namespace to use for the containers in the task. The valid values are `host` , `task` , or `none` .\n\nIf `host` is specified, all containers within the tasks that specified the `host` IPC mode on the same container instance share the same IPC resources with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified `task` share the same IPC resources.\n\nIf `none` is specified, the IPC resources within the containers of a task are private, and are not shared with other containers in a task or on the container instance.\n\nIf no value is specified, then the IPC resource namespace sharing depends on the Docker daemon setting on the container instance. For more information, see [IPC settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#ipc-settings---ipc) in the Docker run reference.",
-      "PidMode": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the Docker run reference.",
-      "TaskRoleArn": "The Amazon Resource Name (ARN) that's associated with the Amazon ECS task.\n\n> This is object is comparable to [ContainerProperties:jobRoleArn](https://docs.aws.amazon.com/batch/latest/APIReference/API_ContainerProperties.html) .",
-      "Volumes": "A list of volumes that are associated with the job."
     },
     "AWS::Batch::JobDefinition NetworkConfiguration": {
       "AssignPublicIp": "Indicates whether the job has a public IP address. For a job that's running on Fargate resources in a private subnet to send outbound traffic to the internet (for example, to pull container images), the private subnet requires a NAT gateway be attached to route requests to the internet. For more information, see [Amazon ECS task networking](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html) in the *Amazon Elastic Container Service Developer Guide* . The default value is \" `DISABLED` \"."
@@ -6050,8 +6007,6 @@
     "AWS::Bedrock::KnowledgeBase BedrockEmbeddingModelConfiguration": {
       "Dimensions": "The dimensions details for the vector configuration used on the Bedrock embeddings model.",
       "EmbeddingDataType": "The data type for the vectors when using a model to convert text into vector embeddings. The model must support the specified data type for vector embeddings. Floating-point (float32) is the default data type, and is supported by most models for vector embeddings. See [Supported embeddings models](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-supported.html) for information on the available models and their vector data types."
-      "Dimensions": "The dimensions details for the vector configuration used on the Bedrock embeddings model.",
-      "EmbeddingDataType": "The data type for the vectors when using a model to convert text into vector embeddings. The model must support the specified data type for vector embeddings. Floating-point (float32) is the default data type, and is supported by most models for vector embeddings. See [Supported embeddings models](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-supported.html) for information on the available models and their vector data types."
     },
     "AWS::Bedrock::KnowledgeBase CuratedQuery": {
       "NaturalLanguage": "An example natural language query.",
@@ -7185,8 +7140,8 @@
       "LogBucket": "Specifies the name of an S3 bucket to store the Guard output report. This report contains the results of your Guard rule validations.",
       "Options": "Specifies the S3 location of your input parameters.",
       "RuleLocation": "Specifies the S3 location of your Guard rules.",
-      "StackFilters": "Specifies the stack level filters for the Hook.",
-      "TargetFilters": "Specifies the target filters for the Hook.",
+      "StackFilters": "Specifies the stack level filters for the Hook.\n\nExample stack level filter in JSON:\n\n`\"StackFilters\": {\"FilteringCriteria\": \"ALL\", \"StackNames\": {\"Exclude\": [ \"stack-1\", \"stack-2\"]}}` \n\nExample stack level filter in YAML:\n\n`StackFilters: FilteringCriteria: ALL StackNames: Exclude: - stack-1 - stack-2`",
+      "TargetFilters": "Specifies the target filters for the Hook.\n\nExample target filter in JSON:\n\n`\"TargetFilters\": {\"Actions\": [ \"Create\", \"Update\", \"Delete\" ]}` \n\nExample target filter in YAML:\n\n`TargetFilters: Actions: - CREATE - UPDATE - DELETE`",
       "TargetOperations": "Specifies the list of operations the Hook is run against. For more information, see [Hook targets](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-concepts.html#hook-terms-hook-target) in the *AWS CloudFormation Hooks User Guide* .\n\nValid values: `STACK` | `RESOURCE` | `CHANGE_SET` | `CLOUD_CONTROL`"
     },
     "AWS::CloudFormation::GuardHook Options": {
@@ -7244,8 +7199,8 @@
       "FailureMode": "Specifies how the Hook responds when the Lambda function invoked by the Hook returns a `FAILED` response.\n\n- `FAIL` : Prevents the action from proceeding. This is helpful for enforcing strict compliance or security policies.\n- `WARN` : Issues warnings to users but allows actions to continue. This is useful for non-critical validations or informational checks.",
       "HookStatus": "Specifies if the Hook is `ENABLED` or `DISABLED` .",
       "LambdaFunction": "Specifies the Lambda function for the Hook. You can use:\n\n- The full Amazon Resource Name (ARN) without a suffix.\n- A qualified ARN with a version or alias suffix.",
-      "StackFilters": "Specifies the stack level filters for the Hook.",
-      "TargetFilters": "Specifies the target filters for the Hook.",
+      "StackFilters": "Specifies the stack level filters for the Hook.\n\nExample stack level filter in JSON:\n\n`\"StackFilters\": {\"FilteringCriteria\": \"ALL\", \"StackNames\": {\"Exclude\": [ \"stack-1\", \"stack-2\"]}}` \n\nExample stack level filter in YAML:\n\n`StackFilters: FilteringCriteria: ALL StackNames: Exclude: - stack-1 - stack-2`",
+      "TargetFilters": "Specifies the target filters for the Hook.\n\nExample target filter in JSON:\n\n`\"TargetFilters\": {\"Actions\": [ \"Create\", \"Update\", \"Delete\" ]}` \n\nExample target filter in YAML:\n\n`TargetFilters: Actions: - CREATE - UPDATE - DELETE`",
       "TargetOperations": "Specifies the list of operations the Hook is run against. For more information, see [Hook targets](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-concepts.html#hook-terms-hook-target) in the *AWS CloudFormation Hooks User Guide* .\n\nValid values: `STACK` | `RESOURCE` | `CHANGE_SET` | `CLOUD_CONTROL`"
     },
     "AWS::CloudFormation::LambdaHook StackFilters": {
@@ -7654,8 +7609,6 @@
       "OriginShield": "CloudFront Origin Shield. Using Origin Shield can help reduce the load on your origin.\n\nFor more information, see [Using Origin Shield](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html) in the *Amazon CloudFront Developer Guide* .",
       "S3OriginConfig": "Use this type to specify an origin that is an Amazon S3 bucket that is not configured with static website hosting. To specify any other type of origin, including an Amazon S3 bucket that is configured with static website hosting, use the `CustomOriginConfig` type instead.",
       "VpcOriginConfig": "The VPC origin configuration."
-      "S3OriginConfig": "Use this type to specify an origin that is an Amazon S3 bucket that is not configured with static website hosting. To specify any other type of origin, including an Amazon S3 bucket that is configured with static website hosting, use the `CustomOriginConfig` type instead.",
-      "VpcOriginConfig": "The VPC origin configuration."
     },
     "AWS::CloudFront::Distribution OriginCustomHeader": {
       "HeaderName": "The name of a header that you want CloudFront to send to your origin. For more information, see [Adding Custom Headers to Origin Requests](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html) in the *Amazon CloudFront Developer Guide* .",
@@ -7706,12 +7659,6 @@
       "MinimumProtocolVersion": "If the distribution uses `Aliases` (alternate domain names or CNAMEs), specify the security policy that you want CloudFront to use for HTTPS connections with viewers. The security policy determines two settings:\n\n- The minimum SSL/TLS protocol that CloudFront can use to communicate with viewers.\n- The ciphers that CloudFront can use to encrypt the content that it returns to viewers.\n\nFor more information, see [Security Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy) and [Supported Protocols and Ciphers Between Viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers) in the *Amazon CloudFront Developer Guide* .\n\n> On the CloudFront console, this setting is called *Security Policy* . \n\nWhen you're using SNI only (you set `SSLSupportMethod` to `sni-only` ), you must specify `TLSv1` or higher. (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.)\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` (you set `CloudFrontDefaultCertificate` to `true` ), CloudFront automatically sets the security policy to `TLSv1` regardless of the value that you set here.",
       "SslSupportMethod": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field."
     },
-    "AWS::CloudFront::Distribution VpcOriginConfig": {
-      "OriginKeepaliveTimeout": "Specifies how long, in seconds, CloudFront persists its connection to the origin. The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 5 seconds.\n\nFor more information, see [Keep-alive timeout (custom origins only)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginKeepaliveTimeout) in the *Amazon CloudFront Developer Guide* .",
-      "OriginReadTimeout": "Specifies how long, in seconds, CloudFront waits for a response from the origin. This is also known as the *origin response timeout* . The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 30 seconds.\n\nFor more information, see [Response timeout (custom origins only)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginResponseTimeout) in the *Amazon CloudFront Developer Guide* .",
-      "VpcOriginId": "The VPC origin ID."
-      "SslSupportMethod": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field."
-    },
     "AWS::CloudFront::Distribution VpcOriginConfig": {
       "OriginKeepaliveTimeout": "Specifies how long, in seconds, CloudFront persists its connection to the origin. The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 5 seconds.\n\nFor more information, see [Keep-alive timeout (custom origins only)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginKeepaliveTimeout) in the *Amazon CloudFront Developer Guide* .",
       "OriginReadTimeout": "Specifies how long, in seconds, CloudFront waits for a response from the origin. This is also known as the *origin response timeout* . The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 30 seconds.\n\nFor more information, see [Response timeout (custom origins only)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginResponseTimeout) in the *Amazon CloudFront Developer Guide* .",
@@ -7949,22 +7896,6 @@
       "OriginProtocolPolicy": "The origin protocol policy for the CloudFront VPC origin endpoint configuration.",
       "OriginSSLProtocols": ""
     },
-    "AWS::CloudFront::VpcOrigin": {
-      "Tags": "A complex type that contains zero or more `Tag` elements.",
-      "VpcOriginEndpointConfig": "The VPC origin endpoint configuration."
-    },
-    "AWS::CloudFront::VpcOrigin Tag": {
-      "Key": "A string that contains `Tag` key.\n\nThe string length should be between 1 and 128 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` .",
-      "Value": "A string that contains an optional `Tag` value.\n\nThe string length should be between 0 and 256 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` ."
-    },
-    "AWS::CloudFront::VpcOrigin VpcOriginEndpointConfig": {
-      "Arn": "The ARN of the CloudFront VPC origin endpoint configuration.",
-      "HTTPPort": "The HTTP port for the CloudFront VPC origin endpoint configuration. The default value is `80` .",
-      "HTTPSPort": "The HTTPS port of the CloudFront VPC origin endpoint configuration. The default value is `443` .",
-      "Name": "The name of the CloudFront VPC origin endpoint configuration.",
-      "OriginProtocolPolicy": "The origin protocol policy for the CloudFront VPC origin endpoint configuration.",
-      "OriginSSLProtocols": ""
-    },
     "AWS::CloudTrail::Channel": {
       "Destinations": "One or more event data stores to which events arriving through a channel will be logged.",
       "Name": "The name of the channel.",
@@ -8495,7 +8426,6 @@
       "ExcludeMatchedPattern": "Used to indicate that the `pattern` determines which webhook events do not trigger a build. If true, then a webhook event that does not match the `pattern` triggers a build. If false, then a webhook event that matches the `pattern` triggers a build.",
       "Pattern": "For a `WebHookFilter` that uses `EVENT` type, a comma-separated string that specifies one or more events. For example, the webhook filter `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` allows all push, pull request created, and pull request updated events to trigger a build.\n\nFor a `WebHookFilter` that uses any of the other filter types, a regular expression pattern. For example, a `WebHookFilter` that uses `HEAD_REF` for its `type` and the pattern `^refs/heads/` triggers a build when the head reference is a branch with a reference name `refs/heads/branch-name` .",
       "Type": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name."
-      "Type": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name."
     },
     "AWS::CodeBuild::ReportGroup": {
       "DeleteReports": "When deleting a report group, specifies if reports within the report group should be deleted.\n\n- **true** - Deletes any reports that belong to the report group before deleting the report group.\n- **false** - You must delete any reports in the report group. This is the default value. If you delete a report group that contains one or more reports, an exception is thrown.",
@@ -10969,7 +10899,6 @@
     "AWS::DLM::LifecyclePolicy EventSource": {
       "Parameters": "Information about the event.",
       "Type": "The source of the event. Currently only managed Amazon EventBridge (formerly known as Amazon CloudWatch) events are supported."
-      "Type": "The source of the event. Currently only managed Amazon EventBridge (formerly known as Amazon CloudWatch) events are supported."
     },
     "AWS::DLM::LifecyclePolicy Exclusions": {
       "ExcludeBootVolumes": "*[Default policies for EBS snapshots only]* Indicates whether to exclude volumes that are attached to instances as the boot volume. If you exclude boot volumes, only volumes attached as data (non-boot) volumes will be backed up by the policy. To exclude boot volumes, specify `true` .",
@@ -12249,12 +12178,17 @@
       "Value": "The value for an AWS resource tag."
     },
     "AWS::DataSync::LocationSMB": {
-      "AgentArns": "The Amazon Resource Names (ARNs) of agents to use for a Server Message Block (SMB) location.",
+      "AgentArns": "Specifies the DataSync agent (or agents) that can connect to your SMB file server. You specify an agent by using its Amazon Resource Name (ARN).",
+      "AuthenticationType": "Specifies the authentication protocol that DataSync uses to connect to your SMB file server. DataSync supports `NTLM` (default) and `KERBEROS` authentication.\n\nFor more information, see [Providing DataSync access to SMB file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) .",
+      "DnsIpAddresses": "Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `KERBEROS` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.",
       "Domain": "Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.",
+      "KerberosKeytab": "Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys.\n\nThe file must be base64 encoded.\n\nTo avoid task execution errors, make sure that the Kerberos principal that you use to create the keytab file matches exactly what you specify for `KerberosPrincipal` .",
+      "KerberosKrb5Conf": "Specifies a Kerberos configuration file ( `krb5.conf` ) that defines your Kerberos realm configuration.\n\nThe file must be base64 encoded.",
+      "KerberosPrincipal": "Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.\n\nA Kerberos principal might look like `HOST/kerberosuser@MYDOMAIN.ORG` .\n\nPrincipal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn\u2019t exactly match the principal that you use to create the keytab file.",
       "MountOptions": "Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.",
-      "Password": "The password of the user who can mount the share and has the permissions to access files and folders in the SMB share.",
+      "Password": "Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer. This parameter applies only if `AuthenticationType` is set to `NTLM` .",
       "ServerHostname": "Specifies the domain name or IP address of the SMB file server that your DataSync agent will mount.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
-      "Subdirectory": "The subdirectory in the SMB file system that is used to read data from the SMB source location or write data to the SMB destination. The SMB path should be a path that's exported by the SMB server, or a subdirectory of that path. The path should be such that it can be mounted by other SMB clients in your network.\n\n> `Subdirectory` must be specified with forward slashes. For example, `/path/to/folder` . \n\nTo transfer all the data in the folder you specified, DataSync must have permissions to mount the SMB share, as well as to access all the data in that share. To ensure this, either make sure that the user name and password specified belongs to the user who can mount the share, and who has the appropriate permissions for all of the files and directories that you want DataSync to access, or use credentials of a member of the Backup Operators group to mount the share. Doing either one enables the agent to access the data. For the agent to access directories, you must additionally enable all execute access.",
+      "Subdirectory": "Specifies the name of the share exported by your SMB file server where DataSync will read or write data. You can include a subdirectory in the share path (for example, `/path/to/subdirectory` ). Make sure that other SMB clients in your network can also mount this path.\n\nTo copy all data in the subdirectory, DataSync must be able to mount the SMB share and access all of its data. For more information, see [Providing DataSync access to SMB file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) .",
       "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.",
       "User": "Specifies the user that can mount and access the files, folders, and file metadata in your SMB file server. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nFor information about choosing a user with the right level of access for your transfer, see [Providing DataSync access to SMB file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) ."
     },
@@ -12518,7 +12452,6 @@
       "AssetFormsInput": "The metadata forms attached to the assets that the data source works with.",
       "Configuration": "The configuration of the data source.",
       "ConnectionIdentifier": "",
-      "ConnectionIdentifier": "",
       "Description": "The description of the data source.",
       "DomainIdentifier": "The ID of the Amazon DataZone domain where the data source is created.",
       "EnableSetting": "Specifies whether the data source is enabled.",
@@ -12548,7 +12481,6 @@
     "AWS::DataZone::DataSource GlueRunConfigurationInput": {
       "AutoImportDataQualityResult": "Specifies whether to automatically import data quality metrics as part of the data source run.",
       "CatalogName": "",
-      "CatalogName": "",
       "DataAccessRole": "The data access role included in the configuration details of the AWS Glue data source.",
       "RelationalFilterConfigurations": "The relational filter configurations included in the configuration details of the AWS Glue data source."
     },
@@ -13406,13 +13338,11 @@
     "AWS::EC2::CapacityReservation": {
       "AvailabilityZone": "The Availability Zone in which to create the Capacity Reservation.",
       "AvailabilityZoneId": "The Availability Zone ID of the Capacity Reservation.",
-      "AvailabilityZoneId": "The Availability Zone ID of the Capacity Reservation.",
       "EbsOptimized": "Indicates whether the Capacity Reservation supports EBS-optimized instances. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS- optimized instance.",
       "EndDate": "The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is released and you can no longer launch instances into it. The Capacity Reservation's state changes to `expired` when it reaches its end date and time.\n\nYou must provide an `EndDate` value if `EndDateType` is `limited` . Omit `EndDate` if `EndDateType` is `unlimited` .\n\nIf the `EndDateType` is `limited` , the Capacity Reservation is cancelled within an hour from the specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019.\n\nIf you are requesting a future-dated Capacity Reservation, you can't specify an end date and time that is within the commitment duration.",
       "EndDateType": "Indicates the way in which the Capacity Reservation ends. A Capacity Reservation can have one of the following end types:\n\n- `unlimited` - The Capacity Reservation remains active until you explicitly cancel it. Do not provide an `EndDate` if the `EndDateType` is `unlimited` .\n- `limited` - The Capacity Reservation expires automatically at a specified date and time. You must provide an `EndDate` value if the `EndDateType` value is `limited` .",
       "EphemeralStorage": "*Deprecated.*",
       "InstanceCount": "The number of instances for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for an instance count with a minimum of 100 vCPUs. For example, if you request a future-dated Capacity Reservation for `m5.xlarge` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). \n\nValid range: 1 - 1000",
-      "InstanceCount": "The number of instances for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for an instance count with a minimum of 100 vCPUs. For example, if you request a future-dated Capacity Reservation for `m5.xlarge` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). \n\nValid range: 1 - 1000",
       "InstanceMatchCriteria": "Indicates the type of instance launches that the Capacity Reservation accepts. The options include:\n\n- `open` - The Capacity Reservation automatically matches all instances that have matching attributes (instance type, platform, and Availability Zone). Instances that have matching attributes run in the Capacity Reservation automatically without specifying any additional parameters.\n- `targeted` - The Capacity Reservation only accepts instances that have matching attributes (instance type, platform, and Availability Zone), and explicitly target the Capacity Reservation. This ensures that only permitted instances can use the reserved capacity.\n\n> If you are requesting a future-dated Capacity Reservation, you must specify `targeted` . \n\nDefault: `open`",
       "InstancePlatform": "The type of operating system for which to reserve capacity.",
       "InstanceType": "The instance type for which to reserve capacity.\n\n> You can request future-dated Capacity Reservations for instance types in the C, M, R, I, and T instance families only. \n\nFor more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide* .",
@@ -13489,7 +13419,6 @@
       "ConnectionLogOptions": "Information about the client connection logging options.\n\nIf you enable client connection logging, data about client connections is sent to a Cloudwatch Logs log stream. The following information is logged:\n\n- Client connection requests\n- Client connection results (successful and unsuccessful)\n- Reasons for unsuccessful client connection requests\n- Client connection termination time",
       "Description": "A brief description of the Client VPN endpoint.",
       "DisconnectOnSessionTimeout": "Indicates whether the client VPN session is disconnected after the maximum `sessionTimeoutHours` is reached. If `true` , users are prompted to reconnect client VPN. If `false` , client VPN attempts to reconnect automatically. The default value is `false` .",
-      "DisconnectOnSessionTimeout": "Indicates whether the client VPN session is disconnected after the maximum `sessionTimeoutHours` is reached. If `true` , users are prompted to reconnect client VPN. If `false` , client VPN attempts to reconnect automatically. The default value is `false` .",
       "DnsServers": "Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address configured on the device is used for the DNS server.",
       "SecurityGroupIds": "The IDs of one or more security groups to apply to the target network. You must also specify the ID of the VPC that contains the security groups.",
       "SelfServicePortal": "Specify whether to enable the self-service portal for the Client VPN endpoint.\n\nDefault Value: `enabled`",
@@ -13898,7 +13827,6 @@
       "CpuOptions": "The CPU options for the instance. For more information, see [Optimize CPU options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html) in the *Amazon Elastic Compute Cloud User Guide* .",
       "CreditSpecification": "The credit option for CPU usage of the burstable performance instance. Valid values are `standard` and `unlimited` . To change this attribute after launch, use [ModifyInstanceCreditSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html) . For more information, see [Burstable performance instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) in the *Amazon EC2 User Guide* .\n\nDefault: `standard` (T2 instances) or `unlimited` (T3/T3a/T4g instances)\n\nFor T3 instances with `host` tenancy, only `standard` is supported.",
       "DisableApiTermination": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
-      "DisableApiTermination": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
       "EbsOptimized": "Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance.\n\nDefault: `false`",
       "ElasticGpuSpecifications": "An elastic GPU to associate with the instance.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024.",
       "ElasticInferenceAccelerators": "An elastic inference accelerator to associate with the instance.\n\n> Amazon Elastic Inference is no longer available.",
@@ -14186,7 +14114,7 @@
       "CapacityReservationSpecification": "The Capacity Reservation targeting option. If you do not specify this parameter, the instance's Capacity Reservation preference defaults to `open` , which enables it to run in any open Capacity Reservation that has matching attributes (instance type, platform, Availability Zone).",
       "CpuOptions": "The CPU options for the instance. For more information, see [CPU options for Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html) in the *Amazon EC2 User Guide* .",
       "CreditSpecification": "The credit option for CPU usage of the instance. Valid only for T instances.",
-      "DisableApiStop": "Indicates whether to enable the instance for stop protection. For more information, see [Enable stop protection for your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-stop-protection.html) in the *Amazon EC2 User Guide* .",
+      "DisableApiStop": "Indicates whether to enable the instance for stop protection. For more information, see [Enable stop protection for your EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-stop-protection.html) in the *Amazon EC2 User Guide* .",
       "DisableApiTermination": "Indicates whether termination protection is enabled for the instance. The default is `false` , which means that you can terminate the instance using the Amazon EC2 console, command line tools, or API. You can enable termination protection when you launch an instance, while the instance is running, or while the instance is stopped.",
       "EbsOptimized": "Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance.",
       "ElasticGpuSpecifications": "Deprecated.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024.",
@@ -15287,7 +15215,6 @@
       "Ipv4NetmaskLength": "The netmask length of the IPv4 CIDR you would like to associate from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .",
       "Ipv6CidrBlock": "An IPv6 CIDR block from the IPv6 address pool. You must also specify `Ipv6Pool` in the request.\n\nTo let Amazon choose the IPv6 CIDR block for you, omit this parameter.",
       "Ipv6CidrBlockNetworkBorderGroup": "The name of the location from which we advertise the IPV6 CIDR block. Use this parameter to limit the CIDR block to this location.\n\nYou must set `AmazonProvidedIpv6CidrBlock` to `true` to use this parameter.\n\nYou can have one IPv6 CIDR block association per network border group.",
-      "Ipv6CidrBlockNetworkBorderGroup": "The name of the location from which we advertise the IPV6 CIDR block. Use this parameter to limit the CIDR block to this location.\n\nYou must set `AmazonProvidedIpv6CidrBlock` to `true` to use this parameter.\n\nYou can have one IPv6 CIDR block association per network border group.",
       "Ipv6IpamPoolId": "Associates a CIDR allocated from an IPv6 IPAM pool to a VPC. For more information about Amazon VPC IP Address Manager (IPAM), see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .",
       "Ipv6NetmaskLength": "The netmask length of the IPv6 CIDR you would like to associate from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .",
       "Ipv6Pool": "The ID of an IPv6 address pool from which to allocate the IPv6 CIDR block.",
@@ -15309,7 +15236,6 @@
       "ServiceNetworkArn": "The Amazon Resource Name (ARN) of the service network.",
       "SubnetIds": "The IDs of the subnets in which to create endpoint network interfaces. You must specify this property for an interface endpoint or a Gateway Load Balancer endpoint. You can't specify this property for a gateway endpoint. For a Gateway Load Balancer endpoint, you can specify only one subnet.",
       "Tags": "The tags to associate with the endpoint.",
-      "Tags": "The tags to associate with the endpoint.",
       "VpcEndpointType": "The type of endpoint.\n\nDefault: Gateway",
       "VpcId": "The ID of the VPC."
     },
@@ -15334,7 +15260,6 @@
       "NetworkLoadBalancerArns": "The Amazon Resource Names (ARNs) of the Network Load Balancers.",
       "PayerResponsibility": "The entity that is responsible for the endpoint costs. The default is the endpoint owner. If you set the payer responsibility to the service owner, you cannot set it back to the endpoint owner.",
       "Tags": "The tags to associate with the service."
-      "Tags": "The tags to associate with the service."
     },
     "AWS::EC2::VPCEndpointService Tag": {
       "Key": "The key of the tag.\n\nConstraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with `aws:` .",
@@ -15454,7 +15379,6 @@
       "ApplicationDomain": "The DNS name for users to reach your application.",
       "AttachmentType": "The type of attachment used to provide connectivity between the AWS Verified Access endpoint and the application.",
       "CidrOptions": "The options for a CIDR endpoint.",
-      "CidrOptions": "The options for a CIDR endpoint.",
       "Description": "A description for the AWS Verified Access endpoint.",
       "DomainCertificateArn": "The ARN of a public TLS/SSL certificate imported into or created with ACM.",
       "EndpointDomainPrefix": "A custom identifier that is prepended to the DNS name that is generated for the endpoint.",
@@ -15464,7 +15388,6 @@
       "PolicyDocument": "The Verified Access policy document.",
       "PolicyEnabled": "The status of the Verified Access policy.",
       "RdsOptions": "The options for an RDS endpoint.",
-      "RdsOptions": "The options for an RDS endpoint.",
       "SecurityGroupIds": "The IDs of the security groups for the endpoint.",
       "SseSpecification": "The options for additional server side encryption.",
       "Tags": "The tags.",
@@ -15476,17 +15399,10 @@
       "Protocol": "The protocol.",
       "SubnetIds": "The IDs of the subnets."
     },
-    "AWS::EC2::VerifiedAccessEndpoint CidrOptions": {
-      "Cidr": "The CIDR.",
-      "PortRanges": "The port ranges.",
-      "Protocol": "The protocol.",
-      "SubnetIds": "The IDs of the subnets."
-    },
     "AWS::EC2::VerifiedAccessEndpoint LoadBalancerOptions": {
       "LoadBalancerArn": "The ARN of the load balancer.",
       "Port": "The IP port number.",
       "PortRanges": "The port ranges.",
-      "PortRanges": "The port ranges.",
       "Protocol": "The IP protocol.",
       "SubnetIds": "The IDs of the subnets. You can specify only one subnet per Availability Zone."
     },
@@ -15494,7 +15410,6 @@
       "NetworkInterfaceId": "The ID of the network interface.",
       "Port": "The IP port number.",
       "PortRanges": "The port ranges.",
-      "PortRanges": "The port ranges.",
       "Protocol": "The IP protocol."
     },
     "AWS::EC2::VerifiedAccessEndpoint PortRange": {
@@ -15508,7 +15423,7 @@
       "RdsDbInstanceArn": "The ARN of the RDS instance.",
       "RdsDbProxyArn": "The ARN of the RDS proxy.",
       "RdsEndpoint": "The RDS endpoint.",
-      "SubnetIds": "The IDs of the subnets."
+      "SubnetIds": "The IDs of the subnets. You can specify only one subnet per Availability Zone."
     },
     "AWS::EC2::VerifiedAccessEndpoint SseSpecification": {
       "CustomerManagedKeyEnabled": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`",
@@ -15535,7 +15450,6 @@
       "Value": "The tag value."
     },
     "AWS::EC2::VerifiedAccessInstance": {
-      "CidrEndpointsCustomSubDomain": "The custom subdomain.",
       "CidrEndpointsCustomSubDomain": "The custom subdomain.",
       "Description": "A description for the AWS Verified Access instance.",
       "FipsEnabled": "Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.",
@@ -15581,7 +15495,6 @@
       "DeviceOptions": "The options for device-identity trust provider.",
       "DeviceTrustProviderType": "The type of device-based trust provider.",
       "NativeApplicationOidcOptions": "The OpenID Connect (OIDC) options.",
-      "NativeApplicationOidcOptions": "The OpenID Connect (OIDC) options.",
       "OidcOptions": "The options for an OpenID Connect-compatible user-identity trust provider.",
       "PolicyReferenceName": "The identifier to be used when working with policy rules.",
       "SseSpecification": "The options for additional server side encryption.",
@@ -15603,16 +15516,6 @@
       "TokenEndpoint": "The token endpoint of the IdP.",
       "UserInfoEndpoint": "The user info endpoint of the IdP."
     },
-    "AWS::EC2::VerifiedAccessTrustProvider NativeApplicationOidcOptions": {
-      "AuthorizationEndpoint": "The authorization endpoint of the IdP.",
-      "ClientId": "The OAuth 2.0 client identifier.",
-      "ClientSecret": "The OAuth 2.0 client secret.",
-      "Issuer": "The OIDC issuer identifier of the IdP.",
-      "PublicSigningKeyEndpoint": "The public signing key endpoint.",
-      "Scope": "The set of user claims to be requested from the IdP.",
-      "TokenEndpoint": "The token endpoint of the IdP.",
-      "UserInfoEndpoint": "The user info endpoint of the IdP."
-    },
     "AWS::EC2::VerifiedAccessTrustProvider OidcOptions": {
       "AuthorizationEndpoint": "The OIDC authorization endpoint.",
       "ClientId": "The client identifier.",
@@ -15826,8 +15729,8 @@
       "TaskSetId": "The short name or full Amazon Resource Name (ARN) of the task set to set as the primary task set in the deployment."
     },
     "AWS::ECS::Service": {
-      "AvailabilityZoneRebalancing": "Indicates whether to use Availability Zone rebalancing for the service.\n\nFor more information, see [Balancing an Amazon ECS service across Availability Zones](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html) in the *Amazon Elastic Container Service Developer Guide* .",
-      "CapacityProviderStrategy": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy may contain a maximum of 6 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
+      "AvailabilityZoneRebalancing": "Indicates whether to use Availability Zone rebalancing for the service.\n\nFor more information, see [Balancing an Amazon ECS service across Availability Zones](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html) in the **Amazon Elastic Container Service Developer Guide** .",
+      "CapacityProviderStrategy": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy can contain a maximum of 20 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
       "Cluster": "The short name or full Amazon Resource Name (ARN) of the cluster that you run your service on. If you do not specify a cluster, the default cluster is assumed.",
       "DeploymentConfiguration": "Optional deployment parameters that control how many tasks run during the deployment and the ordering of stopping and starting tasks.",
       "DeploymentController": "The deployment controller to use for the service. If no deployment controller is specified, the default value of `ECS` is used.",
@@ -15837,12 +15740,9 @@
       "HealthCheckGracePeriodSeconds": "The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing, VPC Lattice, and container health checks after a task has first started. If you don't specify a health check grace period value, the default value of `0` is used. If you don't use any of the health checks, then `healthCheckGracePeriodSeconds` is unused.\n\nIf your service's tasks take a while to start and respond to health checks, you can specify a health check grace period of up to 2,147,483,647 seconds (about 69 years). During that time, the Amazon ECS service scheduler ignores health check status. This grace period can prevent the service scheduler from marking tasks as unhealthy and stopping them before they have time to come up.",
       "LaunchType": "The launch type on which to run your service. For more information, see [Amazon ECS Launch Types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html) in the *Amazon Elastic Container Service Developer Guide* .",
       "LoadBalancers": "A list of load balancer objects to associate with the service. If you specify the `Role` property, `LoadBalancers` must be specified as well. For information about the number of load balancers that you can specify per service, see [Service Load Balancing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> To remove this property from your service resource, specify an empty `LoadBalancer` array.",
-      "LoadBalancers": "A list of load balancer objects to associate with the service. If you specify the `Role` property, `LoadBalancers` must be specified as well. For information about the number of load balancers that you can specify per service, see [Service Load Balancing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> To remove this property from your service resource, specify an empty `LoadBalancer` array.",
       "NetworkConfiguration": "The network configuration for the service. This parameter is required for task definitions that use the `awsvpc` network mode to receive their own elastic network interface, and it is not supported for other network modes. For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html) in the *Amazon Elastic Container Service Developer Guide* .",
       "PlacementConstraints": "An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.\n\n> To remove this property from your service resource, specify an empty `PlacementConstraint` array.",
       "PlacementStrategies": "The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.\n\n> To remove this property from your service resource, specify an empty `PlacementStrategy` array.",
-      "PlacementConstraints": "An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.\n\n> To remove this property from your service resource, specify an empty `PlacementConstraint` array.",
-      "PlacementStrategies": "The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.\n\n> To remove this property from your service resource, specify an empty `PlacementStrategy` array.",
       "PlatformVersion": "The platform version that your tasks in the service are running on. A platform version is specified only for tasks using the Fargate launch type. If one isn't specified, the `LATEST` platform version is used. For more information, see [AWS Fargate platform versions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html) in the *Amazon Elastic Container Service Developer Guide* .",
       "PropagateTags": "Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags aren't propagated. Tags can only be propagated to the task during task creation. To add tags to a task after task creation, use the [TagResource](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TagResource.html) API action.\n\nYou must set this to a value other than `NONE` when you use Cost Explorer. For more information, see [Amazon ECS usage reports](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/usage-reports.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nThe default is `NONE` .",
       "Role": "The name or full Amazon Resource Name (ARN) of the IAM role that allows Amazon ECS to make calls to your load balancer on your behalf. This parameter is only permitted if you are using a load balancer with your service and your task definition doesn't use the `awsvpc` network mode. If you specify the `role` parameter, you must also specify a load balancer object with the `loadBalancers` parameter.\n\n> If your account has already created the Amazon ECS service-linked role, that role is used for your service unless you specify a role here. The service-linked role is required if your task definition uses the `awsvpc` network mode or if the service is configured to use service discovery, an external deployment controller, multiple target groups, or Elastic Inference accelerators in which case you don't specify a role here. For more information, see [Using service-linked roles for Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html) in the *Amazon Elastic Container Service Developer Guide* . \n\nIf your specified role has a path other than `/` , then you must either specify the full role ARN (this is recommended) or prefix the role name with the path. For example, if a role with the name `bar` has a path of `/foo/` then you would specify `/foo/bar` as the role name. For more information, see [Friendly names and paths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) in the *IAM User Guide* .",
@@ -15850,11 +15750,9 @@
       "ServiceConnectConfiguration": "The configuration for this service to discover and connect to services, and be discovered by, and connected from, other services within a namespace.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .",
       "ServiceName": "The name of your service. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. Service names must be unique within a cluster, but you can have similarly named services in multiple clusters within a Region or across multiple Regions.\n\n> The stack update fails if you change any properties that require replacement and the `ServiceName` is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceName` must be unique in the cluster.",
       "ServiceRegistries": "The details of the service discovery registry to associate with this service. For more information, see [Service discovery](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html) .\n\n> Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty `ServiceRegistry` array.",
-      "ServiceRegistries": "The details of the service discovery registry to associate with this service. For more information, see [Service discovery](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html) .\n\n> Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty `ServiceRegistry` array.",
       "Tags": "The metadata that you apply to the service to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. When a service is deleted, the tags are deleted as well.\n\nThe following basic restrictions apply to tags:\n\n- Maximum number of tags per resource - 50\n- For each resource, each tag key must be unique, and each tag key can have only one value.\n- Maximum key length - 128 Unicode characters in UTF-8\n- Maximum value length - 256 Unicode characters in UTF-8\n- If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.\n- Tag keys and values are case-sensitive.\n- Do not use `aws:` , `AWS:` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.",
       "TaskDefinition": "The `family` and `revision` ( `family:revision` ) or full ARN of the task definition to run in your service. If a `revision` isn't specified, the latest `ACTIVE` revision is used.\n\nA task definition must be specified if the service uses either the `ECS` or `CODE_DEPLOY` deployment controllers.\n\nFor more information about deployment types, see [Amazon ECS deployment types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html) .",
       "VolumeConfigurations": "The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.\n\n> To remove this property from your service resource, specify an empty `ServiceVolumeConfiguration` array.",
-      "VolumeConfigurations": "The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.\n\n> To remove this property from your service resource, specify an empty `ServiceVolumeConfiguration` array.",
       "VpcLatticeConfigurations": "The VPC Lattice configuration for the service being created."
     },
     "AWS::ECS::Service AwsVpcConfiguration": {
@@ -16283,7 +16181,6 @@
       "LifecyclePolicies": "An array of `LifecyclePolicy` objects that define the file system's `LifecycleConfiguration` object. A `LifecycleConfiguration` object informs Lifecycle management of the following:\n\n- When to move files in the file system from primary storage to IA storage.\n- When to move files in the file system from primary storage or IA storage to Archive storage.\n- When to move files that are in IA or Archive storage to primary storage.\n\n> Amazon EFS requires that each `LifecyclePolicy` object have only a single transition. This means that in a request body, `LifecyclePolicies` needs to be structured as an array of `LifecyclePolicy` objects, one object for each transition, `TransitionToIA` , `TransitionToArchive` `TransitionToPrimaryStorageClass` . See the example requests in the following section for more information.",
       "PerformanceMode": "The performance mode of the file system. We recommend `generalPurpose` performance mode for all file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The `maxIO` mode is not supported on One Zone file systems.\n\n> Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. \n\nDefault is `generalPurpose` .",
       "ProvisionedThroughputInMibps": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .",
-      "ProvisionedThroughputInMibps": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .",
       "ReplicationConfiguration": "Describes the replication configuration for a specific file system.",
       "ThroughputMode": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's Provisioned throughput or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `bursting` ."
     },
@@ -16325,10 +16222,8 @@
       "ClusterName": "The name of your cluster.",
       "KubernetesGroups": "The value for `name` that you've specified for `kind: Group` as a `subject` in a Kubernetes `RoleBinding` or `ClusterRoleBinding` object. Amazon EKS doesn't confirm that the value for `name` exists in any bindings on your cluster. You can specify one or more names.\n\nKubernetes authorizes the `principalArn` of the access entry to access any cluster objects that you've specified in a Kubernetes `Role` or `ClusterRole` object that is also specified in a binding's `roleRef` . For more information about creating Kubernetes `RoleBinding` , `ClusterRoleBinding` , `Role` , or `ClusterRole` objects, see [Using RBAC Authorization in the Kubernetes documentation](https://docs.aws.amazon.com/https://kubernetes.io/docs/reference/access-authn-authz/rbac/) .\n\nIf you want Amazon EKS to authorize the `principalArn` (instead of, or in addition to Kubernetes authorizing the `principalArn` ), you can associate one or more access policies to the access entry using `AssociateAccessPolicy` . If you associate any access policies, the `principalARN` has all permissions assigned in the associated access policies and all permissions in any Kubernetes `Role` or `ClusterRole` objects that the group names are bound to.",
       "PrincipalArn": "The ARN of the IAM principal for the `AccessEntry` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.\n\nThe valid principals differ depending on the type of the access entry in the `type` field. For `STANDARD` access entries, you can use every IAM principal type. For nodes ( `EC2` (for EKS Auto Mode), `EC2_LINUX` , `EC2_WINDOWS` , `FARGATE_LINUX` , and `HYBRID_LINUX` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.\n\n[IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.",
-      "PrincipalArn": "The ARN of the IAM principal for the `AccessEntry` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.\n\nThe valid principals differ depending on the type of the access entry in the `type` field. For `STANDARD` access entries, you can use every IAM principal type. For nodes ( `EC2` (for EKS Auto Mode), `EC2_LINUX` , `EC2_WINDOWS` , `FARGATE_LINUX` , and `HYBRID_LINUX` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.\n\n[IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.",
       "Tags": "Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources.",
       "Type": "The type of the new access entry. Valid values are `STANDARD` , `FARGATE_LINUX` , `EC2_LINUX` , `EC2_WINDOWS` , `EC2` (for EKS Auto Mode), `HYBRID_LINUX` , and `HYPERPOD_LINUX` .\n\nIf the `principalArn` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify `EC2_LINUX` or `EC2_WINDOWS` . Amazon EKS grants the necessary permissions to the node for you. If the `principalArn` is for any other purpose, specify `STANDARD` . If you don't specify a value, Amazon EKS sets the value to `STANDARD` . If you have the access mode of the cluster set to `API_AND_CONFIG_MAP` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the `aws-auth` `ConfigMap` for the roles. You can't change this value once you've created the access entry.\n\nIf you set the value to `EC2_LINUX` or `EC2_WINDOWS` , you can't specify values for `kubernetesGroups` , or associate an `AccessPolicy` to the access entry.",
-      "Type": "The type of the new access entry. Valid values are `STANDARD` , `FARGATE_LINUX` , `EC2_LINUX` , `EC2_WINDOWS` , `EC2` (for EKS Auto Mode), `HYBRID_LINUX` , and `HYPERPOD_LINUX` .\n\nIf the `principalArn` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify `EC2_LINUX` or `EC2_WINDOWS` . Amazon EKS grants the necessary permissions to the node for you. If the `principalArn` is for any other purpose, specify `STANDARD` . If you don't specify a value, Amazon EKS sets the value to `STANDARD` . If you have the access mode of the cluster set to `API_AND_CONFIG_MAP` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the `aws-auth` `ConfigMap` for the roles. You can't change this value once you've created the access entry.\n\nIf you set the value to `EC2_LINUX` or `EC2_WINDOWS` , you can't specify values for `kubernetesGroups` , or associate an `AccessPolicy` to the access entry.",
       "Username": "The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see [Creating access entries](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries) in the *Amazon EKS User Guide* ."
     },
     "AWS::EKS::AccessEntry AccessPolicy": {
@@ -16351,7 +16246,6 @@
       "PodIdentityAssociations": "An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster.\n\nFor more information, see [Attach an IAM Role to an Amazon EKS add-on using Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html) in the *Amazon EKS User Guide* .",
       "PreserveOnDelete": "Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.",
       "ResolveConflicts": "How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:\n\n- *None* \u2013 If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.\n- *Overwrite* \u2013 If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.\n- *Preserve* \u2013 This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see [`UpdateAddon`](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) .\n\nIf you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.",
-      "ResolveConflicts": "How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:\n\n- *None* \u2013 If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.\n- *Overwrite* \u2013 If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.\n- *Preserve* \u2013 This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see [`UpdateAddon`](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) .\n\nIf you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.",
       "ServiceAccountRoleArn": "The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see [Amazon EKS node IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) in the *Amazon EKS User Guide* .\n\n> To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) in the *Amazon EKS User Guide* .",
       "Tags": "The metadata that you apply to the add-on to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Add-on tags do not propagate to any other resources associated with the cluster."
     },
@@ -17560,11 +17454,9 @@
       "Value": "The value of the attribute."
     },
     "AWS::ElasticLoadBalancingV2::Listener MutualAuthentication": {
-      "AdvertiseTrustStoreCaNames": "Indicates whether trust store CA certificate names are advertised. The default value is `off` .",
       "AdvertiseTrustStoreCaNames": "Indicates whether trust store CA certificate names are advertised. The default value is `off` .",
       "IgnoreClientCertificateExpiry": "Indicates whether expired client certificates are ignored.",
       "Mode": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
-      "Mode": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
       "TrustStoreArn": "The Amazon Resource Name (ARN) of the trust store."
     },
     "AWS::ElasticLoadBalancingV2::Listener RedirectConfig": {
@@ -17691,7 +17583,6 @@
     "AWS::ElasticLoadBalancingV2::LoadBalancer": {
       "EnablePrefixForIpv6SourceNat": "[Network Load Balancers with UDP listeners] Indicates whether to use an IPv6 prefix from each subnet for source NAT. The IP address type must be `dualstack` . The default value is `off` .",
       "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .",
-      "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .",
       "IpAddressType": "The IP address type. Internal load balancers must use `ipv4` .\n\n[Application Load Balancers] The possible values are `ipv4` (IPv4 addresses), `dualstack` (IPv4 and IPv6 addresses), and `dualstack-without-public-ipv4` (public IPv6 addresses and private IPv4 and IPv6 addresses).\n\nApplication Load Balancer authentication supports IPv4 addresses only when connecting to an Identity Provider (IdP) or Amazon Cognito endpoint. Without a public IPv4 address the load balancer can't complete the authentication process, resulting in HTTP 500 errors.\n\n[Network Load Balancers and Gateway Load Balancers] The possible values are `ipv4` (IPv4 addresses) and `dualstack` (IPv4 and IPv6 addresses).",
       "Ipv4IpamPoolId": "",
       "LoadBalancerAttributes": "The load balancer attributes.",
@@ -18565,7 +18456,6 @@
       "RemediationEnabled": "Indicates if the policy should be automatically applied to new resources.",
       "ResourceSetIds": "The unique identifiers of the resource sets used by the policy.",
       "ResourceTagLogicalOperator": "Specifies whether to combine multiple resource tags with AND, so that a resource must have all tags to be included or excluded, or OR, so that a resource must have at least one tag.\n\nDefault: `AND`",
-      "ResourceTagLogicalOperator": "Specifies whether to combine multiple resource tags with AND, so that a resource must have all tags to be included or excluded, or OR, so that a resource must have at least one tag.\n\nDefault: `AND`",
       "ResourceTags": "An array of `ResourceTag` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also `ExcludeResourceTags` .",
       "ResourceType": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nThe following are valid resource types for each Firewall Manager policy type:\n\n- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .\n- AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .\n- Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .\n- Network ACL - `AWS::EC2::Subnet` .\n- Security group usage audit - `AWS::EC2::SecurityGroup` .\n- Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .\n- DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .",
       "ResourceTypeList": "An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType` .",
@@ -19646,25 +19536,7 @@
       "Password": "The password to connect to the data source.",
       "Username": "The username to connect to the data source."
     },
-    "AWS::Glue::Connection AuthenticationConfigurationInput": {
-      "AuthenticationType": "A structure containing the authentication configuration in the CreateConnection request.",
-      "BasicAuthenticationCredentials": "The credentials used when the authentication type is basic authentication.",
-      "CustomAuthenticationCredentials": "The credentials used when the authentication type is custom authentication.",
-      "KmsKeyArn": "The ARN of the KMS key used to encrypt the connection. Only taken an as input in the request and stored in the Secret Manager.",
-      "OAuth2Properties": "The properties for OAuth2 authentication in the CreateConnection request.",
-      "SecretArn": "The secret manager ARN to store credentials in the CreateConnection request."
-    },
-    "AWS::Glue::Connection AuthorizationCodeProperties": {
-      "AuthorizationCode": "An authorization code to be used in the third leg of the `AUTHORIZATION_CODE` grant workflow. This is a single-use code which becomes invalid once exchanged for an access token, thus it is acceptable to have this value as a request parameter.",
-      "RedirectUri": "The redirect URI where the user gets redirected to by authorization server when issuing an authorization code. The URI is subsequently used when the authorization code is exchanged for an access token."
-    },
-    "AWS::Glue::Connection BasicAuthenticationCredentials": {
-      "Password": "The password to connect to the data source.",
-      "Username": "The username to connect to the data source."
-    },
     "AWS::Glue::Connection ConnectionInput": {
-      "AthenaProperties": "Connection properties specific to the Athena compute environment.",
-      "AuthenticationConfiguration": "The authentication properties of the connection.",
       "AthenaProperties": "Connection properties specific to the Athena compute environment.",
       "AuthenticationConfiguration": "The authentication properties of the connection.",
       "ConnectionProperties": "These key-value pairs define parameters for the connection.",
@@ -19688,29 +19560,6 @@
       "RefreshToken": "The refresh token used when the authentication type is OAuth2.",
       "UserManagedClientApplicationClientSecret": "The client application client secret if the client application is user managed."
     },
-    "AWS::Glue::Connection OAuth2PropertiesInput": {
-      "AuthorizationCodeProperties": "The set of properties required for the the OAuth2 `AUTHORIZATION_CODE` grant type.",
-      "OAuth2ClientApplication": "The client application type in the CreateConnection request. For example, `AWS_MANAGED` or `USER_MANAGED` .",
-      "OAuth2Credentials": "The credentials used when the authentication type is OAuth2 authentication.",
-      "OAuth2GrantType": "The OAuth2 grant type in the CreateConnection request. For example, `AUTHORIZATION_CODE` , `JWT_BEARER` , or `CLIENT_CREDENTIALS` .",
-      "TokenUrl": "The URL of the provider's authentication server, to exchange an authorization code for an access token.",
-      "TokenUrlParametersMap": "A map of parameters that are added to the token `GET` request."
-      "PhysicalConnectionRequirements": "The physical connection requirements, such as virtual private cloud (VPC) and `SecurityGroup` , that are needed to successfully make this connection.",
-      "PythonProperties": "Connection properties specific to the Python compute environment.",
-      "SparkProperties": "Connection properties specific to the Spark compute environment.",
-      "ValidateCredentials": "A flag to validate the credentials during create connection. Default is true.",
-      "ValidateForComputeEnvironments": "The compute environments that the specified connection properties are validated against."
-    },
-    "AWS::Glue::Connection OAuth2ClientApplication": {
-      "AWSManagedClientApplicationReference": "The reference to the SaaS-side client app that is AWS managed.",
-      "UserManagedClientApplicationClientId": "The client application clientID if the ClientAppType is `USER_MANAGED` ."
-    },
-    "AWS::Glue::Connection OAuth2Credentials": {
-      "AccessToken": "The access token used when the authentication type is OAuth2.",
-      "JwtToken": "The JSON Web Token (JWT) used when the authentication type is OAuth2.",
-      "RefreshToken": "The refresh token used when the authentication type is OAuth2.",
-      "UserManagedClientApplicationClientSecret": "The client application client secret if the client application is user managed."
-    },
     "AWS::Glue::Connection OAuth2PropertiesInput": {
       "AuthorizationCodeProperties": "The set of properties required for the the OAuth2 `AUTHORIZATION_CODE` grant type.",
       "OAuth2ClientApplication": "The client application type in the CreateConnection request. For example, `AWS_MANAGED` or `USER_MANAGED` .",
@@ -20188,16 +20037,6 @@
     "AWS::Glue::TableOptimizer RetentionConfiguration": {
       "IcebergConfiguration": ""
     },
-    "AWS::Glue::TableOptimizer IcebergConfiguration": {
-      "Location": "",
-      "OrphanFileRetentionPeriodInDays": ""
-    },
-    "AWS::Glue::TableOptimizer OrphanFileDeletionConfiguration": {
-      "IcebergConfiguration": ""
-    },
-    "AWS::Glue::TableOptimizer RetentionConfiguration": {
-      "IcebergConfiguration": ""
-    },
     "AWS::Glue::TableOptimizer TableOptimizerConfiguration": {
       "Enabled": "Whether the table optimization is enabled.",
       "OrphanFileDeletionConfiguration": "",
@@ -20205,13 +20044,6 @@
       "RoleArn": "A role passed by the caller which gives the service permission to update the resources associated with the optimizer on the caller's behalf.",
       "VpcConfiguration": ""
     },
-    "AWS::Glue::TableOptimizer VpcConfiguration": {
-      "GlueConnectionName": ""
-      "OrphanFileDeletionConfiguration": "",
-      "RetentionConfiguration": "",
-      "RoleArn": "A role passed by the caller which gives the service permission to update the resources associated with the optimizer on the caller's behalf.",
-      "VpcConfiguration": ""
-    },
     "AWS::Glue::TableOptimizer VpcConfiguration": {
       "GlueConnectionName": ""
     },
@@ -21101,7 +20933,6 @@
       "Seconds": ""
     },
     "AWS::HealthLake::FHIRDatastore IdentityProviderConfiguration": {
-      "AuthorizationStrategy": "The authorization strategy selected when the HealthLake data store is created.\n\n> HealthLake provides support for both SMART on FHIR V1 and V2 as described below.\n> \n> - `SMART_ON_FHIR_V1` \u2013 Support for only SMART on FHIR V1, which includes `read` (read/search) and `write` (create/update/delete) permissions.\n> - `SMART_ON_FHIR` \u2013 Support for both SMART on FHIR V1 and V2, which includes `create` , `read` , `update` , `delete` , and `search` permissions.\n> - `AWS_AUTH` \u2013 The default HealthLake authorization strategy; not affiliated with SMART on FHIR.",
       "AuthorizationStrategy": "The authorization strategy selected when the HealthLake data store is created.\n\n> HealthLake provides support for both SMART on FHIR V1 and V2 as described below.\n> \n> - `SMART_ON_FHIR_V1` \u2013 Support for only SMART on FHIR V1, which includes `read` (read/search) and `write` (create/update/delete) permissions.\n> - `SMART_ON_FHIR` \u2013 Support for both SMART on FHIR V1 and V2, which includes `create` , `read` , `update` , `delete` , and `search` permissions.\n> - `AWS_AUTH` \u2013 The default HealthLake authorization strategy; not affiliated with SMART on FHIR.",
       "FineGrainedAuthorizationEnabled": "The parameter to enable SMART on FHIR fine-grained authorization for the data store.",
       "IdpLambdaArn": "The Amazon Resource Name (ARN) of the Lambda function to use to decode the access token created by the authorization server.",
@@ -21274,16 +21105,14 @@
     "AWS::IVS::Channel": {
       "Authorized": "Whether the channel is authorized.\n\n*Default* : `false`",
       "ContainerFormat": "Indicates which content-packaging format is used (MPEG-TS or fMP4). If `multitrackInputConfiguration` is specified and `enabled` is `true` , then `containerFormat` is required and must be set to `FRAGMENTED_MP4` . Otherwise, `containerFormat` may be set to `TS` or `FRAGMENTED_MP4` . Default: `TS` .",
-      "ContainerFormat": "Indicates which content-packaging format is used (MPEG-TS or fMP4). If `multitrackInputConfiguration` is specified and `enabled` is `true` , then `containerFormat` is required and must be set to `FRAGMENTED_MP4` . Otherwise, `containerFormat` may be set to `TS` or `FRAGMENTED_MP4` . Default: `TS` .",
       "InsecureIngest": "Whether the channel allows insecure RTMP ingest.\n\n*Default* : `false`",
       "LatencyMode": "Channel latency mode. Valid values:\n\n- `NORMAL` : Use NORMAL to broadcast and deliver live video up to Full HD.\n- `LOW` : Use LOW for near real-time interactions with viewers.\n\n> In the  console, `LOW` and `NORMAL` correspond to `Ultra-low` and `Standard` , respectively. \n\n*Default* : `LOW`",
       "MultitrackInputConfiguration": "Object specifying multitrack input configuration. Default: no multitrack input configuration is specified.",
-      "MultitrackInputConfiguration": "Object specifying multitrack input configuration. Default: no multitrack input configuration is specified.",
       "Name": "Channel name.",
       "Preset": "An optional transcode preset for the channel. This is selectable only for `ADVANCED_HD` and `ADVANCED_SD` channel types. For those channel types, the default preset is `HIGHER_BANDWIDTH_DELIVERY` . For other channel types ( `BASIC` and `STANDARD` ), `preset` is the empty string (\"\").",
       "RecordingConfigurationArn": "The ARN of a RecordingConfiguration resource. An empty string indicates that recording is disabled for the channel. A RecordingConfiguration ARN indicates that recording is enabled using the specified recording configuration. See the [RecordingConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ivs-recordingconfiguration.html) resource for more information and an example.\n\n*Default* : \"\" (empty string, recording is disabled)",
       "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-channel-tag.html) .",
-      "Type": "The channel type, which determines the allowable resolution and bitrate. *If you exceed the allowable resolution or bitrate, the stream probably will disconnect immediately.* Valid values:\n\n- `STANDARD` : Video is transcoded: multiple qualities are generated from the original input to automatically give viewers the best experience for their devices and network conditions. Transcoding allows higher playback quality across a range of download speeds. Resolution can be up to 1080p and bitrate can be up to 8.5 Mbps. Audio is transcoded only for renditions 360p and below; above that, audio is passed through.\n- `BASIC` : Video is transmuxed: Amazon IVS delivers the original input to viewers. The viewer\u2019s video-quality choice is limited to the original input. Resolution can be up to 1080p and bitrate can be up to 1.5 Mbps for 480p and up to 3.5 Mbps for resolutions between 480p and 1080p.\n- `ADVANCED_SD` : Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at SD quality (480p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.\n- `ADVANCED_HD` : Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at HD quality (720p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.\n\nOptional *transcode presets* (available for the `ADVANCED` types) allow you to trade off available download bandwidth and video quality, to optimize the viewing experience. 
There are two presets:\n\n- *Constrained bandwidth delivery* uses a lower bitrate for each quality level. Use it if you have low download bandwidth and/or simple video content (e.g., talking heads)\n- *Higher bandwidth delivery* uses a higher bitrate for each quality level. Use it if you have high download bandwidth and/or complex video content (e.g., flashes and quick scene changes).\n\n*Default* : `STANDARD`"
+      "Type": "The channel type, which determines the allowable resolution and bitrate. *If you exceed the allowable resolution or bitrate, the stream probably will disconnect immediately.* For details, see [Channel Types](https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/channel-types.html) .\n\n*Default* : `STANDARD`"
     },
     "AWS::IVS::Channel MultitrackInputConfiguration": {
       "Enabled": "Indicates whether multitrack input is enabled. Can be set to `true` only if channel type is `STANDARD` . Setting `enabled` to `true` with any other channel type will cause an exception. If `true` , then `policy` , `maximumResolution` , and `containerFormat` are required, and `containerFormat` must be set to `FRAGMENTED_MP4` . Default: `false` .",
@@ -23646,7 +23475,6 @@
       "ModelManifestArn": "The Amazon Resource Name (ARN) of the vehicle model (model manifest) to create the vehicle from.",
       "Name": "The unique ID of the vehicle.",
       "StateTemplates": "Associate state templates to track the state of the vehicle. State templates determine which signal updates the vehicle sends to the cloud.",
-      "StateTemplates": "Associate state templates to track the state of the vehicle. State templates determine which signal updates the vehicle sends to the cloud.",
       "Tags": "Metadata which can be used to manage the vehicle."
     },
     "AWS::IoTFleetWise::Vehicle PeriodicStateTemplateUpdateStrategy": {
@@ -23660,17 +23488,6 @@
       "OnChange": "",
       "Periodic": ""
     },
-    "AWS::IoTFleetWise::Vehicle PeriodicStateTemplateUpdateStrategy": {
-      "StateTemplateUpdateRate": ""
-    },
-    "AWS::IoTFleetWise::Vehicle StateTemplateAssociation": {
-      "Identifier": "The unique ID of the state template.",
-      "StateTemplateUpdateStrategy": ""
-    },
-    "AWS::IoTFleetWise::Vehicle StateTemplateUpdateStrategy": {
-      "OnChange": "",
-      "Periodic": ""
-    },
     "AWS::IoTFleetWise::Vehicle Tag": {
       "Key": "The tag's key.",
       "Value": "The tag's value."
@@ -23679,10 +23496,6 @@
       "Unit": "A unit of time.",
       "Value": "A number of time units."
     },
-    "AWS::IoTFleetWise::Vehicle TimePeriod": {
-      "Unit": "A unit of time.",
-      "Value": "A number of time units."
-    },
     "AWS::IoTSiteWise::AccessPolicy": {
       "AccessPolicyIdentity": "The identity for this access policy. Choose an IAM Identity Center user, an IAM Identity Center group, or an IAM user.",
       "AccessPolicyPermission": "The permission level for this access policy. Note that a project `ADMINISTRATOR` is also known as a project owner.",
@@ -23860,7 +23673,6 @@
       "GatewayName": "A unique name for the gateway.",
       "GatewayPlatform": "The gateway's platform. You can only specify one platform in a gateway.",
       "GatewayVersion": "",
-      "GatewayVersion": "",
       "Tags": "A list of key-value pairs that contain metadata for the gateway. For more information, see [Tagging your AWS IoT SiteWise resources](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/tag-resources.html) in the *AWS IoT SiteWise User Guide* ."
     },
     "AWS::IoTSiteWise::Gateway GatewayCapabilitySummary": {
@@ -23872,7 +23684,6 @@
       "SiemensIE": "An AWS IoT SiteWise Edge gateway that runs on a Siemens Industrial Edge Device."
     },
     "AWS::IoTSiteWise::Gateway GreengrassV2": {
-      "CoreDeviceOperatingSystem": "",
       "CoreDeviceOperatingSystem": "",
       "CoreDeviceThingName": "The name of the AWS IoT thing for your AWS IoT Greengrass V2 core device."
     },
@@ -25330,7 +25141,6 @@
       "DeliveryStreamName": "The name of the Firehose stream.",
       "DeliveryStreamType": "The Firehose stream type. This can be one of the following values:\n\n- `DirectPut` : Provider applications access the Firehose stream directly.\n- `KinesisStreamAsSource` : The Firehose stream uses a Kinesis data stream as a source.",
       "DirectPutSourceConfiguration": "The structure that configures parameters such as `ThroughputHintInMBs` for a stream configured with Direct PUT as a source.",
-      "DirectPutSourceConfiguration": "The structure that configures parameters such as `ThroughputHintInMBs` for a stream configured with Direct PUT as a source.",
       "ElasticsearchDestinationConfiguration": "An Amazon ES destination for the delivery stream.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon ES destination to an Amazon S3 or Amazon Redshift destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .",
       "ExtendedS3DestinationConfiguration": "An Amazon S3 destination for the delivery stream.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon Extended S3 destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .",
       "HttpEndpointDestinationConfiguration": "Enables configuring Kinesis Firehose to deliver data to any HTTP endpoint destination. You can specify only one destination.",
@@ -25462,9 +25272,6 @@
     "AWS::KinesisFirehose::DeliveryStream DirectPutSourceConfiguration": {
       "ThroughputHintInMBs": "The value that you configure for this parameter is for information purpose only and does not affect Firehose delivery throughput limit. You can use the [Firehose Limits form](https://docs.aws.amazon.com/https://support.console.aws.amazon.com/support/home#/case/create%3FissueType=service-limit-increase%26limitType=kinesis-firehose-limits) to request a throughput limit increase."
     },
-    "AWS::KinesisFirehose::DeliveryStream DirectPutSourceConfiguration": {
-      "ThroughputHintInMBs": "The value that you configure for this parameter is for information purpose only and does not affect Firehose delivery throughput limit. You can use the [Firehose Limits form](https://docs.aws.amazon.com/https://support.console.aws.amazon.com/support/home#/case/create%3FissueType=service-limit-increase%26limitType=kinesis-firehose-limits) to request a throughput limit increase."
-    },
     "AWS::KinesisFirehose::DeliveryStream DocumentIdOptions": {
       "DefaultDocumentIdFormat": "When the `FIREHOSE_DEFAULT` option is chosen, Firehose generates a unique document ID for each record based on a unique internal identifier. The generated document ID is stable across multiple delivery attempts, which helps prevent the same record from being indexed multiple times with different document IDs.\n\nWhen the `NO_DOCUMENT_ID` option is chosen, Firehose does not include any document IDs in the requests it sends to the Amazon OpenSearch Service. This causes the Amazon OpenSearch Service domain to generate document IDs. In case of multiple delivery attempts, this may cause the same record to be indexed more than once with different document IDs. This option enables write-heavy operations, such as the ingestion of logs and observability data, to consume less resources in the Amazon OpenSearch Service domain, resulting in improved performance."
     },
@@ -25545,7 +25352,6 @@
       "ContentEncoding": "Kinesis Data Firehose uses the content encoding to compress the body of a request before sending the request to the destination. For more information, see Content-Encoding in MDN Web Docs, the official Mozilla documentation."
     },
     "AWS::KinesisFirehose::DeliveryStream IcebergDestinationConfiguration": {
-      "AppendOnly": "Describes whether all incoming data for this delivery stream will be append only (inserts only and not for updates and deletes) for Iceberg delivery. This feature is only applicable for Apache Iceberg Tables.\n\nThe default value is false. If you set this value to true, Firehose automatically increases the throughput limit of a stream based on the throttling levels of the stream. If you set this parameter to true for a stream with updates and deletes, you will see out of order delivery.",
       "AppendOnly": "Describes whether all incoming data for this delivery stream will be append only (inserts only and not for updates and deletes) for Iceberg delivery. This feature is only applicable for Apache Iceberg Tables.\n\nThe default value is false. If you set this value to true, Firehose automatically increases the throughput limit of a stream based on the throttling levels of the stream. If you set this parameter to true for a stream with updates and deletes, you will see out of order delivery.",
       "BufferingHints": "",
       "CatalogConfiguration": "Configuration describing where the destination Apache Iceberg Tables are persisted.",
@@ -28138,7 +27944,6 @@
     },
     "AWS::MediaConnect::BridgeSource MulticastSourceSettings": {
       "MulticastSourceIp": ""
-      "MulticastSourceIp": ""
     },
     "AWS::MediaConnect::BridgeSource VpcInterfaceAttachment": {
       "VpcInterfaceName": "The name of the VPC interface to use for this resource."
@@ -28158,20 +27963,6 @@
     "AWS::MediaConnect::Flow AudioMonitoringSetting": {
       "SilentAudio": "Detects periods of silence."
     },
-    "AWS::MediaConnect::Flow BlackFrames": {
-      "State": "Indicates whether the `BlackFrames` metric is enabled or disabled.",
-      "ThresholdSeconds": "Specifies the number of consecutive seconds of black frames that triggers an event or alert."
-    },
-    "AWS::MediaConnect::Flow AudioMonitoringSetting": {
-      "SilentAudio": "Detects periods of silence."
-    },
-    "AWS::MediaConnect::Flow BlackFrames": {
-      "State": "Indicates whether the `BlackFrames` metric is enabled or disabled.",
-      "ThresholdSeconds": "Specifies the number of consecutive seconds of black frames that triggers an event or alert."
-    },
-    "AWS::MediaConnect::Flow AudioMonitoringSetting": {
-      "SilentAudio": "Detects periods of silence."
-    },
     "AWS::MediaConnect::Flow BlackFrames": {
       "State": "Indicates whether the `BlackFrames` metric is enabled or disabled..",
       "ThresholdSeconds": "Specifies the number of consecutive seconds of black frames that triggers an event or alert."
@@ -28206,10 +27997,6 @@
       "State": "Indicates whether the `FrozenFrames` metric is enabled or disabled.",
       "ThresholdSeconds": "Specifies the number of consecutive seconds of a static image that triggers an event or alert."
     },
-    "AWS::MediaConnect::Flow FrozenFrames": {
-      "State": "Indicates whether the `FrozenFrames` metric is enabled or disabled.",
-      "ThresholdSeconds": "Specifies the number of consecutive seconds of a static image that triggers an event or alert."
-    },
     "AWS::MediaConnect::Flow GatewayBridgeSource": {
       "BridgeArn": "The ARN of the bridge feeding this flow.",
       "VpcInterfaceAttachment": "The name of the VPC interface attachment to use for this bridge source."
@@ -28248,10 +28035,6 @@
       "State": "Indicates whether the `SilentAudio` metric is enabled or disabled.",
       "ThresholdSeconds": "Specifies the number of consecutive seconds of silence that triggers an event or alert."
     },
-    "AWS::MediaConnect::Flow SilentAudio": {
-      "State": "Indicates whether the `SilentAudio` metric is enabled or disabled.",
-      "ThresholdSeconds": "Specifies the number of consecutive seconds of silence that triggers an event or alert."
-    },
     "AWS::MediaConnect::Flow Source": {
       "Decryption": "The type of encryption that is used on the content ingested from this source.",
       "Description": "A description for the source. This value is not used or seen outside of the current MediaConnect account.",
@@ -28281,10 +28064,6 @@
       "ContentQualityAnalysisState": "Indicates whether content quality analysis is enabled or disabled.",
       "ThumbnailState": "The current state of the thumbnail monitoring.\n\n- If you don't explicitly specify a value when creating a flow, no thumbnail state will be set.\n- If you update an existing flow and remove a previously set thumbnail state, the value will change to `DISABLED` .",
       "VideoMonitoringSettings": "Contains the settings for video stream metrics monitoring."
-      "AudioMonitoringSettings": "Contains the settings for audio stream metrics monitoring.",
-      "ContentQualityAnalysisState": "Indicates whether content quality analysis is enabled or disabled.",
-      "ThumbnailState": "The current state of the thumbnail monitoring.\n\n- If you don't explicitly specify a value when creating a flow, no thumbnail state will be set.\n- If you update an existing flow and remove a previously set thumbnail state, the value will change to `DISABLED` .",
-      "VideoMonitoringSettings": "Contains the settings for video stream metrics monitoring."
     },
     "AWS::MediaConnect::Flow SourcePriority": {
       "PrimarySource": "The name of the source you choose as the primary source for this flow."
@@ -28293,10 +28072,6 @@
       "BlackFrames": "Detects video frames that are black.",
       "FrozenFrames": "Detects video frames that have not changed."
     },
-    "AWS::MediaConnect::Flow VideoMonitoringSetting": {
-      "BlackFrames": "Detects video frames that are black.",
-      "FrozenFrames": "Detects video frames that have not changed."
-    },
     "AWS::MediaConnect::Flow VpcInterface": {
       "Name": "Immutable and has to be a unique against other VpcInterfaces in this Flow.",
       "NetworkInterfaceIds": "IDs of the network interfaces created in customer's account by MediaConnect .",
@@ -33669,7 +33444,6 @@
     "AWS::QBusiness::WebExperience": {
       "ApplicationId": "The identifier of the Amazon Q Business web experience.",
       "BrowserExtensionConfiguration": "The container for browser extension configuration for an Amazon Q Business web experience.",
-      "BrowserExtensionConfiguration": "The container for browser extension configuration for an Amazon Q Business web experience.",
       "CustomizationConfiguration": "Contains the configuration information to customize the logo, font, and color of an Amazon Q Business web experience with individual files for each property or a CSS file for them all.",
       "IdentityProviderConfiguration": "Provides information about the identity provider (IdP) used to authenticate end users of an Amazon Q Business web experience.",
       "Origins": "Sets the website domain origins that are allowed to embed the Amazon Q Business web experience. The *domain origin* refers to the base URL for accessing a website including the protocol ( `http/https` ), the domain name, and the port number (if specified).\n\n> You must only submit a *base URL* and not a full path. For example, `https://docs.aws.amazon.com` .",
@@ -33683,9 +33457,6 @@
     "AWS::QBusiness::WebExperience BrowserExtensionConfiguration": {
       "EnabledBrowserExtensions": "Specify the browser extensions allowed for your Amazon Q web experience.\n\n- `CHROME` \u2014 Enables the extension for Chromium-based browsers (Google Chrome, Microsoft Edge, Opera, etc.).\n- `FIREFOX` \u2014 Enables the extension for Mozilla Firefox.\n- `CHROME` and `FIREFOX` \u2014 Enable the extension for Chromium-based browsers and Mozilla Firefox."
     },
-    "AWS::QBusiness::WebExperience BrowserExtensionConfiguration": {
-      "EnabledBrowserExtensions": "Specify the browser extensions allowed for your Amazon Q web experience.\n\n- `CHROME` \u2014 Enables the extension for Chromium-based browsers (Google Chrome, Microsoft Edge, Opera, etc.).\n- `FIREFOX` \u2014 Enables the extension for Mozilla Firefox.\n- `CHROME` and `FIREFOX` \u2014 Enable the extension for Chromium-based browsers and Mozilla Firefox."
-    },
     "AWS::QBusiness::WebExperience CustomizationConfiguration": {
       "CustomCSSUrl": "Provides the URL where the custom CSS file is hosted for an Amazon Q web experience.",
       "FaviconUrl": "Provides the URL where the custom favicon file is hosted for an Amazon Q web experience.",
@@ -43109,11 +42880,9 @@
     "AWS::QuickSight::Topic": {
       "AwsAccountId": "The ID of the AWS account that you want to create a topic in.",
       "ConfigOptions": "Configuration options for a `Topic` .",
-      "ConfigOptions": "Configuration options for a `Topic` .",
       "DataSets": "The data sets that the topic is associated with.",
       "Description": "The description of the topic.",
       "FolderArns": "",
-      "FolderArns": "",
       "Name": "The name of the topic.",
       "TopicId": "The ID for the topic. This ID is unique per AWS Region for each AWS account.",
       "UserExperienceVersion": "The user experience version of the topic."
@@ -43247,9 +43016,6 @@
     "AWS::QuickSight::Topic TopicConfigOptions": {
       "QBusinessInsightsEnabled": "Enables Amazon Q Business Insights for a `Topic` ."
     },
-    "AWS::QuickSight::Topic TopicConfigOptions": {
-      "QBusinessInsightsEnabled": "Enables Amazon Q Business Insights for a `Topic` ."
-    },
     "AWS::QuickSight::Topic TopicDateRangeFilter": {
       "Constant": "The constant used in a date range filter.",
       "Inclusive": "A Boolean value that indicates whether the date range filter should include the boundary values. If set to true, the filter includes the start and end dates. If set to false, the filter excludes them."
@@ -44962,7 +44728,6 @@
       "LifecycleConfiguration": "Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see [Object Lifecycle Management](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide* .",
       "LoggingConfiguration": "Settings that define where logs are stored.",
       "MetadataTableConfiguration": "The metadata table configuration of an Amazon S3 general purpose bucket. For more information, see [Accelerating data discovery with S3 Metadata](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html) and [Setting up permissions for configuring metadata tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-permissions.html) .",
-      "MetadataTableConfiguration": "The metadata table configuration of an Amazon S3 general purpose bucket. For more information, see [Accelerating data discovery with S3 Metadata](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html) and [Setting up permissions for configuring metadata tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-permissions.html) .",
       "MetricsConfigurations": "Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see [PutBucketMetricsConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html) .",
       "NotificationConfiguration": "Configuration that defines how Amazon S3 handles bucket notifications.",
       "ObjectLockConfiguration": "> This operation is not supported for directory buckets. \n\nPlaces an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see [Locking Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html) .\n\n> - The `DefaultRetention` settings require both a mode and a period.\n> - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time.\n> - You can enable Object Lock for new or existing buckets. For more information, see [Configuring Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html) .",
@@ -45064,9 +44829,6 @@
     "AWS::S3::Bucket MetadataTableConfiguration": {
       "S3TablesDestination": "The destination information for the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket."
     },
-    "AWS::S3::Bucket MetadataTableConfiguration": {
-      "S3TablesDestination": "The destination information for the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket."
-    },
     "AWS::S3::Bucket Metrics": {
       "EventThreshold": "A container specifying the time threshold for emitting the `s3:Replication:OperationMissedThreshold` event.",
       "Status": "Specifies whether the replication metrics are enabled."
@@ -45210,12 +44972,6 @@
       "TableName": "The name for the metadata table in your metadata table configuration. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket.",
       "TableNamespace": "The table bucket namespace for the metadata table in your metadata table configuration. This value is always `aws_s3_metadata` ."
     },
-    "AWS::S3::Bucket S3TablesDestination": {
-      "TableArn": "The Amazon Resource Name (ARN) for the metadata table in the metadata table configuration. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket.",
-      "TableBucketArn": "The Amazon Resource Name (ARN) for the table bucket that's specified as the destination in the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket.",
-      "TableName": "The name for the metadata table in your metadata table configuration. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket.",
-      "TableNamespace": "The table bucket namespace for the metadata table in your metadata table configuration. This value is always `aws_s3_metadata` ."
-    },
     "AWS::S3::Bucket ServerSideEncryptionByDefault": {
       "KMSMasterKeyID": "AWS Key Management Service (KMS) customer managed key ID to use for the default encryption.\n\n> - *General purpose buckets* - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse` .\n> - *Directory buckets* - This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` . \n\nYou can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key Alias: `alias/alias-name`\n\nIf you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy) .\n\n> - *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester\u2019s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.\n> - *Directory buckets* - When you specify an [AWS KMS customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported. > Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .",
       "SSEAlgorithm": "Server-side encryption algorithm to use for the default encryption.\n\n> For directory buckets, there are only two supported values for server-side encryption: `AES256` and `aws:kms` ."
@@ -46048,7 +45804,6 @@
       "DeliveryStatusLogging": "The `DeliveryStatusLogging` configuration enables you to log the delivery status of messages sent from your Amazon SNS topic to subscribed endpoints with the following supported delivery protocols:\n\n- HTTP\n- Amazon Kinesis Data Firehose\n- AWS Lambda\n- Platform application endpoint\n- Amazon Simple Queue Service\n\nOnce configured, log entries are sent to Amazon CloudWatch Logs.",
       "DisplayName": "The display name to use for an Amazon SNS topic with SMS subscriptions. The display name must be maximum 100 characters long, including hyphens (-), underscores (_), spaces, and tabs.",
       "FifoThroughputScope": "Specifies the throughput quota and deduplication behavior to apply for the FIFO topic. Valid values are `Topic` or `MessageGroup` .",
-      "FifoThroughputScope": "Specifies the throughput quota and deduplication behavior to apply for the FIFO topic. Valid values are `Topic` or `MessageGroup` .",
       "FifoTopic": "Set to true to create a FIFO topic.",
       "KmsMasterKeyId": "The ID of an AWS managed customer master key (CMK) for Amazon SNS or a custom CMK. For more information, see [Key terms](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms) . For more examples, see `[KeyId](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html#API_DescribeKey_RequestParameters)` in the *AWS Key Management Service API Reference* .\n\nThis property applies only to [server-side-encryption](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html) .",
       "SignatureVersion": "The signature version corresponds to the hashing algorithm used while creating the signature of the notifications, subscription confirmations, or unsubscribe confirmation messages sent by Amazon SNS. By default, `SignatureVersion` is set to `1` .",
@@ -46114,7 +45869,6 @@
       "AssociationName": "Specify a descriptive name for the association.",
       "AutomationTargetParameterName": "Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a tool in AWS Systems Manager .",
       "CalendarNames": "The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see [AWS Systems Manager Change Calendar](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the *AWS Systems Manager User Guide* .",
-      "CalendarNames": "The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see [AWS Systems Manager Change Calendar](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the *AWS Systems Manager User Guide* .",
       "ComplianceSeverity": "The severity level that is assigned to the association.",
       "DocumentVersion": "The version of the SSM document to associate with the target.\n\n> Note the following important information.\n> \n> - State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the `default` version of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared form another account, you must set the document version to `default` .\n> - `DocumentVersion` is not valid for documents owned by AWS , such as `AWS-RunPatchBaseline` or `AWS-UpdateSSMAgent` . If you specify `DocumentVersion` for an AWS document, the system returns the following error: \"Error occurred during operation 'CreateAssociation'.\" (RequestToken: <token>, HandlerErrorCode: GeneralServiceException).",
       "InstanceId": "The ID of the instance that the SSM document is associated with. You must specify the `InstanceId` or `Targets` property.\n\n> `InstanceId` has been deprecated. To specify an instance ID for an association, use the `Targets` parameter. If you use the parameter `InstanceId` , you cannot use the parameters `AssociationName` , `DocumentVersion` , `MaxErrors` , `MaxConcurrency` , `OutputLocation` , or `ScheduleExpression` . To use these parameters, you must use the `Targets` parameter.",
@@ -46520,7 +46274,6 @@
       "LocalDeploymentAdministrationRoleArn": "The ARN of the IAM role used to administrate local configuration deployments.",
       "LocalDeploymentExecutionRoleName": "The name of the IAM role used to deploy local configurations.",
       "Parameters": "The parameters for the configuration definition type. Parameters for configuration definitions vary based the configuration type. The following lists outline the parameters for each configuration type.\n\n- **AWS Config Recording (Type: AWS QuickSetupType-CFGRecording)** - - `RecordAllResources`\n\n- Description: (Optional) A boolean value that determines whether all supported resources are recorded. The default value is \" `true` \".\n- `ResourceTypesToRecord`\n\n- Description: (Optional) A comma separated list of resource types you want to record.\n- `RecordGlobalResourceTypes`\n\n- Description: (Optional) A boolean value that determines whether global resources are recorded with all resource configurations. The default value is \" `false` \".\n- `GlobalResourceTypesRegion`\n\n- Description: (Optional) Determines the AWS Region where global resources are recorded.\n- `UseCustomBucket`\n\n- Description: (Optional) A boolean value that determines whether a custom Amazon S3 bucket is used for delivery. The default value is \" `false` \".\n- `DeliveryBucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want AWS Config to deliver configuration snapshots and configuration history files to.\n- `DeliveryBucketPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `NotificationOptions`\n\n- Description: (Optional) Determines the notification configuration for the recorder. The valid values are `NoStreaming` , `UseExistingTopic` , and `CreateTopic` . The default value is `NoStreaming` .\n- `CustomDeliveryTopicAccountId`\n\n- Description: (Optional) The ID of the AWS account where the Amazon SNS topic you want to use for notifications resides. You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `CustomDeliveryTopicName`\n\n- Description: (Optional) The name of the Amazon SNS topic you want to use for notifications. 
You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(7 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Change Manager (Type: AWS QuickSetupType-SSMChangeMgr)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `JobFunction`\n\n- Description: (Required) The name for the Change Manager job function.\n- `PermissionType`\n\n- Description: (Optional) Specifies whether you want to use default administrator permissions for the job function role, or provide a custom IAM policy. The valid values are `CustomPermissions` and `AdminPermissions` . The default value for the parameter is `CustomerPermissions` .\n- `CustomPermissions`\n\n- Description: (Optional) A JSON string containing the IAM policy you want your job function to use. 
You must provide a value for this parameter if you specify `CustomPermissions` for the `PermissionType` parameter.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Conformance Packs (Type: AWS QuickSetupType-CFGCPacks)** - - `DelegatedAccountId`\n\n- Description: (Optional) The ID of the delegated administrator account. This parameter is required for Organization deployments.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `none` \".\n- `CPackNames`\n\n- Description: (Required) A comma separated list of AWS Config conformance packs.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Default Host Management Configuration (Type: AWS QuickSetupType-DHMC)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. 
The default value is \" `true` \".\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **DevOps\u00a0Guru (Type: AWS QuickSetupType-DevOpsGuru)** - - `AnalyseAllResources`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru analyzes all AWS CloudFormation stacks in the account. The default value is \" `false` \".\n- `EnableSnsNotifications`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru sends notifications when an insight is created. The default value is \" `true` \".\n- `EnableSsmOpsItems`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru creates an OpsCenter OpsItem when an insight is created. The default value is \" `true` \".\n- `EnableDriftRemediation`\n\n- Description: (Optional) A boolean value that determines whether a drift remediation schedule is used. The default value is \" `false` \".\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Distributor (Type: AWS QuickSetupType-Distributor)** - - `PackagesToInstall`\n\n- Description: (Required) A comma separated list of packages you want to install on the target instances. The valid values are `AWSEFSTools` , `AWSCWAgent` , and `AWSEC2LaunchAgent` .\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `rate(30 days)` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. 
You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Host Management (Type: AWS QuickSetupType-SSMHostMgmt)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. The default value is \" `true` \".\n- `UpdateEc2LaunchAgent`\n\n- Description: (Optional) A boolean value that determines whether the EC2 Launch agent is updated on the target instances every month. The default value is \" `false` \".\n- `CollectInventory`\n\n- Description: (Optional) A boolean value that determines whether instance metadata is collected on the target instances every 30 minutes. The default value is \" `true` \".\n- `ScanInstances`\n\n- Description: (Optional) A boolean value that determines whether the target instances are scanned daily for available patches. The default value is \" `true` \".\n- `InstallCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is installed on the target instances. 
The default value is \" `false` \".\n- `UpdateCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is updated on the target instances every month. The default value is \" `false` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Optional) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Optional) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Optional) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **OpsCenter (Type: AWS QuickSetupType-SSMOpsCenter)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Patch Policy (Type: AWS QuickSetupType-PatchPolicy)** - - `PatchPolicyName`\n\n- Description: (Required) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag.\n- `SelectedPatchBaselines`\n\n- Description: (Required) An array of JSON objects containing the information for the patch baselines to include in your patch policy.\n- `PatchBaselineUseDefault`\n\n- Description: (Optional) A boolean value that determines whether the selected patch baselines are all AWS provided.\n- `ConfigurationOptionsPatchOperation`\n\n- Description: (Optional) Determines whether target instances scan for available patches, or scan and install available patches. The valid values are `Scan` and `ScanAndInstall` . 
The default value for the parameter is `Scan` .\n- `ConfigurationOptionsScanValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances scan for available patches.\n- `ConfigurationOptionsInstallValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances install available patches.\n- `ConfigurationOptionsScanNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `ConfigurationOptionsInstallNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `RebootOption`\n\n- Description: (Optional) Determines whether instances are rebooted after patches are installed. Valid values are `RebootIfNeeded` and `NoReboot` .\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. 
The default value is \" `false` \".\n- `OutputLogEnableS3`\n\n- Description: (Optional) A boolean value that determines whether command output logs are sent to Amazon S3.\n- `OutputS3Location`\n\n- Description: (Optional) A JSON string containing information about the Amazon S3 bucket where you want to store the output details of the request.\n\n- `OutputS3BucketRegion`\n\n- Description: (Optional) The AWS Region where the Amazon S3 bucket you want to deliver command output to is located.\n- `OutputS3BucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want to deliver command output to.\n- `OutputS3KeyPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. 
You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Explorer (Type: AWS QuickSetupType-ResourceExplorer)** - - `SelectedAggregatorRegion`\n\n- Description: (Required) The AWS Region where you want to create the aggregator index.\n- `ReplaceExistingAggregator`\n\n- Description: (Required) A boolean value that determines whether to demote an existing aggregator if it is in a Region that differs from the value you specify for the `SelectedAggregatorRegion` .\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Scheduler (Type: AWS QuickSetupType-Scheduler)** - - `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target.\n- `ICalendarString`\n\n- Description: (Required) An iCalendar formatted string containing the schedule you want Change Manager to use.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. 
You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.",
-      "Parameters": "The parameters for the configuration definition type. Parameters for configuration definitions vary based the configuration type. The following lists outline the parameters for each configuration type.\n\n- **AWS Config Recording (Type: AWS QuickSetupType-CFGRecording)** - - `RecordAllResources`\n\n- Description: (Optional) A boolean value that determines whether all supported resources are recorded. The default value is \" `true` \".\n- `ResourceTypesToRecord`\n\n- Description: (Optional) A comma separated list of resource types you want to record.\n- `RecordGlobalResourceTypes`\n\n- Description: (Optional) A boolean value that determines whether global resources are recorded with all resource configurations. The default value is \" `false` \".\n- `GlobalResourceTypesRegion`\n\n- Description: (Optional) Determines the AWS Region where global resources are recorded.\n- `UseCustomBucket`\n\n- Description: (Optional) A boolean value that determines whether a custom Amazon S3 bucket is used for delivery. The default value is \" `false` \".\n- `DeliveryBucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want AWS Config to deliver configuration snapshots and configuration history files to.\n- `DeliveryBucketPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `NotificationOptions`\n\n- Description: (Optional) Determines the notification configuration for the recorder. The valid values are `NoStreaming` , `UseExistingTopic` , and `CreateTopic` . The default value is `NoStreaming` .\n- `CustomDeliveryTopicAccountId`\n\n- Description: (Optional) The ID of the AWS account where the Amazon SNS topic you want to use for notifications resides. You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `CustomDeliveryTopicName`\n\n- Description: (Optional) The name of the Amazon SNS topic you want to use for notifications. 
You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(7 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Change Manager (Type: AWS QuickSetupType-SSMChangeMgr)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `JobFunction`\n\n- Description: (Required) The name for the Change Manager job function.\n- `PermissionType`\n\n- Description: (Optional) Specifies whether you want to use default administrator permissions for the job function role, or provide a custom IAM policy. The valid values are `CustomPermissions` and `AdminPermissions` . The default value for the parameter is `CustomerPermissions` .\n- `CustomPermissions`\n\n- Description: (Optional) A JSON string containing the IAM policy you want your job function to use. 
You must provide a value for this parameter if you specify `CustomPermissions` for the `PermissionType` parameter.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Conformance Packs (Type: AWS QuickSetupType-CFGCPacks)** - - `DelegatedAccountId`\n\n- Description: (Optional) The ID of the delegated administrator account. This parameter is required for Organization deployments.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `none` \".\n- `CPackNames`\n\n- Description: (Required) A comma separated list of AWS Config conformance packs.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Default Host Management Configuration (Type: AWS QuickSetupType-DHMC)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. 
The default value is \" `true` \".\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **DevOps\u00a0Guru (Type: AWS QuickSetupType-DevOpsGuru)** - - `AnalyseAllResources`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru analyzes all AWS CloudFormation stacks in the account. The default value is \" `false` \".\n- `EnableSnsNotifications`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru sends notifications when an insight is created. The default value is \" `true` \".\n- `EnableSsmOpsItems`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru creates an OpsCenter OpsItem when an insight is created. The default value is \" `true` \".\n- `EnableDriftRemediation`\n\n- Description: (Optional) A boolean value that determines whether a drift remediation schedule is used. The default value is \" `false` \".\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Distributor (Type: AWS QuickSetupType-Distributor)** - - `PackagesToInstall`\n\n- Description: (Required) A comma separated list of packages you want to install on the target instances. The valid values are `AWSEFSTools` , `AWSCWAgent` , and `AWSEC2LaunchAgent` .\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `rate(30 days)` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. 
You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Host Management (Type: AWS QuickSetupType-SSMHostMgmt)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. The default value is \" `true` \".\n- `UpdateEc2LaunchAgent`\n\n- Description: (Optional) A boolean value that determines whether the EC2 Launch agent is updated on the target instances every month. The default value is \" `false` \".\n- `CollectInventory`\n\n- Description: (Optional) A boolean value that determines whether instance metadata is collected on the target instances every 30 minutes. The default value is \" `true` \".\n- `ScanInstances`\n\n- Description: (Optional) A boolean value that determines whether the target instances are scanned daily for available patches. The default value is \" `true` \".\n- `InstallCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is installed on the target instances. 
The default value is \" `false` \".\n- `UpdateCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is updated on the target instances every month. The default value is \" `false` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Optional) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Optional) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Optional) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **OpsCenter (Type: AWS QuickSetupType-SSMOpsCenter)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Patch Policy (Type: AWS QuickSetupType-PatchPolicy)** - - `PatchPolicyName`\n\n- Description: (Required) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag.\n- `SelectedPatchBaselines`\n\n- Description: (Required) An array of JSON objects containing the information for the patch baselines to include in your patch policy.\n- `PatchBaselineUseDefault`\n\n- Description: (Optional) A boolean value that determines whether the selected patch baselines are all AWS provided.\n- `ConfigurationOptionsPatchOperation`\n\n- Description: (Optional) Determines whether target instances scan for available patches, or scan and install available patches. The valid values are `Scan` and `ScanAndInstall` . 
The default value for the parameter is `Scan` .\n- `ConfigurationOptionsScanValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances scan for available patches.\n- `ConfigurationOptionsInstallValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances install available patches.\n- `ConfigurationOptionsScanNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `ConfigurationOptionsInstallNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `RebootOption`\n\n- Description: (Optional) Determines whether instances are rebooted after patches are installed. Valid values are `RebootIfNeeded` and `NoReboot` .\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. 
The default value is \" `false` \".\n- `OutputLogEnableS3`\n\n- Description: (Optional) A boolean value that determines whether command output logs are sent to Amazon S3.\n- `OutputS3Location`\n\n- Description: (Optional) A JSON string containing information about the Amazon S3 bucket where you want to store the output details of the request.\n\n- `OutputS3BucketRegion`\n\n- Description: (Optional) The AWS Region where the Amazon S3 bucket you want to deliver command output to is located.\n- `OutputS3BucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want to deliver command output to.\n- `OutputS3KeyPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. 
You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Explorer (Type: AWS QuickSetupType-ResourceExplorer)** - - `SelectedAggregatorRegion`\n\n- Description: (Required) The AWS Region where you want to create the aggregator index.\n- `ReplaceExistingAggregator`\n\n- Description: (Required) A boolean value that determines whether to demote an existing aggregator if it is in a Region that differs from the value you specify for the `SelectedAggregatorRegion` .\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Scheduler (Type: AWS QuickSetupType-Scheduler)** - - `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target.\n- `ICalendarString`\n\n- Description: (Required) An iCalendar formatted string containing the schedule you want Change Manager to use.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. 
You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.",
       "Type": "The type of the Quick Setup configuration.",
       "TypeVersion": "The version of the Quick Setup type used.",
       "id": "The ID of the configuration definition."
@@ -46622,7 +46375,6 @@
       "LifecycleConfigArn": "The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.",
       "SageMakerImageArn": "The ARN of the SageMaker AI image that the image version belongs to.",
       "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
-      "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
     },
     "AWS::SageMaker::App Tag": {
       "Key": "The tag key. Tag keys must be unique per resource.",
@@ -46968,7 +46720,6 @@
       "LifecycleConfigArn": "The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.",
       "SageMakerImageArn": "The ARN of the SageMaker AI image that the image version belongs to.",
       "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
-      "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
     },
     "AWS::SageMaker::Domain SharingSettings": {
       "NotebookOutputOption": "Whether to include the notebook cell output when sharing the notebook. The default is `Disabled` .",
@@ -48373,7 +48124,6 @@
       "LifecycleConfigArn": "The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.",
       "SageMakerImageArn": "The ARN of the SageMaker AI image that the image version belongs to.",
       "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
-      "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
     },
     "AWS::SageMaker::Space SpaceAppLifecycleManagement": {
       "IdleSettings": "Settings related to idle shutdown of Studio applications."
@@ -48498,7 +48248,6 @@
       "LifecycleConfigArn": "The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.",
       "SageMakerImageArn": "The ARN of the SageMaker AI image that the image version belongs to.",
       "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
-      "SageMakerImageVersionArn": "The ARN of the image version created on the instance. To clear the value set for `SageMakerImageVersionArn` , pass `None` as the value."
     },
     "AWS::SageMaker::UserProfile SharingSettings": {
       "NotebookOutputOption": "Whether to include the notebook cell output when sharing the notebook. The default is `Disabled` .",
@@ -48662,7 +48411,6 @@
     "AWS::SecretsManager::RotationSchedule": {
       "HostedRotationLambda": "Creates a new Lambda rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) . To use a rotation function that already exists, specify `RotationLambdaARN` instead.\n\nYou must specify `Transform: AWS::SecretsManager-2024-09-16` at the beginning of the CloudFormation template. Transforms are macros hosted by AWS CloudFormation that help you create and manage complex infrastructure. The `Transform: AWS::SecretsManager-2024-09-16` transform automatically extends the CloudFormation stack to include a nested stack (of type `AWS::CloudFormation::Stack` ), which then creates and updates on your behalf during subsequent stack operations, the appropriate rotation Lambda function for your database or service. For general information on transforms, see the [AWS CloudFormation documentation.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html)\n\nFor Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) .\n\nFor Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) .",
       "RotateImmediatelyOnUpdate": "Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. The rotation schedule is defined in `RotationRules` .\n\nThe default for `RotateImmediatelyOnUpdate` is `true` . If you don't specify this value, Secrets Manager rotates the secret immediately.\n\nIf you set `RotateImmediatelyOnUpdate` to `false` , Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it.\n\n> When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` :\n> \n> - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur.\n> - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows. \n\nRotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .",
-      "RotateImmediatelyOnUpdate": "Determines whether to rotate the secret immediately or wait until the next scheduled rotation window when the rotation schedule is updated. The rotation schedule is defined in `RotationRules` .\n\nThe default for `RotateImmediatelyOnUpdate` is `true` . If you don't specify this value, Secrets Manager rotates the secret immediately.\n\nIf you set `RotateImmediatelyOnUpdate` to `false` , Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. This test creates an `AWSPENDING` version of the secret and then removes it.\n\n> When changing an existing rotation schedule and setting `RotateImmediatelyOnUpdate` to `false` :\n> \n> - If using `AutomaticallyAfterDays` or a `ScheduleExpression` with `rate()` , the previously scheduled rotation might still occur.\n> - To prevent unintended rotations, use a `ScheduleExpression` with `cron()` for granular control over rotation windows. \n\nRotation is an asynchronous process. For more information, see [How rotation works](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) .",
       "RotationLambdaARN": "The ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function.\n\nFor Amazon RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html) .\n\nFor Amazon Redshift admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) .\n\nTo create a new rotation function based on one of the [Secrets Manager rotation function templates](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html) , specify `HostedRotationLambda` instead.",
       "RotationRules": "A structure that defines the rotation configuration for this secret.",
       "SecretId": "The ARN or name of the secret to rotate. This is unique for each rotation schedule definition.\n\nTo reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID."
@@ -49690,11 +49438,9 @@
       "LogDeliveryConfiguration": "Configuration for sending InfluxDB engine logs to a specified S3 bucket.",
       "Name": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per region.",
       "NetworkType": "",
-      "NetworkType": "",
       "Organization": "The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users.",
       "Password": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon SecretManager in your account.",
       "Port": "",
-      "Port": "",
       "PubliclyAccessible": "Configures the DB instance with a public IP to facilitate access.",
       "Tags": "A list of key-value pairs to associate with the DB instance.",
       "Username": "The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon Secrets Manager in your account.",
@@ -50203,7 +49949,6 @@
     "AWS::VpcLattice::ResourceConfiguration DnsResource": {
       "DomainName": "The domain name of the resource configuration.",
       "IpAddressType": "The IP address type for the resource configuration."
-      "IpAddressType": "The IP address type for the resource configuration."
     },
     "AWS::VpcLattice::ResourceConfiguration ResourceConfigurationDefinition": {
       "ArnResource": "The Amazon Resource Name (ARN) of the resource configuration. For the ARN syntax and format, see [ARN format](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html#arns-syntax) in the *AWS Identity and Access Management user guide* .",
diff --git a/schema_source/cloudformation.schema.json b/schema_source/cloudformation.schema.json
index c1b442e764..daa71469a5 100644
--- a/schema_source/cloudformation.schema.json
+++ b/schema_source/cloudformation.schema.json
@@ -83457,7 +83457,7 @@
               "items": {
                 "$ref": "#/definitions/AWS::ECS::Service.CapacityProviderStrategyItem"
               },
-              "markdownDescription": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy may contain a maximum of 6 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
+              "markdownDescription": "The capacity provider strategy to use for the service.\n\nIf a `capacityProviderStrategy` is specified, the `launchType` parameter must be omitted. If no `capacityProviderStrategy` or `launchType` is specified, the `defaultCapacityProviderStrategy` for the cluster is used.\n\nA capacity provider strategy can contain a maximum of 20 capacity providers.\n\n> To remove this property from your service resource, specify an empty `CapacityProviderStrategyItem` array.",
               "title": "CapacityProviderStrategy",
               "type": "array"
             },

From e03dd7d03289f523208b2ace72915436994bfed3 Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Thu, 20 Mar 2025 00:13:33 +0000
Subject: [PATCH 04/13] fix lint, samll fixes

---
 samtranslator/compat.py              |  5 +-
 samtranslator/model/__init__.py      |  2 +-
 samtranslator/model/sam_resources.py | 82 ++++++++--------------------
 3 files changed, 27 insertions(+), 62 deletions(-)

diff --git a/samtranslator/compat.py b/samtranslator/compat.py
index 7d2686d565..3ffe1a7461 100644
--- a/samtranslator/compat.py
+++ b/samtranslator/compat.py
@@ -1,3 +1,4 @@
+# mypy: ignore-errors
 try:
     from pydantic import v1 as pydantic
 
@@ -7,9 +8,9 @@
 except ImportError:
     # Unfortunately mypy cannot handle this try/expect pattern, and "type: ignore"
     # is the simplest work-around. See: https://github.com/python/mypy/issues/1153
-    import pydantic  # type: ignore
+    import pydantic
 except AttributeError:
     # Pydantic v1.10.17+
-    import pydantic  # type: ignore
+    import pydantic
 
 __all__ = ["pydantic"]
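Review bot: The comment kept in the `except ImportError` branch still says that "type: ignore" is the simplest work-around, but this change removes both `# type: ignore` markers and adds `# mypy: ignore-errors` at the top of the file (first hunk), so the comment no longer matches the code. A file-level `ignore-errors` also silences every other mypy finding in this module, not only the conditional re-import. I would either keep the two line-scoped ignores, or reword the comment to something like `# mypy cannot type this try/except import pattern, so the module is excluded via "mypy: ignore-errors" above`.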
diff --git a/samtranslator/model/__init__.py b/samtranslator/model/__init__.py
index e47131793e..eee5c92a28 100644
--- a/samtranslator/model/__init__.py
+++ b/samtranslator/model/__init__.py
@@ -345,7 +345,7 @@ def validate_properties_and_return_model(self, cls: Type[RT]) -> RT:
         """
         try:
             return cls.parse_obj(self._generate_resource_dict()["Properties"])
-        except pydantic.error_wrappers.ValidationError as e:
+        except pydantic.error_wrappers.ValidationError as e:  # type: ignore
             error_properties: str = ""
             with suppress(KeyError):
                 error_properties = ".".join(str(x) for x in e.errors()[0]["loc"])
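Review bot: The `# type: ignore` added to the `except pydantic.error_wrappers.ValidationError as e:` line is unscoped, so it suppresses any type error on that line rather than only the one being worked around. Patch 05 removes the same marker and patch 06 adds it back, which suggests the mypy/pydantic mismatch behind it is not settled. A code-scoped form with a short reason, `# type: ignore[<code mypy reports>]  # pydantic v1 shim`, would make the intent visible and keep other errors on the line reportable. The enclosing function starts and ends outside the hunk.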
diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
index b9701f9044..708d3b8578 100644
--- a/samtranslator/model/sam_resources.py
+++ b/samtranslator/model/sam_resources.py
@@ -323,9 +323,7 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def] # noqa: P
             lambda_url = self._construct_function_url(lambda_function, lambda_alias, self.FunctionUrlConfig)
             resources.append(lambda_url)
             url_permissions = self._construct_url_permissions(lambda_function, lambda_alias, self.FunctionUrlConfig)
-            if url_permissions:
-                for permission in url_permissions:
-                    resources.append(permission)
+            resources.extend(url_permissions)
 
         self._validate_deployment_preference_and_add_update_policy(
             kwargs.get("deployment_preference_collection"),
@@ -1217,7 +1215,7 @@ def _validate_cors_config_parameter(
 
     def _construct_url_permissions(
         self, lambda_function: LambdaFunction, lambda_alias: Optional[LambdaAlias], function_url_config: Dict[str, Any]
-    ) -> Optional[Tuple[LambdaPermission, LambdaPermission]]:
+    ) -> List[LambdaPermission]:
         """
         Construct the lambda permissions associated with the function url resource in a case
         for public access when AuthType is NONE
@@ -1232,79 +1230,45 @@ def _construct_url_permissions(
 
         Returns
         -------
-        Optional[Tuple[LambdaPermission, LambdaPermission]]
+        List[LambdaPermission]
             The lambda permission appended to a function url resource with public access and the
             Permission to invoke the function in general.
         """
         auth_type = function_url_config.get("AuthType")
 
         if auth_type not in ["NONE"] or is_intrinsic(function_url_config):
-            return None
+            return []
 
         url_public_permission_logical_id = f"{lambda_function.logical_id}UrlPublicPermissions"
-        lambda_url_public_permission = self.get_lambda_url_permissions(
-            url_public_permission_logical_id,
-            lambda_function,
-            lambda_alias,
-            FUNCTION_URL_PUBLIC_PERMISSION_ACTION,
-            auth_type,
-        )
 
-        url_invoke_permission_logical_id = f"{lambda_function.logical_id}URLInvokeAllowPublicAccess"
-        lambda_invoke_permission = self.get_lambda_url_permissions(
-            url_invoke_permission_logical_id,
-            lambda_function,
-            lambda_alias,
-            FUNCTION_INVOKE_PERMISSION_ACTION,
-            auth_type,
-        )
-
-        return (lambda_url_public_permission, lambda_invoke_permission)
+        lambda_permission_attributes = self.get_passthrough_resource_attributes()
 
-    def get_lambda_url_permissions(
-        self,
-        logical_id: str,
-        lambda_function: LambdaFunction,
-        lambda_alias: Optional[LambdaAlias],
-        action: str,
-        auth_type: str,
-    ) -> LambdaPermission:
-        """
-        get_lambda_url_permissions
+        lambda_url_public_permission = LambdaPermission(
+            logical_id=url_public_permission_logical_id, attributes=lambda_permission_attributes
+        )
+        lambda_url_public_permission.Action = FUNCTION_URL_PUBLIC_PERMISSION_ACTION
+        lambda_url_public_permission.Principal = "*"
+        lambda_url_public_permission.FunctionName = (
+            lambda_alias.get_runtime_attr("arn") if lambda_alias else lambda_function.get_runtime_attr("name")
+        )
+        lambda_url_public_permission.FunctionUrlAuthType = auth_type
 
-        Parameters
-        ----------
-        logical_id : str
-            Unique id of the function
-        lambda_function : LambdaFuntion
-            Lambda Function resource
-        lambda_alias : Optional[LambdaAlias]
-            Lambda Alias resource
-        action : str
-            The action or actions that will be allowed or denied
-        auth_type : str
-            Function URL AuthType
+        url_invoke_permission_logical_id = f"{lambda_function.logical_id}URLInvokeAllowPublicAccess"
 
-        Returns
-        -------
-        LambdaPermission
-            The lambda permission appended to a function url resource with public access
-        """
         lambda_permission_attributes = self.get_passthrough_resource_attributes()
 
-        lambda_permission = LambdaPermission(logical_id=logical_id, attributes=lambda_permission_attributes)
-        lambda_permission.Action = action
-        lambda_permission.Principal = "*"
-        lambda_permission.FunctionName = (
+        lambda_invoke_permission = LambdaPermission(
+            logical_id=url_invoke_permission_logical_id, attributes=lambda_permission_attributes
+        )
+        lambda_invoke_permission.Action = FUNCTION_INVOKE_PERMISSION_ACTION
+        lambda_invoke_permission.Principal = "*"
+        lambda_invoke_permission.FunctionName = (
             lambda_alias.get_runtime_attr("arn") if lambda_alias else lambda_function.get_runtime_attr("name")
         )
-        if action == FUNCTION_URL_PUBLIC_PERMISSION_ACTION:
-            lambda_permission.FunctionUrlAuthType = auth_type
 
-        if action == FUNCTION_INVOKE_PERMISSION_ACTION:
-            lambda_permission.InvokedViaFunctionUrl = True
+        lambda_invoke_permission.InvokedViaFunctionUrl = True
 
-        return lambda_permission
+        return [lambda_url_public_permission, lambda_invoke_permission]
 
 
 class SamApi(SamResourceMacro):
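Review bot: The second statement grants `lambda:InvokeFunction` to `Principal = "*"`, and the only thing that appears to narrow it is `lambda_invoke_permission.InvokedViaFunctionUrl = True`, yet neither the code nor the docstring says that this property carries the restriction. With the helper inlined, that assignment sits several lines below the wildcard principal and could be dropped in a later edit without notice. I would put a comment directly above it, e.g. `# Principal "*" on lambda:InvokeFunction is acceptable only with InvokedViaFunctionUrl set; never emit this statement without it`, and have a unit test assert the property on the generated resource. The docstring summary still describes a single permission "for public access when AuthType is NONE" and should name both statements. Separately, `lambda_permission_attributes = self.get_passthrough_resource_attributes()` is now assigned twice with the same call, so the second assignment can go.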

From f8590719824801750b1e0b2c72afa51ee6091fdd Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Thu, 20 Mar 2025 00:17:12 +0000
Subject: [PATCH 05/13] lint

---
 samtranslator/model/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samtranslator/model/__init__.py b/samtranslator/model/__init__.py
index eee5c92a28..e47131793e 100644
--- a/samtranslator/model/__init__.py
+++ b/samtranslator/model/__init__.py
@@ -345,7 +345,7 @@ def validate_properties_and_return_model(self, cls: Type[RT]) -> RT:
         """
         try:
             return cls.parse_obj(self._generate_resource_dict()["Properties"])
-        except pydantic.error_wrappers.ValidationError as e:  # type: ignore
+        except pydantic.error_wrappers.ValidationError as e:
             error_properties: str = ""
             with suppress(KeyError):
                 error_properties = ".".join(str(x) for x in e.errors()[0]["loc"])

From d05942329d625a811a49dede346347c2bf42a303 Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Wed, 26 Mar 2025 22:08:30 +0000
Subject: [PATCH 06/13] test

---
 .cfnlintrc.yaml                      |  3 ++
 samtranslator/model/__init__.py      |  2 +-
 samtranslator/model/sam_resources.py | 78 +++++++++++++++++-----------
 tests/model/test_sam_resources.py    | 14 +++++
 4 files changed, 67 insertions(+), 30 deletions(-)

diff --git a/.cfnlintrc.yaml b/.cfnlintrc.yaml
index 23172d0767..67cdeeac3d 100644
--- a/.cfnlintrc.yaml
+++ b/.cfnlintrc.yaml
@@ -1,6 +1,9 @@
 templates:
   - tests/translator/output/**/*.json
 ignore_templates:
+  - tests/translator/output/**/function_with_function_url_config.json
+  - tests/translator/output/**/function_with_function_url_config_and_autopublishalias.json
+  - tests/translator/output/**/function_with_function_url_config_without_cors_config.json
   - tests/translator/output/**/error_*.json # Fail by design
   - tests/translator/output/**/api_http_paths_with_if_condition.json
   - tests/translator/output/**/api_http_paths_with_if_condition_no_value_else_case.json
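Review bot: The three `function_with_function_url_config*` outputs are added to `ignore_templates` with no reason given, unlike the `error_*.json` entry, which carries `# Fail by design`. These are the expected outputs that hold the new public Function URL permissions, so excluding them removes cfn-lint coverage exactly where the generated template changed. If the cause is that cfn-lint does not yet accept `InvokedViaFunctionUrl` (my guess, the patch does not say), record that on the entries, e.g. `# TODO: re-enable once cfn-lint accepts InvokedViaFunctionUrl`, so the exclusion does not become permanent.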
diff --git a/samtranslator/model/__init__.py b/samtranslator/model/__init__.py
index e47131793e..eee5c92a28 100644
--- a/samtranslator/model/__init__.py
+++ b/samtranslator/model/__init__.py
@@ -345,7 +345,7 @@ def validate_properties_and_return_model(self, cls: Type[RT]) -> RT:
         """
         try:
             return cls.parse_obj(self._generate_resource_dict()["Properties"])
-        except pydantic.error_wrappers.ValidationError as e:
+        except pydantic.error_wrappers.ValidationError as e:  # type: ignore
             error_properties: str = ""
             with suppress(KeyError):
                 error_properties = ".".join(str(x) for x in e.errors()[0]["loc"])
diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
index 708d3b8578..347c66aae2 100644
--- a/samtranslator/model/sam_resources.py
+++ b/samtranslator/model/sam_resources.py
@@ -133,8 +133,6 @@
 from .tags.resource_tagging import get_tag_list
 
 _CONDITION_CHAR_LIMIT = 255
-FUNCTION_URL_PUBLIC_PERMISSION_ACTION = "lambda:InvokeFunctionUrl"
-FUNCTION_INVOKE_PERMISSION_ACTION = "lambda:InvokeFunction"
 
 
 class SamFunction(SamResourceMacro):
@@ -322,8 +320,13 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def] # noqa: P
         if self.FunctionUrlConfig:
             lambda_url = self._construct_function_url(lambda_function, lambda_alias, self.FunctionUrlConfig)
             resources.append(lambda_url)
-            url_permissions = self._construct_url_permissions(lambda_function, lambda_alias, self.FunctionUrlConfig)
-            resources.extend(url_permissions)
+            url_permission = self._construct_url_permission(lambda_function, lambda_alias, self.FunctionUrlConfig)
+            invoke_dual_auth_permission = self._construct_invoke_dual_auth_permission(
+                lambda_function, lambda_alias, self.FunctionUrlConfig
+            )
+            if url_permission and invoke_dual_auth_permission:
+                resources.append(url_permission)
+                resources.append(invoke_dual_auth_permission)
 
         self._validate_deployment_preference_and_add_update_policy(
             kwargs.get("deployment_preference_collection"),
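Review bot: The guard `if url_permission and invoke_dual_auth_permission:` silently drops both permissions when only one helper returns a value, and nothing explains why the two must travel as a pair. `_construct_invoke_dual_auth_permission` is defined outside this hunk, so I cannot tell whether its conditions can ever differ from those of `_construct_url_permission`. If they cannot, a comment such as `# AuthType NONE needs both statements; emit them as a pair or not at all` documents the intent. If they can, a mismatch should be reported as an error rather than yielding a Function URL resource with no permission attached. `to_cloudformation` continues outside the hunk.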
@@ -1213,11 +1216,11 @@ def _validate_cors_config_parameter(
                     "{} must be of type {}.".format(prop_name, str(prop_type).split("'")[1]),
                 )
 
-    def _construct_url_permissions(
+    def _construct_url_permission(
         self, lambda_function: LambdaFunction, lambda_alias: Optional[LambdaAlias], function_url_config: Dict[str, Any]
-    ) -> List[LambdaPermission]:
+    ) -> Optional[LambdaPermission]:
         """
-        Construct the lambda permissions associated with the function url resource in a case
+        Construct the lambda permission associated with the function url resource in a case
         for public access when AuthType is NONE
 
         Parameters
@@ -1230,45 +1233,62 @@ def _construct_url_permissions(
 
         Returns
         -------
-        List[LambdaPermission]
-            The lambda permission appended to a function url resource with public access and the
-            Permission to invoke the function in general.
+        LambdaPermission
+            The lambda permission appended to a function url resource with public access
         """
         auth_type = function_url_config.get("AuthType")
 
         if auth_type not in ["NONE"] or is_intrinsic(function_url_config):
-            return []
-
-        url_public_permission_logical_id = f"{lambda_function.logical_id}UrlPublicPermissions"
+            return None
 
+        logical_id = f"{lambda_function.logical_id}UrlPublicPermissions"
         lambda_permission_attributes = self.get_passthrough_resource_attributes()
-
-        lambda_url_public_permission = LambdaPermission(
-            logical_id=url_public_permission_logical_id, attributes=lambda_permission_attributes
-        )
-        lambda_url_public_permission.Action = FUNCTION_URL_PUBLIC_PERMISSION_ACTION
-        lambda_url_public_permission.Principal = "*"
-        lambda_url_public_permission.FunctionName = (
+        lambda_permission = LambdaPermission(logical_id=logical_id, attributes=lambda_permission_attributes)
+        lambda_permission.Action = "lambda:InvokeFunctionUrl"
+        lambda_permission.FunctionName = (
             lambda_alias.get_runtime_attr("arn") if lambda_alias else lambda_function.get_runtime_attr("name")
         )
-        lambda_url_public_permission.FunctionUrlAuthType = auth_type
+        lambda_permission.Principal = "*"
+        lambda_permission.FunctionUrlAuthType = auth_type
+        return lambda_permission
 
-        url_invoke_permission_logical_id = f"{lambda_function.logical_id}URLInvokeAllowPublicAccess"
+    def _construct_invoke_dual_auth_permission(
+        self, lambda_function: LambdaFunction, lambda_alias: Optional[LambdaAlias], function_url_config: Dict[str, Any]
+    ) -> Optional[LambdaPermission]:
+        """
+        Construct the lambda permission associated with the function invoke resource in a case
+        for public access when AuthType is NONE
 
-        lambda_permission_attributes = self.get_passthrough_resource_attributes()
+        Parameters
+        ----------
+        lambda_function : LambdaUrl
+            Lambda Function resource
 
-        lambda_invoke_permission = LambdaPermission(
-            logical_id=url_invoke_permission_logical_id, attributes=lambda_permission_attributes
-        )
-        lambda_invoke_permission.Action = FUNCTION_INVOKE_PERMISSION_ACTION
+        lambda_alias : LambdaAlias
+            Lambda Alias resource
+
+        Returns
+        -------
+        LambdaPermission
+            The lambda permission appended to a function that allow function invoke only from Function URL
+        """
+        # create lambda:InvokeFunction with InvokedViaFunctionUrl=True
+        auth_type = function_url_config.get("AuthType")
+
+        if auth_type not in ["NONE"] or is_intrinsic(function_url_config):
+            return None
+
+        logical_id = f"{lambda_function.logical_id}URLInvokeAllowPublicAccess"
+        lambda_permission_attributes = self.get_passthrough_resource_attributes()
+        lambda_invoke_permission = LambdaPermission(logical_id=logical_id, attributes=lambda_permission_attributes)
+        lambda_invoke_permission.Action = "lambda:InvokeFunction"
         lambda_invoke_permission.Principal = "*"
         lambda_invoke_permission.FunctionName = (
             lambda_alias.get_runtime_attr("arn") if lambda_alias else lambda_function.get_runtime_attr("name")
         )
-
         lambda_invoke_permission.InvokedViaFunctionUrl = True
 
-        return [lambda_url_public_permission, lambda_invoke_permission]
+        return lambda_invoke_permission
 
 
 class SamApi(SamResourceMacro):
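Review bot: In `_construct_invoke_dual_auth_permission` the grant of `lambda:InvokeFunction` to `Principal = "*"` is narrowed only by `InvokedViaFunctionUrl = True`, and the one-line comment above the guard does not say why that matters. As far as I can tell, without that property the statement would let any principal invoke the function directly, so the assignment deserves a why-comment such as `# Wildcard principal is acceptable only with InvokedViaFunctionUrl; never emit this permission without it`. The new docstring also types `lambda_function` as `LambdaUrl` where the signature says `LambdaFunction`, and it leaves `function_url_config` undocumented. In both helpers `is_intrinsic(function_url_config)` tests the whole config rather than `auth_type`; an intrinsic `AuthType` is presumably already rejected by the `not in ["NONE"]` test, so a short comment stating the intent would help the next reader.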
diff --git a/tests/model/test_sam_resources.py b/tests/model/test_sam_resources.py
index da1ea963df..b53649f107 100644
--- a/tests/model/test_sam_resources.py
+++ b/tests/model/test_sam_resources.py
@@ -593,6 +593,20 @@ def test_with_valid_function_url_config_with_lambda_permission(self):
             if permission.Action == "lambda:InvokeFunction":
                 self.assertEqual(permission.InvokedViaFunctionUrl, True)
 
+    @patch("boto3.session.Session.region_name", "ap-southeast-1")
+    def test_with_aws_iam_function_url_config_with_lambda_permission(self):
+        function = SamFunction("foo")
+        function.CodeUri = "s3://foobar/foo.zip"
+        function.Runtime = "foo"
+        function.Handler = "bar"
+        # When create FURL with AWS_IAM
+        function.FunctionUrlConfig = {"AuthType": "AWS_IAM"}
+
+        cfnResources = function.to_cloudformation(**self.kwargs)
+        generatedUrlList = [x for x in cfnResources if isinstance(x, LambdaPermission)]
+        # Then no permisssion should be auto created
+        self.assertEqual(generatedUrlList.__len__(), 0)
+
     @patch("boto3.session.Session.region_name", "ap-southeast-1")
     def test_with_invalid_function_url_config_with_authorization_type_value_as_None(self):
         function = SamFunction("foo")
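Review bot: `self.assertEqual(generatedUrlList.__len__(), 0)` calls the dunder method directly; `self.assertEqual(generatedUrlList, [])` is the idiomatic form and shows the unexpected resources when the assertion fails. The list holds `LambdaPermission` objects, so a name such as `permissions` would describe it better than `generatedUrlList`, and the comment above the assertion has a typo (`permisssion`). The test covers `AWS_IAM` only; a case where `AuthType` is an intrinsic would pin the other branch of the guard in the two permission helpers.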

From 8fd1cdccbd3e7a4dd661763bb3ee7b7126c9ed74 Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Wed, 26 Mar 2025 22:10:41 +0000
Subject: [PATCH 07/13] ignore

---
 samtranslator/model/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samtranslator/model/__init__.py b/samtranslator/model/__init__.py
index eee5c92a28..e47131793e 100644
--- a/samtranslator/model/__init__.py
+++ b/samtranslator/model/__init__.py
@@ -345,7 +345,7 @@ def validate_properties_and_return_model(self, cls: Type[RT]) -> RT:
         """
         try:
             return cls.parse_obj(self._generate_resource_dict()["Properties"])
-        except pydantic.error_wrappers.ValidationError as e:  # type: ignore
+        except pydantic.error_wrappers.ValidationError as e:
             error_properties: str = ""
             with suppress(KeyError):
                 error_properties = ".".join(str(x) for x in e.errors()[0]["loc"])

From 6ee36f667d556fcbda4c4743d25cf405c0f98cd2 Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Fri, 18 Apr 2025 22:30:09 +0000
Subject: [PATCH 08/13] Add integ test for Dual auth

---
 ..._function_with_function_url_dual_auth.json | 22 ++++++
 ...n_url_with_autopuplishalias_dual_auth.json | 30 ++++++++
 ..._function_with_function_url_dual_auth.yaml | 27 +++++++
 ...n_url_with_autopuplishalias_dual_auth.yaml | 28 ++++++++
 integration/single/test_basic_function.py     | 72 +++++++++++++++++++
 5 files changed, 179 insertions(+)
 create mode 100644 integration/resources/expected/single/basic_function_with_function_url_dual_auth.json
 create mode 100644 integration/resources/expected/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.json
 create mode 100644 integration/resources/templates/single/basic_function_with_function_url_dual_auth.yaml
 create mode 100644 integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.yaml

diff --git a/integration/resources/expected/single/basic_function_with_function_url_dual_auth.json b/integration/resources/expected/single/basic_function_with_function_url_dual_auth.json
new file mode 100644
index 0000000000..e1132a9524
--- /dev/null
+++ b/integration/resources/expected/single/basic_function_with_function_url_dual_auth.json
@@ -0,0 +1,22 @@
+[
+  {
+    "LogicalResourceId": "MyLambdaFunction",
+    "ResourceType": "AWS::Lambda::Function"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionUrl",
+    "ResourceType": "AWS::Lambda::Url"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionUrlPublicPermissions",
+    "ResourceType": "AWS::Lambda::Permission"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionURLInvokeAllowPublicAccess",
+    "ResourceType": "AWS::Lambda::Permission"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionRole",
+    "ResourceType": "AWS::IAM::Role"
+  }
+]
diff --git a/integration/resources/expected/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.json b/integration/resources/expected/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.json
new file mode 100644
index 0000000000..fef523859c
--- /dev/null
+++ b/integration/resources/expected/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.json
@@ -0,0 +1,30 @@
+[
+  {
+    "LogicalResourceId": "MyLambdaFunction",
+    "ResourceType": "AWS::Lambda::Function"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionRole",
+    "ResourceType": "AWS::IAM::Role"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionVersion",
+    "ResourceType": "AWS::Lambda::Version"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionAliaslive",
+    "ResourceType": "AWS::Lambda::Alias"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionUrlPublicPermissions",
+    "ResourceType": "AWS::Lambda::Permission"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionURLInvokeAllowPublicAccess",
+    "ResourceType": "AWS::Lambda::Permission"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionUrl",
+    "ResourceType": "AWS::Lambda::Url"
+  }
+]
diff --git a/integration/resources/templates/single/basic_function_with_function_url_dual_auth.yaml b/integration/resources/templates/single/basic_function_with_function_url_dual_auth.yaml
new file mode 100644
index 0000000000..aefab5730b
--- /dev/null
+++ b/integration/resources/templates/single/basic_function_with_function_url_dual_auth.yaml
@@ -0,0 +1,27 @@
+Resources:
+  MyLambdaFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: index.handler
+      Runtime: nodejs18.x
+      CodeUri: ${codeuri}
+      MemorySize: 128
+      FunctionUrlConfig:
+        AuthType: NONE
+        Cors:
+          AllowOrigins:
+          - https://foo.com
+          AllowMethods:
+          - POST
+          AllowCredentials: true
+          AllowHeaders:
+          - x-Custom-Header
+          ExposeHeaders:
+          - x-amzn-header
+          MaxAge: 10
+Outputs:
+  FunctionUrl:
+    Description: "URL of the Lambda function"
+    Value: !GetAtt MyLambdaFunctionUrl.FunctionUrl
+Metadata:
+  SamTransformTest: true
diff --git a/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.yaml b/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.yaml
new file mode 100644
index 0000000000..ff57b6ecb7
--- /dev/null
+++ b/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.yaml
@@ -0,0 +1,28 @@
+Resources:
+  MyLambdaFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: index.handler
+      Runtime: nodejs18.x
+      CodeUri: ${codeuri}
+      MemorySize: 128
+      AutoPublishAlias: live
+      FunctionUrlConfig:
+        AuthType: NONE
+        Cors:
+          AllowOrigins:
+          - https://foo.com
+          AllowMethods:
+          - POST
+          AllowCredentials: true
+          AllowHeaders:
+          - x-Custom-Header
+          ExposeHeaders:
+          - x-amzn-header
+          MaxAge: 10
+Outputs:
+  FunctionUrl:
+    Description: "URL of the Lambda function alias"
+    Value: !GetAtt MyLambdaFunctionUrl.FunctionUrl
+Metadata:
+  SamTransformTest: true
diff --git a/integration/single/test_basic_function.py b/integration/single/test_basic_function.py
index 5678130c6d..249b66d7ce 100644
--- a/integration/single/test_basic_function.py
+++ b/integration/single/test_basic_function.py
@@ -130,6 +130,78 @@ def test_basic_function_with_url_config(self, file_name, qualifier):
         self.assertEqual(function_url_config["Cors"], cors_config)
         self._assert_invoke(lambda_client, function_name, qualifier, 200)
 
+
+    @parameterized.expand(
+        [
+            ("single/basic_function_with_function_url_dual_auth", None),
+            ("single/basic_function_with_function_url_with_autopuplishalias_dual_auth", "live"),
+        ]
+    )
+    @skipIf(current_region_does_not_support([LAMBDA_URL]), "Lambda Url is not supported in this testing region")
+    def test_basic_function_with_url_dual_auth(self, file_name, qualifier):
+        """
+        Creates a basic lambda function with Function Url with authtype: None
+        Verifies that 2 AWS::Lambda::Permission resources are created:
+        - lambda:InvokeFunctionUrl
+        - lambda:InvokeFunction with InvokedViaFunctionUrl: True
+        """
+        self.create_and_verify_stack(file_name)
+
+        # Get Lambda permissions
+        lambda_permissions = self.get_stack_resources("AWS::Lambda::Permission")
+        
+        # Verify we have exactly 2 permissions
+        self.assertEqual(len(lambda_permissions), 2, "Expected exactly 2 Lambda permissions")
+        
+        # Check for the expected permission logical IDs
+        invoke_function_url_permission = None
+        invoke_permission = None
+        
+        for permission in lambda_permissions:
+            logical_id = permission["LogicalResourceId"]
+            if "MyLambdaFunctionUrlPublicPermissions" in logical_id:
+                invoke_function_url_permission = permission
+            elif "MyLambdaFunctionURLInvokeAllowPublicAccess" in logical_id:
+                invoke_permission = permission
+        
+        # Verify both permissions exist
+        self.assertIsNotNone(invoke_function_url_permission, "Expected MyLambdaFunctionUrlPublicPermissions to exist")
+        self.assertIsNotNone(invoke_permission, "Expected MyLambdaFunctionURLInvokeAllowPublicAccess to exist")
+        
+        # Get the function name and URL
+        function_name = self.get_physical_id_by_type("AWS::Lambda::Function")
+        lambda_client = self.client_provider.lambda_client
+        
+
+        
+        # Get the function URL configuration to verify auth type
+        function_url_config = (
+            lambda_client.get_function_url_config(FunctionName=function_name, Qualifier=qualifier)
+            if qualifier
+            else lambda_client.get_function_url_config(FunctionName=function_name)
+        )
+        
+        # Verify the auth type is NONE
+        self.assertEqual(function_url_config["AuthType"], "NONE", "Expected AuthType to be NONE")
+        
+        # Get the template to check for InvokedViaFunctionUrl property
+        cfn_client = self.client_provider.cfn_client
+        template = cfn_client.get_template(StackName=self.stack_name)
+        template_body = template["TemplateBody"]
+        
+        # Check if the InvokePermission has InvokedViaFunctionUrl: True
+        # This is a bit hacky but we don't have direct access to the resource properties
+        # We're checking if the string representation of the template contains this property
+        template_str = str(template_body)
+        self.assertIn("InvokedViaFunctionUrl", template_str, 
+                     "Expected InvokedViaFunctionUrl property in the template")
+        
+        # Get the function URL from stack outputs
+        function_url = self.get_stack_output("FunctionUrl")["OutputValue"]
+        # Invoke the function URL and verify the response
+        self._verify_get_request(function_url, self.FUNCTION_OUTPUT)
+
+
     @skipIf(current_region_does_not_support([CODE_DEPLOY]), "CodeDeploy is not supported in this testing region")
     def test_function_with_deployment_preference_alarms_intrinsic_if(self):
         self.create_and_verify_stack("single/function_with_deployment_preference_alarms_intrinsic_if")
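Review bot: The `assertIn("InvokedViaFunctionUrl", template_str, ...)` check in `test_basic_function_with_url_dual_auth` passes if the string appears anywhere in the template, so it proves neither that the value is true nor that it sits on the `lambda:InvokeFunction` permission. Since that property is what restricts the wildcard-principal grant, the test should read it from the resource itself, assuming `get_template` returns the processed template as a parsed mapping: `props = template_body["Resources"]["MyLambdaFunctionURLInvokeAllowPublicAccess"]["Properties"]` followed by `self.assertIs(props["InvokedViaFunctionUrl"], True)`. The test also only exercises the allowed path through the URL; a negative check that a direct invoke without the URL is refused would confirm the restriction is effective.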

From b785e3e919a125b7015b2b30ebc4e361378bdb8e Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Fri, 18 Apr 2025 22:33:45 +0000
Subject: [PATCH 09/13] lint

---
 ..._function_with_function_url_dual_auth.yaml |  2 +-
 ...n_url_with_autopuplishalias_dual_auth.yaml |  2 +-
 integration/single/test_basic_function.py     | 25 ++++++++-----------
 samtranslator/schema/schema.json              |  6 ++---
 4 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/integration/resources/templates/single/basic_function_with_function_url_dual_auth.yaml b/integration/resources/templates/single/basic_function_with_function_url_dual_auth.yaml
index aefab5730b..4274a39477 100644
--- a/integration/resources/templates/single/basic_function_with_function_url_dual_auth.yaml
+++ b/integration/resources/templates/single/basic_function_with_function_url_dual_auth.yaml
@@ -21,7 +21,7 @@ Resources:
           MaxAge: 10
 Outputs:
   FunctionUrl:
-    Description: "URL of the Lambda function"
+    Description: URL of the Lambda function
     Value: !GetAtt MyLambdaFunctionUrl.FunctionUrl
 Metadata:
   SamTransformTest: true
diff --git a/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.yaml b/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.yaml
index ff57b6ecb7..c78bbb3e35 100644
--- a/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.yaml
+++ b/integration/resources/templates/single/basic_function_with_function_url_with_autopuplishalias_dual_auth.yaml
@@ -22,7 +22,7 @@ Resources:
           MaxAge: 10
 Outputs:
   FunctionUrl:
-    Description: "URL of the Lambda function alias"
+    Description: URL of the Lambda function alias
     Value: !GetAtt MyLambdaFunctionUrl.FunctionUrl
 Metadata:
   SamTransformTest: true
diff --git a/integration/single/test_basic_function.py b/integration/single/test_basic_function.py
index 249b66d7ce..4896c35f57 100644
--- a/integration/single/test_basic_function.py
+++ b/integration/single/test_basic_function.py
@@ -130,7 +130,6 @@ def test_basic_function_with_url_config(self, file_name, qualifier):
         self.assertEqual(function_url_config["Cors"], cors_config)
         self._assert_invoke(lambda_client, function_name, qualifier, 200)
 
-
     @parameterized.expand(
         [
             ("single/basic_function_with_function_url_dual_auth", None),
@@ -149,59 +148,55 @@ def test_basic_function_with_url_dual_auth(self, file_name, qualifier):
 
         # Get Lambda permissions
         lambda_permissions = self.get_stack_resources("AWS::Lambda::Permission")
-        
+
         # Verify we have exactly 2 permissions
         self.assertEqual(len(lambda_permissions), 2, "Expected exactly 2 Lambda permissions")
-        
+
         # Check for the expected permission logical IDs
         invoke_function_url_permission = None
         invoke_permission = None
-        
+
         for permission in lambda_permissions:
             logical_id = permission["LogicalResourceId"]
             if "MyLambdaFunctionUrlPublicPermissions" in logical_id:
                 invoke_function_url_permission = permission
             elif "MyLambdaFunctionURLInvokeAllowPublicAccess" in logical_id:
                 invoke_permission = permission
-        
+
         # Verify both permissions exist
         self.assertIsNotNone(invoke_function_url_permission, "Expected MyLambdaFunctionUrlPublicPermissions to exist")
         self.assertIsNotNone(invoke_permission, "Expected MyLambdaFunctionURLInvokeAllowPublicAccess to exist")
-        
+
         # Get the function name and URL
         function_name = self.get_physical_id_by_type("AWS::Lambda::Function")
         lambda_client = self.client_provider.lambda_client
-        
 
-        
         # Get the function URL configuration to verify auth type
         function_url_config = (
             lambda_client.get_function_url_config(FunctionName=function_name, Qualifier=qualifier)
             if qualifier
             else lambda_client.get_function_url_config(FunctionName=function_name)
         )
-        
+
         # Verify the auth type is NONE
         self.assertEqual(function_url_config["AuthType"], "NONE", "Expected AuthType to be NONE")
-        
+
         # Get the template to check for InvokedViaFunctionUrl property
         cfn_client = self.client_provider.cfn_client
         template = cfn_client.get_template(StackName=self.stack_name)
         template_body = template["TemplateBody"]
-        
+
         # Check if the InvokePermission has InvokedViaFunctionUrl: True
         # This is a bit hacky but we don't have direct access to the resource properties
         # We're checking if the string representation of the template contains this property
         template_str = str(template_body)
-        self.assertIn("InvokedViaFunctionUrl", template_str, 
-                     "Expected InvokedViaFunctionUrl property in the template")
-        
+        self.assertIn("InvokedViaFunctionUrl", template_str, "Expected InvokedViaFunctionUrl property in the template")
+
         # Get the function URL from stack outputs
         function_url = self.get_stack_output("FunctionUrl")["OutputValue"]
         # Invoke the function URL and verify the response
         self._verify_get_request(function_url, self.FUNCTION_OUTPUT)
 
-
     @skipIf(current_region_does_not_support([CODE_DEPLOY]), "CodeDeploy is not supported in this testing region")
     def test_function_with_deployment_preference_alarms_intrinsic_if(self):
         self.create_and_verify_stack("single/function_with_deployment_preference_alarms_intrinsic_if")
diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json
index 4c0d122db3..aed4e150db 100644
--- a/samtranslator/schema/schema.json
+++ b/samtranslator/schema/schema.json
@@ -41962,7 +41962,7 @@
           "type": "string"
         },
         "Type": {
-          "markdownDescription": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name.",
+          "markdownDescription": "The type of webhook filter. There are 11 webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , `REPOSITORY_NAME` , `ORGANIZATION_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . 
For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with push and pull request events only.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with push and pull request events only.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression `pattern` .\n\n> Works with GitHub global or organization webhooks only.\n- ORGANIZATION_NAME\n\n- A webhook triggers a build when the organization name matches the regular expression `pattern` .\n\n> Works with GitHub global webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name.",
           "title": "Type",
           "type": "string"
         }
@@ -62816,7 +62816,7 @@
               "type": "string"
             },
             "ServerHostname": {
-              "markdownDescription": "Specifies the domain name or IP address of the SMB file server that your DataSync agent will mount.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
+              "markdownDescription": "Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
               "title": "ServerHostname",
               "type": "string"
             },
@@ -93223,7 +93223,7 @@
           "type": "boolean"
         },
         "Mode": {
-          "markdownDescription": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
+          "markdownDescription": "The client certificate handling method. Options are `off` , `passthrough` or `verify` . The default value is `off` .",
           "title": "Mode",
           "type": "string"
         },

From ba859e60d0885e62d5786e37ddf676b8f253abb4 Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Fri, 18 Apr 2025 22:36:13 +0000
Subject: [PATCH 10/13] revert schema

---
 schema_source/cloudformation-docs.json | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/schema_source/cloudformation-docs.json b/schema_source/cloudformation-docs.json
index 07bae4b16e..41a09c2698 100644
--- a/schema_source/cloudformation-docs.json
+++ b/schema_source/cloudformation-docs.json
@@ -8425,7 +8425,7 @@
     "AWS::CodeBuild::Project WebhookFilter": {
       "ExcludeMatchedPattern": "Used to indicate that the `pattern` determines which webhook events do not trigger a build. If true, then a webhook event that does not match the `pattern` triggers a build. If false, then a webhook event that matches the `pattern` triggers a build.",
       "Pattern": "For a `WebHookFilter` that uses `EVENT` type, a comma-separated string that specifies one or more events. For example, the webhook filter `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` allows all push, pull request created, and pull request updated events to trigger a build.\n\nFor a `WebHookFilter` that uses any of the other filter types, a regular expression pattern. For example, a `WebHookFilter` that uses `HEAD_REF` for its `type` and the pattern `^refs/heads/` triggers a build when the head reference is a branch with a reference name `refs/heads/branch-name` .",
-      "Type": "The type of webhook filter. There are nine webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. 
Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression pattern.\n\n> Works with GitHub global or organization webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name."
+      "Type": "The type of webhook filter. There are 11 webhook filter types: `EVENT` , `ACTOR_ACCOUNT_ID` , `HEAD_REF` , `BASE_REF` , `FILE_PATH` , `COMMIT_MESSAGE` , `TAG_NAME` , `RELEASE_NAME` , `REPOSITORY_NAME` , `ORGANIZATION_NAME` , and `WORKFLOW_NAME` .\n\n- EVENT\n\n- A webhook event triggers a build when the provided `pattern` matches one of nine event types: `PUSH` , `PULL_REQUEST_CREATED` , `PULL_REQUEST_UPDATED` , `PULL_REQUEST_CLOSED` , `PULL_REQUEST_REOPENED` , `PULL_REQUEST_MERGED` , `RELEASED` , `PRERELEASED` , and `WORKFLOW_JOB_QUEUED` . The `EVENT` patterns are specified as a comma-separated string. For example, `PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED` filters all push, pull request created, and pull request updated events.\n\n> Types `PULL_REQUEST_REOPENED` and `WORKFLOW_JOB_QUEUED` work with GitHub and GitHub Enterprise only. Types `RELEASED` and `PRERELEASED` work with GitHub only.\n- ACTOR_ACCOUNT_ID\n\n- A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression `pattern` .\n- HEAD_REF\n\n- A webhook event triggers a build when the head reference matches the regular expression `pattern` . For example, `refs/heads/branch-name` and `refs/tags/tag-name` .\n\n> Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.\n- BASE_REF\n\n- A webhook event triggers a build when the base reference matches the regular expression `pattern` . 
For example, `refs/heads/branch-name` .\n\n> Works with pull request events only.\n- FILE_PATH\n\n- A webhook triggers a build when the path of a changed file matches the regular expression `pattern` .\n\n> Works with push and pull request events only.\n- COMMIT_MESSAGE\n\n- A webhook triggers a build when the head commit message matches the regular expression `pattern` .\n\n> Works with push and pull request events only.\n- TAG_NAME\n\n- A webhook triggers a build when the tag name of the release matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- RELEASE_NAME\n\n- A webhook triggers a build when the release name matches the regular expression `pattern` .\n\n> Works with `RELEASED` and `PRERELEASED` events only.\n- REPOSITORY_NAME\n\n- A webhook triggers a build when the repository name matches the regular expression `pattern` .\n\n> Works with GitHub global or organization webhooks only.\n- ORGANIZATION_NAME\n\n- A webhook triggers a build when the organization name matches the regular expression `pattern` .\n\n> Works with GitHub global webhooks only.\n- WORKFLOW_NAME\n\n- A webhook triggers a build when the workflow name matches the regular expression `pattern` .\n\n> Works with `WORKFLOW_JOB_QUEUED` events only. > For CodeBuild-hosted Buildkite runner builds, WORKFLOW_NAME filters will filter by pipeline name."
     },
     "AWS::CodeBuild::ReportGroup": {
       "DeleteReports": "When deleting a report group, specifies if reports within the report group should be deleted.\n\n- **true** - Deletes any reports that belong to the report group before deleting the report group.\n- **false** - You must delete any reports in the report group. This is the default value. If you delete a report group that contains one or more reports, an exception is thrown.",
@@ -12187,7 +12187,7 @@
       "KerberosPrincipal": "Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.\n\nA Kerberos principal might look like `HOST/kerberosuser@MYDOMAIN.ORG` .\n\nPrincipal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn\u2019t exactly match the principal that you use to create the keytab file.",
       "MountOptions": "Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.",
       "Password": "Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer. This parameter applies only if `AuthenticationType` is set to `NTLM` .",
-      "ServerHostname": "Specifies the domain name or IP address of the SMB file server that your DataSync agent will mount.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
+      "ServerHostname": "Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.",
       "Subdirectory": "Specifies the name of the share exported by your SMB file server where DataSync will read or write data. You can include a subdirectory in the share path (for example, `/path/to/subdirectory` ). Make sure that other SMB clients in your network can also mount this path.\n\nTo copy all data in the subdirectory, DataSync must be able to mount the SMB share and access all of its data. For more information, see [Providing DataSync access to SMB file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) .",
       "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.",
       "User": "Specifies the user that can mount and access the files, folders, and file metadata in your SMB file server. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nFor information about choosing a user with the right level of access for your transfer, see [Providing DataSync access to SMB file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) ."
@@ -15259,6 +15259,8 @@
       "GatewayLoadBalancerArns": "The Amazon Resource Names (ARNs) of the Gateway Load Balancers.",
       "NetworkLoadBalancerArns": "The Amazon Resource Names (ARNs) of the Network Load Balancers.",
       "PayerResponsibility": "The entity that is responsible for the endpoint costs. The default is the endpoint owner. If you set the payer responsibility to the service owner, you cannot set it back to the endpoint owner.",
+      "SupportedIpAddressTypes": "The supported IP address types. The possible values are `ipv4` and `ipv6` .",
+      "SupportedRegions": "The Regions from which service consumers can access the service.",
       "Tags": "The tags to associate with the service."
     },
     "AWS::EC2::VPCEndpointService Tag": {
@@ -17454,9 +17456,9 @@
       "Value": "The value of the attribute."
     },
     "AWS::ElasticLoadBalancingV2::Listener MutualAuthentication": {
-      "AdvertiseTrustStoreCaNames": "Indicates whether trust store CA certificate names are advertised. The default value is `off` .",
+      "AdvertiseTrustStoreCaNames": "Indicates whether trust store CA certificate names are advertised.",
       "IgnoreClientCertificateExpiry": "Indicates whether expired client certificates are ignored.",
-      "Mode": "The client certificate handling method. The possible values are `off` , `passthrough` , and `verify` . The default value is `off` .",
+      "Mode": "The client certificate handling method. Options are `off` , `passthrough` or `verify` . The default value is `off` .",
       "TrustStoreArn": "The Amazon Resource Name (ARN) of the trust store."
     },
     "AWS::ElasticLoadBalancingV2::Listener RedirectConfig": {
@@ -23672,7 +23674,7 @@
       "GatewayCapabilitySummaries": "A list of gateway capability summaries that each contain a namespace and status. Each gateway capability defines data sources for the gateway. To retrieve a capability configuration's definition, use [DescribeGatewayCapabilityConfiguration](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribeGatewayCapabilityConfiguration.html) .",
       "GatewayName": "A unique name for the gateway.",
       "GatewayPlatform": "The gateway's platform. You can only specify one platform in a gateway.",
-      "GatewayVersion": "",
+      "GatewayVersion": "The version of the gateway. A value of `3` indicates an MQTT-enabled, V3 gateway, while `2` indicates a Classic streams, V2 gateway.",
       "Tags": "A list of key-value pairs that contain metadata for the gateway. For more information, see [Tagging your AWS IoT SiteWise resources](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/tag-resources.html) in the *AWS IoT SiteWise User Guide* ."
     },
     "AWS::IoTSiteWise::Gateway GatewayCapabilitySummary": {
@@ -27943,7 +27945,7 @@
       "Protocol": "The network source protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only."
     },
     "AWS::MediaConnect::BridgeSource MulticastSourceSettings": {
-      "MulticastSourceIp": ""
+      "MulticastSourceIp": "The IP address of the source for source-specific multicast (SSM)."
     },
     "AWS::MediaConnect::BridgeSource VpcInterfaceAttachment": {
       "VpcInterfaceName": "The name of the VPC interface to use for this resource."
@@ -28031,6 +28033,16 @@
       "InputConfigurations": "The media streams that you want to associate with the source.",
       "MediaStreamName": "A name that helps you distinguish one media stream from another."
     },
+    "AWS::MediaConnect::Flow NdiConfig": {
+      "MachineName": "A prefix for the names of the NDI sources that the flow creates. If a custom name isn't specified, MediaConnect generates a unique 12-character ID as the prefix.",
+      "NdiDiscoveryServers": "A list of up to three NDI discovery server configurations. While not required by the API, this configuration is necessary for NDI functionality to work properly.",
+      "NdiState": "A setting that controls whether NDI outputs can be used in the flow. Must be ENABLED to add NDI outputs. Default is DISABLED."
+    },
+    "AWS::MediaConnect::Flow NdiDiscoveryServerConfig": {
+      "DiscoveryServerAddress": "The unique network address of the NDI discovery server.",
+      "DiscoveryServerPort": "The port for the NDI discovery server. Defaults to 5959 if a custom port isn't specified.",
+      "VpcInterfaceAdapter": "The identifier for the Virtual Private Cloud (VPC) network interface used by the flow."
+    },
     "AWS::MediaConnect::Flow SilentAudio": {
       "State": "Indicates whether the `SilentAudio` metric is enabled or disabled.",
       "ThresholdSeconds": "Specifies the number of consecutive seconds of silence that triggers an event or alert."
@@ -46273,7 +46285,7 @@
     "AWS::SSMQuickSetup::ConfigurationManager ConfigurationDefinition": {
       "LocalDeploymentAdministrationRoleArn": "The ARN of the IAM role used to administrate local configuration deployments.",
       "LocalDeploymentExecutionRoleName": "The name of the IAM role used to deploy local configurations.",
-      "Parameters": "The parameters for the configuration definition type. Parameters for configuration definitions vary based the configuration type. The following lists outline the parameters for each configuration type.\n\n- **AWS Config Recording (Type: AWS QuickSetupType-CFGRecording)** - - `RecordAllResources`\n\n- Description: (Optional) A boolean value that determines whether all supported resources are recorded. The default value is \" `true` \".\n- `ResourceTypesToRecord`\n\n- Description: (Optional) A comma separated list of resource types you want to record.\n- `RecordGlobalResourceTypes`\n\n- Description: (Optional) A boolean value that determines whether global resources are recorded with all resource configurations. The default value is \" `false` \".\n- `GlobalResourceTypesRegion`\n\n- Description: (Optional) Determines the AWS Region where global resources are recorded.\n- `UseCustomBucket`\n\n- Description: (Optional) A boolean value that determines whether a custom Amazon S3 bucket is used for delivery. The default value is \" `false` \".\n- `DeliveryBucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want AWS Config to deliver configuration snapshots and configuration history files to.\n- `DeliveryBucketPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `NotificationOptions`\n\n- Description: (Optional) Determines the notification configuration for the recorder. The valid values are `NoStreaming` , `UseExistingTopic` , and `CreateTopic` . The default value is `NoStreaming` .\n- `CustomDeliveryTopicAccountId`\n\n- Description: (Optional) The ID of the AWS account where the Amazon SNS topic you want to use for notifications resides. You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `CustomDeliveryTopicName`\n\n- Description: (Optional) The name of the Amazon SNS topic you want to use for notifications. 
You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(7 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Change Manager (Type: AWS QuickSetupType-SSMChangeMgr)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `JobFunction`\n\n- Description: (Required) The name for the Change Manager job function.\n- `PermissionType`\n\n- Description: (Optional) Specifies whether you want to use default administrator permissions for the job function role, or provide a custom IAM policy. The valid values are `CustomPermissions` and `AdminPermissions` . The default value for the parameter is `CustomerPermissions` .\n- `CustomPermissions`\n\n- Description: (Optional) A JSON string containing the IAM policy you want your job function to use. 
You must provide a value for this parameter if you specify `CustomPermissions` for the `PermissionType` parameter.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Conformance Packs (Type: AWS QuickSetupType-CFGCPacks)** - - `DelegatedAccountId`\n\n- Description: (Optional) The ID of the delegated administrator account. This parameter is required for Organization deployments.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `none` \".\n- `CPackNames`\n\n- Description: (Required) A comma separated list of AWS Config conformance packs.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Default Host Management Configuration (Type: AWS QuickSetupType-DHMC)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. 
The default value is \" `true` \".\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **DevOps\u00a0Guru (Type: AWS QuickSetupType-DevOpsGuru)** - - `AnalyseAllResources`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru analyzes all AWS CloudFormation stacks in the account. The default value is \" `false` \".\n- `EnableSnsNotifications`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru sends notifications when an insight is created. The default value is \" `true` \".\n- `EnableSsmOpsItems`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru creates an OpsCenter OpsItem when an insight is created. The default value is \" `true` \".\n- `EnableDriftRemediation`\n\n- Description: (Optional) A boolean value that determines whether a drift remediation schedule is used. The default value is \" `false` \".\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Distributor (Type: AWS QuickSetupType-Distributor)** - - `PackagesToInstall`\n\n- Description: (Required) A comma separated list of packages you want to install on the target instances. The valid values are `AWSEFSTools` , `AWSCWAgent` , and `AWSEC2LaunchAgent` .\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `rate(30 days)` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. 
You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Host Management (Type: AWS QuickSetupType-SSMHostMgmt)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. The default value is \" `true` \".\n- `UpdateEc2LaunchAgent`\n\n- Description: (Optional) A boolean value that determines whether the EC2 Launch agent is updated on the target instances every month. The default value is \" `false` \".\n- `CollectInventory`\n\n- Description: (Optional) A boolean value that determines whether instance metadata is collected on the target instances every 30 minutes. The default value is \" `true` \".\n- `ScanInstances`\n\n- Description: (Optional) A boolean value that determines whether the target instances are scanned daily for available patches. The default value is \" `true` \".\n- `InstallCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is installed on the target instances. 
The default value is \" `false` \".\n- `UpdateCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is updated on the target instances every month. The default value is \" `false` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Optional) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Optional) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Optional) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **OpsCenter (Type: AWS QuickSetupType-SSMOpsCenter)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Patch Policy (Type: AWS QuickSetupType-PatchPolicy)** - - `PatchPolicyName`\n\n- Description: (Required) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag.\n- `SelectedPatchBaselines`\n\n- Description: (Required) An array of JSON objects containing the information for the patch baselines to include in your patch policy.\n- `PatchBaselineUseDefault`\n\n- Description: (Optional) A boolean value that determines whether the selected patch baselines are all AWS provided.\n- `ConfigurationOptionsPatchOperation`\n\n- Description: (Optional) Determines whether target instances scan for available patches, or scan and install available patches. The valid values are `Scan` and `ScanAndInstall` . 
The default value for the parameter is `Scan` .\n- `ConfigurationOptionsScanValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances scan for available patches.\n- `ConfigurationOptionsInstallValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances install available patches.\n- `ConfigurationOptionsScanNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `ConfigurationOptionsInstallNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `RebootOption`\n\n- Description: (Optional) Determines whether instances are rebooted after patches are installed. Valid values are `RebootIfNeeded` and `NoReboot` .\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. 
The default value is \" `false` \".\n- `OutputLogEnableS3`\n\n- Description: (Optional) A boolean value that determines whether command output logs are sent to Amazon S3.\n- `OutputS3Location`\n\n- Description: (Optional) A JSON string containing information about the Amazon S3 bucket where you want to store the output details of the request.\n\n- `OutputS3BucketRegion`\n\n- Description: (Optional) The AWS Region where the Amazon S3 bucket you want to deliver command output to is located.\n- `OutputS3BucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want to deliver command output to.\n- `OutputS3KeyPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. 
You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Explorer (Type: AWS QuickSetupType-ResourceExplorer)** - - `SelectedAggregatorRegion`\n\n- Description: (Required) The AWS Region where you want to create the aggregator index.\n- `ReplaceExistingAggregator`\n\n- Description: (Required) A boolean value that determines whether to demote an existing aggregator if it is in a Region that differs from the value you specify for the `SelectedAggregatorRegion` .\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Scheduler (Type: AWS QuickSetupType-Scheduler)** - - `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target.\n- `ICalendarString`\n\n- Description: (Required) An iCalendar formatted string containing the schedule you want Change Manager to use.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. 
You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.",
+      "Parameters": "The parameters for the configuration definition type. Parameters for configuration definitions vary based the configuration type. The following lists outline the parameters for each configuration type.\n\n- **AWS Config Recording (Type: AWS QuickSetupType-CFGRecording)** - - `RecordAllResources`\n\n- Description: (Optional) A boolean value that determines whether all supported resources are recorded. The default value is \" `true` \".\n- `ResourceTypesToRecord`\n\n- Description: (Optional) A comma separated list of resource types you want to record.\n- `RecordGlobalResourceTypes`\n\n- Description: (Optional) A boolean value that determines whether global resources are recorded with all resource configurations. The default value is \" `false` \".\n- `GlobalResourceTypesRegion`\n\n- Description: (Optional) Determines the AWS Region where global resources are recorded.\n- `UseCustomBucket`\n\n- Description: (Optional) A boolean value that determines whether a custom Amazon S3 bucket is used for delivery. The default value is \" `false` \".\n- `DeliveryBucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want AWS Config to deliver configuration snapshots and configuration history files to.\n- `DeliveryBucketPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `NotificationOptions`\n\n- Description: (Optional) Determines the notification configuration for the recorder. The valid values are `NoStreaming` , `UseExistingTopic` , and `CreateTopic` . The default value is `NoStreaming` .\n- `CustomDeliveryTopicAccountId`\n\n- Description: (Optional) The ID of the AWS account where the Amazon SNS topic you want to use for notifications resides. You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `CustomDeliveryTopicName`\n\n- Description: (Optional) The name of the Amazon SNS topic you want to use for notifications. 
You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(7 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Change Manager (Type: AWS QuickSetupType-SSMChangeMgr)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `JobFunction`\n\n- Description: (Required) The name for the Change Manager job function.\n- `PermissionType`\n\n- Description: (Optional) Specifies whether you want to use default administrator permissions for the job function role, or provide a custom IAM policy. The valid values are `CustomPermissions` and `AdminPermissions` . The default value for the parameter is `CustomerPermissions` .\n- `CustomPermissions`\n\n- Description: (Optional) A JSON string containing the IAM policy you want your job function to use. 
You must provide a value for this parameter if you specify `CustomPermissions` for the `PermissionType` parameter.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Conformance Packs (Type: AWS QuickSetupType-CFGCPacks)** - - `DelegatedAccountId`\n\n- Description: (Optional) The ID of the delegated administrator account. This parameter is required for Organization deployments.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `none` \".\n- `CPackNames`\n\n- Description: (Required) A comma separated list of AWS Config conformance packs.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Default Host Management Configuration (Type: AWS QuickSetupType-DHMC)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. 
The default value is \" `true` \".\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) The AWS Regions to deploy the configuration to. For this type, the parameter only accepts a value of `AllRegions` .\n- **DevOps\u00a0Guru (Type: AWS QuickSetupType-DevOpsGuru)** - - `AnalyseAllResources`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru analyzes all AWS CloudFormation stacks in the account. The default value is \" `false` \".\n- `EnableSnsNotifications`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru sends notifications when an insight is created. The default value is \" `true` \".\n- `EnableSsmOpsItems`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru creates an OpsCenter OpsItem when an insight is created. The default value is \" `true` \".\n- `EnableDriftRemediation`\n\n- Description: (Optional) A boolean value that determines whether a drift remediation schedule is used. The default value is \" `false` \".\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Distributor (Type: AWS QuickSetupType-Distributor)** - - `PackagesToInstall`\n\n- Description: (Required) A comma separated list of packages you want to install on the target instances. The valid values are `AWSEFSTools` , `AWSCWAgent` , and `AWSEC2LaunchAgent` .\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `rate(30 days)` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. 
You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Host Management (Type: AWS QuickSetupType-SSMHostMgmt)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. The default value is \" `true` \".\n- `UpdateEc2LaunchAgent`\n\n- Description: (Optional) A boolean value that determines whether the EC2 Launch agent is updated on the target instances every month. The default value is \" `false` \".\n- `CollectInventory`\n\n- Description: (Optional) A boolean value that determines whether instance metadata is collected on the target instances every 30 minutes. The default value is \" `true` \".\n- `ScanInstances`\n\n- Description: (Optional) A boolean value that determines whether the target instances are scanned daily for available patches. The default value is \" `true` \".\n- `InstallCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is installed on the target instances. 
The default value is \" `false` \".\n- `UpdateCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is updated on the target instances every month. The default value is \" `false` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Optional) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Optional) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Optional) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. 
A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **OpsCenter (Type: AWS QuickSetupType-SSMOpsCenter)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Patch Policy (Type: AWS QuickSetupType-PatchPolicy)** - - `PatchPolicyName`\n\n- Description: (Required) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag.\n- `SelectedPatchBaselines`\n\n- Description: (Required) An array of JSON objects containing the information for the patch baselines to include in your patch policy.\n- `PatchBaselineUseDefault`\n\n- Description: (Optional) A value that determines whether the selected patch baselines are all AWS provided. Supported values are `default` and `custom` .\n- `PatchBaselineRegion`\n\n- Description: (Required) The AWS Region where the patch baseline exist.\n- `ConfigurationOptionsPatchOperation`\n\n- Description: (Optional) Determines whether target instances scan for available patches, or scan and install available patches. The valid values are `Scan` and `ScanAndInstall` . 
The default value for the parameter is `Scan` .\n- `ConfigurationOptionsScanValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances scan for available patches.\n- `ConfigurationOptionsInstallValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances install available patches.\n- `ConfigurationOptionsScanNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `ConfigurationOptionsInstallNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `RebootOption`\n\n- Description: (Optional) Determines whether instances are rebooted after patches are installed. Valid values are `RebootIfNeeded` and `NoReboot` .\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. 
The default value is \" `false` \".\n- `OutputLogEnableS3`\n\n- Description: (Optional) A boolean value that determines whether command output logs are sent to Amazon S3.\n- `OutputS3Location`\n\n- Description: (Optional) A JSON string containing information about the Amazon S3 bucket where you want to store the output details of the request.\n\n- `OutputS3BucketRegion`\n\n- Description: (Optional) The AWS Region where the Amazon S3 bucket you want to deliver command output to is located.\n- `OutputS3BucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want to deliver command output to.\n- `OutputS3KeyPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. 
You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Explorer (Type: AWS QuickSetupType-ResourceExplorer)** - - `SelectedAggregatorRegion`\n\n- Description: (Required) The AWS Region where you want to create the aggregator index.\n- `ReplaceExistingAggregator`\n\n- Description: (Required) A boolean value that determines whether to demote an existing aggregator if it is in a Region that differs from the value you specify for the `SelectedAggregatorRegion` .\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Scheduler (Type: AWS QuickSetupType-Scheduler)** - - `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target.\n- `ICalendarString`\n\n- Description: (Required) An iCalendar formatted string containing the schedule you want Change Manager to use.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. 
You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.",
       "Type": "The type of the Quick Setup configuration.",
       "TypeVersion": "The version of the Quick Setup type used.",
       "id": "The ID of the configuration definition."

From 3b16647c1d0a6df0cf23a28fac4bc1b50dee064e Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Wed, 23 Apr 2025 22:12:03 +0000
Subject: [PATCH 11/13] address feedback

---
 integration/single/test_basic_function.py | 2 +-
 samtranslator/compat.py                   | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/integration/single/test_basic_function.py b/integration/single/test_basic_function.py
index 4896c35f57..ee00524ab9 100644
--- a/integration/single/test_basic_function.py
+++ b/integration/single/test_basic_function.py
@@ -183,7 +183,7 @@ def test_basic_function_with_url_dual_auth(self, file_name, qualifier):
 
         # Get the template to check for InvokedViaFunctionUrl property
         cfn_client = self.client_provider.cfn_client
-        template = cfn_client.get_template(StackName=self.stack_name)
+        template = cfn_client.get_template(StackName=self.stack_name, TemplateStage="Processed")
         template_body = template["TemplateBody"]
 
         # Check if the InvokePermission has InvokedViaFunctionUrl: True
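Review bot: The comment above the `get_template` call does not say why the processed stage is requested, so the added `TemplateStage="Processed"` argument looks optional to a later reader. Presumably the permission carrying `InvokedViaFunctionUrl` is emitted by the SAM transform and is absent from the original template, in which case the check below would have nothing to find without it. I would reword the comment to something like `# Fetch the processed (post-transform) template; the generated invoke permission only exists there`. The test method starts and ends outside this hunk.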
diff --git a/samtranslator/compat.py b/samtranslator/compat.py
index 3ffe1a7461..4109d8696e 100644
--- a/samtranslator/compat.py
+++ b/samtranslator/compat.py
@@ -1,4 +1,3 @@
-# mypy: ignore-errors
 try:
     from pydantic import v1 as pydantic
 
@@ -8,9 +7,9 @@
 except ImportError:
     # Unfortunately mypy cannot handle this try/expect pattern, and "type: ignore"
     # is the simplest work-around. See: https://github.com/python/mypy/issues/1153
-    import pydantic
+    import pydantic   # type: ignore
 except AttributeError:
     # Pydantic v1.10.17+
-    import pydantic
+    import pydantic   # type: ignore
 
 __all__ = ["pydantic"]
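Review bot: The two added `# type: ignore` comments are unscoped, so each silences every mypy error on its `import pydantic` line rather than only the redefinition the existing comment describes. Other files in this series use error codes (`# type: ignore[no-untyped-def]` in `sam_resources.py`), so the same form fits here, e.g. `import pydantic  # type: ignore[no-redef]`. The exact code is inferred and should be taken from mypy's output. The explanatory comment sits only in the `except ImportError` branch; the `except AttributeError` branch could carry a short pointer to it.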

From cf160f70edb0d5f2141320f796a267447385fe67 Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Wed, 23 Apr 2025 22:13:37 +0000
Subject: [PATCH 12/13] lint

---
 samtranslator/compat.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/samtranslator/compat.py b/samtranslator/compat.py
index 4109d8696e..7d2686d565 100644
--- a/samtranslator/compat.py
+++ b/samtranslator/compat.py
@@ -7,9 +7,9 @@
 except ImportError:
     # Unfortunately mypy cannot handle this try/expect pattern, and "type: ignore"
     # is the simplest work-around. See: https://github.com/python/mypy/issues/1153
-    import pydantic   # type: ignore
+    import pydantic  # type: ignore
 except AttributeError:
     # Pydantic v1.10.17+
-    import pydantic   # type: ignore
+    import pydantic  # type: ignore
 
 __all__ = ["pydantic"]

From 3472a0eec5435713988a37ce1b225937ba5b2732 Mon Sep 17 00:00:00 2001
From: Roger Zhang <ruojiazh@amazon.com>
Date: Wed, 23 Apr 2025 23:46:00 +0000
Subject: [PATCH 13/13] address comments

---
 samtranslator/model/sam_resources.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
index 347c66aae2..70e7ef6750 100644
--- a/samtranslator/model/sam_resources.py
+++ b/samtranslator/model/sam_resources.py
@@ -321,7 +321,7 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def] # noqa: P
             lambda_url = self._construct_function_url(lambda_function, lambda_alias, self.FunctionUrlConfig)
             resources.append(lambda_url)
             url_permission = self._construct_url_permission(lambda_function, lambda_alias, self.FunctionUrlConfig)
-            invoke_dual_auth_permission = self._construct_invoke_dual_auth_permission(
+            invoke_dual_auth_permission = self._construct_invoke_permission(
                 lambda_function, lambda_alias, self.FunctionUrlConfig
             )
             if url_permission and invoke_dual_auth_permission:
@@ -1231,6 +1231,10 @@ def _construct_url_permission(
         lambda_alias : LambdaAlias
             Lambda Alias resource
 
+
+        function_url_config: Dict
+            Function url config used to create FURL
+
         Returns
         -------
         LambdaPermission
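Review bot: The added parameter entry starts with a second blank line and is written `function_url_config: Dict`, while the entry just above it uses the `name : Type` form (`lambda_alias : LambdaAlias`). The signature visible later in this patch types the argument as `Dict[str, Any]`, so I would drop the extra blank line and write `function_url_config : Dict[str, Any]`. The same spacing and type apply to the entry added to the `_construct_invoke_permission` docstring in the last hunk of this file. The docstring starts and ends outside this hunk.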
@@ -1252,7 +1256,7 @@ def _construct_url_permission(
         lambda_permission.FunctionUrlAuthType = auth_type
         return lambda_permission
 
-    def _construct_invoke_dual_auth_permission(
+    def _construct_invoke_permission(
         self, lambda_function: LambdaFunction, lambda_alias: Optional[LambdaAlias], function_url_config: Dict[str, Any]
     ) -> Optional[LambdaPermission]:
         """
@@ -1267,6 +1271,9 @@ def _construct_invoke_dual_auth_permission(
         lambda_alias : LambdaAlias
             Lambda Alias resource
 
+        function_url_config: Dict
+            Function url config used to create FURL
+
         Returns
         -------
         LambdaPermission
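Review bot: The docstring should state that the permission this method builds is intended only for invocations that arrive through the function URL, because the new name `_construct_invoke_permission` no longer says so. The series adds `InvokedViaFunctionUrl` to `LambdaPermission` and the integration test checks it on the invoke permission, so that property is what keeps this from being a general invoke grant. The method body is outside this hunk, so whether it always sets the property cannot be confirmed from here. I would add a summary line such as `Construct the invoke permission that accompanies the function URL permission; it is scoped with InvokedViaFunctionUrl and must not be reused as a general invoke grant.`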