feat: update L1 CloudFormation resource definitions

[aws-cdk-automation]

Updates the L1 CloudFormation resource definitions with the latest changes from @aws-cdk/aws-service-spec

L1 CloudFormation resource definition changes:

├[~] service aws-appmesh
│ └ resources
│    └[~] resource AWS::AppMesh::Mesh
│      └ types
│         └[~] type MeshSpec
│           └ properties
│              └ ServiceDiscovery: (documentation changed)
├[~] service aws-aps
│ └ resources
│    └[~] resource AWS::APS::RuleGroupsNamespace
│      └ properties
│         └ Workspace: - string (required)
│                      + string (required, immutable)
├[~] service aws-backup
│ └ resources
│    └[~] resource AWS::Backup::Framework
│      └ types
│         └[~] type FrameworkControl
│           └ properties
│              └ ControlScope: (documentation changed)
├[~] service aws-chatbot
│ └ resources
│    ├[~] resource AWS::Chatbot::MicrosoftTeamsChannelConfiguration
│    │ └  - documentation: The `AWS::Chatbot::MicrosoftTeamsChannelConfiguration` resource configures a Microsoft Teams channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│    │    This resource requires some setup to be done in the AWS Chatbot console. To provide the required Microsoft Teams team and tenant IDs, you must perform the initial authorization flow with Microsoft Teams in the AWS Chatbot console, then copy and paste the IDs from the console. For more details, see steps 1-4 in [Setting Up AWS Chatbot with Microsoft Teams](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *AWS Chatbot Administrator Guide* .
│    │    + documentation: The `AWS::Chatbot::MicrosoftTeamsChannelConfiguration` resource configures a Microsoft Teams channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│    │    This resource requires some setup to be done in the AWS Chatbot console. To provide the required Microsoft Teams team and tenant IDs, you must perform the initial authorization flow with Microsoft Teams in the AWS Chatbot console, then copy and paste the IDs from the console. For more details, see [Configure a Microsoft Teams client](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *AWS Chatbot Administrator Guide* .
│    └[~] resource AWS::Chatbot::SlackChannelConfiguration
│      └  - documentation: The `AWS::Chatbot::SlackChannelConfiguration` resource configures a Slack channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│         This resource requires some setup to be done in the AWS Chatbot console. To provide the required Slack workspace ID, you must perform the initial authorization flow with Slack in the AWS Chatbot console, then copy and paste the workspace ID from the console. For more details, see steps 1-4 in [Setting Up AWS Chatbot with Slack](https://docs.aws.amazon.com/chatbot/latest/adminguide/setting-up.html#Setup_intro) in the *AWS Chatbot User Guide* .
│         + documentation: The `AWS::Chatbot::SlackChannelConfiguration` resource configures a Slack channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│         This resource requires some setup to be done in the AWS Chatbot console. To provide the required Slack workspace ID, you must perform the initial authorization flow with Slack in the AWS Chatbot console, then copy and paste the workspace ID from the console. For more details, see [Configure a Slack client](https://docs.aws.amazon.com/chatbot/latest/adminguide/slack-setup.html#slack-client-setup) in the *AWS Chatbot User Guide* .
├[~] service aws-cleanrooms
│ └ resources
│    └[~] resource AWS::CleanRooms::ConfiguredTable
│      └ types
│         └[~] type AnalysisRuleCustom
│           └ properties
│              ├ AllowedAnalyses: (documentation changed)
│              └ AllowedAnalysisProviders: (documentation changed)
├[~] service aws-cognito
│ └ resources
│    ├[~] resource AWS::Cognito::IdentityPool
│    │ └ types
│    │    └[~] type CognitoIdentityProvider
│    │      └ properties
│    │         ├ ClientId: - string
│    │         │           + string (required)
│    │         └ ProviderName: - string
│    │                         + string (required)
│    └[~] resource AWS::Cognito::IdentityPoolRoleAttachment
│      └ properties
│         └ Roles: - json
│                  + Map<string, string> ⇐ json
├[~] service aws-config
│ └ resources
│    └[~] resource AWS::Config::ConfigurationRecorder
│      └ types
│         ├[~] type ExclusionByResourceTypes
│         │ └  - documentation: Specifies whether the configuration recorder excludes certain resource types from being recorded. Use the `resourceTypes` field to enter a comma-separated list of resource types you want to exclude from recording.
│         │    By default, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.
│         │    > *How to use the exclusion recording strategy*
│         │    > 
│         │    > To use this option, you must set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .
│         │    > 
│         │    > AWS Config will then record configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded.
│         │    > 
│         │    > *Global resource types and the exclusion recording strategy*
│         │    > 
│         │    > Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.
│         │    > 
│         │    > IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:
│         │    > 
│         │    > - Asia Pacific (Hyderabad)
│         │    > - Asia Pacific (Melbourne)
│         │    > - Europe (Spain)
│         │    > - Europe (Zurich)
│         │    > - Israel (Tel Aviv)
│         │    > - Middle East (UAE)
│         │    + documentation: Specifies whether the configuration recorder excludes certain resource types from being recorded. Use the `ResourceTypes` field to enter a comma-separated list of resource types you want to exclude from recording.
