@pulumi/aws 7.13.0-alpha.1764608791 → 7.13.0-alpha.1765285722

package/types/input.d.ts

@@ -230,6 +230,10 @@ export interface ProviderEndpoint {
      * Use this to override the default service endpoint URL
      */
     arcregionswitch?: pulumi.Input<string>;
+    /**
+     * Use this to override the default service endpoint URL
+     */
+    arczonalshift?: pulumi.Input<string>;
     /**
      * Use this to override the default service endpoint URL
      */
@@ -854,10 +858,6 @@ export interface ProviderEndpoint {
      * Use this to override the default service endpoint URL
      */
     logs?: pulumi.Input<string>;
-    /**
-     * Use this to override the default service endpoint URL
-     */
-    lookoutmetrics?: pulumi.Input<string>;
     /**
      * Use this to override the default service endpoint URL
      */
@@ -918,6 +918,10 @@ export interface ProviderEndpoint {
      * Use this to override the default service endpoint URL
      */
     mwaa?: pulumi.Input<string>;
+    /**
+     * Use this to override the default service endpoint URL
+     */
+    mwaaserverless?: pulumi.Input<string>;
     /**
      * Use this to override the default service endpoint URL
      */
@@ -1054,6 +1058,14 @@ export interface ProviderEndpoint {
      * Use this to override the default service endpoint URL
      */
     rds?: pulumi.Input<string>;
+    /**
+     * Use this to override the default service endpoint URL
+     */
+    rdsdata?: pulumi.Input<string>;
+    /**
+     * Use this to override the default service endpoint URL
+     */
+    rdsdataservice?: pulumi.Input<string>;
     /**
      * Use this to override the default service endpoint URL
      */
@@ -1641,6 +1653,10 @@ export declare namespace alb {
          * Configuration block for creating an action that distributes requests among one or more target groups. Specify only if `type` is `forward`. See below.
          */
         forward?: pulumi.Input<inputs.alb.ListenerDefaultActionForward>;
+        /**
+         * Configuration block for creating a JWT validation action. Required if `type` is `jwt-validation`.
+         */
+        jwtValidation?: pulumi.Input<inputs.alb.ListenerDefaultActionJwtValidation>;
         /**
          * Order for the action. The action with the lowest value for order is performed first. Valid values are between `1` and `50000`. Defaults to the position in the list of actions.
          */
@@ -1654,7 +1670,7 @@ export declare namespace alb {
          */
         targetGroupArn?: pulumi.Input<string>;
         /**
-         * Type of routing action. Valid values are `forward`, `redirect`, `fixed-response`, `authenticate-cognito` and `authenticate-oidc`.
+         * Type of routing action. Valid values are `forward`, `redirect`, `fixed-response`, `authenticate-cognito`, `authenticate-oidc` and `jwt-validation`.
          *
          * The following arguments are optional:
          */
@@ -1800,6 +1816,36 @@ export declare namespace alb {
          */
         weight?: pulumi.Input<number>;
     }
+    interface ListenerDefaultActionJwtValidation {
+        /**
+         * Repeatable configuration block for additional claims to validate.
+         */
+        additionalClaims?: pulumi.Input<pulumi.Input<inputs.alb.ListenerDefaultActionJwtValidationAdditionalClaim>[]>;
+        /**
+         * Issuer of the JWT.
+         */
+        issuer: pulumi.Input<string>;
+        /**
+         * JSON Web Key Set (JWKS) endpoint. This endpoint contains JSON Web Keys (JWK) that are used to validate signatures from the provider. This must be a full URL, including the HTTPS protocol, the domain, and the path.
+         *
+         * The following arguments are optional:
+         */
+        jwksEndpoint: pulumi.Input<string>;
+    }
+    interface ListenerDefaultActionJwtValidationAdditionalClaim {
+        /**
+         * Format of the claim value. Valid values are `single-string`, `string-array` and `space-separated-values`.
+         */
+        format: pulumi.Input<string>;
+        /**
+         * Name of the claim to validate. `exp`, `iss`, `nbf`, or `iat` cannot be specified because they are validated by default.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * List of expected values of the claim.
