Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: update L1 CloudFormation resource definitions (#30722)
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-applicationsignals
│ └ resources
│ └[~] resource AWS::ApplicationSignals::ServiceLevelObjective
│ ├ - documentation: Resource Type definition for AWS::ApplicationSignals::ServiceLevelObjective
│ │ + documentation: Creates or updates a service level objective (SLO), which can help you ensure that your critical business operations are meeting customer expectations. Use SLOs to set and track specific target levels for the reliability and availability of your applications and services. SLOs use service level indicators (SLIs) to calculate whether the application is performing at the level that you want.
│ │ Create an SLO to set a target for a service or operation’s availability or latency. CloudWatch measures this target frequently you can find whether it has been breached.
│ │ When you create an SLO, you set an *attainment goal* for it. An *attainment goal* is the ratio of good periods that meet the threshold requirements to the total periods within the interval. For example, an attainment goal of 99.9% means that within your interval, you are targeting 99.9% of the periods to be in healthy state.
│ │ After you have created an SLO, you can retrieve error budget reports for it. An *error budget* is the number of periods or amount of time that your service can accumulate during an interval before your overall SLO budget health is breached and the SLO is considered to be unmet. for example, an SLO with a threshold that 99.95% of requests must be completed under 2000ms every month translates to an error budget of 21.9 minutes of downtime per month.
│ │ When you call this operation, Application Signals creates the *AWSServiceRoleForCloudWatchApplicationSignals* service-linked role, if it doesn't already exist in your account. This service- linked role has the following permissions:
│ │ - `xray:GetServiceGraph`
│ │ - `logs:StartQuery`
│ │ - `logs:GetQueryResults`
│ │ - `cloudwatch:GetMetricData`
│ │ - `cloudwatch:ListMetrics`
│ │ - `tag:GetResources`
│ │ - `autoscaling:DescribeAutoScalingGroups`
│ │ You can easily set SLO targets for your applications that are discovered by Application Signals, using critical metrics such as latency and availability. You can also set SLOs against any CloudWatch metric or math expression that produces a time series.
│ │ For more information about SLOs, see [Service level objectives (SLOs)](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-ServiceLevelObjectives.html) .
│ ├ properties
│ │ ├ Description: (documentation changed)
│ │ ├ Goal: (documentation changed)
│ │ ├ Name: (documentation changed)
│ │ ├ Sli: (documentation changed)
│ │ └ Tags: (documentation changed)
│ ├ attributes
│ │ ├ CreatedTime: (documentation changed)
│ │ └ LastUpdatedTime: (documentation changed)
│ └ types
│ ├[~] type CalendarInterval
│ │ └ properties
│ │ ├ Duration: (documentation changed)
│ │ └ StartTime: (documentation changed)
│ ├[~] type Dimension
│ │ ├ - documentation: A dimension is a name/value pair that is part of the identity of a metric. Because dimensions are part of the unique identifier for a metric, whenever you add a unique name/value pair to one of your metrics, you are creating a new variation of that metric. For example, many Amazon EC2 metrics publish `InstanceId` as a dimension name, and the actual instance ID as the value for that dimension. You can assign up to 30 dimensions to a metric.
│ │ │ + documentation: A dimension is a name/value pair that is part of the identity of a metric. Because dimensions are part of the unique identifier for a metric, whenever you add a unique name/value pair to one of your metrics, you are creating a new variation of that metric. For example, many Amazon EC2 metrics publish `InstanceId` as a dimension name, and the actual instance ID as the value for that dimension.
│ │ │ You can assign up to 30 dimensions to a metric.
│ │ └ properties
│ │ ├ Name: (documentation changed)
│ │ └ Value: (documentation changed)
│ ├[~] type Goal
│ │ ├ - documentation: A structure that contains the attributes that determine the goal of the SLO. This includes the time period for evaluation and the attainment threshold.
│ │ │ + documentation: This structure contains the attributes that determine the goal of an SLO. This includes the time period for evaluation and the attainment threshold.
│ │ └ properties
│ │ ├ AttainmentGoal: (documentation changed)
│ │ └ Interval: (documentation changed)
│ ├[~] type Interval
│ │ ├ - documentation: The time period used to evaluate the SLO. It can be either a calendar interval or rolling interval.
│ │ │ If you omit this parameter, a rolling interval of 7 days is used.
│ │ │ + documentation: The time period used to evaluate the SLO. It can be either a calendar interval or rolling interval.
│ │ └ properties
│ │ ├ CalendarInterval: (documentation changed)
│ │ └ RollingInterval: (documentation changed)
│ ├[~] type Metric
│ │ ├ - documentation: This structure defines the metric used for a service level indicator, including the metric name, namespace, and dimensions.
│ │ │ + documentation: This structure defines the metric used for a service level indicator, including the metric name, namespace, and dimensions
│ │ └ properties
│ │ ├ Dimensions: (documentation changed)
│ │ └ Namespace: (documentation changed)
│ ├[~] type MetricDataQuery
│ │ ├ - documentation: Use this structure to define a metric or metric math expression that you want to use as for a service level objective.
│ │ │ Each `MetricDataQuery` in the `MetricDataQueries` array specifies either a metric to retrieve, or a metric math expression to be performed on retrieved metrics. A single `MetricDataQueries` array can include as many as 20 `MetricDataQuery` structures in the array. The 20 structures can include as many as 10 structures that contain a `MetricStat` parameter to retrieve a metric, and as many as 10 structures that contain the `Expression` parameter to perform a math expression. Of those Expression structures, exactly one must have true as the value for `ReturnData`. The result of this expression used for the SLO.