│         │    By default, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.
│         │    > *How to use the exclusion recording strategy*
│         │    > 
│         │    > To use this option, you must set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .
│         │    > 
│         │    > AWS Config will then record configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded.
│         │    > 
│         │    > *Global resource types and the exclusion recording strategy*
│         │    > 
│         │    > Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.
│         │    > 
│         │    > IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:
│         │    > 
│         │    > - Asia Pacific (Hyderabad)
│         │    > - Asia Pacific (Melbourne)
│         │    > - Canada West (Calgary)
│         │    > - Europe (Spain)
│         │    > - Europe (Zurich)
│         │    > - Israel (Tel Aviv)
│         │    > - Middle East (UAE)
│         ├[~] type RecordingGroup
│         │ ├  - documentation: Specifies which resource types AWS Config records for configuration changes. By default, AWS Config records configuration changes for all current and future supported resource types in the AWS Region where you have enabled AWS Config , excluding the global IAM resource types: IAM users, groups, roles, and customer managed policies.
│         │ │  In the recording group, you specify whether you want to record all supported current and future supported resource types or to include or exclude specific resources types. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .
│         │ │  If you don't want AWS Config to record all current and future supported resource types (excluding the global IAM resource types), use one of the following recording strategies:
│         │ │  - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or
│         │ │  - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).
│         │ │  If you use the recording strategy to *Record all current and future resource types* ( `ALL_SUPPORTED_RESOURCE_TYPES` ), you can use the flag `includeGlobalResourceTypes` to include the global IAM resource types in your recording.
│         │ │  > *Aurora global clusters are recorded in all enabled Regions*
│         │ │  > 
│         │ │  > The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled.
│         │ │  > 
│         │ │  > If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use the `EXCLUSION_BY_RESOURCE_TYPES` or `INCLUSION_BY_RESOURCE_TYPES` recording strategy.
│         │ │  + documentation: Specifies which resource types AWS Config records for configuration changes. By default, AWS Config records configuration changes for all current and future supported resource types in the AWS Region where you have enabled AWS Config , excluding the global IAM resource types: IAM users, groups, roles, and customer managed policies.
│         │ │  In the recording group, you specify whether you want to record all supported current and future supported resource types or to include or exclude specific resources types. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .
│         │ │  If you don't want AWS Config to record all current and future supported resource types (excluding the global IAM resource types), use one of the following recording strategies:
│         │ │  - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or
│         │ │  - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).
│         │ │  If you use the recording strategy to *Record all current and future resource types* ( `ALL_SUPPORTED_RESOURCE_TYPES` ), you can use the flag `IncludeGlobalResourceTypes` to include the global IAM resource types in your recording.
│         │ │  > *Aurora global clusters are recorded in all enabled Regions*
│         │ │  > 
│         │ │  > The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled.
│         │ │  > 
│         │ │  > If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use the `EXCLUSION_BY_RESOURCE_TYPES` or `INCLUSION_BY_RESOURCE_TYPES` recording strategy.
│         │ └ properties
│         │    ├ IncludeGlobalResourceTypes: (documentation changed)
│         │    ├ RecordingStrategy: (documentation changed)
│         │    └ ResourceTypes: (documentation changed)
│         └[~] type RecordingStrategy
│           └ properties
│              └ UseOnly: (documentation changed)
├[~] service aws-connect
│ └ resources
│    └[~] resource AWS::Connect::Rule
│      └ types
│         └[~] type Actions
│           └ properties
│              ├[-] EndAssociatedTaskActions: Array<json>
│              └[+] EndAssociatedTasksActions: Array<json>
├[+] service aws-datazone
│ ├  capitalized: DataZone
│ │  cloudFormationNamespace: AWS::DataZone
│ │  name: aws-datazone
│ │  shortName: datazone
│ └ resources
│    ├resource AWS::DataZone::DataSource
│    │├  name: DataSource
│    ││  cloudFormationType: AWS::DataZone::DataSource
│    ││  documentation: Definition of AWS::DataZone::DataSource Resource Type
│    │├ properties
│    ││  ├AssetFormsInput: Array<FormInput>
│    ││  ├Description: string
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  ├EnableSetting: string
│    ││  ├EnvironmentIdentifier: string (required, immutable)
│    ││  ├Configuration: DataSourceConfigurationInput
│    ││  ├Name: string (required)
│    ││  ├ProjectIdentifier: string (required, immutable)
│    ││  ├PublishOnImport: boolean
│    ││  ├Recommendation: RecommendationConfiguration
│    ││  ├Schedule: ScheduleConfiguration
│    ││  └Type: string (required, immutable)
│    │├ attributes
│    ││  ├CreatedAt: string
│    ││  ├DomainId: string
│    ││  ├EnvironmentId: string
│    ││  ├Id: string
│    ││  ├LastRunAssetCount: number
│    ││  ├LastRunAt: string
│    ││  ├LastRunStatus: string
│    ││  ├ProjectId: string
│    ││  ├Status: string
│    ││  └UpdatedAt: string
│    │└ types
│    │   ├type FormInput
│    │   │├  documentation: The details of a metadata form.
