@aws-mdaa/datawarehouse 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/README.md +108 -154
  2. package/SCHEMA.md +7284 -541
  3. package/lib/config-schema.json +2750 -217
  4. package/lib/datawarehouse-config.d.ts +188 -151
  5. package/lib/datawarehouse-config.js +7 -2
  6. package/package.json +17 -12
  7. package/sample_configs/sample-config-comprehensive.yaml +212 -0
  8. package/sample_configs/sample-config-minimal.yaml +45 -0
  9. package/sample_configs/sample-config-public-access-block-external.yaml +31 -0
  10. package/mdaa.config.json +0 -3
package/lib/config-schema.json CHANGED
@@ -2,6 +2,208 @@
2
2
  "$schema": "http://json-schema.org/draft-07/schema#",
3
3
  "additionalProperties": false,
4
4
  "definitions": {
5
+ "AdditionalBlueprintAccount": {
6
+ "additionalProperties": false,
7
+ "properties": {
8
+ "account": {
9
+ "type": "string"
10
+ },
11
+ "authorizedDomainUnits": {
12
+ "items": {
13
+ "type": "string"
14
+ },
15
+ "type": "array"
16
+ },
17
+ "enabledRegions": {
18
+ "items": {
19
+ "type": "string"
20
+ },
21
+ "type": "array"
22
+ },
23
+ "parameters": {
24
+ "additionalProperties": {
25
+ "$ref": "#/definitions/MdaaSageMakerBluePrintParameterConfig"
26
+ },
27
+ "type": "object"
28
+ },
29
+ "provisioningRole": {
30
+ "$ref": "#/definitions/MdaaRoleRef"
31
+ }
32
+ },
33
+ "required": [
34
+ "account",
35
+ "provisioningRole"
36
+ ],
37
+ "type": "object"
38
+ },
39
+ "Architecture": {
40
+ "additionalProperties": false,
41
+ "description": "Architectures supported by AWS Lambda",
42
+ "properties": {
43
+ "dockerPlatform": {
44
+ "description": "The platform to use for this architecture when building with Docker.",
45
+ "type": "string"
46
+ },
47
+ "name": {
48
+ "description": "The name of the architecture as recognized by the AWS Lambda service APIs.",
49
+ "type": "string"
50
+ }
51
+ },
52
+ "required": [
53
+ "dockerPlatform",
54
+ "name"
55
+ ],
56
+ "type": "object"
57
+ },
58
+ "CfnAutoScalingReplacingUpdate": {
59
+ "additionalProperties": false,
60
+ "description": "Specifies whether an Auto Scaling group and the instances it contains are replaced during an update. During replacement,\nAWS CloudFormation retains the old group until it finishes creating the new one. If the update fails, AWS CloudFormation\ncan roll back to the old Auto Scaling group and delete the new Auto Scaling group.\n\nWhile AWS CloudFormation creates the new group, it doesn't detach or attach any instances. After successfully creating\nthe new Auto Scaling group, AWS CloudFormation deletes the old Auto Scaling group during the cleanup process.\n\nWhen you set the WillReplace parameter, remember to specify a matching CreationPolicy. If the minimum number of\ninstances (specified by the MinSuccessfulInstancesPercent property) don't signal success within the Timeout period\n(specified in the CreationPolicy policy), the replacement update fails and AWS CloudFormation rolls back to the old\nAuto Scaling group.",
61
+ "properties": {
62
+ "willReplace": {
63
+ "type": "boolean"
64
+ }
65
+ },
66
+ "type": "object"
67
+ },
68
+ "CfnAutoScalingRollingUpdate": {
69
+ "additionalProperties": false,
70
+ "description": "To specify how AWS CloudFormation handles rolling updates for an Auto Scaling group, use the AutoScalingRollingUpdate\npolicy. Rolling updates enable you to specify whether AWS CloudFormation updates instances that are in an Auto Scaling\ngroup in batches or all at once.",
71
+ "properties": {
72
+ "maxBatchSize": {
73
+ "description": "Specifies the maximum number of instances that AWS CloudFormation updates.",
74
+ "type": "number"
75
+ },
76
+ "minActiveInstancesPercent": {
77
+ "description": "Specifies the percentage of instances in an Auto Scaling group that must remain in service while AWS CloudFormation\nupdates old instances. You can specify a value from 0 to 100. AWS CloudFormation rounds to the nearest tenth of a percent.\nFor example, if you update five instances with a minimum active percentage of 50, three instances must remain in service.",
78
+ "type": "number"
79
+ },
80
+ "minInstancesInService": {
81
+ "description": "Specifies the minimum number of instances that must be in service within the Auto Scaling group while AWS\nCloudFormation updates old instances.",
82
+ "type": "number"
83
+ },
84
+ "minSuccessfulInstancesPercent": {
85
+ "description": "Specifies the percentage of instances in an Auto Scaling rolling update that must signal success for an update to succeed.\nYou can specify a value from 0 to 100. AWS CloudFormation rounds to the nearest tenth of a percent. For example, if you\nupdate five instances with a minimum successful percentage of 50, three instances must signal success.\n\nIf an instance doesn't send a signal within the time specified in the PauseTime property, AWS CloudFormation assumes\nthat the instance wasn't updated.\n\nIf you specify this property, you must also enable the WaitOnResourceSignals and PauseTime properties.",
86
+ "type": "number"
87
+ },
88
+ "pauseTime": {
89
+ "description": "The amount of time that AWS CloudFormation pauses after making a change to a batch of instances to give those instances\ntime to start software applications. For example, you might need to specify PauseTime when scaling up the number of\ninstances in an Auto Scaling group.\n\nIf you enable the WaitOnResourceSignals property, PauseTime is the amount of time that AWS CloudFormation should wait\nfor the Auto Scaling group to receive the required number of valid signals from added or replaced instances. If the\nPauseTime is exceeded before the Auto Scaling group receives the required number of signals, the update fails. For best\nresults, specify a time period that gives your applications sufficient time to get started. If the update needs to be\nrolled back, a short PauseTime can cause the rollback to fail.\n\nSpecify PauseTime in the ISO8601 duration format (in the format PT#H#M#S, where each # is the number of hours, minutes,\nand seconds, respectively). The maximum PauseTime is one hour (PT1H).",
90
+ "type": "string"
91
+ },
92
+ "suspendProcesses": {
93
+ "description": "Specifies the Auto Scaling processes to suspend during a stack update. Suspending processes prevents Auto Scaling from\ninterfering with a stack update. For example, you can suspend alarming so that Auto Scaling doesn't execute scaling\npolicies associated with an alarm. For valid values, see the ScalingProcesses.member.N parameter for the SuspendProcesses\naction in the Auto Scaling API Reference.",
94
+ "items": {
95
+ "type": "string"
96
+ },
97
+ "type": "array"
98
+ },
99
+ "waitOnResourceSignals": {
100
+ "description": "Specifies whether the Auto Scaling group waits on signals from new instances during an update. Use this property to\nensure that instances have completed installing and configuring applications before the Auto Scaling group update proceeds.\nAWS CloudFormation suspends the update of an Auto Scaling group after new EC2 instances are launched into the group.\nAWS CloudFormation must receive a signal from each new instance within the specified PauseTime before continuing the update.\nTo signal the Auto Scaling group, use the cfn-signal helper script or SignalResource API.\n\nTo have instances wait for an Elastic Load Balancing health check before they signal success, add a health-check\nverification by using the cfn-init helper script. For an example, see the verify_instance_health command in the Auto Scaling\nrolling updates sample template.",
101
+ "type": "boolean"
102
+ }
103
+ },
104
+ "type": "object"
105
+ },
106
+ "CfnAutoScalingScheduledAction": {
107
+ "additionalProperties": false,
108
+ "description": "With scheduled actions, the group size properties of an Auto Scaling group can change at any time. When you update a\nstack with an Auto Scaling group and scheduled action, AWS CloudFormation always sets the group size property values of\nyour Auto Scaling group to the values that are defined in the AWS::AutoScaling::AutoScalingGroup resource of your template,\neven if a scheduled action is in effect.\n\nIf you do not want AWS CloudFormation to change any of the group size property values when you have a scheduled action in\neffect, use the AutoScalingScheduledAction update policy to prevent AWS CloudFormation from changing the MinSize, MaxSize,\nor DesiredCapacity properties unless you have modified these values in your template.\\",
109
+ "properties": {
110
+ "ignoreUnmodifiedGroupSizeProperties": {
111
+ "type": "boolean"
112
+ }
113
+ },
114
+ "type": "object"
115
+ },
116
+ "CfnCodeDeployLambdaAliasUpdate": {
117
+ "additionalProperties": false,
118
+ "description": "To perform an AWS CodeDeploy deployment when the version changes on an AWS::Lambda::Alias resource,\nuse the CodeDeployLambdaAliasUpdate update policy.",
119
+ "properties": {
120
+ "afterAllowTrafficHook": {
121
+ "description": "The name of the Lambda function to run after traffic routing completes.",
122
+ "type": "string"
123
+ },
124
+ "applicationName": {
125
+ "description": "The name of the AWS CodeDeploy application.",
126
+ "type": "string"
127
+ },
128
+ "beforeAllowTrafficHook": {
129
+ "description": "The name of the Lambda function to run before traffic routing starts.",
130
+ "type": "string"
131
+ },
132
+ "deploymentGroupName": {
133
+ "description": "The name of the AWS CodeDeploy deployment group. This is where the traffic-shifting policy is set.",
134
+ "type": "string"
135
+ }
136
+ },
137
+ "required": [
138
+ "applicationName",
139
+ "deploymentGroupName"
140
+ ],
141
+ "type": "object"
142
+ },
143
+ "CfnCondition": {
144
+ "additionalProperties": false,
145
+ "description": "Represents a CloudFormation condition, for resources which must be conditionally created and\nthe determination must be made at deploy time.",
146
+ "properties": {
147
+ "_logicalIdLocked": {
148
+ "description": "If the logicalId is locked then it can no longer be overridden.\nThis is needed for cases where the logicalId is consumed prior to synthesis\n(i.e. Stack.exportValue)."
149
+ },
150
+ "_logicalIdOverride": {
151
+ "description": "An explicit logical ID provided by `overrideLogicalId`."
152
+ },
153
+ "creationStack": {
154
+ "items": {
155
+ "type": "string"
156
+ },
157
+ "type": "array"
158
+ },
159
+ "expression": {
160
+ "$ref": "#/definitions/ICfnConditionExpression",
161
+ "description": "The condition statement."
162
+ },
163
+ "logicalId": {
164
+ "description": "The logical ID for this CloudFormation stack element. The logical ID of the element\nis calculated from the path of the resource node in the construct tree.\n\nTo override this value, use `overrideLogicalId(newLogicalId)`.",
165
+ "type": "string"
166
+ },
167
+ "node": {
168
+ "$ref": "#/definitions/Node",
169
+ "description": "The tree node."
170
+ },
171
+ "stack": {
172
+ "$ref": "#/definitions/Stack",
173
+ "description": "The stack in which this element is defined. CfnElements must be defined within a stack scope (directly or indirectly)."
174
+ },
175
+ "synthesizeLogicalId": {
176
+ "description": "Called during synthesize to render the logical ID of this element. If\n`overrideLogicalId` was it will be used, otherwise, we will allocate the\nlogical ID through the stack."
177
+ }
178
+ },
179
+ "required": [
180
+ "creationStack",
181
+ "logicalId",
182
+ "node",
183
+ "stack",
184
+ "synthesizeLogicalId"
185
+ ],
186
+ "type": "object"
187
+ },
188
+ "CfnCreationPolicy": {
189
+ "additionalProperties": false,
190
+ "description": "Associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until\nAWS CloudFormation receives a specified number of success signals or the timeout period is exceeded. To signal a\nresource, you can use the cfn-signal helper script or SignalResource API. AWS CloudFormation publishes valid signals\nto the stack events so that you track the number of signals sent.\n\nThe creation policy is invoked only when AWS CloudFormation creates the associated resource. Currently, the only\nAWS CloudFormation resources that support creation policies are AWS::AutoScaling::AutoScalingGroup, AWS::EC2::Instance,\nAWS::CloudFormation::WaitCondition and AWS::AppStream::Fleet.\n\nUse the CreationPolicy attribute when you want to wait on resource configuration actions before stack creation proceeds.\nFor example, if you install and configure software applications on an EC2 instance, you might want those applications to\nbe running before proceeding. In such cases, you can add a CreationPolicy attribute to the instance, and then send a success\nsignal to the instance after the applications are installed and configured. For a detailed example, see Deploying Applications\non Amazon EC2 with AWS CloudFormation.",
191
+ "properties": {
192
+ "autoScalingCreationPolicy": {
193
+ "$ref": "#/definitions/CfnResourceAutoScalingCreationPolicy",
194
+ "description": "For an Auto Scaling group replacement update, specifies how many instances must signal success for the\nupdate to succeed."
195
+ },
196
+ "resourceSignal": {
197
+ "$ref": "#/definitions/CfnResourceSignal",
198
+ "description": "When AWS CloudFormation creates the associated resource, configures the number of required success signals and\nthe length of time that AWS CloudFormation waits for those signals."
199
+ },
200
+ "startFleet": {
201
+ "description": "For an AppStream Fleet creation, specifies that the fleet is started after creation.",
202
+ "type": "boolean"
203
+ }
204
+ },
205
+ "type": "object"
206
+ },
5
207
  "CfnParameterProps": {
6
208
  "additionalProperties": false,
7
209
  "properties": {
@@ -65,9 +267,197 @@
65
267
  },
66
268
  "type": "object"
67
269
  },
270
+ "CfnResource": {
271
+ "additionalProperties": false,
272
+ "description": "Represents a CloudFormation resource.",
273
+ "properties": {
274
+ "_cfnProperties": {
275
+ "description": "AWS CloudFormation resource properties.\n\nThis object is returned via cfnProperties"
276
+ },
277
+ "_logicalIdLocked": {
278
+ "description": "If the logicalId is locked then it can no longer be overridden.\nThis is needed for cases where the logicalId is consumed prior to synthesis\n(i.e. Stack.exportValue)."
279
+ },
280
+ "_logicalIdOverride": {
281
+ "description": "An explicit logical ID provided by `overrideLogicalId`."
282
+ },
283
+ "cfnOptions": {
284
+ "$ref": "#/definitions/ICfnResourceOptions",
285
+ "description": "Options for this resource, such as condition, update policy etc."
286
+ },
287
+ "cfnProperties": {
288
+ "additionalProperties": {},
289
+ "type": "object"
290
+ },
291
+ "cfnResourceType": {
292
+ "description": "AWS resource type.",
293
+ "type": "string"
294
+ },
295
+ "creationStack": {
296
+ "items": {
297
+ "type": "string"
298
+ },
299
+ "type": "array"
300
+ },
301
+ "dependsOn": {
302
+ "description": "Logical IDs of dependencies.\n\nIs filled during prepare()."
303
+ },
304
+ "logicalId": {
305
+ "description": "The logical ID for this CloudFormation stack element. The logical ID of the element\nis calculated from the path of the resource node in the construct tree.\n\nTo override this value, use `overrideLogicalId(newLogicalId)`.",
306
+ "type": "string"
307
+ },
308
+ "node": {
309
+ "$ref": "#/definitions/Node",
310
+ "description": "The tree node."
311
+ },
312
+ "rawOverrides": {
313
+ "description": "An object to be merged on top of the entire resource definition."
314
+ },
315
+ "ref": {
316
+ "description": "Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.\n\nIf, by any chance, the intrinsic reference of a resource is not a string, you could\ncoerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.",
317
+ "type": "string"
318
+ },
319
+ "stack": {
320
+ "$ref": "#/definitions/Stack",
321
+ "description": "The stack in which this element is defined. CfnElements must be defined within a stack scope (directly or indirectly)."
322
+ },
323
+ "synthesizeLogicalId": {
324
+ "description": "Called during synthesize to render the logical ID of this element. If\n`overrideLogicalId` was it will be used, otherwise, we will allocate the\nlogical ID through the stack."
325
+ },
326
+ "updatedProperites": {
327
+ "additionalProperties": {},
328
+ "description": "Deprecated",
329
+ "type": "object"
330
+ },
331
+ "updatedProperties": {
332
+ "additionalProperties": {},
333
+ "description": "Return properties modified after initiation\n\nResources that expose mutable properties should override this function to\ncollect and return the properties object for this resource.",
334
+ "type": "object"
335
+ }
336
+ },
337
+ "required": [
338
+ "_cfnProperties",
339
+ "cfnOptions",
340
+ "cfnProperties",
341
+ "cfnResourceType",
342
+ "creationStack",
343
+ "dependsOn",
344
+ "logicalId",
345
+ "node",
346
+ "rawOverrides",
347
+ "ref",
348
+ "stack",
349
+ "synthesizeLogicalId",
350
+ "updatedProperites",
351
+ "updatedProperties"
352
+ ],
353
+ "type": "object"
354
+ },
355
+ "CfnResourceAutoScalingCreationPolicy": {
356
+ "additionalProperties": false,
357
+ "description": "For an Auto Scaling group replacement update, specifies how many instances must signal success for the\nupdate to succeed.",
358
+ "properties": {
359
+ "minSuccessfulInstancesPercent": {
360
+ "description": "Specifies the percentage of instances in an Auto Scaling replacement update that must signal success for the\nupdate to succeed. You can specify a value from 0 to 100. AWS CloudFormation rounds to the nearest tenth of a percent.\nFor example, if you update five instances with a minimum successful percentage of 50, three instances must signal success.\nIf an instance doesn't send a signal within the time specified by the Timeout property, AWS CloudFormation assumes that the\ninstance wasn't created.",
361
+ "type": "number"
362
+ }
363
+ },
364
+ "type": "object"
365
+ },
366
+ "CfnResourceSignal": {
367
+ "additionalProperties": false,
368
+ "description": "When AWS CloudFormation creates the associated resource, configures the number of required success signals and\nthe length of time that AWS CloudFormation waits for those signals.",
369
+ "properties": {
370
+ "count": {
371
+ "description": "The number of success signals AWS CloudFormation must receive before it sets the resource status as CREATE_COMPLETE.\nIf the resource receives a failure signal or doesn't receive the specified number of signals before the timeout period\nexpires, the resource creation fails and AWS CloudFormation rolls the stack back.",
372
+ "type": "number"
373
+ },
374
+ "timeout": {
375
+ "description": "The length of time that AWS CloudFormation waits for the number of signals that was specified in the Count property.\nThe timeout period starts after AWS CloudFormation starts creating the resource, and the timeout expires no sooner\nthan the time you specify but can occur shortly thereafter. The maximum time that you can specify is 12 hours.",
376
+ "type": "string"
377
+ }
378
+ },
379
+ "type": "object"
380
+ },
381
+ "CfnUpdatePolicy": {
382
+ "additionalProperties": false,
383
+ "description": "Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup\nresource. AWS CloudFormation invokes one of three update policies depending on the type of change you make or whether a\nscheduled action is associated with the Auto Scaling group.",
384
+ "properties": {
385
+ "autoScalingReplacingUpdate": {
386
+ "$ref": "#/definitions/CfnAutoScalingReplacingUpdate",
387
+ "description": "Specifies whether an Auto Scaling group and the instances it contains are replaced during an update. During replacement,\nAWS CloudFormation retains the old group until it finishes creating the new one. If the update fails, AWS CloudFormation\ncan roll back to the old Auto Scaling group and delete the new Auto Scaling group."
388
+ },
389
+ "autoScalingRollingUpdate": {
390
+ "$ref": "#/definitions/CfnAutoScalingRollingUpdate",
391
+ "description": "To specify how AWS CloudFormation handles rolling updates for an Auto Scaling group, use the AutoScalingRollingUpdate\npolicy. Rolling updates enable you to specify whether AWS CloudFormation updates instances that are in an Auto Scaling\ngroup in batches or all at once."
392
+ },
393
+ "autoScalingScheduledAction": {
394
+ "$ref": "#/definitions/CfnAutoScalingScheduledAction",
395
+ "description": "To specify how AWS CloudFormation handles updates for the MinSize, MaxSize, and DesiredCapacity properties when\nthe AWS::AutoScaling::AutoScalingGroup resource has an associated scheduled action, use the AutoScalingScheduledAction\npolicy."
396
+ },
397
+ "codeDeployLambdaAliasUpdate": {
398
+ "$ref": "#/definitions/CfnCodeDeployLambdaAliasUpdate",
399
+ "description": "To perform an AWS CodeDeploy deployment when the version changes on an AWS::Lambda::Alias resource,\nuse the CodeDeployLambdaAliasUpdate update policy."
400
+ },
401
+ "enableVersionUpgrade": {
402
+ "description": "To upgrade an Amazon ES domain to a new version of Elasticsearch rather than replacing the entire\nAWS::Elasticsearch::Domain resource, use the EnableVersionUpgrade update policy.",
403
+ "type": "boolean"
404
+ },
405
+ "useOnlineResharding": {
406
+ "description": "To modify a replication group's shards by adding or removing shards, rather than replacing the entire\nAWS::ElastiCache::ReplicationGroup resource, use the UseOnlineResharding update policy.",
407
+ "type": "boolean"
408
+ }
409
+ },
410
+ "type": "object"
411
+ },
412
+ "Conditions": {
413
+ "additionalProperties": false,
414
+ "description": "Conditions for when an IAM Policy is in effect, specified in the following structure:\n\n`{ \"Operator\": { \"keyInRequestContext\": \"value\" } }`\n\nThe value can be either a single string value or an array of string values.\n\nFor more information, including which operators are supported, see [the IAM\ndocumentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).",
415
+ "type": "object"
416
+ },
417
+ "Connections": {
418
+ "additionalProperties": false,
419
+ "description": "Manage the allowed network connections for constructs with Security Groups.\n\nSecurity Groups can be thought of as a firewall for network-connected\ndevices. This class makes it easy to allow network connections to and\nfrom security groups, and between security groups individually. When\nestablishing connectivity between security groups, it will automatically\nadd rules in both security groups\n\nThis object can manage one or more security groups.",
420
+ "properties": {
421
+ "_securityGroupRules": {
422
+ "description": "The rule that defines how to represent this peer in a security group"
423
+ },
424
+ "_securityGroups": {
425
+ "description": "Underlying securityGroup for this Connections object, if present\n\nMay be empty if this Connections object is not managing a SecurityGroup,\nbut simply representing a Connectable peer."
426
+ },
427
+ "connections": {
428
+ "$ref": "#/definitions/Connections",
429
+ "description": "The network connections associated with this resource."
430
+ },
431
+ "defaultPort": {
432
+ "$ref": "#/definitions/Port",
433
+ "description": "The default port configured for this connection peer, if available"
434
+ },
435
+ "remoteRule": {
436
+ "description": "When doing bidirectional grants between Security Groups in different stacks, put the rule on the other SG"
437
+ },
438
+ "securityGroups": {
439
+ "items": {
440
+ "$ref": "#/definitions/ISecurityGroup"
441
+ },
442
+ "type": "array"
443
+ },
444
+ "skip": {
445
+ "description": "When doing bidirectional grants between Connections, make sure we don't recursive infinitely"
446
+ }
447
+ },
448
+ "required": [
449
+ "_securityGroupRules",
450
+ "_securityGroups",
451
+ "connections",
452
+ "remoteRule",
453
+ "securityGroups",
454
+ "skip"
455
+ ],
456
+ "type": "object"
457
+ },
68
458
  "DatabaseUsersProps": {
69
459
  "additionalProperties": false,
70
- "description": "Q-ENHANCED-INTERFACE\nRedshift database user configuration interface for automated user management with Secrets Manager integration and password rotation. Defines database user properties including username specification, database assignment, password policy configuration, and automated secret rotation for secure Redshift user lifecycle management.\n\nUse cases: Database user management; Automated password rotation; Secrets management; Database access control; User lifecycle automation; Secure credential management\n\nAWS: Amazon Redshift database users with AWS Secrets Manager integration for automated password rotation and secure credential management\n\nValidation: userName must be valid Redshift username; dbName must be valid database name; excludeCharacters must be valid password exclusion pattern; secretRotationDays must be positive integer",
460
+ "description": "Redshift database user with Secrets Manager credential storage and automated rotation.\n\nUse cases: Automated user provisioning; Credential rotation; Service account management\n\nAWS: Redshift database users with Secrets Manager integration\n\nValidation: userName, dbName, secretRotationDays required",
71
461
  "properties": {
72
462
  "dbName": {
73
463
  "description": "The DB to which the user will be added",
@@ -100,383 +490,2511 @@
100
490
  ],
101
491
  "type": "object"
102
492
  },
103
- "EventCategories": {
104
- "enum": [
105
- "configuration",
106
- "management",
107
- "monitoring",
108
- "pending",
109
- "security"
493
+ "DockerImage": {
494
+ "additionalProperties": false,
495
+ "description": "A Docker image",
496
+ "properties": {
497
+ "image": {
498
+ "description": "The Docker image",
499
+ "type": "string"
500
+ }
501
+ },
502
+ "required": [
503
+ "image"
110
504
  ],
111
- "type": "string"
505
+ "type": "object"
112
506
  },
113
- "EventNotificationsProps": {
507
+ "DomainConfig": {
114
508
  "additionalProperties": false,
115
- "description": "Q-ENHANCED-INTERFACE\nRedshift event notification configuration interface for SNS-based cluster monitoring with event category filtering and severity-based alerting. Defines event notification properties for monitoring Redshift cluster events including configuration changes, management operations, and security events with email notification integration.\n\nUse cases: Cluster monitoring; Event-based alerting; SNS notifications; Email alerts; Operational monitoring; Security event tracking; Cluster health monitoring\n\nAWS: Amazon Redshift event notifications with SNS integration for cluster monitoring and email-based alerting with event category and severity filtering\n\nValidation: eventCategories must be valid EventCategories enum values if specified; severity must be valid EventSeverity enum value if specified; email must be valid email addresses",
116
509
  "properties": {
117
- "email": {
118
- "description": "Q-ENHANCED-PROPERTY\nOptional array of email addresses for Redshift event notification delivery enabling email-based alerting and monitoring. Defines email recipients for SNS notifications triggered by Redshift cluster events, providing direct email delivery of cluster alerts and operational notifications.\n\nUse cases: Email alerting; Direct notification delivery; Operational monitoring; Event-based notifications; Team alerting\n\nAWS: Amazon SNS email notification delivery for Redshift event notifications with email-based alerting\n\nValidation: Must be array of valid email addresses if provided; optional for email notification delivery",
119
- "items": {
510
+ "blueprintIds": {
511
+ "additionalProperties": {
120
512
  "type": "string"
121
513
  },
122
- "type": "array"
514
+ "type": "object"
123
515
  },
124
- "eventCategories": {
125
- "description": "Q-ENHANCED-PROPERTY\nOptional array of event categories for Redshift event notification filtering enabling selective monitoring of specific cluster events. Defines which types of Redshift events will trigger SNS notifications, allowing focused monitoring on configuration changes, management operations, security events, or maintenance activities.\n\nUse cases: Selective event monitoring; Event category filtering; Focused alerting; Operational monitoring; Event-based notifications\n\nAWS: Amazon Redshift event notification categories for selective SNS-based cluster monitoring and alerting\n\nValidation: Must be array of valid EventCategories enum values if provided; optional for event category filtering",
516
+ "configParamArns": {
517
+ "default": [],
126
518
  "items": {
127
- "$ref": "#/definitions/EventCategories"
519
+ "type": "string"
128
520
  },
129
521
  "type": "array"
130
522
  },
131
- "severity": {
132
- "description": "Q-ENHANCED-PROPERTY\nOptional event severity level for Redshift event notification filtering enabling severity-based alerting and monitoring. Defines the minimum severity level of events that will trigger SNS notifications, allowing filtering based on event importance and impact level.\n\nUse cases: Severity-based filtering; Critical event alerting; Event importance filtering; Alert prioritization; Monitoring optimization\n\nAWS: Amazon Redshift event notification severity filtering for SNS-based alerting with severity-level control\n\nValidation: Must be valid EventSeverity enum value if provided; optional for severity-based filtering",
133
- "enum": [
134
- "ERROR",
135
- "INFO"
136
- ],
523
+ "customResourceRoleName": {
137
524
  "type": "string"
138
- }
139
- },
140
- "type": "object"
141
- },
142
- "FederationProps": {
143
- "additionalProperties": false,
144
- "description": "Q-ENHANCED-INTERFACE\nRedshift federated authentication configuration interface for SAML-based identity provider integration with IAM provider mapping. Defines federation properties for Redshift data warehouse including federation name specification, IAM identity provider ARN, and deprecated URL configuration for secure federated access to analytics workloads.\n\nUse cases: Federated authentication; SAML identity integration; IAM provider mapping; Secure data warehouse access; Identity federation; Single sign-on integration\n\nAWS: Redshift federated authentication with SAML identity provider integration for secure data warehouse access and identity management\n\nValidation: federationName must be valid federation identifier; providerArn must be valid IAM identity provider ARN; url is deprecated and should not be used",
145
- "properties": {
146
- "federationName": {
147
- "description": "Name of the federation for reference elsewhere in the config.",
525
+ },
526
+ "domainArn": {
148
527
  "type": "string"
149
528
  },
150
- "providerArn": {
151
- "description": "Arn of the IAM Identity Provider through which federation will occur",
529
+ "domainBucketArn": {
152
530
  "type": "string"
153
531
  },
154
- "url": {
155
- "description": "Deprecated. No Longer used.",
532
+ "domainBucketUsagePolicyName": {
156
533
  "type": "string"
157
- }
158
- },
159
- "required": [
160
- "federationName",
161
- "providerArn"
162
- ],
534
+ },
535
+ "domainConfigCr": {
536
+ "$ref": "#/definitions/MdaaCustomResource"
537
+ },
538
+ "domainId": {
539
+ "type": "string"
540
+ },
541
+ "domainKmsKeyArn": {
542
+ "type": "string"
543
+ },
544
+ "domainKmsUsagePolicyName": {
545
+ "type": "string"
546
+ },
547
+ "domainName": {
548
+ "type": "string"
549
+ },
550
+ "domainUnitIds": {
551
+ "additionalProperties": {
552
+ "type": "string"
553
+ },
554
+ "type": "object"
555
+ },
556
+ "domainVersion": {
557
+ "type": "string"
558
+ },
559
+ "glueCatalogArns": {
560
+ "items": {
561
+ "type": "string"
562
+ },
563
+ "type": "array"
564
+ },
565
+ "glueCatalogKmsKeyArns": {
566
+ "items": {
567
+ "type": "string"
568
+ },
569
+ "type": "array"
570
+ },
571
+ "node": {
572
+ "$ref": "#/definitions/Node",
573
+ "description": "The tree node."
574
+ },
575
+ "projectIds": {
576
+ "additionalProperties": {
577
+ "type": "string"
578
+ },
579
+ "type": "object"
580
+ },
581
+ "props": {
582
+ "$ref": "#/definitions/DomainConfigProps"
583
+ },
584
+ "ssmParamBase": {
585
+ "type": "string"
586
+ }
587
+ },
588
+ "required": [
589
+ "blueprintIds",
590
+ "configParamArns",
591
+ "customResourceRoleName",
592
+ "domainArn",
593
+ "domainBucketArn",
594
+ "domainBucketUsagePolicyName",
595
+ "domainConfigCr",
596
+ "domainId",
597
+ "domainKmsKeyArn",
598
+ "domainKmsUsagePolicyName",
599
+ "domainName",
600
+ "domainUnitIds",
601
+ "domainVersion",
602
+ "glueCatalogArns",
603
+ "glueCatalogKmsKeyArns",
604
+ "node",
605
+ "projectIds",
606
+ "props",
607
+ "ssmParamBase"
608
+ ],
609
+ "type": "object"
610
+ },
611
+ "DomainConfigProps": {
612
+ "additionalProperties": false,
613
+ "properties": {
614
+ "blueprintIds": {
615
+ "additionalProperties": {
616
+ "type": "string"
617
+ },
618
+ "type": "object"
619
+ },
620
+ "createConfigParams": {
621
+ "type": "boolean"
622
+ },
623
+ "createOutputs": {
624
+ "description": "Flag controlling CloudFormation output and stack export creation for construct resources",
625
+ "type": "boolean"
626
+ },
627
+ "createParams": {
628
+ "description": "Flag controlling SSM parameter creation for construct resource references enabling",
629
+ "type": "boolean"
630
+ },
631
+ "customResourceRoleName": {
632
+ "type": "string"
633
+ },
634
+ "domainArn": {
635
+ "description": "DataZone domain ARN for AWS resource identification and IAM policy integration enabling",
636
+ "type": "string"
637
+ },
638
+ "domainBucketArn": {
639
+ "type": "string"
640
+ },
641
+ "domainBucketUsagePolicyName": {
642
+ "description": "Domain Bucket usage policy name",
643
+ "type": "string"
644
+ },
645
+ "domainId": {
646
+ "description": "DataZone domain ID for unique domain identification within AWS enabling cross-service",
647
+ "type": "string"
648
+ },
649
+ "domainKmsKeyArn": {
650
+ "description": "KMS key ARN for domain encryption ensuring data protection compliance and secure domain operations",
651
+ "type": "string"
652
+ },
653
+ "domainKmsUsagePolicyName": {
654
+ "description": "Domain KMS usage policy name for key access management enabling controlled encryption key",
655
+ "type": "string"
656
+ },
657
+ "domainName": {
658
+ "description": "DataZone domain name for domain identification and management enabling unique domain naming",
659
+ "type": "string"
660
+ },
661
+ "domainUnitIds": {
662
+ "additionalProperties": {
663
+ "type": "string"
664
+ },
665
+ "description": "Map of domain unit names to identifiers for hierarchical domain organization enabling",
666
+ "type": "object"
667
+ },
668
+ "domainVersion": {
669
+ "description": "Domain version for domain lifecycle management and versioning control enabling domain evolution tracking",
670
+ "type": "string"
671
+ },
672
+ "glueCatalogArns": {
673
+ "description": "Array of Glue catalog ARNs for catalog integration enabling data catalog connectivity with DataZone",
674
+ "items": {
675
+ "type": "string"
676
+ },
677
+ "type": "array"
678
+ },
679
+ "glueCatalogKmsKeyArns": {
680
+ "description": "Array of Glue catalog KMS key ARNs for catalog encryption enabling secure catalog integration with DataZone",
681
+ "items": {
682
+ "type": "string"
683
+ },
684
+ "type": "array"
685
+ },
686
+ "naming": {
687
+ "$ref": "#/definitions/IMdaaResourceNaming",
688
+ "description": "MDAA naming implementation for consistent resource naming across all MDAA constructs"
689
+ },
690
+ "projectIds": {
691
+ "additionalProperties": {
692
+ "type": "string"
693
+ },
694
+ "type": "object"
695
+ },
696
+ "refresh": {
697
+ "type": "boolean"
698
+ },
699
+ "ssmParamBase": {
700
+ "description": "SSM parameter base path for domain configuration storage enabling centralized configuration management",
701
+ "type": "string"
702
+ }
703
+ },
704
+ "required": [
705
+ "naming",
706
+ "ssmParamBase"
707
+ ],
708
+ "type": "object"
709
+ },
710
+ "Duration": {
711
+ "additionalProperties": false,
712
+ "description": "Represents a length of time.\n\nThe amount can be specified either as a literal value (e.g: `10`) which\ncannot be negative, or as an unresolved number token.\n\nWhen the amount is passed as a token, unit conversion is not possible.",
713
+ "properties": {
714
+ "amount": {},
715
+ "components": {
716
+ "description": "Return the duration in a set of whole numbered time components, ordered from largest to smallest\n\nOnly components != 0 will be returned.\n\nCan combine millis and seconds together for the benefit of toIsoString,\nmakes the logic in there simpler."
717
+ },
718
+ "unit": {}
719
+ },
720
+ "required": [
721
+ "amount",
722
+ "components",
723
+ "unit"
724
+ ],
725
+ "type": "object"
726
+ },
727
+ "EventCategories": {
728
+ "enum": [
729
+ "configuration",
730
+ "management",
731
+ "monitoring",
732
+ "pending",
733
+ "security"
734
+ ],
735
+ "type": "string"
736
+ },
737
+ "EventNotificationsProps": {
738
+ "additionalProperties": false,
739
+ "description": "Event notification configuration for Redshift cluster monitoring via SNS.\nSupports event category filtering, severity-based alerting, and email delivery.\n\nUse cases: Cluster health monitoring; Security event alerting; Operational notifications\n\nAWS: SNS notifications for Redshift cluster events\n\nValidation: All fields optional",
740
+ "properties": {
741
+ "email": {
742
+ "description": "Email addresses for SNS notification delivery.\nAn SNS topic is created regardless; emails are added as subscriptions.\n\nUse cases: Team alerting; Operational monitoring; Event notification delivery\n\nAWS: SNS email subscriptions for Redshift events\n\nValidation: Optional; array of valid email addresses",
743
+ "items": {
744
+ "type": "string"
745
+ },
746
+ "type": "array"
747
+ },
748
+ "eventCategories": {
749
+ "description": "Event categories to monitor. Valid values: 'configuration', 'management', 'monitoring', 'security', 'pending'.\n\nUse cases: Selective event monitoring; Category-based alerting\n\nAWS: Redshift event notification category filter\n\nValidation: Optional; array of valid EventCategories values",
750
+ "items": {
751
+ "$ref": "#/definitions/EventCategories"
752
+ },
753
+ "type": "array"
754
+ },
755
+ "severity": {
756
+ "description": "Minimum event severity level: 'ERROR' or 'INFO'.\n\nUse cases: Severity-based filtering; Critical-only alerting\n\nAWS: Redshift event notification severity filter\n\nValidation: Optional; 'ERROR' | 'INFO'",
757
+ "enum": [
758
+ "ERROR",
759
+ "INFO"
760
+ ],
761
+ "type": "string"
762
+ }
763
+ },
764
+ "type": "object"
765
+ },
766
+ "FederationProps": {
767
+ "additionalProperties": false,
768
+ "description": "SAML federation configuration for Redshift cluster access.\nCreates IAM roles with SAML trust for dynamic credential generation and group-based access.\n\nUse cases: SAML SSO integration; Federated cluster access; Identity provider mapping\n\nAWS: IAM SAML roles for Redshift federated authentication\n\nValidation: federationName and providerArn required; url deprecated",
769
+ "properties": {
770
+ "federationName": {
771
+ "description": "Name of the federation for reference elsewhere in the config.",
772
+ "type": "string"
773
+ },
774
+ "providerArn": {
775
+ "description": "Arn of the IAM Identity Provider through which federation will occur",
776
+ "type": "string"
777
+ },
778
+ "url": {
779
+ "description": "Deprecated. No Longer used.",
780
+ "type": "string"
781
+ }
782
+ },
783
+ "required": [
784
+ "federationName",
785
+ "providerArn"
786
+ ],
787
+ "type": "object"
788
+ },
789
+ "FunctionReference": {
790
+ "additionalProperties": false,
791
+ "description": "A reference to a Function resource.",
792
+ "properties": {
793
+ "functionArn": {
794
+ "description": "The ARN of the Function resource.",
795
+ "type": "string"
796
+ },
797
+ "functionName": {
798
+ "description": "The FunctionName of the Function resource.",
799
+ "type": "string"
800
+ }
801
+ },
802
+ "required": [
803
+ "functionArn",
804
+ "functionName"
805
+ ],
806
+ "type": "object"
807
+ },
808
+ "ICfnConditionExpression": {
809
+ "additionalProperties": false,
810
+ "description": "Represents a CloudFormation element that can be used within a Condition.\n\nYou can use intrinsic functions, such as ``Fn.conditionIf``,\n``Fn.conditionEquals``, and ``Fn.conditionNot``, to conditionally create\nstack resources. These conditions are evaluated based on input parameters\nthat you declare when you create or update a stack. After you define all your\nconditions, you can associate them with resources or resource properties in\nthe Resources and Outputs sections of a template.\n\nYou define all conditions in the Conditions section of a template except for\n``Fn.conditionIf`` conditions. You can use the ``Fn.conditionIf`` condition\nin the metadata attribute, update policy attribute, and property values in\nthe Resources section and Outputs sections of a template.\n\nYou might use conditions when you want to reuse a template that can create\nresources in different contexts, such as a test environment versus a\nproduction environment. In your template, you can add an EnvironmentType\ninput parameter, which accepts either prod or test as inputs. For the\nproduction environment, you might include Amazon EC2 instances with certain\ncapabilities; however, for the test environment, you want to use less\ncapabilities to save costs. With conditions, you can define which resources\nare created and how they're configured for each environment type.\n\nYou can use `toString` when you wish to embed a condition expression\nin a property value that accepts a `string`. For example:\n\n```ts\nnew sqs.Queue(this, 'MyQueue', {\n queueName: Fn.conditionIf('Condition', 'Hello', 'World').toString()\n});\n```",
811
+ "properties": {
812
+ "creationStack": {
813
+ "description": "The creation stack of this resolvable which will be appended to errors\nthrown during resolution.\n\nThis may return an array with a single informational element indicating how\nto get this property populated, if it was skipped for performance reasons.",
814
+ "items": {
815
+ "type": "string"
816
+ },
817
+ "type": "array"
818
+ },
819
+ "typeHint": {
820
+ "description": "The type that this token will likely resolve to.",
821
+ "enum": [
822
+ "number",
823
+ "string",
824
+ "string-list"
825
+ ],
826
+ "type": "string"
827
+ }
828
+ },
829
+ "required": [
830
+ "creationStack"
831
+ ],
832
+ "type": "object"
833
+ },
834
+ "ICfnResourceOptions": {
835
+ "additionalProperties": false,
836
+ "properties": {
837
+ "condition": {
838
+ "$ref": "#/definitions/CfnCondition",
839
+ "description": "A condition to associate with this resource. This means that only if the condition evaluates to 'true' when the stack\nis deployed, the resource will be included. This is provided to allow CDK projects to produce legacy templates, but normally\nthere is no need to use it in CDK projects."
840
+ },
841
+ "creationPolicy": {
842
+ "$ref": "#/definitions/CfnCreationPolicy",
843
+ "description": "Associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until\nAWS CloudFormation receives a specified number of success signals or the timeout period is exceeded. To signal a\nresource, you can use the cfn-signal helper script or SignalResource API. AWS CloudFormation publishes valid signals\nto the stack events so that you track the number of signals sent."
844
+ },
845
+ "deletionPolicy": {
846
+ "description": "With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is deleted.\nYou specify a DeletionPolicy attribute for each resource that you want to control. If a resource has no DeletionPolicy\nattribute, AWS CloudFormation deletes the resource by default. Note that this capability also applies to update operations\nthat lead to resources being removed.",
847
+ "enum": [
848
+ "Delete",
849
+ "Retain",
850
+ "RetainExceptOnCreate",
851
+ "Snapshot"
852
+ ],
853
+ "type": "string"
854
+ },
855
+ "description": {
856
+ "description": "The description of this resource.\nUsed for informational purposes only, is not processed in any way\n(and stays with the CloudFormation template, is not passed to the underlying resource,\neven if it does have a 'description' property).",
857
+ "type": "string"
858
+ },
859
+ "metadata": {
860
+ "additionalProperties": {},
861
+ "description": "Metadata associated with the CloudFormation resource. This is not the same as the construct metadata which can be added\nusing construct.addMetadata(), but would not appear in the CloudFormation template automatically.",
862
+ "type": "object"
863
+ },
864
+ "updatePolicy": {
865
+ "$ref": "#/definitions/CfnUpdatePolicy",
866
+ "description": "Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup\nresource. AWS CloudFormation invokes one of three update policies depending on the type of change you make or whether a\nscheduled action is associated with the Auto Scaling group."
867
+ },
868
+ "updateReplacePolicy": {
869
+ "description": "Use the UpdateReplacePolicy attribute to retain or (in some cases) backup the existing physical instance of a resource\nwhen it is replaced during a stack update operation.",
870
+ "enum": [
871
+ "Delete",
872
+ "Retain",
873
+ "RetainExceptOnCreate",
874
+ "Snapshot"
875
+ ],
876
+ "type": "string"
877
+ },
878
+ "version": {
879
+ "description": "The version of this resource.\nUsed only for custom CloudFormation resources.",
880
+ "type": "string"
881
+ }
882
+ },
883
+ "type": "object"
884
+ },
885
+ "IConstruct": {
886
+ "additionalProperties": false,
887
+ "description": "Represents a construct.",
888
+ "properties": {
889
+ "node": {
890
+ "$ref": "#/definitions/Node",
891
+ "description": "The tree node."
892
+ }
893
+ },
894
+ "required": [
895
+ "node"
896
+ ],
897
+ "type": "object"
898
+ },
899
+ "IFunction": {
900
+ "additionalProperties": false,
901
+ "properties": {
902
+ "architecture": {
903
+ "$ref": "#/definitions/Architecture",
904
+ "description": "The system architectures compatible with this lambda function."
905
+ },
906
+ "connections": {
907
+ "$ref": "#/definitions/Connections",
908
+ "description": "The network connections associated with this resource."
909
+ },
910
+ "env": {
911
+ "$ref": "#/definitions/ResourceEnvironment",
912
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
913
+ },
914
+ "functionArn": {
915
+ "description": "The ARN of the function.",
916
+ "type": "string"
917
+ },
918
+ "functionName": {
919
+ "description": "The name of the function.",
920
+ "type": "string"
921
+ },
922
+ "functionRef": {
923
+ "$ref": "#/definitions/FunctionReference",
924
+ "description": "A reference to a Function resource."
925
+ },
926
+ "grantPrincipal": {
927
+ "$ref": "#/definitions/IPrincipal",
928
+ "description": "The principal to grant permissions to"
929
+ },
930
+ "isBoundToVpc": {
931
+ "description": "Whether or not this Lambda function was bound to a VPC\n\nIf this is is `false`, trying to access the `connections` object will fail.",
932
+ "type": "boolean"
933
+ },
934
+ "latestVersion": {
935
+ "$ref": "#/definitions/IVersion",
936
+ "description": "The `$LATEST` version of this function.\n\nNote that this is reference to a non-specific AWS Lambda version, which\nmeans the function this version refers to can return different results in\ndifferent invocations.\n\nTo obtain a reference to an explicit version which references the current\nfunction configuration, use `lambdaFunction.currentVersion` instead."
937
+ },
938
+ "node": {
939
+ "$ref": "#/definitions/Node",
940
+ "description": "The tree node."
941
+ },
942
+ "permissionsNode": {
943
+ "$ref": "#/definitions/Node",
944
+ "description": "The construct node where permissions are attached."
945
+ },
946
+ "resourceArnsForGrantInvoke": {
947
+ "description": "The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().\n\nThis property is for cdk modules to consume only. You should not need to use this property.\nInstead, use grantInvoke() directly.",
948
+ "items": {
949
+ "type": "string"
950
+ },
951
+ "type": "array"
952
+ },
953
+ "role": {
954
+ "$ref": "#/definitions/IRole",
955
+ "description": "The IAM role associated with this function."
956
+ },
957
+ "stack": {
958
+ "$ref": "#/definitions/Stack",
959
+ "description": "The stack in which this resource is defined."
960
+ }
961
+ },
962
+ "required": [
963
+ "architecture",
964
+ "connections",
965
+ "env",
966
+ "functionArn",
967
+ "functionName",
968
+ "functionRef",
969
+ "grantPrincipal",
970
+ "isBoundToVpc",
971
+ "latestVersion",
972
+ "node",
973
+ "permissionsNode",
974
+ "resourceArnsForGrantInvoke",
975
+ "stack"
976
+ ],
977
+ "type": "object"
978
+ },
979
+ "IKey": {
980
+ "additionalProperties": false,
981
+ "description": "A KMS Key, either managed by this CDK app, or imported.\n\nThis interface does double duty: it represents an actual KMS keys, but it\nalso represents things that can behave like KMS keys, like a key alias.",
982
+ "properties": {
983
+ "env": {
984
+ "$ref": "#/definitions/ResourceEnvironment",
985
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
986
+ },
987
+ "keyArn": {
988
+ "description": "The ARN of the key.",
989
+ "type": "string"
990
+ },
991
+ "keyId": {
992
+ "description": "The ID of the key\n(the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).",
993
+ "type": "string"
994
+ },
995
+ "keyRef": {
996
+ "$ref": "#/definitions/KeyReference",
997
+ "description": "A reference to a Key resource."
998
+ },
999
+ "node": {
1000
+ "$ref": "#/definitions/Node",
1001
+ "description": "The tree node."
1002
+ },
1003
+ "stack": {
1004
+ "$ref": "#/definitions/Stack",
1005
+ "description": "The stack in which this resource is defined."
1006
+ }
1007
+ },
1008
+ "required": [
1009
+ "env",
1010
+ "keyArn",
1011
+ "keyId",
1012
+ "keyRef",
1013
+ "node",
1014
+ "stack"
1015
+ ],
1016
+ "type": "object"
1017
+ },
1018
+ "ILayerVersion": {
1019
+ "additionalProperties": false,
1020
+ "properties": {
1021
+ "compatibleRuntimes": {
1022
+ "default": "- All supported runtimes. Setting this to Runtime.ALL is equivalent to leaving it undefined.",
1023
+ "description": "The runtimes compatible with this Layer.",
1024
+ "items": {
1025
+ "$ref": "#/definitions/Runtime"
1026
+ },
1027
+ "type": "array"
1028
+ },
1029
+ "env": {
1030
+ "$ref": "#/definitions/ResourceEnvironment",
1031
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
1032
+ },
1033
+ "layerVersionArn": {
1034
+ "description": "The ARN of the Lambda Layer version that this Layer defines.",
1035
+ "type": "string"
1036
+ },
1037
+ "layerVersionRef": {
1038
+ "$ref": "#/definitions/LayerVersionReference",
1039
+ "description": "A reference to a LayerVersion resource."
1040
+ },
1041
+ "node": {
1042
+ "$ref": "#/definitions/Node",
1043
+ "description": "The tree node."
1044
+ },
1045
+ "stack": {
1046
+ "$ref": "#/definitions/Stack",
1047
+ "description": "The stack in which this resource is defined."
1048
+ }
1049
+ },
1050
+ "required": [
1051
+ "env",
1052
+ "layerVersionArn",
1053
+ "layerVersionRef",
1054
+ "node",
1055
+ "stack"
1056
+ ],
1057
+ "type": "object"
1058
+ },
1059
+ "ILogGroup": {
1060
+ "additionalProperties": false,
1061
+ "properties": {
1062
+ "env": {
1063
+ "$ref": "#/definitions/ResourceEnvironment",
1064
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
1065
+ },
1066
+ "logGroupArn": {
1067
+ "description": "The ARN of this log group, with ':*' appended",
1068
+ "type": "string"
1069
+ },
1070
+ "logGroupName": {
1071
+ "description": "The name of this log group",
1072
+ "type": "string"
1073
+ },
1074
+ "node": {
1075
+ "$ref": "#/definitions/Node",
1076
+ "description": "The tree node."
1077
+ },
1078
+ "stack": {
1079
+ "$ref": "#/definitions/Stack",
1080
+ "description": "The stack in which this resource is defined."
1081
+ }
1082
+ },
1083
+ "required": [
1084
+ "env",
1085
+ "logGroupArn",
1086
+ "logGroupName",
1087
+ "node",
1088
+ "stack"
1089
+ ],
1090
+ "type": "object"
1091
+ },
1092
+ "IMdaaResourceNaming": {
1093
+ "additionalProperties": false,
1094
+ "properties": {
1095
+ "props": {
1096
+ "$ref": "#/definitions/MdaaResourceNamingConfig",
1097
+ "description": "Configuration properties containing organizational context and CDK node access for the naming implementation"
1098
+ }
1099
+ },
1100
+ "required": [
1101
+ "props"
1102
+ ],
1103
+ "type": "object"
1104
+ },
1105
+ "IPrincipal": {
1106
+ "additionalProperties": false,
1107
+ "description": "Represents a logical IAM principal.\n\nAn IPrincipal describes a logical entity that can perform AWS API calls\nagainst sets of resources, optionally under certain conditions.\n\nExamples of simple principals are IAM objects that you create, such\nas Users or Roles.\n\nAn example of a more complex principals is a `ServicePrincipal` (such as\n`new ServicePrincipal(\"sns.amazonaws.com\")`, which represents the Simple\nNotifications Service).\n\nA single logical Principal may also map to a set of physical principals.\nFor example, `new OrganizationPrincipal('o-12345abcde')` represents all\nidentities that are part of the given AWS Organization.",
1108
+ "properties": {
1109
+ "assumeRoleAction": {
1110
+ "description": "When this Principal is used in an AssumeRole policy, the action to use.",
1111
+ "type": "string"
1112
+ },
1113
+ "grantPrincipal": {
1114
+ "$ref": "#/definitions/IPrincipal",
1115
+ "description": "The principal to grant permissions to"
1116
+ },
1117
+ "policyFragment": {
1118
+ "$ref": "#/definitions/PrincipalPolicyFragment",
1119
+ "description": "Return the policy fragment that identifies this principal in a Policy."
1120
+ },
1121
+ "principalAccount": {
1122
+ "description": "The AWS account ID of this principal.\nCan be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.",
1123
+ "type": "string"
1124
+ }
1125
+ },
1126
+ "required": [
1127
+ "assumeRoleAction",
1128
+ "grantPrincipal",
1129
+ "policyFragment"
1130
+ ],
1131
+ "type": "object"
1132
+ },
1133
+ "IQueue": {
1134
+ "additionalProperties": false,
1135
+ "description": "Represents an SQS queue",
1136
+ "properties": {
1137
+ "encryptionMasterKey": {
1138
+ "$ref": "#/definitions/IKey",
1139
+ "description": "If this queue is server-side encrypted, this is the KMS encryption key."
1140
+ },
1141
+ "encryptionType": {
1142
+ "description": "Whether the contents of the queue are encrypted, and by what type of key.",
1143
+ "enum": [
1144
+ "KMS",
1145
+ "KMS_MANAGED",
1146
+ "NONE",
1147
+ "SQS_MANAGED"
1148
+ ],
1149
+ "type": "string"
1150
+ },
1151
+ "env": {
1152
+ "$ref": "#/definitions/ResourceEnvironment",
1153
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
1154
+ },
1155
+ "fifo": {
1156
+ "description": "Whether this queue is an Amazon SQS FIFO queue. If false, this is a standard queue.",
1157
+ "type": "boolean"
1158
+ },
1159
+ "node": {
1160
+ "$ref": "#/definitions/Node",
1161
+ "description": "The tree node."
1162
+ },
1163
+ "queueArn": {
1164
+ "description": "The ARN of this queue",
1165
+ "type": "string"
1166
+ },
1167
+ "queueName": {
1168
+ "description": "The name of this queue",
1169
+ "type": "string"
1170
+ },
1171
+ "queueUrl": {
1172
+ "description": "The URL of this queue",
1173
+ "type": "string"
1174
+ },
1175
+ "stack": {
1176
+ "$ref": "#/definitions/Stack",
1177
+ "description": "The stack in which this resource is defined."
1178
+ }
1179
+ },
1180
+ "required": [
1181
+ "env",
1182
+ "fifo",
1183
+ "node",
1184
+ "queueArn",
1185
+ "queueName",
1186
+ "queueUrl",
1187
+ "stack"
1188
+ ],
1189
+ "type": "object"
1190
+ },
1191
+ "IResolvable": {
1192
+ "additionalProperties": false,
1193
+ "description": "Interface for values that can be resolvable later\n\nTokens are special objects that participate in synthesis.",
1194
+ "properties": {
1195
+ "creationStack": {
1196
+ "description": "The creation stack of this resolvable which will be appended to errors\nthrown during resolution.\n\nThis may return an array with a single informational element indicating how\nto get this property populated, if it was skipped for performance reasons.",
1197
+ "items": {
1198
+ "type": "string"
1199
+ },
1200
+ "type": "array"
1201
+ },
1202
+ "typeHint": {
1203
+ "description": "The type that this token will likely resolve to.",
1204
+ "enum": [
1205
+ "number",
1206
+ "string",
1207
+ "string-list"
1208
+ ],
1209
+ "type": "string"
1210
+ }
1211
+ },
1212
+ "required": [
1213
+ "creationStack"
1214
+ ],
1215
+ "type": "object"
1216
+ },
1217
+ "IRole": {
1218
+ "additionalProperties": false,
1219
+ "description": "A Role object",
1220
+ "properties": {
1221
+ "assumeRoleAction": {
1222
+ "description": "When this Principal is used in an AssumeRole policy, the action to use.",
1223
+ "type": "string"
1224
+ },
1225
+ "env": {
1226
+ "$ref": "#/definitions/ResourceEnvironment",
1227
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
1228
+ },
1229
+ "grantPrincipal": {
1230
+ "$ref": "#/definitions/IPrincipal",
1231
+ "description": "The principal to grant permissions to"
1232
+ },
1233
+ "node": {
1234
+ "$ref": "#/definitions/Node",
1235
+ "description": "The tree node."
1236
+ },
1237
+ "policyFragment": {
1238
+ "$ref": "#/definitions/PrincipalPolicyFragment",
1239
+ "description": "Return the policy fragment that identifies this principal in a Policy."
1240
+ },
1241
+ "principalAccount": {
1242
+ "description": "The AWS account ID of this principal.\nCan be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.",
1243
+ "type": "string"
1244
+ },
1245
+ "roleArn": {
1246
+ "description": "Returns the ARN of this role.",
1247
+ "type": "string"
1248
+ },
1249
+ "roleName": {
1250
+ "description": "Returns the name of this role.",
1251
+ "type": "string"
1252
+ },
1253
+ "roleRef": {
1254
+ "$ref": "#/definitions/RoleReference",
1255
+ "description": "A reference to a Role resource."
1256
+ },
1257
+ "stack": {
1258
+ "$ref": "#/definitions/Stack",
1259
+ "description": "The stack in which this resource is defined."
1260
+ }
1261
+ },
1262
+ "required": [
1263
+ "assumeRoleAction",
1264
+ "env",
1265
+ "grantPrincipal",
1266
+ "node",
1267
+ "policyFragment",
1268
+ "roleArn",
1269
+ "roleName",
1270
+ "roleRef",
1271
+ "stack"
1272
+ ],
1273
+ "type": "object"
1274
+ },
1275
+ "ISecurityGroup": {
1276
+ "additionalProperties": false,
1277
+ "description": "Interface for security group-like objects",
1278
+ "properties": {
1279
+ "allowAllOutbound": {
1280
+ "description": "Whether the SecurityGroup has been configured to allow all outbound traffic",
1281
+ "type": "boolean"
1282
+ },
1283
+ "canInlineRule": {
1284
+ "description": "Whether the rule can be inlined into a SecurityGroup or not",
1285
+ "type": "boolean"
1286
+ },
1287
+ "connections": {
1288
+ "$ref": "#/definitions/Connections",
1289
+ "description": "The network connections associated with this resource."
1290
+ },
1291
+ "env": {
1292
+ "$ref": "#/definitions/ResourceEnvironment",
1293
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
1294
+ },
1295
+ "node": {
1296
+ "$ref": "#/definitions/Node",
1297
+ "description": "The tree node."
1298
+ },
1299
+ "securityGroupId": {
1300
+ "description": "ID for the current security group",
1301
+ "type": "string"
1302
+ },
1303
+ "securityGroupRef": {
1304
+ "$ref": "#/definitions/SecurityGroupReference",
1305
+ "description": "A reference to a SecurityGroup resource."
1306
+ },
1307
+ "stack": {
1308
+ "$ref": "#/definitions/Stack",
1309
+ "description": "The stack in which this resource is defined."
1310
+ },
1311
+ "uniqueId": {
1312
+ "description": "A unique identifier for this connection peer",
1313
+ "type": "string"
1314
+ }
1315
+ },
1316
+ "required": [
1317
+ "allowAllOutbound",
1318
+ "canInlineRule",
1319
+ "connections",
1320
+ "env",
1321
+ "node",
1322
+ "securityGroupId",
1323
+ "securityGroupRef",
1324
+ "stack",
1325
+ "uniqueId"
1326
+ ],
1327
+ "type": "object"
1328
+ },
1329
+ "IStackSynthesizer": {
1330
+ "additionalProperties": false,
1331
+ "description": "Encodes information how a certain Stack should be deployed",
1332
+ "properties": {
1333
+ "bootstrapQualifier": {
1334
+ "default": "- no qualifier",
1335
+ "description": "The qualifier used to bootstrap this stack",
1336
+ "type": "string"
1337
+ },
1338
+ "lookupRole": {
1339
+ "default": "- no role",
1340
+ "description": "The role used to lookup for this stack",
1341
+ "type": "string"
1342
+ }
1343
+ },
1344
+ "type": "object"
1345
+ },
1346
+ "ITemplateOptions": {
1347
+ "additionalProperties": false,
1348
+ "description": "CloudFormation template options for a stack.",
1349
+ "properties": {
1350
+ "description": {
1351
+ "description": "Gets or sets the description of this stack.\nIf provided, it will be included in the CloudFormation template's \"Description\" attribute.",
1352
+ "type": "string"
1353
+ },
1354
+ "metadata": {
1355
+ "additionalProperties": {},
1356
+ "description": "Metadata associated with the CloudFormation template.",
1357
+ "type": "object"
1358
+ },
1359
+ "templateFormatVersion": {
1360
+ "description": "Gets or sets the AWSTemplateFormatVersion field of the CloudFormation template.",
1361
+ "type": "string"
1362
+ },
1363
+ "transforms": {
1364
+ "description": "Gets or sets the top-level template transform(s) for this stack (e.g. `[\"AWS::Serverless-2016-10-31\"]`).",
1365
+ "items": {
1366
+ "type": "string"
1367
+ },
1368
+ "type": "array"
1369
+ }
1370
+ },
1371
+ "type": "object"
1372
+ },
1373
+ "ITopic": {
1374
+ "additionalProperties": false,
1375
+ "description": "Represents an SNS topic",
1376
+ "properties": {
1377
+ "contentBasedDeduplication": {
1378
+ "description": "Enables content-based deduplication for FIFO topics.",
1379
+ "type": "boolean"
1380
+ },
1381
+ "env": {
1382
+ "$ref": "#/definitions/ResourceEnvironment",
1383
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
1384
+ },
1385
+ "fifo": {
1386
+ "description": "Whether this topic is an Amazon SNS FIFO queue. If false, this is a standard topic.",
1387
+ "type": "boolean"
1388
+ },
1389
+ "masterKey": {
1390
+ "$ref": "#/definitions/IKey",
1391
+ "default": "None",
1392
+ "description": "A KMS Key, either managed by this CDK app, or imported.\n\nThis property applies only to server-side encryption."
1393
+ },
1394
+ "node": {
1395
+ "$ref": "#/definitions/Node",
1396
+ "description": "The tree node."
1397
+ },
1398
+ "stack": {
1399
+ "$ref": "#/definitions/Stack",
1400
+ "description": "The stack in which this resource is defined."
1401
+ },
1402
+ "topicArn": {
1403
+ "description": "The ARN of the topic",
1404
+ "type": "string"
1405
+ },
1406
+ "topicName": {
1407
+ "description": "The name of the topic",
1408
+ "type": "string"
1409
+ }
1410
+ },
1411
+ "required": [
1412
+ "contentBasedDeduplication",
1413
+ "env",
1414
+ "fifo",
1415
+ "node",
1416
+ "stack",
1417
+ "topicArn",
1418
+ "topicName"
1419
+ ],
1420
+ "type": "object"
1421
+ },
1422
+ "IVersion": {
1423
+ "additionalProperties": false,
1424
+ "properties": {
1425
+ "architecture": {
1426
+ "$ref": "#/definitions/Architecture",
1427
+ "description": "The system architectures compatible with this lambda function."
1428
+ },
1429
+ "connections": {
1430
+ "$ref": "#/definitions/Connections",
1431
+ "description": "The network connections associated with this resource."
1432
+ },
1433
+ "edgeArn": {
1434
+ "description": "The ARN of the version for Lambda@Edge.",
1435
+ "type": "string"
1436
+ },
1437
+ "env": {
1438
+ "$ref": "#/definitions/ResourceEnvironment",
1439
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
1440
+ },
1441
+ "functionArn": {
1442
+ "description": "The ARN of the function.",
1443
+ "type": "string"
1444
+ },
1445
+ "functionName": {
1446
+ "description": "The name of the function.",
1447
+ "type": "string"
1448
+ },
1449
+ "functionRef": {
1450
+ "$ref": "#/definitions/FunctionReference",
1451
+ "description": "A reference to a Function resource."
1452
+ },
1453
+ "grantPrincipal": {
1454
+ "$ref": "#/definitions/IPrincipal",
1455
+ "description": "The principal to grant permissions to"
1456
+ },
1457
+ "isBoundToVpc": {
1458
+ "description": "Whether or not this Lambda function was bound to a VPC\n\nIf this is is `false`, trying to access the `connections` object will fail.",
1459
+ "type": "boolean"
1460
+ },
1461
+ "lambda": {
1462
+ "$ref": "#/definitions/IFunction",
1463
+ "description": "The underlying AWS Lambda function."
1464
+ },
1465
+ "latestVersion": {
1466
+ "$ref": "#/definitions/IVersion",
1467
+ "description": "The `$LATEST` version of this function.\n\nNote that this is reference to a non-specific AWS Lambda version, which\nmeans the function this version refers to can return different results in\ndifferent invocations.\n\nTo obtain a reference to an explicit version which references the current\nfunction configuration, use `lambdaFunction.currentVersion` instead."
1468
+ },
1469
+ "node": {
1470
+ "$ref": "#/definitions/Node",
1471
+ "description": "The tree node."
1472
+ },
1473
+ "permissionsNode": {
1474
+ "$ref": "#/definitions/Node",
1475
+ "description": "The construct node where permissions are attached."
1476
+ },
1477
+ "resourceArnsForGrantInvoke": {
1478
+ "description": "The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().\n\nThis property is for cdk modules to consume only. You should not need to use this property.\nInstead, use grantInvoke() directly.",
1479
+ "items": {
1480
+ "type": "string"
1481
+ },
1482
+ "type": "array"
1483
+ },
1484
+ "role": {
1485
+ "$ref": "#/definitions/IRole",
1486
+ "description": "The IAM role associated with this function."
1487
+ },
1488
+ "stack": {
1489
+ "$ref": "#/definitions/Stack",
1490
+ "description": "The stack in which this resource is defined."
1491
+ },
1492
+ "version": {
1493
+ "description": "The most recently deployed version of this function.",
1494
+ "type": "string"
1495
+ },
1496
+ "versionRef": {
1497
+ "$ref": "#/definitions/VersionReference",
1498
+ "description": "A reference to a Version resource."
1499
+ }
1500
+ },
1501
+ "required": [
1502
+ "architecture",
1503
+ "connections",
1504
+ "edgeArn",
1505
+ "env",
1506
+ "functionArn",
1507
+ "functionName",
1508
+ "functionRef",
1509
+ "grantPrincipal",
1510
+ "isBoundToVpc",
1511
+ "lambda",
1512
+ "latestVersion",
1513
+ "node",
1514
+ "permissionsNode",
1515
+ "resourceArnsForGrantInvoke",
1516
+ "stack",
1517
+ "version",
1518
+ "versionRef"
1519
+ ],
1520
+ "type": "object"
1521
+ },
1522
+ "KeyReference": {
1523
+ "additionalProperties": false,
1524
+ "description": "A reference to a Key resource.",
1525
+ "properties": {
1526
+ "keyArn": {
1527
+ "description": "The ARN of the Key resource.",
1528
+ "type": "string"
1529
+ },
1530
+ "keyId": {
1531
+ "description": "The KeyId of the Key resource.",
1532
+ "type": "string"
1533
+ }
1534
+ },
1535
+ "required": [
1536
+ "keyArn",
1537
+ "keyId"
1538
+ ],
1539
+ "type": "object"
1540
+ },
1541
+ "LayerVersionReference": {
1542
+ "additionalProperties": false,
1543
+ "description": "A reference to a LayerVersion resource.",
1544
+ "properties": {
1545
+ "layerVersionArn": {
1546
+ "description": "The LayerVersionArn of the LayerVersion resource.",
1547
+ "type": "string"
1548
+ }
1549
+ },
1550
+ "required": [
1551
+ "layerVersionArn"
1552
+ ],
1553
+ "type": "object"
1554
+ },
1555
+ "LogRetention": {
1556
+ "additionalProperties": false,
1557
+ "description": "Creates a custom resource to control the retention policy of a CloudWatch Logs\nlog group. The log group is created if it doesn't already exist. The policy\nis removed when `retentionDays` is `undefined` or equal to `Infinity`.\nLog group can be created in the region that is different from stack region by\nspecifying `logGroupRegion`",
1558
+ "properties": {
1559
+ "ensureSingletonLogRetentionFunction": {
1560
+ "description": "Helper method to ensure that only one instance of LogRetentionFunction resources are in the stack mimicking the\nbehaviour of aws-cdk-lib/aws-lambda's SingletonFunction to prevent circular dependencies"
1561
+ },
1562
+ "logGroupArn": {
1563
+ "description": "The ARN of the LogGroup.",
1564
+ "type": "string"
1565
+ },
1566
+ "node": {
1567
+ "$ref": "#/definitions/Node",
1568
+ "description": "The tree node."
1569
+ }
1570
+ },
1571
+ "required": [
1572
+ "ensureSingletonLogRetentionFunction",
1573
+ "logGroupArn",
1574
+ "node"
1575
+ ],
1576
+ "type": "object"
1577
+ },
1578
+ "MdaaCustomResource": {
1579
+ "additionalProperties": false,
1580
+ "properties": {
1581
+ "_allowCrossEnvironment": {},
1582
+ "_physicalName": {},
1583
+ "env": {
1584
+ "$ref": "#/definitions/ResourceEnvironment",
1585
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
1586
+ },
1587
+ "handlerFunction": {
1588
+ "$ref": "#/definitions/MdaaLambdaFunction"
1589
+ },
1590
+ "node": {
1591
+ "$ref": "#/definitions/Node",
1592
+ "description": "The tree node."
1593
+ },
1594
+ "physicalName": {
1595
+ "description": "Returns a string-encoded token that resolves to the physical name that\nshould be passed to the CloudFormation resource.\n\nThis value will resolve to one of the following:\n- a concrete value (e.g. `\"my-awesome-bucket\"`)\n- `undefined`, when a name should be generated by CloudFormation\n- a concrete name generated automatically during synthesis, in\n cross-environment scenarios.",
1596
+ "type": "string"
1597
+ },
1598
+ "ref": {
1599
+ "description": "The physical name of this custom resource.",
1600
+ "type": "string"
1601
+ },
1602
+ "resource": {},
1603
+ "stack": {
1604
+ "$ref": "#/definitions/Stack",
1605
+ "description": "The stack in which this resource is defined."
1606
+ }
1607
+ },
1608
+ "required": [
1609
+ "_allowCrossEnvironment",
1610
+ "_physicalName",
1611
+ "env",
1612
+ "handlerFunction",
1613
+ "node",
1614
+ "physicalName",
1615
+ "ref",
1616
+ "resource",
1617
+ "stack"
1618
+ ],
1619
+ "type": "object"
1620
+ },
1621
+ "MdaaLambdaFunction": {
1622
+ "additionalProperties": false,
1623
+ "description": "Construct for creating a compliant Lambda Function",
1624
+ "properties": {
1625
+ "_allowCrossEnvironment": {},
1626
+ "_architecture": {},
1627
+ "_connections": {
1628
+ "$ref": "#/definitions/Connections",
1629
+ "description": "Actual connections object for this Lambda\n\nMay be unset, in which case this Lambda is not configured use in a VPC."
1630
+ },
1631
+ "_currentVersion": {},
1632
+ "_functionUrlInvocationGrants": {
1633
+ "$ref": "#/definitions/Record%3Cstring%2CGrant%3E",
1634
+ "description": "Mapping of function URL invocation principals to grants. Used to de-dupe `grantInvokeUrl()` calls."
1635
+ },
1636
+ "_hasAddedArrayTokenStatements": {
1637
+ "description": "Track whether we've added statements with array token resources to the role's default policy"
1638
+ },
1639
+ "_hasAddedLiteralStatements": {
1640
+ "description": "Track whether we've added statements with literal resources to the role's default policy"
1641
+ },
1642
+ "_invocationGrants": {
1643
+ "$ref": "#/definitions/Record%3Cstring%2CGrant%3E",
1644
+ "description": "Mapping of invocation principals to grants. Used to de-dupe `grantInvoke()` calls."
1645
+ },
1646
+ "_latestVersion": {},
1647
+ "_layers": {
1648
+ "items": {
1649
+ "$ref": "#/definitions/ILayerVersion"
1650
+ },
1651
+ "type": "array"
1652
+ },
1653
+ "_logGroup": {},
1654
+ "_logRetention": {
1655
+ "$ref": "#/definitions/LogRetention",
1656
+ "description": "Creates a custom resource to control the retention policy of a CloudWatch Logs\nlog group. The log group is created if it doesn't already exist. The policy\nis removed when `retentionDays` is `undefined` or equal to `Infinity`.\nLog group can be created in the region that is different from stack region by\nspecifying `logGroupRegion`"
1657
+ },
1658
+ "_physicalName": {},
1659
+ "_policyCounter": {
1660
+ "description": "The number of permissions added to this function"
1661
+ },
1662
+ "_skipPermissions": {
1663
+ "description": "Whether the user decides to skip adding permissions.\nThe only use case is for cross-account, imported lambdas\nwhere the user commits to modifying the permisssions\non the imported lambda outside CDK.",
1664
+ "type": "boolean"
1665
+ },
1666
+ "_warnIfCurrentVersionCalled": {
1667
+ "description": "Flag to delay adding a warning message until current version is invoked.",
1668
+ "type": "boolean"
1669
+ },
1670
+ "architecture": {
1671
+ "$ref": "#/definitions/Architecture",
1672
+ "description": "The architecture of this Lambda Function (this is an optional attribute and defaults to X86_64)."
1673
+ },
1674
+ "buildDeadLetterConfig": {},
1675
+ "buildDeadLetterQueue": {},
1676
+ "buildTracingConfig": {},
1677
+ "canCreatePermissions": {
1678
+ "const": true,
1679
+ "default": true,
1680
+ "description": "Whether the addPermission() call adds any permissions\n\nTrue for new Lambdas, false for version $LATEST and imported Lambdas\nfrom different accounts.",
1681
+ "type": "boolean"
1682
+ },
1683
+ "configureAdotInstrumentation": {
1684
+ "description": "Add an AWS Distro for OpenTelemetry Lambda layer."
1685
+ },
1686
+ "configureLambdaInsights": {
1687
+ "description": "Configured lambda insights on the function if specified. This is achieved by adding an imported layer which is added to the\nlist of lambda layers on synthesis.\n\nhttps://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html"
1688
+ },
1689
+ "configureParamsAndSecretsExtension": {
1690
+ "description": "Add a Parameters and Secrets Extension Lambda layer."
1691
+ },
1692
+ "configureSnapStart": {},
1693
+ "configureVpc": {
1694
+ "description": "If configured, set up the VPC-related properties\n\nReturns the VpcConfig that should be added to the\nLambda creation properties."
1695
+ },
1696
+ "connections": {
1697
+ "$ref": "#/definitions/Connections",
1698
+ "description": "Access the Connections object\n\nWill fail if not a VPC-enabled Lambda Function"
1699
+ },
1700
+ "currentVersion": {
1701
+ "$ref": "#/definitions/Version",
1702
+ "description": "Returns a `lambda.Version` which represents the current version of this\nLambda function. A new version will be created every time the function's\nconfiguration changes.\n\nYou can specify options for this version using the `currentVersionOptions`\nprop when initializing the `lambda.Function`."
1703
+ },
1704
+ "currentVersionOptions": {},
1705
+ "deadLetterQueue": {
1706
+ "$ref": "#/definitions/IQueue",
1707
+ "description": "The DLQ (as queue) associated with this Lambda Function (this is an optional attribute)."
1708
+ },
1709
+ "deadLetterTopic": {
1710
+ "$ref": "#/definitions/ITopic",
1711
+ "description": "The DLQ (as topic) associated with this Lambda Function (this is an optional attribute)."
1712
+ },
1713
+ "env": {
1714
+ "$ref": "#/definitions/ResourceEnvironment",
1715
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
1716
+ },
1717
+ "environment": {
1718
+ "description": "Environment variables for this function"
1719
+ },
1720
+ "functionArn": {
1721
+ "description": "ARN of this function",
1722
+ "type": "string"
1723
+ },
1724
+ "functionName": {
1725
+ "description": "Name of this function",
1726
+ "type": "string"
1727
+ },
1728
+ "functionRef": {
1729
+ "$ref": "#/definitions/FunctionReference",
1730
+ "description": "A reference to a Function resource."
1731
+ },
1732
+ "getLoggingConfig": {
1733
+ "description": "Get Logging Config property for the function.\nThis method returns the function LoggingConfig Property if the property is set on the\nfunction and undefined if not."
1734
+ },
1735
+ "grant": {},
1736
+ "grantPrincipal": {
1737
+ "$ref": "#/definitions/IPrincipal",
1738
+ "description": "The principal this Lambda Function is running as"
1739
+ },
1740
+ "hashMixins": {},
1741
+ "isBoundToVpc": {
1742
+ "description": "Whether or not this Lambda function was bound to a VPC\n\nIf this is is `false`, trying to access the `connections` object will fail.",
1743
+ "type": "boolean"
1744
+ },
1745
+ "isPrincipalWithConditions": {},
1746
+ "isQueue": {},
1747
+ "latestVersion": {
1748
+ "$ref": "#/definitions/IVersion",
1749
+ "description": "The `$LATEST` version of this function.\n\nNote that this is reference to a non-specific AWS Lambda version, which\nmeans the function this version refers to can return different results in\ndifferent invocations.\n\nTo obtain a reference to an explicit version which references the current\nfunction configuration, use `lambdaFunction.currentVersion` instead."
1750
+ },
1751
+ "logGroup": {
1752
+ "$ref": "#/definitions/ILogGroup",
1753
+ "description": "The LogGroup where the Lambda function's logs are made available.\n\nIf either `logRetention` is set or this property is called, a CloudFormation custom resource is added to the stack that\npre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention\nperiod (never expire, by default).\n\nFurther, if the log group already exists and the `logRetention` is not set, the custom resource will reset the log retention\nto never expire even if it was configured with a different value."
1754
+ },
1755
+ "node": {
1756
+ "$ref": "#/definitions/Node",
1757
+ "description": "The tree node."
1758
+ },
1759
+ "parsePermissionPrincipal": {
1760
+ "description": "Translate IPrincipal to something we can pass to AWS::Lambda::Permissions\n\nDo some nasty things because `Permission` supports a subset of what the\nfull IAM principal language supports, and we may not be able to parse strings\noutright because they may be tokens.\n\nTry to recognize some specific Principal classes first, then try a generic\nfallback."
1761
+ },
1762
+ "permissionsNode": {
1763
+ "$ref": "#/definitions/Node",
1764
+ "description": "The construct node where permissions are attached."
1765
+ },
1766
+ "physicalName": {
1767
+ "description": "Returns a string-encoded token that resolves to the physical name that\nshould be passed to the CloudFormation resource.\n\nThis value will resolve to one of the following:\n- a concrete value (e.g. `\"my-awesome-bucket\"`)\n- `undefined`, when a name should be generated by CloudFormation\n- a concrete name generated automatically during synthesis, in\n cross-environment scenarios.",
1768
+ "type": "string"
1769
+ },
1770
+ "renderEnvironment": {},
1771
+ "renderLayers": {},
1772
+ "resourceArnsForGrantInvoke": {
1773
+ "description": "The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke()",
1774
+ "items": {
1775
+ "type": "string"
1776
+ },
1777
+ "type": "array"
1778
+ },
1779
+ "role": {
1780
+ "$ref": "#/definitions/IRole",
1781
+ "description": "Execution role associated with this function"
1782
+ },
1783
+ "runtime": {
1784
+ "$ref": "#/definitions/Runtime",
1785
+ "description": "The runtime configured for this lambda."
1786
+ },
1787
+ "stack": {
1788
+ "$ref": "#/definitions/Stack",
1789
+ "description": "The stack in which this resource is defined."
1790
+ },
1791
+ "statementHasArrayTokens": {
1792
+ "description": "Check if a policy statement contains array tokens that would cause CloudFormation\nresolution conflicts when mixed with literal arrays in the same policy document.\n\nArray tokens are created by CloudFormation intrinsic functions that return arrays,\nsuch as Fn::Split, Fn::GetAZs, etc. These cannot be safely merged with literal\nresource arrays due to CloudFormation's token resolution limitations.\n\nIndividual string tokens within literal arrays (e.g., `[\"arn:${token}:...\"]`) are\nsafe and do not cause conflicts, so they are not detected by this method."
1793
+ },
1794
+ "timeout": {
1795
+ "$ref": "#/definitions/Duration",
1796
+ "description": "The timeout configured for this lambda."
1797
+ },
1798
+ "validateConditionCombinations": {},
1799
+ "validateConditions": {},
1800
+ "validateProfiling": {}
1801
+ },
1802
+ "required": [
1803
+ "_allowCrossEnvironment",
1804
+ "_functionUrlInvocationGrants",
1805
+ "_hasAddedArrayTokenStatements",
1806
+ "_hasAddedLiteralStatements",
1807
+ "_invocationGrants",
1808
+ "_layers",
1809
+ "_physicalName",
1810
+ "_policyCounter",
1811
+ "_warnIfCurrentVersionCalled",
1812
+ "architecture",
1813
+ "buildDeadLetterConfig",
1814
+ "buildDeadLetterQueue",
1815
+ "buildTracingConfig",
1816
+ "canCreatePermissions",
1817
+ "configureAdotInstrumentation",
1818
+ "configureLambdaInsights",
1819
+ "configureParamsAndSecretsExtension",
1820
+ "configureSnapStart",
1821
+ "configureVpc",
1822
+ "connections",
1823
+ "currentVersion",
1824
+ "env",
1825
+ "environment",
1826
+ "functionArn",
1827
+ "functionName",
1828
+ "functionRef",
1829
+ "getLoggingConfig",
1830
+ "grant",
1831
+ "grantPrincipal",
1832
+ "hashMixins",
1833
+ "isBoundToVpc",
1834
+ "isPrincipalWithConditions",
1835
+ "isQueue",
1836
+ "latestVersion",
1837
+ "logGroup",
1838
+ "node",
1839
+ "parsePermissionPrincipal",
1840
+ "permissionsNode",
1841
+ "physicalName",
1842
+ "renderEnvironment",
1843
+ "renderLayers",
1844
+ "resourceArnsForGrantInvoke",
1845
+ "runtime",
1846
+ "stack",
1847
+ "statementHasArrayTokens",
1848
+ "validateConditionCombinations",
1849
+ "validateConditions",
1850
+ "validateProfiling"
1851
+ ],
1852
+ "type": "object"
1853
+ },
1854
+ "MdaaNagSuppressionByPath": {
1855
+ "additionalProperties": false,
1856
+ "properties": {
1857
+ "path": {
1858
+ "description": "CloudFormation resource path identifying the specific resource for which CDK Nag rules should be suppressed",
1859
+ "type": "string"
1860
+ },
1861
+ "suppressions": {
1862
+ "description": "Array of specific CDK Nag rule suppressions with rule IDs and mandatory justifications for audit compliance",
1863
+ "items": {
1864
+ "additionalProperties": false,
1865
+ "properties": {
1866
+ "id": {
1867
+ "type": "string"
1868
+ },
1869
+ "reason": {
1870
+ "type": "string"
1871
+ }
1872
+ },
1873
+ "required": [
1874
+ "id",
1875
+ "reason"
1876
+ ],
1877
+ "type": "object"
1878
+ },
1879
+ "type": "array"
1880
+ }
1881
+ },
1882
+ "required": [
1883
+ "path",
1884
+ "suppressions"
1885
+ ],
1886
+ "type": "object"
1887
+ },
1888
+ "MdaaNagSuppressionConfigs": {
1889
+ "additionalProperties": false,
1890
+ "properties": {
1891
+ "by_path": {
1892
+ "description": "Array of CDK Nag suppressions organized by CloudFormation resource path, enabling targeted",
1893
+ "items": {
1894
+ "$ref": "#/definitions/MdaaNagSuppressionByPath"
1895
+ },
1896
+ "type": "array"
1897
+ }
1898
+ },
1899
+ "required": [
1900
+ "by_path"
1901
+ ],
1902
+ "type": "object"
1903
+ },
1904
+ "MdaaResourceNamingConfig": {
1905
+ "additionalProperties": false,
1906
+ "properties": {
1907
+ "cdkNode": {
1908
+ "$ref": "#/definitions/Node",
1909
+ "description": "CDK construct node providing access to context values for custom naming implementations"
1910
+ },
1911
+ "domain": {
1912
+ "description": "Domain identifier from MDAA configuration representing logical business or organizational boundaries",
1913
+ "type": "string"
1914
+ },
1915
+ "env": {
1916
+ "description": "Environment identifier from MDAA configuration that distinguishes deployment stages within the same domain",
1917
+ "type": "string"
1918
+ },
1919
+ "moduleName": {
1920
+ "description": "Module name from MDAA configuration identifying the specific MDAA module deployment within a domain/environment",
1921
+ "type": "string"
1922
+ },
1923
+ "org": {
1924
+ "description": "Organization identifier from MDAA configuration that serves as the top-level namespace for all AWS resource names",
1925
+ "type": "string"
1926
+ }
1927
+ },
1928
+ "required": [
1929
+ "cdkNode",
1930
+ "domain",
1931
+ "env",
1932
+ "moduleName",
1933
+ "org"
1934
+ ],
1935
+ "type": "object"
1936
+ },
1937
+ "MdaaRoleRef": {
1938
+ "additionalProperties": false,
1939
+ "properties": {
1940
+ "arn": {
1941
+ "description": "Full IAM role ARN for cross-account role references and explicit role identification.\n\nUse cases: Cross-account role references; Explicit role binding; Multi-account deployments\n\nAWS: Full IAM role ARN (arn:aws:iam::ACCOUNT:role/ROLE-NAME)\n\nValidation: Optional; must be a valid IAM role ARN if provided",
1942
+ "type": "string"
1943
+ },
1944
+ "id": {
1945
+ "description": "IAM role unique identifier for role resolution using the role's AWS-generated ID.\n\nUse cases: Stable role references; Role resolution by unique ID; Immutable role binding\n\nAWS: IAM role unique ID (e.g., AROA...)\n\nValidation: Optional; must be a valid IAM role unique ID if provided",
1946
+ "type": "string"
1947
+ },
1948
+ "immutable": {
1949
+ "description": "Flag indicating whether the referenced role should be treated as immutable and not modified by MDAA operations.\n\nUse cases: Pre-existing role protection; Externally managed roles; Read-only role references\n\nAWS: Controls whether MDAA attaches policies or modifies the referenced IAM role\n\nValidation: Optional boolean; defaults to false",
1950
+ "type": "boolean"
1951
+ },
1952
+ "name": {
1953
+ "description": "IAM role name for role resolution within the same AWS account.\n\nUse cases: Same-account role references; Role name-based resolution; Local IAM role binding\n\nAWS: IAM role name resolved via GetRole within the deployment account\n\nValidation: Optional; must be a valid IAM role name; mutually preferred with arn/id for resolution",
1954
+ "type": "string"
1955
+ },
1956
+ "refId": {
1957
+ "description": "Unique identifier for the role reference within a configuration scope, enabling role lookup and deduplication.\n\nUse cases: Role reference identification; Configuration deduplication; Role lookup key\n\nAWS: Logical identifier for IAM role references within MDAA configuration\n\nValidation: Optional; must be unique within the configuration scope if provided",
1958
+ "type": "string"
1959
+ },
1960
+ "sso": {
1961
+ "description": "Flag indicating the role should be resolved as an AWS SSO auto-generated role.\n\nUse cases: AWS IAM Identity Center integration; SSO permission set role binding; Federated access\n\nAWS: Resolves role via AWS SSO/Identity Center auto-generated role naming convention\n\nValidation: Optional boolean; defaults to false",
1962
+ "type": "boolean"
1963
+ }
1964
+ },
1965
+ "type": "object"
1966
+ },
1967
+ "MdaaSageMakerBluePrintParameterConfig": {
1968
+ "additionalProperties": false,
1969
+ "properties": {
1970
+ "blueprintParamProps": {
1971
+ "$ref": "#/definitions/MdaaSageMakerBluePrintParameterProps"
1972
+ },
1973
+ "cfnParamProps": {
1974
+ "$ref": "#/definitions/CfnParameterProps"
1975
+ }
1976
+ },
1977
+ "required": [
1978
+ "blueprintParamProps"
1979
+ ],
1980
+ "type": "object"
1981
+ },
1982
+ "MdaaSageMakerBluePrintParameterProps": {
1983
+ "additionalProperties": false,
1984
+ "properties": {
1985
+ "defaultValue": {
1986
+ "type": "string"
1987
+ },
1988
+ "description": {
1989
+ "type": "string"
1990
+ },
1991
+ "fieldType": {
1992
+ "type": "string"
1993
+ },
1994
+ "isEditable": {
1995
+ "type": "boolean"
1996
+ },
1997
+ "isOptional": {
1998
+ "type": "boolean"
1999
+ },
2000
+ "isUpdateSupported": {
2001
+ "type": "boolean"
2002
+ }
2003
+ },
2004
+ "required": [
2005
+ "fieldType"
2006
+ ],
2007
+ "type": "object"
2008
+ },
2009
+ "MdaaSageMakerCustomBluePrintConfig": {
2010
+ "additionalProperties": false,
2011
+ "description": "Q-ENHANCED-INTERFACE\nConfiguration interface for AWS SageMaker blueprint deployment that specifies domain association, and parameterization. Enables MDAA modules to be deployed as self-service SageMaker blueprints with controlled access and validation.\n\nUse cases: Self-service infrastructure deployment; Controlled resource provisioning; Parameterized blueprint offerings\n\nAWS: Configures AWS SageMaker blueprints for self-service deployment of MDAA modules with domain management\n\nValidation: domain_arn must be valid SageMaker domain ARN;",
2012
+ "properties": {
2013
+ "additionalAccounts": {
2014
+ "additionalProperties": {
2015
+ "$ref": "#/definitions/AdditionalBlueprintAccount"
2016
+ },
2017
+ "description": "Q-ENHANCED-PROPERTY\nOptional map of additional AWS accounts where the SageMaker blueprint should be enabled. Each entry maps a friendly account name to account-specific configuration including provisioning role ARN and optional parameters and authorized domain units.\n\nUse cases: Multi-account deployment; Cross-account provisioning; Account-specific configuration\n\nAWS: AWS SageMaker blueprint multi-account provisioning configuration\n\nValidation: Must be object with string keys and valid account configuration values if provided",
2018
+ "type": "object"
2019
+ },
2020
+ "authorizedDomainUnits": {
2021
+ "items": {
2022
+ "type": "string"
2023
+ },
2024
+ "type": "array"
2025
+ },
2026
+ "blueprintName": {
2027
+ "type": "string"
2028
+ },
2029
+ "description": {
2030
+ "description": "Q-ENHANCED-PROPERTY\nDescription for the SageMaker blueprint that will be visible to end users in the SageMaker console. Should be descriptive and user-friendly to facilitate blueprint discovery and selection.\n\nUse cases: Product identification; User-friendly naming; SageMaker console display\n\nAWS: AWS SageMaker blueprint name for user interface display\n\nValidation: Must be non-empty string suitable for SageMaker blueprint naming",
2031
+ "type": "string"
2032
+ },
2033
+ "domainBucketName": {
2034
+ "type": "string"
2035
+ },
2036
+ "domainConfig": {
2037
+ "$ref": "#/definitions/DomainConfig"
2038
+ },
2039
+ "domainConfigSSMParam": {
2040
+ "description": "Q-ENHANCED-PROPERTY\nOptional SSM parameter reference for domain configuration enabling dynamic domain configuration management. Specifies the SSM parameter containing domain configuration data for flexible domain setup and configuration management.\n\nUse cases: Dynamic configuration; SSM parameter reference; Configuration management; Flexible setup\n\nAWS: AWS Systems Manager parameter for DataZone domain configuration reference\n\nValidation: Must be valid SSM parameter name if provided; parameter must contain valid domain configuration",
2041
+ "type": "string"
2042
+ },
2043
+ "enabledRegions": {
2044
+ "items": {
2045
+ "type": "string"
2046
+ },
2047
+ "type": "array"
2048
+ },
2049
+ "parameters": {
2050
+ "additionalProperties": {
2051
+ "$ref": "#/definitions/MdaaSageMakerBluePrintParameterConfig"
2052
+ },
2053
+ "description": "Q-ENHANCED-PROPERTY\nOptional object containing named parameter configurations for the SageMaker blueprint. Enables parameterized blueprint deployment with validation rules and user input constraints.\n\nUse cases: Product parameterization; User input collection; Deployment customization\n\nAWS: AWS SageMaker blueprint parameters for user-configurable deployment options\n\nValidation: Must be object with string keys and valid MdaaServiceCatalogParameterConfig values if provided\n *",
2054
+ "type": "object"
2055
+ },
2056
+ "provisioningRole": {
2057
+ "$ref": "#/definitions/MdaaRoleRef"
2058
+ }
2059
+ },
2060
+ "required": [
2061
+ "provisioningRole"
2062
+ ],
2063
+ "type": "object"
2064
+ },
2065
+ "MdaaServiceCatalogConstraintConfig": {
2066
+ "additionalProperties": false,
2067
+ "properties": {
2068
+ "description": {
2069
+ "description": "Human-readable description explaining the purpose and scope of the Service Catalog constraint",
2070
+ "type": "string"
2071
+ },
2072
+ "rules": {
2073
+ "additionalProperties": {
2074
+ "$ref": "#/definitions/MdaaServiceCatalogConstraintRuleConfig"
2075
+ },
2076
+ "description": "Object containing named constraint rules that define the validation logic for Service Catalog product parameters",
2077
+ "type": "object"
2078
+ }
2079
+ },
2080
+ "required": [
2081
+ "description",
2082
+ "rules"
2083
+ ],
2084
+ "type": "object"
2085
+ },
2086
+ "MdaaServiceCatalogConstraintRuleAssertionConfig": {
2087
+ "additionalProperties": false,
2088
+ "properties": {
2089
+ "assert": {
2090
+ "description": "Constraint assertion expression that defines the validation logic for Service Catalog product parameters",
2091
+ "type": "string"
2092
+ },
2093
+ "description": {
2094
+ "description": "Human-readable description explaining the purpose and requirements of the constraint assertion",
2095
+ "type": "string"
2096
+ }
2097
+ },
2098
+ "required": [
2099
+ "assert",
2100
+ "description"
2101
+ ],
2102
+ "type": "object"
2103
+ },
2104
+ "MdaaServiceCatalogConstraintRuleCondititionConfig": {
2105
+ "additionalProperties": false,
2106
+ "type": "object"
2107
+ },
2108
+ "MdaaServiceCatalogConstraintRuleConfig": {
2109
+ "additionalProperties": false,
2110
+ "properties": {
2111
+ "assertions": {
2112
+ "description": "Array of constraint assertions that define the validation logic to be applied when the condition is met",
2113
+ "items": {
2114
+ "$ref": "#/definitions/MdaaServiceCatalogConstraintRuleAssertionConfig"
2115
+ },
2116
+ "type": "array"
2117
+ },
2118
+ "condition": {
2119
+ "$ref": "#/definitions/MdaaServiceCatalogConstraintRuleCondititionConfig",
2120
+ "description": "Condition configuration that determines when the constraint rule assertions should be evaluated"
2121
+ }
2122
+ },
2123
+ "required": [
2124
+ "assertions",
2125
+ "condition"
2126
+ ],
2127
+ "type": "object"
2128
+ },
2129
+ "MdaaServiceCatalogParameterConfig": {
2130
+ "additionalProperties": false,
2131
+ "properties": {
2132
+ "constraints": {
2133
+ "$ref": "#/definitions/MdaaServiceCatalogConstraintConfig",
2134
+ "description": "Constraint configuration that defines additional validation rules for the Service Catalog product parameter"
2135
+ },
2136
+ "props": {
2137
+ "$ref": "#/definitions/CfnParameterProps",
2138
+ "description": "CloudFormation parameter properties that define the parameter characteristics including type,"
2139
+ }
2140
+ },
2141
+ "required": [
2142
+ "props"
2143
+ ],
2144
+ "type": "object"
2145
+ },
2146
+ "MdaaServiceCatalogProductConfig": {
2147
+ "additionalProperties": false,
2148
+ "properties": {
2149
+ "launch_role_name": {
2150
+ "description": "IAM role name that will be used to launch the Service Catalog product",
2151
+ "type": "string"
2152
+ },
2153
+ "name": {
2154
+ "description": "Display name for the Service Catalog product that will be visible to end users in the Service Catalog console",
2155
+ "type": "string"
2156
+ },
2157
+ "owner": {
2158
+ "description": "Owner identifier for the Service Catalog product, typically representing the team or organization",
2159
+ "type": "string"
2160
+ },
2161
+ "parameters": {
2162
+ "additionalProperties": {
2163
+ "$ref": "#/definitions/MdaaServiceCatalogParameterConfig"
2164
+ },
2165
+ "description": "Object containing named parameter configurations for the Service Catalog product",
2166
+ "type": "object"
2167
+ },
2168
+ "portfolio_arn": {
2169
+ "description": "ARN of the AWS Service Catalog portfolio where the product will be associated",
2170
+ "type": "string"
2171
+ },
2172
+ "portfolio_bucket_name": {
2173
+ "type": "string"
2174
+ }
2175
+ },
2176
+ "required": [
2177
+ "name",
2178
+ "owner",
2179
+ "portfolio_arn",
2180
+ "portfolio_bucket_name"
2181
+ ],
2182
+ "type": "object"
2183
+ },
2184
+ "MetadataEntry": {
2185
+ "additionalProperties": false,
2186
+ "description": "An entry in the construct metadata table.",
2187
+ "properties": {
2188
+ "data": {
2189
+ "description": "The data."
2190
+ },
2191
+ "trace": {
2192
+ "default": "- no trace information",
2193
+ "description": "Stack trace at the point of adding the metadata.\n\nOnly available if `addMetadata()` is called with `stackTrace: true`.",
2194
+ "items": {
2195
+ "type": "string"
2196
+ },
2197
+ "type": "array"
2198
+ },
2199
+ "type": {
2200
+ "description": "The metadata entry type.",
2201
+ "type": "string"
2202
+ }
2203
+ },
2204
+ "required": [
2205
+ "data",
2206
+ "type"
2207
+ ],
2208
+ "type": "object"
2209
+ },
2210
+ "Node": {
2211
+ "additionalProperties": false,
2212
+ "description": "Represents the construct node in the scope tree.",
2213
+ "properties": {
2214
+ "_addr": {},
2215
+ "_children": {},
2216
+ "_context": {},
2217
+ "_defaultChild": {},
2218
+ "_dependencies": {},
2219
+ "_locked": {},
2220
+ "_metadata": {},
2221
+ "_validations": {},
2222
+ "addChild": {
2223
+ "description": "Adds a child construct to this node."
2224
+ },
2225
+ "addr": {
2226
+ "description": "Returns an opaque tree-unique address for this construct.\n\nAddresses are 42 characters hexadecimal strings. They begin with \"c8\"\nfollowed by 40 lowercase hexadecimal characters (0-9a-f).\n\nAddresses are calculated using a SHA-1 of the components of the construct\npath.\n\nTo enable refactorings of construct trees, constructs with the ID `Default`\nwill be excluded from the calculation. In those cases constructs in the\nsame tree may have the same addreess.",
2227
+ "type": "string"
2228
+ },
2229
+ "children": {
2230
+ "description": "All direct children of this construct.",
2231
+ "items": {
2232
+ "$ref": "#/definitions/IConstruct"
2233
+ },
2234
+ "type": "array"
2235
+ },
2236
+ "defaultChild": {
2237
+ "$ref": "#/definitions/IConstruct",
2238
+ "description": "Returns the child construct that has the id `Default` or `Resource\"`.\nThis is usually the construct that provides the bulk of the underlying functionality.\nUseful for modifications of the underlying construct that are not available at the higher levels.\nOverride the defaultChild property.\n\nThis should only be used in the cases where the correct\ndefault child is not named 'Resource' or 'Default' as it\nshould be.\n\nIf you set this to undefined, the default behavior of finding\nthe child named 'Resource' or 'Default' will be used."
2239
+ },
2240
+ "dependencies": {
2241
+ "description": "Return all dependencies registered on this node (non-recursive).",
2242
+ "items": {
2243
+ "$ref": "#/definitions/IConstruct"
2244
+ },
2245
+ "type": "array"
2246
+ },
2247
+ "host": {},
2248
+ "id": {
2249
+ "description": "The id of this construct within the current scope.\n\nThis is a a scope-unique id. To obtain an app-unique id for this construct, use `addr`.",
2250
+ "type": "string"
2251
+ },
2252
+ "locked": {
2253
+ "description": "Returns true if this construct or the scopes in which it is defined are\nlocked.",
2254
+ "type": "boolean"
2255
+ },
2256
+ "metadata": {
2257
+ "description": "An immutable array of metadata objects associated with this construct.\nThis can be used, for example, to implement support for deprecation notices, source mapping, etc.",
2258
+ "items": {
2259
+ "$ref": "#/definitions/MetadataEntry"
2260
+ },
2261
+ "type": "array"
2262
+ },
2263
+ "path": {
2264
+ "description": "The full, absolute path of this construct in the tree.\n\nComponents are separated by '/'.",
2265
+ "type": "string"
2266
+ },
2267
+ "root": {
2268
+ "$ref": "#/definitions/IConstruct",
2269
+ "description": "Returns the root of the construct tree."
2270
+ },
2271
+ "scope": {
2272
+ "$ref": "#/definitions/IConstruct",
2273
+ "description": "Returns the scope in which this construct is defined.\n\nThe value is `undefined` at the root of the construct scope tree."
2274
+ },
2275
+ "scopes": {
2276
+ "description": "All parent scopes of this construct.",
2277
+ "items": {
2278
+ "$ref": "#/definitions/IConstruct"
2279
+ },
2280
+ "type": "array"
2281
+ }
2282
+ },
2283
+ "required": [
2284
+ "_children",
2285
+ "_context",
2286
+ "_defaultChild",
2287
+ "_dependencies",
2288
+ "_locked",
2289
+ "_metadata",
2290
+ "_validations",
2291
+ "addChild",
2292
+ "addr",
2293
+ "children",
2294
+ "dependencies",
2295
+ "host",
2296
+ "id",
2297
+ "locked",
2298
+ "metadata",
2299
+ "path",
2300
+ "root",
2301
+ "scopes"
2302
+ ],
2303
+ "type": "object"
2304
+ },
2305
+ "Port": {
2306
+ "additionalProperties": false,
2307
+ "description": "Interface for classes that provide the connection-specification parts of a security group rule",
2308
+ "properties": {
2309
+ "canInlineRule": {
2310
+ "description": "Whether the rule containing this port range can be inlined into a securitygroup or not.",
2311
+ "type": "boolean"
2312
+ },
2313
+ "props": {}
2314
+ },
2315
+ "required": [
2316
+ "canInlineRule",
2317
+ "props"
2318
+ ],
2319
+ "type": "object"
2320
+ },
2321
+ "PrincipalPolicyFragment": {
2322
+ "additionalProperties": false,
2323
+ "description": "A collection of the fields in a PolicyStatement that can be used to identify a principal.\n\nThis consists of the JSON used in the \"Principal\" field, and optionally a\nset of \"Condition\"s that need to be applied to the policy.\n\nGenerally, a principal looks like:\n\n { '<TYPE>': ['ID', 'ID', ...] }\n\nAnd this is also the type of the field `principalJson`. However, there is a\nspecial type of principal that is just the string '*', which is treated\ndifferently by some services. To represent that principal, `principalJson`\nshould contain `{ 'LiteralString': ['*'] }`.",
2324
+ "properties": {
2325
+ "conditions": {
2326
+ "$ref": "#/definitions/Conditions",
2327
+ "description": "The conditions under which the policy is in effect.\nSee [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html)."
2328
+ },
2329
+ "principalJson": {
2330
+ "additionalProperties": {
2331
+ "items": {
2332
+ "type": "string"
2333
+ },
2334
+ "type": "array"
2335
+ },
2336
+ "type": "object"
2337
+ }
2338
+ },
2339
+ "required": [
2340
+ "conditions",
2341
+ "principalJson"
2342
+ ],
2343
+ "type": "object"
2344
+ },
2345
+ "Record<string,Grant>": {
2346
+ "additionalProperties": false,
163
2347
  "type": "object"
164
2348
  },
165
- "MdaaNagSuppressionByPath": {
2349
+ "ResourceEnvironment": {
166
2350
  "additionalProperties": false,
167
- "description": "Q-ENHANCED-INTERFACE\nConfiguration interface for suppressing specific CDK Nag security rules on individual CloudFormation resources identified by their resource path. Provides targeted rule suppression with mandatory justification for audit and compliance tracking.\n\nUse cases: Individual resource security exceptions; False positive rule suppressions; Documented compliance deviations\n\nAWS: Suppresses specific CDK Nag security rules for individual CloudFormation resources during deployment validation\n\nValidation: path must be valid CloudFormation resource path; suppressions array must contain valid rule IDs and justifications",
2351
+ "description": "Represents the environment a given resource lives in.\nUsed as the return value for the `IResource.env` property.",
168
2352
  "properties": {
169
- "path": {
170
- "description": "Q-ENHANCED-PROPERTY\nCloudFormation resource path identifying the specific resource for which CDK Nag rules should be suppressed. Uses CDK construct tree path format to precisely target individual resources within the deployment stack.\n\nUse cases: Specific resource targeting; Individual resource exceptions; Precise suppression scope control\n\nAWS: CloudFormation resource path for targeted CDK Nag rule suppression during validation\n\nValidation: Must be valid CDK construct tree path format (e.g., /StackName/ConstructName/ResourceName)",
2353
+ "account": {
2354
+ "description": "The AWS account ID that this resource belongs to.\nSince this can be a Token\n(for example, when the account is CloudFormation's AWS::AccountId intrinsic),\nmake sure to use Token.compareStrings()\ninstead of just comparing the values for equality.",
171
2355
  "type": "string"
172
2356
  },
173
- "suppressions": {
174
- "description": "Q-ENHANCED-PROPERTY\nArray of specific CDK Nag rule suppressions with rule IDs and mandatory justifications for audit compliance. Each suppression must include the rule identifier and business justification for the security exception.\n\nUse cases: Multiple rule suppressions per resource; Documented security exceptions; Audit trail maintenance\n\nAWS: CDK Nag rule ID suppression with justification tracking for compliance auditing\n\nValidation: Each suppression must have valid CDK Nag rule ID and non-empty reason string\n *",
175
- "items": {
176
- "additionalProperties": false,
177
- "properties": {
178
- "id": {
179
- "type": "string"
180
- },
181
- "reason": {
182
- "type": "string"
183
- }
184
- },
185
- "required": [
186
- "id",
187
- "reason"
188
- ],
189
- "type": "object"
190
- },
191
- "type": "array"
2357
+ "region": {
2358
+ "description": "The AWS region that this resource belongs to.\nSince this can be a Token\n(for example, when the region is CloudFormation's AWS::Region intrinsic),\nmake sure to use Token.compareStrings()\ninstead of just comparing the values for equality.",
2359
+ "type": "string"
192
2360
  }
193
2361
  },
194
2362
  "required": [
195
- "path",
196
- "suppressions"
2363
+ "account",
2364
+ "region"
197
2365
  ],
198
2366
  "type": "object"
199
2367
  },
200
- "MdaaNagSuppressionConfigs": {
2368
+ "RoleReference": {
201
2369
  "additionalProperties": false,
202
- "description": "Q-ENHANCED-INTERFACE\nConfiguration interface for CDK Nag rule suppressions organized by CloudFormation resource paths. Enables selective suppression of security compliance rules for specific resources while maintaining overall compliance posture and audit trail.\n\nUse cases: False positive suppression; Approved security exceptions; Legacy resource compliance exemptions\n\nAWS: Suppresses CDK Nag security rule violations for specific CloudFormation resources during deployment validation\n\nValidation: by_path array must contain valid suppression configurations with resource paths and justifications",
2370
+ "description": "A reference to a Role resource.",
203
2371
  "properties": {
204
- "by_path": {
205
- "description": "Q-ENHANCED-PROPERTY\nArray of CDK Nag suppressions organized by CloudFormation resource path, enabling targeted suppression of specific security rules for individual resources. Each suppression requires justification and maps to specific CloudFormation resource paths.\n\nUse cases: Resource-specific security exceptions; False positive rule suppressions; Approved compliance deviations\n\nAWS: CDK Nag rule suppression targeting specific CloudFormation resources during security validation\n\nValidation: Must be array of valid MdaaNagSuppressionByPath objects with valid resource paths and suppression details\n *",
206
- "items": {
207
- "$ref": "#/definitions/MdaaNagSuppressionByPath"
208
- },
209
- "type": "array"
2372
+ "roleArn": {
2373
+ "description": "The ARN of the Role resource.",
2374
+ "type": "string"
2375
+ },
2376
+ "roleName": {
2377
+ "description": "The RoleName of the Role resource.",
2378
+ "type": "string"
210
2379
  }
211
2380
  },
212
2381
  "required": [
213
- "by_path"
2382
+ "roleArn",
2383
+ "roleName"
214
2384
  ],
215
2385
  "type": "object"
216
2386
  },
217
- "MdaaRoleRef": {
2387
+ "Runtime": {
218
2388
  "additionalProperties": false,
219
- "description": "Q-ENHANCED-INTERFACE\nConfiguration interface for referencing IAM roles across MDAA modules using multiple identification methods. Enables flexible role resolution for cross-module dependencies, external role integration, and SSO-managed roles while supporting both mutable and immutable role references.\n\nUse cases: Cross-module IAM role sharing; External role integration from Landing Zone Accelerator; SSO-managed role references for federated access\n\nAWS: References AWS IAM roles for service permissions, cross-account access, and federated identity integration\n\nValidation: At least one of name, arn, or id must be provided; arn must be valid IAM role ARN format; name must be valid IAM role name",
2389
+ "description": "Lambda function runtime environment.\n\nIf you need to use a runtime name that doesn't exist as a static member, you\ncan instantiate a `Runtime` object, e.g: `new Runtime('nodejs99.99')`.",
220
2390
  "properties": {
221
- "arn": {
222
- "description": "Q-ENHANCED-PROPERTY\nFull IAM role ARN for cross-account role references and explicit role identification. Enables precise role targeting across AWS accounts and regions, essential for cross-account data sharing and federated access scenarios.\n\nUse cases: Cross-account role references; External role integration; Precise role identification with account/region context\n\nAWS: AWS IAM role ARN for cross-account permissions and explicit role targeting\n\nValidation: Must be valid IAM role ARN format (arn:aws:iam::account-id:role/role-name)",
223
- "type": "string"
2391
+ "bundlingImage": {
2392
+ "$ref": "#/definitions/DockerImage",
2393
+ "description": "The bundling Docker image for this runtime."
224
2394
  },
225
- "id": {
226
- "description": "Q-ENHANCED-PROPERTY\nIAM role unique identifier for role resolution using the role's AWS-generated ID. Provides the most stable role reference method that persists across role name changes and enables precise role targeting.\n\nUse cases: Stable role references across name changes; Precise role identification; Role references in automated systems\n\nAWS: AWS IAM role unique ID for stable role identification\n\nValidation: Must be valid IAM role ID format (typically AROA followed by alphanumeric characters)",
227
- "type": "string"
2395
+ "family": {
2396
+ "description": "The runtime family.",
2397
+ "enum": [
2398
+ 0,
2399
+ 1,
2400
+ 2,
2401
+ 3,
2402
+ 4,
2403
+ 5,
2404
+ 6
2405
+ ],
2406
+ "type": "number"
228
2407
  },
229
- "immutable": {
230
- "description": "Q-ENHANCED-PROPERTY\nFlag indicating whether the referenced role should be treated as immutable and not modified by MDAA operations. Prevents accidental role modifications for externally managed roles and ensures role integrity for critical system roles.\n\nUse cases: External role protection; System role preservation; Landing Zone Accelerator role integration\n\nAWS: Role modification protection flag for IAM role management\n\nValidation: Boolean value, defaults to false if not specified",
2408
+ "isVariable": {
2409
+ "description": "Enabled for runtime enums that always target the latest available.",
231
2410
  "type": "boolean"
232
2411
  },
233
2412
  "name": {
234
- "description": "Q-ENHANCED-PROPERTY\nIAM role name for role resolution within the same AWS account. Enables simple role references when the role exists in the current account and provides the most straightforward method for role identification.\n\nUse cases: Same-account role references; MDAA-generated role references; Simple role configuration\n\nAWS: AWS IAM role name for role lookup and permission assignment\n\nValidation: Must be valid IAM role name (1-64 characters, alphanumeric plus +=,.@-_ characters)",
2413
+ "description": "The name of this runtime, as expected by the Lambda resource.",
235
2414
  "type": "string"
236
2415
  },
237
- "refId": {
238
- "description": "Q-ENHANCED-PROPERTY\nUnique identifier for the role reference within a configuration scope, enabling role reference management and resolution tracking. Provides a logical name for the role reference that can be used for cross-referencing and dependency management.\n\nUse cases: Role reference tracking in complex configurations; Cross-module role dependency mapping; Configuration validation and debugging\n\nAWS: Logical identifier for IAM role references in MDAA configurations\n\nValidation: Must be unique within the configuration scope if provided; alphanumeric and hyphens recommended",
239
- "type": "string"
2416
+ "supportsCodeGuruProfiling": {
2417
+ "description": "Whether this runtime is integrated with and supported for profiling using Amazon CodeGuru Profiler.",
2418
+ "type": "boolean"
240
2419
  },
241
- "sso": {
242
- "description": "Q-ENHANCED-PROPERTY\nFlag indicating the role should be resolved as an AWS SSO auto-generated role, enabling integration with AWS Identity Center managed roles. Automatically implies immutability and enables federated access patterns for MDAA resources.\n\nUse cases: AWS Identity Center integration; Federated user access; SSO-managed role references\n\nAWS: AWS Identity Center (SSO) role resolution for federated access\n\nValidation: Boolean value, implies immutable=true when set to true",
2420
+ "supportsInlineCode": {
2421
+ "description": "Whether the ``ZipFile`` (aka inline code) property can be used with this\nruntime.",
2422
+ "type": "boolean"
2423
+ },
2424
+ "supportsSnapStart": {
2425
+ "description": "Whether this runtime supports snapstart.",
243
2426
  "type": "boolean"
244
2427
  }
245
2428
  },
2429
+ "required": [
2430
+ "bundlingImage",
2431
+ "isVariable",
2432
+ "name",
2433
+ "supportsCodeGuruProfiling",
2434
+ "supportsInlineCode",
2435
+ "supportsSnapStart"
2436
+ ],
246
2437
  "type": "object"
247
2438
  },
248
- "MdaaServiceCatalogConstraintConfig": {
2439
+ "ScheduledActionProps": {
249
2440
  "additionalProperties": false,
250
- "description": "Q-ENHANCED-INTERFACE\nConfiguration interface for AWS Service Catalog constraints that group multiple validation rules with descriptive information. Enables parameter validation and business rule enforcement for Service Catalog products.\n\nUse cases: Product parameter validation; Business rule grouping; Service Catalog compliance enforcement\n\nAWS: Configures AWS Service Catalog constraints with multiple validation rules for product provisioning\n\nValidation: description must be non-empty; rules must be object with valid constraint rule configurations",
2441
+ "description": "Scheduled action for automated Redshift cluster pause/resume.\nSupports cron-based scheduling with configurable active time windows.\n\nUse cases: Cost optimization via scheduled pause; Business-hours automation; Cluster lifecycle management\n\nAWS: Redshift scheduled actions (pauseCluster/resumeCluster)\n\nValidation: name, targetAction, schedule required; times in UTC ISO format",
251
2442
  "properties": {
252
- "description": {
253
- "description": "Q-ENHANCED-PROPERTY\nHuman-readable description explaining the purpose and scope of the Service Catalog constraint. Provides clear documentation about the validation rules and business requirements enforced by the constraint.\n\nUse cases: Constraint documentation; User guidance; Business rule explanation\n\nAWS: AWS Service Catalog constraint description for user understanding\n\nValidation: Must be non-empty descriptive text explaining the constraint purpose and scope",
2443
+ "enable": {
2444
+ "description": "Scheduled action is enabled if true",
2445
+ "type": "boolean"
2446
+ },
2447
+ "endTime": {
2448
+ "description": "The scheduled action Start Date & Time in UTC format till when the scheduled action is effective.",
254
2449
  "type": "string"
255
2450
  },
256
- "rules": {
257
- "additionalProperties": {
258
- "$ref": "#/definitions/MdaaServiceCatalogConstraintRuleConfig"
259
- },
260
- "description": "Q-ENHANCED-PROPERTY\nObject containing named constraint rules that define the validation logic for Service Catalog product parameters. Each rule can contain conditions and assertions for parameter validation.\n\nUse cases: Named validation rules; Organized constraint logic; Multiple validation scenarios\n\nAWS: AWS Service Catalog constraint rules for structured parameter validation\n\nValidation: Must be object with string keys and valid MdaaServiceCatalogConstraintRuleConfig values\n *",
261
- "type": "object"
2451
+ "name": {
2452
+ "description": "Unique name for the scheduled action.\n\nUse cases: Action identification; Operational tracking\n\nAWS: Redshift scheduled action name\n\nValidation: Required; unique string identifier",
2453
+ "type": "string"
2454
+ },
2455
+ "schedule": {
2456
+ "description": "Cron expression for schedule timing in format: cron(Minutes Hours Day-of-month Month Day-of-week Year).\n\nUse cases: Business-hours scheduling; Weekend pause; Custom timing\n\nAWS: Redshift scheduled action cron schedule\n\nValidation: Required; valid cron expression",
2457
+ "type": "string"
2458
+ },
2459
+ "startTime": {
2460
+ "description": "UTC start date/time when the schedule becomes active (ISO 8601 format).\n\nUse cases: Deferred activation; Time-bounded scheduling\n\nAWS: Redshift scheduled action start time\n\nValidation: Optional; valid UTC timestamp (e.g., '2023-12-31T00:00:00Z')",
2461
+ "type": "string"
2462
+ },
2463
+ "targetAction": {
2464
+ "description": "Target operation: 'pauseCluster' or 'resumeCluster'. resizeCluster is not supported.\n\nUse cases: Cluster pause for cost savings; Cluster resume for availability\n\nAWS: Redshift scheduled action target operation\n\nValidation: Required; 'pauseCluster' or 'resumeCluster'",
2465
+ "type": "string"
262
2466
  }
263
2467
  },
264
2468
  "required": [
265
- "description",
266
- "rules"
2469
+ "enable",
2470
+ "name",
2471
+ "schedule",
2472
+ "targetAction"
267
2473
  ],
268
2474
  "type": "object"
269
2475
  },
270
- "MdaaServiceCatalogConstraintRuleAssertionConfig": {
2476
+ "SecurityGroupReference": {
271
2477
  "additionalProperties": false,
272
- "description": "Q-ENHANCED-INTERFACE\nConfiguration interface for AWS Service Catalog constraint rule assertions that define validation logic for Service Catalog product parameters. Enables parameter validation and business rule enforcement during Service Catalog product provisioning.\n\nUse cases: Parameter validation rules; Business logic enforcement; Service Catalog product compliance\n\nAWS: Configures AWS Service Catalog constraint rules for product parameter validation during provisioning\n\nValidation: assert must be valid constraint assertion expression; description must be non-empty explanatory text",
2478
+ "description": "A reference to a SecurityGroup resource.",
273
2479
  "properties": {
274
- "assert": {
275
- "description": "Q-ENHANCED-PROPERTY\nConstraint assertion expression that defines the validation logic for Service Catalog product parameters. Uses CloudFormation intrinsic functions and conditions to validate parameter values during product provisioning.\n\nUse cases: Parameter range validation; Cross-parameter dependency checks; Business rule enforcement\n\nAWS: AWS Service Catalog constraint rule assertion for parameter validation\n\nValidation: Must be valid CloudFormation condition expression using intrinsic functions",
276
- "type": "string"
277
- },
278
- "description": {
279
- "description": "Q-ENHANCED-PROPERTY\nHuman-readable description explaining the purpose and requirements of the constraint assertion. Provides clear guidance to users about parameter validation requirements and business rules.\n\nUse cases: User guidance for parameter validation; Error message context; Business rule documentation\n\nAWS: AWS Service Catalog constraint rule description for user guidance\n\nValidation: Must be non-empty descriptive text explaining the constraint purpose",
2480
+ "securityGroupId": {
2481
+ "description": "The Id of the SecurityGroup resource.",
280
2482
  "type": "string"
281
2483
  }
282
2484
  },
283
2485
  "required": [
284
- "assert",
285
- "description"
2486
+ "securityGroupId"
286
2487
  ],
287
2488
  "type": "object"
288
2489
  },
289
- "MdaaServiceCatalogConstraintRuleCondititionConfig": {
290
- "additionalProperties": false,
291
- "type": "object"
292
- },
293
- "MdaaServiceCatalogConstraintRuleConfig": {
2490
+ "Stack": {
294
2491
  "additionalProperties": false,
295
- "description": "Q-ENHANCED-INTERFACE\nConfiguration interface for AWS Service Catalog constraint rules that combine conditions and assertions for parameter validation. Enables complex validation logic with conditional assertions based on parameter values.\n\nUse cases: Complex parameter validation; Conditional business rules; Multi-parameter validation logic\n\nAWS: Configures AWS Service Catalog constraint rules with conditions and assertions for product parameter validation\n\nValidation: condition must be valid condition config; assertions must be array of valid assertion configs",
2492
+ "description": "A root construct which represents a single CloudFormation stack.",
296
2493
  "properties": {
297
- "assertions": {
298
- "description": "Q-ENHANCED-PROPERTY\nArray of constraint assertions that define the validation logic to be applied when the condition is met. Each assertion validates specific aspects of the Service Catalog product parameters.\n\nUse cases: Multiple validation checks; parameter validation; Business rule enforcement\n\nAWS: AWS Service Catalog constraint rule assertions for parameter validation\n\nValidation: Must be array of valid MdaaServiceCatalogConstraintRuleAssertionConfig objects",
2494
+ "_crossRegionReferences": {
2495
+ "description": "Whether cross region references are enabled for this stack",
2496
+ "type": "boolean"
2497
+ },
2498
+ "_logicalIds": {
2499
+ "description": "Logical ID generation strategy"
2500
+ },
2501
+ "_missingContext": {
2502
+ "description": "Lists all missing contextual information.\nThis is returned when the stack is synthesized under the 'missing' attribute\nand allows tooling to obtain the context and re-synthesize."
2503
+ },
2504
+ "_notificationArns": {
2505
+ "description": "SNS Notification ARNs to receive stack events.",
299
2506
  "items": {
300
- "$ref": "#/definitions/MdaaServiceCatalogConstraintRuleAssertionConfig"
2507
+ "type": "string"
301
2508
  },
302
2509
  "type": "array"
303
2510
  },
304
- "condition": {
305
- "$ref": "#/definitions/MdaaServiceCatalogConstraintRuleCondititionConfig",
306
- "description": "Q-ENHANCED-PROPERTY\nCondition configuration that determines when the constraint rule assertions should be evaluated. Enables conditional validation logic based on parameter values and deployment context.\n\nUse cases: Conditional validation logic; Context-dependent rules; Parameter-dependent constraints\n\nAWS: AWS Service Catalog constraint rule condition for conditional validation\n\nValidation: Must be valid MdaaServiceCatalogConstraintRuleCondititionConfig object"
2511
+ "_stackDependencies": {
2512
+ "description": "Other stacks this stack depends on"
2513
+ },
2514
+ "_stackName": {},
2515
+ "_suppressTemplateIndentation": {
2516
+ "default": "- the value of `@aws-cdk/core:suppressTemplateIndentation`, or `false` if that is not set.",
2517
+ "description": "Enable this flag to suppress indentation in generated\nCloudFormation templates.\n\nIf not specified, the value of the `@aws-cdk/core:suppressTemplateIndentation`\ncontext key will be used. If that is not specified, then the\ndefault value `false` will be used."
2518
+ },
2519
+ "_terminationProtection": {},
2520
+ "_versionReportingEnabled": {
2521
+ "description": "Whether version reporting is enabled for this stack\n\nControls whether the CDK Metadata resource is injected",
2522
+ "type": "boolean"
2523
+ },
2524
+ "account": {
2525
+ "description": "The AWS account into which this stack will be deployed.\n\nThis value is resolved according to the following rules:\n\n1. The value provided to `env.account` when the stack is defined. This can\n either be a concrete account (e.g. `585695031111`) or the\n `Aws.ACCOUNT_ID` token.\n3. `Aws.ACCOUNT_ID`, which represents the CloudFormation intrinsic reference\n `{ \"Ref\": \"AWS::AccountId\" }` encoded as a string token.\n\nPreferably, you should use the return value as an opaque string and not\nattempt to parse it to implement your logic. If you do, you must first\ncheck that it is a concrete value an not an unresolved token. If this\nvalue is an unresolved token (`Token.isUnresolved(stack.account)` returns\n`true`), this implies that the user wishes that this stack will synthesize\ninto an **account-agnostic template**. In this case, your code should either\nfail (throw an error, emit a synth error using `Annotations.of(construct).addError()`) or\nimplement some other account-agnostic behavior.",
2526
+ "type": "string"
2527
+ },
2528
+ "addPermissionsBoundaryAspect": {
2529
+ "description": "Adds an aspect to the stack that will apply the permissions boundary.\nThis will only add the aspect if the permissions boundary has been set"
2530
+ },
2531
+ "artifactId": {
2532
+ "description": "The ID of the cloud assembly artifact for this stack.",
2533
+ "type": "string"
2534
+ },
2535
+ "availabilityZones": {
2536
+ "description": "Returns the list of AZs that are available in the AWS environment\n(account/region) associated with this stack.\n\nIf the stack is environment-agnostic (either account and/or region are\ntokens), this property will return an array with 2 tokens that will resolve\nat deploy-time to the first two availability zones returned from CloudFormation's\n`Fn::GetAZs` intrinsic function.\n\nIf they are not available in the context, returns a set of dummy values and\nreports them as missing, and let the CLI resolve them by calling EC2\n`DescribeAvailabilityZones` on the target environment.\n\nTo specify a different strategy for selecting availability zones override this method.",
2537
+ "items": {
2538
+ "type": "string"
2539
+ },
2540
+ "type": "array"
2541
+ },
2542
+ "bundlingRequired": {
2543
+ "description": "Indicates whether the stack requires bundling or not",
2544
+ "type": "boolean"
2545
+ },
2546
+ "dependencies": {
2547
+ "description": "Return the stacks this stack depends on",
2548
+ "items": {
2549
+ "$ref": "#/definitions/Stack"
2550
+ },
2551
+ "type": "array"
2552
+ },
2553
+ "environment": {
2554
+ "description": "The environment coordinates in which this stack is deployed. In the form\n`aws://account/region`. Use `stack.account` and `stack.region` to obtain\nthe specific values, no need to parse.\n\nYou can use this value to determine if two stacks are targeting the same\nenvironment.\n\nIf either `stack.account` or `stack.region` are not concrete values (e.g.\n`Aws.ACCOUNT_ID` or `Aws.REGION`) the special strings `unknown-account` and/or\n`unknown-region` will be used respectively to indicate this stack is\nregion/account-agnostic.",
2555
+ "type": "string"
2556
+ },
2557
+ "generateStackArtifactId": {
2558
+ "description": "The artifact ID for this stack\n\nStack artifact ID is unique within the App's Cloud Assembly."
2559
+ },
2560
+ "generateStackId": {
2561
+ "description": "Generate an ID with respect to the given container construct."
2562
+ },
2563
+ "generateStackName": {
2564
+ "description": "Calculate the stack name based on the construct path\n\nThe stack name is the name under which we'll deploy the stack,\nand incorporates containing Stage names by default.\n\nGenerally this looks a lot like how logical IDs are calculated.\nThe stack name is calculated based on the construct root path,\nas follows:\n\n- Path is calculated with respect to containing App or Stage (if any)\n- If the path is one component long just use that component, otherwise\n combine them with a hash.\n\nSince the hash is quite ugly and we'd like to avoid it if possible -- but\nwe can't anymore in the general case since it has been written into legacy\nstacks. The introduction of Stages makes it possible to make this nicer however.\nWhen a Stack is nested inside a Stage, we use the path components below the\nStage, and prefix the path components of the Stage before it."
2565
+ },
2566
+ "maxResources": {
2567
+ "description": "Maximum number of resources in the stack\n\nSet to 0 to mean \"unlimited\"."
2568
+ },
2569
+ "nested": {
2570
+ "description": "Indicates if this is a nested stack, in which case `parentStack` will include a reference to it's parent.",
2571
+ "type": "boolean"
2572
+ },
2573
+ "nestedStackParent": {
2574
+ "$ref": "#/definitions/Stack",
2575
+ "description": "If this is a nested stack, returns it's parent stack."
2576
+ },
2577
+ "nestedStackResource": {
2578
+ "$ref": "#/definitions/CfnResource",
2579
+ "description": "If this is a nested stack, this represents its `AWS::CloudFormation::Stack`\nresource. `undefined` for top-level (non-nested) stacks."
2580
+ },
2581
+ "node": {
2582
+ "$ref": "#/definitions/Node",
2583
+ "description": "The tree node."
2584
+ },
2585
+ "notificationArns": {
2586
+ "description": "Returns the list of notification Amazon Resource Names (ARNs) for the current stack.",
2587
+ "items": {
2588
+ "type": "string"
2589
+ },
2590
+ "type": "array"
2591
+ },
2592
+ "parseEnvironment": {
2593
+ "description": "Determine the various stack environment attributes."
2594
+ },
2595
+ "partition": {
2596
+ "description": "The partition in which this stack is defined",
2597
+ "type": "string"
2598
+ },
2599
+ "permissionsBoundaryArn": {
2600
+ "description": "If a permissions boundary has been applied on this scope or any parent scope\nthen this will return the ARN of the permissions boundary.\n\nThis will return the permissions boundary that has been applied to the most\nspecific scope.\n\nFor example:\n\nconst stage = new Stage(app, 'stage', {\n permissionsBoundary: PermissionsBoundary.fromName('stage-pb'),\n});\n\nconst stack = new Stack(stage, 'Stack', {\n permissionsBoundary: PermissionsBoundary.fromName('some-other-pb'),\n});\n\n Stack.permissionsBoundaryArn === 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/some-other-pb';"
2601
+ },
2602
+ "region": {
2603
+ "description": "The AWS region into which this stack will be deployed (e.g. `us-west-2`).\n\nThis value is resolved according to the following rules:\n\n1. The value provided to `env.region` when the stack is defined. This can\n either be a concrete region (e.g. `us-west-2`) or the `Aws.REGION`\n token.\n3. `Aws.REGION`, which is represents the CloudFormation intrinsic reference\n `{ \"Ref\": \"AWS::Region\" }` encoded as a string token.\n\nPreferably, you should use the return value as an opaque string and not\nattempt to parse it to implement your logic. If you do, you must first\ncheck that it is a concrete value an not an unresolved token. If this\nvalue is an unresolved token (`Token.isUnresolved(stack.region)` returns\n`true`), this implies that the user wishes that this stack will synthesize\ninto a **region-agnostic template**. In this case, your code should either\nfail (throw an error, emit a synth error using `Annotations.of(construct).addError()`) or\nimplement some other region-agnostic behavior.",
2604
+ "type": "string"
2605
+ },
2606
+ "resolveExportedValue": {},
2607
+ "stackDependencyReasons": {
2608
+ "description": "Check whether this stack has a (transitive) dependency on another stack\n\nReturns the list of reasons on the dependency path, or undefined\nif there is no dependency."
2609
+ },
2610
+ "stackId": {
2611
+ "description": "The ID of the stack",
2612
+ "type": "string"
2613
+ },
2614
+ "stackName": {
2615
+ "description": "The concrete CloudFormation physical stack name.\n\nThis is either the name defined explicitly in the `stackName` prop or\nallocated based on the stack's location in the construct tree. Stacks that\nare directly defined under the app use their construct `id` as their stack\nname. Stacks that are defined deeper within the tree will use a hashed naming\nscheme based on the construct path to ensure uniqueness.\n\nIf you wish to obtain the deploy-time AWS::StackName intrinsic,\nyou can use `Aws.STACK_NAME` directly.",
2616
+ "type": "string"
2617
+ },
2618
+ "synthesizer": {
2619
+ "$ref": "#/definitions/IStackSynthesizer",
2620
+ "description": "Synthesis method for this stack"
2621
+ },
2622
+ "tags": {
2623
+ "$ref": "#/definitions/TagManager",
2624
+ "description": "Tags to be applied to the stack."
2625
+ },
2626
+ "templateFile": {
2627
+ "description": "The name of the CloudFormation template file emitted to the output\ndirectory during synthesis.\n\nExample value: `MyStack.template.json`",
2628
+ "type": "string"
2629
+ },
2630
+ "templateOptions": {
2631
+ "$ref": "#/definitions/ITemplateOptions",
2632
+ "description": "Options for CloudFormation template (like version, transform, description)."
2633
+ },
2634
+ "terminationProtection": {
2635
+ "description": "Whether termination protection is enabled for this stack.",
2636
+ "type": "boolean"
2637
+ },
2638
+ "urlSuffix": {
2639
+ "description": "The Amazon domain suffix for the region in which this stack is defined",
2640
+ "type": "string"
307
2641
  }
308
2642
  },
309
2643
  "required": [
310
- "assertions",
311
- "condition"
2644
+ "_crossRegionReferences",
2645
+ "_logicalIds",
2646
+ "_missingContext",
2647
+ "_stackDependencies",
2648
+ "_stackName",
2649
+ "_suppressTemplateIndentation",
2650
+ "_terminationProtection",
2651
+ "_versionReportingEnabled",
2652
+ "account",
2653
+ "addPermissionsBoundaryAspect",
2654
+ "artifactId",
2655
+ "availabilityZones",
2656
+ "bundlingRequired",
2657
+ "dependencies",
2658
+ "environment",
2659
+ "generateStackArtifactId",
2660
+ "generateStackId",
2661
+ "generateStackName",
2662
+ "maxResources",
2663
+ "nested",
2664
+ "node",
2665
+ "notificationArns",
2666
+ "parseEnvironment",
2667
+ "partition",
2668
+ "permissionsBoundaryArn",
2669
+ "region",
2670
+ "resolveExportedValue",
2671
+ "stackDependencyReasons",
2672
+ "stackId",
2673
+ "stackName",
2674
+ "synthesizer",
2675
+ "tags",
2676
+ "templateFile",
2677
+ "templateOptions",
2678
+ "terminationProtection",
2679
+ "urlSuffix"
312
2680
  ],
313
2681
  "type": "object"
314
2682
  },
315
- "MdaaServiceCatalogParameterConfig": {
2683
+ "TagManager": {
316
2684
  "additionalProperties": false,
317
- "description": "Q-ENHANCED-INTERFACE\nConfiguration interface for AWS Service Catalog product parameters that combines CloudFormation parameter properties with optional constraint validation. Enables parameterized Service Catalog products with validation rules.\n\nUse cases: Service Catalog product parameterization; Parameter validation; User input constraints\n\nAWS: Configures AWS Service Catalog product parameters with CloudFormation properties and validation constraints\n\nValidation: props must be valid CfnParameterProps; constraints must be valid constraint configuration if provided",
2685
+ "description": "TagManager facilitates a common implementation of tagging for Constructs\n\nNormally, you do not need to use this class, as the CloudFormation specification\nwill indicate which resources are taggable. However, sometimes you will need this\nto make custom resources taggable. Used `tagManager.renderedTags` to obtain a\nvalue that will resolve to the tags at synthesis time.",
318
2686
  "properties": {
319
- "constraints": {
320
- "$ref": "#/definitions/MdaaServiceCatalogConstraintConfig",
321
- "description": "Q-ENHANCED-PROPERTY\nOptional constraint configuration that defines additional validation rules for the Service Catalog product parameter. Enables business rule enforcement and complex parameter validation beyond basic CloudFormation constraints.\n\nUse cases: Advanced parameter validation; Business rule enforcement; Cross-parameter validation\n\nAWS: AWS Service Catalog parameter constraints for enhanced validation during provisioning\n\nValidation: Must be valid MdaaServiceCatalogConstraintConfig object if provided"
2687
+ "_setTag": {},
2688
+ "didHaveInitialTags": {},
2689
+ "dynamicTags": {},
2690
+ "externalTagPriority": {},
2691
+ "parseExternalTags": {
2692
+ "description": "Parse external tags.\n\nSet the parseable ones into this tag manager. Save the rest (tokens, lazies) in `this.dynamicTags`."
322
2693
  },
323
- "props": {
324
- "$ref": "#/definitions/CfnParameterProps",
325
- "description": "Q-ENHANCED-PROPERTY\nCloudFormation parameter properties that define the parameter characteristics including type, default value, and allowed values. Provides the foundational parameter definition for Service Catalog products.\n\nUse cases: Parameter type definition; Default value specification; Allowed value constraints\n\nAWS: AWS CloudFormation parameter properties for Service Catalog product parameters\n\nValidation: Must be valid CfnParameterProps object with required CloudFormation parameter properties"
326
- }
2694
+ "priorities": {},
2695
+ "renderedTags": {
2696
+ "$ref": "#/definitions/IResolvable",
2697
+ "description": "A lazy value that represents the rendered tags at synthesis time\n\nIf you need to make a custom construct taggable, use the value of this\nproperty to pass to the `tags` property of the underlying construct."
2698
+ },
2699
+ "resourceTypeName": {},
2700
+ "sortedTags": {},
2701
+ "tagFormatter": {},
2702
+ "tagPropertyName": {
2703
+ "description": "The property name for tag values\n\nNormally this is `tags` but some resources choose a different name. Cognito\nUserPool uses UserPoolTags",
2704
+ "type": "string"
2705
+ },
2706
+ "tags": {}
327
2707
  },
328
2708
  "required": [
329
- "props"
2709
+ "_setTag",
2710
+ "didHaveInitialTags",
2711
+ "externalTagPriority",
2712
+ "parseExternalTags",
2713
+ "priorities",
2714
+ "renderedTags",
2715
+ "resourceTypeName",
2716
+ "sortedTags",
2717
+ "tagFormatter",
2718
+ "tagPropertyName",
2719
+ "tags"
330
2720
  ],
331
2721
  "type": "object"
332
2722
  },
333
- "MdaaServiceCatalogProductConfig": {
2723
+ "Version": {
334
2724
  "additionalProperties": false,
335
- "description": "Q-ENHANCED-INTERFACE\nConfiguration interface for AWS Service Catalog product deployment that specifies portfolio association, ownership, and parameterization. Enables MDAA modules to be deployed as self-service Service Catalog products with controlled access and validation.\n\nUse cases: Self-service infrastructure deployment; Controlled resource provisioning; Parameterized product offerings\n\nAWS: Configures AWS Service Catalog products for self-service deployment of MDAA modules with portfolio management\n\nValidation: portfolio_arn must be valid Service Catalog portfolio ARN; owner and name must be non-empty strings",
2725
+ "description": "Tag the current state of a Function with a Version number\n\nAvoid using this resource directly. If you need a Version object, use\n`function.currentVersion` instead. That will add a Version object to your\ntemplate, and make sure the Version is invalidated whenever the Function\nobject changes. If you use the `Version` resource directly, you are\nresponsible for making sure it is invalidated (by changing its\nlogical ID) whenever necessary.\n\nVersion resources can then be used in `Alias` resources to refer to a\nparticular deployment of a Lambda.\n\nIf you want to ensure that you're associating the right version with\nthe right deployment, specify the `codeSha256` property while\ncreating the `Version.",
336
2726
  "properties": {
337
- "launch_role_name": {
338
- "description": "Q-ENHANCED-PROPERTY\nOptional IAM role name that will be used to launch the Service Catalog product. Enables controlled permissions for product provisioning and resource creation with specific IAM role constraints.\n\nUse cases: Controlled provisioning permissions; IAM role-based access; Security constraint enforcement\n\nAWS: AWS Service Catalog launch role for controlled product provisioning permissions\n\nValidation: Must be valid IAM role name if provided",
2727
+ "_allowCrossEnvironment": {},
2728
+ "_connections": {
2729
+ "$ref": "#/definitions/Connections",
2730
+ "description": "Actual connections object for this Lambda\n\nMay be unset, in which case this Lambda is not configured use in a VPC."
2731
+ },
2732
+ "_functionUrlInvocationGrants": {
2733
+ "$ref": "#/definitions/Record%3Cstring%2CGrant%3E",
2734
+ "description": "Mapping of function URL invocation principals to grants. Used to de-dupe `grantInvokeUrl()` calls."
2735
+ },
2736
+ "_hasAddedArrayTokenStatements": {
2737
+ "description": "Track whether we've added statements with array token resources to the role's default policy"
2738
+ },
2739
+ "_hasAddedLiteralStatements": {
2740
+ "description": "Track whether we've added statements with literal resources to the role's default policy"
2741
+ },
2742
+ "_invocationGrants": {
2743
+ "$ref": "#/definitions/Record%3Cstring%2CGrant%3E",
2744
+ "description": "Mapping of invocation principals to grants. Used to de-dupe `grantInvoke()` calls."
2745
+ },
2746
+ "_latestVersion": {},
2747
+ "_physicalName": {},
2748
+ "_policyCounter": {
2749
+ "description": "The number of permissions added to this function"
2750
+ },
2751
+ "_skipPermissions": {
2752
+ "description": "Whether the user decides to skip adding permissions.\nThe only use case is for cross-account, imported lambdas\nwhere the user commits to modifying the permisssions\non the imported lambda outside CDK.",
2753
+ "type": "boolean"
2754
+ },
2755
+ "_warnIfCurrentVersionCalled": {
2756
+ "description": "Flag to delay adding a warning message until current version is invoked.",
2757
+ "type": "boolean"
2758
+ },
2759
+ "architecture": {
2760
+ "$ref": "#/definitions/Architecture",
2761
+ "description": "The architecture of this Lambda Function."
2762
+ },
2763
+ "canCreatePermissions": {
2764
+ "const": true,
2765
+ "default": true,
2766
+ "description": "Whether the addPermission() call adds any permissions\n\nTrue for new Lambdas, false for version $LATEST and imported Lambdas\nfrom different accounts.",
2767
+ "type": "boolean"
2768
+ },
2769
+ "connections": {
2770
+ "$ref": "#/definitions/Connections",
2771
+ "description": "Access the Connections object\n\nWill fail if not a VPC-enabled Lambda Function"
2772
+ },
2773
+ "determineProvisionedConcurrency": {
2774
+ "description": "Validate that the provisionedConcurrentExecutions makes sense\n\nMember must have value greater than or equal to 1"
2775
+ },
2776
+ "edgeArn": {
2777
+ "description": "The ARN of the version for Lambda@Edge.",
339
2778
  "type": "string"
340
2779
  },
341
- "name": {
342
- "description": "Q-ENHANCED-PROPERTY\nDisplay name for the Service Catalog product that will be visible to end users in the Service Catalog console. Should be descriptive and user-friendly to facilitate product discovery and selection.\n\nUse cases: Product identification; User-friendly naming; Service Catalog console display\n\nAWS: AWS Service Catalog product name for user interface display\n\nValidation: Must be non-empty string suitable for Service Catalog product naming",
2780
+ "env": {
2781
+ "$ref": "#/definitions/ResourceEnvironment",
2782
+ "description": "The environment this resource belongs to.\nFor resources that are created and managed by the CDK\n(generally, those created by creating new class instances like Role, Bucket, etc.),\nthis is always the same as the environment of the stack they belong to;\nhowever, for imported resources\n(those obtained from static methods like fromRoleArn, fromBucketName, etc.),\nthat might be different than the stack they were imported into."
2783
+ },
2784
+ "functionArn": {
2785
+ "description": "The ARN fo the function.",
343
2786
  "type": "string"
344
2787
  },
345
- "owner": {
346
- "description": "Q-ENHANCED-PROPERTY\nOwner identifier for the Service Catalog product, typically representing the team or organization responsible for the product. Provides accountability and contact information for product management.\n\nUse cases: Product ownership identification; Contact information; Responsibility assignment\n\nAWS: AWS Service Catalog product owner for accountability and management\n\nValidation: Must be non-empty string identifying the product owner",
2788
+ "functionName": {
2789
+ "description": "The name of the function.",
347
2790
  "type": "string"
348
2791
  },
349
- "parameters": {
350
- "additionalProperties": {
351
- "$ref": "#/definitions/MdaaServiceCatalogParameterConfig"
2792
+ "functionRef": {
2793
+ "$ref": "#/definitions/FunctionReference",
2794
+ "description": "A reference to a Function resource."
2795
+ },
2796
+ "grant": {},
2797
+ "grantPrincipal": {
2798
+ "$ref": "#/definitions/IPrincipal",
2799
+ "description": "The principal this Lambda Function is running as"
2800
+ },
2801
+ "isBoundToVpc": {
2802
+ "description": "Whether or not this Lambda function was bound to a VPC\n\nIf this is is `false`, trying to access the `connections` object will fail.",
2803
+ "type": "boolean"
2804
+ },
2805
+ "isPrincipalWithConditions": {},
2806
+ "lambda": {
2807
+ "$ref": "#/definitions/IFunction",
2808
+ "description": "The underlying `IFunction`"
2809
+ },
2810
+ "latestVersion": {
2811
+ "$ref": "#/definitions/IVersion",
2812
+ "description": "The `$LATEST` version of this function.\n\nNote that this is reference to a non-specific AWS Lambda version, which\nmeans the function this version refers to can return different results in\ndifferent invocations.\n\nTo obtain a reference to an explicit version which references the current\nfunction configuration, use `lambdaFunction.currentVersion` instead."
2813
+ },
2814
+ "node": {
2815
+ "$ref": "#/definitions/Node",
2816
+ "description": "The tree node."
2817
+ },
2818
+ "parsePermissionPrincipal": {
2819
+ "description": "Translate IPrincipal to something we can pass to AWS::Lambda::Permissions\n\nDo some nasty things because `Permission` supports a subset of what the\nfull IAM principal language supports, and we may not be able to parse strings\noutright because they may be tokens.\n\nTry to recognize some specific Principal classes first, then try a generic\nfallback."
2820
+ },
2821
+ "permissionsNode": {
2822
+ "$ref": "#/definitions/Node",
2823
+ "description": "The construct node where permissions are attached."
2824
+ },
2825
+ "physicalName": {
2826
+ "description": "Returns a string-encoded token that resolves to the physical name that\nshould be passed to the CloudFormation resource.\n\nThis value will resolve to one of the following:\n- a concrete value (e.g. `\"my-awesome-bucket\"`)\n- `undefined`, when a name should be generated by CloudFormation\n- a concrete name generated automatically during synthesis, in\n cross-environment scenarios.",
2827
+ "type": "string"
2828
+ },
2829
+ "qualifier": {
2830
+ "description": "The qualifier of the version or alias of this function.\nA qualifier is the identifier that's appended to a version or alias ARN.",
2831
+ "type": "string"
2832
+ },
2833
+ "resourceArnsForGrantInvoke": {
2834
+ "description": "The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke()",
2835
+ "items": {
2836
+ "type": "string"
352
2837
  },
353
- "description": "Q-ENHANCED-PROPERTY\nOptional object containing named parameter configurations for the Service Catalog product. Enables parameterized product deployment with validation rules and user input constraints.\n\nUse cases: Product parameterization; User input collection; Deployment customization\n\nAWS: AWS Service Catalog product parameters for user-configurable deployment options\n\nValidation: Must be object with string keys and valid MdaaServiceCatalogParameterConfig values if provided\n *",
354
- "type": "object"
2838
+ "type": "array"
355
2839
  },
356
- "portfolio_arn": {
357
- "description": "Q-ENHANCED-PROPERTY\nARN of the AWS Service Catalog portfolio where the product will be associated. Determines access control and organizational structure for the Service Catalog product deployment.\n\nUse cases: Portfolio organization; Access control; Product categorization\n\nAWS: AWS Service Catalog portfolio ARN for product association and access management\n\nValidation: Must be valid AWS Service Catalog portfolio ARN format",
2840
+ "role": {
2841
+ "$ref": "#/definitions/IRole",
2842
+ "description": "The IAM role associated with this function.\n\nUndefined if the function was imported without a role."
2843
+ },
2844
+ "stack": {
2845
+ "$ref": "#/definitions/Stack",
2846
+ "description": "The stack in which this resource is defined."
2847
+ },
2848
+ "statementHasArrayTokens": {
2849
+ "description": "Check if a policy statement contains array tokens that would cause CloudFormation\nresolution conflicts when mixed with literal arrays in the same policy document.\n\nArray tokens are created by CloudFormation intrinsic functions that return arrays,\nsuch as Fn::Split, Fn::GetAZs, etc. These cannot be safely merged with literal\nresource arrays due to CloudFormation's token resolution limitations.\n\nIndividual string tokens within literal arrays (e.g., `[\"arn:${token}:...\"]`) are\nsafe and do not cause conflicts, so they are not detected by this method."
2850
+ },
2851
+ "validateConditionCombinations": {},
2852
+ "validateConditions": {},
2853
+ "version": {
2854
+ "description": "The most recently deployed version of this function.",
358
2855
  "type": "string"
2856
+ },
2857
+ "versionRef": {
2858
+ "$ref": "#/definitions/VersionReference",
2859
+ "description": "A reference to a Version resource."
359
2860
  }
360
2861
  },
361
2862
  "required": [
362
- "name",
363
- "owner",
364
- "portfolio_arn"
2863
+ "_allowCrossEnvironment",
2864
+ "_functionUrlInvocationGrants",
2865
+ "_hasAddedArrayTokenStatements",
2866
+ "_hasAddedLiteralStatements",
2867
+ "_invocationGrants",
2868
+ "_physicalName",
2869
+ "_policyCounter",
2870
+ "_warnIfCurrentVersionCalled",
2871
+ "architecture",
2872
+ "canCreatePermissions",
2873
+ "connections",
2874
+ "determineProvisionedConcurrency",
2875
+ "edgeArn",
2876
+ "env",
2877
+ "functionArn",
2878
+ "functionName",
2879
+ "functionRef",
2880
+ "grant",
2881
+ "grantPrincipal",
2882
+ "isBoundToVpc",
2883
+ "isPrincipalWithConditions",
2884
+ "lambda",
2885
+ "latestVersion",
2886
+ "node",
2887
+ "parsePermissionPrincipal",
2888
+ "permissionsNode",
2889
+ "physicalName",
2890
+ "qualifier",
2891
+ "resourceArnsForGrantInvoke",
2892
+ "stack",
2893
+ "statementHasArrayTokens",
2894
+ "validateConditionCombinations",
2895
+ "validateConditions",
2896
+ "version",
2897
+ "versionRef"
365
2898
  ],
366
2899
  "type": "object"
367
2900
  },
368
- "Record<string,string>": {
369
- "additionalProperties": false,
370
- "type": "object"
371
- },
372
- "ScheduledActionProps": {
2901
+ "VersionReference": {
373
2902
  "additionalProperties": false,
374
- "description": "Q-ENHANCED-INTERFACE\nRedshift scheduled action configuration interface for automated cluster management with pause/resume scheduling and cron-based timing. Defines scheduled action properties for cost optimization through automated cluster lifecycle management including pause and resume operations based on business hours and usage patterns.\n\nUse cases: Cost optimization automation; Cluster lifecycle management; Business hours scheduling; Automated pause/resume; Resource cost control; Usage-based scheduling\n\nAWS: Amazon Redshift scheduled actions with cron scheduling for automated cluster pause and resume operations for cost optimization\n\nValidation: name must be valid scheduled action identifier; targetAction must be 'pauseCluster' or 'resumeCluster'; schedule must be valid cron expression; dates must be valid UTC timestamps",
2903
+ "description": "A reference to a Version resource.",
375
2904
  "properties": {
376
- "enable": {
377
- "description": "Scheduled action is enabled if true",
378
- "type": "boolean"
379
- },
380
- "endTime": {
381
- "description": "The scheduled action Start Date & Time in UTC format till when the scheduled action is effective.",
382
- "type": "string"
383
- },
384
- "name": {
385
- "description": "Q-ENHANCED-PROPERTY\nRequired unique name identifier for the Redshift scheduled action enabling action identification and management. Provides a descriptive name for the scheduled action that will be used for tracking, logging, and management of automated cluster operations within the Redshift environment.\n\nUse cases: Action identification; Scheduled action management; Logging and tracking; Action naming; Operational visibility\n\nAWS: Amazon Redshift scheduled action name for action identification and management\n\nValidation: Must be unique string identifier; required for scheduled action creation and management",
386
- "type": "string"
387
- },
388
- "schedule": {
389
- "description": "Q-ENHANCED-PROPERTY\nRequired cron expression defining the schedule for Redshift scheduled action execution enabling precise timing control. Specifies when the scheduled action will be executed using standard cron format for flexible scheduling based on business hours, usage patterns, and cost optimization requirements.\n\nUse cases: Business hours scheduling; Cost optimization timing; Usage pattern alignment; Automated scheduling; Precise timing control\n\nAWS: Amazon Redshift scheduled action cron schedule for automated execution timing\n\nValidation: Must be valid cron expression; required for scheduled action timing specification",
390
- "type": "string"
391
- },
392
- "startTime": {
393
- "description": "Q-ENHANCED-PROPERTY\nOptional start date and time in UTC format defining when the Redshift scheduled action becomes effective enabling time-bounded scheduling. Specifies the earliest date and time when the scheduled action will begin executing, providing control over when automated cluster operations start.\n\nUse cases: Time-bounded scheduling; Action activation timing; Scheduled start control; Deployment timing; Operational planning\n\nAWS: Amazon Redshift scheduled action start time for time-bounded execution control\n\nValidation: Must be valid UTC timestamp if provided; optional for scheduled action start time control",
394
- "type": "string"
395
- },
396
- "targetAction": {
397
- "description": "Q-ENHANCED-PROPERTY\nRequired target action type for Redshift scheduled action specifying the cluster operation to be performed. Defines the specific action that will be executed on the Redshift cluster, typically either pausing or resuming the cluster for cost optimization and resource management.\n\nUse cases: Cluster pause operations; Cluster resume operations; Cost optimization automation; Resource lifecycle management\n\nAWS: Amazon Redshift scheduled action target operation for automated cluster lifecycle management\n\nValidation: Must be \"pauseCluster\" or \"resumeCluster\"; required for scheduled action operation specification",
2905
+ "functionArn": {
2906
+ "description": "The FunctionArn of the Version resource.",
398
2907
  "type": "string"
399
2908
  }
400
2909
  },
401
2910
  "required": [
402
- "enable",
403
- "name",
404
- "schedule",
405
- "targetAction"
2911
+ "functionArn"
406
2912
  ],
407
2913
  "type": "object"
408
2914
  }
409
2915
  },
410
2916
  "properties": {
411
2917
  "additionalBucketKmsKeyArns": {
412
- "description": "Q-ENHANCED-PROPERTY\nOptional additional KMS key ARNs for cluster bucket encryption enabling multi-key encryption scenarios and cross-account access. Provides additional KMS keys that can be used for writing to the cluster bucket beyond the default cluster encryption key.\n\nUse cases: Multi-key encryption; Cross-account access; Additional encryption keys; Flexible key management\n\nAWS: AWS KMS key ARNs for additional cluster bucket encryption and access control\n\nValidation: Must be array of valid KMS key ARNs if provided; keys must be accessible for bucket operations",
2918
+ "description": "Additional KMS key ARNs allowed to write to the cluster bucket.\nUseful for allowing Glue jobs or other services to write encrypted data to the warehouse bucket.\n\nUse cases: Cross-service encryption; Glue job integration; Multi-key bucket access\n\nAWS: KMS key ARNs for warehouse bucket encryption\n\nValidation: Optional; array of valid KMS key ARNs",
413
2919
  "items": {
414
2920
  "type": "string"
415
2921
  },
416
2922
  "type": "array"
417
2923
  },
418
2924
  "adminPasswordRotationDays": {
419
- "description": "Q-ENHANCED-PROPERTY\nRequired number of days between automatic admin password rotations for enhanced security compliance. Enables automated credential management and compliance with password rotation policies for improved cluster security posture.\n\nUse cases: Automated credential rotation; Security policy compliance; Password management automation\n\nAWS: Amazon Redshift automatic password rotation configuration for security management\n\nValidation: Must be positive integer; required; defines password rotation frequency for security compliance",
2925
+ "description": "Days between automatic admin password rotations via Secrets Manager.\n\nUse cases: Automated credential rotation; Security compliance; Password policy enforcement\n\nAWS: Redshift admin password rotation via Secrets Manager\n\nValidation: Required; positive integer",
420
2926
  "type": "number"
421
2927
  },
422
2928
  "adminUsername": {
423
- "description": "Q-ENHANCED-PROPERTY\nRequired admin username for the Redshift cluster providing administrative access to the data warehouse. Defines the master user account for cluster administration, database management, and initial user provisioning.\n\nUse cases: Cluster administration; Database management; Initial user provisioning\n\nAWS: Amazon Redshift cluster master username for administrative access and database management\n\nValidation: Must be valid Redshift username; required; used for cluster administrative access",
2929
+ "description": "Admin username for the Redshift cluster. A secret is automatically generated for the password.\n\nUse cases: Cluster administration; Database management; Initial user provisioning\n\nAWS: Redshift cluster master username\n\nValidation: Required; valid Redshift username",
424
2930
  "type": "string"
425
2931
  },
426
2932
  "automatedSnapshotRetentionDays": {
427
- "description": "Q-ENHANCED-PROPERTY\nOptional retention period for automated snapshots enabling backup management and data protection. Specifies the number of days automated snapshots are retained for point-in-time recovery and data protection requirements.\n\nUse cases: Backup management; Data protection; Point-in-time recovery; Compliance requirements\n\nAWS: Amazon Redshift automated snapshot retention for backup management and data protection\n\nValidation: Must be positive integer if specified; defines snapshot retention period for backup management",
2933
+ "default": 1,
2934
+ "description": "Number of days automated snapshots are retained (1-35). Set to 0 to disable.\n\nUse cases: Backup management; Point-in-time recovery; Data protection compliance\n\nAWS: Redshift automated snapshot retention\n\nValidation: Optional; integer 0-35",
428
2935
  "type": "number"
429
2936
  },
2937
+ "backupRegion": {
2938
+ "description": "Target region for cross-region snapshot copies. When set, enables cross-region snapshot copy to this region.\n\nUse cases: Disaster recovery; Cross-region backup; Business continuity\n\nAWS: Redshift snapshot copy destination region\n\nValidation: Optional; valid AWS region string, must differ from the deployment region",
2939
+ "type": "string"
2940
+ },
430
2941
  "clusterPort": {
431
- "description": "Q-ENHANCED-PROPERTY\nOptional cluster port number for client connections enabling custom port configuration and network security. Defines the TCP port on which the Redshift cluster accepts client connections, supporting custom networking requirements and security configurations.\n\nUse cases: Custom port configuration; Network security; Client connection management; Port standardization\n\nAWS: Amazon Redshift cluster port configuration for client connection management\n\nValidation: Must be valid port number if specified; defaults to 5440; must be accessible through security groups",
2942
+ "default": 5440,
2943
+ "description": "TCP port for client connections to the cluster.\n\nUse cases: Custom port configuration; Network security; Port standardization\n\nAWS: Redshift cluster listening port\n\nValidation: Optional; valid port number; must be in range 5431-5455 or 8191-8215 when multiAz is true",
432
2944
  "type": "number"
433
2945
  },
434
2946
  "createWarehouseBucket": {
435
- "description": "Q-ENHANCED-PROPERTY\nOptional flag controlling data warehouse bucket creation for cluster storage operations. When enabled (default), creates dedicated S3 bucket for data warehouse operations including data loading, unloading, and backup storage.\n\nUse cases: Storage resource management; Data operations; Backup storage; ETL operations\n\nAWS: Amazon S3 bucket creation for Redshift data warehouse storage operations\n\nValidation: Boolean value; defaults to true; creates dedicated warehouse bucket when enabled",
2947
+ "default": true,
2948
+ "description": "Control whether a dedicated S3 bucket is created for warehouse data operations\n(loading, unloading, backup).\n\nUse cases: Storage resource management; Data operations; Bucket lifecycle control\n\nAWS: S3 bucket for Redshift data warehouse operations\n\nValidation: Optional; boolean",
436
2949
  "type": "boolean"
437
2950
  },
438
2951
  "dataAdminRoles": {
439
- "description": "Q-ENHANCED-PROPERTY\nRequired array of admin role references with full access to cluster resources including KMS keys and S3 buckets. Provides administrative permissions for data warehouse management, security administration, and resource access control.\n\nUse cases: Administrative access control; Security management; Resource administration\n\nAWS: AWS IAM roles with full Redshift cluster and resource access permissions\n\nValidation: Must be array of valid MdaaRoleRef objects; required; roles receive full cluster access",
2952
+ "description": "Admin roles granted full access to cluster resources including KMS keys and S3 buckets.\n\nUse cases: Administrative access control; Security management; Resource administration\n\nAWS: IAM roles with full Redshift cluster and resource access\n\nValidation: Required; array of valid MdaaRoleRef",
440
2953
  "items": {
441
2954
  "$ref": "#/definitions/MdaaRoleRef"
442
2955
  },
443
2956
  "type": "array"
444
2957
  },
445
2958
  "databaseUsers": {
446
- "description": "Q-ENHANCED-PROPERTY\nOptional database users for automated user creation and credential management enabling secure user provisioning and rotation. Creates database users in Redshift with automated credential storage and rotation through Secrets Manager and SSM.\n\nUse cases: Automated user provisioning; Credential management; Security automation; User lifecycle management\n\nAWS: Amazon Redshift database users with Secrets Manager and SSM integration for credential management\n\nValidation: Must be array of valid DatabaseUsersProps if provided; enables automated user and credential management\n *",
2959
+ "description": "Database users created in Redshift with credentials stored in Secrets Manager.\nSupports automated secret rotation on a configurable cycle.\n\nUse cases: Automated user provisioning; Credential management; Secret rotation\n\nAWS: Redshift database users with Secrets Manager credential storage and rotation\n\nValidation: Optional; array of valid DatabaseUsersProps",
447
2960
  "items": {
448
2961
  "$ref": "#/definitions/DatabaseUsersProps"
449
2962
  },
450
2963
  "type": "array"
451
2964
  },
452
2965
  "dbName": {
453
- "description": "Q-ENHANCED-PROPERTY\nOptional database name for initial database creation enabling custom database naming and organization. Specifies the name of the initial database created in the cluster, supporting custom naming conventions and database organization.\n\nUse cases: Custom database naming; Database organization; Initial database setup; Naming conventions\n\nAWS: Amazon Redshift initial database name for cluster database creation and organization\n\nValidation: Must be valid database name if specified; defaults to \"default_db\"; used for initial database creation",
2966
+ "default": "default_db",
2967
+ "description": "Initial database name created in the cluster.\n\nUse cases: Custom database naming; Initial database setup\n\nAWS: Redshift initial database\n\nValidation: Optional; valid database name",
454
2968
  "type": "string"
455
2969
  },
456
2970
  "enableAuditLoggingToS3": {
457
- "description": "Q-ENHANCED-PROPERTY\nRequired flag enabling audit logging to S3 for compliance and security monitoring. When enabled, creates dedicated S3 bucket for Redshift audit logs with SSE-S3 encryption as required by Redshift audit logging constraints.\n\nUse cases: Compliance auditing; Security monitoring; Audit trail management\n\nAWS: Amazon Redshift audit logging to S3 for compliance and security monitoring\n\nValidation: Boolean value; required; creates SSE-S3 encrypted audit bucket when enabled",
2971
+ "description": "Enable audit logging to a dedicated S3 bucket. The audit bucket uses SSE-S3 encryption\n(not KMS) due to Redshift audit logging requirements.\n\nUse cases: Compliance auditing; Security monitoring; User activity tracking\n\nAWS: Redshift audit logging to S3 with SSE-S3 encryption\n\nValidation: Required; boolean",
458
2972
  "type": "boolean"
459
2973
  },
460
2974
  "eventNotifications": {
461
2975
  "$ref": "#/definitions/EventNotificationsProps",
462
- "description": "Q-ENHANCED-PROPERTY\nOptional event notification configuration for cluster and scheduled action monitoring enabling operational awareness and alerting. Configures SNS notifications for cluster events and scheduled action status for operational monitoring.\n\nUse cases: Operational monitoring; Event alerting; Cluster status tracking; Automated notifications\n\nAWS: Amazon SNS notifications for Redshift cluster events and operational monitoring\n\nValidation: Must be valid EventNotificationsProps if provided; enables cluster event monitoring and alerting"
2976
+ "description": "Event notification configuration for cluster and scheduled action monitoring.\nConfigures SNS notifications with email delivery, severity filtering, and event category selection.\n\nUse cases: Operational monitoring; Event alerting; Cluster status tracking\n\nAWS: SNS notifications for Redshift cluster events\n\nValidation: Optional; valid EventNotificationsProps"
463
2977
  },
464
2978
  "executionRoles": {
465
- "description": "Q-ENHANCED-PROPERTY\nOptional array of external execution role references for Redshift cluster operations and integrations. Enables cluster to assume external roles for cross-service operations, data access, and integration with other AWS services.\n\nUse cases: Cross-service operations; External data access; Service integration workflows\n\nAWS: AWS IAM roles for Redshift cluster cross-service operations and integrations\n\nValidation: Must be array of valid MdaaRoleRef objects if provided; roles must be assumable by Redshift service",
2979
+ "description": "External execution roles associated with the Redshift cluster for cross-service operations.\nIf a role also needs warehouse bucket access, add it to warehouseBucketUserRoles explicitly.\n\nUse cases: Cross-service integrations; External data access; Glue/Lambda integration\n\nAWS: IAM execution roles associated with the Redshift cluster\n\nValidation: Optional; array of valid MdaaRoleRef; roles must be assumable by Redshift",
466
2980
  "items": {
467
2981
  "$ref": "#/definitions/MdaaRoleRef"
468
2982
  },
469
2983
  "type": "array"
470
2984
  },
471
2985
  "federations": {
472
- "description": "Q-ENHANCED-PROPERTY\nOptional array of federation configurations for SAML or OIDC identity provider integration with the data warehouse. Enables federated access to Redshift through external identity providers for centralized identity management and SSO capabilities.\n\nUse cases: SAML federation setup; OIDC provider integration; Centralized identity management for data warehouse access\n\nAWS: AWS IAM identity provider configuration for federated Redshift access and SSO integration\n\nValidation: Must be array of valid FederationProps if provided; enables federated authentication when specified",
2986
+ "description": "SAML or OIDC federation configurations for federated Redshift access.\nEach federation creates an IAM role with SAML trust for dynamic credential generation\nand group-based cluster access.\n\nUse cases: SAML federation setup; SSO integration; Federated cluster access\n\nAWS: IAM SAML identity provider roles for Redshift federated access\n\nValidation: Optional; array of valid FederationProps",
473
2987
  "items": {
474
2988
  "$ref": "#/definitions/FederationProps"
475
2989
  },
476
2990
  "type": "array"
477
2991
  },
2992
+ "multiAz": {
2993
+ "description": "Enable multi-AZ deployment for high availability.\n\nUse cases: High availability; Fault tolerance; Production deployments\n\nAWS: Redshift multi-AZ deployment\n\nValidation: Optional; boolean. When true, requires: numberOfNodes >= 2, subnetIds in >= 3 AZs,\nclusterPort in range 5431-5455 or 8191-8215, and pause/resume scheduled actions are not supported.",
2994
+ "type": "boolean"
2995
+ },
478
2996
  "multiNode": {
479
- "description": "Q-ENHANCED-PROPERTY\nOptional flag controlling cluster node configuration for single-node or multi-node deployment. When true, creates multi-node cluster for distributed processing; when false, creates single-node cluster for development or small workloads.\n\nUse cases: Cluster architecture selection; Development vs production deployment; Cost optimization; Performance scaling\n\nAWS: Amazon Redshift cluster type configuration for single-node or multi-node deployment\n\nValidation: Boolean value; determines cluster architecture and node distribution; affects performance and cost",
2997
+ "description": "Multi-node cluster flag. When true, creates a multi-node cluster for distributed processing;\nwhen false, creates a single-node cluster for development or small workloads.\n\nUse cases: Cluster architecture selection; Dev vs production deployment; Cost optimization\n\nAWS: Redshift cluster type (single-node or multi-node)\n\nValidation: Optional; boolean",
480
2998
  "type": "boolean"
481
2999
  },
482
3000
  "nag_suppressions": {
@@ -484,26 +3002,38 @@
484
3002
  "description": "Q-ENHANCED-PROPERTY\nOptional CDK Nag suppression configurations for compliance rule management enabling controlled security rule exceptions and compliance documentation. Provides structured approach to managing security rule suppressions with proper justification and documentation for compliance auditing.\n\nUse cases: Compliance management; Security rule exceptions; Audit documentation; Controlled suppressions\n\nAWS: CDK Nag suppressions for compliance rule management and security exception documentation\n\nValidation: Must be valid MdaaNagSuppressionConfigs if provided; enables structured compliance rule management"
485
3003
  },
486
3004
  "nodeType": {
487
- "description": "Q-ENHANCED-PROPERTY\nRequired node type specification determining compute and storage capacity for cluster nodes. Controls the underlying EC2 instance type and affects performance, storage, and cost characteristics of the data warehouse.\n\nUse cases: Performance optimization; Cost management; Workload-specific sizing\n\nAWS: Amazon Redshift node type for compute and storage capacity configuration\n\nValidation: Must be valid Redshift node type; required; determines cluster compute and storage capacity",
3005
+ "description": "Redshift node type determining compute and storage capacity (e.g., RA3_4XLARGE).\n\nUse cases: Performance sizing; Cost optimization; Workload-specific capacity\n\nAWS: Redshift node type (instance type)\n\nValidation: Required; valid Redshift node type string",
488
3006
  "type": "string"
489
3007
  },
490
3008
  "numberOfNodes": {
491
- "description": "Q-ENHANCED-PROPERTY\nRequired number of nodes for the Redshift cluster determining total compute capacity and parallel processing capability. Controls cluster size and affects performance, cost, and data distribution characteristics.\n\nUse cases: Cluster sizing; Performance scaling; Cost optimization\n\nAWS: Amazon Redshift cluster node count for compute capacity and parallel processing\n\nValidation: Must be positive integer; required; determines cluster size and processing capacity",
3009
+ "description": "Number of nodes in the Redshift cluster.\n\nUse cases: Cluster sizing; Performance scaling; Cost management\n\nAWS: Redshift cluster node count\n\nValidation: Required; positive integer; must be >= 2 when multiAz is true",
492
3010
  "type": "number"
493
3011
  },
494
3012
  "parameterGroupParams": {
495
- "$ref": "#/definitions/Record%3Cstring%2Cstring%3E",
496
- "description": "Q-ENHANCED-PROPERTY\nOptional parameter group parameters for cluster configuration customization enabling performance tuning and operational optimization. Provides additional cluster parameters while security-sensitive values are automatically overridden for compliance and security.\n\nUse cases: Performance tuning; Operational optimization; Custom cluster configuration; Workload-specific settings\n\nAWS: Amazon Redshift parameter group configuration for cluster customization and optimization\n\nValidation: Must be object with string key-value pairs if provided; security-sensitive values will be overridden\n *"
3013
+ "additionalProperties": {
3014
+ "type": "string"
3015
+ },
3016
+ "description": "Additional cluster parameter group parameters for performance tuning.\nSecurity-sensitive values are automatically overridden for compliance (e.g., SSL enforcement).\n\nUse cases: Performance tuning; Custom cluster configuration; Workload optimization\n\nAWS: Redshift parameter group parameters\n\nValidation: Optional; string key-value pairs",
3017
+ "type": "object"
497
3018
  },
498
3019
  "preferredMaintenanceWindow": {
499
- "description": "Q-ENHANCED-PROPERTY\nRequired preferred maintenance window for automated cluster maintenance operations. Specifies the weekly time range during which system maintenance can occur, minimizing impact on business operations and ensuring predictable maintenance scheduling.\n\nUse cases: Maintenance scheduling; Business continuity; Operational planning; Downtime management\n\nAWS: Amazon Redshift preferred maintenance window for automated system maintenance\n\nValidation: Must be valid time window format (e.g., 'Sun:23:45-Mon:00:15'); required; defines maintenance scheduling",
3020
+ "description": "Weekly maintenance window in ddd:hh24:mi-ddd:hh24:mi format (UTC).\nExample: 'Sun:23:45-Mon:00:15'.\n\nUse cases: Maintenance scheduling; Business continuity; Downtime management\n\nAWS: Redshift preferred maintenance window\n\nValidation: Required; valid time window format",
500
3021
  "type": "string"
501
3022
  },
3023
+ "publicAccessBlockManagedExternally": {
3024
+ "default": false,
3025
+ "description": "When true, omits the explicit blockPublicAccess setting on S3 buckets so CDK does not emit\na PutBucketPublicAccessBlock API call. Use when public access block is managed externally\n(e.g., by AWS account-level settings and/or SCPs that deny s3:PutBucketPublicAccessBlock).\n\nUse cases: SCP-restricted environments; Externally managed public access block;\nOrganizations enforcing account-level S3 Block Public Access\n\nAWS: S3 PutBucketPublicAccessBlock\n\nValidation: Optional; boolean; default false",
3026
+ "type": "boolean"
3027
+ },
502
3028
  "redshiftManageMasterPassword": {
503
3029
  "type": "boolean"
504
3030
  },
3031
+ "sagemakerBlueprint": {
3032
+ "$ref": "#/definitions/MdaaSageMakerCustomBluePrintConfig",
3033
+ "description": "Q-ENHANCED-PROPERTY\nOptional SageMaker blueprint configuration for governed self-service deployment enabling controlled infrastructure provisioning and governance. When specified, deploys the module as a SageMaker blueprint instead of direct deployment for governed access and compliance.\n\nUse cases: Governed deployment; Self-service provisioning; SageMaker integration; Controlled access\n\nAWS: SageMaker blueprint configuration for governed infrastructure deployment and self-service provisioning\n\nValidation: Must be valid MdaaServiceCatalogProductConfig if provided; enables SageMaker deployment mode"
3034
+ },
505
3035
  "scheduledActions": {
506
- "description": "Q-ENHANCED-PROPERTY\nOptional scheduled actions for automated cluster pause and resume operations enabling cost optimization and operational automation. Defines scheduled pause and resume actions for the cluster to optimize costs during non-business hours.\n\nUse cases: Cost optimization; Automated operations; Scheduled maintenance; Resource management\n\nAWS: Amazon Redshift scheduled actions for automated cluster pause and resume operations\n\nValidation: Must be array of valid ScheduledActionProps if provided; defines automated cluster operations",
3036
+ "description": "Scheduled actions for automated cluster pause/resume operations.\nEach action specifies a target action (pauseCluster/resumeCluster), cron schedule,\nand active time window.\n\nUse cases: Cost optimization via scheduled pause; Automated operations; Business-hours scheduling\n\nAWS: Redshift scheduled actions for cluster lifecycle management\n\nValidation: Optional; array of valid ScheduledActionProps",
507
3037
  "items": {
508
3038
  "$ref": "#/definitions/ScheduledActionProps"
509
3039
  },
@@ -511,7 +3041,7 @@
511
3041
  },
512
3042
  "securityGroupIngress": {
513
3043
  "additionalProperties": false,
514
- "description": "Q-ENHANCED-PROPERTY\nRequired security group ingress configuration defining allowed inbound connections to the cluster. Specifies IPv4 CIDR blocks and security group IDs that can connect to the cluster port for controlled network access.\n\nUse cases: Network access control; Client connectivity; Security group management\n\nAWS: Amazon VPC security group ingress rules for Redshift cluster access control\n\nValidation: Must be object with ipv4 and/or sg arrays; required; defines allowed inbound connections\n *",
3044
+ "description": "Security group ingress rules defining allowed inbound connections to the cluster port.\nSupports IPv4 CIDR blocks and security group references. All other traffic is blocked.\n\nUse cases: Network access control; Client connectivity; Security group management\n\nAWS: VPC security group ingress rules for Redshift cluster\n\nValidation: Required; object with optional ipv4 and/or sg arrays",
515
3045
  "properties": {
516
3046
  "ipv4": {
517
3047
  "items": {
@@ -533,33 +3063,36 @@
533
3063
  "description": "Q-ENHANCED-PROPERTY\nOptional Service Catalog product configuration for governed self-service deployment enabling controlled infrastructure provisioning and governance. When specified, deploys the module as a Service Catalog product instead of direct deployment for governed access and compliance.\n\nUse cases: Governed deployment; Self-service provisioning; Service Catalog integration; Controlled access\n\nAWS: Service Catalog product configuration for governed infrastructure deployment and self-service provisioning\n\nValidation: Must be valid MdaaServiceCatalogProductConfig if provided; enables Service Catalog deployment mode"
534
3064
  },
535
3065
  "snapshotIdentifier": {
536
- "description": "Q-ENHANCED-PROPERTY\nOptional snapshot identifier for cluster restoration from existing snapshot enabling disaster recovery and data migration. Specifies the snapshot ID to restore the cluster from, supporting disaster recovery scenarios and data migration operations.\n\nUse cases: Disaster recovery; Data migration; Cluster restoration; Backup recovery\n\nAWS: Amazon Redshift snapshot identifier for cluster restoration and disaster recovery\n\nValidation: Must be valid snapshot identifier if specified; only provide when restoring from snapshot",
3066
+ "description": "Snapshot identifier for cluster restoration. Only provide when restoring from an existing snapshot.\n\nUse cases: Disaster recovery; Data migration; Cluster restoration\n\nAWS: Redshift snapshot for cluster restoration\n\nValidation: Optional; valid snapshot identifier",
537
3067
  "type": "string"
538
3068
  },
539
3069
  "snapshotOwnerAccount": {
540
3070
  "description": "ownerAccount Refers to snapshot owner account. Applicable if restoring the cluster from snapshot and snapshot belongs to another account\nOptional - By default, snapshots are searched within current account",
541
- "type": "number"
3071
+ "type": [
3072
+ "string",
3073
+ "number"
3074
+ ]
542
3075
  },
543
3076
  "subnetIds": {
544
- "description": "Q-ENHANCED-PROPERTY\nRequired array of subnet IDs for Redshift cluster node placement within the VPC. Defines the network subnets where cluster nodes will be deployed for secure VPC connectivity and availability zone distribution.\n\nUse cases: VPC network placement; Subnet-specific deployment; Multi-AZ cluster distribution\n\nAWS: Amazon VPC subnets for Redshift cluster node placement and network configuration\n\nValidation: Must be array of valid subnet IDs; required; subnets must exist in specified VPC",
3077
+ "description": "Subnet IDs for Redshift cluster node placement. For automatic cluster relocation,\nspecify at least one subnet per AZ.\n\nUse cases: Multi-AZ placement; Subnet-specific deployment; Cluster relocation support\n\nAWS: VPC subnets for Redshift subnet group\n\nValidation: Required; array of valid subnet IDs in the specified VPC; must contain >= 3 subnets in different AZs when multiAz is true",
545
3078
  "items": {
546
3079
  "type": "string"
547
3080
  },
548
3081
  "type": "array"
549
3082
  },
550
3083
  "vpcId": {
551
- "description": "Q-ENHANCED-PROPERTY\nRequired VPC ID for Redshift cluster deployment providing network isolation and security controls. Ensures cluster operates within the specified VPC for secure networking and integration with other VPC resources.\n\nUse cases: VPC network isolation; Secure networking; VPC resource integration\n\nAWS: Amazon VPC for Redshift cluster network isolation and security controls\n\nValidation: Must be valid VPC ID; required; VPC must exist and be accessible",
3084
+ "description": "VPC ID for Redshift cluster deployment. The cluster is deployed within this VPC\nwith network access controlled by security groups.\n\nUse cases: Network isolation; VPC-based deployment; Secure networking\n\nAWS: VPC for Redshift cluster network configuration\n\nValidation: Required; valid VPC ID",
552
3085
  "type": "string"
553
3086
  },
554
3087
  "warehouseBucketUserRoles": {
555
- "description": "Q-ENHANCED-PROPERTY\nOptional array of user role references with access to data warehouse S3 buckets for data loading and unloading operations. Enables controlled access to warehouse storage resources for ETL operations and data management workflows.\n\nUse cases: Data loading operations; ETL workflow access; Controlled storage access\n\nAWS: AWS IAM roles with S3 bucket access for Redshift data operations\n\nValidation: Must be array of valid MdaaRoleRef objects if provided; roles receive bucket access permissions",
3088
+ "description": "Roles granted read/write access to the data warehouse S3 bucket for data loading/unloading.\n\nUse cases: ETL data loading; Data unloading operations; Bucket access for analytics\n\nAWS: IAM roles with S3 bucket access for Redshift data operations\n\nValidation: Optional; array of valid MdaaRoleRef",
556
3089
  "items": {
557
3090
  "$ref": "#/definitions/MdaaRoleRef"
558
3091
  },
559
3092
  "type": "array"
560
3093
  },
561
3094
  "workloadManagement": {
562
- "description": "Q-ENHANCED-PROPERTY\nOptional workload management configuration for query performance optimization and resource allocation. Defines WLM configuration elements for managing query queues, memory allocation, and concurrency for optimal cluster performance.\n\nUse cases: Query performance optimization; Resource allocation; Workload management; Concurrency control\n\nAWS: Amazon Redshift workload management configuration for query optimization and resource control\n\nValidation: Must be array of valid ConfigurationElement objects if provided; defines WLM configuration",
3095
+ "description": "Workload management (WLM) configuration for query queue management and resource allocation.\n\nUse cases: Query performance optimization; Concurrency control; Resource allocation\n\nAWS: Redshift WLM configuration\n\nValidation: Optional; array of valid ConfigurationElement",
563
3096
  "items": {
564
3097
  "additionalProperties": {},
565
3098
  "type": "object"