From e4141b8d63722eefaefb4a81455ffc8f92a1f451 Mon Sep 17 00:00:00 2001 From: GZ Date: Mon, 22 Jan 2024 12:01:35 -0800 Subject: [PATCH 1/4] fix: Throw appropriate error message when providing non map route settings (#3507) --- .../plugins/api/implicit_http_api_plugin.py | 1 + .../input/error_http_api_list_route_settings.yaml | 9 +++++++++ .../output/error_http_api_list_route_settings.json | 14 ++++++++++++++ 3 files changed, 24 insertions(+) create mode 100644 tests/translator/input/error_http_api_list_route_settings.yaml create mode 100644 tests/translator/output/error_http_api_list_route_settings.json diff --git a/samtranslator/plugins/api/implicit_http_api_plugin.py b/samtranslator/plugins/api/implicit_http_api_plugin.py index 74b110deb..292ded99b 100644 --- a/samtranslator/plugins/api/implicit_http_api_plugin.py +++ b/samtranslator/plugins/api/implicit_http_api_plugin.py @@ -124,6 +124,7 @@ def _add_route_settings_to_api( # Handle Resource-level conditions if necessary api_route_settings = resource.properties.get("RouteSettings", {}) + sam_expect(api_route_settings, api_id, "RouteSettings").to_be_a_map() event_route_settings = event_properties.get("RouteSettings", {}) if condition: event_route_settings = make_conditional(condition, event_properties.get("RouteSettings", {})) diff --git a/tests/translator/input/error_http_api_list_route_settings.yaml b/tests/translator/input/error_http_api_list_route_settings.yaml new file mode 100644 index 000000000..69b28b4f0 --- /dev/null +++ b/tests/translator/input/error_http_api_list_route_settings.yaml @@ -0,0 +1,9 @@ +Resources: + ChatApi: + Type: AWS::Serverless::HttpApi + Properties: + Name: !Ref 'ChatApiName' + RouteSettings: + - RouteKey: !Sub 'ANY /${ChatApiName}' + ThrottlingBurstLimit: 100 + ThrottlingRateLimit: 100 diff --git a/tests/translator/output/error_http_api_list_route_settings.json b/tests/translator/output/error_http_api_list_route_settings.json new file mode 100644 index 000000000..0afc87789 --- /dev/null +++ b/tests/translator/output/error_http_api_list_route_settings.json @@ -0,0 +1,14 @@ +{ + "_autoGeneratedBreakdownErrorMessage": [ + "Invalid Serverless Application Specification document. ", + "Number of errors found: 1. ", + "Resource with id [ChatApi] is invalid. ", + "Property 'RouteSettings' should be a map." + ], + "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [ChatApi] is invalid. Property 'RouteSettings' should be a map.", + "errors": [ + { + "errorMessage": "Resource with id [ChatApi] is invalid. Property 'RouteSettings' should be a map." + } + ] +} From 3814d3fd261e91987049dace5e9a965e8803036d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 12:47:36 -0800 Subject: [PATCH 2/4] chore(schema): update (#3508) Co-authored-by: github-actions --- samtranslator/schema/schema.json | 394 ++++++++++++++++------- schema_source/cloudformation-docs.json | 374 ++++++++++++++++----- schema_source/cloudformation.schema.json | 394 ++++++++++++++++------- 3 files changed, 835 insertions(+), 327 deletions(-) diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json index 1db4e63c6..e0a3c76e7 100644 --- a/samtranslator/schema/schema.json +++ b/samtranslator/schema/schema.json @@ -671,6 +671,11 @@ "AWS::ACMPCA::CertificateAuthority.CrlConfiguration": { "additionalProperties": false, "properties": { + "CrlDistributionPointExtensionConfiguration": { + "$ref": "#/definitions/AWS::ACMPCA::CertificateAuthority.CrlDistributionPointExtensionConfiguration", + "markdownDescription": "", + "title": "CrlDistributionPointExtensionConfiguration" + }, "CustomCname": { "markdownDescription": "Name inserted into the certificate *CRL Distribution Points* extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.\n\n> The content of a Canonical Name (CNAME) record must conform to [RFC2396](https://docs.aws.amazon.com/https://www.ietf.org/rfc/rfc2396.txt) restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as \"http://\" or \"https://\".", "title": "CustomCname", @@ -699,6 +704,20 @@ }, "type": "object" }, + "AWS::ACMPCA::CertificateAuthority.CrlDistributionPointExtensionConfiguration": { + "additionalProperties": false, + "properties": { + "OmitExtension": { + "markdownDescription": "", + "title": "OmitExtension", + "type": "boolean" + } + }, + "required": [ + "OmitExtension" + ], + "type": "object" + }, "AWS::ACMPCA::CertificateAuthority.CsrExtensions": { "additionalProperties": false, "properties": { @@ -1293,6 +1312,11 @@ "title": "Alias", "type": "string" }, + "KmsKeyArn": { + "markdownDescription": "", + "title": "KmsKeyArn", + "type": "string" + }, "LoggingConfiguration": { "$ref": "#/definitions/AWS::APS::Workspace.LoggingConfiguration", "markdownDescription": "The LoggingConfiguration attribute is used to set the logging configuration for the workspace.", @@ -13184,7 +13208,7 @@ }, "ServiceDiscovery": { "$ref": "#/definitions/AWS::AppMesh::Mesh.MeshServiceDiscovery", - "markdownDescription": "", + "markdownDescription": "An object that represents the service discovery information for a service mesh.", "title": "ServiceDiscovery" } }, @@ -25561,7 +25585,7 @@ }, "ControlScope": { "$ref": "#/definitions/AWS::Backup::Framework.ControlScope", - "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans.", + "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans.\n\nFor more information, see [`ControlScope` .](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_ControlScope.html)", "title": "ControlScope" } }, @@ -26751,13 +26775,9 @@ "additionalProperties": false, "properties": { "AccessPointId": { - "markdownDescription": "The Amazon EFS access point ID to use. If an access point is specified, the root directory value specified in the `EFSVolumeConfiguration` must either be omitted or set to `/` which enforces the path set on the EFS access point. If an access point is used, transit encryption must be enabled in the `EFSVolumeConfiguration` . For more information, see [Working with Amazon EFS access points](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html) in the *Amazon Elastic File System User Guide* .", - "title": "AccessPointId", "type": "string" }, "Iam": { - "markdownDescription": "Whether or not to use the AWS Batch job IAM role defined in a job definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the `EFSVolumeConfiguration` . If this parameter is omitted, the default value of `DISABLED` is used. For more information, see [Using Amazon EFS access points](https://docs.aws.amazon.com/batch/latest/userguide/efs-volumes.html#efs-volume-accesspoints) in the *AWS Batch User Guide* . EFS IAM authorization requires that `TransitEncryption` be `ENABLED` and that a `JobRoleArn` is specified.", - "title": "Iam", "type": "string" } }, @@ -26767,28 +26787,18 @@ "additionalProperties": false, "properties": { "AuthorizationConfig": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.EFSAuthorizationConfig", - "markdownDescription": "The authorization configuration details for the Amazon EFS file system.", - "title": "AuthorizationConfig" + "$ref": "#/definitions/AWS::Batch::JobDefinition.EFSAuthorizationConfig" }, "FileSystemId": { - "markdownDescription": "The Amazon EFS file system ID to use.", - "title": "FileSystemId", "type": "string" }, "RootDirectory": { - "markdownDescription": "The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume is used instead. Specifying `/` has the same effect as omitting this parameter. The maximum length is 4,096 characters.\n\n> If an EFS access point is specified in the `authorizationConfig` , the root directory parameter must either be omitted or set to `/` , which enforces the path set on the Amazon EFS access point.", - "title": "RootDirectory", "type": "string" }, "TransitEncryption": { - "markdownDescription": "Determines whether to enable encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be enabled if Amazon EFS IAM authorization is used. If this parameter is omitted, the default value of `DISABLED` is used. For more information, see [Encrypting data in transit](https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html) in the *Amazon Elastic File System User Guide* .", - "title": "TransitEncryption", "type": "string" }, "TransitEncryptionPort": { - "markdownDescription": "The port to use when sending encrypted data between the Amazon ECS host and the Amazon EFS server. If you don't specify a transit encryption port, it uses the port selection strategy that the Amazon EFS mount helper uses. The value must be between 0 and 65,535. For more information, see [EFS mount helper](https://docs.aws.amazon.com/efs/latest/ug/efs-mount-helper.html) in the *Amazon Elastic File System User Guide* .", - "title": "TransitEncryptionPort", "type": "number" } }, @@ -26994,13 +27004,11 @@ "properties": { "Labels": { "additionalProperties": true, - "markdownDescription": "Key-value pairs used to identify, sort, and organize cube resources. Can contain up to 63 uppercase letters, lowercase letters, numbers, hyphens (-), and underscores (_). Labels can be added or modified at any time. Each resource can have multiple labels, but each key must be unique for a given object.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Labels", "type": "object" } }, @@ -27013,36 +27021,24 @@ "items": { "$ref": "#/definitions/AWS::Batch::JobDefinition.EksContainer" }, - "markdownDescription": "The properties of the container that's used on the Amazon EKS pod.", - "title": "Containers", "type": "array" }, "DnsPolicy": { - "markdownDescription": "The DNS policy for the pod. The default value is `ClusterFirst` . If the `hostNetwork` parameter is not specified, the default is `ClusterFirstWithHostNet` . `ClusterFirst` indicates that any DNS query that does not match the configured cluster domain suffix is forwarded to the upstream nameserver inherited from the node. For more information, see [Pod's DNS policy](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) in the *Kubernetes documentation* .\n\nValid values: `Default` | `ClusterFirst` | `ClusterFirstWithHostNet`", - "title": "DnsPolicy", "type": "string" }, "HostNetwork": { - "markdownDescription": "Indicates if the pod uses the hosts' network IP address. The default value is `true` . Setting this to `false` enables the Kubernetes pod networking model. Most AWS Batch workloads are egress-only and don't require the overhead of IP allocation for each pod for incoming connections. For more information, see [Host namespaces](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces) and [Pod networking](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/workloads/pods/#pod-networking) in the *Kubernetes documentation* .", - "title": "HostNetwork", "type": "boolean" }, "Metadata": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.EksMetadata", - "markdownDescription": "Metadata about the Kubernetes pod. For more information, see [Understanding Kubernetes Objects](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/) in the *Kubernetes documentation* .", - "title": "Metadata" + "$ref": "#/definitions/AWS::Batch::JobDefinition.EksMetadata" }, "ServiceAccountName": { - "markdownDescription": "The name of the service account that's used to run the pod. For more information, see [Kubernetes service accounts](https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html) and [Configure a Kubernetes service account to assume an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) in the *Amazon EKS User Guide* and [Configure service accounts for pods](https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) in the *Kubernetes documentation* .", - "title": "ServiceAccountName", "type": "string" }, "Volumes": { "items": { "$ref": "#/definitions/AWS::Batch::JobDefinition.EksVolume" }, - "markdownDescription": "Specifies the volumes for a job definition that uses Amazon EKS resources.", - "title": "Volumes", "type": "array" } }, @@ -27181,8 +27177,6 @@ "additionalProperties": false, "properties": { "SourcePath": { - "markdownDescription": "The path on the host container instance that's presented to the container. If this parameter is empty, then the Docker daemon has assigned a host path for you. If this parameter contains a file location, then the data volume persists at the specified location on the host container instance until you delete it manually. If the source path location doesn't exist on the host container instance, the Docker daemon creates it. If the location does exist, the contents of the source path folder are exported.\n\n> This parameter isn't applicable to jobs that run on Fargate resources. Don't provide this for these jobs.", - "title": "SourcePath", "type": "string" } }, @@ -27192,8 +27186,6 @@ "additionalProperties": false, "properties": { "AttemptDurationSeconds": { - "markdownDescription": "The job timeout time (in seconds) that's measured from the job attempt's `startedAt` timestamp. After this time passes, AWS Batch terminates your jobs if they aren't finished. The minimum value for the timeout is 60 seconds.\n\nFor array jobs, the timeout applies to the child jobs, not to the parent array job.\n\nFor multi-node parallel (MNP) jobs, the timeout applies to the whole job, not to the individual nodes.", - "title": "AttemptDurationSeconds", "type": "number" } }, @@ -27278,18 +27270,12 @@ "additionalProperties": false, "properties": { "ContainerPath": { - "markdownDescription": "The path on the container where the host volume is mounted.", - "title": "ContainerPath", "type": "string" }, "ReadOnly": { - "markdownDescription": "If this value is `true` , the container has read-only access to the volume. Otherwise, the container can write to the volume. The default value is `false` .", - "title": "ReadOnly", "type": "boolean" }, "SourceVolume": { - "markdownDescription": "The name of the volume to mount.", - "title": "SourceVolume", "type": "string" } }, @@ -27483,18 +27469,12 @@ "additionalProperties": false, "properties": { "EfsVolumeConfiguration": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.EFSVolumeConfiguration", - "markdownDescription": "This parameter is specified when you're using an Amazon Elastic File System file system for job storage. Jobs that are running on Fargate resources must specify a `platformVersion` of at least `1.4.0` .", - "title": "EfsVolumeConfiguration" + "$ref": "#/definitions/AWS::Batch::JobDefinition.EFSVolumeConfiguration" }, "Host": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.Host", - "markdownDescription": "The contents of the `host` parameter determine whether your data volume persists on the host container instance and where it's stored. If the host parameter is empty, then the Docker daemon assigns a host path for your data volume. However, the data isn't guaranteed to persist after the containers that are associated with it stop running.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided.", - "title": "Host" + "$ref": "#/definitions/AWS::Batch::JobDefinition.Host" }, "Name": { - "markdownDescription": "The name of the volume. It can be up to 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), and underscores (_). This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .", - "title": "Name", "type": "string" } }, @@ -30801,7 +30781,7 @@ "items": { "type": "string" }, - "markdownDescription": "The analysis templates that are allowed by the custom analysis rule.", + "markdownDescription": "The ARN of the analysis templates that are allowed by the custom analysis rule.", "title": "AllowedAnalyses", "type": "array" }, @@ -30809,7 +30789,7 @@ "items": { "type": "string" }, - "markdownDescription": "The AWS accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` .", + "markdownDescription": "The IDs of the AWS accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` .", "title": "AllowedAnalysisProviders", "type": "array" } @@ -38361,7 +38341,7 @@ "title": "RegistryCredential" }, "Type": { - "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `ARM_LAMBDA_CONTAINER` and `LINUX_LAMBDA_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland), and South America (S\u00e3o Paulo).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", + "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `ARM_LAMBDA_CONTAINER` and `LINUX_LAMBDA_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland), and South America (S\u00e3o Paulo).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\n> If you're using compute fleets during project creation, `type` will be ignored. \n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", "title": "Type", "type": "string" } @@ -45202,20 +45182,20 @@ "title": "ExclusionByResourceTypes" }, "IncludeGlobalResourceTypes": { - "markdownDescription": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `includeGlobalResourceTypes` is not set to `true` . The `includeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > Before you set this field to `true` , set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `includeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `resourceTypes` field in addition to setting the `includeGlobalResourceTypes` field to false.", + "markdownDescription": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Canada West (Calgary)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `IncludeGlobalResourceTypes` is set to `false` . The `IncludeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > *IncludeGlobalResourceTypes and the exclusion recording strategy*\n> \n> The `IncludeGlobalResourceTypes` field has no impact on the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy. This means that the global IAM resource types ( IAM users, groups, roles, and customer managed policies) will not be automatically added as exclusions for `ExclusionByResourceTypes` when `IncludeGlobalResourceTypes` is set to `false` .\n> \n> The `IncludeGlobalResourceTypes` field should only be used to modify the `AllSupported` field, as the default for the `AllSupported` field is to record configuration changes for all supported resource types excluding the global IAM resource types. To include the global IAM resource types when `AllSupported` is set to `true` , make sure to set `IncludeGlobalResourceTypes` to `true` .\n> \n> To exclude the global IAM resource types for the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, you need to manually add them to the `ResourceTypes` field of `ExclusionByResourceTypes` . > *Required and optional fields*\n> \n> Before you set this field to `true` , set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `IncludeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `ResourceTypes` field in addition to setting the `IncludeGlobalResourceTypes` field to false.", "title": "IncludeGlobalResourceTypes", "type": "boolean" }, "RecordingStrategy": { "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy", - "markdownDescription": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "markdownDescription": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `ExclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `IncludeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `ResourceTypes` field of `ExclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Canada West (Calgary)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", "title": "RecordingStrategy" }, "ResourceTypes": { "items": { "type": "string" }, - "markdownDescription": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `resourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `allSupported` field to `false` and specify values for `resourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config .", + "markdownDescription": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `ResourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `AllSupported` field to `false` and specify values for `ResourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config .", "title": "ResourceTypes", "type": "array" } @@ -45276,7 +45256,7 @@ "additionalProperties": false, "properties": { "UseOnly": { - "markdownDescription": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "markdownDescription": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `ExclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `IncludeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `ResourceTypes` field of `ExclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Canada West (Calgary)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", "title": "UseOnly", "type": "string" } @@ -64981,6 +64961,11 @@ "title": "SourceIpamPoolId", "type": "string" }, + "SourceResource": { + "$ref": "#/definitions/AWS::EC2::IPAMPool.SourceResource", + "markdownDescription": "The resource used to provision CIDRs to a resource planning pool.", + "title": "SourceResource" + }, "Tags": { "items": { "$ref": "#/definitions/Tag" @@ -65031,6 +65016,38 @@ ], "type": "object" }, + "AWS::EC2::IPAMPool.SourceResource": { + "additionalProperties": false, + "properties": { + "ResourceId": { + "markdownDescription": "The source resource ID.", + "title": "ResourceId", + "type": "string" + }, + "ResourceOwner": { + "markdownDescription": "The source resource owner.", + "title": "ResourceOwner", + "type": "string" + }, + "ResourceRegion": { + "markdownDescription": "The source resource Region.", + "title": "ResourceRegion", + "type": "string" + }, + "ResourceType": { + "markdownDescription": "The source resource type.", + "title": "ResourceType", + "type": "string" + } + }, + "required": [ + "ResourceId", + "ResourceOwner", + "ResourceRegion", + "ResourceType" + ], + "type": "object" + }, "AWS::EC2::IPAMPoolCidr": { "additionalProperties": false, "properties": { @@ -65447,7 +65464,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::Instance.ElasticGpuSpecification" }, - "markdownDescription": "An elastic GPU to associate with the instance. An Elastic GPU is a GPU resource that you can attach to your Windows instance to accelerate the graphics performance of your applications. For more information, see [Amazon EC2 Elastic GPUs](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html) in the *Amazon EC2 User Guide* .", + "markdownDescription": "Deprecated.