│ │ │ + documentation: Use this structure to define a metric or metric math expression that you want to use as for a service level objective.
│ │ │ Each `MetricDataQuery` in the `MetricDataQueries` array specifies either a metric to retrieve, or a metric math expression to be performed on retrieved metrics. A single `MetricDataQueries` array can include as many as 20 `MetricDataQuery` structures in the array. The 20 structures can include as many as 10 structures that contain a `MetricStat` parameter to retrieve a metric, and as many as 10 structures that contain the `Expression` parameter to perform a math expression. Of those `Expression` structures, exactly one must have true as the value for `ReturnData` . The result of this expression used for the SLO.
│ │ │ For more information about metric math expressions, see [Use metric math](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-metric-math.html) .
│ │ │ Within each `MetricDataQuery` object, you must specify either `Expression` or `MetricStat` but not both.
│ │ └ properties
│ │ ├ AccountId: (documentation changed)
│ │ ├ Expression: (documentation changed)
│ │ ├ Id: (documentation changed)
│ │ ├ MetricStat: (documentation changed)
│ │ └ ReturnData: (documentation changed)
│ ├[~] type MetricStat
│ │ ├ - documentation: A metric to be used directly for the SLO, or to be used in the math expression that will be used for the SLO. Within one MetricDataQuery object, you must specify either Expression or MetricStat but not both.
│ │ │ + documentation: This structure defines the metric to be used as the service level indicator, along with the statistics, period, and unit.
│ │ └ properties
│ │ ├ Metric: (documentation changed)
│ │ ├ Period: (documentation changed)
│ │ ├ Stat: (documentation changed)
│ │ └ Unit: (documentation changed)
│ ├[~] type RollingInterval
│ │ ├ - documentation: If the interval is a calendar interval, this structure contains the interval specifications.
│ │ │ + documentation: If the interval for this SLO is a rolling interval, this structure contains the interval specifications.
│ │ └ properties
│ │ ├ Duration: (documentation changed)
│ │ └ DurationUnit: (documentation changed)
│ ├[~] type Sli
│ │ ├ - documentation: This structure contains information about the performance metric that an SLO monitors.
│ │ │ + documentation: This structure specifies the information about the service and the performance metric that an SLO is to monitor.
│ │ └ properties
│ │ ├ ComparisonOperator: (documentation changed)
│ │ └ SliMetric: (documentation changed)
│ └[~] type SliMetric
│ ├ - documentation: A structure that contains information about the metric that the SLO monitors.
│ │ + documentation: Use this structure to specify the metric to be used for the SLO.
│ └ properties
│ ├ KeyAttributes: (documentation changed)
│ ├ MetricDataQueries: (documentation changed)
│ ├ MetricType: (documentation changed)
│ ├ OperationName: (documentation changed)
│ └ Statistic: (documentation changed)
├[~] service aws-apptest
│ └ resources
│ └[~] resource AWS::AppTest::TestCase
│ ├ - documentation: Represents a Test Case that can be captured and executed
│ │ + documentation: Creates a test case for an application.
│ │ For more information about test cases, see [Test cases](https://docs.aws.amazon.com/m2/latest/userguide/testing-test-cases.html) and [Application Testing concepts](https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html) in the *AWS Mainframe Modernization User Guide* .
│ ├ properties
│ │ ├ Description: (documentation changed)
│ │ ├ Name: (documentation changed)
│ │ ├ Steps: (documentation changed)
│ │ └ Tags: (documentation changed)
│ ├ attributes
│ │ ├ CreationTime: (documentation changed)
│ │ ├ LastUpdateTime: (documentation changed)
│ │ ├ Status: (documentation changed)
│ │ ├ TestCaseArn: (documentation changed)
│ │ ├ TestCaseId: (documentation changed)
│ │ └ TestCaseVersion: (documentation changed)
│ └ types
│ ├[~] type Batch
│ │ ├ - documentation: undefined
│ │ │ + documentation: Defines a batch.
│ │ └ properties
│ │ ├ BatchJobName: (documentation changed)
│ │ ├ BatchJobParameters: (documentation changed)
│ │ └ ExportDataSetNames: (documentation changed)
│ ├[~] type CloudFormationAction
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the CloudFormation action.
│ │ └ properties
│ │ ├ ActionType: (documentation changed)
│ │ └ Resource: (documentation changed)
│ ├[~] type CompareAction
│ │ ├ - documentation: undefined
│ │ │ + documentation: Compares the action.
│ │ └ properties
│ │ ├ Input: (documentation changed)
│ │ └ Output: (documentation changed)
│ ├[~] type DatabaseCDC
│ │ ├ - documentation: undefined
│ │ │ + documentation: Defines the Change Data Capture (CDC) of the database.
│ │ └ properties
│ │ ├ SourceMetadata: (documentation changed)
│ │ └ TargetMetadata: (documentation changed)
│ ├[~] type DataSet
│ │ ├ - documentation: undefined
│ │ │ + documentation: Defines a data set.
│ │ └ properties
│ │ ├ Ccsid: (documentation changed)
│ │ ├ Format: (documentation changed)
│ │ ├ Length: (documentation changed)
│ │ ├ Name: (documentation changed)
│ │ └ Type: (documentation changed)
│ ├[~] type FileMetadata
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies a file metadata.
│ │ └ properties
│ │ ├ DatabaseCDC: (documentation changed)
│ │ └ DataSets: (documentation changed)
│ ├[~] type Input
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the input.
│ │ └ properties
│ │ └ File: (documentation changed)
│ ├[~] type InputFile
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the input file.
