fix(ecs): empty placement constraints not allowed #28431

The readme for apigatewayv2 is currently [removed](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2-readme.html), and this PR gets it back. I got the original README.md from this commit (just before it got removed): https://github.com/aws/aws-cdk/blob/187f67b3430dca7ea96a94c66b18694bce213f03/packages/%40aws-cdk/aws-apigatewayv2-alpha/README.md I confirmed other two modules (integration and authorizers) have correct READMEs already. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adding CDK GC to the roadmap. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Description The following issue describes a bug where the IAM Policy is not correctly set to the calling Lambda when using `invokeFunction` and `waitForAssertions`. Normally, when the `waitForAssertions` method is invoked, the necessary Policy is granted to the `waiterProvider` using the `adPolicyStatementFromSdkCall` method. https://github.com/aws/aws-cdk/blob/52a5579aa52c88bb289a7a9677c35385763c8fff/packages/%40aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts#L136 In the case of a Lambda function call, the API name and the Action name of the Policy are different (invoke => invokeFunction), so the `addPolicyStatementFromSdkCall` method cannot grant the correct Policy. The `LambdaInvokeFunction` is doing the correct Policy assignment to deal with this in the constructor. https://github.com/aws/aws-cdk/blob/52a5579aa52c88bb289a7a9677c35385763c8fff/packages/%40aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts#L247 However, this is not done for the `waiterProvider`, resulting in an access denied error. This PR has been modified so that the correct Policy is granted to `waiterProvider`. fixes aws#27865 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This adds support for creating `AWS::EC2::KeyPair` resources. These are added as a property to `Instance`, `LaunchTemplate`, and `NatInstance` and the older `keyName` prop is deprecated in favor of the new `keyPair: IKeyPair` property. A getter is added to retrieve the SSM parameter that hold the private key for non-imported keys and checks are added to make sure that ED25519 keys are not used with a Windows instance. Closes aws#5252. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… in CompleteHandler (aws#27310) This PR fixes the case that `StateMachine` generated for `CompleteHandler` in `Provider` cannot set logging. Closes aws#27283. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adding EKSv2 L2 construct to the roadmap. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR supports `tagPatternList` for the lifecycle policy. According to the doc, the lifecycle policy has following evaluation rules: > A lifecycle policy rule may specify either tagPatternList or tagPrefixList, but not both. > The tagPatternList or tagPrefixList parameters may only used if the tagStatus is tagged. > There is a maximum limit of four wildcards (\*) per string. For example, ["\*test\*1\*2\*3", "test\*1\*2\*3\*"] is valid but ["test\*1\*2\*3\*4\*5\*6"] is invalid. https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lp_tag_pattern_list ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The current wording made it hard for beginners to understand what the PRs actually do. This should improve discoverability of L1 changes. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Co-authored-by: Sumu Pitchayan <35242245+sumupitchayan@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

… create correct iam policy (aws#28379) In the case for a hosted rotation with a master secret by `fromSecretNameV2()`, IAM policy for lambda is not correct. The secret by the method has a partial ARN, so a generated IAM policy should use an ARN with `'-??????'`, but it will not use the ARN. Closes aws#28308. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…Specification (aws#27791) This PR supports OnDemandSpecification in instance fleets for EMR createCluster. Closes aws#27761. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… in excessively long IAM policy names (aws#27548) When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`. Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification. I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods. Closes aws#27409 , aws#24441 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Recently Amazon SNS supports configuring delivery status logging with AWS CloudFormation. https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-sns-configuring-delivery-status-logging-aws-cloudformation/?nc1=h_ls This is also configurable via L1 CfnTopic construct. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.CfnTopic.html This PR introduces the feature to add delivery status logging configuration via L2 Topic construct. Closes aws#21971 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ws#28165) (aws#28285) This PR fixes the bug where imported SQS queue cannot be used as Rule DeadLetterQueue, since fromQueueArn can resolve region and account from v2.109.0 Closes aws#28165 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR changes to add the `waiterProvider` property to an `IApiCall` for `awsApiCall` in integ-tests-alpha. By default `awsApiCall` in integ tests, the AwsApiCall construct will automatically add the correct IAM policies to allow the Lambda function to make the API call. It does this based on the service and api that is provided. In the following example the service is SQS and the api is receiveMessage so it will create a policy with Action: 'sqs:ReceiveMessage'. ```ts const integ = new IntegTest(app, 'Integ', { testCases: [stack], }); integ.assertions.awsApiCall('SQS', 'receiveMessage', { QueueUrl: 'url', }); ``` There are some cases where the permissions do not exactly match the service/api call, for example the S3 listObjectsV2 api. In these cases it is possible to add the correct policy by accessing the `provider` object. ```ts const apiCall = integ.assertions.awsApiCall('S3', 'listObjectsV2', { Bucket: 'mybucket', }); apiCall.provider.addToRolePolicy({ Effect: 'Allow', Action: ['s3:GetObject', 's3:ListBucket'], Resource: ['*'], }); ``` On the other hand, there is the case to use `waitForAssertions` when using `awsApiCall` in integ tests. This causes `apiCall` to have a `waiterProvider` property in addition to `provider`. ```ts const apiCall = integ.assertions.awsApiCall('S3', 'listObjectsV2', { Bucket: 'mybucket', }).expect(ExpectedResult.objectLike({ KeyCount: 1, })).waitForAssertions({ interval: cdk.Duration.seconds(30), totalTimeout: cdk.Duration.minutes(10), }); ``` In the case, `waiterProvider` actually calls to the service/api, so it should have the proper policies. However a type of a return value of `apiCall` is `IApiCall` interface so that the interface has a `provider` property, `waiterProvider` is not in `IApiCall` but in `AwsApiCall`. Then it cannot take the policies without casting the following. (`apiCall instanceof AwsApiCall`) ```ts if (apiCall instanceof AwsApiCall) { apiCall.waiterProvider?.addToRolePolicy({ Effect: 'Allow', Action: ['s3:GetObject', 's3:ListBucket'], Resource: ['*'], }); } ``` So I add `waiterProvider` to `IApiCall`, so that it can take the policies without casting: ```ts // if (apiCall instanceof AwsApiCall) { apiCall.waiterProvider?.addToRolePolicy({ Effect: 'Allow', Action: ['s3:GetObject', 's3:ListBucket'], Resource: ['*'], }); //} ``` In my opinion, I see no negative impact from this. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reverts aws#27844. This change broke the pipeline, pacmak fails with: ``` #STDOUT> /tmp/npm-packu6YRYj/Amazon.CDK.IntegTests.Alpha/Amazon/CDK/IntegTests/Alpha/ApiCallBase.cs(231,77): error CS0115: 'ApiCallBase._Proxy.WaiterProvider': no suitable method found to override [/tmp/npm-packu6YRYj/Amazon.CDK.IntegTests.Alpha/Amazon.CDK.IntegTests.Alpha.csproj] ```

…ist/core/<file>.generated'` (aws#28467) aws#28251 added new files to `aws-cdk-lib/core/lib/dist/core` but this path was excluded from the npm package, causing the above error. This fix includes the generated file into the package. Closes aws#28465 Manually tested with a locally build package that includes the fix. <img width="1449" alt="image" src="https://github.com/aws/aws-cdk/assets/379814/11714c41-edea-403e-9b64-454ba9768c08"> ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…28449) With this change, architecture when bundling is inferred from the target architecture of the Lambda function. Closes aws#18696. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…8055) Closes aws#28051, aws#28209. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…aws#28400) This PR adds the arnForExecuteApi method, previously available only for REST API constructs, to both WebSocket and HTTP API constructs. Closes aws#23301 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…28381) This pull request introduces a new method within the Cluster class, designed to retrieve the Amazon Resource Names (ARNs) of tasks that are part of a given ECS cluster. Example of how to get task ARN ```ts declare cluster: Cluster; // arn:aws:ecs:{region}:{regionId}:task/{clusterName}/* const taskArnPattern = cluster.arnForTasks("*"); ``` Closes aws#26232 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…28466) This Pull Request introduces a new validation feature to the DedicatedIpPoolProps. It ensures that the dedicatedIpPoolName adheres to the specified naming conventions, enhancing data integrity and preventing runtime errors due to invalid names. Closes aws#28451 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rget utilization (aws#28315) Added an optional parameter that defaults to false over the CPU-based scaling policy that conflicts with the queue visible message-based policy. When disabled this will stop the race condition issue mentioned in aws#20706 by only allowing the scaling of the number of messages on the queue similar to the SQS-Lambda pattern. Note: If this parameter is enabled then this bug will crop up again and the user has to handle the container termination manually. Updated integration tests and unit tests are working. Closes aws#20706 . ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ws#28092) This PR supports for configuring AutoScalingGroup's instance maintenance policy. - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-autoscaling-autoscalinggroup-instancemaintenancepolicy.html - https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-instance-maintenance-policy.html - https://docs.aws.amazon.com/autoscaling/ec2/userguide/instance-maintenance-policy-overview-and-considerations.html Closes aws#28042. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

