-
Notifications
You must be signed in to change notification settings - Fork 4.1k
Commit 0923b5e
authored
feat: update L1 CloudFormation resource definitions (#33980)
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-arczonalshift
│ └ resources
│ └[~] resource AWS::ARCZonalShift::ZonalAutoshiftConfiguration
│ └ properties
│ └ PracticeRunConfiguration: (documentation changed)
├[~] service aws-cloudformation
│ └ resources
│ └[~] resource AWS::CloudFormation::Stack
│ └ - documentation: The `AWS::CloudFormation::Stack` resource nests a stack as a resource in a top-level template.
│ For more information, see [Embed stacks within other stacks using nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .
│ You can add output values from a nested stack within the containing template. You use the [GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) function with the nested stack's logical name and the name of the output value in the nested stack in the format `Outputs. *NestedStackOutputName*` .
│ We strongly recommend that updates to nested stacks are run from the parent stack.
│ When you apply template changes to update a top-level stack, CloudFormation updates the top-level stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified nested stacks, but doesn't update the resources of unmodified nested stacks.
│ You must acknowledge IAM capabilities for nested stacks that contain IAM resources. Also, verify that you have cancel update stack permissions, which is required if an update rolls back. For more information about IAM and CloudFormation , see [Controlling access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) in the *AWS CloudFormation User Guide* .
│ > A subset of `AWS::CloudFormation::Stack` resource type properties listed below are available to customers using CloudFormation , AWS CDK , and AWS Cloud Control API to configure.
│ >
│ > - `NotificationARNs`
│ > - `Parameters`
│ > - `Tags`
│ > - `TemplateURL`
│ > - `TimeoutInMinutes`
│ >
│ > These properties can be configured only when using AWS Cloud Control API . This is because the below properties are set by the parent stack, and thus cannot be configured using CloudFormation or AWS CDK but only AWS Cloud Control API .
│ >
│ > - `Capabilities`
│ > - `Description`
│ > - `DisableRollback`
│ > - `EnableTerminationProtection`
│ > - `RoleARN`
│ > - `StackName`
│ > - `StackPolicyBody`
│ > - `StackPolicyURL`
│ > - `StackStatusReason`
│ > - `TemplateBody`
│ >
│ > Customers that configure `AWS::CloudFormation::Stack` using CloudFormation and AWS CDK can do so for nesting a CloudFormation stack as a resource in their top-level template.
│ >
│ > These read-only properties can be accessed only when using AWS Cloud Control API .
│ >
│ > - `ChangeSetId`
│ > - `CreationTime`
│ > - `LastUpdateTime`
│ > - `Outputs`
│ > - `ParentId`
│ > - `RootId`
│ > - `StackId`
│ > - `StackStatus`
│ + documentation: The `AWS::CloudFormation::Stack` resource nests a stack as a resource in a top-level template.
│ For more information, see [Embed stacks within other stacks using nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .
│ You can add output values from a nested stack within the containing template. You use the [GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) function with the nested stack's logical name and the name of the output value in the nested stack in the format `Outputs. *NestedStackOutputName*` .
│ We strongly recommend that updates to nested stacks are run from the parent stack.
│ When you apply template changes to update a top-level stack, CloudFormation updates the top-level stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified nested stacks, but doesn't update the resources of unmodified nested stacks.
│ You must acknowledge IAM capabilities for nested stacks that contain IAM resources. Also, verify that you have cancel update stack permissions, which is required if an update rolls back. For more information about IAM and CloudFormation , see [Controlling access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) in the *AWS CloudFormation User Guide* .
│ > A subset of `AWS::CloudFormation::Stack` resource type properties listed below are available to customers using CloudFormation , AWS CDK , and Cloud Control to configure.
│ >
│ > - `NotificationARNs`
│ > - `Parameters`
│ > - `Tags`
│ > - `TemplateURL`
│ > - `TimeoutInMinutes`
│ >
│ > These properties can be configured only when using Cloud Control . This is because the below properties are set by the parent stack, and thus cannot be configured using CloudFormation or AWS CDK but only Cloud Control .