│ │ └ properties
│ │ ├ FileMetadata: (documentation changed)
│ │ ├ SourceLocation: (documentation changed)
│ │ └ TargetLocation: (documentation changed)
│ ├[~] type M2ManagedActionProperties
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the AWS Mainframe Modernization managed action properties.
│ │ └ properties
│ │ ├ ForceStop: (documentation changed)
│ │ └ ImportDataSetLocation: (documentation changed)
│ ├[~] type M2ManagedApplicationAction
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the AWS Mainframe Modernization managed application action.
│ │ └ properties
│ │ ├ ActionType: (documentation changed)
│ │ ├ Properties: (documentation changed)
│ │ └ Resource: (documentation changed)
│ ├[~] type M2NonManagedApplicationAction
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the AWS Mainframe Modernization non-managed application action.
│ │ └ properties
│ │ ├ ActionType: (documentation changed)
│ │ └ Resource: (documentation changed)
│ ├[~] type MainframeAction
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the mainframe action.
│ │ └ properties
│ │ ├ ActionType: (documentation changed)
│ │ ├ Properties: (documentation changed)
│ │ └ Resource: (documentation changed)
│ ├[~] type MainframeActionProperties
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the mainframe action properties.
│ │ └ properties
│ │ └ DmsTaskArn: (documentation changed)
│ ├[~] type MainframeActionType
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the mainframe action type.
│ │ └ properties
│ │ ├ Batch: (documentation changed)
│ │ └ Tn3270: (documentation changed)
│ ├[~] type Output
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies an output.
│ │ └ properties
│ │ └ File: (documentation changed)
│ ├[~] type OutputFile
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies an output file.
│ │ └ properties
│ │ └ FileLocation: (documentation changed)
│ ├[~] type ResourceAction
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies a resource action.
│ │ └ properties
│ │ ├ CloudFormationAction: (documentation changed)
│ │ ├ M2ManagedApplicationAction: (documentation changed)
│ │ └ M2NonManagedApplicationAction: (documentation changed)
│ ├[~] type Script
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the script.
│ │ └ properties
│ │ ├ ScriptLocation: (documentation changed)
│ │ └ Type: (documentation changed)
│ ├[~] type SourceDatabaseMetadata
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the source database metadata.
│ │ └ properties
│ │ ├ CaptureTool: (documentation changed)
│ │ └ Type: (documentation changed)
│ ├[~] type Step
│ │ ├ - documentation: undefined
│ │ │ + documentation: Defines a step.
│ │ └ properties
│ │ ├ Action: (documentation changed)
│ │ ├ Description: (documentation changed)
│ │ └ Name: (documentation changed)
│ ├[~] type StepAction
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies a step action.
│ │ └ properties
│ │ ├ CompareAction: (documentation changed)
│ │ ├ MainframeAction: (documentation changed)
│ │ └ ResourceAction: (documentation changed)
│ ├[~] type TargetDatabaseMetadata
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies a target database metadata.
│ │ └ properties
│ │ ├ CaptureTool: (documentation changed)
│ │ └ Type: (documentation changed)
│ ├[~] type TestCaseLatestVersion
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the latest version of a test case.
│ │ └ properties
│ │ ├ Status: (documentation changed)
│ │ └ Version: (documentation changed)
│ └[~] type TN3270
│ ├ - documentation: undefined
│ │ + documentation: Specifies the TN3270 protocol.
│ └ properties
│ ├ ExportDataSetNames: (documentation changed)
│ └ Script: (documentation changed)
├[~] service aws-backup
│ └ resources
│ ├[~] resource AWS::Backup::BackupVault
│ │ └ properties
│ │ └ BackupVaultName: (documentation changed)
│ └[~] resource AWS::Backup::RestoreTestingSelection
│ └ types
│ └[~] type ProtectedResourceConditions
│ └ - documentation: The conditions that you define for resources in your restore testing plan using tags.
│ For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive.
│ + documentation: The conditions that you define for resources in your restore testing plan using tags.
├[~] service aws-bedrock
│ └ resources
│ └[~] resource AWS::Bedrock::Agent
│ ├ properties
│ │ └[+] GuardrailConfiguration: GuardrailConfiguration
│ └ types
│ └[+] type GuardrailConfiguration
│ ├ documentation: Configuration information for a guardrail that you use with the `Converse` action.
│ │ name: GuardrailConfiguration
│ └ properties
│ ├GuardrailIdentifier: string
│ └GuardrailVersion: string
├[~] service aws-cloudtrail
│ └ resources
│ └[~] resource AWS::CloudTrail::Trail
│ ├ properties
│ │ ├ CloudWatchLogsLogGroupArn: (documentation changed)
│ │ └ CloudWatchLogsRoleArn: (documentation changed)
│ └ types
│ └[~] type DataResource
│ ├ - documentation: Data events provide information about the resource operations performed on or within a resource itself. These are also known as data plane operations. You can specify up to 250 data resources for a trail.
│ │ Configure the `DataResource` to specify the resource type and resource ARNs for which you want to log data events.
│ │ You can specify the following resource types in your event selectors for your trail:
│ │ - `AWS::DynamoDB::Table`
│ │ - `AWS::Lambda::Function`
│ │ - `AWS::S3::Object`
│ │ > The total number of allowed data resources is 250. This number can be distributed between 1 and 5 event selectors, but the total cannot exceed 250 across all selectors for the trail.
│ │ >
│ │ > If you are using advanced event selectors, the maximum total number of values for all conditions, across all advanced event selectors for the trail, is 500.
│ │ The following example demonstrates how logging works when you configure logging of all data events for an S3 bucket named `bucket-1` . In this example, the CloudTrail user specified an empty prefix, and the option to log both `Read` and `Write` data events.
