diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json index 0ef249bfc..efa89384d 100644 --- a/samtranslator/schema/schema.json +++ b/samtranslator/schema/schema.json @@ -18993,7 +18993,7 @@ "type": "string" }, "AtRestEncryptionEnabled": { - "markdownDescription": "At-rest encryption flag for cache. You cannot update this setting after creation.", + "markdownDescription": "*This parameter has been deprecated* .\n\nAt-rest encryption flag for cache. You cannot update this setting after creation.", "title": "AtRestEncryptionEnabled", "type": "boolean" }, @@ -19003,7 +19003,7 @@ "type": "string" }, "TransitEncryptionEnabled": { - "markdownDescription": "Transit encryption flag when connecting to cache. You cannot update this setting after creation.", + "markdownDescription": "*This parameter has been deprecated* .\n\nTransit encryption flag when connecting to cache. You cannot update this setting after creation.", "title": "TransitEncryptionEnabled", "type": "boolean" }, @@ -85990,7 +85990,7 @@ "type": "string" }, "IpAddress": { - "markdownDescription": "Valid IPv4 address within the address range of the specified subnet.", + "markdownDescription": "If the `IpAddressType` for the mount target is IPv4 ( `IPV4_ONLY` or `DUAL_STACK` ), then specify the IPv4 address to use. If you do not specify an `IpAddress` , then Amazon EFS selects an unused IP address from the subnet specified for `SubnetId` .", "title": "IpAddress", "type": "string" }, 
@@ -85998,12 +85998,12 @@ "items": { "type": "string" }, - "markdownDescription": "VPC security group IDs, of the form `sg-xxxxxxxx` . These must be for the same VPC as the subnet specified. The maximum number of security groups depends on account quota. For more information, see [Amazon VPC Quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html) in the *Amazon VPC User Guide* (see the *Security Groups* table).", + "markdownDescription": "VPC security group IDs, of the form `sg-xxxxxxxx` . These must be for the same VPC as the subnet specified. The maximum number of security groups depends on account quota. For more information, see [Amazon VPC Quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html) in the *Amazon VPC User Guide* (see the *Security Groups* table). If you don't specify a security group, then Amazon EFS uses the default security group for the subnet's VPC.", "title": "SecurityGroups", "type": "array" }, "SubnetId": { - "markdownDescription": "The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone.", + "markdownDescription": "The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone. The subnet type must be the same type as the `IpAddressType` .", "title": "SubnetId", "type": "string" } 
@@ -87216,12 +87216,12 @@ "type": "string" }, "Namespace": { - "markdownDescription": "The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.", + "markdownDescription": "The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.", "title": "Namespace", "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.", + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.", "title": "RoleArn", "type": "string" }, 
@@ -152006,7 +152006,7 @@ "title": "ConnectivityInfo" }, "InstanceType": { - "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge, and kafka.t3.small.", + "markdownDescription": "The type of Amazon EC2 instances to use for brokers. Depending on the [broker type](https://docs.aws.amazon.com/msk/latest/developerguide/broker-instance-types.html) , Amazon MSK supports the following broker sizes:\n\n*Standard broker sizes*\n\n- kafka.t3.small\n\n> You can't select the kafka.t3.small instance type when the metadata mode is KRaft.\n- kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge\n- kafka.m7g.large, kafka.m7g.xlarge, kafka.m7g.2xlarge, kafka.m7g.4xlarge, kafka.m7g.8xlarge, kafka.m7g.12xlarge, kafka.m7g.16xlarge\n\n*Express broker sizes*\n\n- express.m7g.large, express.m7g.xlarge, express.m7g.2xlarge, express.m7g.4xlarge, express.m7g.8xlarge, express.m7g.12xlarge, express.m7g.16xlarge\n\n> Some broker sizes might not be available in certian AWS Regions. See the updated [Pricing tools](https://docs.aws.amazon.com/msk/pricing/) section on the Amazon MSK pricing page for the latest list of available instances by Region.", "title": "InstanceType", "type": "string" }, 
@@ -225805,7 +225805,7 @@ "type": "number" }, "InitQuery": { - "markdownDescription": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure the query added here is valid. This is an optional field, so you can choose to leave it empty. For including multiple variables in a single SET statement, use a comma separator.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nDefault: no initialization query", + "markdownDescription": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure the query added here is valid. This is an optional field, so you can choose to leave it empty. For including multiple variables in a single SET statement, use a comma separator.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nDefault: no initialization query\n\n> Since you can access initialization query as part of target group configuration, it is not protected by authentication or cryptographic methods. Anyone with access to view or manage your proxy target group configuration can view the initialization query. You should not add sensitive data, such as passwords or long-lived encryption keys, to this option.", "title": "InitQuery", "type": "string" }, 
@@ -270314,7 +270314,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupConfig" }, - "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", + "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesAntiDDoSRuleSet` configuration object to configure the anti-DDoS managed rule group. 
The configuration includes the sensitivity levels to use in the rules that typically block and challenge requests that might be participating in DDoS attacks and the specification to use to indicate whether a request can handle a silent browser challenge.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", "title": "ManagedRuleGroupConfigs", "type": "array" }, 
@@ -270327,7 +270327,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RuleActionOverride" }, - "markdownDescription": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", + "markdownDescription": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", "title": "RuleActionOverrides", "type": "array" }, 
@@ -271027,7 +271027,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RuleActionOverride" }, - "markdownDescription": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", + "markdownDescription": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", "title": "RuleActionOverrides", "type": "array" } diff --git a/schema_source/cloudformation-docs.json b/schema_source/cloudformation-docs.json index c31581104..565a34259 100644 --- a/schema_source/cloudformation-docs.json 
+++ b/schema_source/cloudformation-docs.json 
@@ -3201,9 +3201,9 @@ "AWS::AppSync::ApiCache": { "ApiCachingBehavior": "Caching behavior.\n\n- *FULL_REQUEST_CACHING* : All requests from the same user are cached. Individual resolvers are automatically cached. All API calls will try to return responses from the cache.\n- *PER_RESOLVER_CACHING* : Individual resolvers that you specify are cached.\n- *OPERATION_LEVEL_CACHING* : Full requests are cached together and returned without executing resolvers.", "ApiId": "The GraphQL API ID.", - "AtRestEncryptionEnabled": "At-rest encryption flag for cache. You cannot update this setting after creation.", + "AtRestEncryptionEnabled": "*This parameter has been deprecated* .\n\nAt-rest encryption flag for cache. You cannot update this setting after creation.", "HealthMetricsConfig": "Controls how cache health metrics will be emitted to CloudWatch. Cache health metrics include:\n\n- *NetworkBandwidthOutAllowanceExceeded* : The network packets dropped because the throughput exceeded the aggregated bandwidth limit. This is useful for diagnosing bottlenecks in a cache configuration.\n- *EngineCPUUtilization* : The CPU utilization (percentage) allocated to the Redis process. This is useful for diagnosing bottlenecks in a cache configuration.\n\nMetrics will be recorded by API ID. You can set the value to `ENABLED` or `DISABLED` .", - "TransitEncryptionEnabled": "Transit encryption flag when connecting to cache. You cannot update this setting after creation.", + "TransitEncryptionEnabled": "*This parameter has been deprecated* .\n\nTransit encryption flag when connecting to cache. You cannot update this setting after creation.", "Ttl": "TTL in seconds for cache entries.\n\nValid values are 1\u20133,600 seconds.", "Type": "The cache instance type. Valid values are\n\n- `SMALL`\n- `MEDIUM`\n- `LARGE`\n- `XLARGE`\n- `LARGE_2X`\n- `LARGE_4X`\n- `LARGE_8X` (not available in all regions)\n- `LARGE_12X`\n\nHistorically, instance types were identified by an EC2-style value. 
As of July 2020, this is deprecated, and the generic identifiers above should be used.\n\nThe following legacy instance types are available, but their use is discouraged:\n\n- *T2_SMALL* : A t2.small instance type.\n- *T2_MEDIUM* : A t2.medium instance type.\n- *R4_LARGE* : A r4.large instance type.\n- *R4_XLARGE* : A r4.xlarge instance type.\n- *R4_2XLARGE* : A r4.2xlarge instance type.\n- *R4_4XLARGE* : A r4.4xlarge instance type.\n- *R4_8XLARGE* : A r4.8xlarge instance type." }, 
@@ -4004,6 +4004,13 @@ "EffectiveEngineVersion": "Read only. The engine version on which the query runs. If the user requests a valid engine version other than Auto, the effective engine version is the same as the engine version that the user requested. If the user requests Auto, the effective engine version is chosen by Athena. When a request to update the engine version is made by a `CreateWorkGroup` or `UpdateWorkGroup` operation, the `EffectiveEngineVersion` field is ignored.", "SelectedEngineVersion": "The engine version requested by the user. Possible values are determined by the output of `ListEngineVersions` , including AUTO. The default is AUTO." }, + "AWS::Athena::WorkGroup ManagedQueryResultsConfiguration": { + "Enabled": "If set to true, allows you to store query results in Athena owned storage. If set to false, workgroup member stores query results in location specified under `ResultConfiguration$OutputLocation` . The default is false. A workgroup cannot have the `ResultConfiguration$OutputLocation` parameter when you set this field to true.", + "EncryptionConfiguration": "If you encrypt query and calculation results in Athena owned storage, this field indicates the encryption option (for example, SSE_KMS or CSE_KMS) and key information." + }, + "AWS::Athena::WorkGroup ManagedStorageEncryptionConfiguration": { + "KmsKey": "" + }, "AWS::Athena::WorkGroup ResultConfiguration": { "AclConfiguration": "Indicates that an Amazon S3 canned ACL should be set to control ownership of stored query results. Currently the only supported canned ACL is `BUCKET_OWNER_FULL_CONTROL` . This is a client-side setting. If workgroup settings override client-side settings, then the query uses the ACL configuration that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. 
See `EnforceWorkGroupConfiguration` .", "EncryptionConfiguration": "If query results are encrypted in Amazon S3, indicates the encryption option used (for example, `SSE_KMS` or `CSE_KMS` ) and key information. This is a client-side setting. If workgroup settings override client-side settings, then the query uses the encryption configuration that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See `EnforceWorkGroupConfiguration` and [Override client-side settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", 
@@ -4031,6 +4038,7 @@ "EnforceWorkGroupConfiguration": "If set to \"true\", the settings for the workgroup override client-side settings. If set to \"false\", client-side settings are used. For more information, see [Override client-side settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", "EngineVersion": "The engine version that all queries running on the workgroup use.", "ExecutionRole": "Role used to access user resources in an Athena for Apache Spark session. This property applies only to Spark-enabled workgroups in Athena.", + "ManagedQueryResultsConfiguration": "The configuration for storing results in Athena owned storage, which includes whether this feature is enabled; whether encryption configuration, if any, is used for encrypting query results.", "PublishCloudWatchMetricsEnabled": "Indicates that the Amazon CloudWatch metrics are enabled for the workgroup.", "RequesterPaysEnabled": "If set to `true` , allows members assigned to a workgroup to reference Amazon S3 Requester Pays buckets in queries. If set to `false` , workgroup members cannot query data from Requester Pays buckets, and queries that retrieve data from Requester Pays buckets cause an error. The default is `false` . For more information about Requester Pays buckets, see [Requester Pays Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html) in the *Amazon Simple Storage Service Developer Guide* .", "ResultConfiguration": "Specifies the location in Amazon S3 where query results are stored and the encryption option, if any, used for query results. For more information, see [Work with query results and recent queries](https://docs.aws.amazon.com/athena/latest/ug/querying.html) ." 
@@ -10900,7 +10908,8 @@ "DisplayName": "The display name of the calculated attribute.", "DomainName": "The unique name of the domain.", "Statistic": "The aggregation operation to perform for the calculated attribute.", - "Tags": "An array of key-value pairs to apply to this resource." + "Tags": "An array of key-value pairs to apply to this resource.", + "UseHistoricalData": "Whether historical data ingested before the Calculated Attribute was created should be included in calculations." }, "AWS::CustomerProfiles::CalculatedAttributeDefinition AttributeDetails": { "Attributes": "Mathematical expression and a list of attribute items specified in that expression.", @@ -10915,8 +10924,15 @@ "Threshold": "The threshold for the calculated attribute." }, "AWS::CustomerProfiles::CalculatedAttributeDefinition Range": { + "TimestampFormat": "", + "TimestampSource": "", "Unit": "The unit of time.", - "Value": "The amount of time of the specified unit." + "Value": "The amount of time of the specified unit.", + "ValueRange": "" + }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition Readiness": { + "Message": "", + "ProgressPercentage": "" }, "AWS::CustomerProfiles::CalculatedAttributeDefinition Tag": { "Key": "", 
@@ -10926,6 +10942,10 @@ "Operator": "The operator of the threshold.", "Value": "The value of the threshold." }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition ValueRange": { + "End": "", + "Start": "" + }, "AWS::CustomerProfiles::Domain": { "DeadLetterQueueUrl": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the `DeadLetterQueue` for the `SendMessage` operation to enable Amazon Connect Customer Profiles to send messages to the `DeadLetterQueue` .", "DefaultEncryptionKey": "The default encryption key, which is an AWS managed key, is used when no specific type of encryption key is specified. It is used to encrypt all data before it is placed in permanent or semi-permanent storage.", @@ -11146,6 +11166,7 @@ "ExpirationDays": "The number of days until the data of this type expires.", "Fields": "A list of field definitions for the object type mapping.", "Keys": "A list of keys that can be used to map data to the profile or search for the profile.", + "MaxProfileObjectCount": "The amount of profile object max count assigned to the object type.", "ObjectTypeName": "The name of the profile object type.", "SourceLastUpdatedTimestampFormat": "The format of your sourceLastUpdatedTimestamp that was previously set up.", "Tags": "The tags used to organize, track, or control access for this resource.", 
@@ -14242,8 +14263,13 @@ "PrivateIpAddress": "The primary or secondary private IP address to associate with the Elastic IP address. If no private IP address is specified, the Elastic IP address is associated with the primary private IP address." }, "AWS::EC2::EgressOnlyInternetGateway": { + "Tags": "The tags assigned to the egress-only internet gateway.", "VpcId": "The ID of the VPC for which to create the egress-only internet gateway." }, + "AWS::EC2::EgressOnlyInternetGateway Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with `aws:` .", + "Value": "The value of the tag.\n\nConstraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters." + }, "AWS::EC2::EnclaveCertificateIamRoleAssociation": { "CertificateArn": "The ARN of the ACM certificate with which to associate the IAM role.", "RoleArn": "The ARN of the IAM role to associate with the ACM certificate. You can associate up to 16 IAM roles with an ACM certificate." 
@@ -16848,9 +16874,11 @@ }, "AWS::EFS::MountTarget": { "FileSystemId": "The ID of the file system for which to create the mount target.", - "IpAddress": "Valid IPv4 address within the address range of the specified subnet.", - "SecurityGroups": "VPC security group IDs, of the form `sg-xxxxxxxx` . These must be for the same VPC as the subnet specified. The maximum number of security groups depends on account quota. For more information, see [Amazon VPC Quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html) in the *Amazon VPC User Guide* (see the *Security Groups* table).", - "SubnetId": "The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone." + "IpAddress": "If the `IpAddressType` for the mount target is IPv4 ( `IPV4_ONLY` or `DUAL_STACK` ), then specify the IPv4 address to use. If you do not specify an `IpAddress` , then Amazon EFS selects an unused IP address from the subnet specified for `SubnetId` .", + "IpAddressType": "The IP address type for the mount target. The possible values are `IPV4_ONLY` (only IPv4 addresses), `IPV6_ONLY` (only IPv6 addresses), and `DUAL_STACK` (dual-stack, both IPv4 and IPv6 addresses). If you don\u2019t specify an `IpAddressType` , then `IPV4_ONLY` is used.\n\n> The `IPAddressType` must match the IP type of the subnet. Additionally, the `IPAddressType` parameter overrides the value set as the default IP address for the subnet in the VPC. For example, if the `IPAddressType` is `IPV4_ONLY` and `AssignIpv6AddressOnCreation` is `true` , then IPv4 is used for the mount target. For more information, see [Modify the IP addressing attributes of your subnet](https://docs.aws.amazon.com/vpc/latest/userguide/subnet-public-ip.html) .", + "Ipv6Address": "If the `IPAddressType` for the mount target is IPv6 ( `IPV6_ONLY` or `DUAL_STACK` ), then specify the IPv6 address to use. 
If you do not specify an `Ipv6Address` , then Amazon EFS selects an unused IP address from the subnet specified for `SubnetId` .", + "SecurityGroups": "VPC security group IDs, of the form `sg-xxxxxxxx` . These must be for the same VPC as the subnet specified. The maximum number of security groups depends on account quota. For more information, see [Amazon VPC Quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html) in the *Amazon VPC User Guide* (see the *Security Groups* table). If you don't specify a security group, then Amazon EFS uses the default security group for the subnet's VPC.", + "SubnetId": "The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone. The subnet type must be the same type as the `IpAddressType` ." }, "AWS::EKS::AccessEntry": { "AccessPolicies": "The access policies to associate to the access entry.", 
@@ -16878,14 +16906,14 @@ "AddonVersion": "The version of the add-on.", "ClusterName": "The name of your cluster.", "ConfigurationValues": "The configuration values that you provided.", - "PodIdentityAssociations": "An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster.\n\nFor more information, see [Attach an IAM Role to an Amazon EKS add-on using Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html) in the *Amazon EKS User Guide* .", + "PodIdentityAssociations": "An array of EKS Pod Identity associations owned by the add-on. Each association maps a role to a service account in a namespace in the cluster.\n\nFor more information, see [Attach an IAM Role to an Amazon EKS add-on using EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html) in the *Amazon EKS User Guide* .", "PreserveOnDelete": "Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.", "ResolveConflicts": "How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose:\n\n- *None* \u2013 If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.\n- *Overwrite* \u2013 If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.\n- *Preserve* \u2013 This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. 
For more information, see [`UpdateAddon`](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) .\n\nIf you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.", "ServiceAccountRoleArn": "The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see [Amazon EKS node IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) in the *Amazon EKS User Guide* .\n\n> To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) in the *Amazon EKS User Guide* .", "Tags": "The metadata that you apply to the add-on to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Add-on tags do not propagate to any other resources associated with the cluster." }, "AWS::EKS::Addon PodIdentityAssociation": { - "RoleArn": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.", + "RoleArn": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. 
The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.", "ServiceAccount": "The name of the Kubernetes service account inside the cluster to associate the IAM credentials with." }, "AWS::EKS::Addon Tag": { @@ -16894,7 +16922,7 @@ }, "AWS::EKS::Cluster": { "AccessConfig": "The access configuration for the cluster.", - "BootstrapSelfManagedAddons": "If you set this value to `False` when creating a cluster, the default networking add-ons will not be installed.\n\nThe default networking addons include vpc-cni, coredns, and kube-proxy.\n\nUse this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.", + "BootstrapSelfManagedAddons": "If you set this value to `False` when creating a cluster, the default networking add-ons will not be installed.\n\nThe default networking add-ons include `vpc-cni` , `coredns` , and `kube-proxy` .\n\nUse this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.", "ComputeConfig": "Indicates the current configuration of the compute capability on your EKS Auto Mode cluster. For example, if the capability is enabled or disabled. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your AWS account. For more information, see EKS Auto Mode compute capability in the *Amazon EKS User Guide* .", "EncryptionConfig": "The encryption configuration for the cluster.", "Force": "Set this value to `true` to override upgrade-blocking readiness checks when updating a cluster.", 
@@ -16957,14 +16985,14 @@ "KeyArn": "Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same AWS Region as the cluster. If the KMS key was created in a different account, the [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) must have access to the KMS key. For more information, see [Allowing users in other accounts to use a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html) in the *AWS Key Management Service Developer Guide* ." }, "AWS::EKS::Cluster RemoteNetworkConfig": { - "RemoteNodeNetworks": "The list of network CIDRs that can contain hybrid nodes.\n\nThese CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator.\n\nEnter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).\n\nIt must satisfy the following requirements:\n\n- Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.\n- Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.\n- Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. 
There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect .\n- Each host must allow outbound connection to the EKS cluster control plane on TCP ports `443` and `10250` .\n- Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.\n- Each host must allow TCP and UDP network connectivity to and from other hosts that are running `CoreDNS` on UDP port `53` for service and pod DNS names.", - "RemotePodNetworks": "The list of network CIDRs that can contain pods that run Kubernetes webhooks on hybrid nodes.\n\nThese CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.\n\nEnter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).\n\nIt must satisfy the following requirements:\n\n- Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.\n- Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range." + "RemoteNodeNetworks": "The list of network CIDRs that can contain hybrid nodes.\n\nThese CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator.\n\nEnter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).\n\nIt must satisfy the following requirements:\n\n- Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. 
Publicly-routable addresses aren't supported.\n- Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.\n- Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect .\n- Each host must allow outbound connection to the EKS cluster control plane on TCP ports `443` and `10250` .\n- Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.\n- Each host must allow TCP and UDP network connectivity to and from other hosts that are running `CoreDNS` on UDP port `53` for service and pod DNS names.", + "RemotePodNetworks": "The list of network CIDRs that can contain pods that run Kubernetes webhooks on hybrid nodes.\n\nThese CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.\n\nEnter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).\n\nIt must satisfy the following requirements:\n\n- Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.\n- Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range." }, "AWS::EKS::Cluster RemoteNodeNetwork": { - "Cidrs": "A network CIDR that can contain hybrid nodes.\n\nThese CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. 
These blocks are typically determined by your network administrator.\n\nEnter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).\n\nIt must satisfy the following requirements:\n\n- Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.\n- Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.\n- Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect .\n- Each host must allow outbound connection to the EKS cluster control plane on TCP ports `443` and `10250` .\n- Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.\n- Each host must allow TCP and UDP network connectivity to and from other hosts that are running `CoreDNS` on UDP port `53` for service and pod DNS names." + "Cidrs": "A network CIDR that can contain hybrid nodes.\n\nThese CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator.\n\nEnter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).\n\nIt must satisfy the following requirements:\n\n- Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.\n- Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.\n- Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. 
There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect .\n- Each host must allow outbound connection to the EKS cluster control plane on TCP ports `443` and `10250` .\n- Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.\n- Each host must allow TCP and UDP network connectivity to and from other hosts that are running `CoreDNS` on UDP port `53` for service and pod DNS names." }, "AWS::EKS::Cluster RemotePodNetwork": { - "Cidrs": "A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes.\n\nThese CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.\n\nEnter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).\n\nIt must satisfy the following requirements:\n\n- Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.\n- Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range." + "Cidrs": "A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes.\n\nThese CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.\n\nEnter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).\n\nIt must satisfy the following requirements:\n\n- Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. 
Publicly-routable addresses aren't supported.\n- Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range." }, "AWS::EKS::Cluster ResourcesVpcConfig": { "EndpointPrivateAccess": "Set this value to `true` to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is `false` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that `publicAccessCidrs` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", 
@@ -17080,10 +17108,12 @@ }, "AWS::EKS::PodIdentityAssociation": { "ClusterName": "The name of the cluster that the association is in.", - "Namespace": "The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.", - "RoleArn": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.", + "DisableSessionTags": "The state of the automatic sessions tags. The value of *true* disables these tags.\n\nEKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to AWS resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see [List of session tags added by EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags) in the *Amazon EKS User Guide* .", + "Namespace": "The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.", + "RoleArn": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.", "ServiceAccount": "The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.", - "Tags": "Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. 
Tags don't propagate to any other cluster or AWS resources.\n\nThe following basic restrictions apply to tags:\n\n- Maximum number of tags per resource \u2013 50\n- For each resource, each tag key must be unique, and each tag key can have only one value.\n- Maximum key length \u2013 128 Unicode characters in UTF-8\n- Maximum value length \u2013 256 Unicode characters in UTF-8\n- If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.\n- Tag keys and values are case-sensitive.\n- Do not use `aws:` , `AWS:` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit." + "Tags": "Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources.\n\nThe following basic restrictions apply to tags:\n\n- Maximum number of tags per resource \u2013 50\n- For each resource, each tag key must be unique, and each tag key can have only one value.\n- Maximum key length \u2013 128 Unicode characters in UTF-8\n- Maximum value length \u2013 256 Unicode characters in UTF-8\n- If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.\n- Tag keys and values are case-sensitive.\n- Do not use `aws:` , `AWS:` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. 
You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.", + "TargetRoleArn": "The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod." }, "AWS::EKS::PodIdentityAssociation Tag": { "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", 
@@ -17643,6 +17673,77 @@ "AWS::EMRServerless::Application WorkerTypeSpecificationInput": { "ImageConfiguration": "The image configuration for a worker type." }, + "AWS::EVS::Environment": { + "ConnectivityInfo": "The connectivity configuration for the environment. Amazon EVS requires that you specify two route server peer IDs. During environment creation, the route server endpoints peer with the NSX uplink VLAN for connectivity to the NSX overlay network.", + "EnvironmentName": "The name of the environment.", + "Hosts": "Required for environment resource creation.", + "InitialVlans": "> Amazon EVS is in public preview release and is subject to change. \n\nThe initial VLAN subnets for the environment. Amazon EVS VLAN subnets have a minimum CIDR block size of /28 and a maximum size of /24. Amazon EVS VLAN subnet CIDR blocks must not overlap with other subnets in the VPC.\n\nRequired for environment resource creation.", + "KmsKeyId": "The AWS KMS key ID that AWS Secrets Manager uses to encrypt secrets that are associated with the environment. These secrets contain the VCF credentials that are needed to install vCenter Server, NSX, and SDDC Manager.\n\nBy default, Amazon EVS use the AWS Secrets Manager managed key `aws/secretsmanager` . You can also specify a customer managed key.", + "LicenseInfo": "The license information that Amazon EVS requires to create an environment. Amazon EVS requires two license keys: a VCF solution key and a vSAN license key.", + "ServiceAccessSecurityGroups": "The security groups that allow traffic between the Amazon EVS control plane and your VPC for service access. If a security group is not specified, Amazon EVS uses the default security group in your account for service access.", + "ServiceAccessSubnetId": "The subnet that is used to establish connectivity between the Amazon EVS control plane and VPC. 
Amazon EVS uses this subnet to perform validations and create the environment.", + "SiteId": "The Broadcom Site ID that is associated with your Amazon EVS environment. Amazon EVS uses the Broadcom Site ID that you provide to meet Broadcom VCF license usage reporting requirements for Amazon EVS.", + "Tags": "Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources.", + "TermsAccepted": "Customer confirmation that the customer has purchased and will continue to maintain the required number of VCF software licenses to cover all physical processor cores in the Amazon EVS environment. Information about your VCF software in Amazon EVS will be shared with Broadcom to verify license compliance.", + "VcfHostnames": "The DNS hostnames to be used by the VCF management appliances in your environment.\n\nFor environment creation to be successful, each hostname entry must resolve to a domain name that you've registered in your DNS service of choice and configured in the DHCP option set of your VPC. DNS hostnames cannot be changed after environment creation has started.", + "VcfVersion": "The VCF version of the environment.", + "VpcId": "The VPC associated with the environment." + }, + "AWS::EVS::Environment Check": { + "ImpairedSince": "The time when environment health began to be impaired.", + "Result": "The check result.", + "Type": "The check type. Amazon EVS performs the following checks.\n\n- `KEY_REUSE` : checks that the VCF license key is not used by another Amazon EVS environment. This check fails if a used license is added to the environment.\n- `KEY_COVERAGE` : checks that your VCF license key allocates sufficient vCPU cores for all deployed hosts. 
The check fails when any assigned hosts in the EVS environment are not covered by license keys, or when any unassigned hosts cannot be covered by available vCPU cores in keys.\n- `REACHABILITY` : checks that the Amazon EVS control plane has a persistent connection to SDDC Manager. If Amazon EVS cannot reach the environment, this check fails.\n- `HOST_COUNT` : Checks that your environment has a minimum of 4 hosts, which is a requirement for VCF 5.2.1.\n\nIf this check fails, you will need to add hosts so that your environment meets this minimum requirement. Amazon EVS only supports environments with 4-16 hosts." + }, + "AWS::EVS::Environment ConnectivityInfo": { + "PrivateRouteServerPeerings": "The unique IDs for private route server peers." + }, + "AWS::EVS::Environment HostInfoForCreate": { + "DedicatedHostId": "The unique ID of the Amazon EC2 Dedicated Host.", + "HostName": "The DNS hostname of the host. DNS hostnames for hosts must be unique across Amazon EVS environments and within VCF.", + "InstanceType": "The EC2 instance type that represents the host.", + "KeyName": "The name of the SSH key that is used to access the host.", + "PlacementGroupId": "The unique ID of the placement group where the host is placed." + }, + "AWS::EVS::Environment InitialVlanInfo": { + "Cidr": "The CIDR block that you provide to create an Amazon EVS VLAN subnet. Amazon EVS VLAN subnets have a minimum CIDR block size of /28 and a maximum size of /24. Amazon EVS VLAN subnet CIDR blocks must not overlap with other subnets in the VPC." + }, + "AWS::EVS::Environment InitialVlans": { + "EdgeVTep": "The edge VTEP VLAN subnet. This VLAN subnet manages traffic flowing between the internal network and external networks, including internet access and other site connections.", + "ExpansionVlan1": "An additional VLAN subnet that can be used to extend VCF capabilities once configured. 
For example, you can configure an expansion VLAN subnet to use NSX Federation for centralized management and synchronization of multiple NSX deployments across different locations.", + "ExpansionVlan2": "An additional VLAN subnet that can be used to extend VCF capabilities once configured. For example, you can configure an expansion VLAN subnet to use NSX Federation for centralized management and synchronization of multiple NSX deployments across different locations.", + "Hcx": "The HCX VLAN subnet. This VLAN subnet allows the HCX Interconnnect (IX) and HCX Network Extension (NE) to reach their peers and enable HCX Service Mesh creation.", + "NsxUpLink": "The NSX uplink VLAN subnet. This VLAN subnet allows connectivity to the NSX overlay network.", + "VMotion": "The vMotion VLAN subnet. This VLAN subnet carries traffic for vSphere vMotion.", + "VSan": "The vSAN VLAN subnet. This VLAN subnet carries the communication between ESXi hosts to implement a vSAN shared storage pool.", + "VTep": "The VTEP VLAN subnet. This VLAN subnet handles internal network traffic between virtual machines within a VCF instance.", + "VmManagement": "The VM management VLAN subnet. This VLAN subnet carries traffic for vSphere virtual machines.", + "VmkManagement": "The host VMkernel management VLAN subnet. This VLAN subnet carries traffic for managing ESXi hosts and communicating with VMware vCenter Server." + }, + "AWS::EVS::Environment LicenseInfo": { + "SolutionKey": "The VCF solution key. This license unlocks VMware VCF product features, including vSphere, NSX, SDDC Manager, and vCenter Server.", + "VsanKey": "The VSAN license key. This license unlocks vSAN features." + }, + "AWS::EVS::Environment Secret": { + "SecretArn": "The Amazon Resource Name (ARN) of the secret." + }, + "AWS::EVS::Environment ServiceAccessSecurityGroups": { + "SecurityGroups": "The security groups that allow service access." + }, + "AWS::EVS::Environment Tag": { + "Key": "The key name of the tag. 
You can specify a value that's 1 to 128 Unicode characters in length and can't be prefixed with `aws:` . digits, whitespace, `_` , `.` , `:` , `/` , `=` , `+` , `@` , `-` , and `\"` .\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "Value": "The value for the tag. You can specify a value that's 1 to 256 characters in length. You can use any of the following characters: the set of Unicode letters, digits, whitespace, `_` , `.` , `/` , `=` , `+` , and `-` .\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + }, + "AWS::EVS::Environment VcfHostnames": { + "CloudBuilder": "The hostname for VMware Cloud Builder.", + "Nsx": "The VMware NSX hostname.", + "NsxEdge1": "The hostname for the first NSX Edge node.", + "NsxEdge2": "The hostname for the second NSX Edge node.", + "NsxManager1": "The hostname for the first VMware NSX Manager virtual machine (VM).", + "NsxManager2": "The hostname for the second VMware NSX Manager virtual machine (VM).", + "NsxManager3": "The hostname for the third VMware NSX Manager virtual machine (VM).", + "SddcManager": "The hostname for SDDC Manager.", + "VCenter": "The VMware vCenter hostname." + }, "AWS::ElastiCache::CacheCluster": { "AZMode": "Specifies whether the nodes in this Memcached cluster are created in a single Availability Zone or created across multiple Availability Zones in the cluster's region.\n\nThis parameter is only supported for Memcached clusters.\n\nIf the `AZMode` and `PreferredAvailabilityZones` are not specified, ElastiCache assumes `single-az` mode.", "AutoMinorVersionUpgrade": "If you are running Valkey 7.2 or later, or Redis OSS engine version 6.0 or later, set this parameter to yes if you want to opt-in to the next minor version upgrade campaign. This parameter is disabled for previous versions.", 
@@ -18486,7 +18587,7 @@ }, "AWS::EntityResolution::MatchingWorkflow": { "Description": "A description of the workflow.", - "IncrementalRunConfig": "An object which defines an incremental run type and has only `incrementalRunType` as a field.", + "IncrementalRunConfig": "Optional. An object that defines the incremental run type. This object contains only the `incrementalRunType` field, which appears as \"Automatic\" in the console.\n\n> For workflows where `resolutionType` is `ML_MATCHING` , incremental processing is not supported.", "InputSourceConfig": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", "OutputSourceConfig": "A list of `OutputSource` objects, each of which contains fields `OutputS3Path` , `ApplyNormalization` , and `Output` .", "ResolutionTechniques": "An object which defines the `resolutionType` and the `ruleBasedProperties` .", @@ -18495,7 +18596,7 @@ "WorkflowName": "The name of the workflow. There can't be multiple `MatchingWorkflows` with the same name." }, "AWS::EntityResolution::MatchingWorkflow IncrementalRunConfig": { - "IncrementalRunType": "The type of incremental run. It takes only one value: `IMMEDIATE` ." + "IncrementalRunType": "The type of incremental run. The only valid value is `IMMEDIATE` . This appears as \"Automatic\" in the console.\n\n> For workflows where `resolutionType` is `ML_MATCHING` , incremental processing is not supported." }, "AWS::EntityResolution::MatchingWorkflow InputSource": { "ApplyNormalization": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", 
@@ -26461,7 +26562,8 @@ "TumblingWindowInSeconds": "(Kinesis and DynamoDB Streams only) The duration in seconds of a processing window for DynamoDB and Kinesis Streams event sources. A value of 0 seconds indicates no tumbling window." }, "AWS::Lambda::EventSourceMapping AmazonManagedKafkaEventSourceConfig": { - "ConsumerGroupId": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-consumer-group-id) ." + "ConsumerGroupId": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-consumer-group-id) .", + "SchemaRegistryConfig": "" }, "AWS::Lambda::EventSourceMapping DestinationConfig": { "OnFailure": "The destination configuration for failed invocations." 
@@ -26493,11 +26595,25 @@ "AWS::Lambda::EventSourceMapping ScalingConfig": { "MaximumConcurrency": "Limits the number of concurrent instances that the Amazon SQS event source can invoke." }, + "AWS::Lambda::EventSourceMapping SchemaRegistryAccessConfig": { + "Type": "", + "URI": "" + }, + "AWS::Lambda::EventSourceMapping SchemaRegistryConfig": { + "AccessConfigs": "", + "EventRecordFormat": "", + "SchemaRegistryURI": "", + "SchemaValidationConfigs": "" + }, + "AWS::Lambda::EventSourceMapping SchemaValidationConfig": { + "Attribute": "" + }, "AWS::Lambda::EventSourceMapping SelfManagedEventSource": { "Endpoints": "The list of bootstrap servers for your Kafka brokers in the following format: `\"KafkaBootstrapServers\": [\"abc.xyz.com:xxxx\",\"abc2.xyz.com:xxxx\"]` ." }, "AWS::Lambda::EventSourceMapping SelfManagedKafkaEventSourceConfig": { - "ConsumerGroupId": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka-process.html#services-smaa-topic-add) ." + "ConsumerGroupId": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka-process.html#services-smaa-topic-add) .", + "SchemaRegistryConfig": "" }, "AWS::Lambda::EventSourceMapping SourceAccessConfiguration": { "Type": "The type of authentication protocol, VPC components, or virtual host for your event source. 
For example: `\"Type\":\"SASL_SCRAM_512_AUTH\"` .\n\n- `BASIC_AUTH` \u2013 (Amazon MQ) The AWS Secrets Manager secret that stores your broker credentials.\n- `BASIC_AUTH` \u2013 (Self-managed Apache Kafka) The Secrets Manager ARN of your secret key used for SASL/PLAIN authentication of your Apache Kafka brokers.\n- `VPC_SUBNET` \u2013 (Self-managed Apache Kafka) The subnets associated with your VPC. Lambda connects to these subnets to fetch data from your self-managed Apache Kafka cluster.\n- `VPC_SECURITY_GROUP` \u2013 (Self-managed Apache Kafka) The VPC security group used to manage access to your self-managed Apache Kafka brokers.\n- `SASL_SCRAM_256_AUTH` \u2013 (Self-managed Apache Kafka) The Secrets Manager ARN of your secret key used for SASL SCRAM-256 authentication of your self-managed Apache Kafka brokers.\n- `SASL_SCRAM_512_AUTH` \u2013 (Amazon MSK, Self-managed Apache Kafka) The Secrets Manager ARN of your secret key used for SASL SCRAM-512 authentication of your self-managed Apache Kafka brokers.\n- `VIRTUAL_HOST` \u2013- (RabbitMQ) The name of the virtual host in your RabbitMQ broker. Lambda uses this RabbitMQ host as the event source. This property cannot be specified in an UpdateEventSourceMapping API call.\n- `CLIENT_CERTIFICATE_TLS_AUTH` \u2013 (Amazon MSK, self-managed Apache Kafka) The Secrets Manager ARN of your secret key containing the certificate chain (X.509 PEM), private key (PKCS#8 PEM), and private key password (optional) used for mutual TLS authentication of your MSK/Apache Kafka brokers.\n- `SERVER_ROOT_CA_CERTIFICATE` \u2013 (Self-managed Apache Kafka) The Secrets Manager ARN of your secret key containing the root CA certificate (X.509 PEM) used for TLS encryption of your Apache Kafka brokers.", 
@@ -28200,7 +28316,7 @@ "BrokerAZDistribution": "This parameter is currently not in use.", "ClientSubnets": "The list of subnets to connect to in the client virtual private cloud (VPC). Amazon creates elastic network interfaces (ENIs) inside these subnets. Client applications use ENIs to produce and consume data.\n\nIf you use the US West (N. California) Region, specify exactly two subnets. For other Regions where Amazon MSK is available, you can specify either two or three subnets. The subnets that you specify must be in distinct Availability Zones. When you create a cluster, Amazon MSK distributes the broker nodes evenly across the subnets that you specify.\n\nClient subnets can't occupy the Availability Zone with ID `use1-az3` .", "ConnectivityInfo": "Information about the cluster's connectivity setting.", - "InstanceType": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge, and kafka.t3.small.", + "InstanceType": "The type of Amazon EC2 instances to use for brokers. Depending on the [broker type](https://docs.aws.amazon.com/msk/latest/developerguide/broker-instance-types.html) , Amazon MSK supports the following broker sizes:\n\n*Standard broker sizes*\n\n- kafka.t3.small\n\n> You can't select the kafka.t3.small instance type when the metadata mode is KRaft.\n- kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge\n- kafka.m7g.large, kafka.m7g.xlarge, kafka.m7g.2xlarge, kafka.m7g.4xlarge, kafka.m7g.8xlarge, kafka.m7g.12xlarge, kafka.m7g.16xlarge\n\n*Express broker sizes*\n\n- express.m7g.large, express.m7g.xlarge, express.m7g.2xlarge, express.m7g.4xlarge, express.m7g.8xlarge, express.m7g.12xlarge, express.m7g.16xlarge\n\n> Some broker sizes might not be available in certian AWS Regions. 
See the updated [Pricing tools](https://docs.aws.amazon.com/msk/pricing/) section on the Amazon MSK pricing page for the latest list of available instances by Region.", "SecurityGroups": "The security groups to associate with the ENIs in order to specify who can connect to and communicate with the Amazon MSK cluster. If you don't specify a security group, Amazon MSK uses the default security group associated with the VPC. If you specify security groups that were shared with you, you must ensure that you have permissions to them. Specifically, you need the `ec2:DescribeSecurityGroups` permission.", "StorageInfo": "Contains information about storage volumes attached to Amazon MSK broker nodes." }, 
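Review bot: typo in the new `InstanceType` description for `AWS::MSK::Cluster BrokerNodeGroupInfo`: `certian AWS Regions` should read `certain AWS Regions`. Also, the KRaft caveat is written as a blockquote (`> You can't select the kafka.t3.small instance type when the metadata mode is KRaft.`) sitting between two list items, which most markdown renderers will pull out of the `kafka.t3.small` bullet; indent it or fold it into the bullet text so it stays attached to the size it qualifies.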
@@ -28427,7 +28543,8 @@ "StartupScriptS3Path": "The relative path to the startup shell script in your Amazon S3 bucket. For example, `s3://mwaa-environment/startup.sh` .\n\nAmazon MWAA runs the script as your environment starts, and before running the Apache Airflow process. You can use this script to install dependencies, modify Apache Airflow configuration options, and set environment variables. For more information, see [Using a startup script](https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html) .", "Tags": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .\n\nIf you specify new tags for an existing environment, the update requires service interruption before taking effect.", "WebserverAccessMode": "The Apache Airflow *Web server* access mode. To learn more, see [Apache Airflow access modes](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-networking.html) . Valid values: `PRIVATE_ONLY` or `PUBLIC_ONLY` .", - "WeeklyMaintenanceWindowStart": "The day and time of the week to start weekly maintenance updates of your environment in the following format: `DAY:HH:MM` . For example: `TUE:03:30` . You can specify a start time in 30 minute increments only. Supported input includes the following:\n\n- MON|TUE|WED|THU|FRI|SAT|SUN:([01]\\\\d|2[0-3]):(00|30)" + "WeeklyMaintenanceWindowStart": "The day and time of the week to start weekly maintenance updates of your environment in the following format: `DAY:HH:MM` . For example: `TUE:03:30` . You can specify a start time in 30 minute increments only. Supported input includes the following:\n\n- MON|TUE|WED|THU|FRI|SAT|SUN:([01]\\\\d|2[0-3]):(00|30)", + "WorkerReplacementStrategy": "" }, "AWS::MWAA::Environment LoggingConfiguration": { "DagProcessingLogs": "Defines the processing logs sent to CloudWatch Logs and the logging level to send.", 
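Review bot: `WorkerReplacementStrategy` is added to `AWS::MWAA::Environment` with an empty description (`"WorkerReplacementStrategy": ""`). An empty string means the schema publishes no guidance at all for a property whose name suggests it governs how workers are replaced during an environment update, and the neighbouring `Tags` entry shows the kind of operational caveat (`the update requires service interruption before taking effect`) readers will expect here. Either carry the description over from the CloudFormation resource documentation or mark it as pending, and confirm the matching entry in the properties section of this schema carries its type and allowed values.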
@@ -31263,6 +31380,7 @@ "Value": "The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." }, "AWS::NetworkFirewall::LoggingConfiguration": { + "EnableMonitoringDashboard": "", "FirewallArn": "The Amazon Resource Name (ARN) of the `Firewall` that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.", "FirewallName": "The name of the firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.", "LoggingConfiguration": "Defines how AWS Network Firewall performs logging for a `Firewall` ." 
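Review bot: `EnableMonitoringDashboard` is added to `AWS::NetworkFirewall::LoggingConfiguration` with an empty description (`"EnableMonitoringDashboard": ""`). This is a logging configuration resource, so operators will read these strings when deciding what telemetry a firewall emits; an empty description gives them nothing, and unlike the sibling `FirewallArn` and `FirewallName` entries it does not say whether the flag can be changed after creation (`You can't change the firewall specification after you create the logging configuration.`). Fill in what the dashboard is and whether enabling it is mutable, or mark the description as pending.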
@@ -44093,7 +44211,7 @@ }, "AWS::RDS::DBProxyTargetGroup ConnectionPoolConfigurationInfoFormat": { "ConnectionBorrowTimeout": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 300.", - "InitQuery": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure the query added here is valid. This is an optional field, so you can choose to leave it empty. For including multiple variables in a single SET statement, use a comma separator.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nDefault: no initialization query", + "InitQuery": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure the query added here is valid. This is an optional field, so you can choose to leave it empty. For including multiple variables in a single SET statement, use a comma separator.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nDefault: no initialization query\n\n> Since you can access initialization query as part of target group configuration, it is not protected by authentication or cryptographic methods. Anyone with access to view or manage your proxy target group configuration can view the initialization query. 
You should not add sensitive data, such as passwords or long-lived encryption keys, to this option.", "MaxConnectionsPercent": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: `10` for RDS for Microsoft SQL Server, and `100` for all other engines\n\nConstraints:\n\n- Must be between 1 and 100.", "MaxIdleConnectionsPercent": "A value that controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is `5` , and for all other engines, the default is `50` .\n\nConstraints:\n\n- Must be between 0 and the value of `MaxConnectionsPercent` .", "SessionPinningFilters": "Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection. Including an item in the list exempts that class of SQL operations from the pinning behavior.\n\nDefault: no session pinning filters" 
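Review bot: the security note added to `InitQuery` under `AWS::RDS::DBProxyTargetGroup ConnectionPoolConfigurationInfoFormat` says the query is `not protected by authentication or cryptographic methods`, which overstates it: the API that returns the target group configuration is still IAM-authenticated. The real point is that the query is stored and returned as plaintext configuration, readable by any principal allowed to view or manage the target group. Suggest: `The initialization query is stored as plain text in the target group configuration and is returned to anyone who can view or manage it.` Minor: `you can access initialization query` is missing its article (`the initialization query`).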
@@ -47481,7 +47599,8 @@ "DockerSettings": "A collection of settings that configure the domain's Docker interaction.", "ExecutionRoleIdentityConfig": "The configuration for attaching a SageMaker AI user profile name to the execution role as a [sts:SourceIdentity key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) .", "RStudioServerProDomainSettings": "A collection of settings that configure the `RStudioServerPro` Domain-level app.", - "SecurityGroupIds": "The security groups for the Amazon Virtual Private Cloud that the `Domain` uses for communication between Domain-level apps and user apps." + "SecurityGroupIds": "The security groups for the Amazon Virtual Private Cloud that the `Domain` uses for communication between Domain-level apps and user apps.", + "UnifiedStudioSettings": "The settings that apply to an SageMaker AI domain when you use it in Amazon SageMaker Unified Studio." }, "AWS::SageMaker::Domain EFSFileSystemConfig": { "FileSystemId": "The ID of your Amazon EFS file system.", 
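Review bot: grammar in the new `UnifiedStudioSettings` description under `AWS::SageMaker::Domain DomainSettings`: `an SageMaker AI domain` should be `a SageMaker AI domain`.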
@@ -47553,6 +47672,15 @@ "Key": "The tag key. Tag keys must be unique per resource.", "Value": "The tag value." }, + "AWS::SageMaker::Domain UnifiedStudioSettings": { + "DomainAccountId": "The ID of the AWS account that has the Amazon SageMaker Unified Studio domain. The default value, if you don't specify an ID, is the ID of the account that has the Amazon SageMaker AI domain.", + "DomainId": "The ID of the Amazon SageMaker Unified Studio domain associated with this domain.", + "DomainRegion": "The AWS Region where the domain is located in Amazon SageMaker Unified Studio. The default value, if you don't specify a Region, is the Region where the Amazon SageMaker AI domain is located.", + "EnvironmentId": "The ID of the environment that Amazon SageMaker Unified Studio associates with the domain.", + "ProjectId": "The ID of the Amazon SageMaker Unified Studio project that corresponds to the domain.", + "ProjectS3Path": "The location where Amazon S3 stores temporary execution data and other artifacts for the project that corresponds to the domain.", + "StudioWebPortalAccess": "Sets whether you can access the domain in Amazon SageMaker Studio:\n\n- **ENABLED** - You can access the domain in Amazon SageMaker Studio. If you migrate the domain to Amazon SageMaker Unified Studio, you can access it in both studio interfaces.\n- **DISABLED** - You can't access the domain in Amazon SageMaker Studio. If you migrate the domain to Amazon SageMaker Unified Studio, you can access it only in that studio interface.\n\nTo migrate a domain to Amazon SageMaker Unified Studio, you specify the UnifiedStudioSettings data type when you use the UpdateDomain action." + }, "AWS::SageMaker::Domain UserSettings": { "AutoMountHomeEFS": "Indicates whether auto-mounting of an EFS volume is supported for the user profile. The `DefaultAsDomain` value is only supported for user profiles. 
Do not use the `DefaultAsDomain` value when setting this parameter for a domain.\n\nSageMaker applies this setting only to private spaces that the user creates in the domain. SageMaker doesn't apply this setting to shared spaces.", "CodeEditorAppSettings": "The Code Editor application settings.\n\nSageMaker applies these settings only to private spaces that the user creates in the domain. SageMaker doesn't apply these settings to shared spaces.", @@ -51247,6 +51375,10 @@ "AWS::WAFv2::RuleGroup AndStatement": { "Statements": "The statements to combine with AND logic. You can use any statements that can be nested." }, + "AWS::WAFv2::RuleGroup AsnMatchStatement": { + "AsnList": "Contains one or more Autonomous System Numbers (ASNs). ASNs are unique identifiers assigned to large internet networks managed by organizations such as internet service providers, enterprises, universities, or government agencies.", + "ForwardedIPConfig": "The configuration for inspecting IP addresses to match against an ASN in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name." + }, "AWS::WAFv2::RuleGroup BlockAction": { "CustomResponse": "Defines a custom response for the web request.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* ." }, 
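Review bot: `StudioWebPortalAccess` in the new `AWS::SageMaker::Domain UnifiedStudioSettings` block describes `ENABLED` and `DISABLED` in prose but has no `Valid values:` line, unlike `WebserverAccessMode` earlier in this patch (`Valid values: `PRIVATE_ONLY` or `PUBLIC_ONLY``); adding one keeps the entries consistent and signals to tooling that this is an enum. `DomainAccountId` and `DomainRegion` also document that the Unified Studio domain may live in a different account or Region from the SageMaker AI domain without saying whether any cross-account setup is needed before that link works; a sentence or a pointer to the relevant guide would save readers a failed deployment.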
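Review bot: the new `ForwardedIPConfig` description under `AWS::WAFv2::RuleGroup AsnMatchStatement` tells users they can take the address from `X-Forwarded-For (XFF)` or `any header name` but not that such a header is client-supplied unless a proxy you control overwrites it, so an ASN match on a forwarded address is only as trustworthy as the proxy chain in front of the protected resource. Suggest adding: use this only when the header is populated by a trusted proxy, and state what the statement does with requests where the header is missing or malformed, since that behaviour decides whether an attacker can opt out of the match by omitting the header.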
@@ -51387,6 +51519,7 @@ "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." }, "AWS::WAFv2::RuleGroup RateBasedStatementCustomKey": { + "ASN": "Use an Autonomous System Number (ASN) derived from the request's originating or forwarded IP address as an aggregate key. Each distinct ASN contributes to the aggregation instance.", "Cookie": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", "ForwardedIP": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", "HTTPMethod": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", 
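Review bot: the new `ASN` aggregate key under `AWS::WAFv2::RuleGroup RateBasedStatementCustomKey` says the ASN is `derived from the request's originating or forwarded IP address` but does not say which of the two is used or how to choose. The sibling `ForwardedIP` entry is explicit on both counts (`you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property`, and an IP key must be paired with at least one other key); the `ASN` entry should state whether the forwarded variant requires `ForwardedIPConfig` and whether `ASN` may be used alone, otherwise readers will assume one or the other.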
@@ -51472,6 +51605,7 @@ }, "AWS::WAFv2::RuleGroup Statement": { "AndStatement": "A logical rule statement used to combine other rule statements with AND logic. You provide more than one `Statement` within the `AndStatement` .", + "AsnMatchStatement": "A rule statement that inspects web traffic based on the Autonomous System Number (ASN) associated with the request's IP address.\n\nFor additional details, see [ASN match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-asn-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "ByteMatchStatement": "A rule statement that defines a string match search for AWS WAF to apply to web requests. The byte match statement provides the bytes to search for, the location in requests that you want AWS WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the AWS WAF console and the developer guide, this is called a string match statement.", "GeoMatchStatement": "A rule statement that labels web requests by country and region and that matches against web requests based on country code. A geo match rule labels every request that it inspects regardless of whether it finds a match.\n\n- To manage requests only by country, you can use this statement by itself and specify the countries that you want to match against in the `CountryCodes` array.\n- Otherwise, configure your geo match rule with Count action so that it only labels requests. Then, add one or more label match rules to run after the geo match rule and configure them to match against the geographic labels and handle the requests as needed.\n\nAWS WAF labels requests using the alpha-2 country and region codes from the International Organization for Standardization (ISO) 3166 standard. 
AWS WAF determines the codes using either the IP address in the web request origin or, if you specify it, the address in the geo match `ForwardedIPConfig` .\n\nIf you use the web request origin, the label formats are `awswaf:clientip:geo:region:-` and `awswaf:clientip:geo:country:` .\n\nIf you use a forwarded IP address, the label formats are `awswaf:forwardedip:geo:region:-` and `awswaf:forwardedip:geo:country:` .\n\nFor additional details, see [Geographic match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "IPSetReferenceStatement": "A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an `IPSet` that specifies the addresses you want to detect, then use the ARN of that set in this statement.\n\nEach IP set rule statement references an IP set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.", 
@@ -51514,7 +51648,7 @@ "DefaultAction": "The action to perform if none of the `Rules` contained in the `WebACL` match.", "Description": "A description of the web ACL that helps with identification.", "Name": "The name of the web ACL. You cannot change the name of a web ACL after you create it.", - "OnSourceDDoSProtectionConfig": "", + "OnSourceDDoSProtectionConfig": "Configures the level of DDoS protection that applies to web ACLs associated with Application Load Balancers.", "Rules": "The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation.", 
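Review bot: the `OnSourceDDoSProtectionConfig` description under `AWS::WAFv2::WebACL` now says it `Configures the level of DDoS protection` for ALB-associated web ACLs but names neither the available levels nor the default, while neighbouring entries in this file spell out `Valid Values` and `Default:`. Point the reader at the nested configuration type that holds the level, or list the levels and the default here.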
@@ -51534,6 +51668,10 @@ "RequestInspection": "The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.", "ResponseInspection": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time." }, + "AWS::WAFv2::WebACL AWSManagedRulesAntiDDoSRuleSet": { + "ClientSideActionConfig": "Configures the request handling that's applied by the managed rule group rules `ChallengeAllDuringEvent` and `ChallengeDDoSRequests` during a distributed denial of service (DDoS) attack.", + "SensitivityToBlock": "The sensitivity that the rule group rule `DDoSRequests` uses when matching against the DDoS suspicion labeling on a request. 
The managed rule group adds the labeling during DDoS events, before the `DDoSRequests` rule runs.\n\nThe higher the sensitivity, the more levels of labeling that the rule matches:\n\n- Low sensitivity is less sensitive, causing the rule to match only on the most likely participants in an attack, which are the requests with the high suspicion label `awswaf:managed:aws:anti-ddos:high-suspicion-ddos-request` .\n- Medium sensitivity causes the rule to match on the medium and high suspicion labels.\n- High sensitivity causes the rule to match on all of the suspicion labels: low, medium, and high.\n\nDefault: `LOW`" + }, "AWS::WAFv2::WebACL AWSManagedRulesBotControlRuleSet": { "EnableMachineLearning": "Applies only to the targeted inspection level.\n\nDetermines whether to use machine learning (ML) to analyze your web traffic for bot-related activity. Machine learning is required for the Bot Control rules `TGT_ML_CoordinatedActivityLow` and `TGT_ML_CoordinatedActivityMedium` , which\ninspect for anomalous behavior that might indicate distributed, coordinated bot activity.\n\nFor more information about this choice, see the listing for these rules in the table at [Bot Control rules listing](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html#aws-managed-rule-groups-bot-rules) in the *AWS WAF Developer Guide* .\n\nDefault: `TRUE`", "InspectionLevel": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) in the *AWS WAF Developer Guide* ." 
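Review bot: in `SensitivityToBlock` under `AWS::WAFv2::WebACL AWSManagedRulesAntiDDoSRuleSet`, `Low sensitivity is less sensitive, causing the rule to match only on the most likely participants` is circular; `Low sensitivity matches only the most likely participants in an attack, the requests with the high suspicion label ...` says the same thing without restating the adjective. Also worth a cross-reference for readers: the blocking default here is `LOW` while the challenge `Sensitivity` in `ClientSideAction` defaults to `HIGH`, presumably on purpose (challenge broadly, block narrowly), but the two bullet lists are otherwise word for word identical, so the different defaults read like an inconsistency unless the text says why.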
@@ -51544,6 +51682,10 @@ "AWS::WAFv2::WebACL AndStatement": { "Statements": "The statements to combine with AND logic. You can use any statements that can be nested." }, + "AWS::WAFv2::WebACL AsnMatchStatement": { + "AsnList": "Contains one or more Autonomous System Numbers (ASNs). ASNs are unique identifiers assigned to large internet networks managed by organizations such as internet service providers, enterprises, universities, or government agencies.", + "ForwardedIPConfig": "The configuration for inspecting IP addresses to match against an ASN in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name." + }, "AWS::WAFv2::WebACL AssociationConfig": { "RequestBody": "Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types.\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) . \n\nExample JSON: `{ \"API_GATEWAY\": \"KB_48\", \"APP_RUNNER_SERVICE\": \"KB_32\" }`\n\nFor Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes)." }, 
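Review bot: the `AWS::WAFv2::WebACL AsnMatchStatement` block is a verbatim copy of the `AWS::WAFv2::RuleGroup AsnMatchStatement` block added earlier in this patch, so any wording fix to one (in particular a caveat that a forwarded-IP header is client-controlled unless a trusted proxy sets it, and what happens when the header is absent) has to be applied to both; worth checking that both are taken from the same upstream source so they cannot drift.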
@@ -51572,6 +51714,14 @@ "AWS::WAFv2::WebACL ChallengeConfig": { "ImmunityTimeProperty": "Determines how long a challenge timestamp in the token remains valid after the client successfully responds to a challenge." }, + "AWS::WAFv2::WebACL ClientSideAction": { + "ExemptUriRegularExpressions": "The regular expression to match against the web request URI, used to identify requests that can't handle a silent browser challenge. When the `ClientSideAction` setting `UsageOfAction` is enabled, the managed rule group uses this setting to determine which requests to label with `awswaf:managed:aws:anti-ddos:challengeable-request` . If `UsageOfAction` is disabled, this setting has no effect and the managed rule group doesn't add the label to any requests.\n\nThe anti-DDoS managed rule group doesn't evaluate the rules `ChallengeDDoSRequests` or `ChallengeAllDuringEvent` for web requests whose URIs match this regex. This is true regardless of whether you override the rule action for either of the rules in your web ACL configuration.\n\nAWS recommends using a regular expression.\n\nThis setting is required if `UsageOfAction` is set to `ENABLED` . If required, you can provide between 1 and 5 regex objects in the array of settings.\n\nAWS recommends starting with the following setting. Review and update it for your application's needs:\n\n`\\/api\\/|\\.(acc|avi|css|gif|jpe?g|js|mp[34]|ogg|otf|pdf|png|tiff?|ttf|webm|webp|woff2?)$`", + "Sensitivity": "The sensitivity that the rule group rule `ChallengeDDoSRequests` uses when matching against the DDoS suspicion labeling on a request. 
The managed rule group adds the labeling during DDoS events, before the `ChallengeDDoSRequests` rule runs.\n\nThe higher the sensitivity, the more levels of labeling that the rule matches:\n\n- Low sensitivity is less sensitive, causing the rule to match only on the most likely participants in an attack, which are the requests with the high suspicion label `awswaf:managed:aws:anti-ddos:high-suspicion-ddos-request` .\n- Medium sensitivity causes the rule to match on the medium and high suspicion labels.\n- High sensitivity causes the rule to match on all of the suspicion labels: low, medium, and high.\n\nDefault: `HIGH`", + "UsageOfAction": "Determines whether to use the `AWSManagedRulesAntiDDoSRuleSet` rules `ChallengeAllDuringEvent` and `ChallengeDDoSRequests` in the rule group evaluation and the related label `awswaf:managed:aws:anti-ddos:challengeable-request` .\n\n- If usage is enabled:\n\n- The managed rule group adds the label `awswaf:managed:aws:anti-ddos:challengeable-request` to any web request whose URL does *NOT* match the regular expressions provided in the `ClientSideAction` setting `ExemptUriRegularExpressions` .\n- The two rules are evaluated against web requests for protected resources that are experiencing a DDoS attack. The two rules only apply their action to matching requests that have the label `awswaf:managed:aws:anti-ddos:challengeable-request` .\n- If usage is disabled:\n\n- The managed rule group doesn't add the label `awswaf:managed:aws:anti-ddos:challengeable-request` to any web requests.\n- The two rules are not evaluated.\n- None of the other `ClientSideAction` settings have any effect.\n\n> This setting only enables or disables the use of the two anti-DDOS rules `ChallengeAllDuringEvent` and `ChallengeDDoSRequests` in the anti-DDoS managed rule group.\n> \n> This setting doesn't alter the action setting in the two rules. 
To override the actions used by the rules `ChallengeAllDuringEvent` and `ChallengeDDoSRequests` , enable this setting, and then override the rule actions in the usual way, in your managed rule group configuration." + }, + "AWS::WAFv2::WebACL ClientSideActionConfig": { + "Challenge": "Configuration for the use of the `AWSManagedRulesAntiDDoSRuleSet` rules `ChallengeAllDuringEvent` and `ChallengeDDoSRequests` .\n\n> This setting isn't related to the configuration of the `Challenge` action itself. It only configures the use of the two anti-DDoS rules named here. \n\nYou can enable or disable the use of these rules, and you can configure how to use them when they are enabled." + }, "AWS::WAFv2::WebACL CookieMatchPattern": { "All": "Inspect all cookies.", "ExcludedCookies": "Inspect only the cookies whose keys don't match any of the strings specified here.", 
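Review bot: `ExemptUriRegularExpressions` under `AWS::WAFv2::WebACL ClientSideAction` should say plainly what the exemption means for an attacker: a request whose URI matches the regex is never evaluated by `ChallengeDDoSRequests` or `ChallengeAllDuringEvent` (`This is true regardless of whether you override the rule action`), so anything a client can make match, for example a path that ends in one of the listed extensions or contains `/api/`, skips the challenge. The recommended starting regex is therefore a bypass surface, and the text should tell readers to keep it as narrow as the application allows. Two smaller points: `AWS recommends using a regular expression.` is a dangling sentence (the setting is already an array of regexes) and can go; and in `UsageOfAction` the sub-bullets under `- If usage is enabled:` and `- If usage is disabled:` are not indented, so they render as siblings of their parents rather than as nested lists.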
@@ -51695,6 +51845,7 @@ "AWS::WAFv2::WebACL ManagedRuleGroupConfig": { "AWSManagedRulesACFPRuleSet": "Additional configuration for using the account creation fraud prevention (ACFP) managed rule group, `AWSManagedRulesACFPRuleSet` . Use this to provide account creation request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to account creation requests.\n\nFor information about using the ACFP managed rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-acfp.html) and [AWS WAF Fraud Control account creation fraud prevention (ACFP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-acfp.html) in the *AWS WAF Developer Guide* .", "AWSManagedRulesATPRuleSet": "Additional configuration for using the account takeover prevention (ATP) managed rule group, `AWSManagedRulesATPRuleSet` . Use this to provide login request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to login requests.\n\nThis configuration replaces the individual configuration fields in `ManagedRuleGroupConfig` and provides additional feature configuration.\n\nFor information about using the ATP managed rule group, see [AWS WAF Fraud Control account takeover prevention (ATP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-atp.html) and [AWS WAF Fraud Control account takeover prevention (ATP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-atp.html) in the *AWS WAF Developer Guide* .", + "AWSManagedRulesAntiDDoSRuleSet": "Additional configuration for using the anti-DDoS managed rule group, `AWSManagedRulesAntiDDoSRuleSet` . 
Use this to configure anti-DDoS behavior for the rule group.\n\nFor information about using the anti-DDoS managed rule group, see [AWS WAF Anti-DDoS rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-anti-ddos.html) and [Distributed Denial of Service (DDoS) prevention](https://docs.aws.amazon.com/waf/latest/developerguide/waf-anti-ddos.html) in the *AWS WAF Developer Guide* .", "AWSManagedRulesBotControlRuleSet": "Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. For information about using the Bot Control managed rule group, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) and [AWS WAF Bot Control](https://docs.aws.amazon.com/waf/latest/developerguide/waf-bot-control.html) in the *AWS WAF Developer Guide* .", "LoginPath": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` .", "PasswordField": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", 
@@ -51703,9 +51854,9 @@ }, "AWS::WAFv2::WebACL ManagedRuleGroupStatement": { "ExcludedRules": "Rules in the referenced rule group whose actions are set to `Count` .\n\n> Instead of this option, use `RuleActionOverrides` . It accepts any valid action setting, including `Count` .", - "ManagedRuleGroupConfigs": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", + "ManagedRuleGroupConfigs": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesAntiDDoSRuleSet` configuration object to configure the anti-DDoS managed rule group. 
The configuration includes the sensitivity levels to use in the rules that typically block and challenge requests that might be participating in DDoS attacks and the specification to use to indicate whether a request can handle a silent browser challenge.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", "Name": "The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.", - "RuleActionOverrides": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", + "RuleActionOverrides": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. 
An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group. Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", "VendorName": "The name of the managed rule group vendor. You use this, along with the rule group name, to identify a rule group.", "Version": "The version of the managed rule group to use. If you specify this, the version setting is fixed until you change it. If you don't specify this, AWS WAF uses the vendor's default version, and then keeps the version at the vendor's default when the vendor updates the managed rule group settings." 
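Review bot: the rewritten `RuleActionOverrides` quote now separates managed rule groups (invalid override names silently ignored) from customer-owned rule groups (web ACL update fails), but this entry is `ManagedRuleGroupStatement`, where only the silent-ignore case applies, and the same paragraph is reused unchanged for `RuleGroupReferenceStatement` below. The security-relevant half is the silent ignore: an override whose name does not match the case-sensitive rule name does nothing and raises no error, so the rule keeps its configured action, and the advice in the same paragraph to test with `Count` and watch the count metrics is the only way to notice it. Also, "override all of rule actions" (missing "the") is carried over from the old text here and in the matching hunks below; fix upstream so the regenerated file picks it up.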
@@ -51713,6 +51864,9 @@ "AWS::WAFv2::WebACL NotStatement": { "Statement": "The statement to negate. You can use any statement that can be nested." }, + "AWS::WAFv2::WebACL OnSourceDDoSProtectionConfig": { + "ALBLowReputationMode": "The level of DDoS protection that applies to web ACLs associated with Application Load Balancers. `ACTIVE_UNDER_DDOS` protection is enabled by default whenever a web ACL is associated with an Application Load Balancer. In the event that an Application Load Balancer experiences high-load conditions or suspected DDoS attacks, the `ACTIVE_UNDER_DDOS` protection automatically rate limits traffic from known low reputation sources without disrupting Application Load Balancer availability. `ALWAYS_ON` protection provides constant, always-on monitoring of known low reputation sources for suspected DDoS attacks. While this provides a higher level of protection, there may be potential impacts on legitimate traffic." + }, "AWS::WAFv2::WebACL OrStatement": { "Statements": "The statements to combine with OR logic. You can use any statements that can be nested." }, 
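Review bot: no visible schema hunk in this diff defines `OnSourceDDoSProtectionConfig` or a `WebACL` property that references it, while this hunk adds its documentation entry; the same applies to the `Regex`, `AsnMatchStatement` and `ASN` entries added in the hunks below. Confirm that both samtranslator/schema/schema.json and schema_source/cloudformation.schema.json contain matching definitions (including the `ACTIVE_UNDER_DDOS` / `ALWAYS_ON` values for `ALBLowReputationMode`), otherwise these docs entries describe settings that templates cannot validate against.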
@@ -51729,6 +51883,7 @@ "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." }, "AWS::WAFv2::WebACL RateBasedStatementCustomKey": { + "ASN": "Use an Autonomous System Number (ASN) derived from the request's originating or forwarded IP address as an aggregate key. Each distinct ASN contributes to the aggregation instance.", "Cookie": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", "ForwardedIP": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", "HTTPMethod": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", 
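Review bot: the new `ASN` aggregate key says the ASN is "derived from the request's originating or forwarded IP address" but, unlike the `ForwardedIP` entry in the same hunk, does not say whether the forwarded case requires `ForwardedIPConfig` on the rate-based statement, or whether the rule that an IP or forwarded-IP key must be paired with at least one other key also applies here. One sentence would settle it, and it matters for defenders because an ASN derived from a forwarded header is only as trustworthy as the proxy that sets that header. If the text is copied verbatim from upstream, raise it there rather than editing the generated file.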
@@ -51768,6 +51923,9 @@ "AWS::WAFv2::WebACL RateLimitUriPath": { "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." }, + "AWS::WAFv2::WebACL Regex": { + "RegexString": "The string representing the regular expression." + }, "AWS::WAFv2::WebACL RegexMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", "RegexString": "The string representing the regular expression.", 
@@ -51843,7 +52001,7 @@ "AWS::WAFv2::WebACL RuleGroupReferenceStatement": { "Arn": "The Amazon Resource Name (ARN) of the entity.", "ExcludedRules": "Rules in the referenced rule group whose actions are set to `Count` .\n\n> Instead of this option, use `RuleActionOverrides` . It accepts any valid action setting, including `Count` .", - "RuleActionOverrides": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic." + "RuleActionOverrides": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic." 
}, "AWS::WAFv2::WebACL SingleHeader": { "Name": "The name of the query header to inspect." 
@@ -51864,6 +52022,7 @@ }, "AWS::WAFv2::WebACL Statement": { "AndStatement": "A logical rule statement used to combine other rule statements with AND logic. You provide more than one `Statement` within the `AndStatement` .", + "AsnMatchStatement": "A rule statement that inspects web traffic based on the Autonomous System Number (ASN) associated with the request's IP address.\n\nFor additional details, see [ASN match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-asn-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "ByteMatchStatement": "A rule statement that defines a string match search for AWS WAF to apply to web requests. The byte match statement provides the bytes to search for, the location in requests that you want AWS WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the AWS WAF console and the developer guide, this is called a string match statement.", "GeoMatchStatement": "A rule statement that labels web requests by country and region and that matches against web requests based on country code. A geo match rule labels every request that it inspects regardless of whether it finds a match.\n\n- To manage requests only by country, you can use this statement by itself and specify the countries that you want to match against in the `CountryCodes` array.\n- Otherwise, configure your geo match rule with Count action so that it only labels requests. Then, add one or more label match rules to run after the geo match rule and configure them to match against the geographic labels and handle the requests as needed.\n\nAWS WAF labels requests using the alpha-2 country and region codes from the International Organization for Standardization (ISO) 3166 standard. 
AWS WAF determines the codes using either the IP address in the web request origin or, if you specify it, the address in the geo match `ForwardedIPConfig` .\n\nIf you use the web request origin, the label formats are `awswaf:clientip:geo:region:-` and `awswaf:clientip:geo:country:` .\n\nIf you use a forwarded IP address, the label formats are `awswaf:forwardedip:geo:region:-` and `awswaf:forwardedip:geo:country:` .\n\nFor additional details, see [Geographic match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "IPSetReferenceStatement": "A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an `IPSet` that specifies the addresses you want to detect, then use the ARN of that set in this statement.\n\nEach IP set rule statement references an IP set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.", diff --git a/schema_source/cloudformation.schema.json b/schema_source/cloudformation.schema.json index d480011b2..76aaf7620 100644 --- a/schema_source/cloudformation.schema.json +++ b/schema_source/cloudformation.schema.json @@ -18979,7 +18979,7 @@ "type": "string" }, "AtRestEncryptionEnabled": { - "markdownDescription": "At-rest encryption flag for cache. You cannot update this setting after creation.", + "markdownDescription": "*This parameter has been deprecated* .\n\nAt-rest encryption flag for cache. You cannot update this setting after creation.", "title": "AtRestEncryptionEnabled", "type": "boolean" }, 
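Review bot: the deprecation notice added to `AtRestEncryptionEnabled` in this hunk (and to `TransitEncryptionEnabled` in the next one) reads `*This parameter has been deprecated* .` with a stray space before the period, and it gives no pointer to what replaces the at-rest and in-transit encryption flags or what the behaviour now is. For a setting that "cannot be updated after creation", a reader needs to know whether encryption is now always on or whether the flag is simply ignored; if this is a verbatim upstream sync, file the wording upstream rather than patching the generated file.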
@@ -18989,7 +18989,7 @@ "type": "string" }, "TransitEncryptionEnabled": { - "markdownDescription": "Transit encryption flag when connecting to cache. You cannot update this setting after creation.", + "markdownDescription": "*This parameter has been deprecated* .\n\nTransit encryption flag when connecting to cache. You cannot update this setting after creation.", "title": "TransitEncryptionEnabled", "type": "boolean" }, @@ -85955,7 +85955,7 @@ "type": "string" }, "IpAddress": { - "markdownDescription": "Valid IPv4 address within the address range of the specified subnet.", + "markdownDescription": "If the `IpAddressType` for the mount target is IPv4 ( `IPV4_ONLY` or `DUAL_STACK` ), then specify the IPv4 address to use. If you do not specify an `IpAddress` , then Amazon EFS selects an unused IP address from the subnet specified for `SubnetId` .", "title": "IpAddress", "type": "string" }, 
@@ -85963,12 +85963,12 @@ "items": { "type": "string" }, - "markdownDescription": "VPC security group IDs, of the form `sg-xxxxxxxx` . These must be for the same VPC as the subnet specified. The maximum number of security groups depends on account quota. For more information, see [Amazon VPC Quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html) in the *Amazon VPC User Guide* (see the *Security Groups* table).", + "markdownDescription": "VPC security group IDs, of the form `sg-xxxxxxxx` . These must be for the same VPC as the subnet specified. The maximum number of security groups depends on account quota. For more information, see [Amazon VPC Quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html) in the *Amazon VPC User Guide* (see the *Security Groups* table). If you don't specify a security group, then Amazon EFS uses the default security group for the subnet's VPC.", "title": "SecurityGroups", "type": "array" }, "SubnetId": { - "markdownDescription": "The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone.", + "markdownDescription": "The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone. The subnet type must be the same type as the `IpAddressType` .", "title": "SubnetId", "type": "string" } 
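Review bot: the updated `IpAddress` (previous hunk) and `SubnetId` (this hunk) descriptions reference an `IpAddressType` property with values `IPV4_ONLY` and `DUAL_STACK`, but no visible hunk adds `IpAddressType` to the mount-target schema; confirm it is defined with its enum in both schema files, or the descriptions point at a property users cannot set. Separately, the sentence added to `SecurityGroups` documents a fallback to the VPC's default security group when none is specified; that is a permissive default a template author can easily miss, so it is worth keeping visible in the tooltip text rather than trimming it on regeneration.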
@@ -87181,12 +87181,12 @@ "type": "string" }, "Namespace": { - "markdownDescription": "The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.", + "markdownDescription": "The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.", "title": "Namespace", "type": "string" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.", + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.", "title": "RoleArn", "type": "string" }, 
@@ -151957,7 +151957,7 @@ "title": "ConnectivityInfo" }, "InstanceType": { - "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge, and kafka.t3.small.", + "markdownDescription": "The type of Amazon EC2 instances to use for brokers. Depending on the [broker type](https://docs.aws.amazon.com/msk/latest/developerguide/broker-instance-types.html) , Amazon MSK supports the following broker sizes:\n\n*Standard broker sizes*\n\n- kafka.t3.small\n\n> You can't select the kafka.t3.small instance type when the metadata mode is KRaft.\n- kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge\n- kafka.m7g.large, kafka.m7g.xlarge, kafka.m7g.2xlarge, kafka.m7g.4xlarge, kafka.m7g.8xlarge, kafka.m7g.12xlarge, kafka.m7g.16xlarge\n\n*Express broker sizes*\n\n- express.m7g.large, express.m7g.xlarge, express.m7g.2xlarge, express.m7g.4xlarge, express.m7g.8xlarge, express.m7g.12xlarge, express.m7g.16xlarge\n\n> Some broker sizes might not be available in certian AWS Regions. See the updated [Pricing tools](https://docs.aws.amazon.com/msk/pricing/) section on the Amazon MSK pricing page for the latest list of available instances by Region.", "title": "InstanceType", "type": "string" }, 
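Review bot: typo in the new text: "certian AWS Regions" should be "certain AWS Regions". Also, the `>` note placed directly after the `- kafka.t3.small` bullet and before the next `- kafka.m5...` bullet will render as a blockquote inside or between list items depending on the Markdown renderer. Both are upstream wording; fix there and regenerate rather than hand-editing this file.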
@@ -225756,7 +225756,7 @@ "type": "number" }, "InitQuery": { - "markdownDescription": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure the query added here is valid. This is an optional field, so you can choose to leave it empty. For including multiple variables in a single SET statement, use a comma separator.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nDefault: no initialization query", + "markdownDescription": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure the query added here is valid. This is an optional field, so you can choose to leave it empty. For including multiple variables in a single SET statement, use a comma separator.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nDefault: no initialization query\n\n> Since you can access initialization query as part of target group configuration, it is not protected by authentication or cryptographic methods. Anyone with access to view or manage your proxy target group configuration can view the initialization query. You should not add sensitive data, such as passwords or long-lived encryption keys, to this option.", "title": "InitQuery", "type": "string" }, 
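Review bot: the added warning is the right thing to surface, but its first sentence, "not protected by authentication or cryptographic methods", is imprecise: the target group configuration is still behind IAM, and the actual point is the one the next sentence makes, that `InitQuery` is visible in plaintext to anyone who can view or manage the configuration. Suggest (upstream) tightening the first sentence to that, and since the example just above shows `SET variable1=value1, variable2=value2`, stating that the values in those `SET` statements are exactly what gets exposed would make the advice about passwords and long-lived keys concrete.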
@@ -270237,7 +270237,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupConfig" }, - "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", + "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesAntiDDoSRuleSet` configuration object to configure the anti-DDoS managed rule group. 
The configuration includes the sensitivity levels to use in the rules that typically block and challenge requests that might be participating in DDoS attacks and the specification to use to indicate whether a request can handle a silent browser challenge.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", "title": "ManagedRuleGroupConfigs", "type": "array" }, 
@@ -270250,7 +270250,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RuleActionOverride" }, - "markdownDescription": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", + "markdownDescription": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", "title": "RuleActionOverrides", "type": "array" }, 
@@ -270950,7 +270950,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RuleActionOverride" }, - "markdownDescription": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", + "markdownDescription": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\n> Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group. \n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", "title": "RuleActionOverrides", "type": "array" }