│ >
│ > - `Capabilities`
│ > - `Description`
│ > - `DisableRollback`
│ > - `EnableTerminationProtection`
│ > - `RoleARN`
│ > - `StackName`
│ > - `StackPolicyBody`
│ > - `StackPolicyURL`
│ > - `StackStatusReason`
│ > - `TemplateBody`
│ >
│ > Customers that configure `AWS::CloudFormation::Stack` using CloudFormation and AWS CDK can do so for nesting a CloudFormation stack as a resource in their top-level template.
│ >
│ > These read-only properties can be accessed only when using Cloud Control .
│ >
│ > - `ChangeSetId`
│ > - `CreationTime`
│ > - `LastUpdateTime`
│ > - `Outputs`
│ > - `ParentId`
│ > - `RootId`
│ > - `StackId`
│ > - `StackStatus`
├[~] service aws-codestarnotifications
│ └ resources
│ └[~] resource AWS::CodeStarNotifications::NotificationRule
│ ├ - documentation: Creates a notification rule for a resource. The rule specifies the events you want notifications about and the targets (such as Amazon Simple Notification Service topics or AWS Chatbot clients configured for Slack) where you want to receive them.
│ │ + documentation: Creates a notification rule for a resource. The rule specifies the events you want notifications about and the targets (such as Amazon Simple Notification Service topics or clients configured for Slack) where you want to receive them.
│ ├ properties
│ │ ├ TargetAddress: (documentation changed)
│ │ └ Targets: (documentation changed)
│ └ types
│ └[~] type Target
│ ├ - documentation: Information about the AWS Chatbot topics or AWS Chatbot clients associated with a notification rule.
│ │ + documentation: Information about the topics or clients associated with a notification rule.
│ └ properties
│ ├ TargetAddress: (documentation changed)
│ └ TargetType: (documentation changed)
├[~] service aws-ec2
│ └ resources
│ └[~] resource AWS::EC2::Instance
│ └ types
│ ├[+] type EnaSrdSpecification
│ │ ├ documentation: Specifies the ENA Express settings for the network interface that's attached to the instance.
│ │ │ name: EnaSrdSpecification
│ │ └ properties
│ │ ├ EnaSrdEnabled: boolean
│ │ └ EnaSrdUdpSpecification: EnaSrdUdpSpecification
│ ├[+] type EnaSrdUdpSpecification
│ │ ├ documentation: Contains ENA Express settings for UDP network traffic for the network interface that's attached to the instance.
│ │ │ name: EnaSrdUdpSpecification
│ │ └ properties
│ │ └ EnaSrdUdpEnabled: boolean
│ └[~] type NetworkInterface
│ └ properties
│ └[+] EnaSrdSpecification: EnaSrdSpecification
├[~] service aws-eks
│ └ resources
│ ├[~] resource AWS::EKS::Cluster
│ │ └ properties
│ │ └ Force: (documentation changed)
│ └[~] resource AWS::EKS::PodIdentityAssociation
│ ├ properties
│ │ ├[+] DisableSessionTags: boolean
│ │ └[+] TargetRoleArn: string
│ └ attributes
│ └[+] ExternalId: string
├[~] service aws-gamelift
│ └ resources
│ ├[~] resource AWS::GameLift::Build
│ │ └ types
│ │ └[~] type StorageLocation
│ │ └ properties
│ │ └ ObjectVersion: (documentation changed)
│ └[~] resource AWS::GameLift::Fleet
│ └ properties
│ └ ScriptId: (documentation changed)
├[~] service aws-lex
│ └ resources
│ └[~] resource AWS::Lex::Bot
│ └ types
│ ├[~] type BedrockGuardrailConfiguration
│ │ └ - documentation: The guardrail configuration in the Bedrock model specification details.
│ │ + documentation: The details on the Bedrock guardrail configuration.
│ ├[~] type DataSourceConfiguration
│ │ ├ - documentation: Contains details about the configuration of the data source used for the AMAZON.QnAIntent.
│ │ │ + documentation: Contains details about the configuration of the knowledge store used for the `AMAZON.QnAIntent` . You must have already created the knowledge store and indexed the documents within it.