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.", "title": "ElasticGpuSpecifications", "type": "array" }, @@ -66908,7 +66925,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.ElasticGpuSpecification" }, - "markdownDescription": "An elastic GPU to associate with the instance.", + "markdownDescription": "Deprecated.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.", "title": "ElasticGpuSpecifications", "type": "array" }, @@ -67470,7 +67487,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include an Elastic GPU.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", + "markdownDescription": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include a volume.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "title": "ResourceType", "type": "string" }, @@ -68069,7 +68086,7 @@ "additionalProperties": false, "properties": { "CidrBlock": { - "markdownDescription": "The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). Requirement is conditional: You must specify the `CidrBlock` or `Ipv6CidrBlock` property.", + "markdownDescription": "The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). You must specify an IPv4 CIDR block or an IPv6 CIDR block.", "title": "CidrBlock", "type": "string" }, @@ -68080,11 +68097,11 @@ }, "Icmp": { "$ref": "#/definitions/AWS::EC2::NetworkAclEntry.Icmp", - "markdownDescription": "The Internet Control Message Protocol (ICMP) code and type. Requirement is conditional: Required if specifying 1 (ICMP) for the protocol parameter.", + "markdownDescription": "The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter.", "title": "Icmp" }, "Ipv6CidrBlock": { - "markdownDescription": "The IPv6 network range to allow or deny, in CIDR notation. Requirement is conditional: You must specify the `CidrBlock` or `Ipv6CidrBlock` property.", + "markdownDescription": "The IPv6 network range to allow or deny, in CIDR notation. You must specify an IPv4 CIDR block or an IPv6 CIDR block.", "title": "Ipv6CidrBlock", "type": "string" }, @@ -68095,7 +68112,7 @@ }, "PortRange": { "$ref": "#/definitions/AWS::EC2::NetworkAclEntry.PortRange", - "markdownDescription": "The range of port numbers for the UDP/TCP protocol. Conditional required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.", + "markdownDescription": "The range of port numbers for the UDP/TCP protocol. Required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.", "title": "PortRange" }, "Protocol": { @@ -68147,7 +68164,7 @@ "additionalProperties": false, "properties": { "Code": { - "markdownDescription": "The Internet Control Message Protocol (ICMP) code. You can use -1 to specify all ICMP codes for the given ICMP type. Requirement is conditional: Required if you specify 1 (ICMP) for the protocol parameter.", + "markdownDescription": "The Internet Control Message Protocol (ICMP) code. You can use -1 to specify all ICMP codes for the given ICMP type. Required if you specify 1 (ICMP) for the protocol parameter.", "title": "Code", "type": "number" }, @@ -69461,6 +69478,11 @@ "Properties": { "additionalProperties": false, "properties": { + "ConnectionTrackingSpecification": { + "$ref": "#/definitions/AWS::EC2::NetworkInterface.ConnectionTrackingSpecification", + "markdownDescription": "A connection tracking specification for the network interface.", + "title": "ConnectionTrackingSpecification" + }, "Description": { "markdownDescription": "A description for the network interface.", "title": "Description", @@ -69581,6 +69603,27 @@ ], "type": "object" }, + "AWS::EC2::NetworkInterface.ConnectionTrackingSpecification": { + "additionalProperties": false, + "properties": { + "TcpEstablishedTimeout": { + "markdownDescription": "Timeout (in seconds) for idle TCP connections in an established state. Min: 60 seconds. Max: 432000 seconds (5 days). Default: 432000 seconds. Recommended: Less than 432000 seconds.", + "title": "TcpEstablishedTimeout", + "type": "number" + }, + "UdpStreamTimeout": { + "markdownDescription": "Timeout (in seconds) for idle UDP flows classified as streams which have seen more than one request-response transaction. Min: 60 seconds. Max: 180 seconds (3 minutes). Default: 180 seconds.", + "title": "UdpStreamTimeout", + "type": "number" + }, + "UdpTimeout": { + "markdownDescription": "Timeout (in seconds) for idle UDP flows that have seen traffic only in a single direction or a single request-response transaction. Min: 30 seconds. Max: 60 seconds. Default: 30 seconds.", + "title": "UdpTimeout", + "type": "number" + } + }, + "type": "object" + }, "AWS::EC2::NetworkInterface.InstanceIpv6Address": { "additionalProperties": false, "properties": { @@ -70368,7 +70411,7 @@ "type": "array" }, "VpcId": { - "markdownDescription": "The ID of the VPC for the security group.", + "markdownDescription": "The ID of the VPC for the security group. If you do not specify a VPC, the default is to use the default VPC for the Region. If there's no specified VPC and no default VPC, security group creation fails.", "title": "VpcId", "type": "string" } @@ -70428,7 +70471,7 @@ "type": "string" }, "FromPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).", "title": "FromPort", "type": "number" }, @@ -70438,7 +70481,7 @@ "type": "string" }, "ToPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).", "title": "ToPort", "type": "number" } @@ -70467,7 +70510,7 @@ "type": "string" }, "FromPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).", "title": "FromPort", "type": "number" }, @@ -70482,7 +70525,7 @@ "type": "string" }, "SourceSecurityGroupId": { - "markdownDescription": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.", + "markdownDescription": "The ID of the security group.", "title": "SourceSecurityGroupId", "type": "string" }, @@ -70497,7 +70540,7 @@ "type": "string" }, "ToPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).", "title": "ToPort", "type": "number" } @@ -70568,7 +70611,7 @@ "type": "string" }, "FromPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).", "title": "FromPort", "type": "number" }, @@ -70583,7 +70626,7 @@ "type": "string" }, "ToPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).", "title": "ToPort", "type": "number" } @@ -71874,7 +71917,7 @@ "additionalProperties": false, "properties": { "AssignIpv6AddressOnCreation": { - "markdownDescription": "Indicates whether a network interface created in this subnet receives an IPv6 address. The default value is `false` .\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify `Ipv6CidrBlock` .", + "markdownDescription": "Indicates whether a network interface created in this subnet receives an IPv6 address. The default value is `false` .\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify an IPv6 CIDR block.", "title": "AssignIpv6AddressOnCreation", "type": "boolean" }, @@ -71909,7 +71952,7 @@ "type": "number" }, "Ipv6CidrBlock": { - "markdownDescription": "The IPv6 CIDR block.\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify `Ipv6CidrBlock` .", + "markdownDescription": "The IPv6 CIDR block.\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify an IPv6 CIDR block.", "title": "Ipv6CidrBlock", "type": "string" }, @@ -71917,7 +71960,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The IPv6 network ranges for the subnet, in CIDR notation.", "title": "Ipv6CidrBlocks", "type": "array" }, @@ -72048,7 +72091,7 @@ "additionalProperties": false, "properties": { "Ipv6CidrBlock": { - "markdownDescription": "The IPv6 network range for the subnet, in CIDR notation. This parameter is required for an IPv6 only subnet.", + "markdownDescription": "The IPv6 network range for the subnet, in CIDR notation.", "title": "Ipv6CidrBlock", "type": "string" }, @@ -78768,6 +78811,11 @@ "AWS::ECS::TaskDefinition.Volume": { "additionalProperties": false, "properties": { + "ConfiguredAtLaunch": { + "markdownDescription": "Indicates whether the volume should be configured at launch time. This is used to create Amazon EBS volumes for standalone tasks or tasks created as part of a service. Each task definition revision may only have one volume configured at launch in the volume configuration.\n\nTo configure a volume at launch time, use this task definition revision and specify a `volumeConfigurations` object when calling the `CreateService` , `UpdateService` , `RunTask` or `StartTask` APIs.", + "title": "ConfiguredAtLaunch", + "type": "boolean" + }, "DockerVolumeConfiguration": { "$ref": "#/definitions/AWS::ECS::TaskDefinition.DockerVolumeConfiguration", "markdownDescription": "This parameter is specified when you use Docker volumes.\n\nWindows containers only support the use of the `local` driver. To use bind mounts, specify the `host` parameter instead.\n\n> Docker volumes aren't supported by tasks run on AWS Fargate .", @@ -105971,8 +106019,7 @@ }, "required": [ "Format", - "Location", - "Name" + "Location" ], "type": "object" }, @@ -106256,8 +106303,7 @@ }, "required": [ "Format", - "Location", - "Name" + "Location" ], "type": "object" }, @@ -108349,7 +108395,7 @@ "items": { "type": "string" }, - "markdownDescription": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "markdownDescription": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/LowLatencyUserGuide/record-to-s3.html) .", "title": "Renditions", "type": "array" } @@ -108379,7 +108425,7 @@ "type": "string" }, "Resolution": { - "markdownDescription": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "markdownDescription": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/LowLatencyUserGuide/record-to-s3.html) .", "title": "Resolution", "type": "string" }, @@ -108392,7 +108438,7 @@ "type": "array" }, "TargetIntervalSeconds": { - "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60.", + "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/LowLatencyUserGuide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60.", "title": "TargetIntervalSeconds", "type": "number" } @@ -111905,7 +111951,7 @@ "properties": { "S3Config": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.S3Config", - "markdownDescription": "The configuration information for publishing Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs.", + "markdownDescription": "The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3.", "title": "S3Config" } }, @@ -111936,17 +111982,17 @@ "additionalProperties": false, "properties": { "BucketName": { - "markdownDescription": "The Amazon S3 bucket name.", + "markdownDescription": "The Amazon S3 bucket name for internet measurements publishing.", "title": "BucketName", "type": "string" }, "BucketPrefix": { - "markdownDescription": "The Amazon S3 bucket prefix.", + "markdownDescription": "An optional Amazon S3 bucket prefix for internet measurements publishing.", "title": "BucketPrefix", "type": "string" }, "LogDeliveryStatus": { - "markdownDescription": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket.", + "markdownDescription": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise.", "title": "LogDeliveryStatus", "type": "string" } @@ -113164,9 +113210,6 @@ "title": "ServerCertificateArns", "type": "array" }, - "ServerCertificateConfig": { - "$ref": "#/definitions/AWS::IoT::DomainConfiguration.ServerCertificateConfig" - }, "ServiceType": { "markdownDescription": "The type of service delivered by the endpoint.\n\n> AWS IoT Core currently supports only the `DATA` service type.", "title": "ServiceType", @@ -113229,15 +113272,6 @@ }, "type": "object" }, - "AWS::IoT::DomainConfiguration.ServerCertificateConfig": { - "additionalProperties": false, - "properties": { - "EnableOCSPCheck": { - "type": "boolean" - } - }, - "type": "object" - }, "AWS::IoT::DomainConfiguration.ServerCertificateSummary": { "additionalProperties": false, "properties": { @@ -140852,7 +140886,7 @@ "additionalProperties": false, "properties": { "PolicyDocument": { - "markdownDescription": "Specify the data protection policy, in JSON.\n\nThis policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly.", + "markdownDescription": "Specify the policy, in JSON.\n\n*Data protection policy*\n\nA data protection policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly. \n\nIn addition to the two JSON blocks, the `policyDocument` can also include `Name` , `Description` , and `Version` fields. The `Name` is different than the operation's `policyName` parameter, and is used as a dimension when CloudWatch Logs reports audit findings metrics to CloudWatch .\n\nThe JSON specified in `policyDocument` can be up to 30,720 characters long.\n\n*Subscription filter policy*\n\nA subscription filter policy can include the following attributes in a JSON block:\n\n- *DestinationArn* The ARN of the destination to deliver log events to. Supported destinations are:\n\n- An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.\n- An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.\n- A Lambda function in the same account as the subscription policy, for same-account delivery.\n- A logical destination in a different account created with [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html) , for cross-account delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.\n- *RoleArn* The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log events to the destination stream. You don't need to provide the ARN when you are working with a logical destination for cross-account delivery.\n- *FilterPattern* A filter pattern for subscribing to a filtered stream of log events.\n- *Distribution* The method used to distribute log data to the destination. By default, log data is grouped by log stream, but the grouping can be set to `Random` for a more even distribution. This property is only applicable when the destination is an Kinesis Data Streams data stream.", "title": "PolicyDocument", "type": "string" }, @@ -140862,14 +140896,19 @@ "type": "string" }, "PolicyType": { - "markdownDescription": "Currently the only valid value for this parameter is `DATA_PROTECTION_POLICY` .", + "markdownDescription": "The type of policy that you're creating or updating.", "title": "PolicyType", "type": "string" }, "Scope": { - "markdownDescription": "Currently the only valid value for this parameter is `ALL` , which specifies that the data protection policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used.", + "markdownDescription": "Currently the only valid value for this parameter is `ALL` , which specifies that the policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used. To scope down a subscription filter policy to a subset of log groups, use the `selectionCriteria` parameter.", "title": "Scope", "type": "string" + }, + "SelectionCriteria": { + "markdownDescription": "Use this parameter to apply a subscription filter policy to a subset of log groups in the account. Currently, the only supported filter is `LogGroupName NOT IN []` . The `selectionCriteria` string can be up to 25KB in length. The length is determined by using its UTF-8 bytes.\n\nUsing the `selectionCriteria` parameter is useful to help prevent infinite loops. For more information, see [Log recursion prevention](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions-recursion-prevention.html) .\n\nSpecifing `selectionCriteria` is valid only when you specify `SUBSCRIPTION_FILTER_POLICY` for `policyType` .", + "title": "SelectionCriteria", + "type": "string" } }, "required": [ @@ -148805,6 +148844,41 @@ }, "type": "object" }, + "AWS::MediaLive::Channel.ColorCorrection": { + "additionalProperties": false, + "properties": { + "InputColorSpace": { + "markdownDescription": "", + "title": "InputColorSpace", + "type": "string" + }, + "OutputColorSpace": { + "markdownDescription": "", + "title": "OutputColorSpace", + "type": "string" + }, + "Uri": { + "markdownDescription": "", + "title": "Uri", + "type": "string" + } + }, + "type": "object" + }, + "AWS::MediaLive::Channel.ColorCorrectionSettings": { + "additionalProperties": false, + "properties": { + "GlobalColorCorrections": { + "items": { + "$ref": "#/definitions/AWS::MediaLive::Channel.ColorCorrection" + }, + "markdownDescription": "", + "title": "GlobalColorCorrections", + "type": "array" + } + }, + "type": "object" + }, "AWS::MediaLive::Channel.ColorSpacePassthroughSettings": { "additionalProperties": false, "properties": {}, @@ -149223,6 +149297,11 @@ "title": "CaptionDescriptions", "type": "array" }, + "ColorCorrectionSettings": { + "$ref": "#/definitions/AWS::MediaLive::Channel.ColorCorrectionSettings", + "markdownDescription": "", + "title": "ColorCorrectionSettings" + }, "FeatureActivations": { "$ref": "#/definitions/AWS::MediaLive::Channel.FeatureActivations", "markdownDescription": "Settings to enable specific features.", @@ -163554,6 +163633,11 @@ "AWS::OpenSearchService::Domain.ClusterConfig": { "additionalProperties": false, "properties": { + "ColdStorageOptions": { + "$ref": "#/definitions/AWS::OpenSearchService::Domain.ColdStorageOptions", + "markdownDescription": "Specifies cold storage options for the domain.", + "title": "ColdStorageOptions" + }, "DedicatedMasterCount": { "markdownDescription": "The number of instances to use for the master node. If you specify this property, you must specify `true` for the `DedicatedMasterEnabled` property.", "title": "DedicatedMasterCount", @@ -163638,6 +163722,17 @@ }, "type": "object" }, + "AWS::OpenSearchService::Domain.ColdStorageOptions": { + "additionalProperties": false, + "properties": { + "Enabled": { + "markdownDescription": "Whether to enable or disable cold storage on the domain. You must enable UltraWarm storage in order to enable cold storage.", + "title": "Enabled", + "type": "boolean" + } + }, + "type": "object" + }, "AWS::OpenSearchService::Domain.DomainEndpointOptions": { "additionalProperties": false, "properties": { @@ -174076,6 +174171,14 @@ "markdownDescription": "", "title": "Definition" }, + "Errors": { + "items": { + "$ref": "#/definitions/AWS::QuickSight::Analysis.AnalysisError" + }, + "markdownDescription": "Errors associated with the analysis.", + "title": "Errors", + "type": "array" + }, "Name": { "markdownDescription": "A descriptive name for the analysis that you're creating. This name displays for the analysis in the Amazon QuickSight console.", "title": "Name", @@ -174094,6 +174197,14 @@ "title": "Permissions", "type": "array" }, + "Sheets": { + "items": { + "$ref": "#/definitions/AWS::QuickSight::Analysis.Sheet" + }, + "markdownDescription": "A list of the associated sheets with the unique identifier and name of each sheet.", + "title": "Sheets", + "type": "array" + }, "SourceEntity": { "$ref": "#/definitions/AWS::QuickSight::Analysis.AnalysisSourceEntity", "markdownDescription": "A source entity to use for the analysis that you're creating. This metadata structure contains details that describe a source template and one or more datasets.\n\nEither a `SourceEntity` or a `Definition` must be provided in order for the request to be valid.", @@ -182978,9 +183089,6 @@ "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" - }, - "Resource": { - "type": "string" } }, "required": [ @@ -195248,9 +195356,6 @@ "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" - }, - "Resource": { - "type": "string" } }, "required": [ @@ -209384,9 +209489,6 @@ "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" - }, - "Resource": { - "type": "string" } }, "required": [ @@ -212843,9 +212945,6 @@ "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" - }, - "Resource": { - "type": "string" } }, "required": [ @@ -213150,6 +213249,11 @@ "markdownDescription": "The ID for the topic. This ID is unique per AWS Region for each AWS account.", "title": "TopicId", "type": "string" + }, + "UserExperienceVersion": { + "markdownDescription": "The user experience version of a topic.", + "title": "UserExperienceVersion", + "type": "string" } }, "type": "object" @@ -217166,11 +217270,21 @@ "title": "MaintenanceTrackName", "type": "string" }, + "ManageMasterPassword": { + "markdownDescription": "If `true` , Amazon Redshift uses AWS Secrets Manager to manage this cluster's admin credentials. You can't use `MasterUserPassword` if `ManageMasterPassword` is true. If `ManageMasterPassword` is false or not set, Amazon Redshift uses `MasterUserPassword` for the admin user account's password.", + "title": "ManageMasterPassword", + "type": "boolean" + }, "ManualSnapshotRetentionPeriod": { "markdownDescription": "The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots.\n\nThe value must be either -1 or an integer between 1 and 3,653.", "title": "ManualSnapshotRetentionPeriod", "type": "number" }, + "MasterPasswordSecretKmsKeyId": { + "markdownDescription": "The ID of the AWS Key Management Service (KMS) key used to encrypt and store the cluster's admin credentials secret. You can only use this parameter if `ManageMasterPassword` is true.", + "title": "MasterPasswordSecretKmsKeyId", + "type": "string" + }, "MasterUserPassword": { "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nYou can't use `MasterUserPassword` if `ManageMasterPassword` is `true` .\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", "title": "MasterUserPassword", @@ -217186,6 +217300,11 @@ "title": "MultiAZ", "type": "boolean" }, + "NamespaceResourcePolicy": { + "markdownDescription": "The policy that is attached to a resource.", + "title": "NamespaceResourcePolicy", + "type": "object" + }, "NodeType": { "markdownDescription": "The node type to be provisioned for the cluster. For information about node types, go to [Working with Clusters](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes) in the *Amazon Redshift Cluster Management Guide* .\n\nValid Values: `ds2.xlarge` | `ds2.8xlarge` | `dc1.large` | `dc1.8xlarge` | `dc2.large` | `dc2.8xlarge` | `ra3.xlplus` | `ra3.4xlarge` | `ra3.16xlarge`", "title": "NodeType", @@ -217276,7 +217395,6 @@ "required": [ "ClusterType", "DBName", - "MasterUserPassword", "MasterUsername", "NodeType" ], @@ -217333,9 +217451,6 @@ "type": "string" } }, - "required": [ - "BucketName" - ], "type": "object" }, "AWS::Redshift::ClusterParameterGroup": { @@ -225466,7 +225581,7 @@ }, "TargetObjectKeyFormat": { "$ref": "#/definitions/AWS::S3::Bucket.TargetObjectKeyFormat", - "markdownDescription": "Amazon S3 key format for log objects. Only one format, PartitionedPrefix or SimplePrefix, is allowed.", + "markdownDescription": "Amazon S3 key format for log objects. Only one format, either PartitionedPrefix or SimplePrefix, is allowed.", "title": "TargetObjectKeyFormat" } }, @@ -226142,7 +226257,7 @@ "additionalProperties": false, "properties": { "KMSMasterKeyID": { - "markdownDescription": "KMS key ID to use for the default encryption. This parameter is allowed if SSEAlgorithm is aws:kms.