│ │ - A user uploads an image file to `bucket-1` .
│ │ - The `PutObject` API operation is an Amazon S3 object-level API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified an S3 bucket with an empty prefix, events that occur on any object in that bucket are logged. The trail processes and logs the event.
│ │ - A user uploads an object to an Amazon S3 bucket named `arn:aws:s3:::bucket-2` .
│ │ - The `PutObject` API operation occurred for an object in an S3 bucket that the CloudTrail user didn't specify for the trail. The trail doesn’t log the event.
│ │ The following example demonstrates how logging works when you configure logging of AWS Lambda data events for a Lambda function named *MyLambdaFunction* , but not for all Lambda functions.
│ │ - A user runs a script that includes a call to the *MyLambdaFunction* function and the *MyOtherLambdaFunction* function.
│ │ - The `Invoke` API operation on *MyLambdaFunction* is an Lambda API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified logging data events for *MyLambdaFunction* , any invocations of that function are logged. The trail processes and logs the event.
│ │ - The `Invoke` API operation on *MyOtherLambdaFunction* is an Lambda API. Because the CloudTrail user did not specify logging data events for all Lambda functions, the `Invoke` operation for *MyOtherLambdaFunction* does not match the function specified for the trail. The trail doesn’t log the event.
│ │ + documentation: Data events provide information about the resource operations performed on or within a resource itself. These are also known as data plane operations. You can specify up to 250 data resources for a trail.
│ │ Configure the `DataResource` to specify the resource type and resource ARNs for which you want to log data events.
│ │ You can specify the following resource types in your event selectors for your trail:
│ │ - `AWS::DynamoDB::Table`
│ │ - `AWS::Lambda::Function`
│ │ - `AWS::S3::Object`
│ │ > The total number of allowed data resources is 250. This number can be distributed between 1 and 5 event selectors, but the total cannot exceed 250 across all selectors for the trail.
│ │ >
│ │ > If you are using advanced event selectors, the maximum total number of values for all conditions, across all advanced event selectors for the trail, is 500.
│ │ The following example demonstrates how logging works when you configure logging of all data events for an S3 bucket named `DOC-EXAMPLE-BUCKET1` . In this example, the CloudTrail user specified an empty prefix, and the option to log both `Read` and `Write` data events.
│ │ - A user uploads an image file to `DOC-EXAMPLE-BUCKET1` .
│ │ - The `PutObject` API operation is an Amazon S3 object-level API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified an S3 bucket with an empty prefix, events that occur on any object in that bucket are logged. The trail processes and logs the event.
│ │ - A user uploads an object to an Amazon S3 bucket named `arn:aws:s3:::DOC-EXAMPLE-BUCKET1` .
│ │ - The `PutObject` API operation occurred for an object in an S3 bucket that the CloudTrail user didn't specify for the trail. The trail doesn’t log the event.
│ │ The following example demonstrates how logging works when you configure logging of AWS Lambda data events for a Lambda function named *MyLambdaFunction* , but not for all Lambda functions.
│ │ - A user runs a script that includes a call to the *MyLambdaFunction* function and the *MyOtherLambdaFunction* function.
│ │ - The `Invoke` API operation on *MyLambdaFunction* is an Lambda API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified logging data events for *MyLambdaFunction* , any invocations of that function are logged. The trail processes and logs the event.
│ │ - The `Invoke` API operation on *MyOtherLambdaFunction* is an Lambda API. Because the CloudTrail user did not specify logging data events for all Lambda functions, the `Invoke` operation for *MyOtherLambdaFunction* does not match the function specified for the trail. The trail doesn’t log the event.
│ └ properties
│ └ Values: (documentation changed)
├[~] service aws-codeartifact
│ └ resources
│ ├[~] resource AWS::CodeArtifact::Domain
│ │ └ properties
│ │ └ EncryptionKey: (documentation changed)
│ └[~] resource AWS::CodeArtifact::Repository
│ └ properties
│ └ DomainOwner: (documentation changed)
├[~] service aws-codebuild
│ └ resources
│ └[~] resource AWS::CodeBuild::Project
│ └ types
│ ├[~] type ProjectTriggers
│ │ └ properties
│ │ └[+] ScopeConfiguration: ScopeConfiguration
│ ├[+] type ScopeConfiguration
│ │ ├ name: ScopeConfiguration
│ │ └ properties
│ │ └Name: string (required)
│ └[~] type WebhookFilter
│ └ properties
│ └ Type: (documentation changed)
├[~] service aws-cognito
│ └ resources
│ ├[~] resource AWS::Cognito::UserPoolClient
│ │ └ properties
│ │ └ DefaultRedirectURI: (documentation changed)
│ └[~] resource AWS::Cognito::UserPoolResourceServer
│ └ attributes
│ └[-] Id: string
├[~] service aws-datasync
│ └ resources
│ └[~] resource AWS::DataSync::Agent
│ └ properties
│ ├ ActivationKey: (documentation changed)
│ ├ AgentName: (documentation changed)
│ └ SubnetArns: (documentation changed)
├[~] service aws-deadline
│ └ resources
│ └[~] resource AWS::Deadline::Monitor
│ └ attributes
│ └ Arn: (documentation changed)
├[~] service aws-dms
│ └ resources
│ └[~] resource AWS::DMS::ReplicationConfig
│ └ attributes
│ └ ReplicationConfigArn: (documentation changed)
├[~] service aws-ec2
│ └ resources
│ ├[~] resource AWS::EC2::EC2Fleet
│ │ ├ - documentation: Specifies the configuration information to launch a fleet--or group--of instances. An EC2 Fleet can launch multiple instance types across multiple Availability Zones, using the On-Demand Instance, Reserved Instance, and Spot Instance purchasing models together. Using EC2 Fleet, you can define separate On-Demand and Spot capacity targets, specify the instance types that work best for your applications, and specify how Amazon EC2 should distribute your fleet capacity within each purchasing model. For more information, see [Launching an EC2 Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html) in the *Amazon EC2 User Guide for Linux Instances* .