│ │ └ properties
│ │ ├ BedrockKnowledgeStoreConfiguration: (documentation changed)
│ │ ├ KendraConfiguration: (documentation changed)
│ │ └ OpensearchConfiguration: (documentation changed)
│ ├[~] type OpensearchConfiguration
│ │ ├ - documentation: Contains details about the configuration of the Amazon OpenSearch Service database used for the AMAZON.QnAIntent.
│ │ │ + documentation: Contains details about the configuration of the Amazon OpenSearch Service database used for the `AMAZON.QnAIntent` .
│ │ └ properties
│ │ └ IncludeFields: (documentation changed)
│ ├[~] type QnAIntentConfiguration
│ │ ├ - documentation: Details about the the configuration of the built-in Amazon.QnAIntent.
│ │ │ + documentation: Details about the the configuration of the built-in `Amazon.QnAIntent` .
│ │ └ properties
│ │ └ DataSourceConfiguration: (documentation changed)
│ └[~] type QnAKendraConfiguration
│ ├ - documentation: Contains details about the configuration of the Amazon Kendra index used for the AMAZON.QnAIntent.
│ │ + documentation: Contains details about the configuration of the Amazon Kendra index used for the `AMAZON.QnAIntent` .
│ └ properties
│ ├ ExactResponse: (documentation changed)
│ └ QueryFilterString: (documentation changed)
├[~] service aws-notifications
│ └ resources
│ └[~] resource AWS::Notifications::ManagedNotificationAccountContactAssociation
│ ├ - documentation: Associates an Account Management Contact with a `ManagedNotificationConfiguration` for AWS User Notifications . For more information about AWS User Notifications , see the [AWS User Notifications User Guide](https://docs.aws.amazon.com/notifications/latest/userguide/what-is-service.html) . For more information about Account Management Contacts, see the [AWS Account Management Reference Guide](https://docs.aws.amazon.com/accounts/latest/reference/API_AlternateContact.html) .
│ │ + documentation: Associates an Account Management Contact with a `ManagedNotificationConfiguration` for AWS User Notifications . For more information about AWS User Notifications , see the [AWS User Notifications User Guide](https://docs.aws.amazon.com/notifications/latest/userguide/what-is-service.html) . For more information about Account Management Contacts, see the [Account Management Reference Guide](https://docs.aws.amazon.com/accounts/latest/reference/API_AlternateContact.html) .
│ └ properties
│ └ ContactIdentifier: (documentation changed)
├[~] service aws-opensearchserverless
│ └ resources
│ └[~] resource AWS::OpenSearchServerless::Index
│ ├ - documentation: An OpenSearch Serverless index resource
│ │ + documentation: An OpenSearch Serverless index resource.
│ ├ properties
│ │ ├ Mappings: (documentation changed)
│ │ └ Settings: (documentation changed)
│ └ types
│ ├[~] type Index
│ │ ├ - documentation: undefined
│ │ │ + documentation: An OpenSearch Serverless index resource
│ │ └ properties
│ │ ├ Knn: (documentation changed)
│ │ ├ KnnAlgoParamEfSearch: (documentation changed)
│ │ └ RefreshInterval: (documentation changed)
│ ├[~] type IndexSettings
│ │ ├ - documentation: undefined
│ │ │ + documentation: Index settings for the OpenSearch Serverless index.
│ │ └ properties
│ │ └ Index: (documentation changed)
│ ├[~] type Mappings
│ │ ├ - documentation: Index Mappings
│ │ │ + documentation: Index mappings for the OpenSearch Serverless index.
│ │ └ properties
│ │ └ Properties: (documentation changed)
│ ├[~] type Method
│ │ ├ - documentation: Configuration for k-NN search method
│ │ │ + documentation: Configuration for k-NN search method.
│ │ └ properties
│ │ ├ Name: (documentation changed)
│ │ ├ Parameters: (documentation changed)
│ │ └ SpaceType: (documentation changed)
│ ├[~] type Parameters
│ │ ├ - documentation: Additional parameters for the k-NN algorithm
│ │ │ + documentation: Additional parameters for the k-NN algorithm.
│ │ └ properties
│ │ ├ EfConstruction: (documentation changed)
│ │ └ M: (documentation changed)
│ └[~] type PropertyMapping
│ ├ - documentation: undefined
│ │ + documentation: Property mappings for the OpenSearch Serverless index.