\n\nYou can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the CMK. However, if you are using encryption with cross-account operations, you must use a fully qualified CMK ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy) .\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n\n> Amazon S3 only supports symmetric KMS keys and not asymmetric KMS keys. For more information, see [Using Symmetric and Asymmetric Keys](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "AWS Key Management Service (KMS) customer AWS KMS key ID to use for the default encryption. This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse` .\n\nYou can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key Alias: `alias/alias-name`\n\nIf you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.\n\nIf you are using encryption with cross-account or AWS service operations you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy) .\n\n> Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .", "title": "KMSMasterKeyID", "type": "string" }, @@ -236256,6 +236371,11 @@ "markdownDescription": "Tags used to define a `FeatureGroup` .", "title": "Tags", "type": "array" + }, + "ThroughputConfig": { + "$ref": "#/definitions/AWS::SageMaker::FeatureGroup.ThroughputConfig", + "markdownDescription": "Used to set feature group throughput configuration. There are two modes: `ON_DEMAND` and `PROVISIONED` . With on-demand mode, you are charged for data reads and writes that your application performs on your feature group. You do not need to specify read and write throughput because Feature Store accommodates your workloads as they ramp up and down. You can switch a feature group to on-demand only once in a 24 hour period. With provisioned throughput mode, you specify the read and write capacity per second that you expect your application to require, and you are billed based on those limits. Exceeding provisioned throughput will result in your requests being throttled.\n\nNote: `PROVISIONED` throughput mode is supported only for feature groups that are offline-only, or use the [`Standard`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_OnlineStoreConfig.html#sagemaker-Type-OnlineStoreConfig-StorageType) tier online store.", + "title": "ThroughputConfig" } }, "required": [ @@ -236413,6 +236533,30 @@ ], "type": "object" }, + "AWS::SageMaker::FeatureGroup.ThroughputConfig": { + "additionalProperties": false, + "properties": { + "ProvisionedReadCapacityUnits": { + "markdownDescription": "For provisioned feature groups with online store enabled, this indicates the read throughput you are billed for and can consume without throttling.\n\nThis field is not applicable for on-demand feature groups.", + "title": "ProvisionedReadCapacityUnits", + "type": "number" + }, + "ProvisionedWriteCapacityUnits": { + "markdownDescription": "For provisioned feature groups, this indicates the write throughput you are billed for and can consume without throttling.\n\nThis field is not applicable for on-demand feature groups.", + "title": "ProvisionedWriteCapacityUnits", + "type": "number" + }, + "ThroughputMode": { + "markdownDescription": "The mode used for your feature group throughput: `ON_DEMAND` or `PROVISIONED` .", + "title": "ThroughputMode", + "type": "string" + } + }, + "required": [ + "ThroughputMode" + ], + "type": "object" + }, "AWS::SageMaker::Image": { "additionalProperties": false, "properties": { @@ -251552,7 +251696,8 @@ } }, "required": [ - "Definition" + "Definition", + "PolicyStoreId" ], "type": "object" }, @@ -251691,6 +251836,11 @@ "Properties": { "additionalProperties": false, "properties": { + "Description": { + "markdownDescription": "Descriptive text that you can provide to help with identification of the current policy store.", + "title": "Description", + "type": "string" + }, "Schema": { "$ref": "#/definitions/AWS::VerifiedPermissions::PolicyStore.SchemaDefinition", "markdownDescription": "Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.", diff --git a/schema_source/cloudformation-docs.json b/schema_source/cloudformation-docs.json index 965badef4..6b0f6a0a9 100644 --- a/schema_source/cloudformation-docs.json +++ b/schema_source/cloudformation-docs.json @@ -2013,8 +2013,8 @@ "Name": "A name for the query parameter that will be matched on." }, "AWS::AppMesh::GatewayRoute Tag": { - "Key": "", - "Value": "" + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::AppMesh::Mesh": { "MeshName": "The name to use for the service mesh.", @@ -2029,11 +2029,11 @@ }, "AWS::AppMesh::Mesh MeshSpec": { "EgressFilter": "The egress filter rules for the service mesh.", - "ServiceDiscovery": "" + "ServiceDiscovery": "An object that represents the service discovery information for a service mesh." }, "AWS::AppMesh::Mesh Tag": { - "Key": "", - "Value": "" + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::AppMesh::Route": { "MeshName": "The name of the service mesh to create the route in.", @@ -2148,8 +2148,8 @@ "TcpRoute": "An object that represents the specification of a TCP route." }, "AWS::AppMesh::Route Tag": { - "Key": "", - "Value": "" + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::AppMesh::Route TcpRoute": { "Action": "The action to take if a match is determined.", @@ -2192,8 +2192,8 @@ "Match": "An object that represents the criteria for determining a SANs match." }, "AWS::AppMesh::VirtualGateway Tag": { - "Key": "", - "Value": "" + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::AppMesh::VirtualGateway VirtualGatewayAccessLog": { "File": "The file object to send virtual gateway access logs to." @@ -2449,8 +2449,8 @@ "Match": "An object that represents the criteria for determining a SANs match." }, "AWS::AppMesh::VirtualNode Tag": { - "Key": "", - "Value": "" + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::AppMesh::VirtualNode TcpTimeout": { "Idle": "An object that represents an idle timeout. An idle timeout bounds the amount of time that a connection may be idle. The default value is none." @@ -2515,8 +2515,8 @@ "Protocol": "The protocol used for the port mapping. Specify one protocol." }, "AWS::AppMesh::VirtualRouter Tag": { - "Key": "", - "Value": "" + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::AppMesh::VirtualRouter VirtualRouterListener": { "PortMapping": "The port mapping information for the listener." @@ -2532,8 +2532,8 @@ "VirtualServiceName": "The name to use for the virtual service." }, "AWS::AppMesh::VirtualService Tag": { - "Key": "", - "Value": "" + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::AppMesh::VirtualService VirtualNodeServiceProvider": { "VirtualNodeName": "The name of the virtual node that is acting as a service provider." @@ -4025,7 +4025,7 @@ "AWS::Backup::Framework FrameworkControl": { "ControlInputParameters": "A list of `ParameterName` and `ParameterValue` pairs.", "ControlName": "The name of a control. This name is between 1 and 256 characters.", - "ControlScope": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans." + "ControlScope": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans.\n\nFor more information, see [`ControlScope` .](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_ControlScope.html)" }, "AWS::Backup::Framework Tag": { "Key": "", @@ -4168,6 +4168,10 @@ "Timeout": "The timeout time for jobs that are submitted with this job definition. After the amount of time you specify passes, AWS Batch terminates your jobs if they aren't finished.", "Type": "The type of job definition. For more information about multi-node parallel jobs, see [Creating a multi-node parallel job definition](https://docs.aws.amazon.com/batch/latest/userguide/multi-node-job-def.html) in the *AWS Batch User Guide* .\n\n> If the job is run on Fargate resources, then `multinode` isn't supported." }, + "AWS::Batch::JobDefinition AuthorizationConfig": { + "AccessPointId": "The Amazon EFS access point ID to use. If an access point is specified, the root directory value specified in the `EFSVolumeConfiguration` must either be omitted or set to `/` which enforces the path set on the EFS access point. If an access point is used, transit encryption must be enabled in the `EFSVolumeConfiguration` . For more information, see [Working with Amazon EFS access points](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html) in the *Amazon Elastic File System User Guide* .", + "Iam": "Whether or not to use the AWS Batch job IAM role defined in a job definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the `EFSVolumeConfiguration` . If this parameter is omitted, the default value of `DISABLED` is used. For more information, see [Using Amazon EFS access points](https://docs.aws.amazon.com/batch/latest/userguide/efs-volumes.html#efs-volume-accesspoints) in the *AWS Batch User Guide* . EFS IAM authorization requires that `TransitEncryption` be `ENABLED` and that a `JobRoleArn` is specified." + }, "AWS::Batch::JobDefinition ContainerProperties": { "Command": "The command that's passed to the container. This parameter maps to `Cmd` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `COMMAND` parameter to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . For more information, see [https://docs.docker.com/engine/reference/builder/#cmd](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/builder/#cmd) .", "Environment": "The environment variables to pass to a container. This parameter maps to `Env` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--env` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> We don't recommend using plaintext environment variables for sensitive information, such as credential data. > Environment variables cannot start with \" `AWS_BATCH` \". This naming convention is reserved for variables that AWS Batch sets.", @@ -4197,11 +4201,7 @@ "HostPath": "The path for the device on the host container instance.", "Permissions": "The explicit permissions to provide to the container for the device. By default, the container has permissions for `read` , `write` , and `mknod` for the device." }, - "AWS::Batch::JobDefinition EFSAuthorizationConfig": { - "AccessPointId": "The Amazon EFS access point ID to use. If an access point is specified, the root directory value specified in the `EFSVolumeConfiguration` must either be omitted or set to `/` which enforces the path set on the EFS access point. If an access point is used, transit encryption must be enabled in the `EFSVolumeConfiguration` . For more information, see [Working with Amazon EFS access points](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html) in the *Amazon Elastic File System User Guide* .", - "Iam": "Whether or not to use the AWS Batch job IAM role defined in a job definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the `EFSVolumeConfiguration` . If this parameter is omitted, the default value of `DISABLED` is used. For more information, see [Using Amazon EFS access points](https://docs.aws.amazon.com/batch/latest/userguide/efs-volumes.html#efs-volume-accesspoints) in the *AWS Batch User Guide* . EFS IAM authorization requires that `TransitEncryption` be `ENABLED` and that a `JobRoleArn` is specified." - }, - "AWS::Batch::JobDefinition EFSVolumeConfiguration": { + "AWS::Batch::JobDefinition EfsVolumeConfiguration": { "AuthorizationConfig": "The authorization configuration details for the Amazon EFS file system.", "FileSystemId": "The Amazon EFS file system ID to use.", "RootDirectory": "The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume is used instead. Specifying `/` has the same effect as omitting this parameter. The maximum length is 4,096 characters.\n\n> If an EFS access point is specified in the `authorizationConfig` , the root directory parameter must either be omitted or set to `/` , which enforces the path set on the Amazon EFS access point.", @@ -4246,17 +4246,6 @@ "AWS::Batch::JobDefinition EksHostPath": { "Path": "The path of the file or directory on the host to mount into containers on the pod." }, - "AWS::Batch::JobDefinition EksMetadata": { - "Labels": "Key-value pairs used to identify, sort, and organize cube resources. Can contain up to 63 uppercase letters, lowercase letters, numbers, hyphens (-), and underscores (_). Labels can be added or modified at any time. Each resource can have multiple labels, but each key must be unique for a given object." - }, - "AWS::Batch::JobDefinition EksPodProperties": { - "Containers": "The properties of the container that's used on the Amazon EKS pod.", - "DnsPolicy": "The DNS policy for the pod. The default value is `ClusterFirst` . If the `hostNetwork` parameter is not specified, the default is `ClusterFirstWithHostNet` . `ClusterFirst` indicates that any DNS query that does not match the configured cluster domain suffix is forwarded to the upstream nameserver inherited from the node. For more information, see [Pod's DNS policy](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) in the *Kubernetes documentation* .\n\nValid values: `Default` | `ClusterFirst` | `ClusterFirstWithHostNet`", - "HostNetwork": "Indicates if the pod uses the hosts' network IP address. The default value is `true` . Setting this to `false` enables the Kubernetes pod networking model. Most AWS Batch workloads are egress-only and don't require the overhead of IP allocation for each pod for incoming connections. For more information, see [Host namespaces](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces) and [Pod networking](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/workloads/pods/#pod-networking) in the *Kubernetes documentation* .", - "Metadata": "Metadata about the Kubernetes pod. For more information, see [Understanding Kubernetes Objects](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/) in the *Kubernetes documentation* .", - "ServiceAccountName": "The name of the service account that's used to run the pod. For more information, see [Kubernetes service accounts](https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html) and [Configure a Kubernetes service account to assume an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) in the *Amazon EKS User Guide* and [Configure service accounts for pods](https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) in the *Kubernetes documentation* .", - "Volumes": "Specifies the volumes for a job definition that uses Amazon EKS resources." - }, "AWS::Batch::JobDefinition EksProperties": { "PodProperties": "The properties for the Kubernetes pod resources of a job." }, @@ -4286,12 +4275,6 @@ "AWS::Batch::JobDefinition FargatePlatformConfiguration": { "PlatformVersion": "The AWS Fargate platform version where the jobs are running. A platform version is specified only for jobs that are running on Fargate resources. If one isn't specified, the `LATEST` platform version is used by default. This uses a recent, approved version of the AWS Fargate platform for compute resources. For more information, see [AWS Fargate platform versions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html) in the *Amazon Elastic Container Service Developer Guide* ." }, - "AWS::Batch::JobDefinition Host": { - "SourcePath": "The path on the host container instance that's presented to the container. If this parameter is empty, then the Docker daemon has assigned a host path for you. If this parameter contains a file location, then the data volume persists at the specified location on the host container instance until you delete it manually. If the source path location doesn't exist on the host container instance, the Docker daemon creates it. If the location does exist, the contents of the source path folder are exported.\n\n> This parameter isn't applicable to jobs that run on Fargate resources. Don't provide this for these jobs." - }, - "AWS::Batch::JobDefinition JobTimeout": { - "AttemptDurationSeconds": "The job timeout time (in seconds) that's measured from the job attempt's `startedAt` timestamp. After this time passes, AWS Batch terminates your jobs if they aren't finished. The minimum value for the timeout is 60 seconds.\n\nFor array jobs, the timeout applies to the child jobs, not to the parent array job.\n\nFor multi-node parallel (MNP) jobs, the timeout applies to the whole job, not to the individual nodes." - }, "AWS::Batch::JobDefinition LinuxParameters": { "Devices": "Any of the host devices to expose to the container. This parameter maps to `Devices` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--device` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't provide it for these jobs.", "InitProcessEnabled": "If true, run an `init` process inside the container that forwards signals and reaps processes. This parameter maps to the `--init` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . This parameter requires version 1.25 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version | grep \"Server API version\"`", @@ -4305,7 +4288,10 @@ "Options": "The configuration options to send to the log driver. This parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version | grep \"Server API version\"`", "SecretOptions": "The secrets to pass to the log configuration. For more information, see [Specifying sensitive data](https://docs.aws.amazon.com/batch/latest/userguide/specifying-sensitive-data.html) in the *AWS Batch User Guide* ." }, - "AWS::Batch::JobDefinition MountPoint": { + "AWS::Batch::JobDefinition Metadata": { + "Labels": "" + }, + "AWS::Batch::JobDefinition MountPoints": { "ContainerPath": "The path on the container where the host volume is mounted.", "ReadOnly": "If this value is `true` , the container has read-only access to the volume. Otherwise, the container can write to the volume. The default value is `false` .", "SourceVolume": "The name of the volume to mount." @@ -4322,6 +4308,14 @@ "Container": "The container details for the node range.", "TargetNodes": "The range of nodes, using node index values. A range of `0:3` indicates nodes with index values of `0` through `3` . If the starting range value is omitted ( `:n` ), then `0` is used to start the range. If the ending range value is omitted ( `n:` ), then the highest possible node index is used to end the range. Your accumulative node ranges must account for all nodes ( `0:n` ). You can nest node ranges (for example, `0:10` and `4:5` ). In this case, the `4:5` range properties override the `0:10` properties." }, + "AWS::Batch::JobDefinition PodProperties": { + "Containers": "", + "DnsPolicy": "", + "HostNetwork": "", + "Metadata": "", + "ServiceAccountName": "", + "Volumes": "" + }, "AWS::Batch::JobDefinition ResourceRequirement": { "Type": "The type of resource to assign to a container. The supported resources include `GPU` , `MEMORY` , and `VCPU` .", "Value": "The quantity of the specified resource to reserve for the container. The values vary based on the `type` specified.\n\n- **type=\"GPU\"** - The number of physical GPUs to reserve for the container. Make sure that the number of GPUs reserved for all containers in a job doesn't exceed the number of available GPUs on the compute resource that the job is launched on.\n\n> GPUs aren't available for jobs that are running on Fargate resources.\n- **type=\"MEMORY\"** - The memory hard limit (in MiB) present to the container. This parameter is supported for jobs that are running on EC2 resources. If your container attempts to exceed the memory specified, the container is terminated. This parameter maps to `Memory` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--memory` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . You must specify at least 4 MiB of memory for a job. This is required but can be specified in several places for multi-node parallel (MNP) jobs. It must be specified for each node at least once. This parameter maps to `Memory` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--memory` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> If you're trying to maximize your resource utilization by providing your jobs as much memory as possible for a particular instance type, see [Memory management](https://docs.aws.amazon.com/batch/latest/userguide/memory-management.html) in the *AWS Batch User Guide* . \n\nFor jobs that are running on Fargate resources, then `value` is the hard limit (in MiB), and must match one of the supported values and the `VCPU` values must be one of the values supported for that memory value.\n\n- **value = 512** - `VCPU` = 0.25\n- **value = 1024** - `VCPU` = 0.25 or 0.5\n- **value = 2048** - `VCPU` = 0.25, 0.5, or 1\n- **value = 3072** - `VCPU` = 0.5, or 1\n- **value = 4096** - `VCPU` = 0.5, 1, or 2\n- **value = 5120, 6144, or 7168** - `VCPU` = 1 or 2\n- **value = 8192** - `VCPU` = 1, 2, or 4\n- **value = 9216, 10240, 11264, 12288, 13312, 14336, or 15360** - `VCPU` = 2 or 4\n- **value = 16384** - `VCPU` = 2, 4, or 8\n- **value = 17408, 18432, 19456, 21504, 22528, 23552, 25600, 26624, 27648, 29696, or 30720** - `VCPU` = 4\n- **value = 20480, 24576, or 28672** - `VCPU` = 4 or 8\n- **value = 36864, 45056, 53248, or 61440** - `VCPU` = 8\n- **value = 32768, 40960, 49152, or 57344** - `VCPU` = 8 or 16\n- **value = 65536, 73728, 81920, 90112, 98304, 106496, 114688, or 122880** - `VCPU` = 16\n- **type=\"VCPU\"** - The number of vCPUs reserved for the container. This parameter maps to `CpuShares` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--cpu-shares` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . Each vCPU is equivalent to 1,024 CPU shares. For EC2 resources, you must specify at least one vCPU. This is required but can be specified in several places; it must be specified for each node at least once.\n\nThe default for the Fargate On-Demand vCPU resource count quota is 6 vCPUs. For more information about Fargate quotas, see [AWS Fargate quotas](https://docs.aws.amazon.com/general/latest/gr/ecs-service.html#service-quotas-fargate) in the *AWS General Reference* .