│ │ │ + documentation: Specifies the configuration information to launch a fleet--or group--of instances. An EC2 Fleet can launch multiple instance types across multiple Availability Zones, using the On-Demand Instance, Reserved Instance, and Spot Instance purchasing models together. Using EC2 Fleet, you can define separate On-Demand and Spot capacity targets, specify the instance types that work best for your applications, and specify how Amazon EC2 should distribute your fleet capacity within each purchasing model. For more information, see [Launching an EC2 Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html) in the *Amazon EC2 User Guide* .
│ │ └ types
│ │ └[~] type InstanceRequirementsRequest
│ │ └ properties
│ │ └ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed)
│ ├[~] resource AWS::EC2::Host
│ │ └ - documentation: Allocates a fully dedicated physical server for launching EC2 instances. Because the host is fully dedicated for your use, it can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses. For more information, see [Dedicated Hosts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) in the *Amazon EC2 User Guide for Linux Instances* .
│ │ + documentation: Allocates a fully dedicated physical server for launching EC2 instances. Because the host is fully dedicated for your use, it can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses. For more information, see [Dedicated Hosts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) in the *Amazon EC2 User Guide* .
│ ├[~] resource AWS::EC2::Instance
│ │ └ types
│ │ └[~] type ElasticGpuSpecification
│ │ └ - documentation: > Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.
│ │ Specifies the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon EC2 instance to accelerate the graphics performance of your applications. For more information, see [Amazon EC2 Elastic GPUs](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html) in the *Amazon EC2 User Guide for Windows Instances* .
│ │ `ElasticGpuSpecification` is a property of the [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource.
│ │ + documentation: > Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.
│ │ Specifies the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon EC2 instance to accelerate the graphics performance of your applications.
│ │ `ElasticGpuSpecification` is a property of the [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource.
│ ├[~] resource AWS::EC2::InstanceConnectEndpoint
│ │ └ properties
│ │ └ PreserveClientIp: (documentation changed)
│ ├[~] resource AWS::EC2::LaunchTemplate
│ │ └ types
│ │ ├[~] type InstanceRequirements
│ │ │ └ properties
│ │ │ └ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed)
│ │ └[~] type LaunchTemplateData
│ │ └ properties
│ │ └ UserData: (documentation changed)
│ ├[~] resource AWS::EC2::SecurityGroup
│ │ └ attributes
│ │ ├ GroupId: (documentation changed)
│ │ └ VpcId: (documentation changed)
│ └[~] resource AWS::EC2::SpotFleet
│ └ types
│ ├[~] type InstanceRequirementsRequest
│ │ └ properties
│ │ └ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed)
│ └[~] type SpotFleetRequestConfigData
│ └ properties
│ └ IamFleetRole: (documentation changed)
├[~] service aws-ecs
│ └ resources
│ ├[~] resource AWS::ECS::Service
│ │ └ types
│ │ ├[~] type LogConfiguration
│ │ │ ├ - documentation: The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .
│ │ │ │ By default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.
│ │ │ │ Understand the following when specifying a log configuration for your containers.
│ │ │ │ - Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent.
│ │ │ │ For tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .
│ │ │ │ For tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .
│ │ │ │ - This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.
│ │ │ │ - For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .
│ │ │ │ - For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.
│ │ │ │ + documentation: The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .
│ │ │ │ By default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.
│ │ │ │ Understand the following when specifying a log configuration for your containers.
│ │ │ │ - Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent.
│ │ │ │ For tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .
│ │ │ │ For tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `syslog` , `splunk` , and `awsfirelens` .
│ │ │ │ - This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.
│ │ │ │ - For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .
│ │ │ │ - For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.
│ │ │ └ properties
│ │ │ └ LogDriver: (documentation changed)
│ │ └[~] type ServiceConnectConfiguration
│ │ └ properties
│ │ └ LogConfiguration: (documentation changed)
│ └[~] resource AWS::ECS::TaskDefinition
│ ├ properties
│ │ ├ ExecutionRoleArn: (documentation changed)
│ │ └ TaskRoleArn: (documentation changed)
│ └ types
│ ├[~] type ContainerDefinition
│ │ └ properties
│ │ └ Cpu: (documentation changed)
│ ├[~] type LogConfiguration
│ │ └ properties
│ │ └ LogDriver: (documentation changed)
│ └[~] type Ulimit
│ └ - documentation: The `ulimit` settings to pass to the container.
│ Amazon ECS tasks hosted on AWS Fargate use the default resource limit values set by the operating system with the exception of the `nofile` resource limit parameter which AWS Fargate overrides. The `nofile` resource limit sets a restriction on the number of open files that a container can use. The default `nofile` soft limit is `1024` and the default hard limit is `65535` .
│ You can specify the `ulimit` settings for a container in a task definition.
│ + documentation: The `ulimit` settings to pass to the container.
│ Amazon ECS tasks hosted on AWS Fargate use the default resource limit values set by the operating system with the exception of the `nofile` resource limit parameter which AWS Fargate overrides. The `nofile` resource limit sets a restriction on the number of open files that a container can use. The default `nofile` soft limit is `65535` and the default hard limit is `65535` .