│    │   ││  name: FormInput
│    │   │└ properties
│    │   │   ├FormName: string (required)
│    │   │   ├TypeIdentifier: string
│    │   │   ├TypeRevision: string
│    │   │   └Content: string
│    │   ├type DataSourceConfigurationInput
│    │   │├  name: DataSourceConfigurationInput
│    │   │└ properties
│    │   │   ├GlueRunConfiguration: GlueRunConfigurationInput
│    │   │   └RedshiftRunConfiguration: RedshiftRunConfigurationInput
│    │   ├type GlueRunConfigurationInput
│    │   │├  name: GlueRunConfigurationInput
│    │   │└ properties
│    │   │   ├DataAccessRole: string
│    │   │   └RelationalFilterConfigurations: Array<RelationalFilterConfiguration> (required)
│    │   ├type RelationalFilterConfiguration
│    │   │├  documentation: The relational filter configuration for the data source.
│    │   ││  name: RelationalFilterConfiguration
│    │   │└ properties
│    │   │   ├DatabaseName: string (required)
│    │   │   ├SchemaName: string
│    │   │   └FilterExpressions: Array<FilterExpression>
│    │   ├type FilterExpression
│    │   │├  documentation: The search filter expression.
│    │   ││  name: FilterExpression
│    │   │└ properties
│    │   │   ├Type: string (required)
│    │   │   └Expression: string (required)
│    │   ├type RedshiftRunConfigurationInput
│    │   │├  documentation: The configuration details of the Amazon Redshift data source.
│    │   ││  name: RedshiftRunConfigurationInput
│    │   │└ properties
│    │   │   ├DataAccessRole: string
│    │   │   ├RelationalFilterConfigurations: Array<RelationalFilterConfiguration> (required)
│    │   │   ├RedshiftCredentialConfiguration: RedshiftCredentialConfiguration (required)
│    │   │   └RedshiftStorage: RedshiftStorage (required)
│    │   ├type RedshiftCredentialConfiguration
│    │   │├  documentation: The ARN of a secret manager for an Amazon Redshift cluster.
│    │   ││  name: RedshiftCredentialConfiguration
│    │   │└ properties
│    │   │   └SecretManagerArn: string (required)
│    │   ├type RedshiftStorage
│    │   │├  documentation: The details of the Amazon Redshift cluster source.
│    │   ││  name: RedshiftStorage
│    │   │└ properties
│    │   │   ├RedshiftClusterSource: RedshiftClusterStorage
│    │   │   └RedshiftServerlessSource: RedshiftServerlessStorage
│    │   ├type RedshiftClusterStorage
│    │   │├  documentation: The name of an Amazon Redshift cluster.
│    │   ││  name: RedshiftClusterStorage
│    │   │└ properties
│    │   │   └ClusterName: string (required)
│    │   ├type RedshiftServerlessStorage
│    │   │├  documentation: The details of the Amazon Redshift Serverless workgroup storage.
│    │   ││  name: RedshiftServerlessStorage
│    │   │└ properties
│    │   │   └WorkgroupName: string (required)
│    │   ├type RecommendationConfiguration
│    │   │├  documentation: The recommendation to be updated as part of the UpdateDataSource action.
│    │   ││  name: RecommendationConfiguration
│    │   │└ properties
│    │   │   └EnableBusinessNameGeneration: boolean
│    │   └type ScheduleConfiguration
│    │    ├  documentation: The schedule of the data source runs.
│    │    │  name: ScheduleConfiguration
│    │    └ properties
│    │       ├Timezone: string
│    │       └Schedule: string
│    ├resource AWS::DataZone::Domain
│    │├  name: Domain
│    ││  cloudFormationType: AWS::DataZone::Domain
│    ││  documentation: A domain is an organizing entity for connecting together assets, users, and their projects
│    ││  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │├ properties
│    ││  ├Description: string
│    ││  ├DomainExecutionRole: string (required)
│    ││  ├KmsKeyIdentifier: string (immutable)
│    ││  ├Name: string (required)
│    ││  ├SingleSignOn: SingleSignOn
│    ││  └Tags: Array<tag>
│    │├ attributes
│    ││  ├Arn: string
│    ││  ├CreatedAt: string
│    ││  ├Id: string
│    ││  ├LastUpdatedAt: string
│    ││  ├ManagedAccountId: string
│    ││  ├PortalUrl: string
│    ││  └Status: string
│    │└ types
│    │   └type SingleSignOn
│    │    ├  documentation: The single-sign on configuration of the Amazon DataZone domain.
