@pulumi/aws-native 1.28.0-alpha.1746164102 → 1.28.0-alpha.1746553623

package/types/output.d.ts

@@ -1717,6 +1717,10 @@ export declare namespace apigateway {
          */
         type?: enums.apigateway.DocumentationPartLocationType;
     }
+    /**
+     * The ``EndpointConfiguration`` property type specifies the endpoint types of an Amazon API Gateway domain name.
+     *  ``EndpointConfiguration`` is a property of the [AWS::ApiGateway::DomainName](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html) resource.
+     */
     interface DomainNameEndpointConfiguration {
         /**
          * The IP address types that can invoke this DomainName. Use `ipv4` to allow only IPv4 addresses to invoke this DomainName, or use `dualstack` to allow both IPv4 and IPv6 addresses to invoke this DomainName. For the `PRIVATE` endpoint type, only `dualstack` is supported.
@@ -1738,6 +1742,9 @@ export declare namespace apigateway {
         truststoreVersion?: string;
     }
     interface DomainNameV2EndpointConfiguration {
+        /**
+         * The IP address types that can invoke an API (RestApi) or a DomainName. Use `ipv4` to allow only IPv4 addresses to invoke an API or DomainName, or use `dualstack` to allow both IPv4 and IPv6 addresses to invoke an API or a DomainName. For the `PRIVATE` endpoint type, only `dualstack` is supported.
+         */
         ipAddressType?: string;
         /**
          * A list of endpoint types of an API (RestApi) or its custom domain name (DomainName). For an edge-optimized API and its custom domain name, the endpoint type is `"EDGE"` . For a regional API and its custom domain name, the endpoint type is `REGIONAL` . For a private API, the endpoint type is `PRIVATE` .
@@ -5905,7 +5912,7 @@ export declare namespace appsync {
     }
     /**
      * Use the ``PipelineConfig`` property type to specify ``PipelineConfig`` for an APSYlong resolver.
-     *   ``PipelineConfig`` is a property of the [AWS::AppSync::Resolver](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-resolver.html) resource.
+     *  ``PipelineConfig`` is a property of the [AWS::AppSync::Resolver](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-resolver.html) resource.
      */
     interface ResolverPipelineConfig {
         /**
@@ -5920,15 +5927,15 @@ export declare namespace appsync {
     interface ResolverSyncConfig {
         /**
          * The Conflict Detection strategy to use.
-         *   +   *VERSION*: Detect conflicts based on object versions for this resolver.
-         *   +   *NONE*: Do not detect conflicts when invoking this resolver.
+         *   +  *VERSION*: Detect conflicts based on object versions for this resolver.
+         *   +  *NONE*: Do not detect conflicts when invoking this resolver.
          */
         conflictDetection: string;
         /**
          * The Conflict Resolution strategy to perform in the event of a conflict.
-         *   +   *OPTIMISTIC_CONCURRENCY*: Resolve conflicts by rejecting mutations when versions don't match the latest version at the server.
-         *   +   *AUTOMERGE*: Resolve conflicts with the Automerge conflict resolution strategy.
-         *   +   *LAMBDA*: Resolve conflicts with an LAMlong function supplied in the ``LambdaConflictHandlerConfig``.
+         *   +  *OPTIMISTIC_CONCURRENCY*: Resolve conflicts by rejecting mutations when versions don't match the latest version at the server.
+         *   +  *AUTOMERGE*: Resolve conflicts with the Automerge conflict resolution strategy.
+         *   +  *LAMBDA*: Resolve conflicts with an LAMlong function supplied in the ``LambdaConflictHandlerConfig``.
          */
         conflictHandler?: string;
         /**
@@ -9915,6 +9922,9 @@ export declare namespace bedrock {
         types?: enums.bedrock.DataAutomationProjectAudioExtractionCategoryType[];
     }
     interface DataAutomationProjectAudioOverrideConfiguration {
+        /**
+         * Sets modality processing for audio files. All modalities are enabled by default.
+         */
         modalityProcessing?: outputs.bedrock.DataAutomationProjectModalityProcessingConfiguration;
     }
     interface DataAutomationProjectAudioStandardExtraction {
@@ -10001,6 +10011,9 @@ export declare namespace bedrock {
         types?: enums.bedrock.DataAutomationProjectDocumentOutputTextFormatType[];
     }
     interface DataAutomationProjectDocumentOverrideConfiguration {
+        /**
+         * Sets modality processing for document files. All modalities are enabled by default.
+         */
         modalityProcessing?: outputs.bedrock.DataAutomationProjectModalityProcessingConfiguration;
         /**
          * Whether document splitter is enabled for a project.
@@ -10054,6 +10067,9 @@ export declare namespace bedrock {
         types?: enums.bedrock.DataAutomationProjectImageExtractionCategoryType[];
     }
     interface DataAutomationProjectImageOverrideConfiguration {
+        /**
+         * Sets modality processing for image files. All modalities are enabled by default.
+         */
         modalityProcessing?: outputs.bedrock.DataAutomationProjectModalityProcessingConfiguration;
     }
     interface DataAutomationProjectImageStandardExtraction {
@@ -10087,28 +10103,55 @@ export declare namespace bedrock {
         generativeField?: outputs.bedrock.DataAutomationProjectImageStandardGenerativeField;
     }
     interface DataAutomationProjectModalityProcessingConfiguration {
+        /**
+         * Stores the state of the modality for your project, set to either enabled or disabled
+         */
         state?: enums.bedrock.DataAutomationProjectState;
     }
     /**
      * Modality routing configuration
      */
     interface DataAutomationProjectModalityRoutingConfiguration {
+        /**
+         * Sets whether JPEG files are routed to document or image processing.
+         */
         jpeg?: enums.bedrock.DataAutomationProjectDesiredModality;
+        /**
+         * Sets whether MOV files are routed to audio or video processing.
+         */
         mov?: enums.bedrock.DataAutomationProjectDesiredModality;
+        /**
+         * Sets whether MP4 files are routed to audio or video processing.
+         */
         mp4?: enums.bedrock.DataAutomationProjectDesiredModality;
+        /**
+         * Sets whether PNG files are routed to document or image processing.
+         */
         png?: enums.bedrock.DataAutomationProjectDesiredModality;
     }
     /**
      * Override configuration
      */
     interface DataAutomationProjectOverrideConfiguration {
+        /**
+         * This element declares whether your project will process audio files.
+         */
         audio?: outputs.bedrock.DataAutomationProjectAudioOverrideConfiguration;
         /**
          * Additional settings for a project.
          */
         document?: outputs.bedrock.DataAutomationProjectDocumentOverrideConfiguration;
+        /**
+         * This element declares whether your project will process image files.
+         */
         image?: outputs.bedrock.DataAutomationProjectImageOverrideConfiguration;
+        /**
+         * Lets you set which modalities certain file types are processed as.
+         */
         modalityRouting?: outputs.bedrock.DataAutomationProjectModalityRoutingConfiguration;
+        /**
+         * This element declares whether your project will process video files.
+         */
         video?: outputs.bedrock.DataAutomationProjectVideoOverrideConfiguration;
     }
     interface DataAutomationProjectSplitterConfiguration {
@@ -10155,6 +10198,9 @@ export declare namespace bedrock {
         types?: enums.bedrock.DataAutomationProjectVideoExtractionCategoryType[];
     }
     interface DataAutomationProjectVideoOverrideConfiguration {
+        /**
+         * Sets modality processing for video files. All modalities are enabled by default.
+         */
         modalityProcessing?: outputs.bedrock.DataAutomationProjectModalityProcessingConfiguration;
     }
     interface DataAutomationProjectVideoStandardExtraction {
@@ -14604,6 +14650,9 @@ export declare namespace cloudfront {
          * A comment to describe the distribution. The comment cannot be longer than 128 characters.
          */
         comment?: string;
+        /**
+         * The connection mode to filter distributions by.
+         */
         connectionMode?: enums.cloudfront.DistributionConnectionMode;
         /**
          * The identifier of a continuous deployment policy. For more information, see ``CreateContinuousDeploymentPolicy``.
@@ -14690,6 +14739,9 @@ export declare namespace cloudfront {
          * A Boolean that indicates whether this is a staging distribution. When this value is ``true``, this is a staging distribution. When this value is ``false``, this is not a staging distribution.
          */
         staging?: boolean;
+        /**
+         * A distribution tenant configuration.
+         */
         tenantConfig?: outputs.cloudfront.DistributionConfigTenantConfigProperties;
         /**
          * A complex type that determines the distribution's SSL/TLS configuration for communicating with viewers.
@@ -14701,6 +14753,9 @@ export declare namespace cloudfront {
          */
         webAclId?: string;
     }
+    /**
+     * A distribution tenant configuration.
+     */
     interface DistributionConfigTenantConfigProperties {
         parameterDefinitions?: outputs.cloudfront.DistributionParameterDefinition[];
     }
@@ -15244,9 +15299,18 @@ export declare namespace cloudfront {
         originShieldRegion?: string;
     }
     interface DistributionParameterDefinition {
+        /**
+         * The value that you assigned to the parameter.
+         */
         definition: outputs.cloudfront.DistributionParameterDefinitionDefinitionProperties;
+        /**
+         * The name of the parameter.
+         */
         name: string;
     }
+    /**
+     * The value that you assigned to the parameter.
+     */
     interface DistributionParameterDefinitionDefinitionProperties {
         stringSchema?: outputs.cloudfront.DistributionParameterDefinitionDefinitionPropertiesStringSchemaProperties;
     }
@@ -15294,32 +15358,84 @@ export declare namespace cloudfront {
         quantity: number;
     }
     interface DistributionTenantCertificate {
+        /**
+         * The Amazon Resource Name (ARN) of the ACM certificate.
+         */
         arn?: string;
     }
     interface DistributionTenantCustomizations {
+        /**
+         * The AWS Certificate Manager (ACM) certificate.
+         */
         certificate?: outputs.cloudfront.DistributionTenantCertificate;
+        /**
+         * The geographic restrictions.
+         */
         geoRestrictions?: outputs.cloudfront.DistributionTenantGeoRestrictionCustomization;
+        /**
+         * The AWS WAF web ACL.
+         */
         webAcl?: outputs.cloudfront.DistributionTenantWebAclCustomization;
     }
     interface DistributionTenantDomainResult {
+        /**
+         * The specified domain.
+         */
         domain?: string;
+        /**
+         * Whether the domain is active or inactive.
+         */
         status?: enums.cloudfront.DistributionTenantDomainResultStatus;
     }
     interface DistributionTenantGeoRestrictionCustomization {
+        /**
+         * The locations for geographic restrictions.
+         */
         locations?: string[];
+        /**
+         * The method that you want to use to restrict distribution of your content by country:
+         *
+         * - `none` : No geographic restriction is enabled, meaning access to content is not restricted by client geo location.
+         * - `blacklist` : The `Location` elements specify the countries in which you don't want CloudFront to distribute your content.
+         * - `whitelist` : The `Location` elements specify the countries in which you want CloudFront to distribute your content.
+         */
         restrictionType?: enums.cloudfront.DistributionTenantGeoRestrictionCustomizationRestrictionType;
     }
     interface DistributionTenantManagedCertificateRequest {
+        /**
+         * You can opt out of certificate transparency logging by specifying the `disabled` option. Opt in by specifying `enabled` . For more information, see [Certificate Transparency Logging](https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency) in the *AWS Certificate Manager User Guide* .
+         */
         certificateTransparencyLoggingPreference?: enums.cloudfront.DistributionTenantManagedCertificateRequestCertificateTransparencyLoggingPreference;
+        /**
+         * The primary domain name associated with the CloudFront managed ACM certificate.
+         */
         primaryDomainName?: string;
+        /**
+         * Specify how the HTTP validation token will be served when requesting the CloudFront managed ACM certificate.
+         *
+         * - For `cloudfront` , CloudFront will automatically serve the validation token. Choose this mode if you can point the domain's DNS to CloudFront immediately.
+         * - For `self-hosted` , you serve the validation token from your existing infrastructure. Choose this mode when you need to maintain current traffic flow while your certificate is being issued. You can place the validation token at the well-known path on your existing web server, wait for ACM to validate and issue the certificate, and then update your DNS to point to CloudFront.
+         */
         validationTokenHost?: enums.cloudfront.DistributionTenantManagedCertificateRequestValidationTokenHost;
     }
     interface DistributionTenantParameter {
+        /**
+         * The parameter name.
+         */
         name?: string;
+        /**
+         * The parameter value.
+         */
         value?: string;
     }
     interface DistributionTenantWebAclCustomization {
+        /**
+         * The action for the AWS WAF web ACL customization. You can specify `override` to specify a separate AWS WAF web ACL for the distribution tenant. If you specify `disable` , the distribution tenant won't have AWS WAF web ACL protections and won't inherit from the multi-tenant distribution.
+         */
         action?: enums.cloudfront.DistributionTenantWebAclCustomizationAction;
+        /**
+         * The Amazon Resource Name (ARN) of the AWS WAF web ACL.
+         */
         arn?: string;
     }
     /**
@@ -17244,6 +17360,16 @@ export declare namespace cognito {
          */
         userDataShared?: boolean;
     }
+    interface UserPoolClientRefreshTokenRotation {
+        /**
+         * The state of refresh token rotation for the current app client.
+         */
+        feature?: enums.cognito.UserPoolClientRefreshTokenRotationFeature;
+        /**
+         * When you request a token refresh with `GetTokensFromRefreshToken` , the original refresh token that you're rotating out can remain valid for a period of time of up to 60 seconds. This allows for client-side retries. When `RetryGracePeriodSeconds` is `0` , the grace period is disabled and a successful request immediately invalidates the submitted refresh token.
+         */
+        retryGracePeriodSeconds?: number;
+    }
     interface UserPoolClientTokenValidityUnits {
         /**
          * A time unit for the value that you set in the `AccessTokenValidity` parameter. The default `AccessTokenValidity` time unit is `hours` . `AccessTokenValidity` duration can range from five minutes to one day.
@@ -22167,6 +22293,11 @@ export declare namespace datazone {
          */
         value?: string;
     }
+    /**
+     * The properties of a domain unit's owner.
+     */
+    interface OwnerProperties {
+    }
     interface ProjectMembershipMember0Properties {
         userIdentifier: string;
     }
@@ -36659,6 +36790,10 @@ export declare namespace imagebuilder {
          * region
          */
         region: string;
+        /**
+         * The SSM parameter configurations to use for AMI distribution.
+         */
+        ssmParameterConfigurations?: outputs.imagebuilder.DistributionConfigurationSsmParameterConfiguration[];
     }
     /**
      * The Windows faster-launching configuration to use for AMI distribution.
@@ -36749,6 +36884,23 @@ export declare namespace imagebuilder {
          */
         setDefaultVersion?: boolean;
     }
+    /**
+     * The SSM parameter configuration for AMI distribution.
+     */
+    interface DistributionConfigurationSsmParameterConfiguration {
+        /**
+         * The account ID for the AMI to update the parameter with.
+         */
+        amiAccountId?: string;
+        /**
+         * The data type of the SSM parameter.
+         */
+        dataType?: enums.imagebuilder.DistributionConfigurationSsmParameterConfigurationDataType;
+        /**
+         * The name of the SSM parameter.
+         */
+        parameterName: string;
+    }
     /**
      * The destination repository for the container image.
      */
@@ -45736,7 +45888,7 @@ export declare namespace lambda {
         zipFile?: string;
     }
     /**
-     * The [dead-letter queue](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#dlq) for failed asynchronous invocations.
+     * The [dead-letter queue](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-dlq) for failed asynchronous invocations.
      */
     interface FunctionDeadLetterConfig {
         /**
@@ -45827,11 +45979,11 @@ export declare namespace lambda {
         runtimeVersionArn?: string;
         /**
          * Specify the runtime update mode.
-         *   +   *Auto (default)* - Automatically update to the most recent and secure runtime version using a [Two-phase runtime version rollout](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-two-phase). This is the best choice for most customers to ensure they always benefit from runtime updates.
-         *   +   *FunctionUpdate* - LAM updates the runtime of you function to the most recent and secure runtime version when you update your function. This approach synchronizes runtime updates with function deployments, giving you control over when runtime updates are applied and allowing you to detect and mitigate rare runtime update incompatibilities early. When using this setting, you need to regularly update your functions to keep their runtime up-to-date.
-         *   +   *Manual* - You specify a runtime version in your function configuration. The function will use this runtime version indefinitely. In the rare case where a new runtime version is incompatible with an existing function, this allows you to roll back your function to an earlier runtime version. For more information, see [Roll back a runtime version](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-rollback).
+         *   +  *Auto (default)* - Automatically update to the most recent and secure runtime version using a [Two-phase runtime version rollout](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-two-phase). This is the best choice for most customers to ensure they always benefit from runtime updates.
+         *   +  *FunctionUpdate* - LAM updates the runtime of you function to the most recent and secure runtime version when you update your function. This approach synchronizes runtime updates with function deployments, giving you control over when runtime updates are applied and allowing you to detect and mitigate rare runtime update incompatibilities early. When using this setting, you need to regularly update your functions to keep their runtime up-to-date.
+         *   +  *Manual* - You specify a runtime version in your function configuration. The function will use this runtime version indefinitely. In the rare case where a new runtime version is incompatible with an existing function, this allows you to roll back your function to an earlier runtime version. For more information, see [Roll back a runtime version](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-rollback).
          *
-         *   *Valid Values*: ``Auto`` | ``FunctionUpdate`` | ``Manual``
+         *  *Valid Values*: ``Auto`` | ``FunctionUpdate`` | ``Manual``
          */
         updateRuntimeOn: enums.lambda.FunctionRuntimeManagementConfigUpdateRuntimeOn;
     }
@@ -50862,6 +51014,15 @@ export declare namespace mediatailor {
          */
         type: enums.mediatailor.LiveSourceType;
     }
+    /**
+     * <p>The setting that indicates what conditioning MediaTailor will perform on ads that the ad decision server (ADS) returns.</p>
+     */
+    interface PlaybackConfigurationAdConditioningConfiguration {
+        /**
+         * For ads that have media files with streaming delivery and supported file extensions, indicates what transcoding action MediaTailor takes when it first receives these ads from the ADS. `TRANSCODE` indicates that MediaTailor must transcode the ads. `NONE` indicates that you have already transcoded the ads outside of MediaTailor and don't need them transcoded as part of the ad insertion workflow. For more information about ad conditioning see [Using preconditioned ads](https://docs.aws.amazon.com/mediatailor/latest/ug/precondition-ads.html) in the AWS Elemental MediaTailor user guide.
+         */
+        streamingMediaFileConditioning: enums.mediatailor.PlaybackConfigurationStreamingMediaFileConditioning;
+    }
     /**
      * For HLS, when set to true, MediaTailor passes through EXT-X-CUE-IN, EXT-X-CUE-OUT, and EXT-X-SPLICEPOINT-SCTE35 ad markers from the origin manifest to the MediaTailor personalized manifest. No logic is applied to these ad markers. For example, if EXT-X-CUE-OUT has a value of 60, but no ads are filled for that ad break, MediaTailor will not set the value to 0.
      */
@@ -52903,7 +53064,7 @@ export declare namespace nimblestudio {
 export declare namespace oam {
     interface LinkConfiguration {
         /**
-         * Use this structure to filter which log groups are to send log events from the source account to the monitoring account.
+         * Use this structure to filter which log groups are to share log events from this source account to the monitoring account.
          */
         logGroupConfiguration?: outputs.oam.LinkFilter;
         /**
@@ -52912,6 +53073,32 @@ export declare namespace oam {
         metricConfiguration?: outputs.oam.LinkFilter;
     }
     interface LinkFilter {
+        /**
+         * When used in `MetricConfiguration` this field specifies which metric namespaces are to be shared with the monitoring account
+         *
+         * When used in `LogGroupConfiguration` this field specifies which log groups are to share their log events with the monitoring account. Use the term `LogGroupName` and one or more of the following operands.
+         *
+         * Use single quotation marks (') around log group names and metric namespaces.
+         *
+         * The matching of log group names and metric namespaces is case sensitive. Each filter has a limit of five conditional operands. Conditional operands are `AND` and `OR` .
+         *
+         * - `=` and `!=`
+         * - `AND`
+         * - `OR`
+         * - `LIKE` and `NOT LIKE` . These can be used only as prefix searches. Include a `%` at the end of the string that you want to search for and include.
+         * - `IN` and `NOT IN` , using parentheses `( )`
+         *
+         * Examples:
+         *
+         * - `Namespace NOT LIKE 'AWS/%'` includes only namespaces that don't start with `AWS/` , such as custom namespaces.
+         * - `Namespace IN ('AWS/EC2', 'AWS/ELB', 'AWS/S3')` includes only the metrics in the EC2, Elastic Load Balancing , and Amazon S3 namespaces.
+         * - `Namespace = 'AWS/EC2' OR Namespace NOT LIKE 'AWS/%'` includes only the EC2 namespace and your custom namespaces.
+         * - `LogGroupName IN ('This-Log-Group', 'Other-Log-Group')` includes only the log groups with names `This-Log-Group` and `Other-Log-Group` .
+         * - `LogGroupName NOT IN ('Private-Log-Group', 'Private-Log-Group-2')` includes all log groups except the log groups with names `Private-Log-Group` and `Private-Log-Group-2` .
+         * - `LogGroupName LIKE 'aws/lambda/%' OR LogGroupName LIKE 'AWSLogs%'` includes all log groups that have names that start with `aws/lambda/` or `AWSLogs` .
+         *
+         * > If you are updating a link that uses filters, you can specify `*` as the only value for the `filter` parameter to delete the filter and share all log groups with the monitoring account.
+         */
         filter: string;
     }
 }
@@ -55808,7 +55995,7 @@ export declare namespace qbusiness {
          */
         invocationCondition?: outputs.qbusiness.DataSourceDocumentAttributeCondition;
         /**
-         * The Amazon Resource Name (ARN) of the Lambda function during ingestion. For more information, see [Using Lambda functions for Amazon Q Business document enrichment](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/cde-lambda-operations.html) .
+         * The Amazon Resource Name (ARN) of the Lambda function sduring ingestion. For more information, see [Using Lambda functions for Amazon Q Business document enrichment](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/cde-lambda-operations.html) .
          */
         lambdaArn?: string;
         /**
@@ -86510,7 +86697,7 @@ export declare namespace s3 {
         allowedHeaders?: string[];
         /**
          * An HTTP method that you allow the origin to run.
-         *   *Allowed values*: ``GET`` | ``PUT`` | ``HEAD`` | ``POST`` | ``DELETE``
+         *  *Allowed values*: ``GET`` | ``PUT`` | ``HEAD`` | ``POST`` | ``DELETE``
          */
         allowedMethods: enums.s3.BucketCorsRuleAllowedMethodsItem[];
         /**
@@ -86563,7 +86750,7 @@ export declare namespace s3 {
         years?: number;
     }
     /**
-     * Specifies whether Amazon S3 replicates delete markers. If you specify a ``Filter`` in your replication configuration, you must also include a ``DeleteMarkerReplication`` element. If your ``Filter`` includes a ``Tag`` element, the ``DeleteMarkerReplication`` ``Status`` must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-config-min-rule-config).
+     * Specifies whether Amazon S3 replicates delete markers. If you specify a ``Filter`` in your replication configuration, you must also include a ``DeleteMarkerReplication`` element. If your ``Filter`` includes a ``Tag`` element, the ``DeleteMarkerReplication````Status`` must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-config-min-rule-config).
      *  For more information about delete marker replication, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/delete-marker-replication.html).
      *   If you are using an earlier version of the replication configuration, Amazon S3 handles replication of delete markers differently. For more information, see [Backward Compatibility](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-backward-compat-considerations).
      */
@@ -86588,7 +86775,7 @@ export declare namespace s3 {
         bucketArn: string;
         /**
          * Specifies the file format used when exporting data to Amazon S3.
-         *   *Allowed values*: ``CSV`` | ``ORC`` | ``Parquet``
+         *  *Allowed values*: ``CSV`` | ``ORC`` | ``Parquet``
          */
         format: enums.s3.BucketDestinationFormat;
         /**
@@ -86726,8 +86913,8 @@ export declare namespace s3 {
         /**
          * Indicates which default minimum object size behavior is applied to the lifecycle configuration.
          *   This parameter applies to general purpose buckets only. It isn't supported for directory bucket lifecycle configurations.
-         *    +   ``all_storage_classes_128K`` - Objects smaller than 128 KB will not transition to any storage class by default.
-         *   +   ``varies_by_storage_class`` - Objects smaller than 128 KB will transition to Glacier Flexible Retrieval or Glacier Deep Archive storage classes. By default, all other storage classes will prevent transitions smaller than 128 KB.
+         *    +  ``all_storage_classes_128K`` - Objects smaller than 128 KB will not transition to any storage class by default.
+         *   +  ``varies_by_storage_class`` - Objects smaller than 128 KB will transition to Glacier Flexible Retrieval or Glacier Deep Archive storage classes. By default, all other storage classes will prevent transitions smaller than 128 KB.
          *
          *  To customize the minimum object size for any transition you can add a filter that specifies a custom ``ObjectSizeGreaterThan`` or ``ObjectSizeLessThan`` in the body of your transition rule. Custom filters always take precedence over the default transition behavior.
          */
@@ -86992,7 +87179,7 @@ export declare namespace s3 {
     interface BucketReplicaModifications {
         /**
          * Specifies whether Amazon S3 replicates modifications on replicas.
-         *   *Allowed values*: ``Enabled`` | ``Disabled``
+         *  *Allowed values*: ``Enabled`` | ``Disabled``
          */
         status: enums.s3.BucketReplicaModificationsStatus;
     }
@@ -87049,7 +87236,7 @@ export declare namespace s3 {
      */
     interface BucketReplicationRule {
         /**
-         * Specifies whether Amazon S3 replicates delete markers. If you specify a ``Filter`` in your replication configuration, you must also include a ``DeleteMarkerReplication`` element. If your ``Filter`` includes a ``Tag`` element, the ``DeleteMarkerReplication`` ``Status`` must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-config-min-rule-config).
+         * Specifies whether Amazon S3 replicates delete markers. If you specify a ``Filter`` in your replication configuration, you must also include a ``DeleteMarkerReplication`` element. If your ``Filter`` includes a ``Tag`` element, the ``DeleteMarkerReplication````Status`` must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-config-min-rule-config).
          *  For more information about delete marker replication, see [Basic Rule Configuration](https://docs.aws.amazon.com/AmazonS3/latest/dev/delete-marker-replication.html).
          *   If you are using an earlier version of the replication configuration, Amazon S3 handles replication of delete markers differently. For more information, see [Backward Compatibility](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-backward-compat-considerations).
          */
@@ -87278,15 +87465,15 @@ export declare namespace s3 {
     }
     /**
      * Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html).
-     *    +   *General purpose buckets* - If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key (``aws/s3``) in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
-     *   +   *Directory buckets* - Your SSE-KMS configuration can only support 1 [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) per directory bucket's lifetime. The [managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) (``aws/s3``) isn't supported.
-     *   +   *Directory buckets* - For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS.
+     *    +  *General purpose buckets* - If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key (``aws/s3``) in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
+     *   +  *Directory buckets* - Your SSE-KMS configuration can only support 1 [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) per directory bucket's lifetime. The [managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) (``aws/s3``) isn't supported.
+     *   +  *Directory buckets* - For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS.
      */
     interface BucketServerSideEncryptionByDefault {
         /**
          * AWS Key Management Service (KMS) customer managed key ID to use for the default encryption.
-         *    +   *General purpose buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse``.
-         *   +   *Directory buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms``.
+         *    +  *General purpose buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse``.
+         *   +  *Directory buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms``.
          *
          *   You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.
          *   +  Key ID: ``1234abcd-12ab-34cd-56ef-1234567890ab``
@@ -87294,8 +87481,8 @@ export declare namespace s3 {
          *   +  Key Alias: ``alias/alias-name``
          *
          *  If you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy).
-         *    +   *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
-         *   +   *Directory buckets* - When you specify an [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
+         *    +  *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
+         *   +  *Directory buckets* - When you specify an [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
          *
          *    Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *Key Management Service Developer Guide*.
          */
@@ -87308,8 +87495,8 @@ export declare namespace s3 {
     }
     /**
      * Specifies the default server-side encryption configuration.
-     *    +   *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
-     *   +   *Directory buckets* - When you specify an [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
+     *    +  *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
+     *   +  *Directory buckets* - When you specify an [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
      */
     interface BucketServerSideEncryptionRule {
         /**
@@ -92750,7 +92937,7 @@ export declare namespace secretsmanager {
     }
     /**
      * Generates a random password. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
-     *   *Required permissions:* ``secretsmanager:GetRandomPassword``. For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).
+     *  *Required permissions:*``secretsmanager:GetRandomPassword``. For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).
      */
     interface SecretGenerateSecretString {
         /**
@@ -95268,6 +95455,37 @@ export declare namespace ssmcontacts {
         handOffTime: string;
     }
 }
+export declare namespace ssmguiconnect {
+    /**
+     * The set of preferences used for recording RDP connections in the requesting AWS account and AWS Region. This includes details such as which S3 bucket recordings are stored in.
+     */
+    interface ConnectionRecordingPreferencesProperties {
+        /**
+         * The ARN of a AWS KMS key that is used to encrypt data while it is being processed by the service. This key must exist in the same AWS Region as the node you start an RDP connection to.
+         */
+        kmsKeyArn: string;
+        /**
+         * Determines where recordings of RDP connections are stored.
+         */
+        recordingDestinations: outputs.ssmguiconnect.PreferencesRecordingDestinations;
+    }
+    /**
+     * Determines where recordings of RDP connections are stored.
+     */
+    interface PreferencesRecordingDestinations {
+        /**
+         * The S3 bucket where RDP connection recordings are stored.
+         */
+        s3Buckets: outputs.ssmguiconnect.PreferencesS3Bucket[];
+    }
+    /**
+     * The S3 bucket where RDP connection recordings are stored.
+     */
+    interface PreferencesS3Bucket {
+        bucketName: string;
+        bucketOwner: string;
+    }
+}
 export declare namespace ssmincidents {
     /**
      * The ReplicationSet regional configuration.

package/types/output.js.map

@@ -1 +1 @@
-{"version":3,"file":"output.js","sourceRoot":"","sources":["../../types/output.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AA+nlBjF,IAAiB,MAAM,CAgHtB;AAhHD,WAAiB,MAAM;IAoDnB;;OAEG;IACH,SAAgB,yBAAyB,CAAC,GAAe;;QACrD,uCACO,GAAG,KACN,qBAAqB,EAAE,MAAA,CAAC,GAAG,CAAC,qBAAqB,CAAC,mCAAI,CAAC,IACzD;IACN,CAAC;IALe,gCAAyB,4BAKxC,CAAA;AAoDL,CAAC,EAhHgB,MAAM,GAAN,cAAM,KAAN,cAAM,QAgHtB"}
+{"version":3,"file":"output.js","sourceRoot":"","sources":["../../types/output.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AA8vlBjF,IAAiB,MAAM,CAgHtB;AAhHD,WAAiB,MAAM;IAoDnB;;OAEG;IACH,SAAgB,yBAAyB,CAAC,GAAe;;QACrD,uCACO,GAAG,KACN,qBAAqB,EAAE,MAAA,CAAC,GAAG,CAAC,qBAAqB,CAAC,mCAAI,CAAC,IACzD;IACN,CAAC;IALe,gCAAyB,4BAKxC,CAAA;AAoDL,CAAC,EAhHgB,MAAM,GAAN,cAAM,KAAN,cAAM,QAgHtB"}

package/verifiedpermissions/getPolicyStore.d.ts

@@ -27,6 +27,10 @@ export interface GetPolicyStoreResult {
      * Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
      */
     readonly schema?: outputs.verifiedpermissions.PolicyStoreSchemaDefinition;
+    /**
+     * The tags to add to the policy store
+     */
+    readonly tags?: outputs.Tag[];
     /**
      * Specifies the validation setting for this policy store.
      *

package/verifiedpermissions/getPolicyStore.js.map

@@ -1 +1 @@
-{"version":3,"file":"getPolicyStore.js","sourceRoot":"","sources":["../../verifiedpermissions/getPolicyStore.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAE1C;;GAEG;AACH,SAAgB,cAAc,CAAC,IAAwB,EAAE,IAA2B;IAChF,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,+CAA+C,EAAE;QAC1E,eAAe,EAAE,IAAI,CAAC,aAAa;KACtC,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AALD,wCAKC;AAmCD;;GAEG;AACH,SAAgB,oBAAoB,CAAC,IAA8B,EAAE,IAAiC;IAClG,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,+CAA+C,EAAE;QAChF,eAAe,EAAE,IAAI,CAAC,aAAa;KACtC,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AALD,oDAKC"}
+{"version":3,"file":"getPolicyStore.js","sourceRoot":"","sources":["../../verifiedpermissions/getPolicyStore.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAE1C;;GAEG;AACH,SAAgB,cAAc,CAAC,IAAwB,EAAE,IAA2B;IAChF,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,+CAA+C,EAAE;QAC1E,eAAe,EAAE,IAAI,CAAC,aAAa;KACtC,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AALD,wCAKC;AAuCD;;GAEG;AACH,SAAgB,oBAAoB,CAAC,IAA8B,EAAE,IAAiC;IAClG,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,+CAA+C,EAAE;QAChF,eAAe,EAAE,IAAI,CAAC,aAAa;KACtC,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AALD,oDAKC"}

package/verifiedpermissions/policyStore.d.ts

@@ -53,6 +53,10 @@ export declare class PolicyStore extends pulumi.CustomResource {
      * Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
      */
     readonly schema: pulumi.Output<outputs.verifiedpermissions.PolicyStoreSchemaDefinition | undefined>;
+    /**
+     * The tags to add to the policy store
+     */
+    readonly tags: pulumi.Output<outputs.Tag[] | undefined>;
     /**
      * Specifies the validation setting for this policy store.
      *
@@ -82,6 +86,10 @@ export interface PolicyStoreArgs {
      * Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
      */
     schema?: pulumi.Input<inputs.verifiedpermissions.PolicyStoreSchemaDefinitionArgs>;
+    /**
+     * The tags to add to the policy store
+     */
+    tags?: pulumi.Input<pulumi.Input<inputs.TagArgs>[]>;
     /**
      * Specifies the validation setting for this policy store.
      *