│ You can specify the `ulimit` settings for a container in a task definition.
├[~] service aws-eks
│ └ resources
│ └[~] resource AWS::EKS::Cluster
│ └ properties
│ └[+] BootstrapSelfManagedAddons: boolean (immutable)
├[~] service aws-elasticache
│ └ resources
│ ├[~] resource AWS::ElastiCache::ReplicationGroup
│ │ └ properties
│ │ └ ReplicationGroupId: (documentation changed)
│ ├[~] resource AWS::ElastiCache::ServerlessCache
│ │ └ properties
│ │ ├ DailySnapshotTime: (documentation changed)
│ │ └ SnapshotRetentionLimit: (documentation changed)
│ ├[~] resource AWS::ElastiCache::User
│ │ └ properties
│ │ └ Tags: (documentation changed)
│ └[~] resource AWS::ElastiCache::UserGroup
│ └ properties
│ └ Tags: (documentation changed)
├[~] service aws-emrserverless
│ └ resources
│ └[~] resource AWS::EMRServerless::Application
│ └ types
│ └[~] type WorkerConfiguration
│ └ properties
│ └[+] DiskType: string
├[~] service aws-gamelift
│ └ resources
│ ├[~] resource AWS::GameLift::Build
│ │ └ properties
│ │ └ OperatingSystem: (documentation changed)
│ └[~] resource AWS::GameLift::ContainerGroupDefinition
│ └ properties
│ └ OperatingSystem: (documentation changed)
├[~] service aws-glue
│ └ resources
│ ├[~] resource AWS::Glue::Connection
│ │ └ types
│ │ ├[~] type ConnectionInput
│ │ │ └ properties
│ │ │ ├ ConnectionType: (documentation changed)
│ │ │ ├ Name: (documentation changed)
│ │ │ └ PhysicalConnectionRequirements: (documentation changed)
│ │ └[~] type PhysicalConnectionRequirements
│ │ ├ - documentation: Specifies the physical requirements for a connection.
│ │ │ + documentation: The OAuth client app in GetConnection response.
│ │ └ properties
│ │ └ AvailabilityZone: (documentation changed)
│ └[~] resource AWS::Glue::Job
│ └ properties
│ └ MaintenanceWindow: (documentation changed)
├[~] service aws-grafana
│ └ resources
│ └[~] resource AWS::Grafana::Workspace
│ └ properties
│ ├ AuthenticationProviders: (documentation changed)
│ └ NotificationDestinations: (documentation changed)
├[~] service aws-guardduty
│ └ resources
│ ├[~] resource AWS::GuardDuty::Detector
│ │ ├ attributes
│ │ │ └ Id: (documentation changed)
│ │ └ types
│ │ ├[~] type CFNFeatureConfiguration
│ │ │ └ properties
│ │ │ └ Name: (documentation changed)
│ │ └[~] type TagItem
│ │ └ properties
│ │ ├ Key: (documentation changed)
│ │ └ Value: (documentation changed)
│ ├[~] resource AWS::GuardDuty::Filter
│ │ ├ properties
│ │ │ ├ DetectorId: - string (immutable)
│ │ │ │ + string (required, immutable)
│ │ │ └ Name: - string (immutable)
│ │ │ + string (required, immutable)
│ │ └ types
│ │ ├[~] type FindingCriteria
│ │ │ └ properties
│ │ │ └ Criterion: (documentation changed)
│ │ └[~] type TagItem
│ │ ├ - documentation: undefined
│ │ │ + documentation: Describes a tag.
│ │ └ properties
│ │ ├ Key: (documentation changed)
│ │ └ Value: (documentation changed)
│ ├[~] resource AWS::GuardDuty::IPSet
│ │ └ types
│ │ └[~] type TagItem
│ │ ├ - documentation: undefined
│ │ │ + documentation: Contains information about a tag.
│ │ └ properties
│ │ ├ Key: (documentation changed)
│ │ └ Value: (documentation changed)
│ ├[~] resource AWS::GuardDuty::MalwareProtectionPlan
│ │ ├ - documentation: Resource Type definition for AWS::GuardDuty::MalwareProtectionPlan
│ │ │ + documentation: Creates a new Malware Protection plan for the protected resource.
│ │ │ When you create a Malware Protection plan, the [AWS service terms for GuardDuty Malware Protection](https://docs.aws.amazon.com/service-terms/#87._Amazon_GuardDuty) will apply.
│ │ ├ properties
│ │ │ ├ Actions: (documentation changed)
│ │ │ ├ ProtectedResource: (documentation changed)
│ │ │ ├ Role: (documentation changed)
│ │ │ └ Tags: (documentation changed)
│ │ ├ attributes
│ │ │ ├ Arn: (documentation changed)
│ │ │ ├ MalwareProtectionPlanId: (documentation changed)
│ │ │ ├ Status: (documentation changed)
│ │ │ └ StatusReasons: (documentation changed)
│ │ └ types
│ │ ├[~] type CFNActions
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Specifies the action that is to be applied to the Malware Protection plan resource.
│ │ │ └ properties
│ │ │ └ Tagging: (documentation changed)
│ │ ├[~] type CFNProtectedResource
│ │ │ └ - documentation: undefined
│ │ │ + documentation: Information about the protected resource. Presently, `S3Bucket` is the only supported protected resource.
│ │ ├[~] type CFNStatusReasons
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Information about the status code and status details associated with the status of the Malware Protection plan.
│ │ │ └ properties
│ │ │ ├ Code: (documentation changed)
│ │ │ └ Message: (documentation changed)
│ │ ├[~] type CFNTagging
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Contains information about tagging status of the Malware Protection plan resource.
