Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: update L1 CloudFormation resource definitions (#33480)
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-acmpca │ └ resources │ └[~] resource AWS::ACMPCA::CertificateAuthority │ └ types │ └[~] type CrlConfiguration │ └ properties │ ├ CrlType: (documentation changed) │ └ CustomPath: (documentation changed) ├[~] service aws-bedrock │ └ resources │ └[~] resource AWS::Bedrock::Agent │ └ types │ └[~] type PromptConfiguration │ └ properties │ └ ParserMode: (documentation changed) ├[~] service aws-cloudtrail │ └ resources │ ├[~] resource AWS::CloudTrail::EventDataStore │ │ └ types │ │ ├[~] type AdvancedEventSelector │ │ │ └ - documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* . │ │ │ You cannot apply both event selectors and advanced event selectors to a trail. │ │ │ *Supported CloudTrail event record fields for management events* │ │ │ - `eventCategory` (required) │ │ │ - `eventSource` │ │ │ - `readOnly` │ │ │ The following additional fields are available for event data stores: │ │ │ - `eventName` │ │ │ - `eventType` │ │ │ - `sessionCredentialFromConsole` │ │ │ - `userIdentity.arn` │ │ │ *Supported CloudTrail event record fields for data events* │ │ │ - `eventCategory` (required) │ │ │ - `resources.type` (required) │ │ │ - `readOnly` │ │ │ - `eventName` │ │ │ - `resources.ARN` │ │ │ The following additional fields are available for event data stores: │ │ │ - `eventSource` │ │ │ - `eventType` │ │ │ - `sessionCredentialFromConsole` │ │ │ - `userIdentity.arn` │ │ │ *Supported CloudTrail event record fields for network activity events* │ │ │ > Network activity events is in preview release for CloudTrail and is subject to change. │ │ │ - `eventCategory` (required) │ │ │ - `eventSource` (required) │ │ │ - `eventName` │ │ │ - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` . │ │ │ - `vpcEndpointId` │ │ │ > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` . │ │ │ + documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* . │ │ │ You cannot apply both event selectors and advanced event selectors to a trail. │ │ │ *Supported CloudTrail event record fields for management events* │ │ │ - `eventCategory` (required) │ │ │ - `eventSource` │ │ │ - `readOnly` │ │ │ The following additional fields are available for event data stores: │ │ │ - `eventName` │ │ │ - `eventType` │ │ │ - `sessionCredentialFromConsole` │ │ │ - `userIdentity.arn` │ │ │ *Supported CloudTrail event record fields for data events* │ │ │ - `eventCategory` (required) │ │ │ - `resources.type` (required) │ │ │ - `readOnly` │ │ │ - `eventName` │ │ │ - `resources.ARN` │ │ │ The following additional fields are available for event data stores: │ │ │ - `eventSource` │ │ │ - `eventType` │ │ │ - `sessionCredentialFromConsole` │ │ │ - `userIdentity.arn` │ │ │ *Supported CloudTrail event record fields for network activity events* │ │ │ - `eventCategory` (required) │ │ │ - `eventSource` (required) │ │ │ - `eventName` │ │ │ - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` . │ │ │ - `vpcEndpointId` │ │ │ > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` . │ │ └[~] type AdvancedFieldSelector │ │ └ properties │ │ └ Field: (documentation changed) │ └[~] resource AWS::CloudTrail::Trail │ └ types │ ├[~] type AdvancedEventSelector │ │ └ - documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* . │ │ You cannot apply both event selectors and advanced event selectors to a trail. │ │ *Supported CloudTrail event record fields for management events* │ │ - `eventCategory` (required) │ │ - `eventSource` │ │ - `readOnly` │ │ The following additional fields are available for event data stores: │ │ - `eventName` │ │ - `eventType` │ │ - `sessionCredentialFromConsole` │ │ - `userIdentity.arn` │ │ *Supported CloudTrail event record fields for data events* │ │ - `eventCategory` (required) │ │ - `resources.type` (required) │ │ - `readOnly` │ │ - `eventName` │ │ - `resources.ARN` │ │ The following additional fields are available for event data stores: │ │ - `eventSource` │ │ - `eventType` │ │ - `sessionCredentialFromConsole` │ │ - `userIdentity.arn` │ │ *Supported CloudTrail event record fields for network activity events* │ │ > Network activity events is in preview release for CloudTrail and is subject to change. │ │ - `eventCategory` (required) │ │ - `eventSource` (required) │ │ - `eventName` │ │ - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` . │ │ - `vpcEndpointId` │ │ > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` . │ │ + documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* . │ │ You cannot apply both event selectors and advanced event selectors to a trail. │ │ *Supported CloudTrail event record fields for management events* │ │ - `eventCategory` (required) │ │ - `eventSource` │ │ - `readOnly` │ │ The