CodeBuild has added support for Lambda compute. CloudFormation can be deployed as follows. ```yaml Resources: CodeBuildProject: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: NO_ARTIFACTS ServiceRole: !GetAtt CodeBuildRole.Arn Source: # Environment: Type: LINUX_LAMBDA_CONTAINER ComputeType: BUILD_LAMBDA_1GB Image: aws/codebuild/amazonlinux-x86_64-lambda-standard:go1.21 CodeBuildRole: Type: AWS::IAM::Role Properties: # ``` https://aws.amazon.com/about-aws/whats-new/2023/11/aws-codebuild-lambda-compute This PR implements Lambda ComputeType by adding Classes (`LinuxArmLambdaBuildImage`, `LinuxLambdaBuildImage`) that extend the IBuildImage interface. Supported Docker Images and ComputeTypes are listed below. https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html#environment.types Also, Lambda compute has some limitations and I have added validation for them. https://docs.aws.amazon.com/codebuild/latest/userguide/lambda.html#lambda.limitations closes aws#28418 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

If the stack is not in a healthy state, we should not allow cdk migrate to be run on it. Closes #<issue number here>. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

adding support of trn1 instance type they were introduced [here](https://aws.amazon.com/ec2/instance-types/trn1/) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…8479) This Pull Request introduces a set of new FIPS-compliant SSL policies for the Application Load Balancer (ALB) in AWS Elastic Load Balancing (ELB). These policies enhance the security of ALB by providing options that are compliant with the Federal Information Processing Standards (FIPS). Closes aws#28455 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rgate service (aws#28463) 1. Fixed the docker image to use Python 3.11 to stop the python3.6 out of date warning/error 2. Fixed the lambda container's entry point handler, causing the integration tests to go into an infinite loop. 3. Fixed/changed the public integration test to a health check test as the queue processing fargate service doesn't have a public-facing feature. Closes aws#28383. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Closes aws#27916. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… PIP urls, causing an unnecessary rebuild (aws#27903) Update the bundler hash logic to ignore the secret token that is included in the URL when fetching packages from Code Artifact. This token changes constantly, and prevents the results of a previous build from being reused, along with causing lambdas to be unnecessarily redeployed anytime the CDK is built, even if no code is changed. This implementation strips the token from the hash, but does not change anything else about the hash. Open question Currently this logic will error if an invalid URL string is passed for PIP_INDEX_URL or PIP_EXTRA_INDEX_URL. The build would fail later anyway when those URLs are being used, but I'm happy to try/catch this logic block to be more robust if that is preferred. Closes aws#27331. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adds support for dual-stack NetworkLoadBalancer via the [`ipAddressType`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-loadbalancer.html#cfn-elasticloadbalancingv2-loadbalancer-ipaddresstype) property. Example: ``` const lb = new elbv2.NetworkLoadBalancer(this, 'LB', { vpc, internetFacing: true ipAddressType: elbv2.IpAddressType.DUAL_STACK, }); ``` Also, added validation to enforce that UDP or TCP_UDP listeners cannot be added to a dualstack NLB. Closes aws#27538. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-appstream │ └ resources │ └[~] resource AWS::AppStream::Stack │ └ types │ └[~] type UserSetting │ └ properties │ └ MaximumLength: (documentation changed) ├[~] service aws-appsync │ └ resources │ └[~] resource AWS::AppSync::GraphQLApi │ ├ properties │ │ ├[+] IntrospectionConfig: string │ │ ├[+] QueryDepthLimit: integer │ │ └[+] ResolverCountLimit: integer │ └ attributes │ └ GraphQLEndpointArn: (documentation changed) ├[~] service aws-b2bi │ └ resources │ ├[~] resource AWS::B2BI::Capability │ │ ├ - documentation: Definition of AWS::B2BI::Capability Resource Type │ │ │ + documentation: Instantiates a capability based on the specified parameters. A trading capability contains the information required to transform incoming EDI documents into JSON or XML outputs. │ │ ├ properties │ │ │ ├ Configuration: (documentation changed) │ │ │ ├ InstructionsDocuments: (documentation changed) │ │ │ ├ Name: (documentation changed) │ │ │ ├ Tags: (documentation changed) │ │ │ └ Type: (documentation changed) │ │ ├ attributes │ │ │ ├ CapabilityArn: (documentation changed) │ │ │ ├ CapabilityId: (documentation changed) │ │ │ ├ CreatedAt: (documentation changed) │ │ │ └ ModifiedAt: (documentation changed) │ │ └ types │ │ ├[~] type CapabilityConfiguration │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: A capability object. Currently, only EDI (electronic data interchange) capabilities are supported. A trading capability contains the information required to transform incoming EDI documents into JSON or XML outputs. │ │ │ └ properties │ │ │ └ Edi: (documentation changed) │ │ ├[~] type EdiConfiguration │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Specifies the details for the EDI (electronic data interchange) transformation. │ │ │ └ properties │ │ │ ├ InputLocation: (documentation changed) │ │ │ ├ OutputLocation: (documentation changed) │ │ │ ├ TransformerId: (documentation changed) │ │ │ └ Type: (documentation changed) │ │ ├[~] type EdiType │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Specifies the details for the EDI standard that is being used for the transformer. Currently, only X12 is supported. X12 is a set of standards and corresponding messages that define specific business documents. │ │ │ └ properties │ │ │ └ X12Details: (documentation changed) │ │ ├[~] type S3Location │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Specifies the details for the Amazon S3 file location that is being used with AWS B2BI Data Interchange. File locations in Amazon S3 are identified using a combination of the bucket and key. │ │ │ └ properties │ │ │ ├ BucketName: (documentation changed) │ │ │ └ Key: (documentation changed) │ │ └[~] type X12Details │ │ └ properties │ │ ├ TransactionSet: (documentation changed) │ │ └ Version: (documentation changed) │ ├[~] resource AWS::B2BI::Partnership │ │ ├ - documentation: Definition of AWS::B2BI::Partnership Resource Type │ │ │ + documentation: Creates a partnership between a customer and a trading partner, based on the supplied parameters. A partnership represents the connection between you and your trading partner. It ties together a profile and one or more trading capabilities. │ │ ├ properties │ │ │ ├ Capabilities: (documentation changed) │ │ │ ├ Name: (documentation changed) │ │ │ ├ ProfileId: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ └ attributes │ │ ├ CreatedAt: (documentation changed) │ │ ├ ModifiedAt: (documentation changed) │ │ ├ PartnershipArn: (documentation changed) │ │ ├ PartnershipId: (documentation changed) │ │ └ TradingPartnerId: (documentation changed) │ ├[~] resource AWS::B2BI::Profile │ │ ├ - documentation: Definition of AWS::B2BI::Profile Resource Type │ │ │ + documentation: Creates a customer profile. You can have up to five customer profiles, each representing a distinct private network. A profile is the mechanism used to create the concept of a private network. │ │ ├ properties │ │ │ ├ BusinessName: (documentation changed) │ │ │ ├ Logging: (documentation changed) │ │ │ ├ Name: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ └ attributes │ │ ├ CreatedAt: (documentation changed) │ │ ├ LogGroupName: (documentation changed) │ │ ├ ModifiedAt: (documentation changed) │ │ └ ProfileArn: (documentation changed) │ └[~] resource AWS::B2BI::Transformer │ ├ - documentation: Definition of AWS::B2BI::Transformer Resource Type │ │ + documentation: Creates a transformer. A transformer describes how to process the incoming EDI documents and extract the necessary information to the output file. │ ├ properties │ │ ├ EdiType: (documentation changed) │ │ ├ FileFormat: (documentation changed) │ │ ├ MappingTemplate: (documentation changed) │ │ ├ ModifiedAt: (documentation changed) │ │ ├ Name: (documentation changed) │ │ ├ SampleDocument: (documentation changed) │ │ ├ Status: (documentation changed) │ │ └ Tags: (documentation changed) │ ├ attributes │ │ ├ CreatedAt: (documentation changed) │ │ ├ TransformerArn: (documentation changed) │ │ └ TransformerId: (documentation changed) │ └ types │ ├[~] type EdiType │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the details for the EDI standard that is being used for the transformer. Currently, only X12 is supported. X12 is a set of standards and corresponding messages that define specific business documents. │ │ └ properties │ │ └ X12Details: (documentation changed) │ └[~] type X12Details │ ├ - documentation: undefined │ │ + documentation: A structure that contains the X12 transaction set and version. The X12 structure is used when the system transforms an EDI (electronic data interchange) file. │ │ > If an EDI input file contains more than one transaction, each transaction must have the same transaction set and version, for example 214/4010. If not, the transformer cannot parse the file. │ └ properties │ ├ TransactionSet: (documentation changed) │ └ Version: (documentation changed) ├[~] service aws-batch │ └ resources │ └[~] resource AWS::Batch::JobDefinition │ ├ properties │ │ ├ ContainerProperties: - ContainerProperties │ │ │ + ContainerProperties (immutable) │ │ ├ EksProperties: - EksProperties │ │ │ + EksProperties (immutable) │ │ ├ NodeProperties: - NodeProperties │ │ │ + NodeProperties (immutable) │ │ ├ Parameters: - json │ │ │ + Map<string, string> ⇐ json (immutable) │ │ ├ PlatformCapabilities: - Array<string> │ │ │ + Array<string> (immutable) │ │ ├ PropagateTags: - boolean │ │ │ + boolean (immutable) │ │ ├ RetryStrategy: - RetryStrategy │ │ │ + RetryStrategy (immutable) │ │ ├ SchedulingPriority: - integer │ │ │ + integer (immutable) │ │ ├ Tags: - json (immutable) │ │ │ + Map<string, string> ⇐ json (immutable) │ │ ├ Timeout: - Timeout │ │ │ + JobTimeout ⇐ Timeout (immutable) │ │ └ Type: - string (required) │ │ + string (required, immutable) │ ├ attributes │ │ ├[+] ContainerOrchestrationType: string │ │ ├[-] Id: string │ │ ├[+] JobDefinitionArn: string │ │ ├[+] Revision: integer │ │ └[+] Status: string │ └ types │ ├[~] type AuthorizationConfig │ │ ├ - documentation: The authorization configuration details for the Amazon EFS file system. │ │ │ + documentation: undefined │ │ └ properties │ │ ├ AccessPointId: (documentation changed) │ │ └ Iam: (documentation changed) │ ├[~] type ContainerProperties │ │ └ properties │ │ ├ MountPoints: - Array<MountPoints> │ │ │ + Array<MountPoint> ⇐ Array<MountPoints> │ │ └ Volumes: - Array<Volumes> │ │ + Array<Volume> ⇐ Array<Volumes> │ ├[+] type EFSAuthorizationConfig │ │ ├ documentation: The authorization configuration details for the Amazon EFS file system. │ │ │ name: EFSAuthorizationConfig │ │ └ properties │ │ ├AccessPointId: string │ │ └Iam: string │ ├[~] type EfsVolumeConfiguration │ │ ├ - documentation: This is used when you're using an Amazon Elastic File System file system for job storage. For more information, see [Amazon EFS Volumes](https://docs.aws.amazon.com/batch/latest/userguide/efs-volumes.html) in the *AWS Batch User Guide* . │ │ │ + documentation: undefined │ │ └ properties │ │ ├ AuthorizationConfig: (documentation changed) │ │ ├ FileSystemId: (documentation changed) │ │ ├ RootDirectory: (documentation changed) │ │ ├ TransitEncryption: (documentation changed) │ │ └ TransitEncryptionPort: (documentation changed) │ ├[+] type EFSVolumeConfiguration │ │ ├ documentation: This is used when you're using an Amazon Elastic File System file system for job storage. For more information, see [Amazon EFS Volumes](https://docs.aws.amazon.com/batch/latest/userguide/efs-volumes.html) in the *AWS Batch User Guide* . │ │ │ name: EFSVolumeConfiguration │ │ └ properties │ │ ├FileSystemId: string (required) │ │ ├RootDirectory: string │ │ ├TransitEncryption: string │ │ ├TransitEncryptionPort: integer │ │ └AuthorizationConfig: EFSAuthorizationConfig │ ├[+] type EksMetadata │ │ ├ documentation: Describes and uniquely identifies Kubernetes resources. For example, the compute environment that a pod runs in or the `jobID` for a job running in the pod. For more information, see [Understanding Kubernetes Objects](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/) in the *Kubernetes documentation* . │ │ │ name: EksMetadata │ │ └ properties │ │ └Labels: Map<string, string> │ ├[+] type EksPodProperties │ │ ├ documentation: The properties for the pod. │ │ │ name: EksPodProperties │ │ └ properties │ │ ├ServiceAccountName: string │ │ ├HostNetwork: boolean │ │ ├DnsPolicy: string │ │ ├Containers: Array<EksContainer> │ │ ├Volumes: Array<EksVolume> │ │ └Metadata: EksMetadata │ ├[~] type EksProperties │ │ └ properties │ │ └ PodProperties: - PodProperties │ │ + EksPodProperties ⇐ PodProperties │ ├[+] type Host │ │ ├ documentation: Determine whether your data volume persists on the host container instance and where it's stored. If this parameter is empty, then the Docker daemon assigns a host path for your data volume. However, the data isn't guaranteed to persist after the containers that are associated with it stop running. │ │ │ name: Host │ │ └ properties │ │ └SourcePath: string │ ├[+] type JobTimeout │ │ ├ documentation: An object that represents a job timeout configuration. │ │ │ name: JobTimeout │ │ └ properties │ │ └AttemptDurationSeconds: integer │ ├[~] type LogConfiguration │ │ └ properties │ │ └ Options: - json │ │ + Map<string, string> ⇐ json │ ├[+] type MountPoint │ │ ├ documentation: Details for a Docker volume mount point that's used in a job's container properties. This parameter maps to `Volumes` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerCreate) section of the *Docker Remote API* and the `--volume` option to docker run. │ │ │ name: MountPoint │ │ └ properties │ │ ├ContainerPath: string │ │ ├ReadOnly: boolean │ │ └SourceVolume: string │ ├[~] type MountPoints │ │ ├ - documentation: Details for a Docker volume mount point that's used in a job's container properties. This parameter maps to `Volumes` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerCreate) section of the *Docker Remote API* and the `--volume` option to docker run. │ │ │ + documentation: undefined │ │ └ properties │ │ ├ ContainerPath: (documentation changed) │ │ ├ ReadOnly: (documentation changed) │ │ └ SourceVolume: (documentation changed) │ ├[~] type PodProperties │ │ ├ - documentation: The properties for the pod. │ │ │ + documentation: undefined │ │ └ properties │ │ ├ Containers: (documentation changed) │ │ ├ DnsPolicy: (documentation changed) │ │ ├ HostNetwork: (documentation changed) │ │ ├ ServiceAccountName: (documentation changed) │ │ └ Volumes: (documentation changed) │ ├[~] type Resources │ │ └ properties │ │ ├ Limits: - json │ │ │ + Map<string, string> ⇐ json │ │ └ Requests: - json │ │ + Map<string, string> ⇐ json │ ├[~] type Timeout │ │ ├ - documentation: An object that represents a job timeout configuration. │ │ │ + documentation: undefined │ │ └ properties │ │ └ AttemptDurationSeconds: (documentation changed) │ ├[+] type Volume │ │ ├ documentation: A data volume that's used in a job's container properties. │ │ │ name: Volume │ │ └ properties │ │ ├Host: Host │ │ ├EfsVolumeConfiguration: EFSVolumeConfiguration │ │ └Name: string │ ├[~] type Volumes │ │ ├ - documentation: A list of volumes that are associated with the job. │ │ │ + documentation: undefined │ │ └ properties │ │ ├ EfsVolumeConfiguration: (documentation changed) │ │ ├ Host: (documentation changed) │ │ └ Name: (documentation changed) │ └[~] type VolumesHost │ ├ - documentation: Determine whether your data volume persists on the host container instance and where it's stored. If this parameter is empty, then the Docker daemon assigns a host path for your data volume. However, the data isn't guaranteed to persist after the containers that are associated with it stop running. │ │ + documentation: undefined │ └ properties │ └ SourcePath: (documentation changed) ├[~] service aws-cloud9 │ └ resources │ └[~] resource AWS::Cloud9::EnvironmentEC2 │ └ properties │ └ ImageId: (documentation changed) ├[~] service aws-cloudtrail │ └ resources │ ├[~] resource AWS::CloudTrail::EventDataStore │ │ └ types │ │ └[~] type AdvancedFieldSelector │ │ └ properties │ │ └ Field: (documentation changed) │ └[~] resource AWS::CloudTrail::Trail │ ├ properties │ │ └ CloudWatchLogsLogGroupArn: (documentation changed) │ └ types │ ├[~] type AdvancedFieldSelector │ │ └ properties │ │ └ Field: (documentation changed) │ └[~] type DataResource │ └ properties │ └ Type: (documentation changed) ├[~] service aws-codecommit │ └ resources │ └[~] resource AWS::CodeCommit::Repository │ └ properties │ └[+] KmsKeyId: string ├[~] service aws-codedeploy │ └ resources │ └[~] resource AWS::CodeDeploy::DeploymentGroup │ └ properties │ └ TerminationHookEnabled: (documentation changed) ├[~] service aws-cognito │ └ resources │ └[~] resource AWS::Cognito::UserPool │ └ types │ └[~] type LambdaConfig │ └ properties │ └ PreTokenGeneration: (documentation changed) ├[~] service aws-connect │ └ resources │ ├[~] resource AWS::Connect::HoursOfOperation │ │ └ properties │ │ └ Tags: (documentation changed) │ ├[~] resource AWS::Connect::Queue │ │ └ properties │ │ └ Tags: (documentation changed) │ ├[~] resource AWS::Connect::QuickConnect │ │ ├ properties │ │ │ └ Tags: (documentation changed) │ │ └ attributes │ │ └ QuickConnectArn: (documentation changed) │ ├[~] resource AWS::Connect::RoutingProfile │ │ └ properties │ │ └ Tags: (documentation changed) │ └[~] resource AWS::Connect::SecurityProfile │ └ properties │ └ Tags: (documentation changed) ├[~] service aws-datasync │ └ resources │ ├[~] resource AWS::DataSync::LocationAzureBlob │ │ └ - documentation: Creates an endpoint for a Microsoft Azure Blob Storage container that AWS DataSync can use as a transfer source or destination. │ │ Before you begin, make sure you know [how DataSync accesses Azure Blob Storage](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access) and works with [access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) and [blob types](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#blob-types) . You also need a [DataSync agent](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-creating-agent) that can connect to your container. │ │ + documentation: Creates a transfer *location* for a Microsoft Azure Blob Storage container. AWS DataSync can use this location as a transfer source or destination. │ │ Before you begin, make sure you know [how DataSync accesses Azure Blob Storage](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access) and works with [access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) and [blob types](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#blob-types) . You also need a [DataSync agent](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-creating-agent) that can connect to your container. │ ├[~] resource AWS::DataSync::LocationFSxONTAP │ │ └ types │ │ └[~] type SMB │ │ └ properties │ │ └ Domain: (documentation changed) │ ├[~] resource AWS::DataSync::LocationFSxWindows │ │ └ properties │ │ ├ Domain: (documentation changed) │ │ └ Password: (documentation changed) │ ├[~] resource AWS::DataSync::LocationS3 │ │ └ types │ │ └[~] type S3Config │ │ └ - documentation: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role used to access an Amazon S3 bucket. │ │ For detailed information about using such a role, see [Creating a Location for Amazon S3](https://docs.aws.amazon.com/datasync/latest/userguide/working-with-locations.html#create-s3-location) in the *AWS DataSync User Guide* . │ │ + documentation: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role used to access an Amazon S3 bucket. │ │ For detailed information about using such a role, see [Creating a Location for Amazon S3](https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html) in the *AWS DataSync User Guide* . │ ├[~] resource AWS::DataSync::LocationSMB │ │ └ properties │ │ └ Domain: (documentation changed) │ └[~] resource AWS::DataSync::Task │ └ types │ └[~] type Options │ └ properties │ ├ LogLevel: (documentation changed) │ └ ObjectTags: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::Instance │ │ └ attributes │ │ └[-] InstanceId: string │ ├[~] resource AWS::EC2::Subnet │ │ ├ properties │ │ │ ├[-] Ipv4NetmaskLength: integer │ │ │ ├[+] Ipv6CidrBlocks: Array<string> │ │ │ └[-] Ipv6NetmaskLength: integer │ │ └ attributes │ │ └ Ipv6CidrBlocks: (documentation changed) │ └[~] resource AWS::EC2::Volume │ └ - documentation: Specifies an Amazon Elastic Block Store (Amazon EBS) volume. You can attach the volume to an instance in the same Availability Zone using [AWS::EC2::VolumeAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html) . │ When you use AWS CloudFormation to update an Amazon EBS volume that modifies `Iops` , `Size` , or `VolumeType` , there is a cooldown period before another operation can occur. This can cause your stack to report being in `UPDATE_IN_PROGRESS` or `UPDATE_ROLLBACK_IN_PROGRESS` for long periods of time. │ Amazon EBS does not support sizing down an Amazon EBS volume. AWS CloudFormation does not attempt to modify an Amazon EBS volume to a smaller size on rollback. │ Some common scenarios when you might encounter a cooldown period for Amazon EBS include: │ - You successfully update an Amazon EBS volume and the update succeeds. When you attempt another update within the cooldown window, that update will be subject to a cooldown period. │ - You successfully update an Amazon EBS volume and the update succeeds but another change in your `update-stack` call fails. The rollback will be subject to a cooldown period. │ For more information on the cooldown period, see [Requirements when modifying volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/modify-volume-requirements.html) . │ *DeletionPolicy attribute* │ To control how AWS CloudFormation handles the volume when the stack is deleted, set a deletion policy for your volume. You can choose to retain the volume, to delete the volume, or to create a snapshot of the volume. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) . │ > If you set a deletion policy that creates a snapshot, all tags on the volume are included in the snapshot. │ + documentation: Specifies an Amazon Elastic Block Store (Amazon EBS) volume. │ When you use AWS CloudFormation to update an Amazon EBS volume that modifies `Iops` , `Size` , or `VolumeType` , there is a cooldown period before another operation can occur. This can cause your stack to report being in `UPDATE_IN_PROGRESS` or `UPDATE_ROLLBACK_IN_PROGRESS` for long periods of time. │ Amazon EBS does not support sizing down an Amazon EBS volume. AWS CloudFormation does not attempt to modify an Amazon EBS volume to a smaller size on rollback. │ Some common scenarios when you might encounter a cooldown period for Amazon EBS include: │ - You successfully update an Amazon EBS volume and the update succeeds. When you attempt another update within the cooldown window, that update will be subject to a cooldown period. │ - You successfully update an Amazon EBS volume and the update succeeds but another change in your `update-stack` call fails. The rollback will be subject to a cooldown period. │ For more information on the cooldown period, see [Requirements when modifying volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/modify-volume-requirements.html) . │ *DeletionPolicy attribute* │ To control how AWS CloudFormation handles the volume when the stack is deleted, set a deletion policy for your volume. You can choose to retain the volume, to delete the volume, or to create a snapshot of the volume. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) . │ > If you set a deletion policy that creates a snapshot, all tags on the volume are included in the snapshot. ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::Service │ ├ properties │ │ └[+] VolumeConfigurations: Array<ServiceVolumeConfiguration> │ └ types │ ├[+] type EBSTagSpecification │ │ ├ name: EBSTagSpecification │ │ └ properties │ │ ├ResourceType: string (required) │ │ ├Tags: Array<tag> │ │ └PropagateTags: string │ ├[+] type ServiceManagedEBSVolumeConfiguration │ │ ├ name: ServiceManagedEBSVolumeConfiguration │ │ └ properties │ │ ├Encrypted: boolean │ │ ├KmsKeyId: string │ │ ├VolumeType: string │ │ ├SizeInGiB: integer │ │ ├SnapshotId: string │ │ ├Iops: integer │ │ ├Throughput: integer │ │ ├TagSpecifications: Array<EBSTagSpecification> │ │ ├RoleArn: string (required) │ │ └FilesystemType: string │ └[+] type ServiceVolumeConfiguration │ ├ name: ServiceVolumeConfiguration │ └ properties │ ├Name: string (required) │ └ManagedEBSVolume: ServiceManagedEBSVolumeConfiguration ├[~] service aws-efs │ └ resources │ └[~] resource AWS::EFS::FileSystem │ ├ properties │ │ ├ AvailabilityZoneName: (documentation changed) │ │ └ LifecyclePolicies: (documentation changed) │ └ types │ ├[~] type FileSystemProtection │ │ ├ - documentation: undefined │ │ │ + documentation: Describes the protection on the file system. │ │ └ properties │ │ └ ReplicationOverwriteProtection: (documentation changed) │ ├[~] type LifecyclePolicy │ │ ├ - documentation: Describes a policy used by EFS lifecycle management and EFS Intelligent-Tiering that specifies when to transition files into and out of the file system's Infrequent Access (IA) storage class. For more information, see [EFS Intelligent‐Tiering and EFS Lifecycle Management](https://docs.aws.amazon.com/efs/latest/ug/lifecycle-management-efs.html) . │ │ │ > - Each `LifecyclePolicy` object can have only a single transition. This means that in a request body, `LifecyclePolicies` must be structured as an array of `LifecyclePolicy` objects, one object for each transition, `TransitionToIA` , `TransitionToPrimaryStorageClass` . │ │ │ > - See the AWS::EFS::FileSystem examples for the correct `LifecyclePolicy` structure. Do not use the syntax shown on this page. │ │ │ + documentation: Describes a policy used by Lifecycle management that specifies when to transition files into and out of the EFS storage classes. For more information, see [Managing file system storage](https://docs.aws.amazon.com/efs/latest/ug/lifecycle-management-efs.html) . │ │ │ > - Each `LifecyclePolicy` object can have only a single transition. This means that in a request body, `LifecyclePolicies` must be structured as an array of `LifecyclePolicy` objects, one object for each transition, `TransitionToIA` , `TransitionToArchive` , `TransitionToPrimaryStorageClass` . │ │ │ > - See the AWS::EFS::FileSystem examples for the correct `LifecyclePolicy` structure. Do not use the syntax shown on this page. │ │ └ properties │ │ └ TransitionToArchive: (documentation changed) │ └[~] type ReplicationDestination │ └ properties │ ├ AvailabilityZoneName: (documentation changed) │ └ Region: (documentation changed) ├[~] service aws-eks │ └ resources │ ├[+] resource AWS::EKS::AccessEntry │ │ ├ name: AccessEntry │ │ │ cloudFormationType: AWS::EKS::AccessEntry │ │ │ documentation: Creates an access entry. │ │ │ An access entry allows an IAM principal to access your cluster. Access entries can replace the need to maintain entries in the `aws-auth` `ConfigMap` for authentication. You have the following options for authorizing an IAM principal to access Kubernetes objects on your cluster: Kubernetes role-based access control (RBAC), Amazon EKS, or both. Kubernetes RBAC authorization requires you to create and manage Kubernetes `Role` , `ClusterRole` , `RoleBinding` , and `ClusterRoleBinding` objects, in addition to managing access entries. If you use Amazon EKS authorization exclusively, you don't need to create and manage Kubernetes `Role` , `ClusterRole` , `RoleBinding` , and `ClusterRoleBinding` objects. │ │ │ For more information about access entries, see [Access entries](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html) in the *Amazon EKS User Guide* . │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ ├ properties │ │ │ ├ClusterName: string (required, immutable) │ │ │ ├PrincipalArn: string (required, immutable) │ │ │ ├Username: string │ │ │ ├Tags: Array<tag> │ │ │ ├KubernetesGroups: Array<string> │ │ │ ├AccessPolicies: Array<AccessPolicy> │ │ │ └Type: string (immutable) │ │ ├ attributes │ │ │ └AccessEntryArn: string │ │ └ types │ │ ├type AccessPolicy │ │ │├ documentation: An access policy includes permissions that allow Amazon EKS to authorize an IAM principal to work with Kubernetes objects on your cluster. The policies are managed by Amazon EKS, but they're not IAM policies. You can't view the permissions in the policies using the API. The permissions for many of the policies are similar to the Kubernetes `cluster-admin` , `admin` , `edit` , and `view` cluster roles. For more information about these cluster roles, see [User-facing