│ └ properties
│ ├ Dimension: (documentation changed)
│ ├ Index: (documentation changed)
│ ├ Method: (documentation changed)
│ ├ Properties: (documentation changed)
│ └ Value: (documentation changed)
├[~] service aws-organizations
│ └ resources
│ └[~] resource AWS::Organizations::Account
│ └ - documentation: Creates an AWS account that is automatically a member of the organization whose credentials made the request.
│ AWS CloudFormation uses the [`CreateAccount`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html) operation to create accounts. This is an asynchronous request that AWS performs in the background. Because `CreateAccount` operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
│ - Use the `Id` value of the `CreateAccountStatus` response element from the `CreateAccount` operation to provide as a parameter to the [`DescribeCreateAccountStatus`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation.
│ - Check the CloudTrail log for the `CreateAccountResult` event. For information on using CloudTrail with AWS Organizations , see [Logging and monitoring in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration) in the *AWS Organizations User Guide* .
│ The user who calls the API to create an account must have the `organizations:CreateAccount` permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named `AWSServiceRoleForOrganizations` . For more information, see [AWS Organizations and service-linked roles](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs) in the *AWS Organizations User Guide* .
│ If the request includes tags, then the requester must have the `organizations:TagResource` permission.
│ AWS Organizations preconfigures the new member account with a role (named `OrganizationAccountAccessRole` by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.
│ For more information about creating accounts, see [Creating a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html) in the *AWS Organizations User Guide* .
│ This operation can be called only from the organization's management account.
│ *Deleting Account resources*
│ The default `DeletionPolicy` for resource `AWS::Organizations::Account` is `Retain` . For more information about how AWS CloudFormation deletes resources, see [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│ > - If you include multiple accounts in a single template, you must use the `DependsOn` attribute on each account resource type so that the accounts are created sequentially. If you create multiple accounts at the same time, Organizations returns an error and the stack operation fails.
│ > - You can't modify the following list of `Account` resource parameters using AWS CloudFormation updates.
│ >
│ > - AccountName
│ > - Email
│ > - RoleName
│ >
│ > If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a [registered delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters `AccountName` and `Email` , you must sign in to the AWS Management Console as the AWS account root user. For more information, see [Update the AWS account name, email address, or password for the root user](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html) in the *AWS Account Management Reference Guide* .
│ > - When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. For more information, see [Considerations before removing an account from an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_account-before-remove.html) in the *AWS Organizations User Guide* .
│ > - When you create an account in an organization using AWS CloudFormation , you can't specify a value for the `CreateAccount` operation parameter `IamUserAccessToBilling` . The default value for parameter `IamUserAccessToBilling` is `ALLOW` , and IAM users and roles with the required permissions can access billing information for the new account.
│ > - If you get an exception that indicates `DescribeCreateAccountStatus returns IN_PROGRESS state before time out` . You must check the account creation status using the [`DescribeCreateAccountStatus`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation. If the account state returns as `SUCCEEDED` , you can import the account into AWS CloudFormation management using [`resource import`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html) .
│ > - If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the [Service Quotas console](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) .
│ > - If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact [AWS Support](https://docs.aws.amazon.com/support/home#/) .
│ > - We don't recommend that you use the `CreateAccount` operation to create multiple temporary accounts. You can close accounts using the [`CloseAccount`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html) operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see [Closing a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html) in the *AWS Organizations User Guide* .
│ + documentation: Creates an AWS account that is automatically a member of the organization whose credentials made the request.
│ AWS CloudFormation uses the [`CreateAccount`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html) operation to create accounts. This is an asynchronous request that AWS performs in the background. Because `CreateAccount` operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
│ - Use the `Id` value of the `CreateAccountStatus` response element from the `CreateAccount` operation to provide as a parameter to the [`DescribeCreateAccountStatus`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation.
│ - Check the CloudTrail log for the `CreateAccountResult` event. For information on using CloudTrail with AWS Organizations , see [Logging and monitoring in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration) in the *AWS Organizations User Guide* .