following additional fields are available for event data stores: │ │ - `eventName` │ │ - `eventType` │ │ - `sessionCredentialFromConsole` │ │ - `userIdentity.arn` │ │ *Supported CloudTrail event record fields for data events* │ │ - `eventCategory` (required) │ │ - `resources.type` (required) │ │ - `readOnly` │ │ - `eventName` │ │ - `resources.ARN` │ │ The following additional fields are available for event data stores: │ │ - `eventSource` │ │ - `eventType` │ │ - `sessionCredentialFromConsole` │ │ - `userIdentity.arn` │ │ *Supported CloudTrail event record fields for network activity events* │ │ - `eventCategory` (required) │ │ - `eventSource` (required) │ │ - `eventName` │ │ - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` . │ │ - `vpcEndpointId` │ │ > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` . │ └[~] type AdvancedFieldSelector │ └ properties │ └ Field: (documentation changed) ├[~] service aws-connect │ └ resources │ └[~] resource AWS::Connect::ContactFlowVersion │ ├ - documentation: Resource Type Definition for ContactFlowVersion │ │ + documentation: Creates a version for the specified customer-managed flow within the specified instance. │ ├ properties │ │ ├ ContactFlowId: (documentation changed) │ │ └ Description: (documentation changed) │ └ attributes │ ├ ContactFlowVersionARN: (documentation changed) │ ├ FlowContentSha256: (documentation changed) │ └ Version: (documentation changed) ├[~] service aws-dynamodb │ └ resources │ └[~] resource AWS::DynamoDB::GlobalTable │ └ properties │ └[-] PointInTimeRecoverySpecification: PointInTimeRecoverySpecification ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::IPAM │ │ └ types │ │ └[~] type IpamOrganizationalUnitExclusion │ │ └ properties │ │ └ OrganizationsEntityPath: (documentation changed) │ └[~] resource AWS::EC2::LaunchTemplate │ └ types │ ├[~] type CpuOptions │ │ └ properties │ │ └ AmdSevSnp: (documentation changed) │ ├[~] type Ebs │ │ └ properties │ │ └ Iops: (documentation changed) │ ├[~] type LaunchTemplateData │ │ └ properties │ │ ├ CpuOptions: (documentation changed) │ │ ├ DisableApiStop: (documentation changed) │ │ ├ EnclaveOptions: (documentation changed) │ │ ├ MetadataOptions: (documentation changed) │ │ └ UserData: (documentation changed) │ ├[~] type MetadataOptions │ │ └ properties │ │ └ InstanceMetadataTags: (documentation changed) │ ├[~] type NetworkInterface │ │ └ properties │ │ └ InterfaceType: (documentation changed) │ └[~] type SpotOptions │ └ properties │ └ MaxPrice: (documentation changed) ├[~] service aws-ecs │ └ resources │ ├[~] resource AWS::ECS::Cluster │ │ └ types │ │ └[~] type ManagedStorageConfiguration │ │ └ properties │ │ ├ FargateEphemeralStorageKmsKeyId: (documentation changed) │ │ └ KmsKeyId: (documentation changed) │ ├[~] resource AWS::ECS::Service │ │ └ properties │ │ ├ AvailabilityZoneRebalancing: (documentation changed) │ │ └ CapacityProviderStrategy: (documentation changed) │ └[~] resource AWS::ECS::TaskDefinition │ └ types │ └[~] type HealthCheck │ └ properties │ ├ Interval: (documentation changed) │ ├ Retries: (documentation changed) │ ├ StartPeriod: (documentation changed) │ └ Timeout: (documentation changed) ├[~] service aws-fsx │ └ resources │ └[~] resource AWS::FSx::FileSystem │ └ types │ └[~] type OpenZFSConfiguration │ └ properties │ ├ EndpointIpAddressRange: (documentation changed) │ └ ThroughputCapacity: (documentation changed) ├[~] service aws-groundstation │ └ resources │ └[~] resource AWS::GroundStation::MissionProfile │ └ types │ └[~] type StreamsKmsKey │ └ properties │ └ KmsAliasName: (documentation changed) ├[~] service aws-iot │ └ resources │ └[~] resource AWS::IoT::Logging │ └ - documentation: Configure logging. │ + documentation: Configure logging. │ > If you already set the log function of AWS IoT Core , you can't deploy the AWS Cloud Development Kit (AWS CDK) to change the logging settings. You can change the logging settings by either: │ > │ > - Importing a role into your AWS CloudFormation stack, such as with the [infrastructure as code generator (IaC generator)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html) . │ > - [Deleting the existing role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-console) . ├[~] service aws-rds │ └ resources │ └[~] resource AWS::RDS::GlobalCluster │ ├ properties │ │ └[-] GlobalEndpoint: GlobalEndpoint │ └ attributes │ └[+] GlobalEndpoint: GlobalEndpoint └[~] service aws-wafv2 └ resources ├[~] resource AWS::WAFv2::LoggingConfiguration │ ├ - documentation: Defines an association between logging destinations and a web ACL resource, for logging from AWS WAF . As part of the association, you can specify parts of the standard logging fields to keep out of the logs and you can specify filters so that you log only a subset of the logging records. │ │ > You can define one