│    │    │  name: SingleSignOn
│    │    └ properties
│    │       ├Type: string
│    │       └UserAssignment: string
│    ├resource AWS::DataZone::Environment
│    │├  name: Environment
│    ││  cloudFormationType: AWS::DataZone::Environment
│    ││  documentation: Definition of AWS::DataZone::Environment Resource Type
│    │├ properties
│    ││  ├Description: string
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  ├EnvironmentProfileIdentifier: string (required, immutable)
│    ││  ├GlossaryTerms: Array<string>
│    ││  ├Name: string (required)
│    ││  ├ProjectIdentifier: string (required, immutable)
│    ││  └UserParameters: Array<EnvironmentParameter> (immutable)
│    │├ attributes
│    ││  ├AwsAccountId: string
│    ││  ├AwsAccountRegion: string
│    ││  ├CreatedAt: string
│    ││  ├CreatedBy: string
│    ││  ├DomainId: string
│    ││  ├EnvironmentBlueprintId: string
│    ││  ├EnvironmentProfileId: string
│    ││  ├Id: string
│    ││  ├ProjectId: string
│    ││  ├Provider: string
│    ││  ├Status: string
│    ││  └UpdatedAt: string
│    │└ types
│    │   └type EnvironmentParameter
│    │    ├  documentation: The parameter details of an environment.
│    │    │  name: EnvironmentParameter
│    │    └ properties
│    │       ├Name: string
│    │       └Value: string
│    ├resource AWS::DataZone::EnvironmentBlueprintConfiguration
│    │├  name: EnvironmentBlueprintConfiguration
│    ││  cloudFormationType: AWS::DataZone::EnvironmentBlueprintConfiguration
│    ││  documentation: Definition of AWS::DataZone::EnvironmentBlueprintConfiguration Resource Type
│    │├ properties
│    ││  ├RegionalParameters: Array<RegionalParameter>
│    ││  ├ProvisioningRoleArn: string
│    ││  ├EnabledRegions: Array<string> (required)
│    ││  ├EnvironmentBlueprintIdentifier: string (required, immutable)
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  └ManageAccessRoleArn: string
│    │├ attributes
│    ││  ├CreatedAt: string
│    ││  ├DomainId: string
│    ││  ├EnvironmentBlueprintId: string
│    ││  └UpdatedAt: string
│    │└ types
│    │   └type RegionalParameter
│    │    ├  name: RegionalParameter
│    │    └ properties
│    │       ├Parameters: Map<string, string>
│    │       └Region: string
│    ├resource AWS::DataZone::EnvironmentProfile
│    │├  name: EnvironmentProfile
│    ││  cloudFormationType: AWS::DataZone::EnvironmentProfile
│    ││  documentation: AWS Datazone Environment Profile is pre-configured set of resources and blueprints that provide reusable templates for creating environments.
│    │├ properties
│    ││  ├AwsAccountId: string
│    ││  ├AwsAccountRegion: string
│    ││  ├Description: string
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  ├EnvironmentBlueprintIdentifier: string (required, immutable)
│    ││  ├Name: string (required)
│    ││  ├ProjectIdentifier: string (required, immutable)
│    ││  └UserParameters: Array<EnvironmentParameter>
│    │├ attributes
│    ││  ├CreatedAt: string
│    ││  ├CreatedBy: string
│    ││  ├DomainId: string
│    ││  ├EnvironmentBlueprintId: string
│    ││  ├Id: string
│    ││  ├ProjectId: string
│    ││  └UpdatedAt: string
│    │└ types
│    │   └type EnvironmentParameter
│    │    ├  documentation: The parameter details of an environment profile.
│    │    │  name: EnvironmentParameter
│    │    └ properties
│    │       ├Name: string
│    │       └Value: string
│    ├resource AWS::DataZone::Project
│    │├  name: Project
│    ││  cloudFormationType: AWS::DataZone::Project
│    ││  documentation: Amazon DataZone projects are business use case–based groupings of people, assets (data), and tools used to simplify access to the AWS analytics.
│    │├ properties
│    ││  ├Description: string
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  ├GlossaryTerms: Array<string>
│    ││  └Name: string (required)
│    │└ attributes
│    │   ├Id: string
│    │   ├CreatedAt: string
│    │   ├CreatedBy: string
│    │   ├DomainId: string
│    │   └LastUpdatedAt: string
│    └resource AWS::DataZone::SubscriptionTarget
│     ├  name: SubscriptionTarget
│     │  cloudFormationType: AWS::DataZone::SubscriptionTarget
│     │  documentation: Subscription targets enables one to access the data to which you have subscribed in your projects.
│     ├ properties
│     │  ├ApplicableAssetTypes: Array<string> (required)
│     │  ├AuthorizedPrincipals: Array<string> (required)
│     │  ├DomainIdentifier: string (required, immutable)
│     │  ├EnvironmentIdentifier: string (required, immutable)
│     │  ├ManageAccessRole: string (required)
│     │  ├Name: string (required)
│     │  ├Provider: string
│     │  ├SubscriptionTargetConfig: Array<SubscriptionTargetForm> (required)
│     │  └Type: string (required, immutable)
│     ├ attributes
│     │  ├CreatedAt: string
│     │  ├CreatedBy: string
│     │  ├DomainId: string
│     │  ├EnvironmentId: string
│     │  ├Id: string
│     │  ├ProjectId: string
│     │  ├UpdatedAt: string
│     │  └UpdatedBy: string
│     └ types
│        └type SubscriptionTargetForm
│         ├  documentation: The details of the subscription target configuration.