│ The user who calls the API to create an account must have the `organizations:CreateAccount` permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named `AWSServiceRoleForOrganizations` . For more information, see [AWS Organizations and service-linked roles](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs) in the *AWS Organizations User Guide* .
│ If the request includes tags, then the requester must have the `organizations:TagResource` permission.
│ AWS Organizations preconfigures the new member account with a role (named `OrganizationAccountAccessRole` by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.
│ For more information about creating accounts, see [Creating a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html) in the *AWS Organizations User Guide* .
│ This operation can be called only from the organization's management account.
│ *Deleting Account resources*
│ The default `DeletionPolicy` for resource `AWS::Organizations::Account` is `Retain` . For more information about how AWS CloudFormation deletes resources, see [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│ > - If you include multiple accounts in a single template, you must use the `DependsOn` attribute on each account resource type so that the accounts are created sequentially. If you create multiple accounts at the same time, Organizations returns an error and the stack operation fails.
│ > - You can't modify the following list of `Account` resource parameters using AWS CloudFormation updates.
│ >
│ > - AccountName
│ > - Email
│ > - RoleName
│ >
│ > If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a [registered delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters `AccountName` and `Email` , you must sign in to the AWS Management Console as the AWS account root user. For more information, see [Update the AWS account name, email address, or password for the root user](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html) in the *Account Management Reference Guide* .
│ > - When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. For more information, see [Considerations before removing an account from an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_account-before-remove.html) in the *AWS Organizations User Guide* .
│ > - When you create an account in an organization using AWS CloudFormation , you can't specify a value for the `CreateAccount` operation parameter `IamUserAccessToBilling` . The default value for parameter `IamUserAccessToBilling` is `ALLOW` , and IAM users and roles with the required permissions can access billing information for the new account.
│ > - If you get an exception that indicates `DescribeCreateAccountStatus returns IN_PROGRESS state before time out` . You must check the account creation status using the [`DescribeCreateAccountStatus`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation. If the account state returns as `SUCCEEDED` , you can import the account into AWS CloudFormation management using [`resource import`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html) .
│ > - If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the [Service Quotas console](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) .
│ > - If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact [AWS Support](https://docs.aws.amazon.com/support/home#/) .
│ > - We don't recommend that you use the `CreateAccount` operation to create multiple temporary accounts. You can close accounts using the [`CloseAccount`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html) operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see [Closing a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html) in the *AWS Organizations User Guide* .
├[~] service aws-quicksight
│ └ resources
│ └[~] resource AWS::QuickSight::DataSet
│ └ types
│ └[~] type UploadSettings
│ ├ - documentation: <p>Information about the format for a source file or files.</p>
│ │ + documentation: Information about the format for a source file or files.
│ └ properties
│ ├ ContainsHeader: (documentation changed)
│ ├ Delimiter: (documentation changed)
│ ├ Format: (documentation changed)
│ ├ StartFromRow: (documentation changed)
│ └ TextQualifier: (documentation changed)
├[~] service aws-route53recoverycontrol
│ └ resources
│ └[~] resource AWS::Route53RecoveryControl::Cluster
│ └ properties
│ └ NetworkType: (documentation changed)
├[~] service aws-rum
│ └ resources
│ └[~] resource AWS::RUM::AppMonitor
│ └ properties
│ └ Domain: (documentation changed)
├[~] service aws-ssmincidents
│ └ resources
│ └[~] resource AWS::SSMIncidents::ResponsePlan
│ ├ properties
│ │ └ ChatChannel: (documentation changed)
│ └ types
│ ├[~] type ChatChannel
│ │ ├ - documentation: The AWS Chatbot chat channel used for collaboration during an incident.
│ │ │ + documentation: The chat channel used for collaboration during an incident.
│ │ └ properties
│ │ └ ChatbotSns: (documentation changed)
│ ├[~] type IncidentTemplate
│ │ └ properties
│ │ └ NotificationTargets: (documentation changed)
│ └[~] type NotificationTargetItem
│ └ - documentation: The Amazon SNS topic that's used by AWS Chatbot to notify the incidents chat channel.
│ + documentation: The Amazon SNS topic that's used by to notify the incidents chat channel.