+         */
+        values: pulumi.Input<pulumi.Input<string>[]>;
+    }
     interface ListenerDefaultActionRedirect {
         /**
          * Hostname. This component is not percent-encoded. The hostname can contain `#{host}`. Defaults to `#{host}`.
@@ -1866,6 +1912,10 @@ export declare namespace alb {
          * Cannot be specified with `targetGroupArn`.
          */
         forward?: pulumi.Input<inputs.alb.ListenerRuleActionForward>;
+        /**
+         * Information for creating a JWT validation action. Required if `type` is `jwt-validation`.
+         */
+        jwtValidation?: pulumi.Input<inputs.alb.ListenerRuleActionJwtValidation>;
         /**
          * Order for the action.
          * The action with the lowest value for order is performed first.
@@ -1885,7 +1935,7 @@ export declare namespace alb {
          */
         targetGroupArn?: pulumi.Input<string>;
         /**
-         * The type of routing action. Valid values are `forward`, `redirect`, `fixed-response`, `authenticate-cognito` and `authenticate-oidc`.
+         * The type of routing action. Valid values are `forward`, `redirect`, `fixed-response`, `authenticate-cognito`, `authenticate-oidc` and `jwt-validation`.
          */
         type: pulumi.Input<string>;
     }
@@ -2017,6 +2067,34 @@ export declare namespace alb {
          */
         weight?: pulumi.Input<number>;
     }
+    interface ListenerRuleActionJwtValidation {
+        /**
+         * Repeatable configuration block for additional claims to validate.
+         */
+        additionalClaims?: pulumi.Input<pulumi.Input<inputs.alb.ListenerRuleActionJwtValidationAdditionalClaim>[]>;
+        /**
+         * Issuer of the JWT.
+         */
+        issuer: pulumi.Input<string>;
+        /**
+         * JSON Web Key Set (JWKS) endpoint. This endpoint contains JSON Web Keys (JWK) that are used to validate signatures from the provider. This must be a full URL, including the HTTPS protocol, the domain, and the path.
+         */
+        jwksEndpoint: pulumi.Input<string>;
+    }
+    interface ListenerRuleActionJwtValidationAdditionalClaim {
+        /**
+         * Format of the claim value. Valid values are `single-string`, `string-array` and `space-separated-values`.
+         */
+        format: pulumi.Input<string>;
+        /**
+         * Name of the claim to validate. `exp`, `iss`, `nbf`, or `iat` cannot be specified because they are validated by default.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * List of expected values of the claim.
+         */
+        values: pulumi.Input<pulumi.Input<string>[]>;
+    }
     interface ListenerRuleActionRedirect {
         /**
          * The hostname. This component is not percent-encoded. The hostname can contain `#{host}`. Defaults to `#{host}`.
@@ -2195,6 +2273,20 @@ export declare namespace alb {
          */
         prefix?: pulumi.Input<string>;
     }
+    interface LoadBalancerHealthCheckLogs {
+        /**
+         * S3 bucket name to store the logs in.
+         */
+        bucket: pulumi.Input<string>;
+        /**
+         * Boolean to enable / disable `healthCheckLogs`. Defaults to `false`, even when `bucket` is specified.
+         */
+        enabled?: pulumi.Input<boolean>;
+        /**
+         * S3 bucket prefix. Logs are stored in the root if not configured.
+         */
+        prefix?: pulumi.Input<string>;
+    }
     interface LoadBalancerIpamPools {
         /**
          * The ID of the IPv4 IPAM pool.
@@ -2360,7 +2452,7 @@ export declare namespace amp {
     }
     interface QueryLoggingConfigurationDestinationCloudwatchLogs {
         /**
-         * The ARN of the CloudWatch log group to which query logs will be sent.
+         * The ARN of the CloudWatch log group to which query logs will be sent. The ARN must end with `:*`
          */
         logGroupArn: pulumi.Input<string>;
     }
@@ -2481,7 +2573,7 @@ export declare namespace amp {
     }
     interface WorkspaceLoggingConfiguration {
         /**
-         * The ARN of the CloudWatch log group to which the vended log data will be published. This log group must exist.
+         * The ARN of the CloudWatch log group to which the vended log data will be published. This log group must exist. The ARN must end with `:*`
          */
         logGroupArn: pulumi.Input<string>;
     }
@@ -8205,6 +8297,10 @@ export declare namespace athena {
          * Configuration block to set up an IAM Identity Center enabled workgroup. See Identity Center Configuration below.