│ │ │ └ properties
│ │ │ └ Status: (documentation changed)
│ │ ├[~] type S3Bucket
│ │ │ └ properties
│ │ │ └ ObjectPrefixes: (documentation changed)
│ │ └[~] type TagItem
│ │ ├ - documentation: undefined
│ │ │ + documentation: Contains information about a tag.
│ │ └ properties
│ │ ├ Key: (documentation changed)
│ │ └ Value: (documentation changed)
│ ├[~] resource AWS::GuardDuty::Master
│ │ └ properties
│ │ └ InvitationId: (documentation changed)
│ └[~] resource AWS::GuardDuty::ThreatIntelSet
│ ├ - documentation: The `AWS::GuardDuty::ThreatIntelSet` resource specifies a new `ThreatIntelSet` . A `ThreatIntelSet` consists of known malicious IP addresses. GuardDuty generates findings based on the `ThreatIntelSet` when it is activated.
│ │ + documentation: The `AWS::GuardDuty::ThreatIntelSet` resource specifies a new `ThreatIntelSet` . A `ThreatIntelSet` consists of known malicious IP addresses. GuardDuty generates findings based on the `ThreatIntelSet` after it is activated.
│ ├ attributes
│ │ └ Id: (documentation changed)
│ └ types
│ └[~] type TagItem
│ ├ - documentation: undefined
│ │ + documentation: Contains information about a tag.
│ └ properties
│ ├ Key: (documentation changed)
│ └ Value: (documentation changed)
├[~] service aws-kinesisanalyticsv2
│ └ resources
│ └[~] resource AWS::KinesisAnalyticsV2::Application
│ └ types
│ ├[~] type ApplicationConfiguration
│ │ └ properties
│ │ └[+] ApplicationSystemRollbackConfiguration: ApplicationSystemRollbackConfiguration
│ └[+] type ApplicationSystemRollbackConfiguration
│ ├ documentation: Describes whether system initiated rollbacks are enabled for a Flink-based Kinesis Data Analytics application.
│ │ name: ApplicationSystemRollbackConfiguration
│ └ properties
│ └RollbackEnabled: boolean (required)
├[~] service aws-kinesisfirehose
│ └ resources
│ └[~] resource AWS::KinesisFirehose::DeliveryStream
│ └ types
│ ├[~] type HttpEndpointDestinationConfiguration
│ │ └ properties
│ │ └ SecretsManagerConfiguration: (documentation changed)
│ ├[~] type RedshiftDestinationConfiguration
│ │ └ properties
│ │ └ SecretsManagerConfiguration: (documentation changed)
│ ├[~] type SecretsManagerConfiguration
│ │ ├ - documentation: undefined
│ │ │ + documentation: The structure that defines how Firehose accesses the secret.
│ │ └ properties
│ │ ├ Enabled: (documentation changed)
│ │ ├ RoleARN: (documentation changed)
│ │ └ SecretARN: (documentation changed)
│ ├[~] type SnowflakeDestinationConfiguration
│ │ └ properties
│ │ └ SecretsManagerConfiguration: (documentation changed)
│ └[~] type SplunkDestinationConfiguration
│ └ properties
│ └ SecretsManagerConfiguration: (documentation changed)
├[~] service aws-kms
│ └ resources
│ └[~] resource AWS::KMS::Key
│ └ properties
│ ├ KeySpec: (documentation changed)
│ └ KeyUsage: (documentation changed)
├[~] service aws-networkmanager
│ └ resources
│ ├[~] resource AWS::NetworkManager::ConnectAttachment
│ │ └ properties
│ │ └ Tags: (documentation changed)
│ ├[~] resource AWS::NetworkManager::CoreNetwork
│ │ └ attributes
│ │ └ OwnerAccount: (documentation changed)
│ └[~] resource AWS::NetworkManager::SiteToSiteVpnAttachment
│ └ properties
│ └ Tags: (documentation changed)
├[~] service aws-omics
│ └ resources
│ └[~] resource AWS::Omics::RunGroup
│ └ - documentation: Creates a run group.
│ + documentation: You can optionally create a run group to limit the compute resources for the runs that you add to the group.
├[~] service aws-opsworkscm
│ └ resources
│ └[~] resource AWS::OpsWorksCM::Server
│ └ properties
│ └ ServerName: (documentation changed)
├[~] service aws-rds
│ └ resources
│ ├[~] resource AWS::RDS::DBCluster
│ │ └ properties
│ │ ├[+] EnableLocalWriteForwarding: boolean
│ │ └[+] EngineLifecycleSupport: string
│ ├[~] resource AWS::RDS::DBInstance
│ │ └ properties
│ │ └[+] EngineLifecycleSupport: string
│ └[~] resource AWS::RDS::GlobalCluster
│ └ properties
│ └[+] EngineLifecycleSupport: string
├[~] service aws-redshift
│ └ resources
│ ├[~] resource AWS::Redshift::Cluster
│ │ └ properties
│ │ ├ NodeType: (documentation changed)
│ │ └ Port: (documentation changed)
│ └[~] resource AWS::Redshift::ScheduledAction
│ └ properties
│ └ TargetAction: (documentation changed)
├[~] service aws-s3
│ └ resources
│ └[~] resource AWS::S3::Bucket
│ └ types
│ ├[~] type EncryptionConfiguration
│ │ └ - documentation: Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects.
│ │ + documentation: Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects.
│ │ > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
│ ├[~] type PartitionedPrefix
│ │ └ properties
│ │ └ PartitionDateSource: (documentation changed)
│ ├[~] type ServerSideEncryptionByDefault
│ │ └ - documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see [PUT Bucket encryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference* .