roles](https://docs.aws.amazon.com/https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) in the Kubernetes documentation. To view the contents of the policies, see [Access policy permissions](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html#access-policy-permissions) in the *Amazon EKS User Guide* . │ │ ││ name: AccessPolicy │ │ │└ properties │ │ │ ├PolicyArn: string (required) │ │ │ └AccessScope: AccessScope (required) │ │ └type AccessScope │ │ ├ documentation: The scope of an `AccessPolicy` that's associated to an `AccessEntry` . │ │ │ name: AccessScope │ │ └ properties │ │ ├Type: string (required) │ │ └Namespaces: Array<string> │ ├[~] resource AWS::EKS::Addon │ │ └ properties │ │ └ ClusterName: (documentation changed) │ ├[~] resource AWS::EKS::Cluster │ │ ├ properties │ │ │ ├[+] AccessConfig: AccessConfig │ │ │ └ ResourcesVpcConfig: (documentation changed) │ │ └ types │ │ ├[+] type AccessConfig │ │ │ ├ documentation: The access configuration for the cluster. │ │ │ │ name: AccessConfig │ │ │ └ properties │ │ │ ├BootstrapClusterCreatorAdminPermissions: boolean (immutable) │ │ │ └AuthenticationMode: string │ │ ├[~] type ControlPlanePlacement │ │ │ └ properties │ │ │ └ GroupName: (documentation changed) │ │ ├[~] type EncryptionConfig │ │ │ └ properties │ │ │ └ Resources: (documentation changed) │ │ ├[~] type KubernetesNetworkConfig │ │ │ └ properties │ │ │ └ ServiceIpv4Cidr: (documentation changed) │ │ └[~] type ResourcesVpcConfig │ │ └ properties │ │ └ PublicAccessCidrs: (documentation changed) │ ├[~] resource AWS::EKS::FargateProfile │ │ ├ - documentation: Creates an AWS Fargate profile for your Amazon EKS cluster. You must have at least one Fargate profile in a cluster to be able to run pods on Fargate. │ │ │ The Fargate profile allows an administrator to declare which pods run on Fargate and specify which pods run on which Fargate profile. This declaration is done through the profile’s selectors. Each profile can have up to five selectors that contain a namespace and labels. A namespace is required for every selector. The label field consists of multiple optional key-value pairs. Pods that match the selectors are scheduled on Fargate. If a to-be-scheduled pod matches any of the selectors in the Fargate profile, then that pod is run on Fargate. │ │ │ When you create a Fargate profile, you must specify a pod execution role to use with the pods that are scheduled with the profile. This role is added to the cluster's Kubernetes [Role Based Access Control](https://docs.aws.amazon.com/https://kubernetes.io/docs/reference/access-authn-authz/rbac/) (RBAC) for authorization so that the `kubelet` that is running on the Fargate infrastructure can register with your Amazon EKS cluster so that it can appear in your cluster as a node. The pod execution role also provides IAM permissions to the Fargate infrastructure to allow read access to Amazon ECR image repositories. For more information, see [Pod Execution Role](https://docs.aws.amazon.com/eks/latest/userguide/pod-execution-role.html) in the *Amazon EKS User Guide* . │ │ │ Fargate profiles are immutable. However, you can create a new updated profile to replace an existing profile and then delete the original after the updated profile has finished creating. │ │ │ If any Fargate profiles in a cluster are in the `DELETING` status, you must wait for that Fargate profile to finish deleting before you can create any other profiles in that cluster. │ │ │ For more information, see [AWS Fargate Profile](https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html) in the *Amazon EKS User Guide* . │ │ │ + documentation: Creates an AWS Fargate profile for your Amazon EKS cluster. You must have at least one Fargate profile in a cluster to be able to run pods on Fargate. │ │ │ The Fargate profile allows an administrator to declare which pods run on Fargate and specify which pods run on which Fargate profile. This declaration is done through the profile’s selectors. Each profile can have up to five selectors that contain a namespace and labels. A namespace is required for every selector. The label field consists of multiple optional key-value pairs. Pods that match the selectors are scheduled on Fargate. If a to-be-scheduled pod matches any of the selectors in the Fargate profile, then that pod is run on Fargate. │ │ │ When you create a Fargate profile, you must specify a pod execution role to use with the pods that are scheduled with the profile. This role is added to the cluster's Kubernetes [Role Based Access Control](https://docs.aws.amazon.com/https://kubernetes.io/docs/reference/access-authn-authz/rbac/) (RBAC) for authorization so that the `kubelet` that is running on the Fargate infrastructure can register with your Amazon EKS cluster so that it can appear in your cluster as a node. The pod execution role also provides IAM permissions to the Fargate infrastructure to allow read access to Amazon ECR image repositories. For more information, see [Pod Execution Role](https://docs.aws.amazon.com/eks/latest/userguide/pod-execution-role.html) in the *Amazon EKS User Guide* . │ │ │ Fargate profiles are immutable. However, you can create a new updated profile to replace an existing profile and then delete the original after the updated profile has finished creating. │ │ │ If any Fargate profiles in a cluster are in the `DELETING` status, you must wait for that Fargate profile to finish deleting before you can create any other profiles in that cluster. │ │ │ For more information, see [AWS Fargate profile](https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html) in the *Amazon EKS User Guide* . │ │ ├ properties │ │ │ ├ ClusterName: (documentation changed) │ │ │ ├ PodExecutionRoleArn: (documentation changed) │ │ │ ├ Selectors: (documentation changed) │ │ │ ├ Subnets: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ └ types │ │ └[~] type Selector │ │ └ properties │ │ └ Namespace: (documentation changed) │ ├[~] resource AWS::EKS::IdentityProviderConfig │ │ ├ - documentation: Associate an identity provider configuration to a cluster. │ │ │ If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster you can create Kubernetes `roles` and `clusterroles` to assign permissions to the roles, and then bind the roles to the identities using Kubernetes `rolebindings` and `clusterrolebindings` . For more information see [Using RBAC Authorization](https://docs.aws.amazon.com/https://kubernetes.io/docs/reference/access-authn-authz/rbac/) in the Kubernetes documentation. │ │ │ + documentation: Associates an identity provider configuration to a cluster. │ │ │ If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster you can create Kubernetes `Role` and `ClusterRole` objects, assign permissions to them, and then bind them to the identities using Kubernetes `RoleBinding` and `ClusterRoleBinding` objects. For more information see [Using RBAC Authorization](https://docs.aws.amazon.com/https://kubernetes.io/docs/reference/access-authn-authz/rbac/) in the Kubernetes documentation. │ │ └ properties │ │ ├ ClusterName: (documentation changed) │ │ └ Tags: (documentation changed) │ ├[~] resource AWS::EKS::Nodegroup │ │ ├ - documentation: Creates a managed node group for an Amazon EKS cluster. You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. │ │ │ An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. For more information, see [Managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) in the *Amazon EKS User Guide* . │ │ │ > Windows AMI types are only supported for commercial Regions that support Windows Amazon EKS. │ │ │ + documentation: Creates a managed node group for an Amazon EKS cluster. │ │ │ You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template. For more information about using launch templates, see [Launch template support](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) . │ │ │ An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. For more information, see [Managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) in the *Amazon EKS User Guide* . │ │ │ > Windows AMI types are only supported for commercial AWS Regions that support Windows on Amazon EKS. │ │ ├ properties │ │ │ ├ ClusterName: (documentation changed) │ │ │ ├ ForceUpdateEnabled: (documentation changed) │ │ │ ├ Labels: (documentation changed) │ │ │ ├ NodeRole: (documentation changed) │ │ │ ├ Subnets: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ ├ attributes │ │ │ └ ClusterName: (documentation changed) │ │ └ types │ │ ├[~] type ScalingConfig │ │ │ └ properties │ │ │ └ DesiredSize: (documentation changed) │ │ ├[~] type Taint │ │ │ └ - documentation: A property that allows a node to repel a set of pods. For more information, see [Node taints on managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/node-taints-managed-node-groups.html) . │ │ │ + documentation: A property that allows a node to repel a `Pod` . For more information, see [Node taints on managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/node-taints-managed-node-groups.html) in the *Amazon EKS User Guide* . │ │ └[~] type UpdateConfig │ │ └ properties │ │ ├ MaxUnavailable: (documentation changed) │ │ └ MaxUnavailablePercentage: (documentation changed) │ └[~] resource AWS::EKS::PodIdentityAssociation │ └ properties │ └ Tags: (documentation changed) ├[~] service aws-emr │ └ resources │ └[~] resource AWS::EMR::Cluster │ ├ properties │ │ ├ EbsRootVolumeIops: (documentation changed) │ │ └ EbsRootVolumeThroughput: (documentation changed) │ └ types │ └[~] type PlacementGroupConfig │ ├ - documentation: undefined │ │ + documentation: Placement group configuration for an Amazon EMR cluster. The configuration specifies the placement strategy that can be applied to instance roles during cluster creation. │ │ To use this configuration, consider attaching managed policy AmazonElasticMapReducePlacementGroupPolicy to the Amazon EMR role. │ └ properties │ ├ InstanceRole: (documentation changed) │ └ PlacementStrategy: (documentation changed) ├[~] service aws-emrserverless │ └ resources │ └[~] resource AWS::EMRServerless::Application │ └ types │ ├[+] type CloudWatchLoggingConfiguration │ │ ├ name: CloudWatchLoggingConfiguration │ │ └ properties │ │ ├Enabled: boolean (default=false) │ │ ├LogGroupName: string │ │ ├LogStreamNamePrefix: string │ │ ├EncryptionKeyArn: string │ │ └LogTypeMap: Array<LogTypeMapKeyValuePair> │ ├[+] type LogTypeMapKeyValuePair │ │ ├ name: LogTypeMapKeyValuePair │ │ └ properties │ │ ├Key: string (required) │ │ └Value: Array<string> (required) │ └[~] type MonitoringConfiguration │ └ properties │ └[+] CloudWatchLoggingConfiguration: CloudWatchLoggingConfiguration ├[~] service aws-eventschemas │ └ resources │ └[~] resource AWS::EventSchemas::Schema │ └ attributes │ └ LastModified: (documentation changed) ├[~] service aws-gamelift │ └ resources │ └[~] resource AWS::GameLift::MatchmakingConfiguration │ └ types │ └[~] type GameProperty │ └ - documentation: Set of key-value pairs that contain information about a game session. When included in a game session request, these properties communicate details to be used when setting up the new game session. For example, a game property might specify a game mode, level, or map. Game properties are passed to the game server process when initiating a new game session. For more information, see the [Amazon GameLift Developer Guide](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-client-api.html#gamelift-sdk-client-api-create) . │ + documentation: This key-value pair can store custom data about a game session. For example, you might use a `GameProperty` to track a game session's map, level of difficulty, or remaining time. The difficulty level could be specified like this: `{"Key": "difficulty", "Value":"Novice"}` . │ You can set game properties when creating a game session. You can also modify game properties of an active game session. When searching for game sessions, you can filter on game property keys and values. You can't delete game properties from a game session. │ For examples of working with game properties, see [Create a game session with properties](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-client-api.html#game-properties) . ├[~] service aws-greengrass │ └ resources │ ├[~] resource AWS::Greengrass::ConnectorDefinition │ │ ├ properties │ │ │ └ Tags: (documentation changed) │ │ └ types │ │ └[~] type Connector │ │ ├ - documentation: Connectors are modules that provide built-in integration with local infrastructure, device protocols, AWS , and other cloud services. For more information, see [Integrate with Services and Protocols Using Greengrass Connectors](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, the `Connectors` property of the [`ConnectorDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-connectordefinition-connectordefinitionversion.html) property type contains a list of `Connector` property types. │ │ │ + documentation: Connectors are modules that provide built-in integration with local infrastructure, device protocols, AWS , and other cloud services. For more information, see [Integrate with Services and Protocols Using Greengrass Connectors](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, the `Connectors` property of the [`ConnectorDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-connectordefinition-connectordefinitionversion.html) property type contains a list of `Connector` property types. │ │ └ properties │ │ ├ ConnectorArn: (documentation changed) │ │ └ Parameters: (documentation changed) │ ├[~] resource AWS::Greengrass::ConnectorDefinitionVersion │ │ └ types │ │ └[~] type Connector │ │ ├ - documentation: Connectors are modules that provide built-in integration with local infrastructure, device protocols, AWS , and other cloud services. For more information, see [Integrate with Services and Protocols Using Greengrass Connectors](https://docs.aws.amazon.com/greengrass/latest/developerguide/connectors.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, the `Connectors` property of the [`AWS::Greengrass::ConnectorDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-connectordefinitionversion.html) resource contains a list of `Connector` property types. │ │ │ + documentation: Connectors are modules that provide built-in integration with local infrastructure, device protocols, AWS , and other cloud services. For more information, see [Integrate with Services and Protocols Using Greengrass Connectors](https://docs.aws.amazon.com/greengrass/v1/developerguide/connectors.