│         │  name: SubscriptionTargetForm
│         └ properties
│            ├FormName: string (required)
│            └Content: string (required)
├[~] service aws-ec2
│ └ resources
│    └[~] resource AWS::EC2::IPAMPool
│      ├ properties
│      │  └ SourceResource: (documentation changed)
│      └ types
│         └[~] type SourceResource
│           ├  - documentation: The resource associated with this pool's space. Depending on the ResourceType, setting a SourceResource changes which space can be provisioned in this pool and which types of resources can receive allocations
│           │  + documentation: The resource used to provision CIDRs to a resource planning pool.
│           └ properties
│              ├ ResourceId: (documentation changed)
│              ├ ResourceOwner: (documentation changed)
│              ├ ResourceRegion: (documentation changed)
│              └ ResourceType: (documentation changed)
├[~] service aws-ecs
│ └ resources
│    ├[~] resource AWS::ECS::Service
│    │ ├ properties
│    │ │  └ VolumeConfigurations: (documentation changed)
│    │ └ types
│    │    ├[~] type EBSTagSpecification
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: The tag specifications of an Amazon EBS volume.
│    │    │ └ properties
│    │    │    ├ PropagateTags: (documentation changed)
│    │    │    ├ ResourceType: (documentation changed)
│    │    │    └ Tags: (documentation changed)
│    │    ├[~] type ServiceConnectService
│    │    │ └ properties
│    │    │    ├[+] Timeout: TimeoutConfiguration
│    │    │    └[+] Tls: ServiceConnectTlsConfiguration
│    │    ├[+] type ServiceConnectTlsCertificateAuthority
│    │    │ ├  name: ServiceConnectTlsCertificateAuthority
│    │    │ └ properties
│    │    │    └AwsPcaAuthorityArn: string
│    │    ├[+] type ServiceConnectTlsConfiguration
│    │    │ ├  name: ServiceConnectTlsConfiguration
│    │    │ └ properties
│    │    │    ├IssuerCertificateAuthority: ServiceConnectTlsCertificateAuthority (required)
│    │    │    ├KmsKey: string
│    │    │    └RoleArn: string
│    │    ├[~] type ServiceManagedEBSVolumeConfiguration
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: The configuration for the Amazon EBS volume that Amazon ECS creates and manages on your behalf. These settings are used to create each Amazon EBS volume, with one volume created for each task in the service.
│    │    │ │  Many of these parameters map 1:1 with the Amazon EBS `CreateVolume` API request parameters.
│    │    │ └ properties
│    │    │    ├ Encrypted: (documentation changed)
│    │    │    ├ FilesystemType: (documentation changed)
│    │    │    ├ Iops: (documentation changed)
│    │    │    ├ KmsKeyId: (documentation changed)
│    │    │    ├ RoleArn: (documentation changed)
│    │    │    ├ SizeInGiB: (documentation changed)
│    │    │    ├ SnapshotId: (documentation changed)
│    │    │    ├ TagSpecifications: (documentation changed)
│    │    │    ├ Throughput: (documentation changed)
│    │    │    └ VolumeType: (documentation changed)
│    │    ├[~] type ServiceVolumeConfiguration
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.
│    │    │ └ properties
│    │    │    ├ ManagedEBSVolume: (documentation changed)
│    │    │    └ Name: (documentation changed)
│    │    └[+] type TimeoutConfiguration
│    │      ├  name: TimeoutConfiguration
│    │      └ properties
│    │         ├IdleTimeoutSeconds: integer
│    │         └PerRequestTimeoutSeconds: integer
│    └[~] resource AWS::ECS::TaskDefinition
│      └ types
│         └[~] type Volume
│           ├  - documentation: The `Volume` property specifies a data volume used in a task definition. For tasks that use a Docker volume, specify a `DockerVolumeConfiguration` . For tasks that use a bind mount host volume, specify a `host` and optional `sourcePath` . For more information about `host` and optional `sourcePath` , see [Volumes](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#volumes) and [Using Data Volumes in Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_data_volumes.html) .
│           │  + documentation: The data volume configuration for tasks launched using this task definition. Specifying a volume configuration in a task definition is optional. The volume configuration may contain multiple volumes but only one volume configured at launch is supported. Each volume defined in the volume configuration may only specify a `name` and one of either `configuredAtLaunch` , `dockerVolumeConfiguration` , `efsVolumeConfiguration` , `fsxWindowsFileServerVolumeConfiguration` , or `host` . If an empty volume configuration is specified, by default Amazon ECS uses a host volume. For more information, see [Using data volumes in tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_data_volumes.html) .
│           └ properties
│              ├ ConfiguredAtLaunch: (documentation changed)
│              └ Name: (documentation changed)
├[~] service aws-elasticloadbalancingv2
│ └ resources
│    └[~] resource AWS::ElasticLoadBalancingV2::LoadBalancer
│      └ properties
│         └[+] EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: string
├[~] service aws-events
│ └ resources
│    └[~] resource AWS::Events::Rule
│      └ types
│         ├[~] type AppSyncParameters
│         │ ├  - documentation: undefined
│         │ │  + documentation: Contains the GraphQL operation to be parsed and executed, if the event target is an AWS AppSync API.
