aws
diff --git a/‎clients/client-wafv2/src/WAFV2.ts
+43-3 b/‎clients/client-wafv2/src/WAFV2.ts
+43-3
diff --git a/‎clients/client-wafv2/src/commands/AssociateWebACLCommand.ts
+2 b/‎clients/client-wafv2/src/commands/AssociateWebACLCommand.ts
+2
diff --git a/‎clients/client-wafv2/src/commands/DeleteWebACLCommand.ts
+30-1 b/‎clients/client-wafv2/src/commands/DeleteWebACLCommand.ts
+30-1
diff --git a/‎clients/client-wafv2/src/commands/DisassociateWebACLCommand.ts
+2-1 b/‎clients/client-wafv2/src/commands/DisassociateWebACLCommand.ts
+2-1
diff --git a/‎clients/client-wafv2/src/commands/UpdateIPSetCommand.ts
+2 b/‎clients/client-wafv2/src/commands/UpdateIPSetCommand.ts
+2
diff --git a/‎clients/client-wafv2/src/commands/UpdateRegexPatternSetCommand.ts
+2 b/‎clients/client-wafv2/src/commands/UpdateRegexPatternSetCommand.ts
+2
@@ -278,6 +278,8 @@ export class WAFV2 extends WAFV2Client {
    *          <p>For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
    *          associate a web ACL, in the CloudFront call <code>UpdateDistribution</code>, set the web ACL ID
    *          to the Amazon Resource Name (ARN) of the web ACL. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
+   *
+   *          <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
    */
   public associateWebACL(
     args: AssociateWebACLCommandInput,
@@ -666,9 +668,38 @@ export class WAFV2 extends WAFV2Client {
   }
 
   /**
-   * <p>Deletes the specified <a>WebACL</a>.</p>
+   * <p>Deletes the specified <a>WebACL</a>. </p>
    *          <p>You can only use this if <code>ManagedByFirewallManager</code> is false in the specified
    *             <a>WebACL</a>. </p>
+   *         <note>
+   *             <p>Before deleting any web ACL, first disassociate it from all resources.</p>
+   *             <ul>
+   *                <li>
+   *                   <p>To retrieve a list of the resources that are associated with a web ACL, use the following calls:</p>
+   *                   <ul>
+   *                      <li>
+   *                         <p>For regional resources, call <a>ListResourcesForWebACL</a>.</p>
+   *                      </li>
+   *                      <li>
+   *                         <p>For Amazon CloudFront distributions, use the CloudFront call <code>ListDistributionsByWebACLId</code>.
+   *                       For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByWebACLId.html">ListDistributionsByWebACLId</a>.</p>
+   *                      </li>
+   *                   </ul>
+   *                </li>
+   *                <li>
+   *                   <p>To disassociate a resource from a web ACL, use the following calls:</p>
+   *                   <ul>
+   *                      <li>
+   *                         <p>For regional resources, call <a>DisassociateWebACL</a>.</p>
+   *                      </li>
+   *                      <li>
+   *                         <p>For Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call
+   *             <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
+   *                      </li>
+   *                   </ul>
+   *                </li>
+   *             </ul>
+   *          </note>
    */
   public deleteWebACL(
     args: DeleteWebACLCommandInput,
@@ -730,7 +761,8 @@ export class WAFV2 extends WAFV2Client {
   }
 
   /**
-   * <p>Disassociates a web ACL from a regional application resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.  </p>
+   * <p>Disassociates the specified regional application resource from any existing web ACL association. A resource can have at most one
+   *            web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.  </p>
    *          <p>For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
    *          disassociate a web ACL, provide an empty web ACL ID in the CloudFront call
    *             <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
@@ -1740,6 +1772,8 @@ export class WAFV2 extends WAFV2Client {
    *          <note>
    *             <p>This operation completely replaces the mutable specifications that you already have for the IP set with the ones that you provide to this call. To modify the IP set, retrieve it by calling <a>GetIPSet</a>, update the settings as needed, and then provide the complete IP set specification to this call.</p>
    *          </note>
+   *
+   *          <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
    */
   public updateIPSet(args: UpdateIPSetCommandInput, options?: __HttpHandlerOptions): Promise<UpdateIPSetCommandOutput>;
   public updateIPSet(args: UpdateIPSetCommandInput, cb: (err: any, data?: UpdateIPSetCommandOutput) => void): void;
@@ -1809,6 +1843,8 @@ export class WAFV2 extends WAFV2Client {
    *          <note>
    *             <p>This operation completely replaces the mutable specifications that you already have for the regex pattern set with the ones that you provide to this call. To modify the regex pattern set, retrieve it by calling <a>GetRegexPatternSet</a>, update the settings as needed, and then provide the complete regex pattern set specification to this call.</p>
    *          </note>
+   *
+   *          <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
    */
   public updateRegexPatternSet(
     args: UpdateRegexPatternSetCommandInput,
@@ -1844,6 +1880,8 @@ export class WAFV2 extends WAFV2Client {
    *          <note>
    *             <p>This operation completely replaces the mutable specifications that you already have for the rule group with the ones that you provide to this call. To modify the rule group, retrieve it by calling <a>GetRuleGroup</a>, update the settings as needed, and then provide the complete rule group specification to this call.</p>
    *          </note>
+   *
+   *          <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
    *          <p> A rule group defines a collection of rules to inspect and control web requests that you can use in a <a>WebACL</a>. When you create a rule group, you define an immutable capacity limit. If you update a rule group, you must stay within the capacity. This allows others to reuse the rule group with confidence in its capacity requirements. </p>
    */
   public updateRuleGroup(
@@ -1876,7 +1914,9 @@ export class WAFV2 extends WAFV2Client {
   }
 