logging destination per web ACL. │ │ You can access information about the traffic that AWS WAF inspects using the following steps: │ │ - Create your logging destination. You can use an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose. │ │ The name that you give the destination must start with `aws-waf-logs-` . Depending on the type of destination, you might need to configure additional settings or permissions. │ │ For configuration requirements and pricing information for each destination type, see [Logging web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . │ │ - Associate your logging destination to your web ACL using a `PutLoggingConfiguration` request. │ │ When you successfully enable logging using a `PutLoggingConfiguration` request, AWS WAF creates an additional role or policy that is required to write logs to the logging destination. For an Amazon CloudWatch Logs log group, AWS WAF creates a resource policy on the log group. For an Amazon S3 bucket, AWS WAF creates a bucket policy. For an Amazon Kinesis Data Firehose, AWS WAF creates a service-linked role. │ │ For additional information about web ACL logging, see [Logging web ACL traffic information](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . │ │ + documentation: Defines an association between logging destinations and a web ACL resource, for logging from AWS WAF . As part of the association, you can specify parts of the standard logging fields to keep out of the logs and you can specify filters so that you log only a subset of the logging records. │ │ If you configure data protection for the web ACL, the protection applies to the data that AWS WAF sends to the logs. │ │ > You can define one logging destination per web ACL. │ │ You can access information about the traffic that AWS WAF inspects using the following steps: │ │ - Create your logging destination. You can use an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose. │ │ The name that you give the destination must start with `aws-waf-logs-` . Depending on the type of destination, you might need to configure additional settings or permissions. │ │ For configuration requirements and pricing information for each destination type, see [Logging web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . │ │ - Associate your logging destination to your web ACL using a `PutLoggingConfiguration` request. │ │ When you successfully enable logging using a `PutLoggingConfiguration` request, AWS WAF creates an additional role or policy that is required to write logs to the logging destination. For an Amazon CloudWatch Logs log group, AWS WAF creates a resource policy on the log group. For an Amazon S3 bucket, AWS WAF creates a bucket policy. For an Amazon Kinesis Data Firehose, AWS WAF creates a service-linked role. │ │ For additional information about web ACL logging, see [Logging web ACL traffic information](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . │ └ properties │ └ RedactedFields: (documentation changed) ├[~] resource AWS::WAFv2::RuleGroup │ └ types │ ├[~] type FieldToMatch │ │ └ - documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ │ Example JSON for a `QueryString` field to match: │ │ `"FieldToMatch": { "QueryString": {} }` │ │ Example JSON for a `Method` field to match specification: │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration. │ │ + documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ │ Example JSON for a `QueryString` field to match: │ │ `"FieldToMatch": { "QueryString": {} }` │ │ Example JSON for a `Method` field to match specification: │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. You can only exclude fields from request sampling by disabling sampling in the web ACL visibility configuration or by configuring data protection for the web ACL. │ └[~] type VisibilityConfig │ └ properties │ └ SampledRequestsEnabled: (documentation changed) └[~] resource AWS::WAFv2::WebACL └ types ├[~] type FieldToMatch │ └ - documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ Example JSON for a `QueryString` field to match: │ `"FieldToMatch": { "QueryString": {} }` │ Example JSON for a `Method` field to match specification: │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration. │ + documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ Example JSON for a `QueryString` field to match: │ `"FieldToMatch": { "QueryString": {} }` │ Example JSON for a `Method` field to match specification: │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. You can only exclude fields from request sampling by disabling sampling in the web ACL visibility configuration or by configuring data protection for the web ACL. └[~] type VisibilityConfig └ properties └ SampledRequestsEnabled: (documentation changed) ```
- Loading branch information
1 parent
3a61695
commit 67e596e