│         │ └ properties
│         │    └ GraphQLOperation: (documentation changed)
│         └[~] type Target
│           └ properties
│              └ AppSyncParameters: (documentation changed)
├[~] service aws-internetmonitor
│ └ resources
│    └[~] resource AWS::InternetMonitor::Monitor
│      └ types
│         ├[~] type InternetMeasurementsLogDelivery
│         │ └ properties
│         │    └ S3Config: (documentation changed)
│         └[~] type S3Config
│           ├  - documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to S3 logs, and `DISABLED` otherwise.
│           │  The measurements are also published to Amazon CloudWatch Logs.
│           │  + documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs.
│           └ properties
│              ├ BucketName: (documentation changed)
│              ├ BucketPrefix: (documentation changed)
│              └ LogDeliveryStatus: (documentation changed)
├[~] service aws-iot
│ └ resources
│    ├[~] resource AWS::IoT::SoftwarePackage
│    │ └ properties
│    │    ├ Description: (documentation changed)
│    │    ├ PackageName: (documentation changed)
│    │    └ Tags: (documentation changed)
│    └[~] resource AWS::IoT::SoftwarePackageVersion
│      └ properties
│         ├ Attributes: (documentation changed)
│         ├ Description: (documentation changed)
│         ├ PackageName: (documentation changed)
│         ├ Tags: (documentation changed)
│         └ VersionName: (documentation changed)
├[~] service aws-ivs
│ └ resources
│    └[+] resource AWS::IVS::Stage
│      ├  name: Stage
│      │  cloudFormationType: AWS::IVS::Stage
│      │  documentation: Resource Definition for type AWS::IVS::Stage.
│      │  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      ├ properties
│      │  ├Name: string
│      │  └Tags: Array<tag>
│      └ attributes
│         ├Arn: string
│         └ActiveSessionId: string (default="")
├[~] service aws-lakeformation
│ └ resources
│    └[~] resource AWS::LakeFormation::Resource
│      └ properties
│         └[+] HybridAccessEnabled: boolean
├[~] service aws-location
│ └ resources
│    └[~] resource AWS::Location::Map
│      └ types
│         └[~] type MapConfiguration
│           └ properties
│              └[+] CustomLayers: Array<string>
├[~] service aws-logs
│ └ resources
│    └[~] resource AWS::Logs::AccountPolicy
│      ├  - documentation: Creates or updates an account-level data protection policy that applies to all log groups in the account. A data protection policy can help safeguard sensitive data that's ingested by your log groups by auditing and masking the sensitive log data. Each account can have only one account-level policy.
│      │  > Sensitive data is detected and masked when it is ingested into a log group. When you set a data protection policy, log events ingested into the log groups before that time are not masked. 
│      │  If you create a data protection policy for your whole account, it applies to both existing log groups and all log groups that are created later in this account. The account policy is applied to existing log groups with eventual consistency. It might take up to 5 minutes before sensitive data in existing log groups begins to be masked.
│      │  By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks. A user who has the `logs:Unmask` permission can use a [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html) or [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html) operation with the `unmask` parameter set to `true` to view the unmasked log events. Users with the `logs:Unmask` can also view unmasked data in the CloudWatch Logs console by running a CloudWatch Logs Insights query with the `unmask` query command.
│      │  For more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .
│      │  To create an account-level policy, you must be signed on with the `logs:PutDataProtectionPolicy` and `logs:PutAccountPolicy` permissions.
│      │  An account-level policy applies to all log groups in the account. You can also create a data protection policy that applies to just one log group. If a log group has its own data protection policy and the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term specified in either policy is masked.
│      │  + documentation: Creates or updates an aaccount-level data protection policy or subscription filter policy that applies to all log groups or a subset of log groups in the account.
│      │  *Data protection policy*
│      │  A data protection policy can help safeguard sensitive data that's ingested by your log groups by auditing and masking the sensitive log data. Each account can have only one account-level data protection policy.
│      │  > Sensitive data is detected and masked when it is ingested into a log group. When you set a data protection policy, log events ingested into the log groups before that time are not masked. 
│      │  If you create a data protection policy for your whole account, it applies to both existing log groups and all log groups that are created later in this account. The account policy is applied to existing log groups with eventual consistency. It might take up to 5 minutes before sensitive data in existing log groups begins to be masked.
│      │  By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks. A user who has the `logs:Unmask` permission can use a [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html) or [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html) operation with the `unmask` parameter set to `true` to view the unmasked log events. Users with the `logs:Unmask` can also view unmasked data in the CloudWatch Logs console by running a CloudWatch Logs Insights query with the `unmask` query command.
│      │  For more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .
│      │  To create an account-level policy, you must be signed on with the `logs:PutDataProtectionPolicy` and `logs:PutAccountPolicy` permissions.
│      │  An account-level policy applies to all log groups in the account. You can also create a data protection policy that applies to just one log group. If a log group has its own data protection policy and the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term specified in either policy is masked.
│      │  *Subscription filter policy*
│      │  A subscription filter policy sets up a real-time feed of log events from CloudWatch Logs to other AWS services. Account-level subscription filter policies apply to both existing log groups and log groups that are created later in this account. Supported destinations are Kinesis Data Streams , Kinesis Data Firehose , and Lambda . When log events are sent to the receiving service, they are Base64 encoded and compressed with the GZIP format.