└[~] service aws-wafv2
└ resources
├[~] resource AWS::WAFv2::RegexPatternSet
│ └ properties
│ └ Scope: (documentation changed)
├[~] resource AWS::WAFv2::RuleGroup
│ ├ properties
│ │ └ Scope: (documentation changed)
│ └ types
│ ├[~] type Body
│ │ └ properties
│ │ └ OversizeHandling: (documentation changed)
│ ├[~] type FieldToMatch
│ │ └ properties
│ │ ├ Body: (documentation changed)
│ │ └ JsonBody: (documentation changed)
│ └[~] type JsonBody
│ └ properties
│ └ OversizeHandling: (documentation changed)
├[~] resource AWS::WAFv2::WebACL
│ ├ - documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .
│ │ Use an `WebACL` to define a collection of rules to use to inspect and control web requests. Each rule in a web ACL has a statement that defines what to look for in web requests and an action that AWS WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that doesn't match any of the rules.
│ │ The rules in a web ACL can be a combination of explicitly defined rules and rule groups that you reference from the web ACL. The rule groups can be rule groups that you manage or rule groups that are managed by others.
│ │ You can associate a web ACL with one or more AWS resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer , an AWS AppSync GraphQL API , an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance.
│ │ For more information, see [Web access control lists (web ACLs)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the *AWS WAF developer guide* .
│ │ *Web ACLs used in AWS Shield Advanced automatic application layer DDoS mitigation*
│ │ If you use Shield Advanced automatic application layer DDoS mitigation, the web ACLs that you use with automatic mitigation have a rule group rule whose name starts with `ShieldMitigationRuleGroup` . This rule is used for automatic mitigations and it's managed for you in the web ACL by Shield Advanced and AWS WAF . You'll see the rule listed among the web ACL rules when you view the web ACL through the AWS WAF interfaces.
│ │ When you manage the web ACL through AWS CloudFormation interfaces, you won't see the Shield Advanced rule. AWS CloudFormation doesn't include this type of rule in the stack drift status between the actual configuration of the web ACL and your web ACL template.
│ │ Don't add the Shield Advanced rule group rule to your web ACL template. The rule shouldn't be in your template. When you update the web ACL template in a stack, the Shield Advanced rule is maintained for you by AWS WAF in the resulting web ACL.
│ │ For more information, see [Shield Advanced automatic application layer DDoS mitigation](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response.html) in the *AWS Shield Advanced developer guide* .
│ │ + documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .
│ │ Use an `WebACL` to define a collection of rules to use to inspect and control web requests. Each rule in a web ACL has a statement that defines what to look for in web requests and an action that AWS WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that doesn't match any of the rules.
│ │ The rules in a web ACL can be a combination of explicitly defined rules and rule groups that you reference from the web ACL. The rule groups can be rule groups that you manage or rule groups that are managed by others.
│ │ You can associate a web ACL with one or more AWS resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer , an AWS AppSync GraphQL API , an Amazon Cognito user pool, an AWS App Runner service, an AWS Amplify application, or an AWS Verified Access instance.
│ │ For more information, see [Web access control lists (web ACLs)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the *AWS WAF developer guide* .
│ │ *Web ACLs used in AWS Shield Advanced automatic application layer DDoS mitigation*
│ │ If you use Shield Advanced automatic application layer DDoS mitigation, the web ACLs that you use with automatic mitigation have a rule group rule whose name starts with `ShieldMitigationRuleGroup` . This rule is used for automatic mitigations and it's managed for you in the web ACL by Shield Advanced and AWS WAF . You'll see the rule listed among the web ACL rules when you view the web ACL through the AWS WAF interfaces.
│ │ When you manage the web ACL through AWS CloudFormation interfaces, you won't see the Shield Advanced rule. AWS CloudFormation doesn't include this type of rule in the stack drift status between the actual configuration of the web ACL and your web ACL template.
│ │ Don't add the Shield Advanced rule group rule to your web ACL template. The rule shouldn't be in your template. When you update the web ACL template in a stack, the Shield Advanced rule is maintained for you by AWS WAF in the resulting web ACL.
│ │ For more information, see [Shield Advanced automatic application layer DDoS mitigation](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response.html) in the *AWS Shield Advanced developer guide* .