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, the `Connectors` property of the [`AWS::Greengrass::ConnectorDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-connectordefinitionversion.html) resource contains a list of `Connector` property types. │ │ └ properties │ │ ├ ConnectorArn: (documentation changed) │ │ └ Parameters: (documentation changed) │ ├[~] resource AWS::Greengrass::CoreDefinition │ │ ├ properties │ │ │ └ Tags: (documentation changed) │ │ └ types │ │ └[~] type Core │ │ └ - documentation: A core is an AWS IoT device that runs the AWS IoT Greengrass core software and manages local processes for a Greengrass group. For more information, see [What Is AWS IoT Greengrass ?](https://docs.aws.amazon.com/greengrass/latest/developerguide/what-is-gg.html) in the *Developer Guide* . │ │ In an AWS CloudFormation template, the `Cores` property of the [`CoreDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-coredefinition-coredefinitionversion.html) property type contains a list of `Core` property types. Currently, the list can contain only one core. │ │ + documentation: A core is an AWS IoT device that runs the AWS IoT Greengrass core software and manages local processes for a Greengrass group. For more information, see [What Is AWS IoT Greengrass ?](https://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html) in the *Developer Guide* . │ │ In an AWS CloudFormation template, the `Cores` property of the [`CoreDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-coredefinition-coredefinitionversion.html) property type contains a list of `Core` property types. Currently, the list can contain only one core. │ ├[~] resource AWS::Greengrass::CoreDefinitionVersion │ │ └ types │ │ └[~] type Core │ │ └ - documentation: A core is an AWS IoT device that runs the AWS IoT Greengrass core software and manages local processes for a Greengrass group. For more information, see [What Is AWS IoT Greengrass ?](https://docs.aws.amazon.com/greengrass/latest/developerguide/what-is-gg.html) in the *Developer Guide* . │ │ In an AWS CloudFormation template, the `Cores` property of the [`AWS::Greengrass::CoreDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-coredefinitionversion.html) resource contains a list of `Core` property types. Currently, the list can contain only one core. │ │ + documentation: A core is an AWS IoT device that runs the AWS IoT Greengrass core software and manages local processes for a Greengrass group. For more information, see [What Is AWS IoT Greengrass ?](https://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html) in the *Developer Guide* . │ │ In an AWS CloudFormation template, the `Cores` property of the [`AWS::Greengrass::CoreDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-coredefinitionversion.html) resource contains a list of `Core` property types. Currently, the list can contain only one core. │ ├[~] resource AWS::Greengrass::DeviceDefinition │ │ ├ properties │ │ │ └ Tags: (documentation changed) │ │ └ types │ │ └[~] type Device │ │ └ - documentation: A device is an AWS IoT device (thing) that's added to a Greengrass group. Greengrass devices can communicate with the Greengrass core in the same group. For more information, see [What Is AWS IoT Greengrass ?](https://docs.aws.amazon.com/greengrass/latest/developerguide/what-is-gg.html) in the *Developer Guide* . │ │ In an AWS CloudFormation template, the `Devices` property of the [`DeviceDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-devicedefinition-devicedefinitionversion.html) property type contains a list of `Device` property types. │ │ + documentation: A device is an AWS IoT device (thing) that's added to a Greengrass group. Greengrass devices can communicate with the Greengrass core in the same group. For more information, see [What Is AWS IoT Greengrass ?](https://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html) in the *Developer Guide* . │ │ In an AWS CloudFormation template, the `Devices` property of the [`DeviceDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-devicedefinition-devicedefinitionversion.html) property type contains a list of `Device` property types. │ ├[~] resource AWS::Greengrass::DeviceDefinitionVersion │ │ └ types │ │ └[~] type Device │ │ └ - documentation: A device is an AWS IoT device (thing) that's added to a Greengrass group. Greengrass devices can communicate with the Greengrass core in the same group. For more information, see [What Is AWS IoT Greengrass ?](https://docs.aws.amazon.com/greengrass/latest/developerguide/what-is-gg.html) in the *Developer Guide* . │ │ In an AWS CloudFormation template, the `Devices` property of the [`AWS::Greengrass::DeviceDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-devicedefinitionversion.html) resource contains a list of `Device` property types. │ │ + documentation: A device is an AWS IoT device (thing) that's added to a Greengrass group. Greengrass devices can communicate with the Greengrass core in the same group. For more information, see [What Is AWS IoT Greengrass ?](https://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html) in the *Developer Guide* . │ │ In an AWS CloudFormation template, the `Devices` property of the [`AWS::Greengrass::DeviceDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-devicedefinitionversion.html) resource contains a list of `Device` property types. │ ├[~] resource AWS::Greengrass::FunctionDefinition │ │ ├ properties │ │ │ └ Tags: (documentation changed) │ │ └ types │ │ ├[~] type Execution │ │ │ └ properties │ │ │ ├ IsolationMode: (documentation changed) │ │ │ └ RunAs: (documentation changed) │ │ ├[~] type Function │ │ │ └ - documentation: A function is a Lambda function that's referenced from an AWS IoT Greengrass group. The function is deployed to a Greengrass core where it runs locally. For more information, see [Run Lambda Functions on the AWS IoT Greengrass Core](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-functions.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, the `Functions` property of the [`FunctionDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinition-functiondefinitionversion.html) property type contains a list of `Function` property types. │ │ │ + documentation: A function is a Lambda function that's referenced from an AWS IoT Greengrass group. The function is deployed to a Greengrass core where it runs locally. For more information, see [Run Lambda Functions on the AWS IoT Greengrass Core](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-functions.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, the `Functions` property of the [`FunctionDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinition-functiondefinitionversion.html) property type contains a list of `Function` property types. │ │ ├[~] type FunctionConfiguration │ │ │ └ - documentation: The group-specific configuration settings for a Lambda function. These settings configure the function's behavior in the Greengrass group. For more information, see [Controlling Execution of Greengrass Lambda Functions by Using Group-Specific Configuration](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, `FunctionConfiguration` is a property of the [`Function`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinition-function.html) property type. │ │ │ + documentation: The group-specific configuration settings for a Lambda function. These settings configure the function's behavior in the Greengrass group. For more information, see [Controlling Execution of Greengrass Lambda Functions by Using Group-Specific Configuration](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, `FunctionConfiguration` is a property of the [`Function`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinition-function.html) property type. │ │ └[~] type RunAs │ │ └ - documentation: The access identity whose permissions are used to run the Lambda function. This setting overrides the default access identity that's specified for the group (by default, ggc_user and ggc_group). You can override the user, group, or both. For more information, see [Run as](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* . │ │ > Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-running-as-root) . │ │ In an AWS CloudFormation template, `RunAs` is a property of the [`Execution`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinition-execution.html) property type. │ │ + documentation: The access identity whose permissions are used to run the Lambda function. This setting overrides the default access identity that's specified for the group (by default, ggc_user and ggc_group). You can override the user, group, or both. For more information, see [Run as](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* . │ │ > Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-running-as-root) . │ │ In an AWS CloudFormation template, `RunAs` is a property of the [`Execution`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinition-execution.html) property type. │ ├[~] resource AWS::Greengrass::FunctionDefinitionVersion │ │ └ types │ │ ├[~] type Execution │ │ │ └ properties │ │ │ ├ IsolationMode: (documentation changed) │ │ │ └ RunAs: (documentation changed) │ │ ├[~] type Function │ │ │ └ - documentation: A function is a Lambda function that's referenced from an AWS IoT Greengrass group. The function is deployed to a Greengrass core where it runs locally. For more information, see [Run Lambda Functions on the AWS IoT Greengrass Core](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-functions.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, the `Functions` property of the [`AWS::Greengrass::FunctionDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-functiondefinitionversion.html) resource contains a list of `Function` property types. │ │ │ + documentation: A function is a Lambda function that's referenced from an AWS IoT Greengrass group. The function is deployed to a Greengrass core where it runs locally. For more information, see [Run Lambda Functions on the AWS IoT Greengrass Core](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-functions.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, the `Functions` property of the [`AWS::Greengrass::FunctionDefinitionVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-functiondefinitionversion.html) resource contains a list of `Function` property types. │ │ ├[~] type FunctionConfiguration │ │ │ └ - documentation: The group-specific configuration settings for a Lambda function. These settings configure the function's behavior in the Greengrass group. For more information, see [Controlling Execution of Greengrass Lambda Functions by Using Group-Specific Configuration](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, `FunctionConfiguration` is a property of the [`Function`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-function.html) property type. │ │ │ + documentation: The group-specific configuration settings for a Lambda function. These settings configure the function's behavior in the Greengrass group. For more information, see [Controlling Execution of Greengrass Lambda Functions by Using Group-Specific Configuration](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html) in the *Developer Guide* . │ │ │ In an AWS CloudFormation template, `FunctionConfiguration` is a property of the [`Function`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-function.html) property type. │ │ └[~] type RunAs │ │ └ - documentation: The user and group permissions used to run the Lambda function. This setting overrides the default access identity that's specified for the group (by default, ggc_user and ggc_group). You can override the user, group, or both. For more information, see [Run as](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* . │ │ > Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-running-as-root) . │ │ In an AWS CloudFormation template, `RunAs` is a property of the [`Execution`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-execution.html) property type. │ │ + documentation: The user and group permissions used to run the Lambda function. This setting overrides the default access identity that's specified for the group (by default, ggc_user and ggc_group). You can override the user, group, or both. For more information, see [Run as](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-access-identity.html) in the *Developer Guide* . │ │ > Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0) unless your business case requires it. For more information and requirements, see [Running a Lambda Function as Root](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#lambda-running-as-root) . │ │ In an AWS CloudFormation template, `RunAs` is a property of the [`Execution`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-greengrass-functiondefinitionversion-execution.html) property type. │ ├[~] resource AWS::Greengrass::Group │ │ ├ - documentation: AWS IoT Greengrass seamlessly extends AWS to edge devices so they can act locally on the data they generate, while still using the cloud for management, analytics, and durable storage. With AWS IoT Greengrass , connected devices can run AWS Lambda functions, execute predictions based on machine learning models, keep device data in sync, and communicate with other devices securely – even when not connected to the internet. For more information, see the [Developer Guide](https://docs.aws.amazon.com/greengrass/latest/developerguide/what-is-gg.html) . │ │ │ > For AWS Region support, see [AWS CloudFormation Support for AWS IoT Greengrass](https://docs.aws.amazon.com/greengrass/latest/developerguide/cloudformation-support.html) in the *Developer Guide* . │ │ │ The `AWS::Greengrass::Group` resource represents a group in AWS IoT Greengrass . In the AWS IoT Greengrass API, groups are used to organize your group versions. │ │ │ Groups can reference multiple group versions. All group versions must be associated with a group. A group version references a device definition version, subscription definition version, and other version types that contain the components you want to deploy to a Greengrass core device. │ │ │ To deploy a group version, the group version must reference a core definition version that contains one core. Other version types are optionally included, depending on your business need. │ │ │ > When you create a group, you can optionally include an initial group version. To associate a group version later, create a [`AWS::Greengrass::GroupVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-greengrass-groupversion.html) resource and specify the ID of this group. │ │ │ > │ │ │ > To change group components (such as…