\n\nFor jobs that are running on Fargate resources, then `value` must match one of the supported values and the `MEMORY` values must be one of the values supported for that `VCPU` value. The supported values are 0.25, 0.5, 1, 2, 4, 8, and 16\n\n- **value = 0.25** - `MEMORY` = 512, 1024, or 2048\n- **value = 0.5** - `MEMORY` = 1024, 2048, 3072, or 4096\n- **value = 1** - `MEMORY` = 2048, 3072, 4096, 5120, 6144, 7168, or 8192\n- **value = 2** - `MEMORY` = 4096, 5120, 6144, 7168, 8192, 9216, 10240, 11264, 12288, 13312, 14336, 15360, or 16384\n- **value = 4** - `MEMORY` = 8192, 9216, 10240, 11264, 12288, 13312, 14336, 15360, 16384, 17408, 18432, 19456, 20480, 21504, 22528, 23552, 24576, 25600, 26624, 27648, 28672, 29696, or 30720\n- **value = 8** - `MEMORY` = 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, or 61440\n- **value = 16** - `MEMORY` = 32768, 40960, 49152, 57344, 65536, 73728, 81920, 90112, 98304, 106496, 114688, or 122880" @@ -4338,6 +4332,9 @@ "Name": "The name of the secret.", "ValueFrom": "The secret to expose to the container. The supported values are either the full Amazon Resource Name (ARN) of the AWS Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager Parameter Store.\n\n> If the AWS Systems Manager Parameter Store parameter exists in the same Region as the job you're launching, then you can use either the full Amazon Resource Name (ARN) or name of the parameter. If the parameter exists in a different Region, then the full ARN must be specified." }, + "AWS::Batch::JobDefinition Timeout": { + "AttemptDurationSeconds": "The job timeout time (in seconds) that's measured from the job attempt's `startedAt` timestamp. After this time passes, AWS Batch terminates your jobs if they aren't finished. The minimum value for the timeout is 60 seconds.\n\nFor array jobs, the timeout applies to the child jobs, not to the parent array job.\n\nFor multi-node parallel (MNP) jobs, the timeout applies to the whole job, not to the individual nodes." + }, "AWS::Batch::JobDefinition Tmpfs": { "ContainerPath": "The absolute file path in the container where the `tmpfs` volume is mounted.", "MountOptions": "The list of `tmpfs` volume mount options.\n\nValid values: \" `defaults` \" | \" `ro` \" | \" `rw` \" | \" `suid` \" | \" `nosuid` \" | \" `dev` \" | \" `nodev` \" | \" `exec` \" | \" `noexec` \" | \" `sync` \" | \" `async` \" | \" `dirsync` \" | \" `remount` \" | \" `mand` \" | \" `nomand` \" | \" `atime` \" | \" `noatime` \" | \" `diratime` \" | \" `nodiratime` \" | \" `bind` \" | \" `rbind\" | \"unbindable\" | \"runbindable\" | \"private\" | \"rprivate\" | \"shared\" | \"rshared\" | \"slave\" | \"rslave\" | \"relatime` \" | \" `norelatime` \" | \" `strictatime` \" | \" `nostrictatime` \" | \" `mode` \" | \" `uid` \" | \" `gid` \" | \" `nr_inodes` \" | \" `nr_blocks` \" | \" `mpol` \"", @@ -4348,11 +4345,14 @@ "Name": "The `type` of the `ulimit` . Valid values are: `core` | `cpu` | `data` | `fsize` | `locks` | `memlock` | `msgqueue` | `nice` | `nofile` | `nproc` | `rss` | `rtprio` | `rttime` | `sigpending` | `stack` .", "SoftLimit": "The soft limit for the `ulimit` type." }, - "AWS::Batch::JobDefinition Volume": { - "EfsVolumeConfiguration": "This parameter is specified when you're using an Amazon Elastic File System file system for job storage. Jobs that are running on Fargate resources must specify a `platformVersion` of at least `1.4.0` .", + "AWS::Batch::JobDefinition Volumes": { + "EfsVolumeConfiguration": "This is used when you're using an Amazon Elastic File System file system for job storage. For more information, see [Amazon EFS Volumes](https://docs.aws.amazon.com/batch/latest/userguide/efs-volumes.html) in the *AWS Batch User Guide* .", "Host": "The contents of the `host` parameter determine whether your data volume persists on the host container instance and where it's stored. If the host parameter is empty, then the Docker daemon assigns a host path for your data volume. However, the data isn't guaranteed to persist after the containers that are associated with it stop running.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided.", "Name": "The name of the volume. It can be up to 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), and underscores (_). This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` ." }, + "AWS::Batch::JobDefinition VolumesHost": { + "SourcePath": "The path on the host container instance that's presented to the container. If this parameter is empty, then the Docker daemon has assigned a host path for you. If this parameter contains a file location, then the data volume persists at the specified location on the host container instance until you delete it manually. If the source path location doesn't exist on the host container instance, the Docker daemon creates it. If the location does exist, the contents of the source path folder are exported.\n\n> This parameter isn't applicable to jobs that run on Fargate resources. Don't provide this for these jobs." + }, "AWS::Batch::JobQueue": { "ComputeEnvironmentOrder": "The set of compute environments mapped to a job queue and their order relative to each other. The job scheduler uses this parameter to determine which compute environment runs a specific job. Compute environments must be in the `VALID` state before you can associate them with a job queue. You can associate up to three compute environments with a job queue. All of the compute environments must be either EC2 ( `EC2` or `SPOT` ) or Fargate ( `FARGATE` or `FARGATE_SPOT` ); EC2 and Fargate compute environments can't be mixed.\n\n> All compute environments that are associated with a job queue must share the same architecture. AWS Batch doesn't support mixing compute environment architecture types in a single job queue.", "JobQueueName": "The name of the job queue. It can be up to 128 letters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), and underscores (_).", @@ -4796,8 +4796,8 @@ "ScalarFunctions": "Set of scalar functions that are allowed to be used on dimension columns and the output of aggregation of metrics." }, "AWS::CleanRooms::ConfiguredTable AnalysisRuleCustom": { - "AllowedAnalyses": "The analysis templates that are allowed by the custom analysis rule.", - "AllowedAnalysisProviders": "The AWS accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` ." + "AllowedAnalyses": "The ARN of the analysis templates that are allowed by the custom analysis rule.", + "AllowedAnalysisProviders": "The IDs of the AWS accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` ." }, "AWS::CleanRooms::ConfiguredTable AnalysisRuleList": { "AllowedJoinOperators": "The logical operators (if any) that are to be used in an INNER JOIN match condition. Default is `AND` .", @@ -5857,7 +5857,7 @@ "ImagePullCredentialsType": "The type of credentials AWS CodeBuild uses to pull images in your build. There are two valid values:\n\n- `CODEBUILD` specifies that AWS CodeBuild uses its own credentials. This requires that you modify your ECR repository policy to trust AWS CodeBuild service principal.\n- `SERVICE_ROLE` specifies that AWS CodeBuild uses your build project's service role.\n\nWhen you use a cross-account or private registry image, you must use SERVICE_ROLE credentials. When you use an AWS CodeBuild curated image, you must use CODEBUILD credentials.", "PrivilegedMode": "Enables running the Docker daemon inside a Docker container. Set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails. The default setting is `false` .\n\nYou can initialize the Docker daemon during the install phase of your build by adding one of the following sets of commands to the install phase of your buildspec file:\n\nIf the operating system's base image is Ubuntu Linux:\n\n`- nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 --storage-driver=overlay&`\n\n`- timeout 15 sh -c \"until docker info; do echo .; sleep 1; done\"`\n\nIf the operating system's base image is Alpine Linux and the previous command does not work, add the `-t` argument to `timeout` :\n\n`- nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 --storage-driver=overlay&`\n\n`- timeout -t 15 sh -c \"until docker info; do echo .; sleep 1; done\"`", "RegistryCredential": "`RegistryCredential` is a property of the [AWS::CodeBuild::Project Environment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html#cfn-codebuild-project-environment) property that specifies information about credentials that provide access to a private Docker registry. When this is set:\n\n- `imagePullCredentialsType` must be set to `SERVICE_ROLE` .\n- images cannot be curated or an Amazon ECR image.", - "Type": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `ARM_LAMBDA_CONTAINER` and `LINUX_LAMBDA_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland), and South America (S\u00e3o Paulo).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* ." + "Type": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `ARM_LAMBDA_CONTAINER` and `LINUX_LAMBDA_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland), and South America (S\u00e3o Paulo).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\n> If you're using compute fleets during project creation, `type` will be ignored. \n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* ." }, "AWS::CodeBuild::Project EnvironmentVariable": { "Name": "The name or key of the environment variable.", @@ -6898,9 +6898,9 @@ "AWS::Config::ConfigurationRecorder RecordingGroup": { "AllSupported": "Specifies whether AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new resource type, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Region availability*\n> \n> Check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if a resource type is supported in the AWS Region where you set up AWS Config .", "ExclusionByResourceTypes": "An object that specifies how AWS Config excludes resource types from being recorded by the configuration recorder.\n\nTo use this option, you must set the `useOnly` field of [AWS::Config::ConfigurationRecorder RecordingStrategy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .", - "IncludeGlobalResourceTypes": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `includeGlobalResourceTypes` is not set to `true` . The `includeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > Before you set this field to `true` , set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `includeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `resourceTypes` field in addition to setting the `includeGlobalResourceTypes` field to false.", - "RecordingStrategy": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", - "ResourceTypes": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `resourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `allSupported` field to `false` and specify values for `resourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config ." + "IncludeGlobalResourceTypes": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Canada West (Calgary)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `IncludeGlobalResourceTypes` is set to `false` . The `IncludeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > *IncludeGlobalResourceTypes and the exclusion recording strategy*\n> \n> The `IncludeGlobalResourceTypes` field has no impact on the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy. This means that the global IAM resource types ( IAM users, groups, roles, and customer managed policies) will not be automatically added as exclusions for `ExclusionByResourceTypes` when `IncludeGlobalResourceTypes` is set to `false` .\n> \n> The `IncludeGlobalResourceTypes` field should only be used to modify the `AllSupported` field, as the default for the `AllSupported` field is to record configuration changes for all supported resource types excluding the global IAM resource types. To include the global IAM resource types when `AllSupported` is set to `true` , make sure to set `IncludeGlobalResourceTypes` to `true` .\n> \n> To exclude the global IAM resource types for the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, you need to manually add them to the `ResourceTypes` field of `ExclusionByResourceTypes` . > *Required and optional fields*\n> \n> Before you set this field to `true` , set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `IncludeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `ResourceTypes` field in addition to setting the `IncludeGlobalResourceTypes` field to false.", + "RecordingStrategy": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `ExclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `IncludeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `ResourceTypes` field of `ExclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Canada West (Calgary)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "ResourceTypes": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `ResourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `AllSupported` field to `false` and specify values for `ResourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config ." }, "AWS::Config::ConfigurationRecorder RecordingMode": { "RecordingFrequency": "The default recording frequency that AWS Config uses to record configuration changes.\n\n> Daily recording is not supported for the following resource types:\n> \n> - `AWS::Config::ResourceCompliance`\n> - `AWS::Config::ConformancePackCompliance`\n> - `AWS::Config::ConfigurationRecorder`\n> \n> For the *allSupported* ( `ALL_SUPPORTED_RESOURCE_TYPES` ) recording strategy, these resource types will be set to Continuous recording.", @@ -6912,7 +6912,7 @@ "ResourceTypes": "A comma-separated list that specifies which resource types AWS Config includes in the override.\n\n> Daily recording is not supported for the following resource types:\n> \n> - `AWS::Config::ResourceCompliance`\n> - `AWS::Config::ConformancePackCompliance`\n> - `AWS::Config::ConfigurationRecorder`" }, "AWS::Config::ConfigurationRecorder RecordingStrategy": { - "UseOnly": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)" + "UseOnly": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `ExclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `IncludeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `ResourceTypes` field of `ExclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Canada West (Calgary)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)" }, "AWS::Config::ConformancePack": { "ConformancePackInputParameters": "A list of ConformancePackInputParameter objects.", @@ -9218,6 +9218,145 @@ "AWS::DataSync::Task Verified": { "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify." }, + "AWS::DataZone::DataSource": { + "AssetFormsInput": "The metadata forms attached to the assets that the data source works with.", + "Configuration": "The configuration of the data source.", + "Description": "The description of the data source.", + "DomainIdentifier": "The ID of the Amazon DataZone domain where the data source is created.", + "EnableSetting": "Specifies whether the data source is enabled.", + "EnvironmentIdentifier": "The unique identifier of the Amazon DataZone environment to which the data source publishes assets.", + "Name": "The name of the data source.", + "ProjectIdentifier": "The identifier of the Amazon DataZone project in which you want to add this data source.", + "PublishOnImport": "Specifies whether the assets that this data source creates in the inventory are to be also automatically published to the catalog.", + "Recommendation": "Specifies whether the business name generation is to be enabled for this data source.", + "Schedule": "The schedule of the data source runs.", + "Type": "The type of the data source." + }, + "AWS::DataZone::DataSource DataSourceConfigurationInput": { + "GlueRunConfiguration": "The configuration of the AWS Glue data source.", + "RedshiftRunConfiguration": "The configuration of the Amazon Redshift data source." + }, + "AWS::DataZone::DataSource FilterExpression": { + "Expression": "The search filter expression.", + "Type": "The search filter explresison type." + }, + "AWS::DataZone::DataSource FormInput": { + "Content": "The content of the metadata form.", + "FormName": "The name of the metadata form.", + "TypeIdentifier": "The ID of the metadata form type.", + "TypeRevision": "The revision of the metadata form type." + }, + "AWS::DataZone::DataSource GlueRunConfigurationInput": { + "DataAccessRole": "The data access role included in the configuration details of the AWS Glue data source.", + "RelationalFilterConfigurations": "The relational filter configurations included in the configuration details of the AWS Glue data source." + }, + "AWS::DataZone::DataSource RecommendationConfiguration": { + "EnableBusinessNameGeneration": "Specifies whether automatic business name generation is to be enabled or not as part of the recommendation configuration." + }, + "AWS::DataZone::DataSource RedshiftClusterStorage": { + "ClusterName": "The name of an Amazon Redshift cluster." + }, + "AWS::DataZone::DataSource RedshiftCredentialConfiguration": { + "SecretManagerArn": "The ARN of a secret manager for an Amazon Redshift cluster." + }, + "AWS::DataZone::DataSource RedshiftRunConfigurationInput": { + "DataAccessRole": "The data access role included in the configuration details of the Amazon Redshift data source.", + "RedshiftCredentialConfiguration": "The details of the credentials required to access an Amazon Redshift cluster.", + "RedshiftStorage": "The details of the Amazon Redshift storage as part of the configuration of an Amazon Redshift data source run.", + "RelationalFilterConfigurations": "The relational filter configurations included in the configuration details of the AWS Glue data source." + }, + "AWS::DataZone::DataSource RedshiftServerlessStorage": { + "WorkgroupName": "The name of the Amazon Redshift Serverless workgroup." + }, + "AWS::DataZone::DataSource RedshiftStorage": { + "RedshiftClusterSource": "The details of the Amazon Redshift cluster source.", + "RedshiftServerlessSource": "The details of the Amazon Redshift Serverless workgroup source." + }, + "AWS::DataZone::DataSource RelationalFilterConfiguration": { + "DatabaseName": "The database name specified in the relational filter configuration for the data source.", + "FilterExpressions": "The filter expressions specified in the relational filter configuration for the data source.", + "SchemaName": "The schema name specified in the relational filter configuration for the data source." + }, + "AWS::DataZone::DataSource ScheduleConfiguration": { + "Schedule": "The schedule of the data source runs.", + "Timezone": "The timezone of the data source run." + }, + "AWS::DataZone::Domain": { + "Description": "The description of the Amazon DataZone domain.", + "DomainExecutionRole": "The domain execution role that is created when an Amazon DataZone domain is created. The domain execution role is created in the AWS account that houses the Amazon DataZone domain.", + "KmsKeyIdentifier": "The identifier of the AWS Key Management Service (KMS) key that is used to encrypt the Amazon DataZone domain, metadata, and reporting data.", + "Name": "The name of the Amazon DataZone domain.", + "SingleSignOn": "The single sign-on details in Amazon DataZone.", + "Tags": "The tags specified for the Amazon DataZone domain." + }, + "AWS::DataZone::Domain SingleSignOn": { + "Type": "The type of single sign-on in Amazon DataZone.", + "UserAssignment": "The single sign-on user assignment in Amazon DataZone." + }, + "AWS::DataZone::Domain Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, + "AWS::DataZone::Environment": { + "Description": "The description of the environment.", + "DomainIdentifier": "The identifier of the Amazon DataZone domain in which the environment is created.", + "EnvironmentProfileIdentifier": "The identifier of the environment profile that is used to create this Amazon DataZone environment.", + "GlossaryTerms": "The glossary terms that can be used in this Amazon DataZone environment.", + "Name": "The name of the Amazon DataZone environment.", + "ProjectIdentifier": "The identifier of the Amazon DataZone project in which this environment is created.", + "UserParameters": "The user parameters of this Amazon DataZone environment." + }, + "AWS::DataZone::Environment EnvironmentParameter": { + "Name": "The name of the environment parameter.", + "Value": "The value of the environment parameter." + }, + "AWS::DataZone::EnvironmentBlueprintConfiguration": { + "DomainIdentifier": "The identifier of the Amazon DataZone domain in which an environment blueprint exists.", + "EnabledRegions": "The enabled AWS Regions specified in a blueprint configuration.", + "EnvironmentBlueprintIdentifier": "The identifier of the environment blueprint.