From ae6b87924be62d6b3babebddc8586e72b1a3a5ff Mon Sep 17 00:00:00 2001 
From: Vandita Patidar Date: Thu, 10 Apr 2025 22:20:24 -0700 Subject: [PATCH] Release 1.97.0 (to main) (#3751) Co-authored-by: Frederic Mbea <117131783+mbfreder@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions Co-authored-by: Renato Valenzuela <37676028+valerena@users.noreply.github.com> Co-authored-by: aws-sam-cli-bot <46753707+aws-sam-cli-bot@users.noreply.github.com> --- samtranslator/__init__.py | 2 +- .../schema_source/aws_serverless_api.py | 8 + samtranslator/model/api/api_generator.py | 56 ++- samtranslator/model/apigateway.py | 12 + samtranslator/model/sam_resources.py | 5 +- samtranslator/schema/schema.json | 241 +++++---- schema_source/cloudformation-docs.json | 473 +++++++++++------- schema_source/cloudformation.schema.json | 216 ++++---- schema_source/sam.schema.json | 25 + ...i_custom_domain_private_endpoint_base.yaml | 64 +++ ...i_custom_domain_private_endpoint_full.yaml | 70 +++ ...ustom_domain_private_endpoint_route53.yaml | 67 +++ ...ivate_endpoint_route53_hostedzonename.yaml | 67 +++ ..._domain_private_endpoint_route53_ipv6.yaml | 68 +++ ...omain_private_endpoint_without_policy.yaml | 54 ++ ...i_custom_domain_private_endpoint_base.json | 161 ++++++ ...i_custom_domain_private_endpoint_full.json | 172 +++++++ ...ustom_domain_private_endpoint_route53.json | 162 ++++++ ...ivate_endpoint_route53_hostedzonename.json | 162 ++++++ ..._domain_private_endpoint_route53_ipv6.json | 170 +++++++ ...omain_private_endpoint_without_policy.json | 148 ++++++ ...i_custom_domain_private_endpoint_base.json | 161 ++++++ ...i_custom_domain_private_endpoint_full.json | 172 +++++++ ...ustom_domain_private_endpoint_route53.json | 162 ++++++ ...ivate_endpoint_route53_hostedzonename.json | 162 ++++++ ..._domain_private_endpoint_route53_ipv6.json | 170 +++++++ ...omain_private_endpoint_without_policy.json | 148 ++++++ ...i_custom_domain_private_endpoint_base.json | 161 ++++++ 
...i_custom_domain_private_endpoint_full.json | 172 +++++++ ...ustom_domain_private_endpoint_route53.json | 162 ++++++ ...ivate_endpoint_route53_hostedzonename.json | 162 ++++++ ..._domain_private_endpoint_route53_ipv6.json | 170 +++++++ ...omain_private_endpoint_without_policy.json | 148 ++++++ 33 files changed, 3969 insertions(+), 384 deletions(-) create mode 100644 tests/translator/input/api_custom_domain_private_endpoint_base.yaml create mode 100644 tests/translator/input/api_custom_domain_private_endpoint_full.yaml create mode 100644 tests/translator/input/api_custom_domain_private_endpoint_route53.yaml create mode 100644 tests/translator/input/api_custom_domain_private_endpoint_route53_hostedzonename.yaml create mode 100644 tests/translator/input/api_custom_domain_private_endpoint_route53_ipv6.yaml create mode 100644 tests/translator/input/api_custom_domain_private_endpoint_without_policy.yaml create mode 100644 tests/translator/output/api_custom_domain_private_endpoint_base.json create mode 100644 tests/translator/output/api_custom_domain_private_endpoint_full.json create mode 100644 tests/translator/output/api_custom_domain_private_endpoint_route53.json create mode 100644 tests/translator/output/api_custom_domain_private_endpoint_route53_hostedzonename.json create mode 100644 tests/translator/output/api_custom_domain_private_endpoint_route53_ipv6.json create mode 100644 tests/translator/output/api_custom_domain_private_endpoint_without_policy.json create mode 100644 tests/translator/output/aws-cn/api_custom_domain_private_endpoint_base.json create mode 100644 tests/translator/output/aws-cn/api_custom_domain_private_endpoint_full.json create mode 100644 tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53.json create mode 100644 tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53_hostedzonename.json create mode 100644 tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53_ipv6.json create mode 
100644 tests/translator/output/aws-cn/api_custom_domain_private_endpoint_without_policy.json create mode 100644 tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_base.json create mode 100644 tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_full.json create mode 100644 tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53.json create mode 100644 tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53_hostedzonename.json create mode 100644 tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53_ipv6.json create mode 100644 tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_without_policy.json diff --git a/samtranslator/__init__.py b/samtranslator/__init__.py index 37b7712af..b1867bfc5 100644 --- a/samtranslator/__init__.py +++ b/samtranslator/__init__.py @@ -1 +1 @@ -__version__ = "1.96.0" +__version__ = "1.97.0" diff --git a/samtranslator/internal/schema_source/aws_serverless_api.py b/samtranslator/internal/schema_source/aws_serverless_api.py index bb315b2d6..316ffb9da 100644 --- a/samtranslator/internal/schema_source/aws_serverless_api.py +++ b/samtranslator/internal/schema_source/aws_serverless_api.py @@ -154,6 +154,12 @@ class Route53(BaseModel): SetIdentifier: Optional[PassThroughProp] # TODO: add docs Region: Optional[PassThroughProp] # TODO: add docs SeparateRecordSetGroup: Optional[bool] # TODO: add docs + VpcEndpointDomainName: Optional[PassThroughProp] # TODO: add docs + VpcEndpointHostedZoneId: Optional[PassThroughProp] # TODO: add docs + + +class AccessAssociation(BaseModel): + VpcEndpointId: PassThroughProp # TODO: add docs class Domain(BaseModel): @@ -185,6 +191,7 @@ class Domain(BaseModel): "SecurityPolicy", ["AWS::ApiGateway::DomainName", "Properties", "SecurityPolicy"], ) + AccessAssociation: Optional[AccessAssociation] class DefinitionUri(BaseModel): 
@@ -307,6 +314,7 @@ class Properties(BaseModel): OpenApiVersion: Optional[OpenApiVersion] = properties("OpenApiVersion") StageName: SamIntrinsicable[str] = properties("StageName") Tags: Optional[DictStrAny] = properties("Tags") + Policy: Optional[PassThroughProp] # TODO: add docs PropagateTags: Optional[bool] # TODO: add docs TracingEnabled: Optional[TracingEnabled] = passthrough_prop( PROPERTIES_STEM, diff --git a/samtranslator/model/api/api_generator.py b/samtranslator/model/api/api_generator.py index 4933aeeb6..b9fe23e4d 100644 --- a/samtranslator/model/api/api_generator.py +++ b/samtranslator/model/api/api_generator.py @@ -13,6 +13,7 @@ ApiGatewayBasePathMappingV2, ApiGatewayDeployment, ApiGatewayDomainName, + ApiGatewayDomainNameAccessAssociation, ApiGatewayDomainNameV2, ApiGatewayResponse, ApiGatewayRestApi, @@ -86,6 +87,7 @@ class ApiDomainResponseV2: domain: Optional[ApiGatewayDomainNameV2] apigw_basepath_mapping_list: Optional[List[ApiGatewayBasePathMappingV2]] recordset_group: Any + domain_access_association: Any class SharedApiUsagePlan: @@ -218,6 +220,7 @@ def __init__( # noqa: PLR0913 api_key_source_type: Optional[Intrinsicable[str]] = None, always_deploy: Optional[bool] = False, feature_toggle: Optional[FeatureToggle] = None, + policy: Optional[Union[Dict[str, Any], Intrinsicable[str]]] = None, ): """Constructs an API Generator class that generates API Gateway resources @@ -275,6 +278,7 @@ def __init__( # noqa: PLR0913 self.api_key_source_type = api_key_source_type self.always_deploy = always_deploy self.feature_toggle = feature_toggle + self.policy = policy def _construct_rest_api(self) -> ApiGatewayRestApi: """Constructs and returns the ApiGateway RestApi. @@ -328,6 +332,9 @@ def _construct_rest_api(self) -> ApiGatewayRestApi: if self.api_key_source_type: rest_api.ApiKeySourceType = self.api_key_source_type + if self.policy: + rest_api.Policy = self.policy + return rest_api def _validate_properties(self) -> None: 
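Review bot: The new `domain_access_association: Any` field on `ApiDomainResponseV2` gives up type checking for a value whose concrete type this same commit imports. Declaring it as `domain_access_association: Optional[ApiGatewayDomainNameAccessAssociation]` would let the checker verify what `_construct_api_domain_v2` returns and what `to_cloudformation` later appends to the generated resources. The neighbouring `recordset_group: Any` is a context line, so this concerns the added line only.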
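Review bot: In `_construct_rest_api`, `if self.policy:` is a truthiness test, so an explicitly empty `Policy` (`{}` or `""`) is dropped without an error and the RestApi is emitted with no `Policy` property at all. This value is the API's resource policy, an access-control document, so `if self.policy is not None:` would make the pass-through literal and leave it to the service to reject an empty document. A comment such as `# Resource policy is passed through unchanged; it is not validated here` would also help, since the schema-source entry for `Policy` still reads `# TODO: add docs`. The body of `_construct_rest_api` starts outside the hunk.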
@@ -602,7 +609,7 @@ def _construct_api_domain_v2( Constructs and returns the ApiGateway Domain V2 and BasepathMapping V2 """ if self.domain is None: - return ApiDomainResponseV2(None, None, None) + return ApiDomainResponseV2(None, None, None, None) sam_expect(self.domain, self.logical_id, "Domain").to_be_a_map() domain_name: PassThrough = sam_expect( @@ -657,6 +664,14 @@ def _construct_api_domain_v2( basepath_mapping.BasePath = path if normalize_basepath else basepath basepath_resource_list.extend([basepath_mapping]) + # Create the DomainNameAccessAssociation + domain_access_association = self.domain.get("AccessAssociation") + domain_access_association_resource = None + if domain_access_association is not None: + domain_access_association_resource = self._generate_domain_access_association( + domain_access_association, domain_name_arn, api_domain_name + ) + # Create the Route53 RecordSetGroup resource record_set_group = None route53 = self.domain.get("Route53") @@ -683,6 +698,7 @@ def _construct_api_domain_v2( domain, basepath_resource_list, self._construct_single_record_set_group(self.domain, domain_name, route53), + domain_access_association_resource, ) if not record_set_group: @@ -691,7 +707,7 @@ def _construct_api_domain_v2( record_set_group.RecordSets += self._construct_record_sets_for_domain(self.domain, domain_name, route53) - return ApiDomainResponseV2(domain, basepath_resource_list, record_set_group) + return ApiDomainResponseV2(domain, basepath_resource_list, record_set_group, domain_access_association_resource) def _get_basepaths(self) -> Optional[List[str]]: if self.domain is None: 
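Review bot: The `AccessAssociation` value read in `_construct_api_domain_v2` is handed to `_generate_domain_access_association` without a shape check, unlike `self.domain` itself, which goes through `sam_expect(...).to_be_a_map()` earlier in the same function. A non-map value would fail on `.get` inside the helper with an AttributeError instead of a template error. A map without `VpcEndpointId` would produce a resource whose `AccessAssociationSource` is `None` and whose logical ID is derived from `None`. Validating at the call site, e.g. `sam_expect(domain_access_association, self.logical_id, "Domain.AccessAssociation").to_be_a_map()` followed by a required-value check on `VpcEndpointId`, keeps the failure at translation time. `domain_name_arn` and `api_domain_name` are defined outside the hunk.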
@@ -779,11 +795,14 @@ def _construct_alias_target(self, domain: Dict[str, Any], api_domain_name: str, if domain.get("EndpointConfiguration") == "REGIONAL": alias_target["HostedZoneId"] = fnGetAtt(api_domain_name, "RegionalHostedZoneId") alias_target["DNSName"] = fnGetAtt(api_domain_name, "RegionalDomainName") - else: + elif domain.get("EndpointConfiguration") == "EDGE": if route53.get("DistributionDomainName") is None: route53["DistributionDomainName"] = fnGetAtt(api_domain_name, "DistributionDomainName") alias_target["HostedZoneId"] = "Z2FDTNDATAQYW2" alias_target["DNSName"] = route53.get("DistributionDomainName") + else: + alias_target["HostedZoneId"] = route53.get("VpcEndpointHostedZoneId") + alias_target["DNSName"] = route53.get("VpcEndpointDomainName") return alias_target def _create_basepath_mapping( @@ -833,12 +852,17 @@ def to_cloudformation( domain: Union[Resource, None] basepath_mapping: Union[List[ApiGatewayBasePathMapping], List[ApiGatewayBasePathMappingV2], None] rest_api = self._construct_rest_api() + is_private_domain = isinstance(self.domain, dict) and self.domain.get("EndpointConfiguration") == "PRIVATE" api_domain_response = ( self._construct_api_domain_v2(rest_api, route53_record_set_groups) - if isinstance(self.domain, dict) and self.domain.get("EndpointConfiguration") == "PRIVATE" + if is_private_domain else self._construct_api_domain(rest_api, route53_record_set_groups) ) + domain_access_association = None + if is_private_domain: + domain_access_association = cast(ApiDomainResponseV2, api_domain_response).domain_access_association + domain = api_domain_response.domain basepath_mapping = api_domain_response.apigw_basepath_mapping_list @@ -882,6 +906,9 @@ def to_cloudformation( ] ) + if domain_access_association is not None: + generated_resources.append(domain_access_association) + # Make a list of single resources generated_resources_list: List[Resource] = [] for resource in generated_resources: 
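Review bot: In `_construct_alias_target`, the catch-all `else` that used to mean EDGE is now the private-endpoint branch. Any `EndpointConfiguration` other than `REGIONAL` or `EDGE`, including an unset value unless a caller outside this hunk normalises it, therefore yields an alias target built from `route53.get("VpcEndpointHostedZoneId")` and `route53.get("VpcEndpointDomainName")`. Both are declared `Optional` in the schema source, so either can be `None`, and the record set would then carry a null `HostedZoneId` or `DNSName` that presumably fails only at deploy time. Making the branch explicit with `elif domain.get("EndpointConfiguration") == "PRIVATE":` and raising a template error when either value is missing would surface the problem during translation.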
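Review bot: `to_cloudformation` reads `domain_access_association` only when `is_private_domain` is true, so a `Domain.AccessAssociation` supplied with a `REGIONAL` or `EDGE` endpoint appears to be dropped silently, assuming `_construct_api_domain` (outside this hunk) does not handle it. A template author could then believe the custom domain is tied to a VPC endpoint when no association resource was generated. Rejecting that combination with a template error would make the behaviour visible; at minimum add a comment such as `# AccessAssociation is honoured only for PRIVATE custom domains` next to the `is_private_domain` check.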
@@ -1513,3 +1540,24 @@ def _set_endpoint_configuration(self, rest_api: ApiGatewayRestApi, value: Union[ else: rest_api.EndpointConfiguration = {"Types": [value]} rest_api.Parameters = {"endpointConfigurationTypes": value} + + def _generate_domain_access_association( + self, + domain_access_association: Dict[str, Any], + domain_name_arn: Dict[str, str], + domain_logical_id: str, + ) -> ApiGatewayDomainNameAccessAssociation: + """ + Generate domain access association resource + """ + vpcEndpointId = domain_access_association.get("VpcEndpointId") + logical_id = LogicalIdGenerator("DomainNameAccessAssociation", [vpcEndpointId, domain_logical_id]).gen() + + domain_access_association_resource = ApiGatewayDomainNameAccessAssociation( + logical_id, attributes=self.passthrough_resource_attributes + ) + domain_access_association_resource.DomainNameArn = domain_name_arn + domain_access_association_resource.AccessAssociationSourceType = "VPCE" + domain_access_association_resource.AccessAssociationSource = vpcEndpointId + + return domain_access_association_resource diff --git a/samtranslator/model/apigateway.py b/samtranslator/model/apigateway.py index d8aeddb94..c737c810b 100644 --- a/samtranslator/model/apigateway.py +++ b/samtranslator/model/apigateway.py @@ -29,6 +29,7 @@ class ApiGatewayRestApi(Resource): "Mode": GeneratedProperty(), "ApiKeySourceType": GeneratedProperty(), "Tags": GeneratedProperty(), + "Policy": GeneratedProperty(), } Body: Optional[Dict[str, Any]] @@ -44,6 +45,7 @@ class ApiGatewayRestApi(Resource): Mode: Optional[PassThrough] ApiKeySourceType: Optional[PassThrough] Tags: Optional[PassThrough] + Policy: Optional[PassThrough] runtime_attrs = {"rest_api_id": lambda self: ref(self.logical_id)} 
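Review bot: The docstring of `_generate_domain_access_association` says only "Generate domain access association resource"; it does not describe the three parameters or that the source type is fixed to `"VPCE"`. I would expand it to state that `domain_access_association` is the `Domain.AccessAssociation` map, that `domain_name_arn` is presumably an intrinsic resolving to the domain name's ARN, and that `domain_logical_id` is combined with the VPC endpoint id to form the generated logical ID. The local `vpcEndpointId` is camelCase where the rest of the method uses snake_case; `vpc_endpoint_id` would match.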
@@ -307,6 +309,16 @@ class ApiGatewayApiKey(Resource): runtime_attrs = {"api_key_id": lambda self: ref(self.logical_id)} +class ApiGatewayDomainNameAccessAssociation(Resource): + resource_type = "AWS::ApiGateway::DomainNameAccessAssociation" + property_types = { + "AccessAssociationSource": GeneratedProperty(), + "AccessAssociationSourceType": GeneratedProperty(), + "DomainNameArn": GeneratedProperty(), + "Tags": GeneratedProperty(), + } + + class ApiGatewayAuthorizer: _VALID_FUNCTION_PAYLOAD_TYPES = [None, "TOKEN", "REQUEST"] diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py index 397b7666d..9238bb75d 100644 --- a/samtranslator/model/sam_resources.py +++ b/samtranslator/model/sam_resources.py @@ -1,4 +1,4 @@ -""" SAM macro definitions """ +""" SAM macro definitions """ import copy from contextlib import suppress @@ -1275,6 +1275,7 @@ class SamApi(SamResourceMacro): "DisableExecuteApiEndpoint": PropertyType(False, IS_BOOL), "ApiKeySourceType": PropertyType(False, IS_STR), "AlwaysDeploy": Property(False, IS_BOOL), + "Policy": PropertyType(False, one_of(IS_STR, IS_DICT)), } Name: Optional[Intrinsicable[str]] @@ -1306,6 +1307,7 @@ class SamApi(SamResourceMacro): DisableExecuteApiEndpoint: Optional[Intrinsicable[bool]] ApiKeySourceType: Optional[Intrinsicable[str]] AlwaysDeploy: Optional[bool] + Policy: Optional[Union[Dict[str, Any], Intrinsicable[str]]] referable_properties = { "Stage": ApiGatewayStage.resource_type, @@ -1373,6 +1375,7 @@ def to_cloudformation(self, **kwargs) -> List[Resource]: # type: ignore[no-unty api_key_source_type=self.ApiKeySourceType, always_deploy=self.AlwaysDeploy, feature_toggle=feature_toggle, + policy=self.Policy, ) generated_resources = api_generator.to_cloudformation(redeploy_restapi_parameters, route53_record_set_groups) diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json index 2490b1dfb..aed4e150d 100644 --- a/samtranslator/schema/schema.json 
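Review bot: `ApiGatewayDomainNameAccessAssociation` declares `property_types` but has none of the class-level attribute annotations that `ApiGatewayRestApi` carries in this file (for example `Policy: Optional[PassThrough]`), so the assignments made in `_generate_domain_access_association` are untyped. Adding `AccessAssociationSource: PassThrough`, `AccessAssociationSourceType: PassThrough` and `DomainNameArn: PassThrough` would follow the file's convention. `Tags` is declared here but the generator in this commit never sets it; a short comment saying whether it is meant to be populated would help the next reader.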
+++ b/samtranslator/schema/schema.json @@ -1580,7 +1580,7 @@ "properties": { "PracticeRunConfiguration": { "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration.PracticeRunConfiguration", - "markdownDescription": "A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. When a resource has a practice run configuration, Route 53 ARC shifts traffic for the resource weekly for practice runs.\n\nPractice runs are required for zonal autoshift. The zonal shifts that Route 53 ARC starts for practice runs help you to ensure that shifting away traffic from an Availability Zone during an autoshift is safe for your application.\n\nYou can update or delete a practice run configuration. Before you delete a practice run configuration, you must disable zonal autoshift for the resource. A practice run configuration is required when zonal autoshift is enabled.", + "markdownDescription": "A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. When a resource has a practice run configuration, ARC shifts traffic for the resource weekly for practice runs.\n\nPractice runs are required for zonal autoshift. The zonal shifts that ARC starts for practice runs help you to ensure that shifting away traffic from an Availability Zone during an autoshift is safe for your application.\n\nYou can update or delete a practice run configuration. Before you delete a practice run configuration, you must disable zonal autoshift for the resource. A practice run configuration is required when zonal autoshift is enabled.", "title": "PracticeRunConfiguration" }, "ResourceIdentifier": { 
@@ -5565,7 +5565,7 @@ }, "EndpointConfiguration": { "$ref": "#/definitions/AWS::ApiGateway::DomainName.EndpointConfiguration", - "markdownDescription": "The endpoint configuration of this DomainName showing the endpoint types of the domain name.", + "markdownDescription": "The endpoint configuration of this DomainName showing the endpoint types and IP address types of the domain name.", "title": "EndpointConfiguration" }, "MutualTlsAuthentication": { @@ -6405,7 +6405,7 @@ }, "EndpointConfiguration": { "$ref": "#/definitions/AWS::ApiGateway::RestApi.EndpointConfiguration", - "markdownDescription": "A list of the endpoint types of the API. Use this property when creating an API. When importing an existing API, specify the endpoint configuration types using the `Parameters` property.", + "markdownDescription": "A list of the endpoint types and IP address types of the API. Use this property when creating an API. When importing an existing API, specify the endpoint configuration types using the `Parameters` property.", "title": "EndpointConfiguration" }, "FailOnWarnings": { 
@@ -30919,7 +30919,7 @@ }, "TimePeriod": { "$ref": "#/definitions/AWS::Budgets::Budget.TimePeriod", - "markdownDescription": "The period of time that is covered by a budget. The period has a start date and an end date. The start date must come before the end date. There are no restrictions on the end date.\n\nThe start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nAfter the end date, AWS deletes the budget and all associated notifications and subscribers.", + "markdownDescription": "The period of time that is covered by a budget. The period has a start date and an end date. The start date must come before the end date. There are no restrictions on the end date.\n\nThe start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nAfter the end date, AWS deletes the budget and all associated notifications and subscribers.", "title": "TimePeriod" }, "TimeUnit": { 
@@ -31107,12 +31107,12 @@ "additionalProperties": false, "properties": { "End": { - "markdownDescription": "The end date for a budget. If you didn't specify an end date, AWS set your end date to `06/15/87 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nAfter the end date, AWS deletes the budget and all the associated notifications and subscribers. You can change your end date with the `UpdateBudget` operation.", + "markdownDescription": "The end date for a budget. If you didn't specify an end date, AWS set your end date to `06/15/87 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nAfter the end date, AWS deletes the budget and all the associated notifications and subscribers. You can change your end date with the `UpdateBudget` operation.", "title": "End", "type": "string" }, "Start": { - "markdownDescription": "The start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nValid values depend on the value of `BudgetType` :\n\n- If `BudgetType` is `COST` or `USAGE` : Valid values are `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .\n- If `BudgetType` is `RI_UTILIZATION` or `RI_COVERAGE` : Valid values are `DAILY` , `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .", + "markdownDescription": "The start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). 
For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nValid values depend on the value of `BudgetType` :\n\n- If `BudgetType` is `COST` or `USAGE` : Valid values are `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .\n- If `BudgetType` is `RI_UTILIZATION` or `RI_COVERAGE` : Valid values are `DAILY` , `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .", "title": "Start", "type": "string" } @@ -31954,7 +31954,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the AWS Regions that the keyspace is replicated in. You must specify at least two and up to six Regions, including the Region that the keyspace is being created in.", + "markdownDescription": "Specifies the AWS Regions that the keyspace is replicated in. You must specify at least two Regions, including the Region that the keyspace is being created in.", "title": "RegionList", "type": "array" }, 
@@ -39233,7 +39233,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source.\n\nThe following are valid values for network activity events:\n\n- `cloudtrail.amazonaws.com`\n- `ec2.amazonaws.com`\n- `kms.amazonaws.com`\n- `s3.amazonaws.com`\n- `secretsmanager.amazonaws.com`\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. 
You can use any operator with `vpcEndpointId` .", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. For a list of services supporting network activity events, see [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide* .\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. You can use any operator with `vpcEndpointId` .", "title": "Field", "type": "string" }, 
@@ -39556,7 +39556,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source.\n\nThe following are valid values for network activity events:\n\n- `cloudtrail.amazonaws.com`\n- `ec2.amazonaws.com`\n- `kms.amazonaws.com`\n- `s3.amazonaws.com`\n- `secretsmanager.amazonaws.com`\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. 
You can use any operator with `vpcEndpointId` .", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. For a list of services supporting network activity events, see [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide* .\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. You can use any operator with `vpcEndpointId` .", "title": "Field", "type": "string" }, 
@@ -45079,7 +45079,7 @@ "type": "object" }, "TargetAddress": { - "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon SNS topic or AWS Chatbot client.", + "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon SNS topic or client.", "title": "TargetAddress", "type": "string" }, @@ -45087,7 +45087,7 @@ "items": { "$ref": "#/definitions/AWS::CodeStarNotifications::NotificationRule.Target" }, - "markdownDescription": "A list of Amazon Resource Names (ARNs) of Amazon SNS topics and AWS Chatbot clients to associate with the notification rule.", + "markdownDescription": "A list of Amazon Resource Names (ARNs) of Amazon SNS topics and clients to associate with the notification rule.", "title": "Targets", "type": "array" } @@ -45126,12 +45126,12 @@ "additionalProperties": false, "properties": { "TargetAddress": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Chatbot topic or AWS Chatbot client.", + "markdownDescription": "The Amazon Resource Name (ARN) of the topic or client.", "title": "TargetAddress", "type": "string" }, "TargetType": { - "markdownDescription": "The target type. Can be an Amazon Simple Notification Service topic or AWS Chatbot client.\n\n- Amazon Simple Notification Service topics are specified as `SNS` .\n- AWS Chatbot clients are specified as `AWSChatbotSlack` .\n- AWS Chatbot clients for Microsoft Teams are specified as `AWSChatbotMicrosoftTeams` .", + "markdownDescription": "The target type. Can be an Amazon Simple Notification Service topic or client.\n\n- Amazon Simple Notification Service topics are specified as `SNS` .\n- clients are specified as `AWSChatbotSlack` .\n- clients for Microsoft Teams are specified as `AWSChatbotMicrosoftTeams` .", "title": "TargetType", "type": "string" } 
@@ -48212,7 +48212,7 @@ }, "Scope": { "$ref": "#/definitions/AWS::Config::ConfigRule.Scope", - "markdownDescription": "Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.\n\n> Scope is only supported for change-triggered rules. Scope is not supported for periodic or hybrid rules.", + "markdownDescription": "Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.", "title": "Scope" }, "Source": { 
@@ -102797,7 +102797,7 @@ "type": "string" }, "OperatingSystem": { - "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/https://aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", + "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", "title": "OperatingSystem", "type": "string" }, 
@@ -102853,7 +102853,7 @@ "type": "string" }, "ObjectVersion": { - "markdownDescription": "A version of a stored file to retrieve, if the object versioning feature is turned on for the S3 bucket. Use this parameter to specify a specific version. If this parameter isn't set, Amazon GameLift retrieves the latest version of the file.", + "markdownDescription": "A version of a stored file to retrieve, if the object versioning feature is turned on for the S3 bucket. Use this parameter to specify a specific version. If this parameter isn't set, Amazon GameLift Servers retrieves the latest version of the file.", "title": "ObjectVersion", "type": "string" }, @@ -102917,7 +102917,7 @@ "type": "string" }, "OperatingSystem": { - "markdownDescription": "The platform that all containers in the container group definition run on.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/https://aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", + "markdownDescription": "The platform that all containers in the container group definition run on.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", "title": "OperatingSystem", "type": "string" }, 
@@ -103328,7 +103328,7 @@ "type": "array" }, "ScriptId": { - "markdownDescription": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually.", + "markdownDescription": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift Servers prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually.", "title": "ScriptId", "type": "string" } @@ -116649,7 +116649,7 @@ }, "MemberId": { "$ref": "#/definitions/AWS::IdentityStore::GroupMembership.MemberId", - "markdownDescription": "An object containing the identifier of a group member. Setting `MemberId` 's `UserId` field to a specific User's ID indicates we should consider that User as a group member.", + "markdownDescription": "An object containing the identifier of a group member. Setting the `MemberId` 's `UserId` field to a specific User's ID indicates that user is a member of the group.", "title": "MemberId" } }, 
@@ -153322,7 +153322,7 @@ "type": "object" }, "AirflowVersion": { - "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `1.10.12` | `2.0.2` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` | `2.7.2` | `2.8.1` | `2.9.2` (latest)", + "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `1.10.12` | `2.0.2` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` | `2.7.2` | `2.8.1` | `2.9.2` | `2.10.1` (latest)", "title": "AirflowVersion", "type": "string" }, @@ -153337,7 +153337,7 @@ "type": "string" }, "EnvironmentClass": { - "markdownDescription": "The environment class type. Valid values: `mw1.small` , `mw1.medium` , `mw1.large` . To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", + "markdownDescription": "The environment class type. Valid values: `mw1.micro` , `mw1.small` , `mw1.medium` , `mw1.large` , `mw1.1large` , and `mw1.2large` . To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", "title": "EnvironmentClass", "type": "string" }, 
@@ -153397,7 +153397,7 @@ "type": "string" }, "Schedulers": { - "markdownDescription": "The number of schedulers that you want to run in your environment. Valid values:\n\n- *v2* - Accepts between 2 to 5. Defaults to 2.\n- *v1* - Accepts 1.", + "markdownDescription": "The number of schedulers that you want to run in your environment. Valid values:\n\n- *v2* - For environments larger than mw1.micro, accepts values from 2 to 5. Defaults to 2 for all environment sizes except mw1.micro, which defaults to 1.\n- *v1* - Accepts 1.", "title": "Schedulers", "type": "number" }, @@ -154435,12 +154435,12 @@ "properties": { "EgressGatewayBridge": { "$ref": "#/definitions/AWS::MediaConnect::Bridge.EgressGatewayBridge", - "markdownDescription": "Create a bridge with the egress bridge type. An egress bridge is a cloud-to-ground bridge. The content comes from an existing MediaConnect flow and is delivered to your premises.", + "markdownDescription": "An egress bridge is a cloud-to-ground bridge. The content comes from an existing MediaConnect flow and is delivered to your premises.", "title": "EgressGatewayBridge" }, "IngressGatewayBridge": { "$ref": "#/definitions/AWS::MediaConnect::Bridge.IngressGatewayBridge", - "markdownDescription": "Create a bridge with the ingress bridge type. An ingress bridge is a ground-to-cloud bridge. The content originates at your premises and is delivered to the cloud.", + "markdownDescription": "An ingress bridge is a ground-to-cloud bridge. The content originates at your premises and is delivered to the cloud.", "title": "IngressGatewayBridge" }, "Name": { @@ -154532,7 +154532,7 @@ "additionalProperties": false, "properties": { "IpAddress": { - "markdownDescription": "The network output IP Address.", + "markdownDescription": "The network output IP address.", "title": "IpAddress", "type": "string" }, 
@@ -154547,12 +154547,12 @@ "type": "string" }, "Port": { - "markdownDescription": "The network output port.", + "markdownDescription": "The network output's port.", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The network output protocol.", + "markdownDescription": "The network output protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "title": "Protocol", "type": "string" }, @@ -154581,7 +154581,7 @@ "type": "string" }, "Name": { - "markdownDescription": "The name of the network source. This name is used to reference the source and must be unique among sources in this bridge.", + "markdownDescription": "The name of the network source.", "title": "Name", "type": "string" }, @@ -154596,7 +154596,7 @@ "type": "number" }, "Protocol": { - "markdownDescription": "The network source protocol.", + "markdownDescription": "The network source protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "title": "Protocol", "type": "string" } @@ -154661,7 +154661,7 @@ }, "SourcePriority": { "$ref": "#/definitions/AWS::MediaConnect::Bridge.SourcePriority", - "markdownDescription": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams. This setting only applies when Failover Mode is set to FAILOVER.", + "markdownDescription": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams.", "title": "SourcePriority" }, "State": { 
@@ -154710,7 +154710,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } @@ -154753,7 +154753,7 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "The ARN of the bridge that you want to describe.", + "markdownDescription": "The Amazon Resource Name (ARN) of the bridge that you want to update.", "title": "BridgeArn", "type": "string" }, @@ -154764,7 +154764,7 @@ }, "NetworkOutput": { "$ref": "#/definitions/AWS::MediaConnect::BridgeOutput.BridgeNetworkOutput", - "markdownDescription": "Add a network output to an existing bridge.", + "markdownDescription": "The network output of the bridge. A network output is delivered to your premises.", "title": "NetworkOutput" } }, @@ -154800,7 +154800,7 @@ "additionalProperties": false, "properties": { "IpAddress": { - "markdownDescription": "The network output IP Address.", + "markdownDescription": "The network output IP address.", "title": "IpAddress", "type": "string" }, @@ -154810,12 +154810,12 @@ "type": "string" }, "Port": { - "markdownDescription": "The network output port.", + "markdownDescription": "The network output's port.", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The network output protocol.", + "markdownDescription": "The network output protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "title": "Protocol", "type": "string" }, 
@@ -154870,13 +154870,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "The ARN of the bridge that you want to describe.", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "FlowSource": { "$ref": "#/definitions/AWS::MediaConnect::BridgeSource.BridgeFlowSource", - "markdownDescription": "Add a flow source to an existing bridge.", + "markdownDescription": "The source of the flow.", "title": "FlowSource" }, "Name": { @@ -154886,7 +154886,7 @@ }, "NetworkSource": { "$ref": "#/definitions/AWS::MediaConnect::BridgeSource.BridgeNetworkSource", - "markdownDescription": "Add a network source to an existing bridge.", + "markdownDescription": "The source of the network.", "title": "NetworkSource" } }, @@ -154955,7 +154955,7 @@ "type": "number" }, "Protocol": { - "markdownDescription": "The network source protocol.", + "markdownDescription": "The network source protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "title": "Protocol", "type": "string" } @@ -154972,7 +154972,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } 
@@ -155096,12 +155096,12 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "markdownDescription": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", "title": "RoleArn", "type": "string" }, "SecretArn": { - "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "title": "SecretArn", "type": "string" }, @@ -155125,13 +155125,13 @@ "type": "string" }, "RecoveryWindow": { - "markdownDescription": "The size of the buffer (delay) that the service maintains. A larger buffer means a longer delay in transmitting the stream, but more room for error correction. A smaller buffer means a shorter delay, but less room for error correction. You can choose a value from 100-500 ms. If you keep this field blank, the service uses the default value of 200 ms. This setting only applies when Failover Mode is set to MERGE.", + "markdownDescription": "Search window time to look for dash-7 packets.", "title": "RecoveryWindow", "type": "number" }, "SourcePriority": { "$ref": "#/definitions/AWS::MediaConnect::Flow.SourcePriority", - "markdownDescription": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams. This setting only applies when Failover Mode is set to FAILOVER.", + "markdownDescription": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams.", "title": "SourcePriority" }, "State": { 
@@ -155166,16 +155166,16 @@ "properties": { "Decryption": { "$ref": "#/definitions/AWS::MediaConnect::Flow.Encryption", - "markdownDescription": "The type of encryption that is used on the content ingested from the source.", + "markdownDescription": "The type of encryption that is used on the content ingested from this source.", "title": "Decryption" }, "Description": { - "markdownDescription": "A description of the source. This description is not visible outside of the current AWS account.", + "markdownDescription": "A description for the source. This value is not used or seen outside of the current MediaConnect account.", "title": "Description", "type": "string" }, "EntitlementArn": { - "markdownDescription": "The ARN of the entitlement that allows you to subscribe to content that comes from another AWS account. The entitlement is set by the content originator and the ARN is generated as part of the originator\u2019s flow.", + "markdownDescription": "The ARN of the entitlement that allows you to subscribe to content that comes from another AWS account. The entitlement is set by the content originator and the ARN is generated as part of the originator's flow.", "title": "EntitlementArn", "type": "string" }, @@ -155185,12 +155185,12 @@ "title": "GatewayBridgeSource" }, "IngestIp": { - "markdownDescription": "The IP address that the flow listens on for incoming content.", + "markdownDescription": "The IP address that the flow will be listening on for incoming content.", "title": "IngestIp", "type": "string" }, "IngestPort": { - "markdownDescription": "The port that the flow listens on for incoming content. If the protocol of the source is Zixi, the port must be set to 2088.", + "markdownDescription": "The port that the flow will be listening on for incoming content.", "title": "IngestPort", "type": "number" }, 
@@ -155255,12 +155255,12 @@ "type": "string" }, "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that the source content comes from.", + "markdownDescription": "The name of the VPC interface that is used for this source.", "title": "VpcInterfaceName", "type": "string" }, "WhitelistCidr": { - "markdownDescription": "The range of IP addresses that are allowed to contribute content to your source. Format the IP addresses as a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", + "markdownDescription": "The range of IP addresses that should be allowed to contribute content to your source. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", "title": "WhitelistCidr", "type": "string" } @@ -155285,7 +155285,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } @@ -155339,7 +155339,7 @@ }, "Encryption": { "$ref": "#/definitions/AWS::MediaConnect::FlowEntitlement.Encryption", - "markdownDescription": "The type of encryption that MediaConnect will use on the output that is associated with the entitlement.", + "markdownDescription": "Information about the encryption of the flow.", "title": "Encryption" }, "EntitlementStatus": { 
@@ -155429,12 +155429,12 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "markdownDescription": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", "title": "RoleArn", "type": "string" }, "SecretArn": { - "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "title": "SecretArn", "type": "string" }, @@ -155489,12 +155489,12 @@ "items": { "type": "string" }, - "markdownDescription": "The range of IP addresses that are allowed to initiate output requests to this flow. Format the IP addresses as a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", + "markdownDescription": "The range of IP addresses that should be allowed to initiate output requests to this flow. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", "title": "CidrAllowList", "type": "array" }, "Description": { - "markdownDescription": "A description of the output. This description is not visible outside of the current AWS account even if the account grants entitlements to other accounts.", + "markdownDescription": "A description of the output. This description appears only on the MediaConnect console and will not be seen by the end user.", "title": "Description", "type": "string" }, 
@@ -155505,7 +155505,7 @@ }, "Encryption": { "$ref": "#/definitions/AWS::MediaConnect::FlowOutput.Encryption", - "markdownDescription": "The encryption credentials that you want to use for the output.", + "markdownDescription": "The type of key used for the encryption. If no `keyType` is provided, the service will use the default setting (static-key). Allowable encryption types: static-key.", "title": "Encryption" }, "FlowArn": { @@ -155524,12 +155524,12 @@ "type": "number" }, "Name": { - "markdownDescription": "The name of the output. This value must be unique within the current flow.", + "markdownDescription": "The name of the bridge's output.", "title": "Name", "type": "string" }, "Port": { - "markdownDescription": "The port to use when MediaConnect distributes content to the output.", + "markdownDescription": "The port to use when content is distributed to this output.", "title": "Port", "type": "number" }, @@ -155539,7 +155539,7 @@ "type": "string" }, "RemoteId": { - "markdownDescription": "The identifier that is assigned to the Zixi receiver. This parameter applies only to outputs that use Zixi pull.", + "markdownDescription": "The remote ID for the Zixi-pull stream.", "title": "RemoteId", "type": "string" }, @@ -155555,7 +155555,7 @@ }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::FlowOutput.VpcInterfaceAttachment", - "markdownDescription": "The VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface attachment to use for this output.", "title": "VpcInterfaceAttachment" } }, 
@@ -155600,12 +155600,12 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "markdownDescription": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", "title": "RoleArn", "type": "string" }, "SecretArn": { - "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "title": "SecretArn", "type": "string" } @@ -155620,7 +155620,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } 
@@ -155664,16 +155664,16 @@ "properties": { "Decryption": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.Encryption", - "markdownDescription": "The type of encryption that is used on the content ingested from the source.", + "markdownDescription": "The type of encryption that is used on the content ingested from this source. Allowable encryption types: static-key.", "title": "Decryption" }, "Description": { - "markdownDescription": "A description of the source. This description is not visible outside of the current AWS account.", + "markdownDescription": "A description for the source. This value is not used or seen outside of the current MediaConnect account.", "title": "Description", "type": "string" }, "EntitlementArn": { - "markdownDescription": "The ARN of the entitlement that allows you to subscribe to the flow. The entitlement is set by the content originator, and the ARN is generated as part of the originator's flow.", + "markdownDescription": "The ARN of the entitlement that allows you to subscribe to this flow. The entitlement is set by the flow originator, and the ARN is generated as part of the originator's flow.", "title": "EntitlementArn", "type": "string" }, @@ -155684,7 +155684,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.GatewayBridgeSource", - "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", + "markdownDescription": "The bridge's source.", "title": "GatewayBridgeSource" }, "IngestPort": { @@ -155693,7 +155693,7 @@ "type": "number" }, "MaxBitrate": { - "markdownDescription": "The maximum bitrate for RIST, RTP, and RTP-FEC streams.", + "markdownDescription": "The smoothing max bitrate (in bps) for RIST, RTP, and RTP-FEC streams.", "title": "MaxBitrate", "type": "number" }, 
@@ -155743,12 +155743,12 @@ "type": "string" }, "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this source.", "title": "VpcInterfaceName", "type": "string" }, "WhitelistCidr": { - "markdownDescription": "The range of IP addresses that are allowed to contribute content to your source. Format the IP addresses as a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", + "markdownDescription": "The range of IP addresses that should be allowed to contribute content to your source. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", "title": "WhitelistCidr", "type": "string" } @@ -155814,12 +155814,12 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "markdownDescription": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", "title": "RoleArn", "type": "string" }, "SecretArn": { - "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "title": "SecretArn", "type": "string" }, @@ -155857,7 +155857,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } 
@@ -155905,7 +155905,7 @@ "type": "string" }, "Name": { - "markdownDescription": "The name of the VPC Interface. This value must be unique within the current flow.", + "markdownDescription": "The name for the VPC interface. This name must be unique within the flow.", "title": "Name", "type": "string" }, @@ -155918,12 +155918,12 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security groups that you want MediaConnect to use for your VPC configuration. You must include at least one security group in the request.", + "markdownDescription": "A virtual firewall to control inbound and outbound traffic.", "title": "SecurityGroupIds", "type": "array" }, "SubnetId": { - "markdownDescription": "The subnet IDs that you want to use for your VPC interface.\n\nA range of IP addresses in your VPC. When you create your VPC, you specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. When you create a subnet for your VPC, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.\n\nThe subnets that you use across all VPC interfaces on the flow must be in the same Availability Zone as the flow.", + "markdownDescription": "The subnet IDs that you want to use for your VPC interface. A range of IP addresses in your VPC. When you create your VPC, you specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. When you create a subnet for your VPC, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. The subnets that you use across all VPC interfaces on the flow must be in the same Availability Zone as the flow.", "title": "SubnetId", "type": "string" } 
@@ -156002,7 +156002,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the network. This name is used to reference the network and must be unique among networks in this gateway.", + "markdownDescription": "The name of the gateway. This name can not be modified after the gateway is created.", "title": "Name", "type": "string" }, @@ -156010,7 +156010,7 @@ "items": { "$ref": "#/definitions/AWS::MediaConnect::Gateway.GatewayNetwork" }, - "markdownDescription": "The list of networks that you want to add.", + "markdownDescription": "The list of networks in the gateway.", "title": "Networks", "type": "array" } @@ -209279,18 +209279,28 @@ "additionalProperties": false, "properties": { "ContainsHeader": { + "markdownDescription": "Whether the file has a header row, or the files each have a header row.", + "title": "ContainsHeader", "type": "boolean" }, "Delimiter": { + "markdownDescription": "The delimiter between values in the file.", + "title": "Delimiter", "type": "string" }, "Format": { + "markdownDescription": "File format.", + "title": "Format", "type": "string" }, "StartFromRow": { + "markdownDescription": "A row number to start reading data from.", + "title": "StartFromRow", "type": "number" }, "TextQualifier": { + "markdownDescription": "Text qualifier.", + "title": "TextQualifier", "type": "string" } }, 
@@ -225052,9 +225062,7 @@ "type": "string" }, "CertificateDetails": { - "$ref": "#/definitions/AWS::RDS::DBInstance.CertificateDetails", - "markdownDescription": "The details of the DB instance's server certificate.", - "title": "CertificateDetails" + "$ref": "#/definitions/AWS::RDS::DBInstance.CertificateDetails" }, "CertificateRotationRestart": { "markdownDescription": "Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate.\n\nBy default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted.\n\n> Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. \n\nIf you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate:\n\n- For more information about rotating your SSL/TLS certificate for RDS DB engines, see [Rotating Your SSL/TLS Certificate.](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon RDS User Guide.*\n- For more information about rotating your SSL/TLS certificate for Aurora DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon Aurora User Guide* .\n\nThis setting doesn't apply to RDS Custom DB instances.", 
@@ -225191,9 +225199,7 @@ "type": "boolean" }, "Endpoint": { - "$ref": "#/definitions/AWS::RDS::DBInstance.Endpoint", - "markdownDescription": "The connection endpoint for the DB instance.\n\n> The endpoint might not be shown for instances with the status of `creating` .", - "title": "Endpoint" + "$ref": "#/definitions/AWS::RDS::DBInstance.Endpoint" }, "Engine": { "markdownDescription": "The name of the database engine to use for this DB instance. Not every database engine is available in every AWS Region.\n\nThis property is required when creating a DB instance.\n\n> You can convert an Oracle database from the non-CDB architecture to the container database (CDB) architecture by updating the `Engine` value in your templates from `oracle-ee` to `oracle-ee-cdb` or from `oracle-se2` to `oracle-se2-cdb` . Converting to the CDB architecture requires an interruption. \n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `db2-ae`\n- `db2-se`\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", @@ -226836,7 +226842,7 @@ "type": "boolean" }, "Domain": { - "markdownDescription": "The top-level internet domain name for which your application has administrative authority. This parameter is required.", + "markdownDescription": "The top-level internet domain name for which your application has administrative authority. This parameter or the `DomainList` parameter is required.", "title": "Domain", "type": "string" }, 
@@ -232089,7 +232095,7 @@ "items": { "$ref": "#/definitions/AWS::Route53::HostedZone.HostedZoneTag" }, - "markdownDescription": "Adds, edits, or deletes tags for a health check or a hosted zone.\n\nFor information about using tags for cost allocation, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing and Cost Management User Guide* .", + "markdownDescription": "Adds, edits, or deletes tags for a health check or a hosted zone.\n\nFor information about using tags for cost allocation, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *Billing and Cost Management User Guide* .", "title": "HostedZoneTags", "type": "array" }, @@ -243473,7 +243479,7 @@ }, "ChatChannel": { "$ref": "#/definitions/AWS::SSMIncidents::ResponsePlan.ChatChannel", - "markdownDescription": "The AWS Chatbot chat channel used for collaboration during an incident.", + "markdownDescription": "The chat channel used for collaboration during an incident.", "title": "ChatChannel" }, "DisplayName": { @@ -243561,7 +243567,7 @@ "items": { "type": "string" }, - "markdownDescription": "The Amazon SNS targets that AWS Chatbot uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel by using the Amazon SNS topics", + "markdownDescription": "The Amazon SNS targets that uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel by using the Amazon SNS topics", "title": "ChatbotSns", "type": "array" } 
@@ -243624,7 +243630,7 @@ "items": { "$ref": "#/definitions/AWS::SSMIncidents::ResponsePlan.NotificationTargetItem" }, - "markdownDescription": "The Amazon Simple Notification Service ( Amazon SNS ) targets that AWS Chatbot uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel using the Amazon SNS topics.", + "markdownDescription": "The Amazon Simple Notification Service ( Amazon SNS ) targets that uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel using the Amazon SNS topics.", "title": "NotificationTargets", "type": "array" }, @@ -257084,7 +257090,7 @@ "type": "number" }, "StorageClass": { - "markdownDescription": "The list of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. The default storage class is S3 Standard.", + "markdownDescription": "The list of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. The default storage class is *S3 Standard* . For information about other storage classes, see [Setting the storage class of an object](https://docs.aws.amazon.com/AmazonS3/latest/userguide/sc-howtoset.html) in the *Amazon S3 User Guide* .", "title": "StorageClass", "type": "string" } 
@@ -268188,7 +268194,7 @@ "type": "array" }, "Scope": { - "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", + "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "title": "Scope", "type": "string" }, 
@@ -268314,7 +268320,7 @@ "type": "array" }, "Scope": { - "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", + "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "title": "Scope", "type": "string" }, 
@@ -268403,7 +268409,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -268651,7 +268657,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { 
@@ -268671,7 +268677,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { 
@@ -268886,7 +268892,7 @@ "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -269663,7 +269669,7 @@ "type": "array" }, "Scope": { - "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", + "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", "title": "Scope", "type": "string" }, 
@@ -269861,7 +269867,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -270153,7 +270159,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { 
@@ -270173,7 +270179,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::WebACL.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { 
@@ -270388,7 +270394,7 @@ "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -271508,7 +271514,7 @@ "additionalProperties": false, "properties": { "ResourceArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the resource to associate with the web ACL.\n\nThe ARN must be in one of the following formats:\n\n- For an Application Load Balancer: `arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`\n- For an Amazon API Gateway REST API: `arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`\n- For an AWS AppSync GraphQL API: `arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*`\n- For an Amazon Cognito user pool: `arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`\n- For an AWS App Runner service: `arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*`\n- For an AWS Verified Access instance: `arn: *partition* :ec2: *region* : *account-id* :verified-access-instance/ *instance-id*`", + "markdownDescription": "The Amazon Resource Name (ARN) of the resource to associate with the web ACL.\n\nThe ARN must be in one of the following formats:\n\n- For an Application Load Balancer: `arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`\n- For an Amazon API Gateway REST API: `arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`\n- For an AWS AppSync GraphQL API: `arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*`\n- For an Amazon Cognito user pool: `arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`\n- For an AWS App Runner service: `arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*`\n- For an AWS Verified Access instance: `arn: *partition* :ec2: *region* : *account-id* :verified-access-instance/ 
*instance-id*`\n- For an AWS Amplify instance: `arn: *partition* :amplify: *region* : *account-id* :apps/ *app-id*`", "title": "ResourceArn", "type": "string" }, @@ -273498,6 +273504,19 @@ ], "type": "object" }, + "AccessAssociation": { + "additionalProperties": false, + "properties": { + "VpcEndpointId": { + "$ref": "#/definitions/PassThroughProp" + } + }, + "required": [ + "VpcEndpointId" + ], + "title": "AccessAssociation", + "type": "object" + }, "Alexa::ASK::Skill": { "additionalProperties": false, "properties": { @@ -277217,6 +277236,9 @@ "samtranslator__internal__schema_source__aws_serverless_api__Domain": { "additionalProperties": false, "properties": { + "AccessAssociation": { + "$ref": "#/definitions/AccessAssociation" + }, "BasePath": { "allOf": [ { @@ -277623,6 +277645,9 @@ "markdownDescription": "Version of OpenApi to use\\. This can either be `2.0` for the Swagger specification, or one of the OpenApi 3\\.0 versions, like `3.0.1`\\. For more information about OpenAPI, see the [OpenAPI Specification](https://swagger.io/specification/)\\. \n AWS SAM creates a stage called `Stage` by default\\. Setting this property to any valid value will prevent the creation of the stage `Stage`\\. \n*Type*: String \n*Required*: No \n*AWS CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent\\.", "title": "OpenApiVersion" }, + "Policy": { + "$ref": "#/definitions/PassThroughProp" + }, "PropagateTags": { "title": "Propagatetags", "type": "boolean" @@ -277933,6 +277958,12 @@ }, "SetIdentifier": { "$ref": "#/definitions/PassThroughProp" + }, + "VpcEndpointDomainName": { + "$ref": "#/definitions/PassThroughProp" + }, + "VpcEndpointHostedZoneId": { + "$ref": "#/definitions/PassThroughProp" } }, "title": "Route53", diff --git a/schema_source/cloudformation-docs.json b/schema_source/cloudformation-docs.json index 18914382a..41a09c269 100644 --- a/schema_source/cloudformation-docs.json 
+++ b/schema_source/cloudformation-docs.json 
@@ -265,7 +265,7 @@ "Status": "" }, "AWS::ARCZonalShift::ZonalAutoshiftConfiguration": { - "PracticeRunConfiguration": "A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. When a resource has a practice run configuration, Route 53 ARC shifts traffic for the resource weekly for practice runs.\n\nPractice runs are required for zonal autoshift. The zonal shifts that Route 53 ARC starts for practice runs help you to ensure that shifting away traffic from an Availability Zone during an autoshift is safe for your application.\n\nYou can update or delete a practice run configuration. Before you delete a practice run configuration, you must disable zonal autoshift for the resource. A practice run configuration is required when zonal autoshift is enabled.", + "PracticeRunConfiguration": "A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. When a resource has a practice run configuration, ARC shifts traffic for the resource weekly for practice runs.\n\nPractice runs are required for zonal autoshift. The zonal shifts that ARC starts for practice runs help you to ensure that shifting away traffic from an Availability Zone during an autoshift is safe for your application.\n\nYou can update or delete a practice run configuration. Before you delete a practice run configuration, you must disable zonal autoshift for the resource. A practice run configuration is required when zonal autoshift is enabled.", "ResourceIdentifier": "The identifier for the resource that AWS shifts traffic for. 
The identifier is the Amazon Resource Name (ARN) for the resource.\n\nAt this time, supported resources are Network Load Balancers and Application Load Balancers with cross-zone load balancing turned off.", "ZonalAutoshiftStatus": "When zonal autoshift is `ENABLED` , you authorize AWS to shift away resource traffic for an application from an Availability Zone during events, on your behalf, to help reduce time to recovery. Traffic is also shifted away for the required weekly practice runs." }, @@ -406,6 +406,7 @@ "BasicAuthConfig": "The credentials for basic authorization for an Amplify app. You must base64-encode the authorization credentials and provide them in the format `user:password` .", "BuildSpec": "The build specification (build spec) for an Amplify app.", "CacheConfig": "The cache configuration for the Amplify app. If you don't specify the cache configuration `type` , Amplify uses the default `AMPLIFY_MANAGED` setting.", + "ComputeRoleArn": "The Amazon Resource Name (ARN) of the IAM role for an SSR app. The Compute role allows the Amplify Hosting compute service to securely access specific AWS resources based on the role's permissions. For more information about the SSR Compute role, see [Adding an SSR Compute role](https://docs.aws.amazon.com/amplify/latest/userguide/amplify-SSR-compute-role.html) in the *Amplify User Guide* .", "CustomHeaders": "The custom HTTP headers for an Amplify app.", "CustomRules": "The custom rewrite and redirect rules for an Amplify app.", "Description": "The description of the Amplify app.", 
@@ -459,10 +460,12 @@ "BasicAuthConfig": "The basic authorization credentials for a branch of an Amplify app. You must base64-encode the authorization credentials and provide them in the format `user:password` .", "BranchName": "The name for the branch.", "BuildSpec": "The build specification (build spec) for the branch.", + "ComputeRoleArn": "The Amazon Resource Name (ARN) of the IAM role to assign to a branch of an SSR app. The SSR Compute role allows the Amplify Hosting compute service to securely access specific AWS resources based on the role's permissions. For more information about the SSR Compute role, see [Adding an SSR Compute role](https://docs.aws.amazon.com/amplify/latest/userguide/amplify-SSR-compute-role.html) in the *Amplify User Guide* .", "Description": "The description for the branch that is part of an Amplify app.", "EnableAutoBuild": "Enables auto building for the branch.", "EnablePerformanceMode": "Enables performance mode for the branch.\n\nPerformance mode optimizes for faster hosting performance by keeping content cached at the edge for a longer interval. When performance mode is enabled, hosting configuration or code changes can take up to 10 minutes to roll out.", "EnablePullRequestPreview": "Specifies whether Amplify Hosting creates a preview for each pull request that is made for this branch. If this property is enabled, Amplify deploys your app to a unique preview URL after each pull request is opened. Development and QA teams can use this preview to test the pull request before it's merged into a production or integration branch.\n\nTo provide backend support for your preview, Amplify automatically provisions a temporary backend environment that it deletes when the pull request is closed. 
If you want to specify a dedicated backend environment for your previews, use the `PullRequestEnvironmentName` property.\n\nFor more information, see [Web Previews](https://docs.aws.amazon.com/amplify/latest/userguide/pr-previews.html) in the *AWS Amplify Hosting User Guide* .", + "EnableSkewProtection": "Specifies whether the skew protection feature is enabled for the branch.\n\nDeployment skew protection is available to Amplify applications to eliminate version skew issues between client and servers in web applications. When you apply skew protection to a branch, you can ensure that your clients always interact with the correct version of server-side assets, regardless of when a deployment occurs. For more information about skew protection, see [Skew protection for Amplify deployments](https://docs.aws.amazon.com/amplify/latest/userguide/skew-protection.html) in the *Amplify User Guide* .", "EnvironmentVariables": "The environment variables for the branch.", "Framework": "The framework for the branch.", "PullRequestEnvironmentName": "If pull request previews are enabled for this branch, you can use this property to specify a dedicated backend environment for your previews. For example, you could specify an environment named `prod` , `test` , or `dev` that you initialized with the Amplify CLI and mapped to this branch.\n\nTo enable pull request previews, set the `EnablePullRequestPreview` property to `true` .\n\nIf you don't specify an environment, Amplify Hosting provides backend support for each preview by automatically provisioning a temporary backend environment. Amplify Hosting deletes this environment when the pull request is closed.\n\nFor more information about creating backend environments, see [Feature Branch Deployments and Team Workflows](https://docs.aws.amazon.com/amplify/latest/userguide/multi-environments.html) in the *AWS Amplify Hosting User Guide* .", 
@@ -884,7 +887,7 @@ "AWS::ApiGateway::DomainName": { "CertificateArn": "The reference to an AWS -managed certificate that will be used by edge-optimized endpoint or private endpoint for this domain name. AWS Certificate Manager is the only supported source.", "DomainName": "The custom domain name as an API host name, for example, `my-api.example.com` .", - "EndpointConfiguration": "The endpoint configuration of this DomainName showing the endpoint types of the domain name.", + "EndpointConfiguration": "The endpoint configuration of this DomainName showing the endpoint types and IP address types of the domain name.", "MutualTlsAuthentication": "The mutual TLS authentication configuration for a custom domain name. If specified, API Gateway performs two-way authentication between the client and the server. Clients must present a trusted certificate to access your API.", "OwnershipVerificationCertificateArn": "The ARN of the public certificate issued by ACM to validate ownership of your custom domain. Only required when configuring mutual TLS and using an ACM imported or private CA certificate ARN as the RegionalCertificateArn.", "RegionalCertificateArn": "The reference to an AWS -managed certificate that will be used for validating the regional domain name. AWS Certificate Manager is the only supported source.", 
@@ -892,6 +895,7 @@ "Tags": "The collection of tags. Each tag element is associated with a given resource." }, "AWS::ApiGateway::DomainName EndpointConfiguration": { + "IpAddressType": "The IP address types that can invoke this DomainName. Use `ipv4` to allow only IPv4 addresses to invoke this DomainName, or use `dualstack` to allow both IPv4 and IPv6 addresses to invoke this DomainName. For the `PRIVATE` endpoint type, only `dualstack` is supported.", "Types": "A list of endpoint types of an API (RestApi) or its custom domain name (DomainName). For an edge-optimized API and its custom domain name, the endpoint type is `\"EDGE\"` . For a regional API and its custom domain name, the endpoint type is `REGIONAL` . For a private API, the endpoint type is `PRIVATE` ." }, "AWS::ApiGateway::DomainName MutualTlsAuthentication": { 
@@ -915,7 +919,7 @@ "AWS::ApiGateway::DomainNameV2": { "CertificateArn": "The reference to an AWS -managed certificate that will be used by the private endpoint for this domain name. AWS Certificate Manager is the only supported source.", "DomainName": "Represents a custom domain name as a user-friendly host name of an API (RestApi).", - "EndpointConfiguration": "The endpoint configuration to indicate the types of endpoints an API (RestApi) or its custom domain name (DomainName) has.", + "EndpointConfiguration": "The endpoint configuration to indicate the types of endpoints an API (RestApi) or its custom domain name (DomainName) has and the IP address types that can invoke it.", "Policy": "A stringified JSON policy document that applies to the `execute-api` service for this DomainName regardless of the caller and Method configuration. You can use `Fn::ToJsonString` to enter your `policy` . For more information, see [Fn::ToJsonString](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ToJsonString.html) .", "SecurityPolicy": "The Transport Layer Security (TLS) version + cipher suite for this DomainName. Only `TLS_1_2` is supported.", "Tags": "The collection of tags. Each tag element is associated with a given resource." 
@@ -1003,7 +1007,7 @@ "CloneFrom": "The ID of the RestApi that you want to clone from.", "Description": "The description of the RestApi.", "DisableExecuteApiEndpoint": "Specifies whether clients can invoke your API by using the default `execute-api` endpoint. By default, clients can invoke your API with the default `https://{api_id}.execute-api.{region}.amazonaws.com` endpoint. To require that clients use a custom domain name to invoke your API, disable the default endpoint", - "EndpointConfiguration": "A list of the endpoint types of the API. Use this property when creating an API. When importing an existing API, specify the endpoint configuration types using the `Parameters` property.", + "EndpointConfiguration": "A list of the endpoint types and IP address types of the API. Use this property when creating an API. When importing an existing API, specify the endpoint configuration types using the `Parameters` property.", "FailOnWarnings": "A query parameter to indicate whether to rollback the API update ( `true` ) or not ( `false` ) when a warning is encountered. The default value is `false` .", "MinimumCompressionSize": "A nullable integer that is used to enable compression (with non-negative between 0 and 10485760 (10M) bytes, inclusive) or disable compression (with a null value) on an API. When compression is enabled, compression or decompression is not applied on the payload if the payload size is smaller than this value. Setting it to zero allows compression for any payload size.", "Mode": "This property applies only when you use OpenAPI to define your REST API. The `Mode` determines how API Gateway handles resource updates.\n\nValid values are `overwrite` or `merge` .\n\nFor `overwrite` , the new API definition replaces the existing one. The existing API identifier remains unchanged.\n\nFor `merge` , the new API definition is merged with the existing API.\n\nIf you don't specify this property, a default value is chosen. 
For REST APIs created before March 29, 2021, the default is `overwrite` . For REST APIs created after March 29, 2021, the new API definition takes precedence, but any container types such as endpoint configurations and binary media types are merged with the existing API.\n\nUse the default mode to define top-level `RestApi` properties in addition to using OpenAPI. Generally, it's preferred to use API Gateway's OpenAPI extensions to model these properties.", @@ -1013,6 +1017,7 @@ "Tags": "The key-value map of strings. The valid character set is [a-zA-Z+-=._:/]. The tag key can be up to 128 characters and must not start with `aws:` . The tag value can be up to 256 characters." }, "AWS::ApiGateway::RestApi EndpointConfiguration": { + "IpAddressType": "The IP address types that can invoke an API (RestApi). Use `ipv4` to allow only IPv4 addresses to invoke an API, or use `dualstack` to allow both IPv4 and IPv6 addresses to invoke an API. For the `PRIVATE` endpoint type, only `dualstack` is supported.", "Types": "A list of endpoint types of an API (RestApi) or its custom domain name (DomainName). For an edge-optimized API and its custom domain name, the endpoint type is `\"EDGE\"` . For a regional API and its custom domain name, the endpoint type is `REGIONAL` . For a private API, the endpoint type is `PRIVATE` .", "VpcEndpointIds": "A list of VpcEndpointIds of an API (RestApi) against which to create Route53 ALIASes. It is only supported for `PRIVATE` endpoint type." }, 
@@ -1338,7 +1343,7 @@ }, "AWS::AppConfig::ConfigurationProfile": { "ApplicationId": "The application ID.", - "DeletionProtectionCheck": "", + "DeletionProtectionCheck": "A parameter to configure deletion protection. Deletion protection prevents a user from deleting a configuration profile if your application has called either [GetLatestConfiguration](https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_GetLatestConfiguration.html) or [GetConfiguration](https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_GetConfiguration.html) for the configuration profile during the specified interval.\n\nThis parameter supports the following values:\n\n- `BYPASS` : Instructs AWS AppConfig to bypass the deletion protection check and delete a configuration profile even if deletion protection would have otherwise prevented it.\n- `APPLY` : Instructs the deletion protection check to run, even if deletion protection is disabled at the account level. `APPLY` also forces the deletion protection check to run against resources created in the past hour, which are normally excluded from deletion protection checks.\n- `ACCOUNT_DEFAULT` : The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the `UpdateAccountSettings` API.", "Description": "A description of the configuration profile.", "KmsKeyIdentifier": "The AWS Key Management Service key identifier (key ID, key alias, or key ARN) provided when the resource was created or updated.", "LocationUri": "A URI to locate the configuration. 
You can specify the following:\n\n- For the AWS AppConfig hosted configuration store and for feature flags, specify `hosted` .\n- For an AWS Systems Manager Parameter Store parameter, specify either the parameter name in the format `ssm-parameter://` or the ARN.\n- For an AWS CodePipeline pipeline, specify the URI in the following format: `codepipeline` ://.\n- For an AWS Secrets Manager secret, specify the URI in the following format: `secretsmanager` ://.\n- For an Amazon S3 object, specify the URI in the following format: `s3:///` . Here is an example: `s3://amzn-s3-demo-bucket/my-app/us-east-1/my-config.json`\n- For an SSM document, specify either the document name in the format `ssm-document://` or the Amazon Resource Name (ARN).", @@ -1373,8 +1378,8 @@ "ParameterValue": "The parameter value." }, "AWS::AppConfig::Deployment Tag": { - "Key": "", - "Value": "" + "Key": "The tag key.", + "Value": "An optional tag value." }, "AWS::AppConfig::DeploymentStrategy": { "DeploymentDurationInMinutes": "Total amount of time for a deployment to last.", 
@@ -1392,7 +1397,7 @@ }, "AWS::AppConfig::Environment": { "ApplicationId": "The application ID.", - "DeletionProtectionCheck": "", + "DeletionProtectionCheck": "A parameter to configure deletion protection. Deletion protection prevents a user from deleting an environment if your application called either [GetLatestConfiguration](https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_GetLatestConfiguration.html) or [GetConfiguration](https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_GetConfiguration.html) in the environment during the specified interval.\n\nThis parameter supports the following values:\n\n- `BYPASS` : Instructs AWS AppConfig to bypass the deletion protection check and delete a configuration profile even if deletion protection would have otherwise prevented it.\n- `APPLY` : Instructs the deletion protection check to run, even if deletion protection is disabled at the account level. `APPLY` also forces the deletion protection check to run against resources created in the past hour, which are normally excluded from deletion protection checks.\n- `ACCOUNT_DEFAULT` : The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the `UpdateAccountSettings` API.", "Description": "A description of the environment.", "Monitors": "Amazon CloudWatch alarms to monitor during the deployment process.", "Name": "A name for the environment.", 
@@ -1416,7 +1421,7 @@ }, "AWS::AppConfig::Extension Action": { "Description": "Information about actions defined in the extension.", - "Name": "The action name.", + "Name": "The extension name.", "RoleArn": "An Amazon Resource Name (ARN) for an AWS Identity and Access Management assume role.", "Uri": "The extension URI associated to the action point in the extension definition. The URI can be an Amazon Resource Name (ARN) for one of the following: an AWS Lambda function, an Amazon Simple Queue Service queue, an Amazon Simple Notification Service topic, or the Amazon EventBridge default event bus." }, @@ -1438,7 +1443,7 @@ }, "AWS::AppConfig::ExtensionAssociation Tag": { "Key": "A key and optional value to help you categorize resources.", - "Value": "" + "Value": "An optional tag value." }, "AWS::AppConfig::HostedConfigurationVersion": { "ApplicationId": "The application ID.", 
@@ -5466,7 +5471,7 @@ }, "AWS::Bedrock::DataSource BedrockFoundationModelContextEnrichmentConfiguration": { "EnrichmentStrategyConfiguration": "The enrichment stategy used to provide additional context. For example, Neptune GraphRAG uses Amazon Bedrock foundation models to perform chunk entity extraction.", - "ModelArn": "The Amazon Resource Name (ARN) of the foundation model used for context enrichment." + "ModelArn": "The Amazon Resource Name (ARN) of the model used to create vector embeddings for the knowledge base." }, "AWS::Bedrock::DataSource ChunkingConfiguration": { "ChunkingStrategy": "Knowledge base can split your source data into chunks. A *chunk* refers to an excerpt from a data source that is returned when the knowledge base that it belongs to is queried. You have the following options for chunking your data. If you opt for `NONE` , then you may want to pre-process your files by splitting them up such that each file corresponds to a chunk.\n\n- `FIXED_SIZE` \u2013 Amazon Bedrock splits your source data into chunks of the approximate size that you set in the `fixedSizeChunkingConfiguration` .\n- `HIERARCHICAL` \u2013 Split documents into layers of chunks where the first layer contains large chunks, and the second layer contains smaller chunks derived from the first layer.\n- `SEMANTIC` \u2013 Split documents into chunks based on groups of similar content derived with natural language processing.\n- `NONE` \u2013 Amazon Bedrock treats each file as one chunk. If you choose this option, you may want to pre-process your documents by splitting them into separate files.", 
@@ -6244,7 +6249,7 @@ "AWS::Bedrock::Prompt ToolChoice": { "Any": "The model must request at least one tool (no text is generated).", "Auto": "(Default). The Model automatically decides if a tool should be called or whether to generate text instead.", - "Tool": "The Model must request the specified tool. Only supported by Amazon Nova models and Anthropic Claude 3 models." + "Tool": "The Model must request the specified tool. Only supported by Anthropic Claude 3 models." }, "AWS::Bedrock::Prompt ToolConfiguration": { "ToolChoice": "If supported by model, forces the model to request a tool.", @@ -6335,7 +6340,7 @@ "AWS::Bedrock::PromptVersion ToolChoice": { "Any": "The model must request at least one tool (no text is generated).", "Auto": "(Default). The Model automatically decides if a tool should be called or whether to generate text instead.", - "Tool": "The Model must request the specified tool. Only supported by Amazon Nova models and Anthropic Claude 3 models." + "Tool": "The Model must request the specified tool. Only supported by Anthropic Claude 3 models." }, "AWS::Bedrock::PromptVersion ToolConfiguration": { "ToolChoice": "If supported by model, forces the model to request a tool.", 
@@ -6453,7 +6458,7 @@ "CostFilters": "The cost filters, such as `Region` , `Service` , `LinkedAccount` , `Tag` , or `CostCategory` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", "CostTypes": "The types of costs that are included in this `COST` budget.\n\n`USAGE` , `RI_UTILIZATION` , `RI_COVERAGE` , `SAVINGS_PLANS_UTILIZATION` , and `SAVINGS_PLANS_COVERAGE` budgets do not have `CostTypes` .", "PlannedBudgetLimits": "A map containing multiple `BudgetLimit` , including current or future limits.\n\n`PlannedBudgetLimits` is available for cost or usage budget and supports both monthly and quarterly `TimeUnit` .\n\nFor monthly budgets, provide 12 months of `PlannedBudgetLimits` values. This must start from the current month and include the next 11 months. The `key` is the start of the month, `UTC` in epoch seconds.\n\nFor quarterly budgets, provide four quarters of `PlannedBudgetLimits` value entries in standard calendar quarter increments. This must start from the current quarter and include the next three quarters. The `key` is the start of the quarter, `UTC` in epoch seconds.\n\nIf the planned budget expires before 12 months for monthly or four quarters for quarterly, provide the `PlannedBudgetLimits` values only for the remaining periods.\n\nIf the budget begins at a date in the future, provide `PlannedBudgetLimits` values from the start date of the budget.\n\nAfter all of the `BudgetLimit` values in `PlannedBudgetLimits` are used, the budget continues to use the last limit as the `BudgetLimit` . At that point, the planned budget provides the same experience as a fixed budget.\n\n`DescribeBudget` and `DescribeBudgets` response along with `PlannedBudgetLimits` also contain `BudgetLimit` representing the current month or quarter limit present in `PlannedBudgetLimits` . 
This only applies to budgets that are created with `PlannedBudgetLimits` . Budgets that are created without `PlannedBudgetLimits` only contain `BudgetLimit` . They don't contain `PlannedBudgetLimits` .", - "TimePeriod": "The period of time that is covered by a budget. The period has a start date and an end date. The start date must come before the end date. There are no restrictions on the end date.\n\nThe start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nAfter the end date, AWS deletes the budget and all associated notifications and subscribers.", + "TimePeriod": "The period of time that is covered by a budget. The period has a start date and an end date. The start date must come before the end date. There are no restrictions on the end date.\n\nThe start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nAfter the end date, AWS deletes the budget and all associated notifications and subscribers.", "TimeUnit": "The length of time until a budget resets the actual and forecasted spend. `DAILY` is available only for `RI_UTILIZATION` and `RI_COVERAGE` budgets." 
}, "AWS::Budgets::Budget CostTypes": { 
@@ -6495,8 +6500,8 @@ "SubscriptionType": "The type of notification that AWS sends to a subscriber." }, "AWS::Budgets::Budget TimePeriod": { - "End": "The end date for a budget. If you didn't specify an end date, AWS set your end date to `06/15/87 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nAfter the end date, AWS deletes the budget and all the associated notifications and subscribers. You can change your end date with the `UpdateBudget` operation.", - "Start": "The start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nValid values depend on the value of `BudgetType` :\n\n- If `BudgetType` is `COST` or `USAGE` : Valid values are `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .\n- If `BudgetType` is `RI_UTILIZATION` or `RI_COVERAGE` : Valid values are `DAILY` , `MONTHLY` , `QUARTERLY` , and `ANNUALLY` ." + "End": "The end date for a budget. If you didn't specify an end date, AWS set your end date to `06/15/87 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nAfter the end date, AWS deletes the budget and all the associated notifications and subscribers. You can change your end date with the `UpdateBudget` operation.", + "Start": "The start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). 
For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nValid values depend on the value of `BudgetType` :\n\n- If `BudgetType` is `COST` or `USAGE` : Valid values are `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .\n- If `BudgetType` is `RI_UTILIZATION` or `RI_COVERAGE` : Valid values are `DAILY` , `MONTHLY` , `QUARTERLY` , and `ANNUALLY` ." }, "AWS::Budgets::BudgetsAction": { "ActionThreshold": "The trigger threshold of the action.", @@ -6603,7 +6608,7 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::Cassandra::Keyspace ReplicationSpecification": { - "RegionList": "Specifies the AWS Regions that the keyspace is replicated in. You must specify at least two and up to six Regions, including the Region that the keyspace is being created in.", + "RegionList": "Specifies the AWS Regions that the keyspace is replicated in. You must specify at least two Regions, including the Region that the keyspace is being created in.", "ReplicationStrategy": "The options are:\n\n- `SINGLE_REGION` (optional)\n- `MULTI_REGION`\n\nIf no value is specified, the default is `SINGLE_REGION` . If `MULTI_REGION` is specified, `RegionList` is required." }, "AWS::Cassandra::Keyspace Tag": { 
@@ -7953,7 +7958,7 @@ "AWS::CloudTrail::EventDataStore AdvancedFieldSelector": { "EndsWith": "An operator that includes events that match the last few characters of the event record field specified as the value of `Field` .", "Equals": "An operator that includes events that match the exact value of the event record field specified as the value of `Field` . This is the only valid operator that you can use with the `readOnly` , `eventCategory` , and `resources.type` fields.", - "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. 
\n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source.\n\nThe following are valid values for network activity events:\n\n- `cloudtrail.amazonaws.com`\n- `ec2.amazonaws.com`\n- `kms.amazonaws.com`\n- `s3.amazonaws.com`\n- `secretsmanager.amazonaws.com`\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. 
You can use any operator with `vpcEndpointId` .", + "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. For a list of services supporting network activity events, see [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide* .\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. 
You can use any operator with `vpcEndpointId` .", "NotEndsWith": "An operator that excludes events that match the last few characters of the event record field specified as the value of `Field` .", "NotEquals": "An operator that excludes events that match the exact value of the event record field specified as the value of `Field` .", "NotStartsWith": "An operator that excludes events that match the first few characters of the event record field specified as the value of `Field` .", 
@@ -7995,7 +8000,7 @@ "AWS::CloudTrail::Trail AdvancedFieldSelector": { "EndsWith": "An operator that includes events that match the last few characters of the event record field specified as the value of `Field` .", "Equals": "An operator that includes events that match the exact value of the event record field specified as the value of `Field` . This is the only valid operator that you can use with the `readOnly` , `eventCategory` , and `resources.type` fields.", - "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. 
\n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source.\n\nThe following are valid values for network activity events:\n\n- `cloudtrail.amazonaws.com`\n- `ec2.amazonaws.com`\n- `kms.amazonaws.com`\n- `s3.amazonaws.com`\n- `secretsmanager.amazonaws.com`\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. 
You can use any operator with `vpcEndpointId` .", + "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. For a list of services supporting network activity events, see [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide* .\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. 
You can use any operator with `vpcEndpointId` .", "NotEndsWith": "An operator that excludes events that match the last few characters of the event record field specified as the value of `Field` .", "NotEquals": "An operator that excludes events that match the exact value of the event record field specified as the value of `Field` .", "NotStartsWith": "An operator that excludes events that match the first few characters of the event record field specified as the value of `Field` .", 
@@ -8942,12 +8947,12 @@ "Resource": "The Amazon Resource Name (ARN) of the resource to associate with the notification rule. Supported resources include pipelines in AWS CodePipeline , repositories in AWS CodeCommit , and build projects in AWS CodeBuild .", "Status": "The status of the notification rule. The default value is `ENABLED` . If the status is set to `DISABLED` , notifications aren't sent for the notification rule.", "Tags": "A list of tags to apply to this notification rule. Key names cannot start with \" `aws` \".", - "TargetAddress": "The Amazon Resource Name (ARN) of the Amazon SNS topic or AWS Chatbot client.", - "Targets": "A list of Amazon Resource Names (ARNs) of Amazon SNS topics and AWS Chatbot clients to associate with the notification rule." + "TargetAddress": "The Amazon Resource Name (ARN) of the Amazon SNS topic or client.", + "Targets": "A list of Amazon Resource Names (ARNs) of Amazon SNS topics and clients to associate with the notification rule." }, "AWS::CodeStarNotifications::NotificationRule Target": { - "TargetAddress": "The Amazon Resource Name (ARN) of the AWS Chatbot topic or AWS Chatbot client.", - "TargetType": "The target type. Can be an Amazon Simple Notification Service topic or AWS Chatbot client.\n\n- Amazon Simple Notification Service topics are specified as `SNS` .\n- AWS Chatbot clients are specified as `AWSChatbotSlack` .\n- AWS Chatbot clients for Microsoft Teams are specified as `AWSChatbotMicrosoftTeams` ." + "TargetAddress": "The Amazon Resource Name (ARN) of the topic or client.", + "TargetType": "The target type. Can be an Amazon Simple Notification Service topic or client.\n\n- Amazon Simple Notification Service topics are specified as `SNS` .\n- clients are specified as `AWSChatbotSlack` .\n- clients for Microsoft Teams are specified as `AWSChatbotMicrosoftTeams` ." }, "AWS::Cognito::IdentityPool": { "AllowClassicFlow": "Enables the Basic (Classic) authentication flow.", 
@@ -9431,7 +9436,7 @@ "EvaluationModes": "The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.", "InputParameters": "A string, in JSON format, that is passed to the AWS Config rule Lambda function.", "MaximumExecutionFrequency": "The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for `MaximumExecutionFrequency` when:\n\n- You are using an AWS managed rule that is triggered at a periodic frequency.\n- Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html) .\n\n> By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter.", - "Scope": "Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.\n\n> Scope is only supported for change-triggered rules. Scope is not supported for periodic or hybrid rules.", + "Scope": "Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. 
If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.", "Source": "Provides the rule owner ( `AWS` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources." }, "AWS::Config::ConfigRule Compliance": { @@ -13889,6 +13894,13 @@ "Count": "The number of elastic inference accelerators to attach to the instance.", "Type": "The type of elastic inference accelerator. The possible values are `eia1.medium` , `eia1.large` , `eia1.xlarge` , `eia2.medium` , `eia2.large` , and `eia2.xlarge` ." }, + "AWS::EC2::Instance EnaSrdSpecification": { + "EnaSrdEnabled": "Indicates whether ENA Express is enabled for the network interface.", + "EnaSrdUdpSpecification": "Configures ENA Express for UDP network traffic." + }, + "AWS::EC2::Instance EnaSrdUdpSpecification": { + "EnaSrdUdpEnabled": "Indicates whether UDP traffic to and from the instance uses ENA Express. To specify this setting, you must first enable ENA Express." + }, "AWS::EC2::Instance EnclaveOptions": { "Enabled": "If this parameter is set to `true` , the instance is enabled for AWS Nitro Enclaves; otherwise, it is not enabled for AWS Nitro Enclaves." }, 
@@ -13912,6 +13924,7 @@ "DeleteOnTermination": "Indicates whether the network interface is deleted when the instance is terminated. Applies only if creating a network interface when launching an instance.", "Description": "The description of the network interface. Applies only if creating a network interface when launching an instance.", "DeviceIndex": "The position of the network interface in the attachment order. A primary network interface has a device index of 0.\n\nIf you create a network interface when launching an instance, you must specify the device index.", + "EnaSrdSpecification": "", "GroupSet": "The IDs of the security groups for the network interface. Applies only if creating a network interface when launching an instance.", "Ipv6AddressCount": "A number of IPv6 addresses to assign to the network interface. Amazon EC2 chooses the IPv6 addresses from the range of the subnet. You cannot specify this option and the option to assign specific IPv6 addresses in the same request. You can specify this option if you've specified a minimum number of instances to launch.", "Ipv6Addresses": "The IPv6 addresses to assign to the network interface. You cannot specify this option and the option to assign a number of IPv6 addresses in the same request. You cannot specify this option if you've specified a minimum number of instances to launch.", 
@@ -16251,6 +16264,7 @@ "BootstrapSelfManagedAddons": "If you set this value to `False` when creating a cluster, the default networking add-ons will not be installed.\n\nThe default networking addons include vpc-cni, coredns, and kube-proxy.\n\nUse this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.", "ComputeConfig": "Indicates the current configuration of the compute capability on your EKS Auto Mode cluster. For example, if the capability is enabled or disabled. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your AWS account. For more information, see EKS Auto Mode compute capability in the *Amazon EKS User Guide* .", "EncryptionConfig": "The encryption configuration for the cluster.", + "Force": "Set this value to `true` to override upgrade-blocking readiness checks when updating a cluster.", "KubernetesNetworkConfig": "The Kubernetes network configuration for the cluster.", "Logging": "The logging configuration for your cluster.", "Name": "The unique name to give to your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the AWS Region and AWS account that you're creating the cluster in. Note that underscores can't be used in AWS CloudFormation .", 
@@ -19033,7 +19047,7 @@ }, "AWS::GameLift::Build": { "Name": "A descriptive label that is associated with a build. Build names do not need to be unique.", - "OperatingSystem": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/https://aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", + "OperatingSystem": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. 
See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", "ServerSdkVersion": "A server SDK version you used when integrating your game server build with Amazon GameLift Servers. For more information see [Integrate games with custom game servers](https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html) . By default Amazon GameLift Servers sets this value to `4.0.2` .", "StorageLocation": "Information indicating where your game build files are stored. Use this parameter only when creating a build with files stored in an Amazon S3 bucket that you own. The storage location must specify an Amazon S3 bucket name and key. The location must also specify a role ARN that you set up to allow Amazon GameLift Servers to access your Amazon S3 bucket. The S3 bucket and your new build must be in the same Region.\n\nIf a `StorageLocation` is specified, the size of your file can be found in your Amazon S3 bucket. Amazon GameLift Servers will report a `SizeOnDisk` of 0.", "Version": "Version information that is associated with this build. Version strings do not need to be unique." 
@@ -19041,7 +19055,7 @@ "AWS::GameLift::Build StorageLocation": { "Bucket": "An Amazon S3 bucket identifier. The name of the S3 bucket.\n\n> Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).", "Key": "The name of the zip file that contains the build files or script files.", - "ObjectVersion": "A version of a stored file to retrieve, if the object versioning feature is turned on for the S3 bucket. Use this parameter to specify a specific version. If this parameter isn't set, Amazon GameLift retrieves the latest version of the file.", + "ObjectVersion": "A version of a stored file to retrieve, if the object versioning feature is turned on for the S3 bucket. Use this parameter to specify a specific version. If this parameter isn't set, Amazon GameLift Servers retrieves the latest version of the file.", "RoleArn": "The ARNfor an IAM role that allows Amazon GameLift to access the S3 bucket." }, "AWS::GameLift::ContainerFleet": { 
@@ -19121,7 +19135,7 @@ "ContainerGroupType": "The type of container group. Container group type determines how Amazon GameLift Servers deploys the container group on each fleet instance.", "GameServerContainerDefinition": "The definition for the game server container in this group. This property is used only when the container group type is `GAME_SERVER` . This container definition specifies a container image with the game server build.", "Name": "A descriptive identifier for the container group definition. The name value is unique in an AWS Region.", - "OperatingSystem": "The platform that all containers in the container group definition run on.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/https://aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", + "OperatingSystem": "The platform that all containers in the container group definition run on.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", "SourceVersionNumber": "", "SupportContainerDefinitions": "The set of definitions for support containers in this group. A container group definition might have zero support container definitions. 
Support container can be used in any type of container group.", "Tags": "", 
@@ -19208,7 +19222,7 @@ "ResourceCreationLimitPolicy": "A policy that limits the number of game sessions that an individual player can create on instances in this fleet within a specified span of time.", "RuntimeConfiguration": "Instructions for how to launch and maintain server processes on instances in the fleet. The runtime configuration defines one or more server process configurations, each identifying a build executable or Realtime script file and the number of processes of that type to run concurrently.\n\n> The `RuntimeConfiguration` parameter is required unless the fleet is being configured using the older parameters `ServerLaunchPath` and `ServerLaunchParameters` , which are still supported for backward compatibility.", "ScalingPolicies": "Rule that controls how a fleet is scaled. Scaling policies are uniquely identified by the combination of name and fleet ID.", - "ScriptId": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually." + "ScriptId": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift Servers prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . 
Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually." }, "AWS::GameLift::Fleet AnywhereConfiguration": { "Cost": "The cost to run your fleet per hour. Amazon GameLift Servers uses the provided cost of your fleet to balance usage in queues. For more information about queues, see [Setting up queues](https://docs.aws.amazon.com/gamelift/latest/developerguide/queues-intro.html) in the *Amazon GameLift Servers Developer Guide* ." 
@@ -20982,7 +20996,7 @@ }, "AWS::IAM::OIDCProvider Tag": { "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", - "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values." }, "AWS::IAM::Policy": { "Groups": "The name of the group to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", 
@@ -21008,7 +21022,7 @@ }, "AWS::IAM::Role Tag": { "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", - "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values." }, "AWS::IAM::RolePolicy": { "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. 
AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", @@ -21030,7 +21044,7 @@ }, "AWS::IAM::SAMLProvider Tag": { "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", - "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values." }, "AWS::IAM::ServerCertificate": { "CertificateBody": "The contents of the public key certificate.", 
@@ -21042,7 +21056,7 @@ }, "AWS::IAM::ServerCertificate Tag": { "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", - "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values." }, "AWS::IAM::ServiceLinkedRole": { "AWSServiceName": "The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: `elasticbeanstalk.amazonaws.com` .\n\nService principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.", 
@@ -21069,7 +21083,7 @@ }, "AWS::IAM::User Tag": { "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", - "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values." }, "AWS::IAM::UserPolicy": { "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. 
AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", @@ -21088,7 +21102,7 @@ }, "AWS::IAM::VirtualMFADevice Tag": { "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", - "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values." }, "AWS::IVS::Channel": { "Authorized": "Whether the channel is authorized.\n\n*Default* : `false`", 
@@ -21275,7 +21289,7 @@ "AWS::IdentityStore::GroupMembership": { "GroupId": "The identifier for a group in the identity store.", "IdentityStoreId": "The globally unique identifier for the identity store.", - "MemberId": "An object containing the identifier of a group member. Setting `MemberId` 's `UserId` field to a specific User's ID indicates we should consider that User as a group member." + "MemberId": "An object containing the identifier of a group member. Setting the `MemberId` 's `UserId` field to a specific User's ID indicates that user is a member of the group." }, "AWS::IdentityStore::GroupMembership MemberId": { "UserId": "An object containing the identifiers of resources that can be members." @@ -23634,6 +23648,28 @@ "Key": "The key or name that identifies the tag.", "Value": "The value of the tag." }, + "AWS::IoTSiteWise::Dataset": { + "DatasetDescription": "", + "DatasetName": "", + "DatasetSource": "", + "Tags": "" + }, + "AWS::IoTSiteWise::Dataset DatasetSource": { + "SourceDetail": "", + "SourceFormat": "", + "SourceType": "" + }, + "AWS::IoTSiteWise::Dataset KendraSourceDetail": { + "KnowledgeBaseArn": "", + "RoleArn": "" + }, + "AWS::IoTSiteWise::Dataset SourceDetail": { + "Kendra": "" + }, + "AWS::IoTSiteWise::Dataset Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::Gateway": { "GatewayCapabilitySummaries": "A list of gateway capability summaries that each contain a namespace and status. Each gateway capability defines data sources for the gateway. To retrieve a capability configuration's definition, use [DescribeGatewayCapabilityConfiguration](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribeGatewayCapabilityConfiguration.html) .", "GatewayName": "A unique name for the gateway.", 
@@ -26016,6 +26052,24 @@ "EndTimeoutMs": "Time for which a bot waits after the customer stops speaking to assume the utterance is finished.", "MaxLengthMs": "Time for how long Amazon Lex waits before speech input is truncated and the speech is returned to application." }, + "AWS::Lex::Bot BKBExactResponseFields": { + "AnswerField": "" + }, + "AWS::Lex::Bot BedrockGuardrailConfiguration": { + "BedrockGuardrailIdentifier": "", + "BedrockGuardrailVersion": "" + }, + "AWS::Lex::Bot BedrockKnowledgeStoreConfiguration": { + "BKBExactResponseFields": "", + "BedrockKnowledgeBaseArn": "The base ARN of the knowledge base used.", + "ExactResponse": "Specifies whether to return an exact response, or to return an answer generated by the model, using the fields you specify from the database." + }, + "AWS::Lex::Bot BedrockModelSpecification": { + "BedrockGuardrailConfiguration": "", + "BedrockModelCustomPrompt": "", + "BedrockTraceStatus": "", + "ModelArn": "The ARN of the foundation model used in descriptive bot building." + }, "AWS::Lex::Bot BotAliasLocaleSettings": { "CodeHookSpecification": "Specifies the Lambda function that should be used in the locale.", "Enabled": "Determines whether the locale is enabled for the bot. If the value is `false` , the locale isn't available for use." 
@@ -26082,6 +26136,11 @@ "AWS::Lex::Bot DataPrivacy": { "ChildDirected": "For each Amazon Lex bot created with the Amazon Lex Model Building Service, you must specify whether your use of Amazon Lex is related to a website, program, or other application that is directed or targeted, in whole or in part, to children under age 13 and subject to the Children's Online Privacy Protection Act (COPPA) by specifying `true` or `false` in the `childDirected` field. By specifying `true` in the `childDirected` field, you confirm that your use of Amazon Lex *is* related to a website, program, or other application that is directed or targeted, in whole or in part, to children under age 13 and subject to COPPA. By specifying `false` in the `childDirected` field, you confirm that your use of Amazon Lex *is not* related to a website, program, or other application that is directed or targeted, in whole or in part, to children under age 13 and subject to COPPA. You may not specify a default value for the `childDirected` field that does not accurately reflect whether your use of Amazon Lex is related to a website, program, or other application that is directed or targeted, in whole or in part, to children under age 13 and subject to COPPA. If your use of Amazon Lex relates to a website, program, or other application that is directed in whole or in part, to children under age 13, you must obtain any required verifiable parental consent under COPPA. For information regarding the use of Amazon Lex in connection with websites, programs, or other applications that are directed or targeted, in whole or in part, to children under age 13, see the [Amazon Lex FAQ](https://docs.aws.amazon.com/lex/faqs#data-security) ." }, + "AWS::Lex::Bot DataSourceConfiguration": { + "BedrockKnowledgeStoreConfiguration": "Contains details about the configuration of the Amazon Bedrock knowledge base used for the `AMAZON.QnAIntent` . 
To set up a knowledge base, follow the steps at [Building a knowledge base](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base.html) .", + "KendraConfiguration": "Contains details about the configuration of the Amazon Kendra index used for the `AMAZON.QnAIntent` . To create a Amazon Kendra index, follow the steps at [Creating an index](https://docs.aws.amazon.com/kendra/latest/dg/create-index.html) .", + "OpensearchConfiguration": "Contains details about the configuration of the Amazon OpenSearch Service database used for the `AMAZON.QnAIntent` . To create a domain, follow the steps at [Creating and managing Amazon OpenSearch Service domains](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html) ." + }, "AWS::Lex::Bot DefaultConditionalBranch": { "NextStep": "The next step in the conversation.", "Response": "Specifies a list of message groups that Amazon Lex uses to respond the user input." @@ -26109,6 +26168,10 @@ "EnableCodeHookInvocation": "Indicates whether a Lambda function should be invoked for the dialog.", "InvocationLabel": "A label that indicates the dialog step from which the dialog code hook is happening." }, + "AWS::Lex::Bot ExactResponseFields": { + "AnswerField": "The name of the field that contains the answer to the query made to the OpenSearch Service database.", + "QuestionField": "The name of the field that contains the query made to the OpenSearch Service database." + }, "AWS::Lex::Bot ExternalSourceSetting": { "GrammarSlotTypeSetting": "Settings required for a slot type based on a grammar that you provide." }, 
@@ -26169,6 +26232,7 @@ "Name": "The name of the intent. Intent names must be unique within the locale that contains the intent and can't match the name of any built-in intent.", "OutputContexts": "A list of contexts that the intent activates when it is fulfilled.", "ParentIntentSignature": "A unique identifier for the built-in intent to base this intent on.", + "QnAIntentConfiguration": "", "SampleUtterances": "A list of utterances that a user might say to signal the intent.", "SlotPriorities": "Indicates the priority for slots. Amazon Lex prompts the user for slot values in priority order.", "Slots": "A list of slots that the intent requires for fulfillment." @@ -26223,6 +26287,13 @@ "AWS::Lex::Bot ObfuscationSetting": { "ObfuscationSettingType": "Value that determines whether Amazon Lex obscures slot values in conversation logs. The default is to obscure the values." }, + "AWS::Lex::Bot OpensearchConfiguration": { + "DomainEndpoint": "The endpoint of the Amazon OpenSearch Service domain.", + "ExactResponse": "Specifies whether to return an exact response or to return an answer generated by the model using the fields you specify from the database.", + "ExactResponseFields": "Contains the names of the fields used for an exact response to the user.", + "IncludeFields": "Contains a list of fields from the Amazon OpenSearch Service that the model can use to generate the answer to the query.", + "IndexName": "The name of the Amazon OpenSearch Service index." + }, "AWS::Lex::Bot OutputContext": { "Name": "The name of the output context.", "TimeToLiveInSeconds": "The amount of time, in seconds, that the output context should remain active. The time is figured from the first time the context is sent to the user.", 
@@ -26266,6 +26337,16 @@ "MessageSelectionStrategy": "Indicates how a message is selected from a message group among retries.", "PromptAttemptsSpecification": "Specifies the advanced settings on each attempt of the prompt." }, + "AWS::Lex::Bot QnAIntentConfiguration": { + "BedrockModelConfiguration": "", + "DataSourceConfiguration": "Contains details about the configuration of the data source used for the `AMAZON.QnAIntent` ." + }, + "AWS::Lex::Bot QnAKendraConfiguration": { + "ExactResponse": "Specifies whether to return an exact response from the Amazon Kendra index or to let the Amazon Bedrock model you select generate a response based on the results. To use this feature, you must first add FAQ questions to your index by following the steps at [Adding frequently asked questions (FAQs) to an index](https://docs.aws.amazon.com/kendra/latest/dg/in-creating-faq.html) .", + "KendraIndex": "The ARN of the Amazon Kendra index to use.", + "QueryFilterString": "Contains the Amazon Kendra filter string to use if enabled. For more information on the Amazon Kendra search filter JSON format, see [Using document attributes to filter search results](https://docs.aws.amazon.com/kendra/latest/dg/filtering.html#search-filtering) .", + "QueryFilterStringEnabled": "Specifies whether to enable an Amazon Kendra filter string or not." + }, "AWS::Lex::Bot Replication": { "ReplicaRegions": "" }, 
@@ -27619,10 +27700,10 @@ }, "AWS::MWAA::Environment": { "AirflowConfigurationOptions": "A list of key-value pairs containing the Airflow configuration options for your environment. For example, `core.default_timezone: utc` . To learn more, see [Apache Airflow configuration options](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-env-variables.html) .", - "AirflowVersion": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `1.10.12` | `2.0.2` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` | `2.7.2` | `2.8.1` | `2.9.2` (latest)", + "AirflowVersion": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `1.10.12` | `2.0.2` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` | `2.7.2` | `2.8.1` | `2.9.2` | `2.10.1` (latest)", "DagS3Path": "The relative path to the DAGs folder on your Amazon S3 bucket. For example, `dags` . To learn more, see [Adding or updating DAGs](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-dag-folder.html) .", "EndpointManagement": "Defines whether the VPC endpoints configured for the environment are created, and managed, by the customer or by Amazon MWAA. If set to `SERVICE` , Amazon MWAA will create and manage the required VPC endpoints in your VPC. If set to `CUSTOMER` , you must create, and manage, the VPC endpoints in your VPC.", - "EnvironmentClass": "The environment class type. Valid values: `mw1.small` , `mw1.medium` , `mw1.large` . 
To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", + "EnvironmentClass": "The environment class type. Valid values: `mw1.micro` , `mw1.small` , `mw1.medium` , `mw1.large` , `mw1.1large` , and `mw1.2large` . To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role in IAM that allows MWAA to access AWS resources in your environment. For example, `arn:aws:iam::123456789:role/my-execution-role` . To learn more, see [Amazon MWAA Execution role](https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html) .", "KmsKey": "The AWS Key Management Service (KMS) key to encrypt and decrypt the data in your environment. You can use an AWS KMS key managed by MWAA, or a customer-managed KMS key (advanced).", "LoggingConfiguration": "The Apache Airflow logs being sent to CloudWatch Logs: `DagProcessingLogs` , `SchedulerLogs` , `TaskLogs` , `WebserverLogs` , `WorkerLogs` .", 
@@ -27636,7 +27717,7 @@ "PluginsS3Path": "The relative path to the `plugins.zip` file on your Amazon S3 bucket. For example, `plugins.zip` . To learn more, see [Installing custom plugins](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-dag-import-plugins.html) .", "RequirementsS3ObjectVersion": "The version of the requirements.txt file on your Amazon S3 bucket. To learn more, see [Installing Python dependencies](https://docs.aws.amazon.com/mwaa/latest/userguide/working-dags-dependencies.html) .", "RequirementsS3Path": "The relative path to the `requirements.txt` file on your Amazon S3 bucket. For example, `requirements.txt` . To learn more, see [Installing Python dependencies](https://docs.aws.amazon.com/mwaa/latest/userguide/working-dags-dependencies.html) .", - "Schedulers": "The number of schedulers that you want to run in your environment. Valid values:\n\n- *v2* - Accepts between 2 to 5. Defaults to 2.\n- *v1* - Accepts 1.", + "Schedulers": "The number of schedulers that you want to run in your environment. Valid values:\n\n- *v2* - For environments larger than mw1.micro, accepts values from 2 to 5. Defaults to 2 for all environment sizes except mw1.micro, which defaults to 1.\n- *v1* - Accepts 1.", "SourceBucketArn": "The Amazon Resource Name (ARN) of the Amazon S3 bucket where your DAG code and supporting files are stored. For example, `arn:aws:s3:::my-airflow-bucket-unique-name` . To learn more, see [Create an Amazon S3 bucket for Amazon MWAA](https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-s3-bucket.html) .", "StartupScriptS3ObjectVersion": "The version of the startup shell script in your Amazon S3 bucket. You must specify the [version ID](https://docs.aws.amazon.com/AmazonS3/latest/userguide/versioning-workflows.html) that Amazon S3 assigns to the file every time you update the script.\n\nVersion IDs are Unicode, UTF-8 encoded, URL-ready, opaque strings that are no more than 1,024 bytes long. 
The following is an example:\n\n`3sL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo`\n\nFor more information, see [Using a startup script](https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html) .", "StartupScriptS3Path": "The relative path to the startup shell script in your Amazon S3 bucket. For example, `s3://mwaa-environment/startup.sh` .\n\nAmazon MWAA runs the script as your environment starts, and before running the Apache Airflow process. You can use this script to install dependencies, modify Apache Airflow configuration options, and set environment variables. For more information, see [Using a startup script](https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html) .", @@ -27777,8 +27858,8 @@ "InstanceType": "The Amazon Managed Blockchain instance type for the node." }, "AWS::MediaConnect::Bridge": { - "EgressGatewayBridge": "Create a bridge with the egress bridge type. An egress bridge is a cloud-to-ground bridge. The content comes from an existing MediaConnect flow and is delivered to your premises.", - "IngressGatewayBridge": "Create a bridge with the ingress bridge type. An ingress bridge is a ground-to-cloud bridge. The content originates at your premises and is delivered to the cloud.", + "EgressGatewayBridge": "An egress bridge is a cloud-to-ground bridge. The content comes from an existing MediaConnect flow and is delivered to your premises.", + "IngressGatewayBridge": "An ingress bridge is a ground-to-cloud bridge. The content originates at your premises and is delivered to the cloud.", "Name": "The name of the bridge. This name can not be modified after the bridge is created.", "Outputs": "The outputs that you want to add to this bridge.", "PlacementArn": "The bridge placement Amazon Resource Number (ARN).", 
@@ -27791,20 +27872,20 @@ "Name": "The name of the flow source." }, "AWS::MediaConnect::Bridge BridgeNetworkOutput": { - "IpAddress": "The network output IP Address.", + "IpAddress": "The network output IP address.", "Name": "The network output name.", "NetworkName": "The network output's gateway network name.", - "Port": "The network output port.", - "Protocol": "The network output protocol.", + "Port": "The network output's port.", + "Protocol": "The network output protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "Ttl": "The network output TTL." }, "AWS::MediaConnect::Bridge BridgeNetworkSource": { "MulticastIp": "The network source multicast IP.", "MulticastSourceSettings": "The settings related to the multicast source.", - "Name": "The name of the network source. This name is used to reference the source and must be unique among sources in this bridge.", + "Name": "The name of the network source.", "NetworkName": "The network source's gateway network name.", "Port": "The network source port.", - "Protocol": "The network source protocol." + "Protocol": "The network source protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only." }, "AWS::MediaConnect::Bridge BridgeOutput": { "NetworkOutput": "The output of the bridge. A network output is delivered to your premises." 
@@ -27818,7 +27899,7 @@ }, "AWS::MediaConnect::Bridge FailoverConfig": { "FailoverMode": "The type of failover you choose for this flow. MERGE combines the source streams into a single stream, allowing graceful recovery from any single-source loss. FAILOVER allows switching between different streams.", - "SourcePriority": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams. This setting only applies when Failover Mode is set to FAILOVER.", + "SourcePriority": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams.", "State": "The state of source failover on the flow. If the state is inactive, the flow can have only one source. If the state is active, the flow can have one or two sources." }, "AWS::MediaConnect::Bridge IngressGatewayBridge": { 
@@ -27832,25 +27913,25 @@ "PrimarySource": "The name of the source you choose as the primary source for this flow." }, "AWS::MediaConnect::Bridge VpcInterfaceAttachment": { - "VpcInterfaceName": "The name of the VPC interface that you want to send your output to." + "VpcInterfaceName": "The name of the VPC interface to use for this resource." }, "AWS::MediaConnect::BridgeOutput": { - "BridgeArn": "The ARN of the bridge that you want to describe.", + "BridgeArn": "The Amazon Resource Name (ARN) of the bridge that you want to update.", "Name": "The network output name. This name is used to reference the output and must be unique among outputs in this bridge.", - "NetworkOutput": "Add a network output to an existing bridge." + "NetworkOutput": "The network output of the bridge. A network output is delivered to your premises." }, "AWS::MediaConnect::BridgeOutput BridgeNetworkOutput": { - "IpAddress": "The network output IP Address.", + "IpAddress": "The network output IP address.", "NetworkName": "The network output's gateway network name.", - "Port": "The network output port.", - "Protocol": "The network output protocol.", + "Port": "The network output's port.", + "Protocol": "The network output protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "Ttl": "The network output TTL." }, "AWS::MediaConnect::BridgeSource": { - "BridgeArn": "The ARN of the bridge that you want to describe.", - "FlowSource": "Add a flow source to an existing bridge.", + "BridgeArn": "The ARN of the bridge feeding this flow.", + "FlowSource": "The source of the flow.", "Name": "The name of the flow source. This name is used to reference the source and must be unique among sources in this bridge.", - "NetworkSource": "Add a network source to an existing bridge." + "NetworkSource": "The source of the network." 
}, "AWS::MediaConnect::BridgeSource BridgeFlowSource": { "FlowArn": "The ARN of the cloud flow used as a source of this bridge.", 
@@ -27861,29 +27942,31 @@ "MulticastSourceSettings": "The settings related to the multicast source.", "NetworkName": "The network source's gateway network name.", "Port": "The network source port.", - "Protocol": "The network source protocol." + "Protocol": "The network source protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only." }, "AWS::MediaConnect::BridgeSource MulticastSourceSettings": { - "MulticastSourceIp": "" + "MulticastSourceIp": "The IP address of the source for source-specific multicast (SSM)." }, "AWS::MediaConnect::BridgeSource VpcInterfaceAttachment": { - "VpcInterfaceName": "The name of the VPC interface that you want to send your output to." + "VpcInterfaceName": "The name of the VPC interface to use for this resource." }, "AWS::MediaConnect::Flow": { "AvailabilityZone": "The Availability Zone that you want to create the flow in. These options are limited to the Availability Zones within the current AWS Region.", + "FlowSize": "Determines the processing capacity and feature set of the flow. Set this optional parameter to LARGE if you want to enable NDI outputs on the flow.", "Maintenance": "The maintenance settings you want to use for the flow.", - "MediaStreams": "The media streams associated with the flow. You can associate any of these media streams with sources and outputs on the flow.", + "MediaStreams": "The media streams that are associated with the flow. After you associate a media stream with a source, you can also associate it with outputs on the flow.", "Name": "The name of the flow.", + "NdiConfig": "Specifies the configuration settings for NDI outputs. 
Required when the flow includes NDI outputs.", "Source": "The settings for the source that you want to use for the new flow.", "SourceFailoverConfig": "The settings for source failover.", "SourceMonitoringConfig": "The settings for source monitoring.", - "VpcInterfaces": "The VPC interfaces that you added to this flow." + "VpcInterfaces": "The VPC Interfaces for this flow." }, "AWS::MediaConnect::Flow AudioMonitoringSetting": { "SilentAudio": "Detects periods of silence." }, "AWS::MediaConnect::Flow BlackFrames": { - "State": "Indicates whether the `BlackFrames` metric is enabled or disabled.", + "State": "Indicates whether the `BlackFrames` metric is enabled or disabled..", "ThresholdSeconds": "Specifies the number of consecutive seconds of black frames that triggers an event or alert." }, "AWS::MediaConnect::Flow Encryption": { 
@@ -27893,14 +27976,14 @@ "KeyType": "The type of key that is used for the encryption. If you don't specify a `keyType` value, the service uses the default setting ( `static-key` ). Valid key types are: `static-key` , `speke` , and `srt-password` .", "Region": "The AWS Region that the API Gateway proxy endpoint was created in. This parameter is required for SPEKE encryption and is not valid for static key encryption.", "ResourceId": "An identifier for the content. The service sends this value to the key server to identify the current endpoint. The resource ID is also known as the content ID. This parameter is required for SPEKE encryption and is not valid for static key encryption.", - "RoleArn": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", - "SecretArn": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "RoleArn": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "SecretArn": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "Url": "The URL from the API Gateway proxy that you set up to talk to your key server. This parameter is required for SPEKE encryption and is not valid for static key encryption." }, "AWS::MediaConnect::Flow FailoverConfig": { "FailoverMode": "The type of failover you choose for this flow. MERGE combines the source streams into a single stream, allowing graceful recovery from any single-source loss. FAILOVER allows switching between different streams. The string for this property must be entered as MERGE or FAILOVER. No other string entry is valid.", - "RecoveryWindow": "The size of the buffer (delay) that the service maintains. A larger buffer means a longer delay in transmitting the stream, but more room for error correction. 
A smaller buffer means a shorter delay, but less room for error correction. You can choose a value from 100-500 ms. If you keep this field blank, the service uses the default value of 200 ms. This setting only applies when Failover Mode is set to MERGE.", - "SourcePriority": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams. This setting only applies when Failover Mode is set to FAILOVER.", + "RecoveryWindow": "Search window time to look for dash-7 packets.", + "SourcePriority": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams.", "State": "The state of source failover on the flow. If the state is inactive, the flow can have only one source. If the state is active, the flow can have one or two sources." }, "AWS::MediaConnect::Flow Fmtp": { @@ -27925,7 +28008,7 @@ "Interface": "The VPC interface where the media stream comes in from." }, "AWS::MediaConnect::Flow Interface": { - "Name": "The name of the VPC interface that you want to use for the media stream associated with the output." + "Name": "The name of the VPC interface." }, "AWS::MediaConnect::Flow Maintenance": { "MaintenanceDay": "A day of a week when the maintenance will happen. Use Monday/Tuesday/Wednesday/Thursday/Friday/Saturday/Sunday.", 
@@ -27933,7 +28016,7 @@ }, "AWS::MediaConnect::Flow MediaStream": { "Attributes": "Attributes that are related to the media stream.", - "ClockRate": "The sample rate for the stream. This value in measured in kHz.", + "ClockRate": "The sample rate for the stream. This value is measured in Hz.", "Description": "A description that can help you quickly identify what your media stream is used for.", "Fmt": "The format type number (sometimes referred to as RTP payload type) of the media stream. MediaConnect assigns this value to the media stream. For ST 2110 JPEG XS outputs, you need to provide this value to the receiver.", "MediaStreamId": "A unique identifier for the media stream.", 
@@ -27942,29 +28025,39 @@ "VideoFormat": "The resolution of the video." }, "AWS::MediaConnect::Flow MediaStreamAttributes": { - "Fmtp": "A set of parameters that define the media stream.", + "Fmtp": "The settings that you want to use to define the media stream.", "Lang": "The audio language, in a format that is recognized by the receiver." }, "AWS::MediaConnect::Flow MediaStreamSourceConfiguration": { - "EncodingName": "The format that was used to encode the data.\n\nFor ancillary data streams, set the encoding name to `smpte291` .\n\nFor audio streams, set the encoding name to `pcm` .\n\nFor video, 2110 streams, set the encoding name to `raw` .\n\nFor video, JPEG XS streams, set the encoding name to `jxsv` .", + "EncodingName": "The format that was used to encode the data. For ancillary data streams, set the encoding name to smpte291. For audio streams, set the encoding name to pcm. For video, 2110 streams, set the encoding name to raw. For video, JPEG XS streams, set the encoding name to jxsv.", "InputConfigurations": "The media streams that you want to associate with the source.", "MediaStreamName": "A name that helps you distinguish one media stream from another." }, + "AWS::MediaConnect::Flow NdiConfig": { + "MachineName": "A prefix for the names of the NDI sources that the flow creates. If a custom name isn't specified, MediaConnect generates a unique 12-character ID as the prefix.", + "NdiDiscoveryServers": "A list of up to three NDI discovery server configurations. While not required by the API, this configuration is necessary for NDI functionality to work properly.", + "NdiState": "A setting that controls whether NDI outputs can be used in the flow. Must be ENABLED to add NDI outputs. Default is DISABLED." + }, + "AWS::MediaConnect::Flow NdiDiscoveryServerConfig": { + "DiscoveryServerAddress": "The unique network address of the NDI discovery server.", + "DiscoveryServerPort": "The port for the NDI discovery server. 
Defaults to 5959 if a custom port isn't specified.", + "VpcInterfaceAdapter": "The identifier for the Virtual Private Cloud (VPC) network interface used by the flow." + }, "AWS::MediaConnect::Flow SilentAudio": { "State": "Indicates whether the `SilentAudio` metric is enabled or disabled.", "ThresholdSeconds": "Specifies the number of consecutive seconds of silence that triggers an event or alert." }, "AWS::MediaConnect::Flow Source": { - "Decryption": "The type of encryption that is used on the content ingested from the source.", - "Description": "A description of the source. This description is not visible outside of the current AWS account.", - "EntitlementArn": "The ARN of the entitlement that allows you to subscribe to content that comes from another AWS account. The entitlement is set by the content originator and the ARN is generated as part of the originator\u2019s flow.", + "Decryption": "The type of encryption that is used on the content ingested from this source.", + "Description": "A description for the source. This value is not used or seen outside of the current MediaConnect account.", + "EntitlementArn": "The ARN of the entitlement that allows you to subscribe to content that comes from another AWS account. The entitlement is set by the content originator and the ARN is generated as part of the originator's flow.", "GatewayBridgeSource": "The source configuration for cloud flows receiving a stream from a bridge.", - "IngestIp": "The IP address that the flow listens on for incoming content.", - "IngestPort": "The port that the flow listens on for incoming content. 
If the protocol of the source is Zixi, the port must be set to 2088.", + "IngestIp": "The IP address that the flow will be listening on for incoming content.", + "IngestPort": "The port that the flow will be listening on for incoming content.", "MaxBitrate": "The maximum bitrate for RIST, RTP, and RTP-FEC streams.", "MaxLatency": "The maximum latency in milliseconds for a RIST or Zixi-based source.", "MaxSyncBuffer": "The size of the buffer (in milliseconds) to use to sync incoming source data.", - "MediaStreamSourceConfigurations": "The media stream that is associated with the source, and the parameters for that association.", + "MediaStreamSourceConfigurations": "The media streams that are associated with the source, and the parameters for those associations.", "MinLatency": "The minimum latency in milliseconds for SRT-based streams. In streams that use the SRT protocol, this value that you set on your MediaConnect source or output represents the minimal potential latency of that connection. The latency of the stream is set to the highest number between the sender\u2019s minimum latency and the receiver\u2019s minimum latency.", "Name": "The name of the source.", "Protocol": "The protocol that is used by the source. AWS CloudFormation does not currently support CDI or ST 2110 JPEG XS source protocols.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", 
@@ -27975,8 +28068,8 @@ "SourceListenerAddress": "Source IP or domain name for SRT-caller protocol.", "SourceListenerPort": "Source port for SRT-caller protocol.", "StreamId": "The stream ID that you want to use for the transport. This parameter applies only to Zixi-based streams.", - "VpcInterfaceName": "The name of the VPC interface that the source content comes from.", - "WhitelistCidr": "The range of IP addresses that are allowed to contribute content to your source. Format the IP addresses as a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16." + "VpcInterfaceName": "The name of the VPC interface that is used for this source.", + "WhitelistCidr": "The range of IP addresses that should be allowed to contribute content to your source. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16." }, "AWS::MediaConnect::Flow SourceMonitoringConfig": { "AudioMonitoringSettings": "Contains the settings for audio stream metrics monitoring.", 
@@ -27992,20 +28085,20 @@ "FrozenFrames": "Detects video frames that have not changed." }, "AWS::MediaConnect::Flow VpcInterface": { - "Name": "The name for the VPC interface. This name must be unique within the flow.", - "NetworkInterfaceIds": "The IDs of the network interfaces that MediaConnect created in your account.", + "Name": "Immutable and has to be a unique against other VpcInterfaces in this Flow.", + "NetworkInterfaceIds": "IDs of the network interfaces created in customer's account by MediaConnect .", "NetworkInterfaceType": "The type of network interface.", - "RoleArn": "The ARN of the IAM role that you created when you set up MediaConnect as a trusted service.", - "SecurityGroupIds": "A virtual firewall to control inbound and outbound traffic.", - "SubnetId": "The subnet IDs that you specified for your VPC interface.\n\nA subnet ID is a range of IP addresses in your VPC. When you create your VPC, you specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. When you create a subnet for your VPC, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.\n\nThe subnets that you use across all VPC interfaces on the flow must be in the same Availability Zone as the flow." + "RoleArn": "A role Arn MediaConnect can assume to create ENIs in your account.", + "SecurityGroupIds": "Security Group IDs to be used on ENI.", + "SubnetId": "Subnet must be in the AZ of the Flow." }, "AWS::MediaConnect::Flow VpcInterfaceAttachment": { - "VpcInterfaceName": "The name of the VPC interface that you want to send your output to." + "VpcInterfaceName": "The name of the VPC interface to use for this resource." 
}, "AWS::MediaConnect::FlowEntitlement": { "DataTransferSubscriberFeePercent": "The percentage of the entitlement data transfer fee that you want the subscriber to be responsible for.", "Description": "A description of the entitlement. This description appears only on the MediaConnect console and is not visible outside of the current AWS account.", - "Encryption": "The type of encryption that MediaConnect will use on the output that is associated with the entitlement.", + "Encryption": "Information about the encryption of the flow.", "EntitlementStatus": "An indication of whether the new entitlement should be enabled or disabled as soon as it is created. If you don\u2019t specify the entitlementStatus field in your request, MediaConnect sets it to ENABLED.", "FlowArn": "The Amazon Resource Name (ARN) of the flow.", "Name": "The name of the entitlement. This value must be unique within the current flow.", 
@@ -28018,63 +28111,65 @@ "KeyType": "The type of key that is used for the encryption. If you don't specify a `keyType` value, the service uses the default setting ( `static-key` ). Valid key types are: `static-key` , `speke` , and `srt-password` .", "Region": "The AWS Region that the API Gateway proxy endpoint was created in. This parameter is required for SPEKE encryption and is not valid for static key encryption.", "ResourceId": "An identifier for the content. The service sends this value to the key server to identify the current endpoint. The resource ID is also known as the content ID. This parameter is required for SPEKE encryption and is not valid for static key encryption.", - "RoleArn": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", - "SecretArn": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "RoleArn": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "SecretArn": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "Url": "The URL from the API Gateway proxy that you set up to talk to your key server. This parameter is required for SPEKE encryption and is not valid for static key encryption." }, "AWS::MediaConnect::FlowOutput": { - "CidrAllowList": "The range of IP addresses that are allowed to initiate output requests to this flow. Format the IP addresses as a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", - "Description": "A description of the output. This description is not visible outside of the current AWS account even if the account grants entitlements to other accounts.", + "CidrAllowList": "The range of IP addresses that should be allowed to initiate output requests to this flow. 
These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", + "Description": "A description of the output. This description appears only on the MediaConnect console and will not be seen by the end user.", "Destination": "The IP address where you want to send the output.", - "Encryption": "The encryption credentials that you want to use for the output.", + "Encryption": "The type of key used for the encryption. If no `keyType` is provided, the service will use the default setting (static-key). Allowable encryption types: static-key.", "FlowArn": "The Amazon Resource Name (ARN) of the flow this output is attached to.", "MaxLatency": "The maximum latency in milliseconds. This parameter applies only to RIST-based and Zixi-based streams.", - "MediaStreamOutputConfigurations": "The definition for each media stream that is associated with the output.", + "MediaStreamOutputConfigurations": "The media streams that are associated with the output, and the parameters for those associations.", "MinLatency": "The minimum latency in milliseconds for SRT-based streams. In streams that use the SRT protocol, this value that you set on your MediaConnect source or output represents the minimal potential latency of that connection. The latency of the stream is set to the highest number between the sender\u2019s minimum latency and the receiver\u2019s minimum latency.", - "Name": "The name of the output. This value must be unique within the current flow.", - "OutputStatus": "An indication of whether the new output should be enabled or disabled as soon as it is created. If you don't specify the outputStatus field in your request, MediaConnect sets it to ENABLED.", - "Port": "The port to use when MediaConnect distributes content to the output.", + "Name": "The name of the bridge's output.", + "NdiProgramName": "A suffix for the names of the NDI sources that the flow creates. 
If a custom name isn't specified, MediaConnect uses the output name.", + "NdiSpeedHqQuality": "A quality setting for the NDI Speed HQ encoder.", + "OutputStatus": "", + "Port": "The port to use when content is distributed to this output.", "Protocol": "The protocol to use for the output.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", - "RemoteId": "The identifier that is assigned to the Zixi receiver. This parameter applies only to outputs that use Zixi pull.", + "RemoteId": "The remote ID for the Zixi-pull stream.", "SmoothingLatency": "The smoothing latency in milliseconds for RIST, RTP, and RTP-FEC streams.", "StreamId": "The stream ID that you want to use for this transport. This parameter applies only to Zixi and SRT caller-based streams.", - "VpcInterfaceAttachment": "The VPC interface that you want to send your output to." + "VpcInterfaceAttachment": "The name of the VPC interface attachment to use for this output." }, "AWS::MediaConnect::FlowOutput DestinationConfiguration": { - "DestinationIp": "The IP address where contents of the media stream will be sent.", - "DestinationPort": "The port to use when the content of the media stream is distributed to the output.", - "Interface": "The VPC interface that is used for the media stream associated with the output." + "DestinationIp": "The IP address where you want MediaConnect to send contents of the media stream.", + "DestinationPort": "The port that you want MediaConnect to use when it distributes the media stream to the output.", + "Interface": "The VPC interface that you want to use for the media stream associated with the output." }, "AWS::MediaConnect::FlowOutput EncodingParameters": { - "CompressionFactor": "A value that is used to calculate compression for an output. 
The bitrate of the output is calculated as follows:\n\nOutput bitrate = (1 / compressionFactor) * (source bitrate)\n\nThis property only applies to outputs that use the ST 2110 JPEG XS protocol, with a flow source that uses the CDI protocol. Valid values are in the range of 3.0 to 10.0, inclusive.", + "CompressionFactor": "A value that is used to calculate compression for an output. The bitrate of the output is calculated as follows: Output bitrate = (1 / compressionFactor) * (source bitrate) This property only applies to outputs that use the ST 2110 JPEG XS protocol, with a flow source that uses the CDI protocol. Valid values are floating point numbers in the range of 3.0 to 10.0, inclusive.", "EncoderProfile": "A setting on the encoder that drives compression settings. This property only applies to video media streams associated with outputs that use the ST 2110 JPEG XS protocol, with a flow source that uses the CDI protocol." }, "AWS::MediaConnect::FlowOutput Encryption": { "Algorithm": "The type of algorithm that is used for static key encryption (such as aes128, aes192, or aes256). If you are using SPEKE or SRT-password encryption, this property must be left blank.", "KeyType": "The type of key that is used for the encryption. If you don't specify a `keyType` value, the service uses the default setting ( `static-key` ). Valid key types are: `static-key` , `speke` , and `srt-password` .", - "RoleArn": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", - "SecretArn": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key." + "RoleArn": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "SecretArn": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption." 
}, "AWS::MediaConnect::FlowOutput Interface": { - "Name": "The name of the VPC interface that you want to use for the media stream associated with the output." + "Name": "The name of the VPC interface." }, "AWS::MediaConnect::FlowOutput MediaStreamOutputConfiguration": { - "DestinationConfigurations": "The media streams that you want to associate with the output.", - "EncodingName": "The format that will be used to encode the data.\n\nFor ancillary data streams, set the encoding name to `smpte291` .\n\nFor audio streams, set the encoding name to `pcm` .\n\nFor video streams on sources or outputs that use the CDI protocol, set the encoding name to `raw` .\n\nFor video streams on sources or outputs that use the ST 2110 JPEG XS protocol, set the encoding name to `jxsv` .", + "DestinationConfigurations": "The transport parameters that are associated with each outbound media stream.", + "EncodingName": "The format that was used to encode the data. For ancillary data streams, set the encoding name to smpte291. For audio streams, set the encoding name to pcm. For video, 2110 streams, set the encoding name to raw. For video, JPEG XS streams, set the encoding name to jxsv.", "EncodingParameters": "A collection of parameters that determine how MediaConnect will convert the content. These fields only apply to outputs on flows that have a CDI source.", - "MediaStreamName": "A name that helps you distinguish one media stream from another." + "MediaStreamName": "The name of the media stream." }, "AWS::MediaConnect::FlowOutput VpcInterfaceAttachment": { - "VpcInterfaceName": "The name of the VPC interface that you want to send your output to." + "VpcInterfaceName": "The name of the VPC interface to use for this resource." }, "AWS::MediaConnect::FlowSource": { - "Decryption": "The type of encryption that is used on the content ingested from the source.", - "Description": "A description of the source. 
This description is not visible outside of the current AWS account.", - "EntitlementArn": "The ARN of the entitlement that allows you to subscribe to the flow. The entitlement is set by the content originator, and the ARN is generated as part of the originator's flow.", + "Decryption": "The type of encryption that is used on the content ingested from this source. Allowable encryption types: static-key.", + "Description": "A description for the source. This value is not used or seen outside of the current MediaConnect account.", + "EntitlementArn": "The ARN of the entitlement that allows you to subscribe to this flow. The entitlement is set by the flow originator, and the ARN is generated as part of the originator's flow.", "FlowArn": "The Amazon Resource Name (ARN) of the flow this source is connected to. The flow must have Failover enabled to add an additional source.", - "GatewayBridgeSource": "The source configuration for cloud flows receiving a stream from a bridge.", + "GatewayBridgeSource": "The bridge's source.", "IngestPort": "The port that the flow listens on for incoming content. If the protocol of the source is Zixi, the port must be set to 2088.", - "MaxBitrate": "The maximum bitrate for RIST, RTP, and RTP-FEC streams.", + "MaxBitrate": "The smoothing max bitrate (in bps) for RIST, RTP, and RTP-FEC streams.", "MaxLatency": "The maximum latency in milliseconds. This parameter applies only to RIST-based and Zixi-based streams.", "MinLatency": "The minimum latency in milliseconds for SRT-based streams. In streams that use the SRT protocol, this value that you set on your MediaConnect source or output represents the minimal potential latency of that connection. The latency of the stream is set to the highest number between the sender\u2019s minimum latency and the receiver\u2019s minimum latency.", "Name": "The name of the source.", 
@@ -28084,8 +28179,8 @@ "SourceListenerAddress": "Source IP or domain name for SRT-caller protocol.", "SourceListenerPort": "Source port for SRT-caller protocol.", "StreamId": "The stream ID that you want to use for this transport. This parameter applies only to Zixi and SRT caller-based streams.", - "VpcInterfaceName": "The name of the VPC interface that you want to send your output to.", - "WhitelistCidr": "The range of IP addresses that are allowed to contribute content to your source. Format the IP addresses as a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16." + "VpcInterfaceName": "The name of the VPC interface to use for this source.", + "WhitelistCidr": "The range of IP addresses that should be allowed to contribute content to your source. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16." }, "AWS::MediaConnect::FlowSource Encryption": { "Algorithm": "The type of algorithm that is used for static key encryption (such as aes128, aes192, or aes256). If you are using SPEKE or SRT-password encryption, this property must be left blank.", 
@@ -28094,8 +28189,8 @@ "KeyType": "The type of key that is used for the encryption. If you don't specify a `keyType` value, the service uses the default setting ( `static-key` ). Valid key types are: `static-key` , `speke` , and `srt-password` .", "Region": "The AWS Region that the API Gateway proxy endpoint was created in. This parameter is required for SPEKE encryption and is not valid for static key encryption.", "ResourceId": "An identifier for the content. The service sends this value to the key server to identify the current endpoint. The resource ID is also known as the content ID. This parameter is required for SPEKE encryption and is not valid for static key encryption.", - "RoleArn": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", - "SecretArn": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "RoleArn": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "SecretArn": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "Url": "The URL from the API Gateway proxy that you set up to talk to your key server. This parameter is required for SPEKE encryption and is not valid for static key encryption." }, "AWS::MediaConnect::FlowSource GatewayBridgeSource": { 
@@ -28103,19 +28198,19 @@ "VpcInterfaceAttachment": "The name of the VPC interface attachment to use for this bridge source." }, "AWS::MediaConnect::FlowSource VpcInterfaceAttachment": { - "VpcInterfaceName": "The name of the VPC interface that you want to send your output to." + "VpcInterfaceName": "The name of the VPC interface to use for this resource." }, "AWS::MediaConnect::FlowVpcInterface": { "FlowArn": "The Amazon Resource Name (ARN) of the flow.", - "Name": "The name of the VPC Interface. This value must be unique within the current flow.", + "Name": "The name for the VPC interface. This name must be unique within the flow.", "RoleArn": "The Amazon Resource Name (ARN) of the role that you created when you set up MediaConnect as a trusted service.", - "SecurityGroupIds": "The VPC security groups that you want MediaConnect to use for your VPC configuration. You must include at least one security group in the request.", - "SubnetId": "The subnet IDs that you want to use for your VPC interface.\n\nA range of IP addresses in your VPC. When you create your VPC, you specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. When you create a subnet for your VPC, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.\n\nThe subnets that you use across all VPC interfaces on the flow must be in the same Availability Zone as the flow." + "SecurityGroupIds": "A virtual firewall to control inbound and outbound traffic.", + "SubnetId": "The subnet IDs that you want to use for your VPC interface. A range of IP addresses in your VPC. When you create your VPC, you specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. 
When you create a subnet for your VPC, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. The subnets that you use across all VPC interfaces on the flow must be in the same Availability Zone as the flow." }, "AWS::MediaConnect::Gateway": { "EgressCidrBlocks": "The range of IP addresses that are allowed to contribute content or initiate output requests for flows communicating with this gateway. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", - "Name": "The name of the network. This name is used to reference the network and must be unique among networks in this gateway.", - "Networks": "The list of networks that you want to add." + "Name": "The name of the gateway. This name can not be modified after the gateway is created.", + "Networks": "The list of networks in the gateway." }, "AWS::MediaConnect::Gateway GatewayNetwork": { "CidrBlock": "A unique IP address range to use for this network. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", 
@@ -30348,6 +30443,7 @@ "AWS::NetworkFirewall::Firewall": { "DeleteProtection": "A flag indicating whether it is possible to delete the firewall. A setting of `TRUE` indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to `TRUE` .", "Description": "A description of the firewall.", + "EnabledAnalysisTypes": "An optional setting indicating the specific traffic analysis types to enable on the firewall.", "FirewallName": "The descriptive name of the firewall. You can't change the name of a firewall after you create it.", "FirewallPolicyArn": "The Amazon Resource Name (ARN) of the firewall policy.\n\nThe relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.", "FirewallPolicyChangeProtection": "A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to `TRUE` .", 
@@ -30986,7 +31082,7 @@ "Status": "The status of the `EventRule` .\n\n- Values:\n\n- `ACTIVE`\n\n- The `EventRule` can process events.\n- `INACTIVE`\n\n- The `EventRule` may be unable to process events.\n- `CREATING`\n\n- The `EventRule` is being created.\n\nOnly `GET` and `LIST` calls can be run.\n- `UPDATING`\n\n- The `EventRule` is being updated.\n\nOnly `GET` and `LIST` calls can be run.\n- `DELETING`\n\n- The `EventRule` is being deleted.\n\nOnly `GET` and `LIST` calls can be run." }, "AWS::Notifications::ManagedNotificationAccountContactAssociation": { - "ContactIdentifier": "The unique identifier of the notification contact associated with the AWS account. For more information about the contact types associated with an account, see the [AWS Account Management Reference Guide](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-alternate.html#manage-acct-update-contact-alternate-orgs) .", + "ContactIdentifier": "The unique identifier of the notification contact associated with the AWS account. For more information about the contact types associated with an account, see the [Account Management Reference Guide](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-alternate.html#manage-acct-update-contact-alternate-orgs) .", "ManagedNotificationConfigurationArn": "The ARN of the `ManagedNotificationConfiguration` to be associated with the `Channel` ." }, "AWS::Notifications::ManagedNotificationAdditionalChannelAssociation": { 
@@ -31132,9 +31228,13 @@ "Tags": "Tags for the group." }, "AWS::Omics::SequenceStore": { + "AccessLogLocation": "Location of the access logs.", "Description": "A description for the store.", + "ETagAlgorithmFamily": "The algorithm family of the ETag.", "FallbackLocation": "An S3 location that is used to store files that have failed a direct upload.", "Name": "A name for the store.", + "PropagatedSetLevelTags": "", + "S3AccessPolicy": "", "SseConfig": "Server-side encryption (SSE) settings for the store.", "Tags": "Tags for the store." }, 
@@ -31189,39 +31289,39 @@ "Value": "The value of the tag." }, "AWS::OpenSearchServerless::Index": { - "CollectionEndpoint": "", - "IndexName": "", - "Mappings": "", - "Settings": "" + "CollectionEndpoint": "The endpoint for the collection.", + "IndexName": "The name of the OpenSearch Serverless index.", + "Mappings": "Index mappings for the OpenSearch Serverless index.", + "Settings": "Index settings for the OpenSearch Serverless index." }, "AWS::OpenSearchServerless::Index Index": { - "Knn": "", - "KnnAlgoParamEfSearch": "", - "RefreshInterval": "" + "Knn": "Enable or disable k-nearest neighbor search capability.", + "KnnAlgoParamEfSearch": "The size of the dynamic list for the nearest neighbors.", + "RefreshInterval": "How often to perform a refresh operation. For example, 1s or 5s." }, "AWS::OpenSearchServerless::Index IndexSettings": { - "Index": "" + "Index": "Index settings." }, "AWS::OpenSearchServerless::Index Mappings": { - "Properties": "" + "Properties": "Nested fields within an object or nested field type." }, "AWS::OpenSearchServerless::Index Method": { - "Engine": "", - "Name": "", - "Parameters": "", - "SpaceType": "" + "Engine": "The k-NN search engine to use", + "Name": "The algorithm name for k-NN search.", + "Parameters": "Additional parameters for the k-NN algorithm.", + "SpaceType": "The distance function used for k-NN search." }, "AWS::OpenSearchServerless::Index Parameters": { - "EfConstruction": "", - "M": "" + "EfConstruction": "The size of the dynamic list used during k-NN graph creation.", + "M": "Number of neighbors to consider during k-NN search." 
}, "AWS::OpenSearchServerless::Index PropertyMapping": { - "Dimension": "", - "Index": "", - "Method": "", - "Properties": "", - "Type": "", - "Value": "" + "Dimension": "Dimension size for vector fields, defines the number of dimensions in the vector.", + "Index": "Whether a field should be indexed.", + "Method": "Configuration for k-NN search method.", + "Properties": "Defines the fields within the mapping, including their types and configurations.", + "Type": "The field data type. Must be a valid OpenSearch field type.", + "Value": "Default value for the field when not specified in a document." }, "AWS::OpenSearchServerless::LifecyclePolicy": { "Description": "The description of the lifecycle policy.", @@ -31743,7 +31843,7 @@ "VpcInformation": "Information of the VPC and security group(s) used with the connector." }, "AWS::PCAConnectorAD::Connector VpcInformation": { - "IpAddressType": "", + "IpAddressType": "The VPC IP address type.", "SecurityGroupIds": "The security groups used with the connector. You can use a maximum of 4 security groups with a connector." }, "AWS::PCAConnectorAD::DirectoryRegistration": { @@ -39440,7 +39540,8 @@ "PhysicalTableMap": "Declares the physical tables that are available in the underlying data sources.", "RowLevelPermissionDataSet": "The row-level security configuration for the data that you want to create.", "RowLevelPermissionTagConfiguration": "The element you can use to define tags for row-level security.", - "Tags": "Contains a map of the key-value pairs for the resource tag or tags assigned to the dataset." + "Tags": "Contains a map of the key-value pairs for the resource tag or tags assigned to the dataset.", + "UseAs": "The usage of the dataset." }, "AWS::QuickSight::DataSet CalculatedColumn": { "ColumnId": "A unique ID to identify a calculated column. During a dataset update, if the column ID of a calculated column matches that of an existing calculated column, Amazon QuickSight preserves the existing calculated column.", 
@@ -39477,6 +39578,7 @@ "SqlQuery": "The SQL query." }, "AWS::QuickSight::DataSet DataSetRefreshProperties": { + "FailureConfiguration": "The failure configuration for a dataset.", "RefreshConfiguration": "The refresh configuration for a dataset." }, "AWS::QuickSight::DataSet DataSetUsageConfiguration": { @@ -39598,6 +39700,12 @@ "AWS::QuickSight::DataSet RefreshConfiguration": { "IncrementalRefresh": "The incremental refresh for the dataset." }, + "AWS::QuickSight::DataSet RefreshFailureConfiguration": { + "EmailAlert": "The email alert configuration for a dataset refresh failure." + }, + "AWS::QuickSight::DataSet RefreshFailureEmailAlert": { + "AlertStatus": "The status value that determines if email alerts are sent." + }, "AWS::QuickSight::DataSet RelationalTable": { "Catalog": "The catalog associated with a table.", "DataSourceArn": "The Amazon Resource Name (ARN) for the data source.", 
@@ -39670,6 +39778,13 @@ "ColumnName": "The column that this operation acts on.", "TagNames": "The column tags to remove from this column." }, + "AWS::QuickSight::DataSet UploadSettings": { + "ContainsHeader": "Whether the file has a header row, or the files each have a header row.", + "Delimiter": "The delimiter between values in the file.", + "Format": "File format.", + "StartFromRow": "A row number to start reading data from.", + "TextQualifier": "Text qualifier." + }, "AWS::QuickSight::DataSource": { "AlternateDataSourceParameters": "A set of alternate data source parameters that you want to share for the credentials stored with this data source. The credentials are applied in tandem with the data source parameters when you copy a data source by using a create or update request. The API operation compares the `DataSourceParameters` structure that's in the request with the structures in the `AlternateDataSourceParameters` allow list. If the structures are an exact match, the request is allowed to use the credentials from this existing data source. If the `AlternateDataSourceParameters` list is null, the `Credentials` originally used with this `DataSourceParameters` are automatically allowed.", "AwsAccountId": "The AWS account ID.", 
@@ -43068,7 +43183,6 @@ "PreferredBackupWindow": "The daily time range during which automated backups are created. For more information, see [Backup Window](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.Backups.BackupWindow) in the *Amazon Aurora User Guide.*\n\nConstraints:\n\n- Must be in the format `hh24:mi-hh24:mi` .\n- Must be in Universal Coordinated Time (UTC).\n- Must not conflict with the preferred maintenance window.\n- Must be at least 30 minutes.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "PreferredMaintenanceWindow": "The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).\n\nFormat: `ddd:hh24:mi-ddd:hh24:mi`\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week. To see the time blocks available, see [Maintaining an Amazon Aurora DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow.Aurora) in the *Amazon Aurora User Guide.*\n\nValid Days: Mon, Tue, Wed, Thu, Fri, Sat, Sun.\n\nConstraints: Minimum 30-minute window.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "PubliclyAccessible": "Specifies whether the DB cluster is publicly accessible.\n\nWhen the DB cluster is publicly accessible and you connect from outside of the DB cluster's virtual private cloud (VPC), its Domain Name System (DNS) endpoint resolves to the public IP address. When you connect from within the same VPC as the DB cluster, the endpoint resolves to the private IP address. Access to the DB cluster is ultimately controlled by the security group it uses. 
That public access isn't permitted if the security group assigned to the DB cluster doesn't permit it.\n\nWhen the DB cluster isn't publicly accessible, it is an internal DB cluster with a DNS name that resolves to a private IP address.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nDefault: The default behavior varies depending on whether `DBSubnetGroupName` is specified.\n\nIf `DBSubnetGroupName` isn't specified, and `PubliclyAccessible` isn't specified, the following applies:\n\n- If the default VPC in the target Region doesn\u2019t have an internet gateway attached to it, the DB cluster is private.\n- If the default VPC in the target Region has an internet gateway attached to it, the DB cluster is public.\n\nIf `DBSubnetGroupName` is specified, and `PubliclyAccessible` isn't specified, the following applies:\n\n- If the subnets are part of a VPC that doesn\u2019t have an internet gateway attached to it, the DB cluster is private.\n- If the subnets are part of a VPC that has an internet gateway attached to it, the DB cluster is public.", - "ReadEndpoint": "This data type represents the information you need to connect to an Amazon RDS DB instance. 
This data type is used as a response element in the following actions:\n\n- `CreateDBInstance`\n- `DescribeDBInstances`\n- `DeleteDBInstance`\n\nFor the data structure that represents Amazon Aurora DB cluster endpoints, see `DBClusterEndpoint` .", "ReplicationSourceIdentifier": "The Amazon Resource Name (ARN) of the source DB instance or DB cluster if this DB cluster is created as a read replica.\n\nValid for: Aurora DB clusters only", "RestoreToTime": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nThis property must be used with `SourceDBClusterIdentifier` property. The resulting cluster will have the identifier that matches the value of the `DBclusterIdentifier` property.\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "RestoreType": "The type of restore to be performed. You can specify one of the following values:\n\n- `full-copy` - The new DB cluster is restored as a full copy of the source DB cluster.\n- `copy-on-write` - The new DB cluster is restored as a clone of the source DB cluster.\n\nIf you don't specify a `RestoreType` value, then the new DB cluster is restored as a full copy of the source DB cluster.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", 
@@ -43134,10 +43248,10 @@ "AutoMinorVersionUpgrade": "A value that indicates whether minor engine upgrades are applied automatically to the DB instance during the maintenance window. By default, minor engine upgrades are applied automatically.", "AutomaticBackupReplicationKmsKeyId": "The AWS KMS key identifier for encryption of the replicated automated backups. The KMS key ID is the Amazon Resource Name (ARN) for the KMS encryption key in the destination AWS Region , for example, `arn:aws:kms:us-east-1:123456789012:key/AKIAIOSFODNN7EXAMPLE` .", "AutomaticBackupReplicationRegion": "The AWS Region associated with the automated backup.", + "AutomaticBackupReplicationRetentionPeriod": "The retention period for automated backups in a different AWS Region. Use this parameter to set a unique retention period that only applies to cross-Region automated backups. To enable automated backups in a different Region, specify a positive value for the `AutomaticBackupReplicationRegion` parameter.\n\nIf not specified, this parameter defaults to the value of the `BackupRetentionPeriod` parameter. The maximum allowed value is 35.", "AvailabilityZone": "The Availability Zone (AZ) where the database will be created. For information on AWS Regions and Availability Zones, see [Regions and Availability Zones](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) .\n\nFor Amazon Aurora, each Aurora DB cluster hosts copies of its storage in three separate Availability Zones. Specify one of these Availability Zones. 
Aurora automatically chooses an appropriate Availability Zone if you don't specify one.\n\nDefault: A random, system-chosen Availability Zone in the endpoint's AWS Region .\n\nConstraints:\n\n- The `AvailabilityZone` parameter can't be specified if the DB instance is a Multi-AZ deployment.\n- The specified Availability Zone must be in the same AWS Region as the current endpoint.\n\nExample: `us-east-1d`", "BackupRetentionPeriod": "The number of days for which automated backups are retained. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups.\n\n*Amazon Aurora*\n\nNot applicable. The retention period for automated backups is managed by the DB cluster.\n\nDefault: 1\n\nConstraints:\n\n- Must be a value from 0 to 35\n- Can't be set to 0 if the DB instance is a source to read replicas", "CACertificateIdentifier": "The identifier of the CA certificate for this DB instance.\n\nFor more information, see [Using SSL/TLS to encrypt a connection to a DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) in the *Amazon RDS User Guide* and [Using SSL/TLS to encrypt a connection to a DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html) in the *Amazon Aurora User Guide* .", - "CertificateDetails": "The details of the DB instance's server certificate.", "CertificateRotationRestart": "Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate.\n\nBy default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted.\n\n> Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. 
\n\nIf you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate:\n\n- For more information about rotating your SSL/TLS certificate for RDS DB engines, see [Rotating Your SSL/TLS Certificate.](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon RDS User Guide.*\n- For more information about rotating your SSL/TLS certificate for Aurora DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon Aurora User Guide* .\n\nThis setting doesn't apply to RDS Custom DB instances.", "CharacterSetName": "For supported engines, indicates that the DB instance should be associated with the specified character set.\n\n*Amazon Aurora*\n\nNot applicable. The character set is managed by the DB cluster. For more information, see [AWS::RDS::DBCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html) .", "CopyTagsToSnapshot": "Specifies whether to copy tags from the DB instance to snapshots of the DB instance. By default, tags are not copied.\n\nThis setting doesn't apply to Amazon Aurora DB instances. Copying tags to snapshots is managed by the DB cluster. Setting this value for an Aurora DB instance has no effect on the DB cluster setting.", 
@@ -43164,7 +43278,6 @@ "EnableCloudwatchLogsExports": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*Db2*\n\nValid values: `diag.log` , `notify.log`\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace` , `oemagent`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", "EnableIAMDatabaseAuthentication": "A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled.\n\nThis property is supported for RDS for MariaDB, RDS for MySQL, and RDS for PostgreSQL. For more information, see [IAM Database Authentication for MariaDB, MySQL, and PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon RDS User Guide.*\n\n*Amazon Aurora*\n\nNot applicable. Mapping AWS IAM accounts to database accounts is managed by the DB cluster.", "EnablePerformanceInsights": "Specifies whether to enable Performance Insights for the DB instance. 
For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html) in the *Amazon RDS User Guide* .\n\nThis setting doesn't apply to RDS Custom DB instances.", - "Endpoint": "The connection endpoint for the DB instance.\n\n> The endpoint might not be shown for instances with the status of `creating` .", "Engine": "The name of the database engine to use for this DB instance. Not every database engine is available in every AWS Region.\n\nThis property is required when creating a DB instance.\n\n> You can convert an Oracle database from the non-CDB architecture to the container database (CDB) architecture by updating the `Engine` value in your templates from `oracle-ee` to `oracle-ee-cdb` or from `oracle-se2` to `oracle-se2-cdb` . Converting to the CDB architecture requires an interruption. \n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `db2-ae`\n- `db2-se`\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", "EngineLifecycleSupport": "The life cycle type for this DB instance.\n\n> By default, this value is set to `open-source-rds-extended-support` , which enrolls your DB instance into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled` . 
In this case, creating the DB instance will fail if the DB major version is past its end of standard support date. \n\nThis setting applies only to RDS for MySQL and RDS for PostgreSQL. For Amazon Aurora DB instances, the life cycle type is managed by the DB cluster.\n\nYou can use this setting to enroll your DB instance into Amazon RDS Extended Support. With RDS Extended Support, you can run the selected major engine version on your DB instance past the end of standard support for that engine version. For more information, see [Using Amazon RDS Extended Support](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/extended-support.html) in the *Amazon RDS User Guide* .\n\nValid Values: `open-source-rds-extended-support | open-source-rds-extended-support-disabled`\n\nDefault: `open-source-rds-extended-support`", "EngineVersion": "The version number of the database engine to use.\n\nFor a list of valid engine versions, use the `DescribeDBEngineVersions` action.\n\nThe following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region.\n\n*Amazon Aurora*\n\nNot applicable. 
The version number of the database engine to be used by the DB instance is managed by the DB cluster.\n\n*Db2*\n\nSee [Amazon RDS for Db2](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Db2.html#Db2.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*MariaDB*\n\nSee [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Microsoft SQL Server*\n\nSee [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSupport) in the *Amazon RDS User Guide.*\n\n*MySQL*\n\nSee [MySQL on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Oracle*\n\nSee [Oracle Database Engine Release Notes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.PatchComposition.html) in the *Amazon RDS User Guide.*\n\n*PostgreSQL*\n\nSee [Supported PostgreSQL Database Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.DBVersions) in the *Amazon RDS User Guide.*", 
@@ -43409,7 +43522,9 @@ "AppMonitorConfiguration": "A structure that contains much of the configuration data for the app monitor. If you are using Amazon Cognito for authorization, you must include this structure in your request, and it must include the ID of the Amazon Cognito identity pool to use for authorization. If you don't include `AppMonitorConfiguration` , you must set up your own authorization method. For more information, see [Authorize your application to send data to AWS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-get-started-authorization.html) .\n\nIf you omit this argument, the sample rate used for CloudWatch RUM is set to 10% of the user sessions.", "CustomEvents": "Specifies whether this app monitor allows the web client to define and send custom events. If you omit this parameter, custom events are `DISABLED` .", "CwLogEnabled": "Data collected by CloudWatch RUM is kept by RUM for 30 days and then deleted. This parameter specifies whether CloudWatch RUM sends a copy of this telemetry data to Amazon CloudWatch Logs in your account. This enables you to keep the telemetry data for more than 30 days, but it does incur Amazon CloudWatch Logs charges.\n\nIf you omit this parameter, the default is `false` .", - "Domain": "The top-level internet domain name for which your application has administrative authority. This parameter is required.", + "DeobfuscationConfiguration": "A structure that contains the configuration for how an app monitor can deobfuscate stack traces.", + "Domain": "The top-level internet domain name for which your application has administrative authority. This parameter or the `DomainList` parameter is required.", + "DomainList": "List the domain names for which your application has administrative authority. This parameter or the `Domain` parameter is required.\n\nYou can have a minimum of 1 and a maximum of 5 `Domain` under `DomainList` . 
Each `Domain` must be a minimum length of 1 and a maximum of 253 characters.", "Name": "A name for the app monitor. This parameter is required.", "ResourcePolicy": "Use this structure to assign a resource-based policy to a CloudWatch RUM app monitor to control access to it. Each app monitor can have one resource-based policy. The maximum size of the policy is 4 KB. To learn more about using resource policies with RUM, see [Using resource-based policies with CloudWatch RUM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-resource-policies.html) .", "Tags": "Assigns one or more tags (key-value pairs) to the app monitor.\n\nTags can help you organize and categorize your resources. You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values.\n\nTags don't have any semantic meaning to AWS and are interpreted strictly as strings of characters.\n\nYou can associate as many as 50 tags with an app monitor.\n\nFor more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) ." 
@@ -43429,6 +43544,13 @@ "AWS::RUM::AppMonitor CustomEvents": { "Status": "Set this to `ENABLED` to allow the web client to send custom events for this app monitor.\n\nValid values are `ENABLED` and `DISABLED` ." }, + "AWS::RUM::AppMonitor DeobfuscationConfiguration": { + "JavaScriptSourceMaps": "A structure that contains the configuration for how an app monitor can unminify JavaScript error stack traces using source maps." + }, + "AWS::RUM::AppMonitor JavaScriptSourceMaps": { + "S3Uri": "The S3Uri of the bucket or folder that stores the source map files. It is required if status is ENABLED.", + "Status": "Specifies whether JavaScript error stack traces should be unminified for this app monitor. The default is for JavaScript error stack trace unminification to be `DISABLED` ." + }, "AWS::RUM::AppMonitor MetricDefinition": { "DimensionKeys": "This field is a map of field paths to dimension names. It defines the dimensions to associate with this metric in CloudWatch . The value of this field is used only if the metric destination is `CloudWatch` . If the metric destination is `Evidently` , the value of `DimensionKeys` is ignored.", "EventPattern": "The pattern that defines the metric. RUM checks events that happen in a user's session against the pattern, and events that match the pattern are sent to the metric destination.\n\nIf the metrics destination is `CloudWatch` and the event also matches a value in `DimensionKeys` , then the metric is published with the specified dimensions.", 
@@ -43448,8 +43570,8 @@ "PolicyRevisionId": "A string value that you can use to conditionally update your policy. You can provide the revision ID of your existing policy to make mutating requests against that policy.\n\nWhen you assign a policy revision ID, then later requests about that policy will be rejected with an `InvalidPolicyRevisionIdException` error if they don't provide the correct current revision ID." }, "AWS::RUM::AppMonitor Tag": { - "Key": "", - "Value": "" + "Key": "A string that you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." }, "AWS::Rbin::Rule": { "Description": "The retention rule description.", 
@@ -44182,7 +44304,7 @@ }, "AWS::Route53::HostedZone": { "HostedZoneConfig": "A complex type that contains an optional comment.\n\nIf you don't want to specify a comment, omit the `HostedZoneConfig` and `Comment` elements.", - "HostedZoneTags": "Adds, edits, or deletes tags for a health check or a hosted zone.\n\nFor information about using tags for cost allocation, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing and Cost Management User Guide* .", + "HostedZoneTags": "Adds, edits, or deletes tags for a health check or a hosted zone.\n\nFor information about using tags for cost allocation, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *Billing and Cost Management User Guide* .", "Name": "The name of the domain. Specify a fully qualified domain name, for example, *www.example.com* . The trailing dot is optional; Amazon Route 53 assumes that the domain name is fully qualified. This means that Route 53 treats *www.example.com* (without a trailing dot) and *www.example.com.* (with a trailing dot) as identical.\n\nIf you're creating a public hosted zone, this is the name you have registered with your DNS registrar. If your domain name is registered with a registrar other than Route 53, change the name servers for your domain to the set of `NameServers` that are returned by the `Fn::GetAtt` intrinsic function.", "QueryLoggingConfig": "Creates a configuration for DNS query logging. 
After you create a query logging configuration, Amazon Route 53 begins to publish log data to an Amazon CloudWatch Logs log group.\n\nDNS query logs contain information about the queries that Route 53 receives for a specified public hosted zone, such as the following:\n\n- Route 53 edge location that responded to the DNS query\n- Domain or subdomain that was requested\n- DNS record type, such as A or AAAA\n- DNS response code, such as `NoError` or `ServFail`\n\n- **Log Group and Resource Policy** - Before you create a query logging configuration, perform the following operations.\n\n> If you create a query logging configuration using the Route 53 console, Route 53 performs these operations automatically. \n\n- Create a CloudWatch Logs log group, and make note of the ARN, which you specify when you create a query logging configuration. Note the following:\n\n- You must create the log group in the us-east-1 region.\n- You must use the same AWS account to create the log group and the hosted zone that you want to configure query logging for.\n- When you create log groups for query logging, we recommend that you use a consistent prefix, for example:\n\n`/aws/route53/ *hosted zone name*`\n\nIn the next step, you'll create a resource policy, which controls access to one or more log groups and the associated AWS resources, such as Route 53 hosted zones. There's a limit on the number of resource policies that you can create, so we recommend that you use a consistent prefix so you can use the same resource policy for all the log groups that you create for query logging.\n- Create a CloudWatch Logs resource policy, and give it the permissions that Route 53 needs to create log streams and to send query logs to log streams. You must create the CloudWatch Logs resource policy in the us-east-1 region. For the value of `Resource` , specify the ARN for the log group that you created in the previous step. 
To use the same resource policy for all the CloudWatch Logs log groups that you created for query logging configurations, replace the hosted zone name with `*` , for example:\n\n`arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/*`\n\nTo avoid the confused deputy problem, a security issue where an entity without a permission for an action can coerce a more-privileged entity to perform it, you can optionally limit the permissions that a service has to a resource in a resource-based policy by supplying the following values:\n\n- For `aws:SourceArn` , supply the hosted zone ARN used in creating the query logging configuration. For example, `aws:SourceArn: arn:aws:route53:::hostedzone/hosted zone ID` .\n- For `aws:SourceAccount` , supply the account ID for the account that creates the query logging configuration. For example, `aws:SourceAccount:111111111111` .\n\nFor more information, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the *AWS IAM User Guide* .\n\n> You can't use the CloudWatch console to create or edit a resource policy. You must use the CloudWatch API, one of the AWS SDKs, or the AWS CLI .\n- **Log Streams and Edge Locations** - When Route 53 finishes creating the configuration for DNS query logging, it does the following:\n\n- Creates a log stream for an edge location the first time that the edge location responds to DNS queries for the specified hosted zone. That log stream is used to log all queries that Route 53 responds to for that edge location.\n- Begins to send query logs to the applicable log stream.\n\nThe name of each log stream is in the following format:\n\n`*hosted zone ID* / *edge location code*`\n\nThe edge location code is a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. 
(These abbreviations might change in the future.) For a list of edge locations, see \"The Route 53 Global Network\" on the [Route 53 Product Details](https://docs.aws.amazon.com/route53/details/) page.\n- **Queries That Are Logged** - Query logs contain only the queries that DNS resolvers forward to Route 53. If a DNS resolver has already cached the response to a query (such as the IP address for a load balancer for example.com), the resolver will continue to return the cached response. It doesn't forward another query to Route 53 until the TTL for the corresponding resource record set expires. Depending on how many DNS queries are submitted for a resource record set, and depending on the TTL for that resource record set, query logs might contain information about only one query out of every several thousand queries that are submitted to DNS. For more information about how DNS works, see [Routing Internet Traffic to Your Website or Web Application](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/welcome-dns-service.html) in the *Amazon Route 53 Developer Guide* .\n- **Log File Format** - For a list of the values in each query log and the format of each value, see [Logging DNS Queries](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html) in the *Amazon Route 53 Developer Guide* .\n- **Pricing** - For information about charges for query logs, see [Amazon CloudWatch Pricing](https://docs.aws.amazon.com/cloudwatch/pricing/) .\n- **How to Stop Logging** - If you want Route 53 to stop sending query logs to CloudWatch Logs, delete the query logging configuration. For more information, see [DeleteQueryLoggingConfig](https://docs.aws.amazon.com/Route53/latest/APIReference/API_DeleteQueryLoggingConfig.html) .", "VPCs": "*Private hosted zones:* A complex type that contains information about the VPCs that are associated with the specified hosted zone.\n\n> For public hosted zones, omit `VPCs` , `VPCId` , and `VPCRegion` ." 
@@ -44325,6 +44447,7 @@ }, "AWS::Route53RecoveryControl::Cluster": { "Name": "Name of the cluster. You can use any non-white space character in the name except the following: & > < ' (single quote) \" (double quote) ; (semicolon).", + "NetworkType": "The network-type can either be IPV4 or DUALSTACK.", "Tags": "The tags associated with the cluster." }, "AWS::Route53RecoveryControl::Cluster ClusterEndpoint": { @@ -46094,7 +46217,7 @@ }, "AWS::SSMIncidents::ResponsePlan": { "Actions": "The actions that the response plan starts at the beginning of an incident.", - "ChatChannel": "The AWS Chatbot chat channel used for collaboration during an incident.", + "ChatChannel": "The chat channel used for collaboration during an incident.", "DisplayName": "The human readable name of the response plan.", "Engagements": "The Amazon Resource Name (ARN) for the contacts and escalation plans that the response plan engages during an incident.", "IncidentTemplate": "Details used to create an incident when using this response plan.", @@ -46106,7 +46229,7 @@ "SsmAutomation": "Details about the Systems Manager automation document that will be used as a runbook during an incident." }, "AWS::SSMIncidents::ResponsePlan ChatChannel": { - "ChatbotSns": "The Amazon SNS targets that AWS Chatbot uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel by using the Amazon SNS topics" + "ChatbotSns": "The Amazon SNS targets that uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel by using the Amazon SNS topics" }, "AWS::SSMIncidents::ResponsePlan DynamicSsmParameter": { "Key": "The key parameter to use when running the Systems Manager Automation runbook.", 
@@ -46119,7 +46242,7 @@ "DedupeString": "Used to create only one incident record for an incident.", "Impact": "Defines the impact to the customers. Providing an impact overwrites the impact provided by a response plan.\n\n**Possible impacts:** - `1` - Critical impact, this typically relates to full application failure that impacts many to all customers.\n- `2` - High impact, partial application failure with impact to many customers.\n- `3` - Medium impact, the application is providing reduced service to customers.\n- `4` - Low impact, customer might aren't impacted by the problem yet.\n- `5` - No impact, customers aren't currently impacted but urgent action is needed to avoid impact.", "IncidentTags": "Tags to assign to the template. When the `StartIncident` API action is called, Incident Manager assigns the tags specified in the template to the incident.", - "NotificationTargets": "The Amazon Simple Notification Service ( Amazon SNS ) targets that AWS Chatbot uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel using the Amazon SNS topics.", + "NotificationTargets": "The Amazon Simple Notification Service ( Amazon SNS ) targets that uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel using the Amazon SNS topics.", "Summary": "The summary describes what has happened during the incident.", "Title": "The title of the incident is a brief and easily recognizable." }, 
@@ -48724,7 +48847,7 @@ }, "AWS::SecurityLake::DataLake Transitions": { "Days": "The number of days before data transitions to a different S3 Storage Class in the Amazon Security Lake object.", - "StorageClass": "The list of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. The default storage class is S3 Standard." + "StorageClass": "The list of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. The default storage class is *S3 Standard* . For information about other storage classes, see [Setting the storage class of an object](https://docs.aws.amazon.com/AmazonS3/latest/userguide/sc-howtoset.html) in the *Amazon S3 User Guide* ." }, "AWS::SecurityLake::Subscriber": { "AccessTypes": "You can choose to notify subscribers of new objects with an Amazon Simple Queue Service (Amazon SQS) queue or through messaging to an HTTPS endpoint provided by the subscriber.\n\nSubscribers can consume data by directly querying AWS Lake Formation tables in your Amazon S3 bucket through services like Amazon Athena. This subscription type is defined as `LAKEFORMATION` .", @@ -49286,6 +49409,7 @@ "AWS::SystemsManagerSAP::Application": { "ApplicationId": "The ID of the application.", "ApplicationType": "The type of the application.", + "ComponentsInfo": "", "Credentials": "The credentials of the SAP application.", "DatabaseArn": "The Amazon Resource Name (ARN) of the database.", "Instances": "The Amazon EC2 instances on which your SAP application is running.", 
@@ -49293,6 +49417,11 @@ "Sid": "The System ID of the application.", "Tags": "The tags on the application." }, + "AWS::SystemsManagerSAP::Application ComponentInfo": { + "ComponentType": "This string is the type of the component.\n\nAccepted value is `WD` .", + "Ec2InstanceId": "This is the Amazon EC2 instance on which your SAP component is running.\n\nAccepted values are alphanumeric.", + "Sid": "This string is the SAP System ID of the component.\n\nAccepted values are alphanumeric." + }, "AWS::SystemsManagerSAP::Application Credential": { "CredentialType": "The type of the application credentials.", "DatabaseName": "The name of the SAP HANA database.", 
@@ -50260,7 +50389,7 @@ "Description": "A description of the set that helps with identification.", "Name": "The name of the set. You cannot change the name after you create the set.", "RegularExpressionList": "The regular expression patterns in the set.", - "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", + "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation." }, "AWS::WAFv2::RegexPatternSet Tag": { 
@@ -50275,7 +50404,7 @@ "Description": "A description of the rule group that helps with identification.", "Name": "The name of the rule group. You cannot change the name of a rule group after you create it.", "Rules": "The rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", - "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", + "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. 
With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation.", "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection." }, 
@@ -50289,7 +50418,7 @@ "CustomResponse": "Defines a custom response for the web request.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::RuleGroup Body": { - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::RuleGroup ByteMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", 
@@ -50341,16 +50470,17 @@ }, "AWS::WAFv2::RuleGroup FieldToMatch": { "AllQueryArguments": "Inspect all query arguments.", - "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "Cookies": "Inspect the request cookies. You must configure scope and pattern matching filters in the `Cookies` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the `Cookies` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.", "Headers": "Inspect the request headers. You must configure scope and pattern matching filters in the `Headers` object, to define the set of headers to and the parts of the headers that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the `Headers` object. AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.", "JA3Fingerprint": "Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA3 fingerprint. 
The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.\n\n> You can use this choice only with a string match `ByteMatchStatement` with the `PositionalConstraint` set to `EXACTLY` . \n\nYou can obtain the JA3 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see [Log fields](https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) in the *AWS WAF Developer Guide* .\n\nProvide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.", "JA4Fingerprint": "Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA4 fingerprint. The JA4 fingerprint is a 36-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.\n\n> You can use this choice only with a string match `ByteMatchStatement` with the `PositionalConstraint` set to `EXACTLY` . \n\nYou can obtain the JA4 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. 
For information about the logging fields, see [Log fields](https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) in the *AWS WAF Developer Guide* .\n\nProvide the JA4 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.", - "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "Method": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.", "QueryString": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.", "SingleHeader": "Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` . This setting isn't case sensitive.\n\nExample JSON: `\"SingleHeader\": { \"Name\": \"haystack\" }`\n\nAlternately, you can filter and inspect all headers with the `Headers` `FieldToMatch` setting.", "SingleQueryArgument": "Inspect a single query argument. Provide the name of the query argument to inspect, such as *UserName* or *SalesRegion* . The name can be up to 30 characters long and isn't case sensitive.\n\nExample JSON: `\"SingleQueryArgument\": { \"Name\": \"myArgument\" }`", + "UriFragment": "Inspect fragments of the request URI. You must configure scope and pattern matching filters in the `UriFragment` object, to define the fragment of a URI that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's URI fragments and only the first 200 URI fragments are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize URI fragment content in the `UriFragment` object. 
AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.", "UriPath": "Inspect the request URI path. This is the part of the web request that identifies a resource, for example, `/images/daily-ad.jpg` ." }, "AWS::WAFv2::RuleGroup ForwardedIPConfiguration": { 
@@ -50393,7 +50523,7 @@ "InvalidFallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\n> AWS WAF parsing doesn't fully validate the input JSON string, so parsing can succeed even for invalid JSON. When parsing succeeds, AWS WAF doesn't apply the fallback behavior. For more information, see [JSON body](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-json-body) in the *AWS WAF Developer Guide* .", "MatchPattern": "The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.", "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::RuleGroup JsonMatchPattern": { "All": "Match all of the elements. See also `MatchScope` in the `JsonBody` `FieldToMatch` specification.\n\nYou must specify either this setting or the `IncludedPaths` setting, but not both.", 
@@ -50530,6 +50660,9 @@ "Priority": "Sets the relative processing order for multiple transformations. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. The priorities don't need to be consecutive, but they must all be different.", "Type": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* ." }, + "AWS::WAFv2::RuleGroup UriFragment": { + "FallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\nExample JSON: `{ \"UriFragment\": { \"FallbackBehavior\": \"MATCH\"} }`\n\n> AWS WAF parsing doesn't fully validate the input JSON string, so parsing can succeed even for invalid JSON. When parsing succeeds, AWS WAF doesn't apply the fallback behavior. For more information, see [JSON body](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-json-body) in the *AWS WAF Developer Guide* ." + }, "AWS::WAFv2::RuleGroup VisibilityConfig": { "CloudWatchMetricsEnabled": "Indicates whether the associated resource sends metrics to Amazon CloudWatch. 
For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics) in the *AWS WAF Developer Guide* .\n\nFor web ACLs, the metrics are for web requests that have the web ACL default action applied. AWS WAF applies the default action to web requests that pass the inspection of all rules in the web ACL without being either allowed or blocked. For more information,\nsee [The web ACL default action](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html) in the *AWS WAF Developer Guide* .", "MetricName": "A name of the Amazon CloudWatch metric dimension. The name can contain only the characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). The name can be from one to 128 characters long. It can't contain whitespace or metric names that are reserved for AWS WAF , for example `All` and `Default_Action` .", 
@@ -50549,7 +50682,7 @@ "Description": "A description of the web ACL that helps with identification.", "Name": "The name of the web ACL. You cannot change the name of a web ACL after you create it.", "Rules": "The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", - "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", + "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). 
You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation.", "TokenDomains": "Specifies the domains that AWS WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting. If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource. With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.", "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection." 
@@ -50584,7 +50717,7 @@ "CustomResponse": "Defines a custom response for the web request.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::WebACL Body": { - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::WebACL ByteMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", 
@@ -50655,16 +50788,17 @@ }, "AWS::WAFv2::WebACL FieldToMatch": { "AllQueryArguments": "Inspect all query arguments.", - "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "Cookies": "Inspect the request cookies. You must configure scope and pattern matching filters in the `Cookies` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the `Cookies` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.", "Headers": "Inspect the request headers. You must configure scope and pattern matching filters in the `Headers` object, to define the set of headers to and the parts of the headers that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the `Headers` object. AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.", "JA3Fingerprint": "Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA3 fingerprint. 
The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.\n\n> You can use this choice only with a string match `ByteMatchStatement` with the `PositionalConstraint` set to `EXACTLY` . \n\nYou can obtain the JA3 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see [Log fields](https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) in the *AWS WAF Developer Guide* .\n\nProvide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.", "JA4Fingerprint": "Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA4 fingerprint. The JA4 fingerprint is a 36-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.\n\n> You can use this choice only with a string match `ByteMatchStatement` with the `PositionalConstraint` set to `EXACTLY` . \n\nYou can obtain the JA4 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. 
For information about the logging fields, see [Log fields](https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) in the *AWS WAF Developer Guide* .\n\nProvide the JA4 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.", - "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "Method": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.", "QueryString": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.", "SingleHeader": "Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` . This setting isn't case sensitive.\n\nExample JSON: `\"SingleHeader\": { \"Name\": \"haystack\" }`\n\nAlternately, you can filter and inspect all headers with the `Headers` `FieldToMatch` setting.", "SingleQueryArgument": "Inspect a single query argument. Provide the name of the query argument to inspect, such as *UserName* or *SalesRegion* . The name can be up to 30 characters long and isn't case sensitive.\n\nExample JSON: `\"SingleQueryArgument\": { \"Name\": \"myArgument\" }`", + "UriFragment": "Inspect fragments of the request URI. You must configure scope and pattern matching filters in the `UriFragment` object, to define the fragment of a URI that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's URI fragments and only the first 200 URI fragments are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize URI fragment content in the `UriFragment` object. 
AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.", "UriPath": "Inspect the request URI path. This is the part of the web request that identifies a resource, for example, `/images/daily-ad.jpg` ." }, "AWS::WAFv2::WebACL FieldToProtect": { 
@@ -50711,7 +50845,7 @@ "InvalidFallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\n> AWS WAF parsing doesn't fully validate the input JSON string, so parsing can succeed even for invalid JSON. When parsing succeeds, AWS WAF doesn't apply the fallback behavior. For more information, see [JSON body](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-json-body) in the *AWS WAF Developer Guide* .", "MatchPattern": "The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.", "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::WebACL JsonMatchPattern": { "All": "Match all of the elements. See also `MatchScope` in the `JsonBody` `FieldToMatch` specification.\n\nYou must specify either this setting or the `IncludedPaths` setting, but not both.", 
@@ -50919,6 +51053,9 @@ "Priority": "Sets the relative processing order for multiple transformations. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. The priorities don't need to be consecutive, but they must all be different.", "Type": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* ." }, + "AWS::WAFv2::WebACL UriFragment": { + "FallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\nExample JSON: `{ \"UriFragment\": { \"FallbackBehavior\": \"MATCH\"} }`\n\n> AWS WAF parsing doesn't fully validate the input JSON string, so parsing can succeed even for invalid JSON. When parsing succeeds, AWS WAF doesn't apply the fallback behavior. For more information, see [JSON body](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-json-body) in the *AWS WAF Developer Guide* ." + }, "AWS::WAFv2::WebACL VisibilityConfig": { "CloudWatchMetricsEnabled": "Indicates whether the associated resource sends metrics to Amazon CloudWatch. 
For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics) in the *AWS WAF Developer Guide* .\n\nFor web ACLs, the metrics are for web requests that have the web ACL default action applied. AWS WAF applies the default action to web requests that pass the inspection of all rules in the web ACL without being either allowed or blocked. For more information,\nsee [The web ACL default action](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html) in the *AWS WAF Developer Guide* .", "MetricName": "A name of the Amazon CloudWatch metric dimension. The name can contain only the characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). The name can be from one to 128 characters long. It can't contain whitespace or metric names that are reserved for AWS WAF , for example `All` and `Default_Action` .", 
@@ -50929,7 +51066,7 @@ "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. If you specify one or more transformations in a rule statement, AWS WAF performs all transformations on the content of the request component identified by `FieldToMatch` , starting from the lowest priority setting, before inspecting the content for a match." }, "AWS::WAFv2::WebACLAssociation": { - "ResourceArn": "The Amazon Resource Name (ARN) of the resource to associate with the web ACL.\n\nThe ARN must be in one of the following formats:\n\n- For an Application Load Balancer: `arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`\n- For an Amazon API Gateway REST API: `arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`\n- For an AWS AppSync GraphQL API: `arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*`\n- For an Amazon Cognito user pool: `arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`\n- For an AWS App Runner service: `arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*`\n- For an AWS Verified Access instance: `arn: *partition* :ec2: *region* : *account-id* :verified-access-instance/ *instance-id*`", + "ResourceArn": "The Amazon Resource Name (ARN) of the resource to associate with the web ACL.\n\nThe ARN must be in one of the following formats:\n\n- For an Application Load Balancer: `arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`\n- For an Amazon API Gateway REST API: `arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`\n- For an AWS AppSync GraphQL API: `arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*`\n- For an Amazon Cognito 
user pool: `arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`\n- For an AWS App Runner service: `arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*`\n- For an AWS Verified Access instance: `arn: *partition* :ec2: *region* : *account-id* :verified-access-instance/ *instance-id*`\n- For an AWS Amplify instance: `arn: *partition* :amplify: *region* : *account-id* :apps/ *app-id*`", "WebACLArn": "The Amazon Resource Name (ARN) of the web ACL that you want to associate with the resource." }, "AWS::Wisdom::AIAgent": { diff --git a/schema_source/cloudformation.schema.json b/schema_source/cloudformation.schema.json index 43bdb7d8b..daa71469a 100644 --- a/schema_source/cloudformation.schema.json +++ b/schema_source/cloudformation.schema.json 
@@ -1580,7 +1580,7 @@ "properties": { "PracticeRunConfiguration": { "$ref": "#/definitions/AWS::ARCZonalShift::ZonalAutoshiftConfiguration.PracticeRunConfiguration", - "markdownDescription": "A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. When a resource has a practice run configuration, Route 53 ARC shifts traffic for the resource weekly for practice runs.\n\nPractice runs are required for zonal autoshift. The zonal shifts that Route 53 ARC starts for practice runs help you to ensure that shifting away traffic from an Availability Zone during an autoshift is safe for your application.\n\nYou can update or delete a practice run configuration. Before you delete a practice run configuration, you must disable zonal autoshift for the resource. A practice run configuration is required when zonal autoshift is enabled.", + "markdownDescription": "A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. When a resource has a practice run configuration, ARC shifts traffic for the resource weekly for practice runs.\n\nPractice runs are required for zonal autoshift. The zonal shifts that ARC starts for practice runs help you to ensure that shifting away traffic from an Availability Zone during an autoshift is safe for your application.\n\nYou can update or delete a practice run configuration. Before you delete a practice run configuration, you must disable zonal autoshift for the resource. A practice run configuration is required when zonal autoshift is enabled.", "title": "PracticeRunConfiguration" }, "ResourceIdentifier": { 
@@ -5565,7 +5565,7 @@ }, "EndpointConfiguration": { "$ref": "#/definitions/AWS::ApiGateway::DomainName.EndpointConfiguration", - "markdownDescription": "The endpoint configuration of this DomainName showing the endpoint types of the domain name.", + "markdownDescription": "The endpoint configuration of this DomainName showing the endpoint types and IP address types of the domain name.", "title": "EndpointConfiguration" }, "MutualTlsAuthentication": { @@ -6398,7 +6398,7 @@ }, "EndpointConfiguration": { "$ref": "#/definitions/AWS::ApiGateway::RestApi.EndpointConfiguration", - "markdownDescription": "A list of the endpoint types of the API. Use this property when creating an API. When importing an existing API, specify the endpoint configuration types using the `Parameters` property.", + "markdownDescription": "A list of the endpoint types and IP address types of the API. Use this property when creating an API. When importing an existing API, specify the endpoint configuration types using the `Parameters` property.", "title": "EndpointConfiguration" }, "FailOnWarnings": { 
@@ -30891,7 +30891,7 @@ }, "TimePeriod": { "$ref": "#/definitions/AWS::Budgets::Budget.TimePeriod", - "markdownDescription": "The period of time that is covered by a budget. The period has a start date and an end date. The start date must come before the end date. There are no restrictions on the end date.\n\nThe start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nAfter the end date, AWS deletes the budget and all associated notifications and subscribers.", + "markdownDescription": "The period of time that is covered by a budget. The period has a start date and an end date. The start date must come before the end date. There are no restrictions on the end date.\n\nThe start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nAfter the end date, AWS deletes the budget and all associated notifications and subscribers.", "title": "TimePeriod" }, "TimeUnit": { 
@@ -31079,12 +31079,12 @@ "additionalProperties": false, "properties": { "End": { - "markdownDescription": "The end date for a budget. If you didn't specify an end date, AWS set your end date to `06/15/87 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nAfter the end date, AWS deletes the budget and all the associated notifications and subscribers. You can change your end date with the `UpdateBudget` operation.", + "markdownDescription": "The end date for a budget. If you didn't specify an end date, AWS set your end date to `06/15/87 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nAfter the end date, AWS deletes the budget and all the associated notifications and subscribers. You can change your end date with the `UpdateBudget` operation.", "title": "End", "type": "string" }, "Start": { - "markdownDescription": "The start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nValid values depend on the value of `BudgetType` :\n\n- If `BudgetType` is `COST` or `USAGE` : Valid values are `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .\n- If `BudgetType` is `RI_UTILIZATION` or `RI_COVERAGE` : Valid values are `DAILY` , `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .", + "markdownDescription": "The start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). 
For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nValid values depend on the value of `BudgetType` :\n\n- If `BudgetType` is `COST` or `USAGE` : Valid values are `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .\n- If `BudgetType` is `RI_UTILIZATION` or `RI_COVERAGE` : Valid values are `DAILY` , `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .", "title": "Start", "type": "string" } @@ -31926,7 +31926,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the AWS Regions that the keyspace is replicated in. You must specify at least two and up to six Regions, including the Region that the keyspace is being created in.", + "markdownDescription": "Specifies the AWS Regions that the keyspace is replicated in. You must specify at least two Regions, including the Region that the keyspace is being created in.", "title": "RegionList", "type": "array" }, 
@@ -39205,7 +39205,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source.\n\nThe following are valid values for network activity events:\n\n- `cloudtrail.amazonaws.com`\n- `ec2.amazonaws.com`\n- `kms.amazonaws.com`\n- `s3.amazonaws.com`\n- `secretsmanager.amazonaws.com`\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. 
You can use any operator with `vpcEndpointId` .", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. For a list of services supporting network activity events, see [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide* .\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. You can use any operator with `vpcEndpointId` .", "title": "Field", "type": "string" }, 
@@ -39528,7 +39528,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source.\n\nThe following are valid values for network activity events:\n\n- `cloudtrail.amazonaws.com`\n- `ec2.amazonaws.com`\n- `kms.amazonaws.com`\n- `s3.amazonaws.com`\n- `secretsmanager.amazonaws.com`\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. 
You can use any operator with `vpcEndpointId` .", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail management events, supported fields include `eventCategory` (required), `eventSource` , and `readOnly` . The following additional fields are available for event data stores: `eventName` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail data events, supported fields include `eventCategory` (required), `resources.type` (required), `eventName` , `readOnly` , and `resources.ARN` . The following additional fields are available for event data stores: `eventSource` , `eventType` , `sessionCredentialFromConsole` , and `userIdentity.arn` .\n\nFor CloudTrail network activity events, supported fields include `eventCategory` (required), `eventSource` (required), `eventName` , `errorCode` , and `vpcEndpointId` .\n\nFor event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .\n\n> Selectors don't support the use of wildcards like `*` . To match multiple values with a single condition, you may use `StartsWith` , `EndsWith` , `NotStartsWith` , or `NotEndsWith` to explicitly match the beginning or end of the event field. \n\n- *`readOnly`* - This is an optional field that is only used for management events and data events. This field can be set to `Equals` with a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. 
A value of `false` logs only `write` events.\n- *`eventSource`* - This field is only used for management events, data events (for event data stores only), and network activity events.\n\nFor management events for trails, this is an optional field that can be set to `NotEquals` `kms.amazonaws.com` to exclude KMS management events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS management events.\n\nFor management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.\n\nFor network activity events, this is a required field that only uses the `Equals` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. For a list of services supporting network activity events, see [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide* .\n- *`eventName`* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with `eventName` . You can use it to \ufb01lter in or \ufb01lter out specific events. 
You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This field is required and must be set to `Equals` .\n\n- For CloudTrail management events, the value must be `Management` .\n- For CloudTrail data events, the value must be `Data` .\n- For CloudTrail network activity events, the value must be `NetworkActivity` .\n\nThe following are used only for event data stores:\n\n- For CloudTrail Insights events, the value must be `Insight` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For events outside of AWS , the value must be `ActivityAuditLog` .\n- *`eventType`* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type) in the *AWS CloudTrail user guide* .\n- *`errorCode`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied` . `errorCode` can only use the `Equals` operator.\n- *`sessionCredentialFromConsole`* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. `sessionCredentialFromConsole` can only use the `Equals` and `NotEquals` operators.\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. 
`resources.type` can only use the `Equals` operator.\n\nFor a list of available resource types for data events, see [Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) in the *AWS CloudTrail User Guide* .\n\nYou can have only one `resources.type` \ufb01eld per selector. To log events on more than one resource type, add another selector.\n- *`resources.ARN`* - The `resources.ARN` is an optional field for data events. You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nFor more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference* .\n\n> You can't use the `resources.ARN` field to filter resource types that do not have ARNs.\n- *`userIdentity.arn`* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with `userIdentity.arn` . For more information on the userIdentity element, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide* .\n- *`vpcEndpointId`* - This \ufb01eld is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. You can use any operator with `vpcEndpointId` .", "title": "Field", "type": "string" }, 
@@ -45051,7 +45051,7 @@ "type": "object" }, "TargetAddress": { - "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon SNS topic or AWS Chatbot client.", + "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon SNS topic or client.", "title": "TargetAddress", "type": "string" }, @@ -45059,7 +45059,7 @@ "items": { "$ref": "#/definitions/AWS::CodeStarNotifications::NotificationRule.Target" }, - "markdownDescription": "A list of Amazon Resource Names (ARNs) of Amazon SNS topics and AWS Chatbot clients to associate with the notification rule.", + "markdownDescription": "A list of Amazon Resource Names (ARNs) of Amazon SNS topics and clients to associate with the notification rule.", "title": "Targets", "type": "array" } @@ -45098,12 +45098,12 @@ "additionalProperties": false, "properties": { "TargetAddress": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Chatbot topic or AWS Chatbot client.", + "markdownDescription": "The Amazon Resource Name (ARN) of the topic or client.", "title": "TargetAddress", "type": "string" }, "TargetType": { - "markdownDescription": "The target type. Can be an Amazon Simple Notification Service topic or AWS Chatbot client.\n\n- Amazon Simple Notification Service topics are specified as `SNS` .\n- AWS Chatbot clients are specified as `AWSChatbotSlack` .\n- AWS Chatbot clients for Microsoft Teams are specified as `AWSChatbotMicrosoftTeams` .", + "markdownDescription": "The target type. Can be an Amazon Simple Notification Service topic or client.\n\n- Amazon Simple Notification Service topics are specified as `SNS` .\n- clients are specified as `AWSChatbotSlack` .\n- clients for Microsoft Teams are specified as `AWSChatbotMicrosoftTeams` .", "title": "TargetType", "type": "string" } 
@@ -48184,7 +48184,7 @@ }, "Scope": { "$ref": "#/definitions/AWS::Config::ConfigRule.Scope", - "markdownDescription": "Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.\n\n> Scope is only supported for change-triggered rules. Scope is not supported for periodic or hybrid rules.", + "markdownDescription": "Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.", "title": "Scope" }, "Source": { 
@@ -102755,7 +102755,7 @@ "type": "string" }, "OperatingSystem": { - "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/https://aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", + "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", "title": "OperatingSystem", "type": "string" }, 
@@ -102811,7 +102811,7 @@ "type": "string" }, "ObjectVersion": { - "markdownDescription": "A version of a stored file to retrieve, if the object versioning feature is turned on for the S3 bucket. Use this parameter to specify a specific version. If this parameter isn't set, Amazon GameLift retrieves the latest version of the file.", + "markdownDescription": "A version of a stored file to retrieve, if the object versioning feature is turned on for the S3 bucket. Use this parameter to specify a specific version. If this parameter isn't set, Amazon GameLift Servers retrieves the latest version of the file.", "title": "ObjectVersion", "type": "string" }, @@ -102875,7 +102875,7 @@ "type": "string" }, "OperatingSystem": { - "markdownDescription": "The platform that all containers in the container group definition run on.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/https://aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", + "markdownDescription": "The platform that all containers in the container group definition run on.\n\n> Amazon Linux 2 (AL2) will reach end of support on 6/30/2025. See more details in the [Amazon Linux 2 FAQs](https://docs.aws.amazon.com/aws.amazon.com/amazon-linux-2/faqs/) . For game servers that are hosted on AL2 and use server SDK version 4.x for Amazon GameLift Servers, first update the game server build to server SDK 5.x, and then deploy to AL2023 instances. See [Migrate to server SDK version 5.](https://docs.aws.amazon.com/gamelift/latest/developerguide/reference-serversdk5-migration.html)", "title": "OperatingSystem", "type": "string" }, 
@@ -103286,7 +103286,7 @@ "type": "array" }, "ScriptId": { - "markdownDescription": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually.", + "markdownDescription": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift Servers prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually.", "title": "ScriptId", "type": "string" } @@ -116607,7 +116607,7 @@ }, "MemberId": { "$ref": "#/definitions/AWS::IdentityStore::GroupMembership.MemberId", - "markdownDescription": "An object containing the identifier of a group member. Setting `MemberId` 's `UserId` field to a specific User's ID indicates we should consider that User as a group member.", + "markdownDescription": "An object containing the identifier of a group member. Setting the `MemberId` 's `UserId` field to a specific User's ID indicates that user is a member of the group.", "title": "MemberId" } }, 
@@ -153273,7 +153273,7 @@ "type": "object" }, "AirflowVersion": { - "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `1.10.12` | `2.0.2` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` | `2.7.2` | `2.8.1` | `2.9.2` (latest)", + "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `1.10.12` | `2.0.2` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` | `2.7.2` | `2.8.1` | `2.9.2` | `2.10.1` (latest)", "title": "AirflowVersion", "type": "string" }, @@ -153288,7 +153288,7 @@ "type": "string" }, "EnvironmentClass": { - "markdownDescription": "The environment class type. Valid values: `mw1.small` , `mw1.medium` , `mw1.large` . To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", + "markdownDescription": "The environment class type. Valid values: `mw1.micro` , `mw1.small` , `mw1.medium` , `mw1.large` , `mw1.1large` , and `mw1.2large` . To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", "title": "EnvironmentClass", "type": "string" }, 
@@ -153348,7 +153348,7 @@ "type": "string" }, "Schedulers": { - "markdownDescription": "The number of schedulers that you want to run in your environment. Valid values:\n\n- *v2* - Accepts between 2 to 5. Defaults to 2.\n- *v1* - Accepts 1.", + "markdownDescription": "The number of schedulers that you want to run in your environment. Valid values:\n\n- *v2* - For environments larger than mw1.micro, accepts values from 2 to 5. Defaults to 2 for all environment sizes except mw1.micro, which defaults to 1.\n- *v1* - Accepts 1.", "title": "Schedulers", "type": "number" }, @@ -154386,12 +154386,12 @@ "properties": { "EgressGatewayBridge": { "$ref": "#/definitions/AWS::MediaConnect::Bridge.EgressGatewayBridge", - "markdownDescription": "Create a bridge with the egress bridge type. An egress bridge is a cloud-to-ground bridge. The content comes from an existing MediaConnect flow and is delivered to your premises.", + "markdownDescription": "An egress bridge is a cloud-to-ground bridge. The content comes from an existing MediaConnect flow and is delivered to your premises.", "title": "EgressGatewayBridge" }, "IngressGatewayBridge": { "$ref": "#/definitions/AWS::MediaConnect::Bridge.IngressGatewayBridge", - "markdownDescription": "Create a bridge with the ingress bridge type. An ingress bridge is a ground-to-cloud bridge. The content originates at your premises and is delivered to the cloud.", + "markdownDescription": "An ingress bridge is a ground-to-cloud bridge. The content originates at your premises and is delivered to the cloud.", "title": "IngressGatewayBridge" }, "Name": { @@ -154483,7 +154483,7 @@ "additionalProperties": false, "properties": { "IpAddress": { - "markdownDescription": "The network output IP Address.", + "markdownDescription": "The network output IP address.", "title": "IpAddress", "type": "string" }, 
@@ -154498,12 +154498,12 @@ "type": "string" }, "Port": { - "markdownDescription": "The network output port.", + "markdownDescription": "The network output's port.", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The network output protocol.", + "markdownDescription": "The network output protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "title": "Protocol", "type": "string" }, @@ -154532,7 +154532,7 @@ "type": "string" }, "Name": { - "markdownDescription": "The name of the network source. This name is used to reference the source and must be unique among sources in this bridge.", + "markdownDescription": "The name of the network source.", "title": "Name", "type": "string" }, @@ -154547,7 +154547,7 @@ "type": "number" }, "Protocol": { - "markdownDescription": "The network source protocol.", + "markdownDescription": "The network source protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "title": "Protocol", "type": "string" } @@ -154612,7 +154612,7 @@ }, "SourcePriority": { "$ref": "#/definitions/AWS::MediaConnect::Bridge.SourcePriority", - "markdownDescription": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams. This setting only applies when Failover Mode is set to FAILOVER.", + "markdownDescription": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams.", "title": "SourcePriority" }, "State": { 
@@ -154661,7 +154661,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } @@ -154704,7 +154704,7 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "The ARN of the bridge that you want to describe.", + "markdownDescription": "The Amazon Resource Name (ARN) of the bridge that you want to update.", "title": "BridgeArn", "type": "string" }, @@ -154715,7 +154715,7 @@ }, "NetworkOutput": { "$ref": "#/definitions/AWS::MediaConnect::BridgeOutput.BridgeNetworkOutput", - "markdownDescription": "Add a network output to an existing bridge.", + "markdownDescription": "The network output of the bridge. A network output is delivered to your premises.", "title": "NetworkOutput" } }, @@ -154751,7 +154751,7 @@ "additionalProperties": false, "properties": { "IpAddress": { - "markdownDescription": "The network output IP Address.", + "markdownDescription": "The network output IP address.", "title": "IpAddress", "type": "string" }, @@ -154761,12 +154761,12 @@ "type": "string" }, "Port": { - "markdownDescription": "The network output port.", + "markdownDescription": "The network output's port.", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The network output protocol.", + "markdownDescription": "The network output protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "title": "Protocol", "type": "string" }, 
@@ -154821,13 +154821,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "The ARN of the bridge that you want to describe.", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "FlowSource": { "$ref": "#/definitions/AWS::MediaConnect::BridgeSource.BridgeFlowSource", - "markdownDescription": "Add a flow source to an existing bridge.", + "markdownDescription": "The source of the flow.", "title": "FlowSource" }, "Name": { @@ -154837,7 +154837,7 @@ }, "NetworkSource": { "$ref": "#/definitions/AWS::MediaConnect::BridgeSource.BridgeNetworkSource", - "markdownDescription": "Add a network source to an existing bridge.", + "markdownDescription": "The source of the network.", "title": "NetworkSource" } }, @@ -154906,7 +154906,7 @@ "type": "number" }, "Protocol": { - "markdownDescription": "The network source protocol.", + "markdownDescription": "The network source protocol.\n\n> AWS Elemental MediaConnect no longer supports the Fujitsu QoS protocol. This reference is maintained for legacy purposes only.", "title": "Protocol", "type": "string" } @@ -154923,7 +154923,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } 
@@ -155047,12 +155047,12 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "markdownDescription": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", "title": "RoleArn", "type": "string" }, "SecretArn": { - "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "title": "SecretArn", "type": "string" }, @@ -155076,13 +155076,13 @@ "type": "string" }, "RecoveryWindow": { - "markdownDescription": "The size of the buffer (delay) that the service maintains. A larger buffer means a longer delay in transmitting the stream, but more room for error correction. A smaller buffer means a shorter delay, but less room for error correction. You can choose a value from 100-500 ms. If you keep this field blank, the service uses the default value of 200 ms. This setting only applies when Failover Mode is set to MERGE.", + "markdownDescription": "Search window time to look for dash-7 packets.", "title": "RecoveryWindow", "type": "number" }, "SourcePriority": { "$ref": "#/definitions/AWS::MediaConnect::Flow.SourcePriority", - "markdownDescription": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams. This setting only applies when Failover Mode is set to FAILOVER.", + "markdownDescription": "The priority you want to assign to a source. You can have a primary stream and a backup stream or two equally prioritized streams.", "title": "SourcePriority" }, "State": { 
@@ -155117,16 +155117,16 @@ "properties": { "Decryption": { "$ref": "#/definitions/AWS::MediaConnect::Flow.Encryption", - "markdownDescription": "The type of encryption that is used on the content ingested from the source.", + "markdownDescription": "The type of encryption that is used on the content ingested from this source.", "title": "Decryption" }, "Description": { - "markdownDescription": "A description of the source. This description is not visible outside of the current AWS account.", + "markdownDescription": "A description for the source. This value is not used or seen outside of the current MediaConnect account.", "title": "Description", "type": "string" }, "EntitlementArn": { - "markdownDescription": "The ARN of the entitlement that allows you to subscribe to content that comes from another AWS account. The entitlement is set by the content originator and the ARN is generated as part of the originator\u2019s flow.", + "markdownDescription": "The ARN of the entitlement that allows you to subscribe to content that comes from another AWS account. The entitlement is set by the content originator and the ARN is generated as part of the originator's flow.", "title": "EntitlementArn", "type": "string" }, @@ -155136,12 +155136,12 @@ "title": "GatewayBridgeSource" }, "IngestIp": { - "markdownDescription": "The IP address that the flow listens on for incoming content.", + "markdownDescription": "The IP address that the flow will be listening on for incoming content.", "title": "IngestIp", "type": "string" }, "IngestPort": { - "markdownDescription": "The port that the flow listens on for incoming content. If the protocol of the source is Zixi, the port must be set to 2088.", + "markdownDescription": "The port that the flow will be listening on for incoming content.", "title": "IngestPort", "type": "number" }, 
@@ -155206,12 +155206,12 @@ "type": "string" }, "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that the source content comes from.", + "markdownDescription": "The name of the VPC interface that is used for this source.", "title": "VpcInterfaceName", "type": "string" }, "WhitelistCidr": { - "markdownDescription": "The range of IP addresses that are allowed to contribute content to your source. Format the IP addresses as a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", + "markdownDescription": "The range of IP addresses that should be allowed to contribute content to your source. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", "title": "WhitelistCidr", "type": "string" } @@ -155236,7 +155236,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } @@ -155290,7 +155290,7 @@ }, "Encryption": { "$ref": "#/definitions/AWS::MediaConnect::FlowEntitlement.Encryption", - "markdownDescription": "The type of encryption that MediaConnect will use on the output that is associated with the entitlement.", + "markdownDescription": "Information about the encryption of the flow.", "title": "Encryption" }, "EntitlementStatus": { 
@@ -155380,12 +155380,12 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "markdownDescription": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", "title": "RoleArn", "type": "string" }, "SecretArn": { - "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "title": "SecretArn", "type": "string" }, @@ -155440,12 +155440,12 @@ "items": { "type": "string" }, - "markdownDescription": "The range of IP addresses that are allowed to initiate output requests to this flow. Format the IP addresses as a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", + "markdownDescription": "The range of IP addresses that should be allowed to initiate output requests to this flow. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", "title": "CidrAllowList", "type": "array" }, "Description": { - "markdownDescription": "A description of the output. This description is not visible outside of the current AWS account even if the account grants entitlements to other accounts.", + "markdownDescription": "A description of the output. This description appears only on the MediaConnect console and will not be seen by the end user.", "title": "Description", "type": "string" }, 
@@ -155456,7 +155456,7 @@ }, "Encryption": { "$ref": "#/definitions/AWS::MediaConnect::FlowOutput.Encryption", - "markdownDescription": "The encryption credentials that you want to use for the output.", + "markdownDescription": "The type of key used for the encryption. If no `keyType` is provided, the service will use the default setting (static-key). Allowable encryption types: static-key.", "title": "Encryption" }, "FlowArn": { @@ -155475,12 +155475,12 @@ "type": "number" }, "Name": { - "markdownDescription": "The name of the output. This value must be unique within the current flow.", + "markdownDescription": "The name of the bridge's output.", "title": "Name", "type": "string" }, "Port": { - "markdownDescription": "The port to use when MediaConnect distributes content to the output.", + "markdownDescription": "The port to use when content is distributed to this output.", "title": "Port", "type": "number" }, @@ -155490,7 +155490,7 @@ "type": "string" }, "RemoteId": { - "markdownDescription": "The identifier that is assigned to the Zixi receiver. This parameter applies only to outputs that use Zixi pull.", + "markdownDescription": "The remote ID for the Zixi-pull stream.", "title": "RemoteId", "type": "string" }, @@ -155506,7 +155506,7 @@ }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::FlowOutput.VpcInterfaceAttachment", - "markdownDescription": "The VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface attachment to use for this output.", "title": "VpcInterfaceAttachment" } }, 
@@ -155551,12 +155551,12 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "markdownDescription": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", "title": "RoleArn", "type": "string" }, "SecretArn": { - "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "title": "SecretArn", "type": "string" } @@ -155571,7 +155571,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } 
@@ -155615,16 +155615,16 @@ "properties": { "Decryption": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.Encryption", - "markdownDescription": "The type of encryption that is used on the content ingested from the source.", + "markdownDescription": "The type of encryption that is used on the content ingested from this source. Allowable encryption types: static-key.", "title": "Decryption" }, "Description": { - "markdownDescription": "A description of the source. This description is not visible outside of the current AWS account.", + "markdownDescription": "A description for the source. This value is not used or seen outside of the current MediaConnect account.", "title": "Description", "type": "string" }, "EntitlementArn": { - "markdownDescription": "The ARN of the entitlement that allows you to subscribe to the flow. The entitlement is set by the content originator, and the ARN is generated as part of the originator's flow.", + "markdownDescription": "The ARN of the entitlement that allows you to subscribe to this flow. The entitlement is set by the flow originator, and the ARN is generated as part of the originator's flow.", "title": "EntitlementArn", "type": "string" }, @@ -155635,7 +155635,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.GatewayBridgeSource", - "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", + "markdownDescription": "The bridge's source.", "title": "GatewayBridgeSource" }, "IngestPort": { @@ -155644,7 +155644,7 @@ "type": "number" }, "MaxBitrate": { - "markdownDescription": "The maximum bitrate for RIST, RTP, and RTP-FEC streams.", + "markdownDescription": "The smoothing max bitrate (in bps) for RIST, RTP, and RTP-FEC streams.", "title": "MaxBitrate", "type": "number" }, 
@@ -155694,12 +155694,12 @@ "type": "string" }, "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this source.", "title": "VpcInterfaceName", "type": "string" }, "WhitelistCidr": { - "markdownDescription": "The range of IP addresses that are allowed to contribute content to your source. Format the IP addresses as a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", + "markdownDescription": "The range of IP addresses that should be allowed to contribute content to your source. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", "title": "WhitelistCidr", "type": "string" } @@ -155765,12 +155765,12 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the role that you created during setup (when you set up MediaConnect as a trusted entity).", + "markdownDescription": "The ARN of the role that you created during setup (when you set up MediaConnect as a trusted entity).", "title": "RoleArn", "type": "string" }, "SecretArn": { - "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key.", + "markdownDescription": "The ARN of the secret that you created in AWS Secrets Manager to store the encryption key. This parameter is required for static key encryption and is not valid for SPEKE encryption.", "title": "SecretArn", "type": "string" }, @@ -155808,7 +155808,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "The name of the VPC interface that you want to send your output to.", + "markdownDescription": "The name of the VPC interface to use for this resource.", "title": "VpcInterfaceName", "type": "string" } 
@@ -155856,7 +155856,7 @@ "type": "string" }, "Name": { - "markdownDescription": "The name of the VPC Interface. This value must be unique within the current flow.", + "markdownDescription": "The name for the VPC interface. This name must be unique within the flow.", "title": "Name", "type": "string" }, @@ -155869,12 +155869,12 @@ "items": { "type": "string" }, - "markdownDescription": "The VPC security groups that you want MediaConnect to use for your VPC configuration. You must include at least one security group in the request.", + "markdownDescription": "A virtual firewall to control inbound and outbound traffic.", "title": "SecurityGroupIds", "type": "array" }, "SubnetId": { - "markdownDescription": "The subnet IDs that you want to use for your VPC interface.\n\nA range of IP addresses in your VPC. When you create your VPC, you specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. When you create a subnet for your VPC, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.\n\nThe subnets that you use across all VPC interfaces on the flow must be in the same Availability Zone as the flow.", + "markdownDescription": "The subnet IDs that you want to use for your VPC interface. A range of IP addresses in your VPC. When you create your VPC, you specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. When you create a subnet for your VPC, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. The subnets that you use across all VPC interfaces on the flow must be in the same Availability Zone as the flow.", "title": "SubnetId", "type": "string" } 
@@ -155953,7 +155953,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the network. This name is used to reference the network and must be unique among networks in this gateway.", + "markdownDescription": "The name of the gateway. This name can not be modified after the gateway is created.", "title": "Name", "type": "string" }, @@ -155961,7 +155961,7 @@ "items": { "$ref": "#/definitions/AWS::MediaConnect::Gateway.GatewayNetwork" }, - "markdownDescription": "The list of networks that you want to add.", + "markdownDescription": "The list of networks in the gateway.", "title": "Networks", "type": "array" } @@ -209230,18 +209230,28 @@ "additionalProperties": false, "properties": { "ContainsHeader": { + "markdownDescription": "Whether the file has a header row, or the files each have a header row.", + "title": "ContainsHeader", "type": "boolean" }, "Delimiter": { + "markdownDescription": "The delimiter between values in the file.", + "title": "Delimiter", "type": "string" }, "Format": { + "markdownDescription": "File format.", + "title": "Format", "type": "string" }, "StartFromRow": { + "markdownDescription": "A row number to start reading data from.", + "title": "StartFromRow", "type": "number" }, "TextQualifier": { + "markdownDescription": "Text qualifier.", + "title": "TextQualifier", "type": "string" } }, 
@@ -225003,9 +225013,7 @@ "type": "string" }, "CertificateDetails": { - "$ref": "#/definitions/AWS::RDS::DBInstance.CertificateDetails", - "markdownDescription": "The details of the DB instance's server certificate.", - "title": "CertificateDetails" + "$ref": "#/definitions/AWS::RDS::DBInstance.CertificateDetails" }, "CertificateRotationRestart": { "markdownDescription": "Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate.\n\nBy default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted.\n\n> Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. \n\nIf you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate:\n\n- For more information about rotating your SSL/TLS certificate for RDS DB engines, see [Rotating Your SSL/TLS Certificate.](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon RDS User Guide.*\n- For more information about rotating your SSL/TLS certificate for Aurora DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon Aurora User Guide* .\n\nThis setting doesn't apply to RDS Custom DB instances.", 
@@ -225142,9 +225150,7 @@ "type": "boolean" }, "Endpoint": { - "$ref": "#/definitions/AWS::RDS::DBInstance.Endpoint", - "markdownDescription": "The connection endpoint for the DB instance.\n\n> The endpoint might not be shown for instances with the status of `creating` .", - "title": "Endpoint" + "$ref": "#/definitions/AWS::RDS::DBInstance.Endpoint" }, "Engine": { "markdownDescription": "The name of the database engine to use for this DB instance. Not every database engine is available in every AWS Region.\n\nThis property is required when creating a DB instance.\n\n> You can convert an Oracle database from the non-CDB architecture to the container database (CDB) architecture by updating the `Engine` value in your templates from `oracle-ee` to `oracle-ee-cdb` or from `oracle-se2` to `oracle-se2-cdb` . Converting to the CDB architecture requires an interruption. \n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `db2-ae`\n- `db2-se`\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", @@ -226787,7 +226793,7 @@ "type": "boolean" }, "Domain": { - "markdownDescription": "The top-level internet domain name for which your application has administrative authority. This parameter is required.", + "markdownDescription": "The top-level internet domain name for which your application has administrative authority. This parameter or the `DomainList` parameter is required.", "title": "Domain", "type": "string" }, 
@@ -232040,7 +232046,7 @@ "items": { "$ref": "#/definitions/AWS::Route53::HostedZone.HostedZoneTag" }, - "markdownDescription": "Adds, edits, or deletes tags for a health check or a hosted zone.\n\nFor information about using tags for cost allocation, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing and Cost Management User Guide* .", + "markdownDescription": "Adds, edits, or deletes tags for a health check or a hosted zone.\n\nFor information about using tags for cost allocation, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *Billing and Cost Management User Guide* .", "title": "HostedZoneTags", "type": "array" }, @@ -243403,7 +243409,7 @@ }, "ChatChannel": { "$ref": "#/definitions/AWS::SSMIncidents::ResponsePlan.ChatChannel", - "markdownDescription": "The AWS Chatbot chat channel used for collaboration during an incident.", + "markdownDescription": "The chat channel used for collaboration during an incident.", "title": "ChatChannel" }, "DisplayName": { @@ -243491,7 +243497,7 @@ "items": { "type": "string" }, - "markdownDescription": "The Amazon SNS targets that AWS Chatbot uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel by using the Amazon SNS topics", + "markdownDescription": "The Amazon SNS targets that uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel by using the Amazon SNS topics", "title": "ChatbotSns", "type": "array" } 
@@ -243554,7 +243560,7 @@ "items": { "$ref": "#/definitions/AWS::SSMIncidents::ResponsePlan.NotificationTargetItem" }, - "markdownDescription": "The Amazon Simple Notification Service ( Amazon SNS ) targets that AWS Chatbot uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel using the Amazon SNS topics.", + "markdownDescription": "The Amazon Simple Notification Service ( Amazon SNS ) targets that uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel using the Amazon SNS topics.", "title": "NotificationTargets", "type": "array" }, @@ -257014,7 +257020,7 @@ "type": "number" }, "StorageClass": { - "markdownDescription": "The list of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. The default storage class is S3 Standard.", + "markdownDescription": "The list of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. The default storage class is *S3 Standard* . For information about other storage classes, see [Setting the storage class of an object](https://docs.aws.amazon.com/AmazonS3/latest/userguide/sc-howtoset.html) in the *Amazon S3 User Guide* .", "title": "StorageClass", "type": "string" } 
@@ -268111,7 +268117,7 @@ "type": "array" }, "Scope": { - "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", + "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "title": "Scope", "type": "string" }, 
@@ -268237,7 +268243,7 @@ "type": "array" }, "Scope": { - "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", + "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "title": "Scope", "type": "string" }, 
@@ -268326,7 +268332,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -268574,7 +268580,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { 
@@ -268594,7 +268600,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { 
@@ -268809,7 +268815,7 @@ "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -269586,7 +269592,7 @@ "type": "array" }, "Scope": { - "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", + "markdownDescription": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", "title": "Scope", "type": "string" }, 
@@ -269784,7 +269790,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -270076,7 +270082,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { 
@@ -270096,7 +270102,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::WebACL.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { 
@@ -270311,7 +270317,7 @@ "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect.\n\nAWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. 
When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.\n\n- For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).\n- For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL `AssociationConfig` , for additional processing fees.\n- For AWS Amplify , use the CloudFront limit.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } 
@@ -271431,7 +271437,7 @@ "additionalProperties": false, "properties": { "ResourceArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the resource to associate with the web ACL.\n\nThe ARN must be in one of the following formats:\n\n- For an Application Load Balancer: `arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`\n- For an Amazon API Gateway REST API: `arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`\n- For an AWS AppSync GraphQL API: `arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*`\n- For an Amazon Cognito user pool: `arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`\n- For an AWS App Runner service: `arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*`\n- For an AWS Verified Access instance: `arn: *partition* :ec2: *region* : *account-id* :verified-access-instance/ *instance-id*`", + "markdownDescription": "The Amazon Resource Name (ARN) of the resource to associate with the web ACL.\n\nThe ARN must be in one of the following formats:\n\n- For an Application Load Balancer: `arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`\n- For an Amazon API Gateway REST API: `arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`\n- For an AWS AppSync GraphQL API: `arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*`\n- For an Amazon Cognito user pool: `arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`\n- For an AWS App Runner service: `arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*`\n- For an AWS Verified Access instance: `arn: *partition* :ec2: *region* : *account-id* :verified-access-instance/ 
*instance-id*`\n- For an AWS Amplify instance: `arn: *partition* :amplify: *region* : *account-id* :apps/ *app-id*`", "title": "ResourceArn", "type": "string" }, diff --git a/schema_source/sam.schema.json b/schema_source/sam.schema.json index 4a5dbf6e0..ef135734b 100644 --- a/schema_source/sam.schema.json +++ b/schema_source/sam.schema.json @@ -1,6 +1,19 @@ { "$schema": "http://json-schema.org/draft-04/schema#", "definitions": { + "AccessAssociation": { + "additionalProperties": false, + "properties": { + "VpcEndpointId": { + "$ref": "#/definitions/PassThroughProp" + } + }, + "required": [ + "VpcEndpointId" + ], + "title": "AccessAssociation", + "type": "object" + }, "AlexaSkillEvent": { "additionalProperties": false, "properties": { @@ -3573,6 +3586,9 @@ "samtranslator__internal__schema_source__aws_serverless_api__Domain": { "additionalProperties": false, "properties": { + "AccessAssociation": { + "$ref": "#/definitions/AccessAssociation" + }, "BasePath": { "allOf": [ { @@ -4292,6 +4308,9 @@ "markdownDescription": "Version of OpenApi to use\\. This can either be `2.0` for the Swagger specification, or one of the OpenApi 3\\.0 versions, like `3.0.1`\\. For more information about OpenAPI, see the [OpenAPI Specification](https://swagger.io/specification/)\\. \n AWS SAM creates a stage called `Stage` by default\\. Setting this property to any valid value will prevent the creation of the stage `Stage`\\. \n*Type*: String \n*Required*: No \n*AWS CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent\\.", "title": "OpenApiVersion" }, + "Policy": { + "$ref": "#/definitions/PassThroughProp" + }, "PropagateTags": { "title": "Propagatetags", "type": "boolean" 
@@ -4672,6 +4691,12 @@ }, "SetIdentifier": { "$ref": "#/definitions/PassThroughProp" + }, + "VpcEndpointDomainName": { + "$ref": "#/definitions/PassThroughProp" + }, + "VpcEndpointHostedZoneId": { + "$ref": "#/definitions/PassThroughProp" + } }, "title": "Route53",
diff --git a/tests/translator/input/api_custom_domain_private_endpoint_base.yaml b/tests/translator/input/api_custom_domain_private_endpoint_base.yaml
new file mode 100644
index 000000000..ebcd9e3f7
--- /dev/null
+++ b/tests/translator/input/api_custom_domain_private_endpoint_base.yaml
@@ -0,0 +1,64 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Sample SAM Template for a simple serverless application
+
+Parameters:
+ DomainName:
+ Type: String
+ Default: sam.apigateway.com
+ CertificateArn:
+ Type: String
+ Default: arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba
+ HostedZoneId:
+ Type: String
+ Default: Z012334
+ VpcEndpointId:
+ Type: String
+ Default: vpce-123123123123123
+
+Resources:
+ MyApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
+ OpenApiVersion: 3.0.1
+ StageName: Prod
+ EndpointConfiguration:
+ Type: PRIVATE
+ VPCEndpointIds:
+ - !Ref VpcEndpointId
+
+ Domain:
+ DomainName: !Ref DomainName
+ CertificateArn: !Ref CertificateArn
+ EndpointConfiguration: PRIVATE
+ BasePath:
+ - /
+ - /get
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
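Review bot: The `Domain.Policy` Deny in this fixture is keyed on `aws:SourceVpce: !Ref VpcEndpointId`, but the expected output for it (`tests/translator/output/api_custom_domain_private_endpoint_base.json`) carries the literal `"vpce-123123123123123"` in the `AWS::ApiGateway::DomainNameV2` policy, while the `AWS::ApiGateway::RestApi` policy keeps `{"Ref": "VpcEndpointId"}`. As far as these fixtures show, only the parameter default is ever exercised, so nothing demonstrates that the domain's Deny condition follows a supplied endpoint id and not the template default. I would add a case that runs with a non-default `VpcEndpointId`, and a comment above `Domain:` along the lines of `# Refs under Domain appear in the expected output as parameter values, not as Ref` so the asymmetry between the two policies is not read as an accident.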
diff --git a/tests/translator/input/api_custom_domain_private_endpoint_full.yaml b/tests/translator/input/api_custom_domain_private_endpoint_full.yaml
new file mode 100644
index 000000000..037714d33
--- /dev/null
+++ b/tests/translator/input/api_custom_domain_private_endpoint_full.yaml
@@ -0,0 +1,70 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Sample SAM Template for a simple serverless application
+
+Parameters:
+ DomainName:
+ Type: String
+ Default: sam.apigateway.com
+ CertificateArn:
+ Type: String
+ Default: arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba
+ HostedZoneId:
+ Type: String
+ Default: Z012334
+ VpcEndpointId:
+ Type: String
+ Default: vpce-123123123123123
+
+
+Resources:
+ MyApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
+ OpenApiVersion: 3.0.1
+ StageName: Prod
+ EndpointConfiguration:
+ Type: PRIVATE
+ VPCEndpointIds:
+ - !Ref VpcEndpointId
+
+ Domain:
+ DomainName: !Ref DomainName
+ CertificateArn: !Ref CertificateArn
+ EndpointConfiguration: PRIVATE
+ BasePath:
+ - /get
+ Route53:
+ HostedZoneId: HostedZoneId
+ VpcEndpointDomainName: VPCEndpointDomainName
+ VpcEndpointHostedZoneId: VPCEndpointHostedZoneId
+ AccessAssociation:
+ VpcEndpointId: !Ref VpcEndpointId
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
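Review bot: `Route53.HostedZoneId: HostedZoneId` passes the bare string, not the `HostedZoneId` parameter declared above, so that parameter (default `Z012334`) is never used and the expected output ends up with `"HostedZoneId": "HostedZoneId"`. `VpcEndpointDomainName` and `VpcEndpointHostedZoneId` are placeholder strings in the same way, so the emitted alias target is never checked against realistic values. The same lines appear in the `_route53`, `_route53_ipv6` and `_without_policy` fixtures, and the `_route53_hostedzonename` fixture also leaves the parameter unused. If the literal is intended, drop the unused parameter; otherwise write `HostedZoneId: !Ref HostedZoneId` and regenerate the expected outputs.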
diff --git a/tests/translator/input/api_custom_domain_private_endpoint_route53.yaml b/tests/translator/input/api_custom_domain_private_endpoint_route53.yaml
new file mode 100644
index 000000000..075e6f157
--- /dev/null
+++ b/tests/translator/input/api_custom_domain_private_endpoint_route53.yaml
@@ -0,0 +1,67 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Sample SAM Template for a simple serverless application
+
+Parameters:
+ DomainName:
+ Type: String
+ Default: sam.apigateway.com
+ CertificateArn:
+ Type: String
+ Default: arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba
+ HostedZoneId:
+ Type: String
+ Default: Z012334
+ VpcEndpointId:
+ Type: String
+ Default: vpce-123123123123123
+
+Resources:
+ MyApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
+ OpenApiVersion: 3.0.1
+ StageName: Prod
+ EndpointConfiguration:
+ Type: PRIVATE
+ VPCEndpointIds:
+ - !Ref VpcEndpointId
+
+ Domain:
+ DomainName: !Ref DomainName
+ CertificateArn: !Ref CertificateArn
+ EndpointConfiguration: PRIVATE
+ BasePath:
+ - /get
+ Route53:
+ HostedZoneId: HostedZoneId
+ VpcEndpointDomainName: VPCEndpointDomainName
+ VpcEndpointHostedZoneId: VPCEndpointHostedZoneId
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
diff --git a/tests/translator/input/api_custom_domain_private_endpoint_route53_hostedzonename.yaml b/tests/translator/input/api_custom_domain_private_endpoint_route53_hostedzonename.yaml
new file mode 100644
index 000000000..63a21b61b
--- /dev/null
+++ b/tests/translator/input/api_custom_domain_private_endpoint_route53_hostedzonename.yaml
@@ -0,0 +1,67 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Sample SAM Template for a simple serverless application
+
+Parameters:
+ DomainName:
+ Type: String
+ Default: sam.apigateway.com
+ CertificateArn:
+ Type: String
+ Default: arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba
+ HostedZoneId:
+ Type: String
+ Default: Z012334
+ VpcEndpointId:
+ Type: String
+ Default: vpce-123123123123123
+
+Resources:
+ MyApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
+ OpenApiVersion: 3.0.1
+ StageName: Prod
+ EndpointConfiguration:
+ Type: PRIVATE
+ VPCEndpointIds:
+ - !Ref VpcEndpointId
+
+ Domain:
+ DomainName: !Ref DomainName
+ CertificateArn: !Ref CertificateArn
+ EndpointConfiguration: PRIVATE
+ BasePath:
+ - /get
+ Route53:
+ HostedZoneName: www.my-domain.com.
+ VpcEndpointDomainName: VPCEndpointDomainName
+ VpcEndpointHostedZoneId: VPCEndpointHostedZoneId
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
diff --git a/tests/translator/input/api_custom_domain_private_endpoint_route53_ipv6.yaml b/tests/translator/input/api_custom_domain_private_endpoint_route53_ipv6.yaml
new file mode 100644
index 000000000..fae9d746f
--- /dev/null
+++ b/tests/translator/input/api_custom_domain_private_endpoint_route53_ipv6.yaml
@@ -0,0 +1,68 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Sample SAM Template for a simple serverless application
+
+Parameters:
+ DomainName:
+ Type: String
+ Default: sam.apigateway.com
+ CertificateArn:
+ Type: String
+ Default: arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba
+ HostedZoneId:
+ Type: String
+ Default: Z012334
+ VpcEndpointId:
+ Type: String
+ Default: vpce-123123123123123
+
+Resources:
+ MyApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
+ OpenApiVersion: 3.0.1
+ StageName: Prod
+ EndpointConfiguration:
+ Type: PRIVATE
+ VPCEndpointIds:
+ - !Ref VpcEndpointId
+
+ Domain:
+ DomainName: !Ref DomainName
+ CertificateArn: !Ref CertificateArn
+ EndpointConfiguration: PRIVATE
+ BasePath:
+ - /get
+ Route53:
+ HostedZoneId: HostedZoneId
+ VpcEndpointDomainName: VPCEndpointDomainName
+ VpcEndpointHostedZoneId: VPCEndpointHostedZoneId
+ IpV6: true
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
diff --git a/tests/translator/input/api_custom_domain_private_endpoint_without_policy.yaml b/tests/translator/input/api_custom_domain_private_endpoint_without_policy.yaml
new file mode 100644
index 000000000..0d92422b1
--- /dev/null
+++ b/tests/translator/input/api_custom_domain_private_endpoint_without_policy.yaml
@@ -0,0 +1,54 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Sample SAM Template for a simple serverless application
+
+Parameters:
+ DomainName:
+ Type: String
+ Default: sam.apigateway.com
+ CertificateArn:
+ Type: String
+ Default: arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba
+ HostedZoneId:
+ Type: String
+ Default: Z012334
+ VpcEndpointId:
+ Type: String
+ Default: vpce-123123123123123
+
+Resources:
+ MyApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ - Effect: Deny
+ Principal: '*'
+ Action: execute-api:Invoke
+ Resource: execute-api:/*
+ Condition:
+ StringNotEquals:
+ aws:SourceVpce: !Ref VpcEndpointId
+ OpenApiVersion: 3.0.1
+ StageName: Prod
+ EndpointConfiguration:
+ Type: PRIVATE
+ VPCEndpointIds:
+ - !Ref VpcEndpointId
+
+ Domain:
+ DomainName: !Ref DomainName
+ CertificateArn: !Ref CertificateArn
+ EndpointConfiguration: PRIVATE
+ BasePath:
+ - /get
+ Route53:
+ HostedZoneId: HostedZoneId
+ VpcEndpointDomainName: VPCEndpointDomainName
+ VpcEndpointHostedZoneId: VPCEndpointHostedZoneId
+ IpV6: true
diff --git a/tests/translator/output/api_custom_domain_private_endpoint_base.json b/tests/translator/output/api_custom_domain_private_endpoint_base.json
new file mode 100644
index 000000000..06fa4317e
--- /dev/null
+++ b/tests/translator/output/api_custom_domain_private_endpoint_base.json
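Review bot: The `_without_policy` fixture is named for the missing `Domain.Policy`, yet it also sets `IpV6: true` under `Route53`, so it repeats the `_route53_ipv6` case and a failure here does not say which property caused it. Dropping `IpV6: true` would isolate the no-policy path. The expected output emits `AWS::ApiGateway::DomainNameV2` with no `Policy` key at all, and nothing on the page says what access applies to a private domain in that state. A comment above `Domain:` such as `# No Domain.Policy on purpose: the private domain is emitted without a resource policy` would record that this outcome is intended and point reviewers at the access question.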
@@ -0,0 +1,161 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiBasePathMapping": { + "Properties": { + "BasePath": "", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "MyApiDeploymentcb24a23e08": { + "Properties": { + "Description": "RestApi deployment id: cb24a23e08ea7c0680d705fb0db3b7b6a1b82c12", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeploymentcb24a23e08" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + } + } +} diff --git a/tests/translator/output/api_custom_domain_private_endpoint_full.json b/tests/translator/output/api_custom_domain_private_endpoint_full.json new file mode 100644 index 000000000..7cc8c50f6 --- /dev/null +++ b/tests/translator/output/api_custom_domain_private_endpoint_full.json 
@@ -0,0 +1,172 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "DomainNameAccessAssociation73b399e17c": { + "Properties": { + "AccessAssociationSource": "vpce-123123123123123", + "AccessAssociationSourceType": "VPCE", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + } + }, + "Type": "AWS::ApiGateway::DomainNameAccessAssociation" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + 
"Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeployment831bb29f90": { + "Properties": { + "Description": "RestApi deployment id: 831bb29f90ba78e5cb705db850981137f44f2af6", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeployment831bb29f90" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/api_custom_domain_private_endpoint_route53.json b/tests/translator/output/api_custom_domain_private_endpoint_route53.json new file mode 100644 index 000000000..e4a6a3c93 --- /dev/null +++ b/tests/translator/output/api_custom_domain_private_endpoint_route53.json 
@@ -0,0 +1,162 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeployment7fb7fb7562": { + "Properties": { + "Description": "RestApi deployment id: 7fb7fb756279bc39cce853ffcc3a97ad86d477d5", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeployment7fb7fb7562" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/api_custom_domain_private_endpoint_route53_hostedzonename.json b/tests/translator/output/api_custom_domain_private_endpoint_route53_hostedzonename.json new file mode 100644 index 000000000..dfa63ae28 --- /dev/null +++ b/tests/translator/output/api_custom_domain_private_endpoint_route53_hostedzonename.json 
@@ -0,0 +1,162 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeploymentd5e9004dee": { + "Properties": { + "Description": "RestApi deployment id: d5e9004dee57490c19220f944a5f0a204c041c13", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeploymentd5e9004dee" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup456ebaf280": { + "Properties": { + "HostedZoneName": "www.my-domain.com.", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/api_custom_domain_private_endpoint_route53_ipv6.json b/tests/translator/output/api_custom_domain_private_endpoint_route53_ipv6.json new file mode 100644 index 000000000..57533697e --- /dev/null +++ b/tests/translator/output/api_custom_domain_private_endpoint_route53_ipv6.json 
@@ -0,0 +1,170 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeployment3693c4e775": { + "Properties": { + "Description": "RestApi deployment id: 3693c4e775ecebd2f6db26dea5689d6f8ace2ed6", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeployment3693c4e775" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + }, + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "AAAA" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/api_custom_domain_private_endpoint_without_policy.json b/tests/translator/output/api_custom_domain_private_endpoint_without_policy.json new file mode 100644 index 000000000..2cc0a041d --- /dev/null +++ b/tests/translator/output/api_custom_domain_private_endpoint_without_policy.json 
@@ -0,0 +1,148 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeploymentdbd67416a9": { + "Properties": { + "Description": "RestApi deployment id: dbd67416a94d411fe2930d26ea838f562f2b45fd", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeploymentdbd67416a9" + }, + 
"RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + }, + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "AAAA" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_base.json b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_base.json new file mode 100644 index 000000000..06fa4317e --- /dev/null +++ b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_base.json 
@@ -0,0 +1,161 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiBasePathMapping": { + "Properties": { + "BasePath": "", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "MyApiDeploymentcb24a23e08": { + "Properties": { + "Description": "RestApi deployment id: cb24a23e08ea7c0680d705fb0db3b7b6a1b82c12", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeploymentcb24a23e08" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + } + } +} diff --git a/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_full.json b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_full.json new file mode 100644 index 000000000..7cc8c50f6 --- /dev/null +++ b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_full.json 
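Review bot: The two resource policies in this fixture identify the same VPC endpoint in different ways: the domain's `Policy` compares `aws:SourceVpce` with the literal `vpce-123123123123123`, while the policy on `MyApi` uses `{"Ref": "VpcEndpointId"}`. They agree only through the parameter's default, so a stack created with a different `VpcEndpointId` would have the API policy follow the new endpoint while the domain policy keeps denying every endpoint except the old one. If the input template (not in this view) can take a reference there, the expected line would become `"aws:SourceVpce": {"Ref": "VpcEndpointId"}`, which would also cover intrinsic pass-through in the domain policy. The same pairing is in the `full`, `route53`, `route53_hostedzonename` and `route53_ipv6` fixtures and in the aws-us-gov copies below, and `full` hard-codes `AccessAssociationSource` the same way.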
@@ -0,0 +1,172 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "DomainNameAccessAssociation73b399e17c": { + "Properties": { + "AccessAssociationSource": "vpce-123123123123123", + "AccessAssociationSourceType": "VPCE", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + } + }, + "Type": "AWS::ApiGateway::DomainNameAccessAssociation" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + 
"Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeployment831bb29f90": { + "Properties": { + "Description": "RestApi deployment id: 831bb29f90ba78e5cb705db850981137f44f2af6", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeployment831bb29f90" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53.json b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53.json new file mode 100644 index 000000000..e4a6a3c93 --- /dev/null +++ b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53.json 
@@ -0,0 +1,162 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeployment7fb7fb7562": { + "Properties": { + "Description": "RestApi deployment id: 7fb7fb756279bc39cce853ffcc3a97ad86d477d5", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeployment7fb7fb7562" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53_hostedzonename.json b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53_hostedzonename.json new file mode 100644 index 000000000..dfa63ae28 --- /dev/null +++ b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53_hostedzonename.json 
@@ -0,0 +1,162 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeploymentd5e9004dee": { + "Properties": { + "Description": "RestApi deployment id: d5e9004dee57490c19220f944a5f0a204c041c13", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeploymentd5e9004dee" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup456ebaf280": { + "Properties": { + "HostedZoneName": "www.my-domain.com.", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53_ipv6.json b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53_ipv6.json new file mode 100644 index 000000000..57533697e --- /dev/null +++ b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_route53_ipv6.json 
@@ -0,0 +1,170 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeployment3693c4e775": { + "Properties": { + "Description": "RestApi deployment id: 3693c4e775ecebd2f6db26dea5689d6f8ace2ed6", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeployment3693c4e775" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + }, + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "AAAA" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_without_policy.json b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_without_policy.json new file mode 100644 index 000000000..2cc0a041d --- /dev/null +++ b/tests/translator/output/aws-cn/api_custom_domain_private_endpoint_without_policy.json 
@@ -0,0 +1,148 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeploymentdbd67416a9": { + "Properties": { + "Description": "RestApi deployment id: dbd67416a94d411fe2930d26ea838f562f2b45fd", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeploymentdbd67416a9" + }, + 
"RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + }, + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "AAAA" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_base.json b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_base.json new file mode 100644 index 000000000..06fa4317e --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_base.json 
@@ -0,0 +1,161 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiBasePathMapping": { + "Properties": { + "BasePath": "", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "MyApiDeploymentcb24a23e08": { + "Properties": { + "Description": "RestApi deployment id: cb24a23e08ea7c0680d705fb0db3b7b6a1b82c12", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeploymentcb24a23e08" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + } + } +} diff --git a/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_full.json b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_full.json new file mode 100644 index 000000000..7cc8c50f6 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_full.json 
@@ -0,0 +1,172 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "DomainNameAccessAssociation73b399e17c": { + "Properties": { + "AccessAssociationSource": "vpce-123123123123123", + "AccessAssociationSourceType": "VPCE", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + } + }, + "Type": "AWS::ApiGateway::DomainNameAccessAssociation" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + 
"Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeployment831bb29f90": { + "Properties": { + "Description": "RestApi deployment id: 831bb29f90ba78e5cb705db850981137f44f2af6", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeployment831bb29f90" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53.json b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53.json new file mode 100644 index 000000000..e4a6a3c93 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53.json 
@@ -0,0 +1,162 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Sample SAM Template for a simple serverless application", + "Parameters": { + "CertificateArn": { + "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "Type": "String" + }, + "DomainName": { + "Default": "sam.apigateway.com", + "Type": "String" + }, + "HostedZoneId": { + "Default": "Z012334", + "Type": "String" + }, + "VpcEndpointId": { + "Default": "vpce-123123123123123", + "Type": "String" + } + }, + "Resources": { + "ApiGatewayDomainNameV2f6d6317296": { + "Properties": { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba", + "DomainName": "sam.apigateway.com", + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-123123123123123" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" + } + }, + "Type": "AWS::ApiGateway::DomainNameV2" + }, + "MyApi": { + "Properties": { + "Body": { + "info": { + "title": { + "Ref": "AWS::StackName" + }, + "version": "1.0" + }, + "openapi": "3.0.1", + "paths": {} + }, + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ], + "VpcEndpointIds": [ + { + "Ref": "VpcEndpointId" + } + ] + }, + "Parameters": { + "endpointConfigurationTypes": "PRIVATE" + }, + "Policy": { + "Statement": [ + { + "Action": "execute-api:Invoke", + "Effect": "Allow", + "Principal": "*", + "Resource": "execute-api:/*" + }, + { + "Action": "execute-api:Invoke", + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": { + "Ref": "VpcEndpointId" + } + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": "execute-api:/*" + } + ], + "Version": "2012-10-17" 
+ } + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "MyApiDeployment7fb7fb7562": { + "Properties": { + "Description": "RestApi deployment id: 7fb7fb756279bc39cce853ffcc3a97ad86d477d5", + "RestApiId": { + "Ref": "MyApi" + } + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "MyApiProdStage": { + "Properties": { + "DeploymentId": { + "Ref": "MyApiDeployment7fb7fb7562" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Stage" + }, + "MyApigetBasePathMapping": { + "Properties": { + "BasePath": "get", + "DomainNameArn": { + "Ref": "ApiGatewayDomainNameV2f6d6317296" + }, + "RestApiId": { + "Ref": "MyApi" + }, + "Stage": { + "Ref": "MyApiProdStage" + } + }, + "Type": "AWS::ApiGateway::BasePathMappingV2" + }, + "RecordSetGroup486a9be065": { + "Properties": { + "HostedZoneId": "HostedZoneId", + "RecordSets": [ + { + "AliasTarget": { + "DNSName": "VPCEndpointDomainName", + "HostedZoneId": "VPCEndpointHostedZoneId" + }, + "Name": "sam.apigateway.com", + "Type": "A" + } + ] + }, + "Type": "AWS::Route53::RecordSetGroup" + } + } +} diff --git a/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53_hostedzonename.json b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53_hostedzonename.json new file mode 100644 index 000000000..dfa63ae28 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53_hostedzonename.json 
@@ -0,0 +1,162 @@
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Sample SAM Template for a simple serverless application",
+ "Parameters": {
+ "CertificateArn": {
+ "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba",
+ "Type": "String"
+ },
+ "DomainName": {
+ "Default": "sam.apigateway.com",
+ "Type": "String"
+ },
+ "HostedZoneId": {
+ "Default": "Z012334",
+ "Type": "String"
+ },
+ "VpcEndpointId": {
+ "Default": "vpce-123123123123123",
+ "Type": "String"
+ }
+ },
+ "Resources": {
+ "ApiGatewayDomainNameV2f6d6317296": {
+ "Properties": {
+ "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba",
+ "DomainName": "sam.apigateway.com",
+ "EndpointConfiguration": {
+ "Types": [
+ "PRIVATE"
+ ]
+ },
+ "Policy": {
+ "Statement": [
+ {
+ "Action": "execute-api:Invoke",
+ "Effect": "Allow",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ },
+ {
+ "Action": "execute-api:Invoke",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:SourceVpce": "vpce-123123123123123"
+ }
+ },
+ "Effect": "Deny",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ }
+ ],
+ "Version": "2012-10-17"
+ }
+ },
+ "Type": "AWS::ApiGateway::DomainNameV2"
+ },
+ "MyApi": {
+ "Properties": {
+ "Body": {
+ "info": {
+ "title": {
+ "Ref": "AWS::StackName"
+ },
+ "version": "1.0"
+ },
+ "openapi": "3.0.1",
+ "paths": {}
+ },
+ "EndpointConfiguration": {
+ "Types": [
+ "PRIVATE"
+ ],
+ "VpcEndpointIds": [
+ {
+ "Ref": "VpcEndpointId"
+ }
+ ]
+ },
+ "Parameters": {
+ "endpointConfigurationTypes": "PRIVATE"
+ },
+ "Policy": {
+ "Statement": [
+ {
+ "Action": "execute-api:Invoke",
+ "Effect": "Allow",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ },
+ {
+ "Action": "execute-api:Invoke",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:SourceVpce": {
+ "Ref": "VpcEndpointId"
+ }
+ }
+ },
+ "Effect": "Deny",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ }
+ ],
+ "Version": "2012-10-17"
+ }
+ },
+ "Type": "AWS::ApiGateway::RestApi"
+ },
+ "MyApiDeploymentd5e9004dee": {
+ "Properties": {
+ "Description": "RestApi deployment id: d5e9004dee57490c19220f944a5f0a204c041c13",
+ "RestApiId": {
+ "Ref": "MyApi"
+ }
+ },
+ "Type": "AWS::ApiGateway::Deployment"
+ },
+ "MyApiProdStage": {
+ "Properties": {
+ "DeploymentId": {
+ "Ref": "MyApiDeploymentd5e9004dee"
+ },
+ "RestApiId": {
+ "Ref": "MyApi"
+ },
+ "StageName": "Prod"
+ },
+ "Type": "AWS::ApiGateway::Stage"
+ },
+ "MyApigetBasePathMapping": {
+ "Properties": {
+ "BasePath": "get",
+ "DomainNameArn": {
+ "Ref": "ApiGatewayDomainNameV2f6d6317296"
+ },
+ "RestApiId": {
+ "Ref": "MyApi"
+ },
+ "Stage": {
+ "Ref": "MyApiProdStage"
+ }
+ },
+ "Type": "AWS::ApiGateway::BasePathMappingV2"
+ },
+ "RecordSetGroup456ebaf280": {
+ "Properties": {
+ "HostedZoneName": "www.my-domain.com.",
+ "RecordSets": [
+ {
+ "AliasTarget": {
+ "DNSName": "VPCEndpointDomainName",
+ "HostedZoneId": "VPCEndpointHostedZoneId"
+ },
+ "Name": "sam.apigateway.com",
+ "Type": "A"
+ }
+ ]
+ },
+ "Type": "AWS::Route53::RecordSetGroup"
+ }
+ }
+}
diff --git a/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53_ipv6.json b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53_ipv6.json
new file mode 100644
index 000000000..57533697e
--- /dev/null
+++ b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_route53_ipv6.json
@@ -0,0 +1,170 @@
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Sample SAM Template for a simple serverless application",
+ "Parameters": {
+ "CertificateArn": {
+ "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba",
+ "Type": "String"
+ },
+ "DomainName": {
+ "Default": "sam.apigateway.com",
+ "Type": "String"
+ },
+ "HostedZoneId": {
+ "Default": "Z012334",
+ "Type": "String"
+ },
+ "VpcEndpointId": {
+ "Default": "vpce-123123123123123",
+ "Type": "String"
+ }
+ },
+ "Resources": {
+ "ApiGatewayDomainNameV2f6d6317296": {
+ "Properties": {
+ "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba",
+ "DomainName": "sam.apigateway.com",
+ "EndpointConfiguration": {
+ "Types": [
+ "PRIVATE"
+ ]
+ },
+ "Policy": {
+ "Statement": [
+ {
+ "Action": "execute-api:Invoke",
+ "Effect": "Allow",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ },
+ {
+ "Action": "execute-api:Invoke",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:SourceVpce": "vpce-123123123123123"
+ }
+ },
+ "Effect": "Deny",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ }
+ ],
+ "Version": "2012-10-17"
+ }
+ },
+ "Type": "AWS::ApiGateway::DomainNameV2"
+ },
+ "MyApi": {
+ "Properties": {
+ "Body": {
+ "info": {
+ "title": {
+ "Ref": "AWS::StackName"
+ },
+ "version": "1.0"
+ },
+ "openapi": "3.0.1",
+ "paths": {}
+ },
+ "EndpointConfiguration": {
+ "Types": [
+ "PRIVATE"
+ ],
+ "VpcEndpointIds": [
+ {
+ "Ref": "VpcEndpointId"
+ }
+ ]
+ },
+ "Parameters": {
+ "endpointConfigurationTypes": "PRIVATE"
+ },
+ "Policy": {
+ "Statement": [
+ {
+ "Action": "execute-api:Invoke",
+ "Effect": "Allow",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ },
+ {
+ "Action": "execute-api:Invoke",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:SourceVpce": {
+ "Ref": "VpcEndpointId"
+ }
+ }
+ },
+ "Effect": "Deny",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ }
+ ],
+ "Version": "2012-10-17"
+ }
+ },
+ "Type": "AWS::ApiGateway::RestApi"
+ },
+ "MyApiDeployment3693c4e775": {
+ "Properties": {
+ "Description": "RestApi deployment id: 3693c4e775ecebd2f6db26dea5689d6f8ace2ed6",
+ "RestApiId": {
+ "Ref": "MyApi"
+ }
+ },
+ "Type": "AWS::ApiGateway::Deployment"
+ },
+ "MyApiProdStage": {
+ "Properties": {
+ "DeploymentId": {
+ "Ref": "MyApiDeployment3693c4e775"
+ },
+ "RestApiId": {
+ "Ref": "MyApi"
+ },
+ "StageName": "Prod"
+ },
+ "Type": "AWS::ApiGateway::Stage"
+ },
+ "MyApigetBasePathMapping": {
+ "Properties": {
+ "BasePath": "get",
+ "DomainNameArn": {
+ "Ref": "ApiGatewayDomainNameV2f6d6317296"
+ },
+ "RestApiId": {
+ "Ref": "MyApi"
+ },
+ "Stage": {
+ "Ref": "MyApiProdStage"
+ }
+ },
+ "Type": "AWS::ApiGateway::BasePathMappingV2"
+ },
+ "RecordSetGroup486a9be065": {
+ "Properties": {
+ "HostedZoneId": "HostedZoneId",
+ "RecordSets": [
+ {
+ "AliasTarget": {
+ "DNSName": "VPCEndpointDomainName",
+ "HostedZoneId": "VPCEndpointHostedZoneId"
+ },
+ "Name": "sam.apigateway.com",
+ "Type": "A"
+ },
+ {
+ "AliasTarget": {
+ "DNSName": "VPCEndpointDomainName",
+ "HostedZoneId": "VPCEndpointHostedZoneId"
+ },
+ "Name": "sam.apigateway.com",
+ "Type": "AAAA"
+ }
+ ]
+ },
+ "Type": "AWS::Route53::RecordSetGroup"
+ }
+ }
+}
diff --git a/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_without_policy.json b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_without_policy.json
new file mode 100644
index 000000000..2cc0a041d
--- /dev/null
+++ b/tests/translator/output/aws-us-gov/api_custom_domain_private_endpoint_without_policy.json
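Review bot: `RecordSetGroup486a9be065` in `api_custom_domain_private_endpoint_route53_ipv6.json` expects `"HostedZoneId": "HostedZoneId"`, a literal string equal to the name of the declared `HostedZoneId` parameter (default `Z012334`), which this expected output never references. That looks like a missing reference in the input template rather than an intended value; if so, the input should use a `Ref` so that this line becomes `"HostedZoneId": {"Ref": "HostedZoneId"}`. The same literal appears in the first hunk of this chunk and in `api_custom_domain_private_endpoint_without_policy.json`. All four fixtures also use the placeholder strings `VPCEndpointDomainName` and `VPCEndpointHostedZoneId` for the alias target, so none of them checks that a real value or an intrinsic reaches the Route 53 record unchanged.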
@@ -0,0 +1,148 @@
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Sample SAM Template for a simple serverless application",
+ "Parameters": {
+ "CertificateArn": {
+ "Default": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba",
+ "Type": "String"
+ },
+ "DomainName": {
+ "Default": "sam.apigateway.com",
+ "Type": "String"
+ },
+ "HostedZoneId": {
+ "Default": "Z012334",
+ "Type": "String"
+ },
+ "VpcEndpointId": {
+ "Default": "vpce-123123123123123",
+ "Type": "String"
+ }
+ },
+ "Resources": {
+ "ApiGatewayDomainNameV2f6d6317296": {
+ "Properties": {
+ "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/4ba8fce1-abcd-4717-9c34-11bfd24372ba",
+ "DomainName": "sam.apigateway.com",
+ "EndpointConfiguration": {
+ "Types": [
+ "PRIVATE"
+ ]
+ }
+ },
+ "Type": "AWS::ApiGateway::DomainNameV2"
+ },
+ "MyApi": {
+ "Properties": {
+ "Body": {
+ "info": {
+ "title": {
+ "Ref": "AWS::StackName"
+ },
+ "version": "1.0"
+ },
+ "openapi": "3.0.1",
+ "paths": {}
+ },
+ "EndpointConfiguration": {
+ "Types": [
+ "PRIVATE"
+ ],
+ "VpcEndpointIds": [
+ {
+ "Ref": "VpcEndpointId"
+ }
+ ]
+ },
+ "Parameters": {
+ "endpointConfigurationTypes": "PRIVATE"
+ },
+ "Policy": {
+ "Statement": [
+ {
+ "Action": "execute-api:Invoke",
+ "Effect": "Allow",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ },
+ {
+ "Action": "execute-api:Invoke",
+ "Condition": {
+ "StringNotEquals": {
+ "aws:SourceVpce": {
+ "Ref": "VpcEndpointId"
+ }
+ }
+ },
+ "Effect": "Deny",
+ "Principal": "*",
+ "Resource": "execute-api:/*"
+ }
+ ],
+ "Version": "2012-10-17"
+ }
+ },
+ "Type": "AWS::ApiGateway::RestApi"
+ },
+ "MyApiDeploymentdbd67416a9": {
+ "Properties": {
+ "Description": "RestApi deployment id: dbd67416a94d411fe2930d26ea838f562f2b45fd",
+ "RestApiId": {
+ "Ref": "MyApi"
+ }
+ },
+ "Type": "AWS::ApiGateway::Deployment"
+ },
+ "MyApiProdStage": {
+ "Properties": {
+ "DeploymentId": {
+ "Ref": "MyApiDeploymentdbd67416a9"
+ },
+ "RestApiId": {
+ "Ref": "MyApi"
+ },
+ "StageName": "Prod"
+ },
+ "Type": "AWS::ApiGateway::Stage"
+ },
+ "MyApigetBasePathMapping": {
+ "Properties": {
+ "BasePath": "get",
+ "DomainNameArn": {
+ "Ref": "ApiGatewayDomainNameV2f6d6317296"
+ },
+ "RestApiId": {
+ "Ref": "MyApi"
+ },
+ "Stage": {
+ "Ref": "MyApiProdStage"
+ }
+ },
+ "Type": "AWS::ApiGateway::BasePathMappingV2"
+ },
+ "RecordSetGroup486a9be065": {
+ "Properties": {
+ "HostedZoneId": "HostedZoneId",
+ "RecordSets": [
+ {
+ "AliasTarget": {
+ "DNSName": "VPCEndpointDomainName",
+ "HostedZoneId": "VPCEndpointHostedZoneId"
+ },
+ "Name": "sam.apigateway.com",
+ "Type": "A"
+ },
+ {
+ "AliasTarget": {
+ "DNSName": "VPCEndpointDomainName",
+ "HostedZoneId": "VPCEndpointHostedZoneId"
+ },
+ "Name": "sam.apigateway.com",
+ "Type": "AAAA"
+ }
+ ]
+ },
+ "Type": "AWS::Route53::RecordSetGroup"
+ }
+ }
+}
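Review bot: `ApiGatewayDomainNameV2f6d6317296` is expected here with `"Types": ["PRIVATE"]` and no `Policy`, so in this output the `aws:SourceVpce` deny statement exists only on `MyApi`. The fixture pins that the domain-level policy is optional, but nothing visible says what access the domain name itself permits when it is omitted; that presumably falls back to API Gateway's default for private domain names and is worth stating where the property is documented. The generic `"Description": "Sample SAM Template for a simple serverless application"` could also name the case, for example `"Description": "Private custom domain without a domain-level resource policy"`, changed in the input template since this file appears to be the translator's expected output.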