          */
         identityCenterConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationIdentityCenterConfiguration>;
+        /**
+         * Configuration block for storing results in Athena owned storage. See Managed Query Results Configuration below.
+         */
+        managedQueryResultsConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationManagedQueryResultsConfiguration>;
         /**
          * Boolean whether Amazon CloudWatch metrics are enabled for the workgroup. Defaults to `true`.
          */
@@ -8238,6 +8334,22 @@ export declare namespace athena {
          */
         identityCenterInstanceArn?: pulumi.Input<string>;
     }
+    interface WorkgroupConfigurationManagedQueryResultsConfiguration {
+        /**
+         * If set to `true`, allows you to store query results in Athena owned storage. If set to `false`, workgroup member stores query results in the location specified under `result_configuration.output_location`. The default is `false`. A workgroup cannot have the `result_configuration.output_location` set when this is `true`.
+         */
+        enabled?: pulumi.Input<boolean>;
+        /**
+         * Configuration block for the encryption configuration. See Managed Query Results Encryption Configuration below.
+         */
+        encryptionConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationManagedQueryResultsConfigurationEncryptionConfiguration>;
+    }
+    interface WorkgroupConfigurationManagedQueryResultsConfigurationEncryptionConfiguration {
+        /**
+         * KMS key ARN for encrypting managed query results.
+         */
+        kmsKey?: pulumi.Input<string>;
+    }
     interface WorkgroupConfigurationResultConfiguration {
         /**
          * That an Amazon S3 canned ACL should be set to control ownership of stored query results. See ACL Configuration below.
@@ -9614,6 +9726,10 @@ export declare namespace backup {
          * An display name for a backup rule.
          */
         ruleName: pulumi.Input<string>;
+        /**
+         * Block for scanning configuration for the backup rule and includes the malware scanner, and scan mode of either full or incremental.
+         */
+        scanActions?: pulumi.Input<pulumi.Input<inputs.backup.PlanRuleScanAction>[]>;
         /**
          * A CRON expression specifying when AWS Backup initiates a backup job.
          */
@@ -9626,6 +9742,10 @@ export declare namespace backup {
          * The amount of time in minutes before beginning a backup.
          */
         startWindow?: pulumi.Input<number>;
+        /**
+         * The ARN of a logically air-gapped vault. ARN must be in the same account and region. If provided, supported fully managed resources back up directly to logically air-gapped vault, while other supported resources create a temporary (billable) snapshot in backup vault, then copy it to logically air-gapped vault. Unsupported resources only back up to the specified backup vault.
+         */
+        targetLogicallyAirGappedBackupVaultArn?: pulumi.Input<string>;
         /**
          * The name of a logical container where backups are stored.
          */
@@ -9669,6 +9789,30 @@ export declare namespace backup {
          */
         optInToArchiveForSupportedResources?: pulumi.Input<boolean>;
     }
+    interface PlanRuleScanAction {
+        /**
+         * Malware scanner to use for the scan action. Currently only `GUARDDUTY` is supported.
+         */
+        malwareScanner: pulumi.Input<string>;
+        /**
+         * Scanning mode to use for the scan action. Valid values are `FULL_SCAN` and `INCREMENTAL_SCAN`.
+         */
+        scanMode: pulumi.Input<string>;
+    }
+    interface PlanScanSetting {
+        /**
+         * Malware scanner to use for the scan setting. Currently only `GUARDDUTY` is supported.
+         */
+        malwareScanner: pulumi.Input<string>;
+        /**
+         * List of resource types to apply the scan setting to. Valid values are `EBS`, `EC2`, `S3` and `ALL`.
+         */
+        resourceTypes: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * ARN of the IAM role that AWS Backup uses to scan resources. See [the AWS documentation](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-backup-iam-permissions.html) for details.
+         */
+        scannerRoleArn: pulumi.Input<string>;
+    }
     interface ReportPlanReportDeliveryChannel {
         /**
          * A list of the format of your reports: CSV, JSON, or both. If not specified, the default format is CSV.
@@ -11700,6 +11844,10 @@ export declare namespace bedrock {
         tableName: pulumi.Input<string>;
     }
     interface AgentKnowledgeBaseStorageConfigurationRdsConfigurationFieldMapping {
+        /**
+         * Name for the universal metadata field where Amazon Bedrock will store any custom metadata from your data source.
+         */
+        customMetadataField?: pulumi.Input<string>;
         /**
          * Name of the field in which Amazon Bedrock stores metadata about the vector store.
          */
@@ -12003,10 +12151,48 @@ export declare namespace bedrock {
     }
     interface AgentcoreAgentRuntimeAgentRuntimeArtifact {
         /**
-         * Container configuration block. See `containerConfiguration` below.
+         * Code configuration block for the agent runtime artifact, including the source code location and execution settings. Exactly one of `codeConfiguration` or `containerConfiguration` must be specified. See `codeConfiguration` below.
+         */
+        codeConfiguration?: pulumi.Input<inputs.bedrock.AgentcoreAgentRuntimeAgentRuntimeArtifactCodeConfiguration>;
+        /**
+         * Container configuration block for the agent artifact. Exactly one of `codeConfiguration` or `containerConfiguration` must be specified. See `containerConfiguration` below.
          */
         containerConfiguration?: pulumi.Input<inputs.bedrock.AgentcoreAgentRuntimeAgentRuntimeArtifactContainerConfiguration>;
     }
+    interface AgentcoreAgentRuntimeAgentRuntimeArtifactCodeConfiguration {
+        /**
+         * Configuration block for the source code location and configuration details. See `code` below.
+         */
+        code?: pulumi.Input<inputs.bedrock.AgentcoreAgentRuntimeAgentRuntimeArtifactCodeConfigurationCode>;
+        /**
+         * Array specifying the entry point for code execution, indicating the function or method to invoke when the code runs. The array must contain 1 or 2 elements. Examples: `["main.py"]`, `["opentelemetry-instrument", "main.py"]`.
+         */
+        entryPoints: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Runtime environment used to execute the code. Valid values: `PYTHON_3_10`, `PYTHON_3_11`, `PYTHON_3_12`, `PYTHON_3_13`.
+         */
+        runtime: pulumi.Input<string>;
+    }
+    interface AgentcoreAgentRuntimeAgentRuntimeArtifactCodeConfigurationCode {
+        /**
+         * Configuration block for the Amazon S3 object that contains the source code for the agent runtime. See `s3` below.
+         */
+        s3?: pulumi.Input<inputs.bedrock.AgentcoreAgentRuntimeAgentRuntimeArtifactCodeConfigurationCodeS3>;
+    }
+    interface AgentcoreAgentRuntimeAgentRuntimeArtifactCodeConfigurationCodeS3 {
+        /**
+         * Name of the Amazon S3 bucket.
+         */
+        bucket: pulumi.Input<string>;
+        /**
+         * Key of the object containing the ZIP file of the source code for the agent runtime in the Amazon S3 bucket.
+         */
+        prefix: pulumi.Input<string>;
+        /**
+         * Version ID of the Amazon S3 object. If not specified, the latest version of the object is used.
+         */
+        versionId?: pulumi.Input<string>;
+    }
     interface AgentcoreAgentRuntimeAgentRuntimeArtifactContainerConfiguration {
         /**
          * URI of the container image in Amazon ECR.
@@ -12215,6 +12401,38 @@ export declare namespace bedrock {
          */
         discoveryUrl: pulumi.Input<string>;
     }
+    interface AgentcoreGatewayInterceptorConfiguration {
+        /**
+         * Input configuration for the interceptor. See `inputConfiguration` below.
+         */
+        inputConfiguration?: pulumi.Input<inputs.bedrock.AgentcoreGatewayInterceptorConfigurationInputConfiguration>;
+        /**
+         * Set of interception points. Valid values: `REQUEST`, `RESPONSE`.
+         */
+        interceptionPoints: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Interceptor infrastructure configuration. See `interceptor` below.
+         */
+        interceptor?: pulumi.Input<inputs.bedrock.AgentcoreGatewayInterceptorConfigurationInterceptor>;
+    }
+    interface AgentcoreGatewayInterceptorConfigurationInputConfiguration {
+        /**
+         * Whether to pass request headers to the interceptor.