   /**
-   * <p>Updates the specified <a>WebACL</a>.</p>
+   * <p>Updates the specified <a>WebACL</a>. While updating a web ACL, WAF provides continous coverage to the resources that you have associated with the web ACL. </p>
+   *
+   *          <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
    *          <note>
    *             <p>This operation completely replaces the mutable specifications that you already have for the web ACL with the ones that you provide to this call. To modify the web ACL, retrieve it by calling <a>GetWebACL</a>, update the settings as needed, and then provide the complete web ACL specification to this call.</p>
    *          </note>
 
@@ -27,6 +27,8 @@ export interface AssociateWebACLCommandOutput extends AssociateWebACLResponse, _
  *          <p>For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
  *          associate a web ACL, in the CloudFront call <code>UpdateDistribution</code>, set the web ACL ID
  *          to the Amazon Resource Name (ARN) of the web ACL. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
+ *
+ *          <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
 
@@ -22,9 +22,38 @@ export interface DeleteWebACLCommandInput extends DeleteWebACLRequest {}
 export interface DeleteWebACLCommandOutput extends DeleteWebACLResponse, __MetadataBearer {}
 
 /**
- * <p>Deletes the specified <a>WebACL</a>.</p>
+ * <p>Deletes the specified <a>WebACL</a>. </p>
  *          <p>You can only use this if <code>ManagedByFirewallManager</code> is false in the specified
  *             <a>WebACL</a>. </p>
+ *         <note>
+ *             <p>Before deleting any web ACL, first disassociate it from all resources.</p>
+ *             <ul>
+ *                <li>
+ *                   <p>To retrieve a list of the resources that are associated with a web ACL, use the following calls:</p>
+ *                   <ul>
+ *                      <li>
+ *                         <p>For regional resources, call <a>ListResourcesForWebACL</a>.</p>
+ *                      </li>
+ *                      <li>
+ *                         <p>For Amazon CloudFront distributions, use the CloudFront call <code>ListDistributionsByWebACLId</code>.
+ *                       For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByWebACLId.html">ListDistributionsByWebACLId</a>.</p>
+ *                      </li>
+ *                   </ul>
+ *                </li>
+ *                <li>
+ *                   <p>To disassociate a resource from a web ACL, use the following calls:</p>
+ *                   <ul>
+ *                      <li>
+ *                         <p>For regional resources, call <a>DisassociateWebACL</a>.</p>
+ *                      </li>
+ *                      <li>
+ *                         <p>For Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call
+ *             <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
+ *                      </li>
+ *                   </ul>
+ *                </li>
+ *             </ul>
+ *          </note>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
 
@@ -22,7 +22,8 @@ export interface DisassociateWebACLCommandInput extends DisassociateWebACLReques
 export interface DisassociateWebACLCommandOutput extends DisassociateWebACLResponse, __MetadataBearer {}
 
 /**
- * <p>Disassociates a web ACL from a regional application resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.  </p>
+ * <p>Disassociates the specified regional application resource from any existing web ACL association. A resource can have at most one
+ *            web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.  </p>
  *          <p>For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
  *          disassociate a web ACL, provide an empty web ACL ID in the CloudFront call
  *             <code>UpdateDistribution</code>. For information, see <a href="https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html">UpdateDistribution</a>.</p>
 
@@ -26,6 +26,8 @@ export interface UpdateIPSetCommandOutput extends UpdateIPSetResponse, __Metadat
  *          <note>
  *             <p>This operation completely replaces the mutable specifications that you already have for the IP set with the ones that you provide to this call. To modify the IP set, retrieve it by calling <a>GetIPSet</a>, update the settings as needed, and then provide the complete IP set specification to this call.</p>
  *          </note>
+ *
+ *          <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
 
@@ -26,6 +26,8 @@ export interface UpdateRegexPatternSetCommandOutput extends UpdateRegexPatternSe
  *          <note>
  *             <p>This operation completely replaces the mutable specifications that you already have for the regex pattern set with the ones that you provide to this call. To modify the regex pattern set, retrieve it by calling <a>GetRegexPatternSet</a>, update the settings as needed, and then provide the complete regex pattern set specification to this call.</p>
  *          </note>
+ *
+ *          <p>When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript