Skip to content

feat: update L1 CloudFormation resource definitions #35926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: update L1 CloudFormation resource definitions #35926

wants to merge 1 commit into from
+139 −8

Conversation

@aws-cdk-automation
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation commented Nov 3, 2025

Updates the L1 CloudFormation resource definitions with the latest changes from @aws-cdk/aws-service-spec

L1 CloudFormation resource definition changes:

├[~] service aws-amazonmq
│ └ resources
│    ├[~]  resource AWS::AmazonMQ::Broker
│    │  ├      - documentation: A *broker* is a message broker environment running on Amazon MQ . It is the basic building block of Amazon MQ .
│    │  │      The `AWS::AmazonMQ::Broker` resource lets you create Amazon MQ for ActiveMQ and Amazon MQ for RabbitMQ brokers, add configuration changes or modify users for a speified ActiveMQ broker, return information about the specified broker, and delete the broker. For more information, see [How Amazon MQ works](https://docs.aws.amazon.com//amazon-mq/latest/developer-guide/amazon-mq-how-it-works.html) in the *Amazon MQ Developer Guide* .
│    │  │      - `ec2:CreateNetworkInterface`
│    │  │      This permission is required to allow Amazon MQ to create an elastic network interface (ENI) on behalf of your account.
│    │  │      - `ec2:CreateNetworkInterfacePermission`
│    │  │      This permission is required to attach the ENI to the broker instance.
│    │  │      - `ec2:DeleteNetworkInterface`
│    │  │      - `ec2:DeleteNetworkInterfacePermission`
│    │  │      - `ec2:DetachNetworkInterface`
│    │  │      - `ec2:DescribeInternetGateways`
│    │  │      - `ec2:DescribeNetworkInterfaces`
│    │  │      - `ec2:DescribeNetworkInterfacePermissions`
│    │  │      - `ec2:DescribeRouteTables`
│    │  │      - `ec2:DescribeSecurityGroups`
│    │  │      - `ec2:DescribeSubnets`
│    │  │      - `ec2:DescribeVpcs`
│    │  │      + documentation: Creates a broker. Note: This API is asynchronous.
│    │  │      To create a broker, you must either use the `AmazonMQFullAccess` IAM policy or include the following EC2 permissions in your IAM policy.
│    │  │      - `ec2:CreateNetworkInterface`
│    │  │      This permission is required to allow Amazon MQ to create an elastic network interface (ENI) on behalf of your account.
│    │  │      - `ec2:CreateNetworkInterfacePermission`
│    │  │      This permission is required to attach the ENI to the broker instance.
│    │  │      - `ec2:DeleteNetworkInterface`
│    │  │      - `ec2:DeleteNetworkInterfacePermission`
│    │  │      - `ec2:DetachNetworkInterface`
│    │  │      - `ec2:DescribeInternetGateways`
│    │  │      - `ec2:DescribeNetworkInterfaces`
│    │  │      - `ec2:DescribeNetworkInterfacePermissions`
│    │  │      - `ec2:DescribeRouteTables`
│    │  │      - `ec2:DescribeSecurityGroups`
│    │  │      - `ec2:DescribeSubnets`
│    │  │      - `ec2:DescribeVpcs`
│    │  │      For more information, see [Create an IAM User and Get Your AWS Credentials](https://docs.aws.amazon.com//amazon-mq/latest/developer-guide/amazon-mq-setting-up.html#create-iam-user) and [Never Modify or Delete the Amazon MQ Elastic Network Interface](https://docs.aws.amazon.com//amazon-mq/latest/developer-guide/connecting-to-amazon-mq.html#never-modify-delete-elastic-network-interface) in the *Amazon MQ Developer Guide* .
│    │  ├ properties
│    │  │  ├ AutoMinorVersionUpgrade: (documentation changed)
│    │  │  ├ BrokerName: (documentation changed)
│    │  │  ├ Configuration: (documentation changed)
│    │  │  ├ DeploymentMode: (documentation changed)
│    │  │  ├ EncryptionOptions: (documentation changed)
│    │  │  ├ EngineType: (documentation changed)
│    │  │  ├ EngineVersion: (documentation changed)
│    │  │  ├ HostInstanceType: (documentation changed)
│    │  │  ├ MaintenanceWindowStartTime: (documentation changed)
│    │  │  ├ PubliclyAccessible: (documentation changed)
│    │  │  ├ SubnetIds: (documentation changed)
│    │  │  ├ Tags: (documentation changed)
│    │  │  └ Users: (documentation changed)
│    │  ├ attributes
│    │  │  └ Id: (documentation changed)
│    │  └ types
│    │     ├[~] type ConfigurationId
│    │     │ ├      - documentation: A list of information about the configuration.
│    │     │ │      > Does not apply to RabbitMQ brokers.
│    │     │ │      + documentation: A list of information about the configuration.
│    │     │ └ properties
│    │     │    └ Id: (documentation changed)
│    │     ├[~] type EncryptionOptions
│    │     │ └      - documentation: Encryption options for the broker.
│    │     │        > Does not apply to RabbitMQ brokers.
│    │     │        + documentation: Encryption options for the broker.
│    │     ├[~] type LdapServerMetadata
│    │     │ ├      - documentation: Optional. The metadata of the LDAP server used to authenticate and authorize connections to the broker.
│    │     │ │      > Does not apply to RabbitMQ brokers.
│    │     │ │      + documentation: Optional. The metadata of the LDAP server used to authenticate and authorize connections to the broker. Does not apply to RabbitMQ brokers.
│    │     │ └ properties
│    │     │    ├ Hosts: (documentation changed)
│    │     │    ├ RoleBase: (documentation changed)
│    │     │    ├ RoleName: (documentation changed)
│    │     │    ├ RoleSearchMatching: (documentation changed)
│    │     │    ├ RoleSearchSubtree: (documentation changed)
│    │     │    ├ ServiceAccountPassword: (documentation changed)
│    │     │    ├ ServiceAccountUsername: (documentation changed)
│    │     │    ├ UserBase: (documentation changed)
│    │     │    ├ UserRoleName: (documentation changed)
│    │     │    ├ UserSearchMatching: (documentation changed)
│    │     │    └ UserSearchSubtree: (documentation changed)
│    │     ├[~] type MaintenanceWindow
│    │     │ ├      - documentation: The parameters that determine the `WeeklyStartTime` to apply pending updates or patches to the broker.
│    │     │ │      + documentation: The parameters that determine the WeeklyStartTime.
│    │     │ └ properties
│    │     │    ├ DayOfWeek: (documentation changed)
│    │     │    └ TimeOfDay: (documentation changed)
│    │     ├[~] type TagsEntry
│    │     │ ├      - documentation: A key-value pair to associate with the broker.
│    │     │ │      + documentation: Create tags when creating the broker.
│    │     │ └ properties
│    │     │    ├ Key: (documentation changed)
│    │     │    └ Value: (documentation changed)
│    │     └[~] type User
│    │       ├      - documentation: The list of broker users (persons or applications) who can access queues and topics. For Amazon MQ for RabbitMQ brokers, one and only one administrative user is accepted and created when a broker is first provisioned. All subsequent broker users are created via the RabbitMQ web console or by using the RabbitMQ management API.
│    │       │      + documentation: The list of broker users (persons or applications) who can access queues and topics. For Amazon MQ for RabbitMQ brokers, one and only one administrative user is accepted and created when a broker is first provisioned. All subsequent broker users are created by making RabbitMQ API calls directly to brokers or via the RabbitMQ web console.
│    │       │      When OAuth 2.0 is enabled, the broker accepts one or no users.
│    │       └ properties
│    │          ├ ConsoleAccess: (documentation changed)
│    │          ├ Password: (documentation changed)
│    │          └ Username: (documentation changed)
│    ├[~]  resource AWS::AmazonMQ::Configuration
│    │  ├      - documentation: Creates a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and version).
│    │  │      > Does not apply to RabbitMQ brokers.
│    │  │      + documentation: Creates a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and version).
│    │  ├ properties
│    │  │  ├ Data: (documentation changed)
│    │  │  ├ EngineType: (documentation changed)
│    │  │  ├ EngineVersion: (documentation changed)
│    │  │  └ Name: (documentation changed)
│    │  └ types
│    │     └[~] type TagsEntry
│    │       ├      - documentation: A key-value pair to associate with the configuration.
│    │       │      + documentation: The list of all tags associated with this configuration.
│    │       └ properties
│    │          ├ Key: (documentation changed)
│    │          └ Value: (documentation changed)
│    └[~]  resource AWS::AmazonMQ::ConfigurationAssociation
│       ├      - documentation: Use the AWS CloudFormation `AWS::AmazonMQ::ConfigurationAssociation` resource to associate a configuration with a broker, or return information about the specified ConfigurationAssociation. Only use one per broker, and don't use a configuration on the broker resource if you have associated a configuration with that broker.
│       │      > Does not apply to RabbitMQ brokers.
│       │      + documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-configurationassociation.html
│       ├ properties
│       │  ├ Broker: (documentation changed)
│       │  └ Configuration: (documentation changed)
│       └ types
│          └[~] type ConfigurationId
│            ├      - documentation: The `ConfigurationId` property type specifies a configuration Id and the revision of a configuration.
│            │      + documentation: A list of information about the configuration.
│            └ properties
│               └ Id: (documentation changed)
├[~] service aws-batch
│ └ resources
│    └[~]  resource AWS::Batch::JobDefinition
│       ├ properties
│       │  └[+] ResourceRetentionPolicy: ResourceRetentionPolicy
│       └ types
│          └[+]  type ResourceRetentionPolicy
│             ├      name: ResourceRetentionPolicy
│             └ properties
│                └ SkipDeregisterOnUpdate: boolean (default=false)
├[~] service aws-bedrock
│ └ resources
│    └[~]  resource AWS::Bedrock::AutomatedReasoningPolicy
│       ├ properties
│       │  ├[+] ForceDelete: boolean (default=false, immutable)
│       │  └[+] KmsKeyId: string (immutable)
│       └ attributes
│          └[+] KmsKeyArn: string
├[~] service aws-billingconductor
│ └ resources
│    └[~]  resource AWS::BillingConductor::CustomLineItem
│       ├ properties
│       │  ├[+] ComputationRule: string (immutable)
│       │  └[+] PresentationDetails: PresentationDetails (immutable)
│       └ types
│          └[+]  type PresentationDetails
│             ├      name: PresentationDetails
│             └ properties
│                └ Service: string (required)
├[~] service aws-cloudfront
│ └ resources
│    ├[~]  resource AWS::CloudFront::Distribution
│    │  └ types
│    │     └[~] type VpcOriginConfig
│    │       └ properties
│    │          └[+] OwnerAccountId: string
│    └[~]  resource AWS::CloudFront::VpcOrigin
│       └ attributes
│          └[+] AccountId: string
├[~] service aws-connect
│ └ resources
│    └[~]  resource AWS::Connect::EmailAddress
│       ├ properties
│       │  └[+] AliasConfigurations: Array<AliasConfiguration>
│       └ types
│          └[+]  type AliasConfiguration
│             ├      documentation: Configuration information of an email alias.
│             │      name: AliasConfiguration
│             └ properties
│                └ EmailAddressArn: string (required)
├[~] service aws-connectcampaignsv2
│ └ resources
│    └[~]  resource AWS::ConnectCampaignsV2::Campaign
│       └ types
│          ├[+]  type PreviewConfig
│          │  ├      documentation: Contains preview outbound mode configuration.
│          │  │      name: PreviewConfig
│          │  └ properties
│          │     ├ BandwidthAllocation: number (required)
│          │     ├ TimeoutConfig: TimeoutConfig (required)
│          │     └ AgentActions: Array<string>
│          ├[~] type TelephonyOutboundMode
│          │ └ properties
│          │    └[+] PreviewConfig: PreviewConfig
│          └[+]  type TimeoutConfig
│             ├      documentation: Contains preview outbound mode timeout configuration.
│             │      name: TimeoutConfig
│             └ properties
│                └ DurationInSeconds: integer
├[~] service aws-datazone
│ └ resources
│    └[~]  resource AWS::DataZone::Connection
│       ├ properties
│       │  ├[+] EnableTrustedIdentityPropagation: boolean (immutable)
│       │  ├ EnvironmentIdentifier: - string (required, immutable)
│       │  │                        + string (immutable)
│       │  └[+] ProjectIdentifier: string (immutable)
│       └ types
│          ├[~] type ConnectionPropertiesInput
│          │ └ properties
│          │    └[+] S3Properties: S3PropertiesInput
│          └[+]  type S3PropertiesInput
│             ├      documentation: S3 Properties Input
│             │      name: S3PropertiesInput
│             └ properties
│                ├ S3Uri: string (required)
│                └ S3AccessGrantLocationId: string
├[~] service aws-dynamodb
│ └ resources
│    ├[~]  resource AWS::DynamoDB::GlobalTable
│    │  └ properties
│    │     ├[-] GlobalTableSettingsReplicationMode: string
│    │     └[-] GlobalTableSourceArn: string (immutable)
│    └[~]  resource AWS::DynamoDB::Table
│       └ properties
│          └[-] GlobalTableSettingsReplicationMode: string
├[~] service aws-ec2
│ └ resources
│    ├[+]  resource AWS::EC2::CapacityManagerDataExport
│    │  ├      name: CapacityManagerDataExport
│    │  │      cloudFormationType: AWS::EC2::CapacityManagerDataExport
│    │  │      documentation: Creates a new data export configuration for EC2 Capacity Manager. This allows you to automatically export capacity usage data to an S3 bucket on a scheduled basis. The exported data includes metrics for On-Demand, Spot, and Capacity Reservations usage across your organization.
│    │  │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │  ├ properties
│    │  │  ├ S3BucketName: string (required, immutable)
│    │  │  ├ S3BucketPrefix: string (immutable)
│    │  │  ├ Schedule: string (required, immutable)
│    │  │  ├ OutputFormat: string (required, immutable)
│    │  │  └ Tags: Array<tag>
│    │  └ attributes
│    │     └ CapacityManagerDataExportId: string
│    ├[~]  resource AWS::EC2::NatGateway
│    │  └ attributes
│    │     └ EniId: (documentation changed)
│    └[~]  resource AWS::EC2::Volume
│       └ properties
│          ├ AvailabilityZone: - string (required)
│          │                   + string
│          ├[+] AvailabilityZoneId: string
│          └[+] SourceVolumeId: string
├[~] service aws-ecs
│ └ resources
│    └[~]  resource AWS::ECS::Service
│       └ types
│          ├[+]  type CanaryConfiguration
│          │  ├      name: CanaryConfiguration
│          │  └ properties
│          │     ├ CanaryPercent: number
│          │     └ CanaryBakeTimeInMinutes: integer
│          ├[~] type DeploymentConfiguration
│          │ └ properties
│          │    ├[+] CanaryConfiguration: CanaryConfiguration
│          │    └[+] LinearConfiguration: LinearConfiguration
│          ├[+]  type LinearConfiguration
│          │  ├      name: LinearConfiguration
│          │  └ properties
│          │     ├ StepBakeTimeInMinutes: integer
│          │     └ StepPercent: number
│          ├[+]  type ServiceConnectAccessLogConfiguration
│          │  ├      name: ServiceConnectAccessLogConfiguration
│          │  └ properties
│          │     ├ Format: string (required)
│          │     └ IncludeQueryParameters: string
│          └[~] type ServiceConnectConfiguration
│            └ properties
│               └[+] AccessLogConfiguration: ServiceConnectAccessLogConfiguration
├[~] service aws-eks
│ └ resources
│    └[~]  resource AWS::EKS::Nodegroup
│       └ types
│          ├[~] type NodeRepairConfig
│          │ └ properties
│          │    ├[+] MaxParallelNodesRepairedCount: integer
│          │    ├[+] MaxParallelNodesRepairedPercentage: integer
│          │    ├[+] MaxUnhealthyNodeThresholdCount: integer
│          │    ├[+] MaxUnhealthyNodeThresholdPercentage: integer
│          │    └[+] NodeRepairConfigOverrides: Array<NodeRepairConfigOverrides>
│          └[+]  type NodeRepairConfigOverrides
│             ├      documentation: Specify granular overrides for specific repair actions. These overrides control the repair action and the repair delay time before a node is considered eligible for repair. If you use this, you must specify all the values.
│             │      name: NodeRepairConfigOverrides
│             └ properties
│                ├ NodeMonitoringCondition: string
│                ├ NodeUnhealthyReason: string
│                ├ MinRepairWaitTimeMins: integer
│                └ RepairAction: string
├[~] service aws-elasticloadbalancingv2
│ └ resources
│    └[~]  resource AWS::ElasticLoadBalancingV2::ListenerRule
│       └ types
│          ├[~] type RewriteConfig
│          │ ├      - documentation: undefined
│          │ │      + documentation: Information about a rewrite transform. This transform matches a pattern and replaces it with the specified string.
│          │ └ properties
│          │    ├ Regex: (documentation changed)
│          │    └ Replace: (documentation changed)
│          ├[~] type RuleCondition
│          │ └ properties
│          │    └ RegexValues: (documentation changed)
│          └[~] type Transform
│            └ properties
│               └ Type: (documentation changed)
├[~] service aws-events
│ └ resources
│    ├[~]  resource AWS::Events::ApiDestination
│    │  └ attributes
│    │     └ ArnForPolicy: (documentation changed)
│    ├[~]  resource AWS::Events::Connection
│    │  └ attributes
│    │     └ ArnForPolicy: (documentation changed)
│    └[~]  resource AWS::Events::EventBusPolicy
│       ├ properties
│       │  ├ Condition: (documentation changed)
│       │  └ Principal: (documentation changed)
│       ├ attributes
│       │  └[-] Id: string
│       └ types
│          └[~] type Condition
│            ├      - documentation: A JSON string which you can use to limit the event bus permissions you are granting to only accounts that fulfill the condition. Currently, the only supported condition is membership in a certain AWS organization. The string must contain `Type` , `Key` , and `Value` fields. The `Value` field specifies the ID of the AWS organization. Following is an example value for `Condition` :
│            │      `'{"Type" : "StringEquals", "Key": "aws:PrincipalOrgID", "Value": "o-1234567890"}'`
│            │      + documentation: This parameter enables you to limit the permission to accounts that fulfill a certain condition, such as being a member of a certain AWS organization.
│            └ properties
│               ├ Key: (documentation changed)
│               ├ Type: (documentation changed)
│               └ Value: (documentation changed)
├[~] service aws-fsx
│ └ resources
│    └[~]  resource AWS::FSx::FileSystem
│       └ types
│          └[~] type OntapConfiguration
│            └ properties
│               └[+] EndpointIpv6AddressRange: string
├[~] service aws-guardduty
│ └ resources
│    └[~]  resource AWS::GuardDuty::TrustedEntitySet
│       └      - documentation: The `AWS::GuardDuty::TrustedEntitySet` resource helps you create a list of IP addresses and domain names that you can use for secure communication with your AWS infrastructure and applications. Once you activate this list, GuardDuty will not generate findings when there is an activity associated with these safe IP addresses and domain names. At any given time, you can have only one trusted entity set.
│              Only the users of the GuardDuty administrator account can manage the entity sets. These settings automatically apply member accounts.
│              + documentation: Creates a new trusted entity set. In the trusted entity set, you can provide IP addresses and domains that you believe are secure for communication in your AWS environment. GuardDuty will not generate findings for the entries that are specified in a trusted entity set. At any given time, you can have only one trusted entity set.
│              Only users of the administrator account can manage the entity sets, which automatically apply to member accounts.
├[~] service aws-iam
│ └ resources
│    └[~]  resource AWS::IAM::Policy
│       └      - documentation: Adds or updates an inline policy document that is embedded in the specified IAM group, user or role.
│              An IAM user can also have a managed policy attached to it. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
│              The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.
│              For information about policy documents see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide* .
│              For information about limits on the number of inline policies that you can embed in an identity, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
│              > This resource does not support [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html) . The following inline policy resource types support drift detection:
│              > 
│              > - [`AWS::IAM::GroupPolicy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-grouppolicy.html)
│              > - [`AWS::IAM::RolePolicy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-rolepolicy.html)
│              > - [`AWS::IAM::UserPolicy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-userpolicy.html)
│              + documentation: Adds or updates an inline policy document that is embedded in the specified IAM group, user or role.
│              An IAM user can also have a managed policy attached to it. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
│              The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.
│              For information about policy documents, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide* .
│              For information about limits on the number of inline policies that you can embed in an identity, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
│              > This resource does not support [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html) . The following inline policy resource types support drift detection:
│              > 
│              > - [`AWS::IAM::GroupPolicy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-grouppolicy.html)
│              > - [`AWS::IAM::RolePolicy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-rolepolicy.html)
│              > - [`AWS::IAM::UserPolicy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-userpolicy.html)
├[~] service aws-imagebuilder
│ └ resources
│    ├[~]  resource AWS::ImageBuilder::Image
│    │  ├ properties
│    │  │  ├[+] DeletionSettings: DeletionSettings
│    │  │  └[+] ImagePipelineExecutionSettings: ImagePipelineExecutionSettings
│    │  └ types
│    │     ├[+]  type DeletionSettings
│    │     │  ├      documentation: The deletion settings of the image, indicating whether to delete the underlying resources in addition to the image.
│    │     │  │      name: DeletionSettings
│    │     │  └ properties
│    │     │     └ ExecutionRole: string (required)
│    │     └[+]  type ImagePipelineExecutionSettings
│    │        ├      documentation: The settings for starting an image pipeline execution.
│    │        │      name: ImagePipelineExecutionSettings
│    │        └ properties
│    │           ├ DeploymentId: string
│    │           └ OnUpdate: boolean
│    └[~]  resource AWS::ImageBuilder::ImagePipeline
│       └ attributes
│          └[+] DeploymentId: string
├[~] service aws-iotwireless
│ └ resources
│    └[~]  resource AWS::IoTWireless::WirelessDeviceImportTask
│       └      - arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDeviceImportTask/${WirelessDeviceImportTaskId}
│              + arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:ImportTask/${ImportTaskId}
├[~] service aws-lambda
│ └ resources
│    ├[~]  resource AWS::Lambda::EventInvokeConfig
│    │  └ types
│    │     ├[~] type OnFailure
│    │     │ └ properties
│    │     │    └ Destination: (documentation changed)
│    │     └[~] type OnSuccess
│    │       └ properties
│    │          └ Destination: (documentation changed)
│    └[~]  resource AWS::Lambda::EventSourceMapping
│       └ types
│          └[~] type OnFailure
│            └ properties
│               └ Destination: (documentation changed)
├[~] service aws-mediapackagev2
│ └ resources
│    └[~]  resource AWS::MediaPackageV2::OriginEndpoint
│       ├ properties
│       │  └[+] MssManifests: Array<MssManifestConfiguration>
│       ├ attributes
│       │  └[+] MssManifestUrls: Array<string>
│       └ types
│          ├[~] type EncryptionMethod
│          │ └ properties
│          │    └[+] IsmEncryptionMethod: string
│          └[+]  type MssManifestConfiguration
│             ├      documentation: <p>Configuration details for a Microsoft Smooth Streaming (MSS) manifest associated with an origin endpoint. This includes all the settings and properties that define how the MSS content is packaged and delivered.</p>
│             │      name: MssManifestConfiguration
│             └ properties
│                ├ ManifestName: string (required)
│                ├ FilterConfiguration: FilterConfiguration
│                ├ ManifestWindowSeconds: integer
│                └ ManifestLayout: string
├[~] service aws-networkfirewall
│ └ resources
│    ├[~]  resource AWS::NetworkFirewall::Firewall
│    │  └ attributes
│    │     └[+] TransitGatewayAttachmentId: string
│    ├[~]  resource AWS::NetworkFirewall::FirewallPolicy
│    │  └ types
│    │     └[~] type FirewallPolicy
│    │       └ properties
│    │          └[+] EnableTLSSessionHolding: boolean
│    └[~]  resource AWS::NetworkFirewall::RuleGroup
│       └      - arnTemplate: arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}
│              + arnTemplate: arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}
├[~] service aws-observabilityadmin
│ └ resources
│    ├[~]  resource AWS::ObservabilityAdmin::OrganizationCentralizationRule
│    │  └      - arnTemplate: arn:${Partition}:observabilityadmin:${Region}:${Account}:organization-centralization-rule:${CentralizationRuleName}
│    │         + arnTemplate: arn:${Partition}:observabilityadmin:${Region}:${Account}:organization-centralization-rule/${CentralizationRuleName}
│    ├[~]  resource AWS::ObservabilityAdmin::OrganizationTelemetryRule
│    │  └      - arnTemplate: arn:${Partition}:observabilityadmin:${Region}:${Account}:organization-telemetry-rule:${TelemetryRuleName}
│    │         + arnTemplate: arn:${Partition}:observabilityadmin:${Region}:${Account}:organization-telemetry-rule/${TelemetryRuleName}
│    └[~]  resource AWS::ObservabilityAdmin::TelemetryRule
│       └      - arnTemplate: arn:${Partition}:observabilityadmin:${Region}:${Account}:telemetry-rule:${TelemetryRuleName}
│              + arnTemplate: arn:${Partition}:observabilityadmin:${Region}:${Account}:telemetry-rule/${TelemetryRuleName}
├[~] service aws-odb
│ └ resources
│    └[~]  resource AWS::ODB::OdbNetwork
│       └ types
│          ├[~] type ManagedS3BackupAccess
│          │ └ properties
│          │    └ Status: (documentation changed)
│          ├[~] type S3Access
│          │ └ properties
│          │    └ Status: (documentation changed)
│          ├[~] type ServiceNetworkEndpoint
│          │ └ properties
│          │    └ VpcEndpointType: (documentation changed)
│          └[~] type ZeroEtlAccess
│            └ properties
│               └ Status: (documentation changed)
├[~] service aws-organizations
│ └ resources
│    └[~]  resource AWS::Organizations::Account
│       └ attributes
│          └[+] State: string
├[~] service aws-osis
│ └ resources
│    └[~]  resource AWS::OSIS::Pipeline
│       └ properties
│          └ PipelineRoleArn: (documentation changed)
├[~] service aws-pinpoint
│ └ resources
│    ├[~]  resource AWS::Pinpoint::EmailTemplate
│    │  └      - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE
│    │         + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/EMAIL
│    └[~]  resource AWS::Pinpoint::PushTemplate
│       └      - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE
│              + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/PUSH
├[~] service aws-quicksight
│ └ resources
│    └[~]  resource AWS::QuickSight::Dashboard
│       └ types
│          └[~] type DashboardPublishOptions
│            └      - documentation: Dashboard publish options.
│                   + documentation: Dashboard publish options:
│                   - `AvailabilityStatus` for `AdHocFilteringOption` - This status can be either `ENABLED` or `DISABLED` . When this is set to `DISABLED` , Amazon Quick Sight disables the left filter pane on the published dashboard, which can be used for ad hoc (one-time) filtering. This option is `ENABLED` by default.
│                   - `AvailabilityStatus` for `ExportToCSVOption` - This status can be either `ENABLED` or `DISABLED` . The visual option to export data to .CSV format isn't enabled when this is set to `DISABLED` . This option is `ENABLED` by default.
│                   - `VisibilityState` for `SheetControlsOption` - This visibility state can be either `COLLAPSED` or `EXPANDED` . This option is `COLLAPSED` by default.
│                   - `AvailabilityStatus` for `QuickSuiteActionsOption` - This status can be either `ENABLED` or `DISABLED` . Features related to Actions in Amazon Quick Suite on dashboards are disabled when this is set to `DISABLED` . This option is `DISABLED` by default.
│                   - `AvailabilityStatus` for `ExecutiveSummaryOption` - This status can be either `ENABLED` or `DISABLED` . The option to build an executive summary is disabled when this is set to `DISABLED` . This option is `ENABLED` by default.
│                   - `AvailabilityStatus` for `DataStoriesSharingOption` - This status can be either `ENABLED` or `DISABLED` . The option to share a data story is disabled when this is set to `DISABLED` . This option is `ENABLED` by default.
├[~] service aws-ram
│ └ resources
│    └[~]  resource AWS::RAM::Permission
│       └      - arnTemplate: arn:${Partition}:ram::${Account}:permission/${ResourcePath}
│              + arnTemplate: arn:${Partition}:ram:${Region}:${Account}:permission/${ResourcePath}
├[+] service aws-rtbfabric
│ ├      capitalized: RTBFabric
│ │      cloudFormationNamespace: AWS::RTBFabric
│ │      name: aws-rtbfabric
│ │      shortName: rtbfabric
│ └ resources
│    ├ resource AWS::RTBFabric::Link
│    │ ├      name: Link
│    │ │      cloudFormationType: AWS::RTBFabric::Link
│    │ │      documentation: Resource Type definition for AWS::RTBFabric::Link Resource Type
│    │ │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │ ├ properties
│    │ │  ├ Tags: Array<tag>
│    │ │  ├ GatewayId: string (required)
│    │ │  ├ PeerGatewayId: string (required)
│    │ │  ├ LinkAttributes: LinkAttributes
│    │ │  ├ HttpResponderAllowed: boolean
│    │ │  ├ LinkLogSettings: LinkLogSettings (required)
│    │ │  └ ModuleConfigurationList: Array<ModuleConfiguration>
│    │ ├ attributes
│    │ │  ├ LinkId: string
│    │ │  ├ Arn: string
│    │ │  ├ LinkStatus: string
│    │ │  ├ CreatedTimestamp: string
│    │ │  ├ UpdatedTimestamp: string
│    │ │  └ LinkDirection: string
│    │ └ types
│    │    ├ type Action
│    │    │ ├      name: Action
│    │    │ └ properties
│    │    │    ├ NoBid: NoBidAction (required)
│    │    │    └ HeaderTag: HeaderTagAction (required)
│    │    ├ type ApplicationLogs
│    │    │ ├      name: ApplicationLogs
│    │    │ └ properties
│    │    │    └ LinkApplicationLogSampling: LinkApplicationLogSampling (required)
│    │    ├ type Filter
│    │    │ ├      name: Filter
│    │    │ └ properties
│    │    │    └ Criteria: Array<FilterCriterion> (required)
│    │    ├ type FilterCriterion
│    │    │ ├      name: FilterCriterion
│    │    │ └ properties
│    │    │    ├ Path: string (required)
│    │    │    └ Values: Array<string> (required)
│    │    ├ type HeaderTagAction
│    │    │ ├      name: HeaderTagAction
│    │    │ └ properties
│    │    │    ├ Name: string (required)
│    │    │    └ Value: string (required)
│    │    ├ type LinkApplicationLogSampling
│    │    │ ├      name: LinkApplicationLogSampling
│    │    │ └ properties
│    │    │    ├ ErrorLog: number (required)
│    │    │    └ FilterLog: number (required)
│    │    ├ type LinkAttributes
│    │    │ ├      name: LinkAttributes
│    │    │ └ properties
│    │    │    ├ ResponderErrorMasking: Array<ResponderErrorMaskingForHttpCode>
│    │    │    └ CustomerProvidedId: string
│    │    ├ type LinkLogSettings
│    │    │ ├      name: LinkLogSettings
│    │    │ └ properties
│    │    │    └ ApplicationLogs: ApplicationLogs (required)
│    │    ├ type ModuleConfiguration
│    │    │ ├      name: ModuleConfiguration
│    │    │ └ properties
│    │    │    ├ Version: string
│    │    │    ├ Name: string (required)
│    │    │    ├ DependsOn: Array<string>
│    │    │    └ ModuleParameters: ModuleParameters
│    │    ├ type ModuleParameters
│    │    │ ├      name: ModuleParameters
│    │    │ └ properties
│    │    │    ├ NoBid: NoBidModuleParameters
│    │    │    └ OpenRtbAttribute: OpenRtbAttributeModuleParameters
│    │    ├ type NoBidAction
│    │    │ ├      name: NoBidAction
│    │    │ └ properties
│    │    │    └ NoBidReasonCode: integer
│    │    ├ type NoBidModuleParameters
│    │    │ ├      name: NoBidModuleParameters
│    │    │ └ properties
│    │    │    ├ Reason: string
│    │    │    ├ ReasonCode: integer
│    │    │    └ PassThroughPercentage: number
│    │    ├ type OpenRtbAttributeModuleParameters
│    │    │ ├      name: OpenRtbAttributeModuleParameters
│    │    │ └ properties
│    │    │    ├ FilterType: string (required)
│    │    │    ├ FilterConfiguration: Array<Filter> (required)
│    │    │    ├ Action: Action (required)
│    │    │    └ HoldbackPercentage: number (required)
│    │    └ type ResponderErrorMaskingForHttpCode
│    │      ├      name: ResponderErrorMaskingForHttpCode
│    │      └ properties
│    │         ├ HttpCode: string (required)
│    │         ├ Action: string (required)
│    │         ├ LoggingTypes: Array<string> (required)
│    │         └ ResponseLoggingPercentage: number
│    ├ resource AWS::RTBFabric::RequesterGateway
│    │ ├      name: RequesterGateway
│    │ │      cloudFormationType: AWS::RTBFabric::RequesterGateway
│    │ │      documentation: Resource Type definition for AWS::RTBFabric::RequesterGateway Resource Type.
│    │ │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │ │      arnTemplate: arn:${Partition}:rtbfabric:${Region}:${Account}:gateway/${GatewayId}
│    │ ├ properties
│    │ │  ├ Tags: Array<tag>
│    │ │  ├ Description: string
│    │ │  ├ VpcId: string (required)
│    │ │  ├ SubnetIds: Array<string> (required)
│    │ │  └ SecurityGroupIds: Array<string> (required)
│    │ └ attributes
│    │    ├ GatewayId: string
│    │    ├ Arn: string
│    │    ├ RequesterGatewayStatus: string
│    │    ├ DomainName: string
│    │    ├ CreatedTimestamp: string
│    │    ├ UpdatedTimestamp: string
│    │    ├ ActiveLinksCount: integer
│    │    └ TotalLinksCount: integer
│    └ resource AWS::RTBFabric::ResponderGateway
│      ├      name: ResponderGateway
│      │      cloudFormationType: AWS::RTBFabric::ResponderGateway
│      │      documentation: Resource Type definition for AWS::RTBFabric::ResponderGateway Resource Type
│      │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      │      arnTemplate: arn:${Partition}:rtbfabric:${Region}:${Account}:gateway/${GatewayId}
│      ├ properties
│      │  ├ TrustStoreConfiguration: TrustStoreConfiguration
│      │  ├ Description: string
│      │  ├ DomainName: string
│      │  ├ Port: integer (required)
│      │  ├ ManagedEndpointConfiguration: ManagedEndpointConfiguration
│      │  ├ SubnetIds: Array<string> (required)
│      │  ├ SecurityGroupIds: Array<string> (required)
│      │  ├ VpcId: string (required)
│      │  ├ Protocol: string (required)
│      │  └ Tags: Array<tag>
│      ├ attributes
│      │  ├ GatewayId: string
│      │  ├ Arn: string
│      │  ├ ResponderGatewayStatus: string
│      │  ├ CreatedTimestamp: string
│      │  └ UpdatedTimestamp: string
│      └ types
│         ├ type AutoScalingGroupsConfiguration
│         │ ├      name: AutoScalingGroupsConfiguration
│         │ └ properties
│         │    ├ AutoScalingGroupNameList: Array<string> (required)
│         │    └ RoleArn: string (required)
│         ├ type EksEndpointsConfiguration
│         │ ├      name: EksEndpointsConfiguration
│         │ └ properties
│         │    ├ ClusterApiServerCaCertificateChain: string (required)
│         │    ├ EndpointsResourceName: string (required)
│         │    ├ ClusterApiServerEndpointUri: string (required)
│         │    ├ ClusterName: string (required)
│         │    ├ EndpointsResourceNamespace: string (required)
│         │    └ RoleArn: string (required)
│         ├ type ManagedEndpointConfiguration
│         │ ├      name: ManagedEndpointConfiguration
│         │ └ properties
│         │    ├ AutoScalingGroupsConfiguration: AutoScalingGroupsConfiguration
│         │    └ EksEndpointsConfiguration: EksEndpointsConfiguration
│         └ type TrustStoreConfiguration
│           ├      name: TrustStoreConfiguration
│           └ properties
│              └ CertificateAuthorityCertificates: Array<string> (required)
├[~] service aws-s3
│ └ resources
│    └[~]  resource AWS::S3::Bucket
│       └ types
│          ├[~] type DeleteMarkerReplication
│          │ └ properties
│          │    └ Status: (documentation changed)
│          └[~] type VersioningConfiguration
│            └      - documentation: Describes the versioning state of an Amazon S3 bucket. For more information, see [PUT Bucket versioning](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTVersioningStatus.html) in the *Amazon S3 API Reference* .
│                   > When you enable versioning on a bucket for the first time, it might take a short amount of time for the change to be fully propagated. We recommend that you wait for 15 minutes after enabling versioning before issuing write operations ( `PUT` or `DELETE` ) on objects in the bucket.
│                   + documentation: Describes the versioning state of an Amazon S3 bucket. For more information, see [PUT Bucket versioning](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTVersioningStatus.html) in the *Amazon S3 API Reference* .
│                   Keep the following timing in mind when enabling, suspending, or transitioning between versioning states:
│                   - *Enabling versioning* - Changes may take up to 15 minutes to propagate across all AWS regions for full consistency.
│                   - *Suspending versioning* - Takes effect immediately with no propagation delay.
│                   - *Transitioning between states* - Any change from Suspended to Enabled has a 15-minute delay.