\n\nIn the current release, only the following values are supported: `DefaultDataLake` and `DefaultDataWarehouse` .", + "ManageAccessRoleArn": "The ARN of the manage access role.", + "ProvisioningRoleArn": "The ARN of the provisioning role.", + "RegionalParameters": "The regional parameters of the environment blueprint." + }, + "AWS::DataZone::EnvironmentBlueprintConfiguration RegionalParameter": { + "Parameters": "A string to string map containing parameters for the region.", + "Region": "The region specified in the environment parameter." + }, + "AWS::DataZone::EnvironmentProfile": { + "AwsAccountId": "The identifier of an AWS account in which an environment profile exists.", + "AwsAccountRegion": "The AWS Region in which an environment profile exists.", + "Description": "The description of the environment profile.", + "DomainIdentifier": "The identifier of the Amazon DataZone domain in which the environment profile exists.", + "EnvironmentBlueprintIdentifier": "The identifier of a blueprint with which an environment profile is created.", + "Name": "The name of the environment profile.", + "ProjectIdentifier": "The identifier of a project in which an environment profile exists.", + "UserParameters": "The user parameters of this Amazon DataZone environment profile." + }, + "AWS::DataZone::EnvironmentProfile EnvironmentParameter": { + "Name": "The name specified in the environment parameter.", + "Value": "The value of the environment profile." + }, + "AWS::DataZone::Project": { + "Description": "The description of a project.", + "DomainIdentifier": "The identifier of a Amazon DataZone domain where the project exists.", + "GlossaryTerms": "The glossary terms that can be used in this Amazon DataZone project.", + "Name": "The name of a project." + }, + "AWS::DataZone::SubscriptionTarget": { + "ApplicableAssetTypes": "The asset types included in the subscription target.", + "AuthorizedPrincipals": "The authorized principals included in the subscription target.", + "DomainIdentifier": "The ID of the Amazon DataZone domain in which subscription target is created.", + "EnvironmentIdentifier": "The ID of the environment in which subscription target is created.", + "ManageAccessRole": "The manage access role that is used to create the subscription target.", + "Name": "The name of the subscription target.", + "Provider": "The provider of the subscription target.", + "SubscriptionTargetConfig": "The configuration of the subscription target.", + "Type": "The type of the subscription target." + }, + "AWS::DataZone::SubscriptionTarget SubscriptionTargetForm": { + "Content": "The content of the subscription target configuration.", + "FormName": "The form name included in the subscription target configuration." + }, "AWS::Detective::Graph": { "AutoEnableMembers": "Indicates whether to automatically enable new organization accounts as member accounts in the organization behavior graph.\n\nBy default, this property is set to `false` . If you want to change the value of this property, you must be the Detective administrator for the organization. For more information on setting a Detective administrator account, see [AWS::Detective::OrganizationAdmin](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-detective-organizationadmin.html)", "Tags": "The tag values to assign to the new behavior graph." @@ -10118,7 +10257,7 @@ "CreditSpecification": "The credit option for CPU usage of the burstable performance instance. Valid values are `standard` and `unlimited` . To change this attribute after launch, use [ModifyInstanceCreditSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html) . For more information, see [Burstable performance instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) in the *Amazon EC2 User Guide* .\n\nDefault: `standard` (T2 instances) or `unlimited` (T3/T3a/T4g instances)\n\nFor T3 instances with `host` tenancy, only `standard` is supported.", "DisableApiTermination": "If you set this parameter to `true` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use [ModifyInstanceAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html) . Alternatively, if you set `InstanceInitiatedShutdownBehavior` to `terminate` , you can terminate the instance by running the shutdown command from the instance.\n\nDefault: `false`", "EbsOptimized": "Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance.\n\nDefault: `false`", - "ElasticGpuSpecifications": "An elastic GPU to associate with the instance. An Elastic GPU is a GPU resource that you can attach to your Windows instance to accelerate the graphics performance of your applications. For more information, see [Amazon EC2 Elastic GPUs](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html) in the *Amazon EC2 User Guide* .", + "ElasticGpuSpecifications": "Deprecated.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.", "ElasticInferenceAccelerators": "An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.\n\nYou cannot specify accelerators from different generations in the same request.\n\n> Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.", "EnclaveOptions": "Indicates whether the instance is enabled for AWS Nitro Enclaves.", "HibernationOptions": "Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the [hibernation prerequisites](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html) . For more information, see [Hibernate your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) in the *Amazon EC2 User Guide* .\n\nYou can't enable hibernation and AWS Nitro Enclaves on the same instance.", @@ -10387,7 +10526,7 @@ "DisableApiStop": "Indicates whether to enable the instance for stop protection. For more information, see [Stop protection](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html#Using_StopProtection) in the *Amazon Elastic Compute Cloud User Guide* .", "DisableApiTermination": "If you set this parameter to `true` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use [ModifyInstanceAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html) . Alternatively, if you set `InstanceInitiatedShutdownBehavior` to `terminate` , you can terminate the instance by running the shutdown command from the instance.", "EbsOptimized": "Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance.", - "ElasticGpuSpecifications": "An elastic GPU to associate with the instance.", + "ElasticGpuSpecifications": "Deprecated.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.", "ElasticInferenceAccelerators": "An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.\n\nYou cannot specify accelerators from different generations in the same request.\n\n> Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.", "EnclaveOptions": "Indicates whether the instance is enabled for AWS Nitro Enclaves. For more information, see [What is AWS Nitro Enclaves?](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) in the *AWS Nitro Enclaves User Guide* .\n\nYou can't enable AWS Nitro Enclaves and hibernation on the same instance.", "HibernationOptions": "Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the [hibernation prerequisites](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html) . For more information, see [Hibernate your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) in the *Amazon Elastic Compute Cloud User Guide* .", @@ -10509,7 +10648,7 @@ "Value": "The tag value." }, "AWS::EC2::LaunchTemplate TagSpecification": { - "ResourceType": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include an Elastic GPU.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", + "ResourceType": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include a volume.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "Tags": "The tags to apply to the resource." }, "AWS::EC2::LaunchTemplate TotalLocalStorageGB": { @@ -10577,18 +10716,18 @@ "Value": "The tag value." }, "AWS::EC2::NetworkAclEntry": { - "CidrBlock": "The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). Requirement is conditional: You must specify the `CidrBlock` or `Ipv6CidrBlock` property.", + "CidrBlock": "The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). You must specify an IPv4 CIDR block or an IPv6 CIDR block.", "Egress": "Whether this rule applies to egress traffic from the subnet ( `true` ) or ingress traffic to the subnet ( `false` ). By default, AWS CloudFormation specifies `false` .", - "Icmp": "The Internet Control Message Protocol (ICMP) code and type. Requirement is conditional: Required if specifying 1 (ICMP) for the protocol parameter.", - "Ipv6CidrBlock": "The IPv6 network range to allow or deny, in CIDR notation. Requirement is conditional: You must specify the `CidrBlock` or `Ipv6CidrBlock` property.", + "Icmp": "The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter.", + "Ipv6CidrBlock": "The IPv6 network range to allow or deny, in CIDR notation. You must specify an IPv4 CIDR block or an IPv6 CIDR block.", "NetworkAclId": "The ID of the ACL for the entry.", - "PortRange": "The range of port numbers for the UDP/TCP protocol. Conditional required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.", + "PortRange": "The range of port numbers for the UDP/TCP protocol. Required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.", "Protocol": "The IP protocol that the rule applies to. You must specify -1 or a protocol number. You can specify -1 for all protocols.\n\n> If you specify -1, all ports are opened and the `PortRange` property is ignored.", "RuleAction": "Whether to allow or deny traffic that matches the rule; valid values are \"allow\" or \"deny\".", "RuleNumber": "Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by rule number. Entries can't use the same rule number unless one is an egress rule and the other is an ingress rule." }, "AWS::EC2::NetworkAclEntry Icmp": { - "Code": "The Internet Control Message Protocol (ICMP) code. You can use -1 to specify all ICMP codes for the given ICMP type. Requirement is conditional: Required if you specify 1 (ICMP) for the protocol parameter.", + "Code": "The Internet Control Message Protocol (ICMP) code. You can use -1 to specify all ICMP codes for the given ICMP type. Required if you specify 1 (ICMP) for the protocol parameter.", "Type": "The Internet Control Message Protocol (ICMP) type. You can use -1 to specify all ICMP types. Conditional requirement: Required if you specify 1 (ICMP) for the `CreateNetworkAclEntry` protocol parameter." }, "AWS::EC2::NetworkAclEntry PortRange": { @@ -10931,7 +11070,7 @@ "SecurityGroupEgress": "The outbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group.", "SecurityGroupIngress": "The inbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group.", "Tags": "Any tags assigned to the security group.", - "VpcId": "The ID of the VPC for the security group." + "VpcId": "The ID of the VPC for the security group. If you do not specify a VPC, the default is to use the default VPC for the Region. If there's no specified VPC and no default VPC, security group creation fails." }, "AWS::EC2::SecurityGroup Egress": { "CidrIp": "The IPv4 address range, in CIDR format.\n\nYou must specify a destination security group ( `DestinationPrefixListId` or `DestinationSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).\n\nFor examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .", @@ -10939,21 +11078,21 @@ "Description": "A description for the security group rule.\n\nConstraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*", "DestinationPrefixListId": "The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.\n\nYou must specify a destination security group ( `DestinationPrefixListId` or `DestinationSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).", "DestinationSecurityGroupId": "The ID of the destination VPC security group.\n\nYou must specify a destination security group ( `DestinationPrefixListId` or `DestinationSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).", - "FromPort": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "FromPort": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).", "IpProtocol": "The IP protocol name ( `tcp` , `udp` , `icmp` , `icmpv6` ) or number (see [Protocol Numbers](https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) ).\n\nUse `-1` to specify all protocols. When authorizing security group rules, specifying `-1` or a protocol number other than `tcp` , `udp` , `icmp` , or `icmpv6` allows traffic on all ports, regardless of any port range you specify. For `tcp` , `udp` , and `icmp` , you must specify a port range. For `icmpv6` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.", - "ToPort": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes." + "ToPort": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes)." }, "AWS::EC2::SecurityGroup Ingress": { "CidrIp": "The IPv4 address range, in CIDR format.\n\nYou must specify a source security group ( `SourcePrefixListId` or `SourceSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).\n\nFor examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .", "CidrIpv6": "The IPv6 address range, in CIDR format.\n\nYou must specify a source security group ( `SourcePrefixListId` or `SourceSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).\n\nFor examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .", "Description": "Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously.\n\nConstraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*", - "FromPort": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "FromPort": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).", "IpProtocol": "The IP protocol name ( `tcp` , `udp` , `icmp` , `icmpv6` ) or number (see [Protocol Numbers](https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) ).\n\nUse `-1` to specify all protocols. When authorizing security group rules, specifying `-1` or a protocol number other than `tcp` , `udp` , `icmp` , or `icmpv6` allows traffic on all ports, regardless of any port range you specify. For `tcp` , `udp` , and `icmp` , you must specify a port range. For `icmpv6` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.", "SourcePrefixListId": "The ID of a prefix list.", - "SourceSecurityGroupId": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.", + "SourceSecurityGroupId": "The ID of the security group.", "SourceSecurityGroupName": "[Default VPC] The name of the source security group. You must specify either the security group ID or the security group name. You can't specify the group name in combination with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access.\n\nFor security groups in a nondefault VPC, you must specify the group ID.", "SourceSecurityGroupOwnerId": "[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can't specify this property with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access.\n\nIf you specify `SourceSecurityGroupName` or `SourceSecurityGroupId` and that security group is owned by a different account than the account creating the stack, you must specify the `SourceSecurityGroupOwnerId` ; otherwise, this property is optional.", - "ToPort": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes." + "ToPort": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes)." }, "AWS::EC2::SecurityGroup Tag": { "Key": "The tag key.", @@ -10965,10 +11104,10 @@ "Description": "The description of an egress (outbound) security group rule.\n\nConstraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*", "DestinationPrefixListId": "The prefix list IDs for an AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.\n\nYou must specify a destination security group ( `DestinationPrefixListId` or `DestinationSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).", "DestinationSecurityGroupId": "The ID of the security group.\n\nYou must specify a destination security group ( `DestinationPrefixListId` or `DestinationSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).", - "FromPort": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "FromPort": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).", "GroupId": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.", "IpProtocol": "The IP protocol name ( `tcp` , `udp` , `icmp` , `icmpv6` ) or number (see [Protocol Numbers](https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) ).\n\nUse `-1` to specify all protocols. When authorizing security group rules, specifying `-1` or a protocol number other than `tcp` , `udp` , `icmp` , or `icmpv6` allows traffic on all ports, regardless of any port range you specify. For `tcp` , `udp` , and `icmp` , you must specify a port range. For `icmpv6` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.", - "ToPort": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes." + "ToPort": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes)." }, "AWS::EC2::SecurityGroupIngress": { "CidrIp": "The IPv4 address range, in CIDR format.\n\nYou must specify a source security group ( `SourcePrefixListId` or `SourceSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).\n\nFor examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .", @@ -11194,15 +11333,15 @@ "Min": "The minimum number of vCPUs. To specify no minimum limit, specify `0` ." }, "AWS::EC2::Subnet": { - "AssignIpv6AddressOnCreation": "Indicates whether a network interface created in this subnet receives an IPv6 address. The default value is `false` .\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify `Ipv6CidrBlock` .", + "AssignIpv6AddressOnCreation": "Indicates whether a network interface created in this subnet receives an IPv6 address. The default value is `false` .\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify an IPv6 CIDR block.", "AvailabilityZone": "The Availability Zone of the subnet.\n\nIf you update this property, you must also update the `CidrBlock` property.", "AvailabilityZoneId": "The AZ ID of the subnet.", "CidrBlock": "The IPv4 CIDR block assigned to the subnet.\n\nIf you update this property, we create a new subnet, and then delete the existing one.", "EnableDns64": "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. For more information, see [DNS64 and NAT64](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64) in the *Amazon Virtual Private Cloud User Guide* .", "Ipv4IpamPoolId": "An IPv4 IPAM pool ID for the subnet.", "Ipv4NetmaskLength": "An IPv4 netmask length for the subnet.", - "Ipv6CidrBlock": "The IPv6 CIDR block.\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify `Ipv6CidrBlock` .", - "Ipv6CidrBlocks": "", + "Ipv6CidrBlock": "The IPv6 CIDR block.\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify an IPv6 CIDR block.", + "Ipv6CidrBlocks": "The IPv6 network ranges for the subnet, in CIDR notation.", "Ipv6IpamPoolId": "An IPv6 IPAM pool ID for the subnet.", "Ipv6Native": "Indicates whether this is an IPv6 only subnet. For more information, see [Subnet basics](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#subnet-basics) in the *Amazon Virtual Private Cloud User Guide* .", "Ipv6NetmaskLength": "An IPv6 netmask length for the subnet.", @@ -11222,7 +11361,7 @@ "Value": "The tag value." }, "AWS::EC2::SubnetCidrBlock": { - "Ipv6CidrBlock": "The IPv6 network range for the subnet, in CIDR notation. This parameter is required for an IPv6 only subnet.", + "Ipv6CidrBlock": "The IPv6 network range for the subnet, in CIDR notation.", "Ipv6IpamPoolId": "An IPv6 IPAM pool ID for the subnet.", "Ipv6NetmaskLength": "An IPv6 netmask length for the subnet.", "SubnetId": "The ID of the subnet." @@ -11912,7 +12051,17 @@ "ClientAliases": "The list of client aliases for this Service Connect service. You use these to assign names that can be used by client applications. The maximum number of client aliases that you can have in this list is 1.\n\nEach alias (\"endpoint\") is a fully-qualified name and port number that other Amazon ECS tasks (\"clients\") can use to connect to this service.\n\nEach name and port mapping must be unique within the namespace.\n\nFor each `ServiceConnectService` , you must provide at least one `clientAlias` with one `port` .", "DiscoveryName": "The `discoveryName` is the name of the new AWS Cloud Map service that Amazon ECS creates for this Amazon ECS service. This must be unique within the AWS Cloud Map namespace. The name can contain up to 64 characters. The name can include lowercase letters, numbers, underscores (_), and hyphens (-). The name can't start with a hyphen.\n\nIf the `discoveryName` isn't specified, the port mapping name from the task definition is used in `portName.namespace` .", "IngressPortOverride": "The port number for the Service Connect proxy to listen on.\n\nUse the value of this field to bypass the proxy for traffic on the port number specified in the named `portMapping` in the task definition of this application, and then use it in your VPC security groups to allow traffic into the proxy for this Amazon ECS service.\n\nIn `awsvpc` mode and Fargate, the default value is the container port number. The container port number is in the `portMapping` in the task definition. In bridge mode, the default value is the ephemeral port of the Service Connect proxy.", - "PortName": "The `portName` must match the name of one of the `portMappings` from all the containers in the task definition of this Amazon ECS service." + "PortName": "The `portName` must match the name of one of the `portMappings` from all the containers in the task definition of this Amazon ECS service.", + "Timeout": "", + "Tls": "" + }, + "AWS::ECS::Service ServiceConnectTlsCertificateAuthority": { + "AwsPcaAuthorityArn": "" + }, + "AWS::ECS::Service ServiceConnectTlsConfiguration": { + "IssuerCertificateAuthority": "", + "KmsKey": "", + "RoleArn": "" }, "AWS::ECS::Service ServiceManagedEBSVolumeConfiguration": { "Encrypted": "Indicates whether the volume should be encrypted. If no value is specified, encryption is turned on by default. This parameter maps 1:1 with the `Encrypted` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", @@ -11940,6 +12089,10 @@ "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, + "AWS::ECS::Service TimeoutConfiguration": { + "IdleTimeoutSeconds": "", + "PerRequestTimeoutSeconds": "" + }, "AWS::ECS::TaskDefinition": { "ContainerDefinitions": "A list of container definitions in JSON format that describe the different containers that make up your task. For more information about container definition parameters and defaults, see [Amazon ECS Task Definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_defintions.html) in the *Amazon Elastic Container Service Developer Guide* .", "Cpu": "The number of `cpu` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the `memory` parameter.\n\nThe CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate.\n\n- 256 (.25 vCPU) - Available `memory` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB)\n- 512 (.5 vCPU) - Available `memory` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB)\n- 1024 (1 vCPU) - Available `memory` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB)\n- 2048 (2 vCPU) - Available `memory` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB)\n- 4096 (4 vCPU) - Available `memory` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB)\n- 8192 (8 vCPU) - Available `memory` values: 16 GB and 60 GB in 4 GB increments\n\nThis option requires Linux platform `1.4.0` or later.