…8481) Because of PRs that require cli integ tests run, some PRs have the automated review failing while awaiting review (and integ tests run). We shouldn't auto-close these as stale ever, since the ball is in our court. See aws#27882, where we were bad. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…s load balancer name (aws#28394) Fixes by adding the `loadBalancerName` property to the generated `ApplicationLoadBalancer`. Closes aws#23535. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… IAM entities (aws#28486) Added a `grantTaskProtection` method to the ECS (Elastic Container Service) Cluster. This method grants ECS tasks the necessary permissions to interact with the task protection API. Closes aws#26233 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…lerated tasks (aws#28488) This pull request introduces a new variant, AWS_ECS_1_NVIDIA, to the BottlerocketEcsVariant enum. This addition caters to the increasing demand for GPU-accelerated computing in containerized environments, particularly for tasks that require intensive computing power, such as machine learning and 3D rendering. Closes aws#25980 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…table construct (aws#27643) Add [cfn-glue-table-tableinput-parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-glue-table-tableinput.html#cfn-glue-table-tableinput-parameters) to Glue Table construct as optional props User can specify additional table parameter when creating Glue Table. Any key/value can be set depending on each user's requirement like table's additional metadata or statistics. Some parameter can be used when AWS services / 3rd party tools read table like `skip.header.line.count`. Closes aws#14159. --- All Submissions: - [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) Adding new Unconventional Dependencies: - [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) New Features - [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? - [x] Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)? --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license --------- Co-authored-by: Vinayak Kukreja <78971045+vinayak-kukreja@users.noreply.github.com> Co-authored-by: Sumu Pitchayan <35242245+sumupitchayan@users.noreply.github.com>

This PR adds a `ipAddressType` property for `Domain`. Closes aws#28436. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add support for [IntrospectionConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-graphqlapi.html#cfn-appsync-graphqlapi-introspectionconfig) Closes aws#28429. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

aws#28471) ### Description The related issue reports that deployment fails due to circular dependencies when multiple RDSProxy are created. The `DatabaseProxy` uses the `node.addDependency` method to ensure that the `CfnDBProxyTargetGroup` is created after the `DBCluster` and `DBInstance` are created (aws#12237). This works well for a single `DatabaseProxy`, but does not work well when multiple `DatabaseProxy` are created with `DatabaseCluster.addProxy`. When creating a `DatabaseProxy` with the `DatabaseCluster.addProxy` method, it is created as a child of the `DatabaseCluster`. https://github.com/aws/aws-cdk/blob/cd54c4239ec29182e30fd91634505df560d6e5f8/packages/aws-cdk-lib/aws-rds/lib/cluster.ts#L446 The `node.addDependency` method recursively sets dependencies on child Constructs, so if multiple `DatabaseProxy` are created as a child of a `DatabaseCluster` in the construct tree, multiple `DatabaseProxy` dependencies on each other. If the `addProxy` method is not used, the user initializes the `DatabaseProxy` directly and it does not become a child of `DatabaseCluster`. For example, ```ts new DatabaseProxy(stack, 'DBProxy', { proxyTarget: rds.ProxyTarget.fromCluster(cluster), vpc, }); ``` I believe this is the cause of the `these resources have a dependency cycle` error reported in the related issue. To correct this error, this PR uses `CfnResource.addDependency` instead of `node.addDependency` to avoid recurrent dependencies. Closes aws#25633 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The link to the Wiki page on `TrustedMember` has changed, and prlint is now failing, so I fixed the broken link in this PR. ![スクリーンショット 2023-12-28 14 34 01](https://github.com/aws/aws-cdk/assets/58683719/f776ce9c-fc42-419f-b13e-798c36789125) https://github.com/aws/aws-cdk/wiki/_compare/17dd5d3103a6cd3350441f20371915d0cd0c1465...4863a52be6383e221667a9c7b9f982f37cac852c For Example, https://github.com/aws/aws-cdk/actions/runs/7344487786/job/19996393076?pr=28495 ![スクリーンショット 2023-12-28 14 37 10](https://github.com/aws/aws-cdk/assets/58683719/bb3a39a5-7c68-406f-ac9a-0e6e9998961e) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ws#28464) Closes aws#28393 > Basically [LaunchTemplateOverrides](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_autoscaling.LaunchTemplateOverrides.html) for L2 construct is missing the [InstanceRequirements](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-autoscaling-autoscalinggroup-launchtemplateoverrides.html#cfn-autoscaling-autoscalinggroup-launchtemplateoverrides-instancerequirements) attribute. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: Sumu Pitchayan <35242245+sumupitchayan@users.noreply.github.com>

This adds an initial resource to support creating a Key Value Store and specifying an import source. Unfortunately, CloudFormation doesn't seem to support specifying the `KeyValueStoreAssociations` property of a function so there isn't a way to actually associate the store with a function. Closes aws#28377. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

fixed aws#28163 This provides an option to change the runtime for CloudFront Functions. This makes it easier to access the CloudFront KeyValueStore. https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-function-functionconfig.html ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add new aurora engine versions: - 12.17 - 13.13 - 14.10 - 15.5 - 16.0 Release notes: - https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-aurora-postgresql-15-5-14-10-13-13-12-17/ - https://aws.amazon.com/about-aws/whats-new/2023/11/amazon-aurora-postgresql-16-rds-database-preview/

…28529) This PR adds validations for `EmrCreateCluster`. ## timeoutDurationMinutes > Minimum value is 5 and maximum value is 1440. https://docs.aws.amazon.com/emr/latest/APIReference/API_SpotProvisioningSpecification.html ## bidPrice and bidPriceAsPercentageOfOnDemandPrice Both `bidPrice` and `bidPriceAsPercentageOfOnDemandPrice` are specified, the error occurs in Step Functions console. ``` Specify at most one of bidPrice or bidPriceAsPercentageOfOnDemandPrice value for the Spot Instance fleet : Master request. (Service: AmazonElasticMapReduce; Status Code: 400; Error Code: ValidationException; Request ID: xxxxxx; Proxy: null) ``` ## targetOnDemandCapacity and targetSpotCapacity > At least one of TargetSpotCapacity and TargetOnDemandCapacity should be greater than 0. For a master instance fleet, only one of TargetSpotCapacity and TargetOnDemandCapacity can be specified, and its value must be 1. https://docs.aws.amazon.com/emr/latest/APIReference/API_InstanceFleetConfig.html ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…instance fleets in EmrCreateCluster (aws#28525) This PR adds new allocation strategies for spot instance fleets in EmrCreateCluster. - price-capacity-optimized - recommended - lowest-price - diversified https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-emr-instancefleetconfig-spotprovisioningspecification.html https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-allocation-strategy.html ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Calling `withConditions` after `withSessionTags` will override the existing `sts:TagSession` action for the statement. This implementation fixes the issue. Closes aws#28426. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Closes aws#27740. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

@deprecated

…ined (aws#28533) As per these documents, the following build image is not actively maintained, so I added @deprecated tag in this PR. - `standard` - `STANDARD_1_0` - `STANDARD_2_0` - `STANDARD_3_0` - `STANDARD_4_0` - `amazonlinux2-x86_64-standard` - `AMAZON_LINUX_2` - `AMAZON_LINUX_2_2` - `AMAZON_LINUX_2_3` - `amazonlinux2-aarch64-standard` - `AMAZON_LINUX_2_STANDARD_1_0` https://github.com/aws/aws-codebuild-docker-images?tab=readme-ov-file#image-maintenance https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html relates: aws#23096 (comment), aws#16707 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Happy New Year! ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action

…er (aws#28532) This PR adds a new parameter `timeout` as Duration type instead of `timeoutDurationMinutes` because the `timeoutDurationMinutes` is a number type. Originally, `timeoutDurationMinutes` was a **required** parameter, but we have made it **optional** and also made the new parameter **optional** to avoid breaking change. Instead, added a validation to ensure that the value is specified. We discussed this in the following thread: aws#28529 (comment) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

aws#27340 introduced the ability to create multiple event bus policies on a single event bus. To facilitate this, the logical Id was changed from `"Policy"` to the statementId. This triggers a replacement, which fails in CloudFormation because the statement ID does not change. The idea behind this PR is simple -- we are updating the statement ID of the policy to trigger a change for anyone who updates to the new version. I think we are okay with this change because no one should be depending on the statementIds of their policies. And since the policy is not a stateful resource, updating the policy should not harm anyone. I have checked the feasibility of this PR on my own, hence the lack of an integ test. closes aws#28520 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…28536) This pull request adds the `interactive` argument to `ContainerDefinitionOptions`. This argument is used when deploying containerized applications that require the allocation of standard input (stdin) or a terminal (tty). This parameter corresponds to `OpenStdin` in the "Create a container" section of the Docker Remote API and the `--interactive` option to `docker run`. Closes aws#24326. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

> Validates roleName Closes aws#28502 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ws#28557) This schema is now publicly available and needs to be cleaned up. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…8523) This is correctly handled for empty change sets here: https://github.com/aws/aws-cdk/blob/9d8b06f6478a98e01e3aaa86c1dbf22d6e861f05/packages/aws-cdk/lib/api/util/cloudformation.ts#L290-L296 but not for direct updates. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

`splitArn` is the correct updated version of `parseArn`. It's now necessary to use `ArnFormat` not a literal string for the format of the ARN resource for `splitArn` and `formatArn`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ter (aws#28534) This pull request introduces two new properties to the `ServerlessCluster` class in the AWS CDK RDS package: `secondsBeforeTimeout` and `timeoutAction`. The `secondsBeforeTimeout` property allows users to specify the amount of time that Aurora Serverless v1 will attempt to find a scaling point to perform seamless scaling before enforcing the timeout action. The default value is 300 seconds (5 minutes). The `timeoutAction` property allows users to specify the action to take when the timeout is reached. Users can choose between `ForceApplyCapacityChange`, which will force the capacity to the specified value as soon as possible, even without a scaling point, and `RollbackCapacityChange`, which will ignore the capacity change if a scaling point is not found. The default behavior is `RollbackCapacityChange`. These enhancements provide users with more control over the scaling behavior of their Aurora Serverless clusters. Closes aws#27183 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adds support for [`ClientPasswordAuthType`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbproxy-authformat.html#cfn-rds-dbproxy-authformat-clientpasswordauthtype) on `DatabaseProxy` construct. Closes aws#28415. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Output path with space breaks go build Solution: quoting `go build` output path Closes aws#28555 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#28566) This change fixes a bad behavior of the asset bundling if we use the SINGLE_FILE asset type with the OUTPUT hash type. Because only the created file is moved and the temporary bundle dir is left over, subsequent bundling runs fail and create empty asset files. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… template changes (aws#28336) Adds a new flag to diff, `--change-set`, that creates a new changeset and uses it to determine resource replacement. This new flag is on by default. When the flag is set, the following happens: * Resource metadata changes are obscured * Resource changes that do not appear in the changeset are obscured from the diff When the flag is unset, yaml Fn::GetAtt short-form uses are considered equivalent to their long-form counterpart. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Commits on Dec 20, 2023

add missing trailing coma

paulhcsun committed Dec 20, 2023

Configuration menu

View commit details

Copy full SHA for bc50f91

Browse repository at this point

Copy the full SHA

bc50f91 View commit details

Browse the repository at this point in the history

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(ecs): empty placement constraints not allowed #28431

fix(ecs): empty placement constraints not allowed #28431

Commits on Dec 19, 2023

Commits on Dec 20, 2023

Commits on Jan 5, 2024