│      │  The following destinations are supported for subscription filters:
│      │  - An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.
│      │  - An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.
│      │  - A Lambda function in the same account as the subscription policy, for same-account delivery.
│      │  - A logical destination in a different account created with [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html) , for cross-account delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.
│      │  Each account can have one account-level subscription filter policy. If you are updating an existing filter, you must specify the correct name in `PolicyName` . To perform a `PutAccountPolicy` subscription filter operation for any destination except a Lambda function, you must also have the `iam:PassRole` permission.
│      └ properties
│         ├ PolicyDocument: (documentation changed)
│         ├ PolicyType: (documentation changed)
│         ├ Scope: (documentation changed)
│         └[+] SelectionCriteria: string
├[~] service aws-medialive
│ └ resources
│    └[~] resource AWS::MediaLive::Channel
│      └ types
│         ├[+] type ColorCorrection
│         │ ├  name: ColorCorrection
│         │ └ properties
│         │    ├OutputColorSpace: string
│         │    ├InputColorSpace: string
│         │    └Uri: string
│         ├[+] type ColorCorrectionSettings
│         │ ├  name: ColorCorrectionSettings
│         │ └ properties
│         │    └GlobalColorCorrections: Array<ColorCorrection>
│         └[~] type EncoderSettings
│           └ properties
│              └[+] ColorCorrectionSettings: ColorCorrectionSettings
├[~] service aws-networkfirewall
│ └ resources
│    ├[~] resource AWS::NetworkFirewall::FirewallPolicy
│    │ └ types
│    │    └[~] type StatefulEngineOptions
│    │      └ properties
│    │         └ RuleOrder: (documentation changed)
│    ├[~] resource AWS::NetworkFirewall::RuleGroup
│    │ └ types
│    │    └[~] type RuleOption
│    │      └ properties
│    │         └ Keyword: (documentation changed)
│    └[~] resource AWS::NetworkFirewall::TLSInspectionConfiguration
│      ├  - documentation: The object that defines a TLS inspection configuration. This, along with `TLSInspectionConfigurationResponse` , define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling `DescribeTLSInspectionConfiguration` .
│      │  AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.
│      │  To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS
│      │  inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide* .
│      │  + documentation: The object that defines a TLS inspection configuration.
│      │  AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.
│      │  To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide* .
│      ├ properties
│      │  └ TLSInspectionConfiguration: (documentation changed)
│      └ types
│         ├[~] type Address
│         │ └  - documentation: A single IP address specification. This is used in the `MatchAttributes` source and destination specifications.
│         │    + documentation: A single IP address specification. This is used in the [MatchAttributes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-rulegroup-matchattributes.html) source and destination settings.
│         ├[~] type CheckCertificateRevocationStatus
│         │ ├  - documentation: undefined
│         │ │  + documentation: When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a `CertificateAuthorityArn` in [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-servercertificateconfiguration.html) .
│         │ └ properties
│         │    ├ RevokedStatusAction: (documentation changed)
│         │    └ UnknownStatusAction: (documentation changed)
│         ├[~] type PortRange
│         │ └  - documentation: A single port range specification. This is used for source and destination port ranges in the stateless rule `MatchAttributes` , `SourcePorts` , and `DestinationPorts` settings.
│         │    + documentation: A single port range specification. This is used for source and destination port ranges in the stateless rule [MatchAttributes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-rulegroup-matchattributes.html) , `SourcePorts` , and `DestinationPorts` settings.
│         ├[~] type ServerCertificate
│         │ └  - documentation: Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a `ServerCertificateConfiguration` . Used in a `TLSInspectionConfiguration` for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) or [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .
│         │    + documentation: Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html) . Used in a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) or [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .
│         ├[~] type ServerCertificateConfiguration
│         │ ├  - documentation: Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a `TLSInspectionConfiguration` . You can configure `ServerCertificates` for inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see [Using SSL/TLS server certficiates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide* .
│         │ │  > If a server certificate that's associated with your `TLSInspectionConfiguration` is revoked, deleted, or expired it can result in client-side TLS errors.
│         │ │  + documentation: Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) . You can configure `ServerCertificates` for inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see [Using SSL/TLS server certficiates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide* .
│         │ │  > If a server certificate that's associated with your [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) is revoked, deleted, or expired it can result in client-side TLS errors.
│         │ └ properties
│         │    └ CheckCertificateRevocationStatus: (documentation changed)
│         └[~] type TLSInspectionConfiguration
│           └  - documentation: The object that defines a TLS inspection configuration. This, along with `TLSInspectionConfigurationResponse` , define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling `DescribeTLSInspectionConfiguration` .
│              AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.
│              To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS
│              inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide* .
│              + documentation: The object that defines a TLS inspection configuration. This defines the TLS inspection configuration.
│              AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.
│              To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide* .
├[~] service aws-networkmanager
│ └ resources
│    └[~] resource AWS::NetworkManager::Device
│      └ attributes
│         └ CreatedAt: (documentation changed)
├[~] service aws-opensearchservice
│ └ resources
│    └[~] resource AWS::OpenSearchService::Domain
│      └ types
│         ├[~] type ClusterConfig
│         │ └ properties
│         │    └[+] ColdStorageOptions: ColdStorageOptions
│         └[+] type ColdStorageOptions
│           ├  documentation: Specifies options for cold storage. For more information, see [Cold storage for Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cold-storage.html) .