\n- 16384 (16vCPU) - Available `memory` values: 32GB and 120 GB in 8 GB increments\n\nThis option requires Linux platform `1.4.0` or later.", @@ -13496,6 +13649,7 @@ "Weight": "The weight. The range is 0 to 999." }, "AWS::ElasticLoadBalancingV2::LoadBalancer": { + "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink .", "IpAddressType": "The IP address type. The possible values are `ipv4` (for IPv4 addresses) and `dualstack` (for IPv4 and IPv6 addresses). You can\u2019t specify `dualstack` for a load balancer with a UDP or TCP_UDP listener.", "LoadBalancerAttributes": "The load balancer attributes.", "Name": "The name of the load balancer. This name must be unique per region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, must not begin or end with a hyphen, and must not begin with \"internal-\".\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID for the load balancer. If you specify a name, you cannot perform updates that require replacement of this resource, but you can perform other updates. To replace the resource, specify a new name.", @@ -16566,7 +16720,7 @@ }, "AWS::IVS::RecordingConfiguration RenditionConfiguration": { "RenditionSelection": "The set of renditions are recorded for a stream. For `BASIC` channels, the `CUSTOM` value has no effect. If `CUSTOM` is specified, a set of renditions can be specified in the `renditions` field. Default: `ALL` .", - "Renditions": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) ." + "Renditions": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/LowLatencyUserGuide/record-to-s3.html) ." }, "AWS::IVS::RecordingConfiguration S3DestinationConfiguration": { "BucketName": "Location (S3 bucket name) where recorded videos will be stored." @@ -16577,9 +16731,17 @@ }, "AWS::IVS::RecordingConfiguration ThumbnailConfiguration": { "RecordingMode": "Thumbnail recording mode. Valid values:\n\n- `DISABLED` : Use DISABLED to disable the generation of thumbnails for recorded video.\n- `INTERVAL` : Use INTERVAL to enable the generation of thumbnails for recorded video at a time interval controlled by the [TargetIntervalSeconds](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-targetintervalseconds) property.\n\n*Default* : `INTERVAL`", - "Resolution": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "Resolution": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/LowLatencyUserGuide/record-to-s3.html) .", "Storage": "The format in which thumbnails are recorded for a stream. `SEQUENTIAL` records all generated thumbnails in a serial manner, to the media/thumbnails directory. `LATEST` saves the latest thumbnail in media/thumbnails/latest/thumb.jpg and overwrites it at the interval specified by `targetIntervalSeconds` . You can enable both `SEQUENTIAL` and `LATEST` . Default: `SEQUENTIAL` .", - "TargetIntervalSeconds": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60." + "TargetIntervalSeconds": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/LowLatencyUserGuide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60." + }, + "AWS::IVS::Stage": { + "Name": "Stage name.", + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-stage-tag.html) ." + }, + "AWS::IVS::Stage Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::IVS::StreamKey": { "ChannelArn": "Channel ARN for the stream.", @@ -17076,7 +17238,7 @@ "PerformanceScoreThreshold": "The health event threshold percentage set for performance scores. When the overall performance score is at or below this percentage, Internet Monitor creates a health event." }, "AWS::InternetMonitor::Monitor InternetMeasurementsLogDelivery": { - "S3Config": "The configuration information for publishing Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs." + "S3Config": "The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3." }, "AWS::InternetMonitor::Monitor LocalHealthEventsConfig": { "HealthScoreThreshold": "The health event threshold percentage set for a local health score.", @@ -17084,9 +17246,9 @@ "Status": "The status of whether Internet Monitor creates a health event based on a threshold percentage set for a local health score. The status can be `ENABLED` or `DISABLED` ." }, "AWS::InternetMonitor::Monitor S3Config": { - "BucketName": "The Amazon S3 bucket name.", - "BucketPrefix": "The Amazon S3 bucket prefix.", - "LogDeliveryStatus": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket." + "BucketName": "The Amazon S3 bucket name for internet measurements publishing.", + "BucketPrefix": "An optional Amazon S3 bucket prefix for internet measurements publishing.", + "LogDeliveryStatus": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise." }, "AWS::InternetMonitor::Monitor Tag": { "Key": "", @@ -20142,6 +20304,7 @@ "MSKSourceConfiguration": "The configuration for the Amazon MSK cluster to be used as the source for a delivery stream.", "RedshiftDestinationConfiguration": "An Amazon Redshift destination for the delivery stream.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon Redshift destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .", "S3DestinationConfiguration": "The `S3DestinationConfiguration` property type specifies an Amazon Simple Storage Service (Amazon S3) destination to which Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivers data.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon S3 destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .", + "SnowflakeDestinationConfiguration": "", "SplunkDestinationConfiguration": "The configuration of a destination in Splunk for the delivery stream.", "Tags": "A set of tags to assign to the delivery stream. A tag is a key-value pair that you can define and assign to AWS resources. Tags are metadata. For example, you can add friendly names and descriptions or other types of information that can help you distinguish the delivery stream. For more information about tags, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the AWS Billing and Cost Management User Guide.\n\nYou can specify up to 50 tags when creating a delivery stream." }, @@ -20391,6 +20554,36 @@ "OrcSerDe": "A serializer to use for converting data to the ORC format before storing it in Amazon S3. For more information, see [Apache ORC](https://docs.aws.amazon.com/https://orc.apache.org/docs/) .", "ParquetSerDe": "A serializer to use for converting data to the Parquet format before storing it in Amazon S3. For more information, see [Apache Parquet](https://docs.aws.amazon.com/https://parquet.apache.org/documentation/latest/) ." }, + "AWS::KinesisFirehose::DeliveryStream SnowflakeDestinationConfiguration": { + "AccountUrl": "", + "CloudWatchLoggingOptions": "", + "ContentColumnName": "", + "DataLoadingOption": "", + "Database": "", + "KeyPassphrase": "", + "MetaDataColumnName": "", + "PrivateKey": "", + "ProcessingConfiguration": "", + "RetryOptions": "", + "RoleARN": "", + "S3BackupMode": "", + "S3Configuration": "", + "Schema": "", + "SnowflakeRoleConfiguration": "", + "SnowflakeVpcConfiguration": "", + "Table": "", + "User": "" + }, + "AWS::KinesisFirehose::DeliveryStream SnowflakeRetryOptions": { + "DurationInSeconds": "" + }, + "AWS::KinesisFirehose::DeliveryStream SnowflakeRoleConfiguration": { + "Enabled": "", + "SnowflakeRole": "" + }, + "AWS::KinesisFirehose::DeliveryStream SnowflakeVpcConfiguration": { + "PrivateLinkVpceId": "" + }, "AWS::KinesisFirehose::DeliveryStream SplunkBufferingHints": { "IntervalInSeconds": "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 60 (1 minute).", "SizeInMBs": "Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5." @@ -20580,6 +20773,7 @@ "Name": "The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal." }, "AWS::LakeFormation::Resource": { + "HybridAccessEnabled": "Indicates whether the data access of tables pointing to the location can be managed by both Lake Formation permissions as well as Amazon S3 bucket policies.", "ResourceArn": "The Amazon Resource Name (ARN) of the resource.", "RoleArn": "The IAM role that registered a resource.", "UseServiceLinkedRole": "Designates a trusted caller, an IAM principal, by registering this caller with the Data Catalog .", @@ -21799,11 +21993,11 @@ "TrackerName": "The name for the tracker resource.\n\nRequirements:\n\n- Contain only alphanumeric characters (A-Z, a-z, 0-9) , hyphens (-), periods (.), and underscores (_).\n- Must be a unique tracker resource name.\n- No spaces allowed. For example, `ExampleTracker` ." }, "AWS::Logs::AccountPolicy": { - "PolicyDocument": "Specify the data protection policy, in JSON.\n\nThis policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly.", + "PolicyDocument": "Specify the policy, in JSON.\n\n*Data protection policy*\n\nA data protection policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly. \n\nIn addition to the two JSON blocks, the `policyDocument` can also include `Name` , `Description` , and `Version` fields. The `Name` is different than the operation's `policyName` parameter, and is used as a dimension when CloudWatch Logs reports audit findings metrics to CloudWatch .\n\nThe JSON specified in `policyDocument` can be up to 30,720 characters long.\n\n*Subscription filter policy*\n\nA subscription filter policy can include the following attributes in a JSON block:\n\n- *DestinationArn* The ARN of the destination to deliver log events to. Supported destinations are:\n\n- An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.\n- An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.\n- A Lambda function in the same account as the subscription policy, for same-account delivery.\n- A logical destination in a different account created with [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html) , for cross-account delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.\n- *RoleArn* The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log events to the destination stream. You don't need to provide the ARN when you are working with a logical destination for cross-account delivery.\n- *FilterPattern* A filter pattern for subscribing to a filtered stream of log events.\n- *Distribution* The method used to distribute log data to the destination. By default, log data is grouped by log stream, but the grouping can be set to `Random` for a more even distribution. This property is only applicable when the destination is an Kinesis Data Streams data stream.", "PolicyName": "A name for the policy. This must be unique within the account.", - "PolicyType": "Currently the only valid value for this parameter is `DATA_PROTECTION_POLICY` .", - "Scope": "Currently the only valid value for this parameter is `ALL` , which specifies that the data protection policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used.", - "SelectionCriteria": "The log group selection criteria for this subscription filter policy." + "PolicyType": "The type of policy that you're creating or updating.", + "Scope": "Currently the only valid value for this parameter is `ALL` , which specifies that the policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used. To scope down a subscription filter policy to a subset of log groups, use the `selectionCriteria` parameter.", + "SelectionCriteria": "Use this parameter to apply a subscription filter policy to a subset of log groups in the account. Currently, the only supported filter is `LogGroupName NOT IN []` . The `selectionCriteria` string can be up to 25KB in length. The length is determined by using its UTF-8 bytes.\n\nUsing the `selectionCriteria` parameter is useful to help prevent infinite loops. For more information, see [Log recursion prevention](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions-recursion-prevention.html) .\n\nSpecifing `selectionCriteria` is valid only when you specify `SUBSCRIPTION_FILTER_POLICY` for `policyType` ." }, "AWS::Logs::Delivery": { "DeliveryDestinationArn": "The ARN of the delivery destination that is associated with this delivery.", @@ -22972,6 +23166,14 @@ "AWS::MediaLive::Channel CdiInputSpecification": { "Resolution": "Maximum CDI input resolution" }, + "AWS::MediaLive::Channel ColorCorrection": { + "InputColorSpace": "", + "OutputColorSpace": "", + "Uri": "" + }, + "AWS::MediaLive::Channel ColorCorrectionSettings": { + "GlobalColorCorrections": "" + }, "AWS::MediaLive::Channel DvbNitSettings": { "NetworkId": "The numeric value placed in the Network Information Table (NIT).", "NetworkName": "The network name text placed in the networkNameDescriptor inside the Network Information Table (NIT). The maximum length is 256 characters.", @@ -23058,6 +23260,7 @@ "AvailConfiguration": "The configuration settings for the ad avail handling.", "BlackoutSlate": "The settings for the blackout slate.", "CaptionDescriptions": "The encoding information for output captions.", + "ColorCorrectionSettings": "", "FeatureActivations": "Settings to enable specific features.", "GlobalConfiguration": "The configuration settings that apply to the entire channel.", "MotionGraphicsConfiguration": "Settings to enable and configure the motion graphics overlay feature in the channel.", @@ -25334,6 +25537,7 @@ "SAMLOptions": "Container for information about the SAML configuration for OpenSearch Dashboards." }, "AWS::OpenSearchService::Domain ClusterConfig": { + "ColdStorageOptions": "Specifies cold storage options for the domain.", "DedicatedMasterCount": "The number of instances to use for the master node. If you specify this property, you must specify `true` for the `DedicatedMasterEnabled` property.", "DedicatedMasterEnabled": "Indicates whether to use a dedicated master node for the OpenSearch Service domain. A dedicated master node is a cluster node that performs cluster management tasks, but doesn't hold data or respond to data upload requests. Dedicated master nodes offload cluster management tasks to increase the stability of your search clusters. See [Dedicated master nodes in Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-dedicatedmasternodes.html) .", "DedicatedMasterType": "The hardware configuration of the computer that hosts the dedicated master node, such as `m3.medium.search` . If you specify this property, you must specify `true` for the `DedicatedMasterEnabled` property. For valid values, see [Supported instance types in Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html) .", @@ -25352,6 +25556,9 @@ "RoleArn": "The `AmazonOpenSearchServiceCognitoAccess` role that allows OpenSearch Service to configure your user pool and identity pool.\n\nRequired if you enabled Cognito Authentication for OpenSearch Dashboards.", "UserPoolId": "The Amazon Cognito user pool ID that you want OpenSearch Service to use for OpenSearch Dashboards authentication.\n\nRequired if you enabled Cognito Authentication for OpenSearch Dashboards." }, + "AWS::OpenSearchService::Domain ColdStorageOptions": { + "Enabled": "Whether to enable or disable cold storage on the domain. You must enable UltraWarm storage in order to enable cold storage." + }, "AWS::OpenSearchService::Domain DomainEndpointOptions": { "CustomEndpoint": "The fully qualified URL for your custom endpoint. Required if you enabled a custom endpoint for the domain.", "CustomEndpointCertificateArn": "The AWS Certificate Manager ARN for your domain's SSL/TLS certificate. Required if you enabled a custom endpoint for the domain.", @@ -36565,7 +36772,8 @@ "BlockOverrideTtl": "The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action `BLOCK` with a `BlockResponse` setting of `OVERRIDE` .", "BlockResponse": "The way that you want DNS Firewall to block the request. Used for the rule action setting `BLOCK` .\n\n- `NODATA` - Respond indicating that the query was successful, but no response is available for it.\n- `NXDOMAIN` - Respond indicating that the domain name that's in the query doesn't exist.\n- `OVERRIDE` - Provide a custom override in the response. This option requires custom handling details in the rule's `BlockOverride*` settings.", "FirewallDomainListId": "The ID of the domain list that's used in the rule.", - "Priority": "The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting." + "Priority": "The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.", + "Qtype": "The DNS query type you want the rule to evaluate. Allowed values are;\n\n- A: Returns an IPv4 address.\n- AAAA: Returns an Ipv6 address.\n- CAA: Restricts CAs that can create SSL/TLS certifications for the domain.\n- CNAME: Returns another domain name.\n- DS: Record that identifies the DNSSEC signing key of a delegated zone.\n- MX: Specifies mail servers.\n- NAPTR: Regular-expression-based rewriting of domain names.\n- NS: Authoritative name servers.\n- PTR: Maps an IP address to a domain name.\n- SOA: Start of authority record for the zone.\n- SPF: Lists the servers authorized to send emails from a domain.\n- SRV: Application specific values that identify servers.\n- TXT: Verifies email senders and application-specific values.\n- A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPE NUMBER , where the NUMBER can be 1-65334, for example, TYPE28. For more information, see [List of DNS record types](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/List_of_DNS_record_types) ." }, "AWS::Route53Resolver::FirewallRuleGroup Tag": { "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", @@ -36812,7 +37020,7 @@ "AWS::S3::Bucket LoggingConfiguration": { "DestinationBucketName": "The name of the bucket where Amazon S3 should store server access log files. You can store log files in any bucket that you own. By default, logs are stored in the bucket where the `LoggingConfiguration` property is defined.", "LogFilePrefix": "A prefix for all log object keys. If you store log files from multiple Amazon S3 buckets in a single bucket, you can use a prefix to distinguish which log files came from which bucket.", - "TargetObjectKeyFormat": "Amazon S3 key format for log objects. Only one format, PartitionedPrefix or SimplePrefix, is allowed." + "TargetObjectKeyFormat": "Amazon S3 key format for log objects. Only one format, either PartitionedPrefix or SimplePrefix, is allowed." }, "AWS::S3::Bucket Metrics": { "EventThreshold": "A container specifying the time threshold for emitting the `s3:Replication:OperationMissedThreshold` event.", @@ -36952,7 +37160,7 @@ "Rules": "A list of containers for the key-value pair that defines the criteria for the filter rule." }, "AWS::S3::Bucket ServerSideEncryptionByDefault": { - "KMSMasterKeyID": "KMS key ID to use for the default encryption. This parameter is allowed if SSEAlgorithm is aws:kms.\n\nYou can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the CMK. However, if you are using encryption with cross-account operations, you must use a fully qualified CMK ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy) .\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n\n> Amazon S3 only supports symmetric KMS keys and not asymmetric KMS keys. For more information, see [Using Symmetric and Asymmetric Keys](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .", + "KMSMasterKeyID": "AWS Key Management Service (KMS) customer AWS KMS key ID to use for the default encryption. This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse` .\n\nYou can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key Alias: `alias/alias-name`\n\nIf you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.\n\nIf you are using encryption with cross-account or AWS service operations you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy) .\n\n> Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .", "SSEAlgorithm": "Server-side encryption algorithm to use for the default encryption." }, "AWS::S3::Bucket ServerSideEncryptionRule": { diff --git a/schema_source/cloudformation.schema.json b/schema_source/cloudformation.schema.json index b7811d7b0..35771689f 100644 --- a/schema_source/cloudformation.schema.json +++ b/schema_source/cloudformation.schema.json @@ -671,6 +671,11 @@ "AWS::ACMPCA::CertificateAuthority.CrlConfiguration": { "additionalProperties": false, "properties": { + "CrlDistributionPointExtensionConfiguration": { + "$ref": "#/definitions/AWS::ACMPCA::CertificateAuthority.CrlDistributionPointExtensionConfiguration", + "markdownDescription": "", + "title": "CrlDistributionPointExtensionConfiguration" + }, "CustomCname": { "markdownDescription": "Name inserted into the certificate *CRL Distribution Points* extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.\n\n> The content of a Canonical Name (CNAME) record must conform to [RFC2396](https://docs.aws.amazon.com/https://www.ietf.org/rfc/rfc2396.txt) restrictions on the use of special characters in URIs. Additionally, the value of the CNAME must not include a protocol prefix such as \"http://\" or \"https://\".", "title": "CustomCname", @@ -699,6 +704,20 @@ }, "type": "object" }, + "AWS::ACMPCA::CertificateAuthority.CrlDistributionPointExtensionConfiguration": { + "additionalProperties": false, + "properties": { + "OmitExtension": { + "markdownDescription": "", + "title": "OmitExtension", + "type": "boolean" + } + }, + "required": [ + "OmitExtension" + ], + "type": "object" + }, "AWS::ACMPCA::CertificateAuthority.CsrExtensions": { "additionalProperties": false, "properties": { @@ -1293,6 +1312,11 @@ "title": "Alias", "type": "string" }, + "KmsKeyArn": { + "markdownDescription": "", + "title": "KmsKeyArn", + "type": "string" + }, "LoggingConfiguration": { "$ref": "#/definitions/AWS::APS::Workspace.LoggingConfiguration", "markdownDescription": "The LoggingConfiguration attribute is used to set the logging configuration for the workspace.", @@ -13170,7 +13194,7 @@ }, "ServiceDiscovery": { "$ref": "#/definitions/AWS::AppMesh::Mesh.MeshServiceDiscovery", - "markdownDescription": "", + "markdownDescription": "An object that represents the service discovery information for a service mesh.", "title": "ServiceDiscovery" } }, @@ -25533,7 +25557,7 @@ }, "ControlScope": { "$ref": "#/definitions/AWS::Backup::Framework.ControlScope", - "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans.", + "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans.\n\nFor more information, see [`ControlScope` .](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_ControlScope.html)", "title": "ControlScope" } }, @@ -26723,13 +26747,9 @@ "additionalProperties": false, "properties": { "AccessPointId": { - "markdownDescription": "The Amazon EFS access point ID to use. If an access point is specified, the root directory value specified in the `EFSVolumeConfiguration` must either be omitted or set to `/` which enforces the path set on the EFS access point. If an access point is used, transit encryption must be enabled in the `EFSVolumeConfiguration` . For more information, see [Working with Amazon EFS access points](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html) in the *Amazon Elastic File System User Guide* .", - "title": "AccessPointId", "type": "string" }, "Iam": { - "markdownDescription": "Whether or not to use the AWS Batch job IAM role defined in a job definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the `EFSVolumeConfiguration` . If this parameter is omitted, the default value of `DISABLED` is used. For more information, see [Using Amazon EFS access points](https://docs.aws.amazon.com/batch/latest/userguide/efs-volumes.html#efs-volume-accesspoints) in the *AWS Batch User Guide* . EFS IAM authorization requires that `TransitEncryption` be `ENABLED` and that a `JobRoleArn` is specified.", - "title": "Iam", "type": "string" } }, @@ -26739,28 +26759,18 @@ "additionalProperties": false, "properties": { "AuthorizationConfig": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.EFSAuthorizationConfig", - "markdownDescription": "The authorization configuration details for the Amazon EFS file system.", - "title": "AuthorizationConfig" + "$ref": "#/definitions/AWS::Batch::JobDefinition.EFSAuthorizationConfig" }, "FileSystemId": { - "markdownDescription": "The Amazon EFS file system ID to use.", - "title": "FileSystemId", "type": "string" }, "RootDirectory": { - "markdownDescription": "The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume is used instead. Specifying `/` has the same effect as omitting this parameter. The maximum length is 4,096 characters.\n\n> If an EFS access point is specified in the `authorizationConfig` , the root directory parameter must either be omitted or set to `/` , which enforces the path set on the Amazon EFS access point.", - "title": "RootDirectory", "type": "string" }, "TransitEncryption": { - "markdownDescription": "Determines whether to enable encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be enabled if Amazon EFS IAM authorization is used. If this parameter is omitted, the default value of `DISABLED` is used. For more information, see [Encrypting data in transit](https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html) in the *Amazon Elastic File System User Guide* .", - "title": "TransitEncryption", "type": "string" }, "TransitEncryptionPort": { - "markdownDescription": "The port to use when sending encrypted data between the Amazon ECS host and the Amazon EFS server. If you don't specify a transit encryption port, it uses the port selection strategy that the Amazon EFS mount helper uses. The value must be between 0 and 65,535. For more information, see [EFS mount helper](https://docs.aws.amazon.com/efs/latest/ug/efs-mount-helper.html) in the *Amazon Elastic File System User Guide* .", - "title": "TransitEncryptionPort", "type": "number" } }, @@ -26966,13 +26976,11 @@ "properties": { "Labels": { "additionalProperties": true, - "markdownDescription": "Key-value pairs used to identify, sort, and organize cube resources. Can contain up to 63 uppercase letters, lowercase letters, numbers, hyphens (-), and underscores (_). Labels can be added or modified at any time. Each resource can have multiple labels, but each key must be unique for a given object.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Labels", "type": "object" } }, @@ -26985,36 +26993,24 @@ "items": { "$ref": "#/definitions/AWS::Batch::JobDefinition.EksContainer" }, - "markdownDescription": "The properties of the container that's used on the Amazon EKS pod.", - "title": "Containers", "type": "array" }, "DnsPolicy": { - "markdownDescription": "The DNS policy for the pod. The default value is `ClusterFirst` . If the `hostNetwork` parameter is not specified, the default is `ClusterFirstWithHostNet` . `ClusterFirst` indicates that any DNS query that does not match the configured cluster domain suffix is forwarded to the upstream nameserver inherited from the node. For more information, see [Pod's DNS policy](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) in the *Kubernetes documentation* .\n\nValid values: `Default` | `ClusterFirst` | `ClusterFirstWithHostNet`", - "title": "DnsPolicy", "type": "string" }, "HostNetwork": { - "markdownDescription": "Indicates if the pod uses the hosts' network IP address. The default value is `true` . Setting this to `false` enables the Kubernetes pod networking model. Most AWS Batch workloads are egress-only and don't require the overhead of IP allocation for each pod for incoming connections. For more information, see [Host namespaces](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces) and [Pod networking](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/workloads/pods/#pod-networking) in the *Kubernetes documentation* .", - "title": "HostNetwork", "type": "boolean" }, "Metadata": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.EksMetadata", - "markdownDescription": "Metadata about the Kubernetes pod. For more information, see [Understanding Kubernetes Objects](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/) in the *Kubernetes documentation* .", - "title": "Metadata" + "$ref": "#/definitions/AWS::Batch::JobDefinition.EksMetadata" }, "ServiceAccountName": { - "markdownDescription": "The name of the service account that's used to run the pod. For more information, see [Kubernetes service accounts](https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html) and [Configure a Kubernetes service account to assume an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) in the *Amazon EKS User Guide* and [Configure service accounts for pods](https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) in the *Kubernetes documentation* .", - "title": "ServiceAccountName", "type": "string" }, "Volumes": { "items": { "$ref": "#/definitions/AWS::Batch::JobDefinition.EksVolume" }, - "markdownDescription": "Specifies the volumes for a job definition that uses Amazon EKS resources.", - "title": "Volumes", "type": "array" } }, @@ -27153,8 +27149,6 @@ "additionalProperties": false, "properties": { "SourcePath": { - "markdownDescription": "The path on the host container instance that's presented to the container. If this parameter is empty, then the Docker daemon has assigned a host path for you. If this parameter contains a file location, then the data volume persists at the specified location on the host container instance until you delete it manually. If the source path location doesn't exist on the host container instance, the Docker daemon creates it. If the location does exist, the contents of the source path folder are exported.\n\n> This parameter isn't applicable to jobs that run on Fargate resources. Don't provide this for these jobs.", - "title": "SourcePath", "type": "string" } }, @@ -27164,8 +27158,6 @@ "additionalProperties": false, "properties": { "AttemptDurationSeconds": { - "markdownDescription": "The job timeout time (in seconds) that's measured from the job attempt's `startedAt` timestamp. After this time passes, AWS Batch terminates your jobs if they aren't finished. The minimum value for the timeout is 60 seconds.\n\nFor array jobs, the timeout applies to the child jobs, not to the parent array job.\n\nFor multi-node parallel (MNP) jobs, the timeout applies to the whole job, not to the individual nodes.", - "title": "AttemptDurationSeconds", "type": "number" } }, @@ -27250,18 +27242,12 @@ "additionalProperties": false, "properties": { "ContainerPath": { - "markdownDescription": "The path on the container where the host volume is mounted.", - "title": "ContainerPath", "type": "string" }, "ReadOnly": { - "markdownDescription": "If this value is `true` , the container has read-only access to the volume. Otherwise, the container can write to the volume. The default value is `false` .", - "title": "ReadOnly", "type": "boolean" }, "SourceVolume": { - "markdownDescription": "The name of the volume to mount.", - "title": "SourceVolume", "type": "string" } }, @@ -27455,18 +27441,12 @@ "additionalProperties": false, "properties": { "EfsVolumeConfiguration": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.EFSVolumeConfiguration", - "markdownDescription": "This parameter is specified when you're using an Amazon Elastic File System file system for job storage. Jobs that are running on Fargate resources must specify a `platformVersion` of at least `1.4.0` .", - "title": "EfsVolumeConfiguration" + "$ref": "#/definitions/AWS::Batch::JobDefinition.EFSVolumeConfiguration" }, "Host": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.Host", - "markdownDescription": "The contents of the `host` parameter determine whether your data volume persists on the host container instance and where it's stored. If the host parameter is empty, then the Docker daemon assigns a host path for your data volume. However, the data isn't guaranteed to persist after the containers that are associated with it stop running.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided.", - "title": "Host" + "$ref": "#/definitions/AWS::Batch::JobDefinition.Host" }, "Name": { - "markdownDescription": "The name of the volume. It can be up to 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), and underscores (_). This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .", - "title": "Name", "type": "string" } }, @@ -30773,7 +30753,7 @@ "items": { "type": "string" }, - "markdownDescription": "The analysis templates that are allowed by the custom analysis rule.", + "markdownDescription": "The ARN of the analysis templates that are allowed by the custom analysis rule.", "title": "AllowedAnalyses", "type": "array" }, @@ -30781,7 +30761,7 @@ "items": { "type": "string" }, - "markdownDescription": "The AWS accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` .", + "markdownDescription": "The IDs of the AWS accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` .", "title": "AllowedAnalysisProviders", "type": "array" } @@ -38333,7 +38313,7 @@ "title": "RegistryCredential" }, "Type": { - "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `ARM_LAMBDA_CONTAINER` and `LINUX_LAMBDA_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland), and South America (S\u00e3o Paulo).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", + "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `ARM_LAMBDA_CONTAINER` and `LINUX_LAMBDA_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland), and South America (S\u00e3o Paulo).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\n> If you're using compute fleets during project creation, `type` will be ignored. \n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", "title": "Type", "type": "string" } @@ -45174,20 +45154,20 @@ "title": "ExclusionByResourceTypes" }, "IncludeGlobalResourceTypes": { - "markdownDescription": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `includeGlobalResourceTypes` is not set to `true` . The `includeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > Before you set this field to `true` , set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `includeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `resourceTypes` field in addition to setting the `includeGlobalResourceTypes` field to false.", + "markdownDescription": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Canada West (Calgary)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `IncludeGlobalResourceTypes` is set to `false` . The `IncludeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > *IncludeGlobalResourceTypes and the exclusion recording strategy*\n> \n> The `IncludeGlobalResourceTypes` field has no impact on the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy. This means that the global IAM resource types ( IAM users, groups, roles, and customer managed policies) will not be automatically added as exclusions for `ExclusionByResourceTypes` when `IncludeGlobalResourceTypes` is set to `false` .\n> \n> The `IncludeGlobalResourceTypes` field should only be used to modify the `AllSupported` field, as the default for the `AllSupported` field is to record configuration changes for all supported resource types excluding the global IAM resource types. To include the global IAM resource types when `AllSupported` is set to `true` , make sure to set `IncludeGlobalResourceTypes` to `true` .\n> \n> To exclude the global IAM resource types for the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, you need to manually add them to the `ResourceTypes` field of `ExclusionByResourceTypes` . > *Required and optional fields*\n> \n> Before you set this field to `true` , set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `IncludeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `ResourceTypes` field in addition to setting the `IncludeGlobalResourceTypes` field to false.", "title": "IncludeGlobalResourceTypes", "type": "boolean" }, "RecordingStrategy": { "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy", - "markdownDescription": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "markdownDescription": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `ExclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `IncludeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `ResourceTypes` field of `ExclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Canada West (Calgary)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", "title": "RecordingStrategy" }, "ResourceTypes": { "items": { "type": "string" }, - "markdownDescription": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `resourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `allSupported` field to `false` and specify values for `resourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config .", + "markdownDescription": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `ResourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `AllSupported` field to `false` and specify values for `ResourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config .", "title": "ResourceTypes", "type": "array" } @@ -45248,7 +45228,7 @@ "additionalProperties": false, "properties": { "UseOnly": { - "markdownDescription": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "markdownDescription": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `AllSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `ResourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `ResourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `ExclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `IncludeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `ResourceTypes` field of `ExclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Canada West (Calgary)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", "title": "UseOnly", "type": "string" } @@ -64946,6 +64926,11 @@ "title": "SourceIpamPoolId", "type": "string" }, + "SourceResource": { + "$ref": "#/definitions/AWS::EC2::IPAMPool.SourceResource", + "markdownDescription": "The resource used to provision CIDRs to a resource planning pool.", + "title": "SourceResource" + }, "Tags": { "items": { "$ref": "#/definitions/Tag" @@ -64996,6 +64981,38 @@ ], "type": "object" }, + "AWS::EC2::IPAMPool.SourceResource": { + "additionalProperties": false, + "properties": { + "ResourceId": { + "markdownDescription": "The source resource ID.", + "title": "ResourceId", + "type": "string" + }, + "ResourceOwner": { + "markdownDescription": "The source resource owner.", + "title": "ResourceOwner", + "type": "string" + }, + "ResourceRegion": { + "markdownDescription": "The source resource Region.", + "title": "ResourceRegion", + "type": "string" + }, + "ResourceType": { + "markdownDescription": "The source resource type.", + "title": "ResourceType", + "type": "string" + } + }, + "required": [ + "ResourceId", + "ResourceOwner", + "ResourceRegion", + "ResourceType" + ], + "type": "object" + }, "AWS::EC2::IPAMPoolCidr": { "additionalProperties": false, "properties": { @@ -65412,7 +65429,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::Instance.ElasticGpuSpecification" }, - "markdownDescription": "An elastic GPU to associate with the instance. An Elastic GPU is a GPU resource that you can attach to your Windows instance to accelerate the graphics performance of your applications. For more information, see [Amazon EC2 Elastic GPUs](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html) in the *Amazon EC2 User Guide* .", + "markdownDescription": "Deprecated.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.", "title": "ElasticGpuSpecifications", "type": "array" }, @@ -66873,7 +66890,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.ElasticGpuSpecification" }, - "markdownDescription": "An elastic GPU to associate with the instance.", + "markdownDescription": "Deprecated.\n\n> Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.", "title": "ElasticGpuSpecifications", "type": "array" }, @@ -67435,7 +67452,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include an Elastic GPU.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", + "markdownDescription": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include a volume.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "title": "ResourceType", "type": "string" }, @@ -68034,7 +68051,7 @@ "additionalProperties": false, "properties": { "CidrBlock": { - "markdownDescription": "The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). Requirement is conditional: You must specify the `CidrBlock` or `Ipv6CidrBlock` property.", + "markdownDescription": "The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). You must specify an IPv4 CIDR block or an IPv6 CIDR block.", "title": "CidrBlock", "type": "string" }, @@ -68045,11 +68062,11 @@ }, "Icmp": { "$ref": "#/definitions/AWS::EC2::NetworkAclEntry.Icmp", - "markdownDescription": "The Internet Control Message Protocol (ICMP) code and type. Requirement is conditional: Required if specifying 1 (ICMP) for the protocol parameter.", + "markdownDescription": "The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter.", "title": "Icmp" }, "Ipv6CidrBlock": { - "markdownDescription": "The IPv6 network range to allow or deny, in CIDR notation. Requirement is conditional: You must specify the `CidrBlock` or `Ipv6CidrBlock` property.", + "markdownDescription": "The IPv6 network range to allow or deny, in CIDR notation. You must specify an IPv4 CIDR block or an IPv6 CIDR block.", "title": "Ipv6CidrBlock", "type": "string" }, @@ -68060,7 +68077,7 @@ }, "PortRange": { "$ref": "#/definitions/AWS::EC2::NetworkAclEntry.PortRange", - "markdownDescription": "The range of port numbers for the UDP/TCP protocol. Conditional required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.", + "markdownDescription": "The range of port numbers for the UDP/TCP protocol. Required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.", "title": "PortRange" }, "Protocol": { @@ -68112,7 +68129,7 @@ "additionalProperties": false, "properties": { "Code": { - "markdownDescription": "The Internet Control Message Protocol (ICMP) code. You can use -1 to specify all ICMP codes for the given ICMP type. Requirement is conditional: Required if you specify 1 (ICMP) for the protocol parameter.", + "markdownDescription": "The Internet Control Message Protocol (ICMP) code. You can use -1 to specify all ICMP codes for the given ICMP type. Required if you specify 1 (ICMP) for the protocol parameter.", "title": "Code", "type": "number" }, @@ -69426,6 +69443,11 @@ "Properties": { "additionalProperties": false, "properties": { + "ConnectionTrackingSpecification": { + "$ref": "#/definitions/AWS::EC2::NetworkInterface.ConnectionTrackingSpecification", + "markdownDescription": "A connection tracking specification for the network interface.", + "title": "ConnectionTrackingSpecification" + }, "Description": { "markdownDescription": "A description for the network interface.", "title": "Description", @@ -69546,6 +69568,27 @@ ], "type": "object" }, + "AWS::EC2::NetworkInterface.ConnectionTrackingSpecification": { + "additionalProperties": false, + "properties": { + "TcpEstablishedTimeout": { + "markdownDescription": "Timeout (in seconds) for idle TCP connections in an established state. Min: 60 seconds. Max: 432000 seconds (5 days). Default: 432000 seconds. Recommended: Less than 432000 seconds.", + "title": "TcpEstablishedTimeout", + "type": "number" + }, + "UdpStreamTimeout": { + "markdownDescription": "Timeout (in seconds) for idle UDP flows classified as streams which have seen more than one request-response transaction. Min: 60 seconds. Max: 180 seconds (3 minutes). Default: 180 seconds.", + "title": "UdpStreamTimeout", + "type": "number" + }, + "UdpTimeout": { + "markdownDescription": "Timeout (in seconds) for idle UDP flows that have seen traffic only in a single direction or a single request-response transaction. Min: 30 seconds. Max: 60 seconds. Default: 30 seconds.", + "title": "UdpTimeout", + "type": "number" + } + }, + "type": "object" + }, "AWS::EC2::NetworkInterface.InstanceIpv6Address": { "additionalProperties": false, "properties": { @@ -70333,7 +70376,7 @@ "type": "array" }, "VpcId": { - "markdownDescription": "The ID of the VPC for the security group.", + "markdownDescription": "The ID of the VPC for the security group. If you do not specify a VPC, the default is to use the default VPC for the Region. If there's no specified VPC and no default VPC, security group creation fails.", "title": "VpcId", "type": "string" } @@ -70393,7 +70436,7 @@ "type": "string" }, "FromPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).", "title": "FromPort", "type": "number" }, @@ -70403,7 +70446,7 @@ "type": "string" }, "ToPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).", "title": "ToPort", "type": "number" } @@ -70432,7 +70475,7 @@ "type": "string" }, "FromPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).", "title": "FromPort", "type": "number" }, @@ -70447,7 +70490,7 @@ "type": "string" }, "SourceSecurityGroupId": { - "markdownDescription": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.", + "markdownDescription": "The ID of the security group.", "title": "SourceSecurityGroupId", "type": "string" }, @@ -70462,7 +70505,7 @@ "type": "string" }, "ToPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).", "title": "ToPort", "type": "number" } @@ -70533,7 +70576,7 @@ "type": "string" }, "FromPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).", "title": "FromPort", "type": "number" }, @@ -70548,7 +70591,7 @@ "type": "string" }, "ToPort": { - "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.", + "markdownDescription": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).", "title": "ToPort", "type": "number" } @@ -71839,7 +71882,7 @@ "additionalProperties": false, "properties": { "AssignIpv6AddressOnCreation": { - "markdownDescription": "Indicates whether a network interface created in this subnet receives an IPv6 address. The default value is `false` .