├[+] service aws-s3vectors
│ ├      capitalized: S3Vectors
│ │      cloudFormationNamespace: AWS::S3Vectors
│ │      name: aws-s3vectors
│ │      shortName: s3vectors
│ └ resources
│    ├ resource AWS::S3Vectors::Index
│    │ ├      name: Index
│    │ │      cloudFormationType: AWS::S3Vectors::Index
│    │ │      documentation: Resource Type definition for AWS::S3Vectors::Index
│    │ ├ properties
│    │ │  ├ DataType: string (required, immutable)
│    │ │  ├ Dimension: integer (required, immutable)
│    │ │  ├ DistanceMetric: string (required, immutable)
│    │ │  ├ IndexName: string (immutable)
│    │ │  ├ MetadataConfiguration: MetadataConfiguration (immutable)
│    │ │  ├ VectorBucketArn: string (immutable)
│    │ │  └ VectorBucketName: string (immutable)
│    │ ├ attributes
│    │ │  ├ CreationTime: string
│    │ │  └ IndexArn: string
│    │ └ types
│    │    └ type MetadataConfiguration
│    │      ├      documentation: The metadata configuration for the vector index.
│    │      │      name: MetadataConfiguration
│    │      └ properties
│    │         └ NonFilterableMetadataKeys: Array<string>
│    ├ resource AWS::S3Vectors::VectorBucket
│    │ ├      name: VectorBucket
│    │ │      cloudFormationType: AWS::S3Vectors::VectorBucket
│    │ │      documentation: Resource Type definition for AWS::S3Vectors::VectorBucket
│    │ ├ properties
│    │ │  ├ VectorBucketName: string (immutable)
│    │ │  └ EncryptionConfiguration: EncryptionConfiguration (immutable)
│    │ ├ attributes
│    │ │  ├ VectorBucketArn: string
│    │ │  └ CreationTime: string
│    │ └ types
│    │    └ type EncryptionConfiguration
│    │      ├      documentation: The encryption configuration for the vector bucket.
│    │      │      name: EncryptionConfiguration
│    │      └ properties
│    │         ├ SseType: string (default="AES256")
│    │         └ KmsKeyArn: string
│    └ resource AWS::S3Vectors::VectorBucketPolicy
│      ├      name: VectorBucketPolicy
│      │      cloudFormationType: AWS::S3Vectors::VectorBucketPolicy
│      │      documentation: Resource Type definition for AWS::S3Vectors::VectorBucketPolicy
│      │      scrutinizable: ResourcePolicyResource
│      └ properties
│         ├ Policy: json | string (required)
│         ├ VectorBucketArn: string (immutable)
│         └ VectorBucketName: string (immutable)
├[~] service aws-sagemaker
│ └ resources
│    ├[~]  resource AWS::SageMaker::NotebookInstance
│    │  └ properties
│    │     └ PlatformIdentifier: (documentation changed)
│    └[~]  resource AWS::SageMaker::ProcessingJob
│       └ types
│          └[~] type S3Input
│            └ properties
│               └ S3DataDistributionType: (documentation changed)
├[~] service aws-securityhub
│ └ resources
│    ├[~]  resource AWS::SecurityHub::AggregatorV2
│    │  └      - documentation: Enables aggregation across AWS Regions . This API is in private preview and subject to change.
│    │         + documentation: Enables aggregation across AWS Regions . This API is in public preview and subject to change.
│    ├[~]  resource AWS::SecurityHub::AutomationRuleV2
│    │  └      - documentation: Creates a V2 automation rule. This API is in private preview and subject to change.
│    │         + documentation: Creates a V2 automation rule. This API is in public preview and subject to change.
│    └[~]  resource AWS::SecurityHub::HubV2
│       └      - documentation: Returns details about the service resource in your account. This API is in private preview and subject to change.
│              + documentation: Returns details about the service resource in your account. This API is in public preview and subject to change.
├[~] service aws-ses
│ └ resources
│    └[~]  resource AWS::SES::MailManagerAddressList
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:ses:${Region}:${Account}:mailmanager-address-list/${AddressListId}
└[~] service aws-transfer
  └ resources
     └[~]  resource AWS::Transfer::Connector
        ├ properties
        │  ├[+] EgressConfig: ConnectorEgressConfig
        │  ├[+] EgressType: string
        │  └ Url: - string (required)
        │         + string
        ├ attributes
        │  └[+] Status: string
        └ types
           ├[+]  type ConnectorEgressConfig
           │  ├      documentation: Configuration structure that defines how traffic is routed from the connector to the SFTP server. Contains VPC Lattice settings when using VPC_LATTICE egress type for private connectivity through customer VPCs.
           │  │      name: ConnectorEgressConfig
           │  └ properties
           │     └ VpcLattice: ConnectorVpcLatticeEgressConfig (required)
           └[+]  type ConnectorVpcLatticeEgressConfig
              ├      documentation: VPC_LATTICE egress configuration that specifies the Resource Configuration ARN and port for connecting to SFTP servers through customer VPCs. Requires a valid Resource Configuration with appropriate network access.
              │      name: ConnectorVpcLatticeEgressConfig
              └ properties
                 ├ ResourceConfigurationArn: string (required)
                 └ PortNumber: integer

@aws-cdk-automation @github-actions
feat: update L1 CloudFormation resource definitions
1f2aec9 
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
@aws-cdk-automation aws-cdk-automation added contribution/core This is a PR that came from AWS. dependencies This issue is a problem in a dependency or a pull request that updates a dependency file. pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-test The PR linter will not require test changes pr-linter/exempt-integ-test The PR linter will not require integ test changes labels Nov 3, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team November 3, 2025 10:28
@github-actions github-actions bot added the p2 label Nov 3, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team November 3, 2025 10:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

contribution/core This is a PR that came from AWS. dependencies This issue is a problem in a dependency or a pull request that updates a dependency file. p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-test The PR linter will not require test changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aws-cdk-automation