│ ├ properties
│ │ └ Scope: (documentation changed)
│ └ types
│ ├[~] type Body
│ │ └ properties
│ │ └ OversizeHandling: (documentation changed)
│ ├[~] type FieldToMatch
│ │ └ properties
│ │ ├ Body: (documentation changed)
│ │ └ JsonBody: (documentation changed)
│ └[~] type JsonBody
│ └ properties
│ └ OversizeHandling: (documentation changed)
└[~] resource AWS::WAFv2::WebACLAssociation
├ - documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .
│ Use a web ACL association to define an association between a web ACL and a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance.
│ For Amazon CloudFront , don't use this resource. Instead, use your CloudFront distribution configuration. To associate a web ACL with a distribution, provide the Amazon Resource Name (ARN) of the `WebACL` to your CloudFront distribution configuration. To disassociate a web ACL, provide an empty ARN. For information, see [AWS::CloudFront::Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html) .
│ *Required permissions for customer-managed IAM policies*
│ This call requires permissions that are specific to the protected resource type. For details, see [Permissions for AssociateWebACL](https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_action-AssociateWebACL) in the *AWS WAF Developer Guide* .
│ *Temporary inconsistencies during updates*
│ When you create or change a web ACL or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.
│ The following are examples of the temporary inconsistencies that you might notice during change propagation:
│ - After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable.
│ - After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another.
│ - After you change a rule action setting, you might see the old action in some places and the new action in others.
│ - After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.
│ + documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .
│ Use a web ACL association to define an association between a web ACL and a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, an AWS Amplify application, or an AWS Verified Access instance.
│ For Amazon CloudFront , don't use this resource. Instead, use your CloudFront distribution configuration. To associate a web ACL with a distribution, provide the Amazon Resource Name (ARN) of the `WebACL` to your CloudFront distribution configuration. To disassociate a web ACL, provide an empty ARN. For information, see [AWS::CloudFront::Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html) .
│ *Required permissions for customer-managed IAM policies*
│ This call requires permissions that are specific to the protected resource type. For details, see [Permissions for AssociateWebACL](https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_action-AssociateWebACL) in the *AWS WAF Developer Guide* .
│ *Temporary inconsistencies during updates*
│ When you create or change a web ACL or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.
│ The following are examples of the temporary inconsistencies that you might notice during change propagation:
│ - After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable.
│ - After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another.
│ - After you change a rule action setting, you might see the old action in some places and the new action in others.
│ - After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.
└ properties
└ ResourceArn: (documentation changed)
```1 parent cd425c7 commit 0923b5eCopy full SHA for 0923b5e
File tree
3 files changed
+15
-8
lines changedFilter options
- packages/aws-cdk-lib
- tools/@aws-cdk/spec2cdk
3 files changed
+15
-8
lines changedDiff for: packages/aws-cdk-lib/package.json
Copy file name to clipboardExpand all lines: packages/aws-cdk-lib/package.json+1-1
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
136 | 136 | | |
137 | 137 | | |
138 | 138 | | |
139 | | - | |
| 139 | + | |
140 | 140 | | |
141 | 141 | | |
142 | 142 | | |
| |||
Diff for: tools/@aws-cdk/spec2cdk/package.json
Copy file name to clipboardExpand all lines: tools/@aws-cdk/spec2cdk/package.json+2-2
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
32 | 32 | | |
33 | 33 | | |
34 | 34 | | |
35 | | - | |
| 35 | + | |
36 | 36 | | |
37 | | - | |
| 37 | + | |
38 | 38 | | |
39 | 39 | | |
40 | 40 | | |
| |||
+12-5
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
66 | 66 | | |
67 | 67 | | |
68 | 68 | | |
69 | | - | |
70 | | - | |
71 | | - | |
72 | | - | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
73 | 73 | | |
74 | | - | |
| 74 | + | |
75 | 75 | | |
76 | 76 | | |
77 | 77 | | |
| |||
147 | 147 | | |
148 | 148 | | |
149 | 149 | | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
150 | 157 | | |
151 | 158 | | |
152 | 159 | | |
| |||
0 commit comments