│ │ + documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see [PUT Bucket encryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference* .
│ │ > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
│ └[~] type ServerSideEncryptionRule
│ └ - documentation: Specifies the default server-side encryption configuration.
│ + documentation: Specifies the default server-side encryption configuration.
│ > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
├[~] service aws-servicediscovery
│ └ resources
│ └[~] resource AWS::ServiceDiscovery::Instance
│ └ properties
│ └ InstanceId: (documentation changed)
├[~] service aws-ses
│ └ resources
│ └[~] resource AWS::SES::ConfigurationSetEventDestination
│ └ types
│ ├[+] type EventBridgeDestination
│ │ ├ documentation: An object that contains Event bus ARN associated with the event bridge destination.
│ │ │ name: EventBridgeDestination
│ │ └ properties
│ │ └EventBusArn: string (required)
│ └[~] type EventDestination
│ └ properties
│ └[+] EventBridgeDestination: EventBridgeDestination
├[~] service aws-signer
│ └ resources
│ └[~] resource AWS::Signer::SigningProfile
│ └ properties
│ └[+] ProfileName: string (immutable)
├[~] service aws-sqs
│ └ resources
│ └[~] resource AWS::SQS::Queue
│ └ properties
│ └ RedrivePolicy: (documentation changed)
├[~] service aws-ssm
│ └ resources
│ └[~] resource AWS::SSM::ResourceDataSync
│ └ properties
│ └ SyncName: (documentation changed)
├[~] service aws-verifiedpermissions
│ └ resources
│ └[~] resource AWS::VerifiedPermissions::IdentitySource
│ └ types
│ ├[~] type IdentitySourceConfiguration
│ │ └ properties
│ │ ├ CognitoUserPoolConfiguration: - CognitoUserPoolConfiguration (required)
│ │ │ + CognitoUserPoolConfiguration
│ │ └[+] OpenIdConnectConfiguration: OpenIdConnectConfiguration
│ ├[+] type OpenIdConnectAccessTokenConfiguration
│ │ ├ documentation: The configuration of an OpenID Connect (OIDC) identity source for handling access token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept.
│ │ │ This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│ │ │ name: OpenIdConnectAccessTokenConfiguration
│ │ └ properties
│ │ ├PrincipalIdClaim: string (default="sub")
│ │ └Audiences: Array<string>
│ ├[+] type OpenIdConnectConfiguration
│ │ ├ documentation: Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details.
│ │ │ This data type is part of a [Configuration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html) structure, which is a parameter to [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│ │ │ name: OpenIdConnectConfiguration
│ │ └ properties
│ │ ├Issuer: string (required)
│ │ ├EntityIdPrefix: string
│ │ ├GroupConfiguration: OpenIdConnectGroupConfiguration
│ │ └TokenSelection: OpenIdConnectTokenSelection (required)
│ ├[+] type OpenIdConnectGroupConfiguration
│ │ ├ documentation: The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a `groups` claim to `MyCorp::UserGroup` .
│ │ │ This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│ │ │ name: OpenIdConnectGroupConfiguration
│ │ └ properties
│ │ ├GroupClaim: string (required)
│ │ └GroupEntityType: string (required)
│ ├[+] type OpenIdConnectIdentityTokenConfiguration
│ │ ├ documentation: The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept.
│ │ │ This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│ │ │ name: OpenIdConnectIdentityTokenConfiguration
│ │ └ properties
│ │ ├PrincipalIdClaim: string (default="sub")
│ │ └ClientIds: Array<string>
│ └[+] type OpenIdConnectTokenSelection
│ ├ documentation: The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
│ │ This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│ │ name: OpenIdConnectTokenSelection
│ └ properties
│ ├AccessTokenOnly: OpenIdConnectAccessTokenConfiguration
│ └IdentityTokenOnly: OpenIdConnectIdentityTokenConfiguration
├[~] service aws-workspaces
│ └ resources
│ └[+] resource AWS::WorkSpaces::WorkspacesPool
│ ├ name: WorkspacesPool
│ │ cloudFormationType: AWS::WorkSpaces::WorkspacesPool
│ │ documentation: Resource Type definition for AWS::WorkSpaces::WorkspacesPool
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├Capacity: Capacity (required)
│ │ ├PoolName: string (required, immutable)
│ │ ├Description: string
│ │ ├BundleId: string (required)
│ │ ├DirectoryId: string (required)
│ │ ├ApplicationSettings: ApplicationSettings
│ │ ├TimeoutSettings: TimeoutSettings
│ │ └Tags: Array<tag>
│ ├ attributes
│ │ ├PoolId: string
│ │ ├PoolArn: string
│ │ └CreatedAt: string
│ └ types
│ ├type Capacity
│ │├ name: Capacity
│ │└ properties
│ │ └DesiredUserSessions: integer (required)
│ ├type ApplicationSettings
│ │├ name: ApplicationSettings
│ │└ properties
│ │ ├Status: string (required)
│ │ └SettingsGroup: string
│ └type TimeoutSettings
│ ├ name: TimeoutSettings
│ └ properties
│ ├DisconnectTimeoutInSeconds: integer
│ ├IdleDisconnectTimeoutInSeconds: integer
│ └MaxUserDurationInSeconds: integer
└[~] service aws-workspacesweb
└ resources
└[~] resource AWS::WorkSpacesWeb::IpAccessSettings
└ properties
└ Tags: (documentation changed)
```- Loading branch information
1 parent
9a5d4f0
commit 4ceeced