\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify `Ipv6CidrBlock` .", + "markdownDescription": "Indicates whether a network interface created in this subnet receives an IPv6 address. The default value is `false` .\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify an IPv6 CIDR block.", "title": "AssignIpv6AddressOnCreation", "type": "boolean" }, @@ -71874,7 +71917,7 @@ "type": "number" }, "Ipv6CidrBlock": { - "markdownDescription": "The IPv6 CIDR block.\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify `Ipv6CidrBlock` .", + "markdownDescription": "The IPv6 CIDR block.\n\nIf you specify `AssignIpv6AddressOnCreation` , you must also specify an IPv6 CIDR block.", "title": "Ipv6CidrBlock", "type": "string" }, @@ -71882,7 +71925,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The IPv6 network ranges for the subnet, in CIDR notation.", "title": "Ipv6CidrBlocks", "type": "array" }, @@ -72013,7 +72056,7 @@ "additionalProperties": false, "properties": { "Ipv6CidrBlock": { - "markdownDescription": "The IPv6 network range for the subnet, in CIDR notation. This parameter is required for an IPv6 only subnet.", + "markdownDescription": "The IPv6 network range for the subnet, in CIDR notation.", "title": "Ipv6CidrBlock", "type": "string" }, @@ -78733,6 +78776,11 @@ "AWS::ECS::TaskDefinition.Volume": { "additionalProperties": false, "properties": { + "ConfiguredAtLaunch": { + "markdownDescription": "Indicates whether the volume should be configured at launch time. This is used to create Amazon EBS volumes for standalone tasks or tasks created as part of a service. Each task definition revision may only have one volume configured at launch in the volume configuration.\n\nTo configure a volume at launch time, use this task definition revision and specify a `volumeConfigurations` object when calling the `CreateService` , `UpdateService` , `RunTask` or `StartTask` APIs.", + "title": "ConfiguredAtLaunch", + "type": "boolean" + }, "DockerVolumeConfiguration": { "$ref": "#/definitions/AWS::ECS::TaskDefinition.DockerVolumeConfiguration", "markdownDescription": "This parameter is specified when you use Docker volumes.\n\nWindows containers only support the use of the `local` driver. To use bind mounts, specify the `host` parameter instead.\n\n> Docker volumes aren't supported by tasks run on AWS Fargate .", @@ -105929,8 +105977,7 @@ }, "required": [ "Format", - "Location", - "Name" + "Location" ], "type": "object" }, @@ -106214,8 +106261,7 @@ }, "required": [ "Format", - "Location", - "Name" + "Location" ], "type": "object" }, @@ -108307,7 +108353,7 @@ "items": { "type": "string" }, - "markdownDescription": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "markdownDescription": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/LowLatencyUserGuide/record-to-s3.html) .", "title": "Renditions", "type": "array" } @@ -108337,7 +108383,7 @@ "type": "string" }, "Resolution": { - "markdownDescription": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "markdownDescription": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/LowLatencyUserGuide/record-to-s3.html) .", "title": "Resolution", "type": "string" }, @@ -108350,7 +108396,7 @@ "type": "array" }, "TargetIntervalSeconds": { - "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60.", + "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/LowLatencyUserGuide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60.", "title": "TargetIntervalSeconds", "type": "number" } @@ -111863,7 +111909,7 @@ "properties": { "S3Config": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.S3Config", - "markdownDescription": "The configuration information for publishing Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs.", + "markdownDescription": "The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3.", "title": "S3Config" } }, @@ -111894,17 +111940,17 @@ "additionalProperties": false, "properties": { "BucketName": { - "markdownDescription": "The Amazon S3 bucket name.", + "markdownDescription": "The Amazon S3 bucket name for internet measurements publishing.", "title": "BucketName", "type": "string" }, "BucketPrefix": { - "markdownDescription": "The Amazon S3 bucket prefix.", + "markdownDescription": "An optional Amazon S3 bucket prefix for internet measurements publishing.", "title": "BucketPrefix", "type": "string" }, "LogDeliveryStatus": { - "markdownDescription": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket.", + "markdownDescription": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise.", "title": "LogDeliveryStatus", "type": "string" } @@ -113122,9 +113168,6 @@ "title": "ServerCertificateArns", "type": "array" }, - "ServerCertificateConfig": { - "$ref": "#/definitions/AWS::IoT::DomainConfiguration.ServerCertificateConfig" - }, "ServiceType": { "markdownDescription": "The type of service delivered by the endpoint.\n\n> AWS IoT Core currently supports only the `DATA` service type.", "title": "ServiceType", @@ -113187,15 +113230,6 @@ }, "type": "object" }, - "AWS::IoT::DomainConfiguration.ServerCertificateConfig": { - "additionalProperties": false, - "properties": { - "EnableOCSPCheck": { - "type": "boolean" - } - }, - "type": "object" - }, "AWS::IoT::DomainConfiguration.ServerCertificateSummary": { "additionalProperties": false, "properties": { @@ -140803,7 +140837,7 @@ "additionalProperties": false, "properties": { "PolicyDocument": { - "markdownDescription": "Specify the data protection policy, in JSON.\n\nThis policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly.", + "markdownDescription": "Specify the policy, in JSON.\n\n*Data protection policy*\n\nA data protection policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly. \n\nIn addition to the two JSON blocks, the `policyDocument` can also include `Name` , `Description` , and `Version` fields. The `Name` is different than the operation's `policyName` parameter, and is used as a dimension when CloudWatch Logs reports audit findings metrics to CloudWatch .\n\nThe JSON specified in `policyDocument` can be up to 30,720 characters long.\n\n*Subscription filter policy*\n\nA subscription filter policy can include the following attributes in a JSON block:\n\n- *DestinationArn* The ARN of the destination to deliver log events to. Supported destinations are:\n\n- An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.\n- An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.\n- A Lambda function in the same account as the subscription policy, for same-account delivery.\n- A logical destination in a different account created with [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html) , for cross-account delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.\n- *RoleArn* The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log events to the destination stream. You don't need to provide the ARN when you are working with a logical destination for cross-account delivery.\n- *FilterPattern* A filter pattern for subscribing to a filtered stream of log events.\n- *Distribution* The method used to distribute log data to the destination. By default, log data is grouped by log stream, but the grouping can be set to `Random` for a more even distribution. This property is only applicable when the destination is an Kinesis Data Streams data stream.", "title": "PolicyDocument", "type": "string" }, @@ -140813,14 +140847,19 @@ "type": "string" }, "PolicyType": { - "markdownDescription": "Currently the only valid value for this parameter is `DATA_PROTECTION_POLICY` .", + "markdownDescription": "The type of policy that you're creating or updating.", "title": "PolicyType", "type": "string" }, "Scope": { - "markdownDescription": "Currently the only valid value for this parameter is `ALL` , which specifies that the data protection policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used.", + "markdownDescription": "Currently the only valid value for this parameter is `ALL` , which specifies that the policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used. To scope down a subscription filter policy to a subset of log groups, use the `selectionCriteria` parameter.", "title": "Scope", "type": "string" + }, + "SelectionCriteria": { + "markdownDescription": "Use this parameter to apply a subscription filter policy to a subset of log groups in the account. Currently, the only supported filter is `LogGroupName NOT IN []` . The `selectionCriteria` string can be up to 25KB in length. The length is determined by using its UTF-8 bytes.\n\nUsing the `selectionCriteria` parameter is useful to help prevent infinite loops. For more information, see [Log recursion prevention](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions-recursion-prevention.html) .\n\nSpecifing `selectionCriteria` is valid only when you specify `SUBSCRIPTION_FILTER_POLICY` for `policyType` .", + "title": "SelectionCriteria", + "type": "string" } }, "required": [ @@ -148756,6 +148795,41 @@ }, "type": "object" }, + "AWS::MediaLive::Channel.ColorCorrection": { + "additionalProperties": false, + "properties": { + "InputColorSpace": { + "markdownDescription": "", + "title": "InputColorSpace", + "type": "string" + }, + "OutputColorSpace": { + "markdownDescription": "", + "title": "OutputColorSpace", + "type": "string" + }, + "Uri": { + "markdownDescription": "", + "title": "Uri", + "type": "string" + } + }, + "type": "object" + }, + "AWS::MediaLive::Channel.ColorCorrectionSettings": { + "additionalProperties": false, + "properties": { + "GlobalColorCorrections": { + "items": { + "$ref": "#/definitions/AWS::MediaLive::Channel.ColorCorrection" + }, + "markdownDescription": "", + "title": "GlobalColorCorrections", + "type": "array" + } + }, + "type": "object" + }, "AWS::MediaLive::Channel.ColorSpacePassthroughSettings": { "additionalProperties": false, "properties": {}, @@ -149174,6 +149248,11 @@ "title": "CaptionDescriptions", "type": "array" }, + "ColorCorrectionSettings": { + "$ref": "#/definitions/AWS::MediaLive::Channel.ColorCorrectionSettings", + "markdownDescription": "", + "title": "ColorCorrectionSettings" + }, "FeatureActivations": { "$ref": "#/definitions/AWS::MediaLive::Channel.FeatureActivations", "markdownDescription": "Settings to enable specific features.", @@ -163505,6 +163584,11 @@ "AWS::OpenSearchService::Domain.ClusterConfig": { "additionalProperties": false, "properties": { + "ColdStorageOptions": { + "$ref": "#/definitions/AWS::OpenSearchService::Domain.ColdStorageOptions", + "markdownDescription": "Specifies cold storage options for the domain.", + "title": "ColdStorageOptions" + }, "DedicatedMasterCount": { "markdownDescription": "The number of instances to use for the master node. If you specify this property, you must specify `true` for the `DedicatedMasterEnabled` property.", "title": "DedicatedMasterCount", @@ -163589,6 +163673,17 @@ }, "type": "object" }, + "AWS::OpenSearchService::Domain.ColdStorageOptions": { + "additionalProperties": false, + "properties": { + "Enabled": { + "markdownDescription": "Whether to enable or disable cold storage on the domain. You must enable UltraWarm storage in order to enable cold storage.", + "title": "Enabled", + "type": "boolean" + } + }, + "type": "object" + }, "AWS::OpenSearchService::Domain.DomainEndpointOptions": { "additionalProperties": false, "properties": { @@ -174027,6 +174122,14 @@ "markdownDescription": "", "title": "Definition" }, + "Errors": { + "items": { + "$ref": "#/definitions/AWS::QuickSight::Analysis.AnalysisError" + }, + "markdownDescription": "Errors associated with the analysis.", + "title": "Errors", + "type": "array" + }, "Name": { "markdownDescription": "A descriptive name for the analysis that you're creating. This name displays for the analysis in the Amazon QuickSight console.", "title": "Name", @@ -174045,6 +174148,14 @@ "title": "Permissions", "type": "array" }, + "Sheets": { + "items": { + "$ref": "#/definitions/AWS::QuickSight::Analysis.Sheet" + }, + "markdownDescription": "A list of the associated sheets with the unique identifier and name of each sheet.", + "title": "Sheets", + "type": "array" + }, "SourceEntity": { "$ref": "#/definitions/AWS::QuickSight::Analysis.AnalysisSourceEntity", "markdownDescription": "A source entity to use for the analysis that you're creating. This metadata structure contains details that describe a source template and one or more datasets.\n\nEither a `SourceEntity` or a `Definition` must be provided in order for the request to be valid.", @@ -182929,9 +183040,6 @@ "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" - }, - "Resource": { - "type": "string" } }, "required": [ @@ -195199,9 +195307,6 @@ "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" - }, - "Resource": { - "type": "string" } }, "required": [ @@ -209335,9 +209440,6 @@ "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" - }, - "Resource": { - "type": "string" } }, "required": [ @@ -212794,9 +212896,6 @@ "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" - }, - "Resource": { - "type": "string" } }, "required": [ @@ -213101,6 +213200,11 @@ "markdownDescription": "The ID for the topic. This ID is unique per AWS Region for each AWS account.", "title": "TopicId", "type": "string" + }, + "UserExperienceVersion": { + "markdownDescription": "The user experience version of a topic.", + "title": "UserExperienceVersion", + "type": "string" } }, "type": "object" @@ -217117,11 +217221,21 @@ "title": "MaintenanceTrackName", "type": "string" }, + "ManageMasterPassword": { + "markdownDescription": "If `true` , Amazon Redshift uses AWS Secrets Manager to manage this cluster's admin credentials. You can't use `MasterUserPassword` if `ManageMasterPassword` is true. If `ManageMasterPassword` is false or not set, Amazon Redshift uses `MasterUserPassword` for the admin user account's password.", + "title": "ManageMasterPassword", + "type": "boolean" + }, "ManualSnapshotRetentionPeriod": { "markdownDescription": "The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots.\n\nThe value must be either -1 or an integer between 1 and 3,653.", "title": "ManualSnapshotRetentionPeriod", "type": "number" }, + "MasterPasswordSecretKmsKeyId": { + "markdownDescription": "The ID of the AWS Key Management Service (KMS) key used to encrypt and store the cluster's admin credentials secret. You can only use this parameter if `ManageMasterPassword` is true.", + "title": "MasterPasswordSecretKmsKeyId", + "type": "string" + }, "MasterUserPassword": { "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nYou can't use `MasterUserPassword` if `ManageMasterPassword` is `true` .\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", "title": "MasterUserPassword", @@ -217137,6 +217251,11 @@ "title": "MultiAZ", "type": "boolean" }, + "NamespaceResourcePolicy": { + "markdownDescription": "The policy that is attached to a resource.", + "title": "NamespaceResourcePolicy", + "type": "object" + }, "NodeType": { "markdownDescription": "The node type to be provisioned for the cluster. For information about node types, go to [Working with Clusters](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes) in the *Amazon Redshift Cluster Management Guide* .\n\nValid Values: `ds2.xlarge` | `ds2.8xlarge` | `dc1.large` | `dc1.8xlarge` | `dc2.large` | `dc2.8xlarge` | `ra3.xlplus` | `ra3.4xlarge` | `ra3.16xlarge`", "title": "NodeType", @@ -217227,7 +217346,6 @@ "required": [ "ClusterType", "DBName", - "MasterUserPassword", "MasterUsername", "NodeType" ], @@ -217284,9 +217402,6 @@ "type": "string" } }, - "required": [ - "BucketName" - ], "type": "object" }, "AWS::Redshift::ClusterParameterGroup": { @@ -225410,7 +225525,7 @@ }, "TargetObjectKeyFormat": { "$ref": "#/definitions/AWS::S3::Bucket.TargetObjectKeyFormat", - "markdownDescription": "Amazon S3 key format for log objects. Only one format, PartitionedPrefix or SimplePrefix, is allowed.", + "markdownDescription": "Amazon S3 key format for log objects. Only one format, either PartitionedPrefix or SimplePrefix, is allowed.", "title": "TargetObjectKeyFormat" } }, @@ -226086,7 +226201,7 @@ "additionalProperties": false, "properties": { "KMSMasterKeyID": { - "markdownDescription": "KMS key ID to use for the default encryption. This parameter is allowed if SSEAlgorithm is aws:kms.\n\nYou can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the CMK. However, if you are using encryption with cross-account operations, you must use a fully qualified CMK ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy) .\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n\n> Amazon S3 only supports symmetric KMS keys and not asymmetric KMS keys. For more information, see [Using Symmetric and Asymmetric Keys](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "AWS Key Management Service (KMS) customer AWS KMS key ID to use for the default encryption. This parameter is allowed if and only if `SSEAlgorithm` is set to `aws:kms` or `aws:kms:dsse` .\n\nYou can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key Alias: `alias/alias-name`\n\nIf you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.\n\nIf you are using encryption with cross-account or AWS service operations you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy) .\n\n> Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .", "title": "KMSMasterKeyID", "type": "string" }, @@ -236186,6 +236301,11 @@ "markdownDescription": "Tags used to define a `FeatureGroup` .", "title": "Tags", "type": "array" + }, + "ThroughputConfig": { + "$ref": "#/definitions/AWS::SageMaker::FeatureGroup.ThroughputConfig", + "markdownDescription": "Used to set feature group throughput configuration. There are two modes: `ON_DEMAND` and `PROVISIONED` . With on-demand mode, you are charged for data reads and writes that your application performs on your feature group. You do not need to specify read and write throughput because Feature Store accommodates your workloads as they ramp up and down. You can switch a feature group to on-demand only once in a 24 hour period. With provisioned throughput mode, you specify the read and write capacity per second that you expect your application to require, and you are billed based on those limits. Exceeding provisioned throughput will result in your requests being throttled.\n\nNote: `PROVISIONED` throughput mode is supported only for feature groups that are offline-only, or use the [`Standard`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_OnlineStoreConfig.html#sagemaker-Type-OnlineStoreConfig-StorageType) tier online store.", + "title": "ThroughputConfig" } }, "required": [ @@ -236343,6 +236463,30 @@ ], "type": "object" }, + "AWS::SageMaker::FeatureGroup.ThroughputConfig": { + "additionalProperties": false, + "properties": { + "ProvisionedReadCapacityUnits": { + "markdownDescription": "For provisioned feature groups with online store enabled, this indicates the read throughput you are billed for and can consume without throttling.\n\nThis field is not applicable for on-demand feature groups.", + "title": "ProvisionedReadCapacityUnits", + "type": "number" + }, + "ProvisionedWriteCapacityUnits": { + "markdownDescription": "For provisioned feature groups, this indicates the write throughput you are billed for and can consume without throttling.\n\nThis field is not applicable for on-demand feature groups.", + "title": "ProvisionedWriteCapacityUnits", + "type": "number" + }, + "ThroughputMode": { + "markdownDescription": "The mode used for your feature group throughput: `ON_DEMAND` or `PROVISIONED` .", + "title": "ThroughputMode", + "type": "string" + } + }, + "required": [ + "ThroughputMode" + ], + "type": "object" + }, "AWS::SageMaker::Image": { "additionalProperties": false, "properties": { @@ -251475,7 +251619,8 @@ } }, "required": [ - "Definition" + "Definition", + "PolicyStoreId" ], "type": "object" }, @@ -251614,6 +251759,11 @@ "Properties": { "additionalProperties": false, "properties": { + "Description": { + "markdownDescription": "Descriptive text that you can provide to help with identification of the current policy store.", + "title": "Description", + "type": "string" + }, "Schema": { "$ref": "#/definitions/AWS::VerifiedPermissions::PolicyStore.SchemaDefinition", "markdownDescription": "Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.", From b65c647420a8d18484884238a6ba461c1441bacc Mon Sep 17 00:00:00 2001 From: aws-sam-cli-bot <46753707+aws-sam-cli-bot@users.noreply.github.com> Date: Thu, 15 Feb 2024 18:23:55 +0000 Subject: [PATCH 3/4] chore: bump version to 1.85.0 --- samtranslator/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samtranslator/__init__.py b/samtranslator/__init__.py index 9e18d77e2..6dc92b979 100644 --- a/samtranslator/__init__.py +++ b/samtranslator/__init__.py @@ -1 +1 @@ -__version__ = "1.83.0" +__version__ = "1.85.0" From d7af8898335096e17b07e3a6a21b00026f7f7db5 Mon Sep 17 00:00:00 2001 From: Grace Luo <54298030+gracelu0@users.noreply.github.com> Date: Thu, 15 Feb 2024 10:30:28 -0800 Subject: [PATCH 4/4] Update __init__.py --- samtranslator/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samtranslator/__init__.py b/samtranslator/__init__.py index 25945bb72..6dc92b979 100644 --- a/samtranslator/__init__.py +++ b/samtranslator/__init__.py @@ -1 +1 @@ -__version__ = "1.85.0" \ No newline at end of file +__version__ = "1.85.0"