│           │  name: ColdStorageOptions
│           └ properties
│              └Enabled: boolean
├[~] service aws-rolesanywhere
│ └ resources
│    ├[~] resource AWS::RolesAnywhere::Profile
│    │ ├  - documentation: Creates a *profile* , a list of the roles that Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies.
│    │ │  *Required permissions:* `rolesanywhere:CreateProfile` .
│    │ │  + documentation: Creates a Profile.
│    │ └ properties
│    │    ├ DurationSeconds: (documentation changed)
│    │    ├ Enabled: (documentation changed)
│    │    ├ ManagedPolicyArns: (documentation changed)
│    │    ├ Name: (documentation changed)
│    │    ├ RequireInstanceProperties: (documentation changed)
│    │    ├ RoleArns: (documentation changed)
│    │    ├ SessionPolicy: (documentation changed)
│    │    └ Tags: (documentation changed)
│    └[~] resource AWS::RolesAnywhere::TrustAnchor
│      ├  - documentation: Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA). You can define a trust anchor as a reference to an AWS Private Certificate Authority ( AWS Private CA ) or by uploading a CA certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary AWS credentials.
│      │  *Required permissions:* `rolesanywhere:CreateTrustAnchor` .
│      │  + documentation: Creates a TrustAnchor.
│      └ types
│         ├[~] type Source
│         │ ├  - documentation: The trust anchor type and its related certificate data.
│         │ │  + documentation: Object representing the TrustAnchor type and its related certificate data.
│         │ └ properties
│         │    ├ SourceData: (documentation changed)
│         │    └ SourceType: (documentation changed)
│         └[~] type SourceData
│           └  - documentation: The data field of the trust anchor depending on its type.
│              + documentation: A union object representing the data field of the TrustAnchor depending on its type
├[~] service aws-s3
│ └ resources
│    └[~] resource AWS::S3::Bucket
│      └ types
│         ├[~] type LoggingConfiguration
│         │ └ properties
│         │    └ TargetObjectKeyFormat: (documentation changed)
│         ├[~] type PartitionedPrefix
│         │ └  - documentation: Amazon S3 keys for log objects are partitioned in the following format:
│         │    `[DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]`
│         │    + documentation: Amazon S3 keys for log objects are partitioned in the following format:
│         │    `[DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]`
│         │    PartitionedPrefix defaults to EventTime delivery when server access logs are delivered.
│         └[~] type ServerSideEncryptionByDefault
│           └ properties
│              └ KMSMasterKeyID: (documentation changed)
├[~] service aws-sagemaker
│ └ resources
│    ├[~] resource AWS::SageMaker::DataQualityJobDefinition
│    │ └ types
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    ├[~] resource AWS::SageMaker::Model
│    │ └ types
│    │    ├[~] type ModelAccessConfig
│    │    │ └  - documentation: The access configuration file for the ML model. You can explicitly accept the model end-user license agreement (EULA) within the `ModelAccessConfig` . For more information, see [End-user license agreements](https://docs.aws.amazon.com/sagemaker/latest/dg/jumpstart-foundation-models-choose.html#jumpstart-foundation-models-choose-eula) .
│    │    │    + documentation: The access configuration file to control access to the ML model. You can explicitly accept the model end-user license agreement (EULA) within the `ModelAccessConfig` .
│    │    │    - If you are a Jumpstart user, see the [End-user license agreements](https://docs.aws.amazon.com/sagemaker/latest/dg/jumpstart-foundation-models-choose.html#jumpstart-foundation-models-choose-eula) section for more details on accepting the EULA.
│    │    │    - If you are an AutoML user, see the *Optional Parameters* section of *Create an AutoML job to fine-tune text generation models using the API* for details on [How to set the EULA acceptance when fine-tuning a model using the AutoML API](https://docs.aws.amazon.com/sagemaker/latest/dg/autopilot-create-experiment-finetune-llms.html#autopilot-llms-finetuning-api-optional-params) .
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    ├[~] resource AWS::SageMaker::ModelBiasJobDefinition
│    │ └ types
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    ├[~] resource AWS::SageMaker::ModelExplainabilityJobDefinition
│    │ └ types
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    ├[~] resource AWS::SageMaker::ModelQualityJobDefinition
│    │ └ types
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    └[~] resource AWS::SageMaker::MonitoringSchedule
│      └ types
│         └[~] type VpcConfig
│           └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│              + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
├[~] service aws-servicecatalogappregistry
│ └ resources
│    └[~] resource AWS::ServiceCatalogAppRegistry::Application
│      └ attributes
│         ├ ApplicationTagKey: (documentation changed)
│         └ ApplicationTagValue: (documentation changed)
└[~] service aws-workspaces
  └ resources
     └[~] resource AWS::WorkSpaces::Workspace
       └ types
          └[~] type WorkspaceProperties
            └ properties
               └ RunningMode: (documentation changed)

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: e450c5c
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).