+         */
+        passRequestHeaders: pulumi.Input<boolean>;
+    }
+    interface AgentcoreGatewayInterceptorConfigurationInterceptor {
+        /**
+         * Lambda function configuration for the interceptor. See `lambda` below.
+         */
+        lambda?: pulumi.Input<inputs.bedrock.AgentcoreGatewayInterceptorConfigurationInterceptorLambda>;
+    }
+    interface AgentcoreGatewayInterceptorConfigurationInterceptorLambda {
+        /**
+         * ARN of the Lambda function to invoke for the interceptor.
+         */
+        arn: pulumi.Input<string>;
+    }
     interface AgentcoreGatewayProtocolConfiguration {
         /**
          * Model Context Protocol (MCP) configuration block. See `mcp` below.
@@ -13337,11 +13555,35 @@ export declare namespace bedrock {
     }
     interface GuardrailContentPolicyConfigFiltersConfig {
         /**
-         * Strength for filters.
+         * Action to take when harmful content is detected. Valid values: `BLOCK`, `NONE`.
+         */
+        inputAction?: pulumi.Input<string>;
+        /**
+         * Toggles guardrail evaluation on input.
+         */
+        inputEnabled?: pulumi.Input<boolean>;
+        /**
+         * List of selected input modalities. Valid values: `IMAGE`, `TEXT`.
+         */
+        inputModalities?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Strength for filters. Valid values: `NONE`, `LOW`, `MEDIUM`, `HIGH`.
          */
         inputStrength: pulumi.Input<string>;
         /**
-         * Strength for filters.
+         * Action to take when harmful content is detected. Valid values: `BLOCK`, `NONE`.
+         */
+        outputAction?: pulumi.Input<string>;
+        /**
+         * Toggles guardrail evaluation on output.
+         */
+        outputEnabled?: pulumi.Input<boolean>;
+        /**
+         * List of selected output modalities. Valid values: `IMAGE`, `TEXT`.
+         */
+        outputModalities?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Strength for filters. Valid values: `NONE`, `LOW`, `MEDIUM`, `HIGH`.
          */
         outputStrength: pulumi.Input<string>;
         /**
@@ -13657,6 +13899,61 @@ export declare namespace bedrockmodel {
     }
 }
 export declare namespace billing {
+    interface ViewDataFilterExpression {
+        /**
+         * Dimension to use for `expression`. Refer to #dimensions for more details.
+         */
+        dimensions?: pulumi.Input<inputs.billing.ViewDataFilterExpressionDimensions>;
+        /**
+         * List of key value map specifying tags associated to the billing view being created.
+         */
+        tags?: pulumi.Input<pulumi.Input<inputs.billing.ViewDataFilterExpressionTag>[]>;
+        /**
+         * Time range to use for `expression`. Refer to #time-range for more details.
+         */
+        timeRange?: pulumi.Input<inputs.billing.ViewDataFilterExpressionTimeRange>;
+    }
+    interface ViewDataFilterExpressionDimensions {
+        /**
+         * Key of the dimension. Possible values are `LINKED_ACCOUNT`.
+         */
+        key: pulumi.Input<string>;
+        /**
+         * List of metadata values that you can use to filter and group your results.
+         */
+        values: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface ViewDataFilterExpressionTag {
+        /**
+         * Key of the tag.
+         */
+        key: pulumi.Input<string>;
+        /**
+         * List of values for the tag.
+         */
+        values: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface ViewDataFilterExpressionTimeRange {
+        /**
+         * Inclusive end date of the time range.
+         */
+        beginDateInclusive: pulumi.Input<string>;
+        endDateInclusive: pulumi.Input<string>;
+    }
+    interface ViewTimeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        create?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+         */
+        delete?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        update?: pulumi.Input<string>;
+    }
 }
 export declare namespace budgets {
     interface BudgetActionActionThreshold {
@@ -16651,6 +16948,422 @@ export declare namespace cloudwatch {
          */
         value: pulumi.Input<string>;
     }
+    interface LogTransformerTransformerConfig {
+        /**
+         * Adds new key-value pairs to the log event. See `addKeys` below for details.
+         */
+        addKeys?: pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigAddKeys>;
+        /**
+         * Copies values within a log event. See `copyValue` below for details.
+         */
+        copyValue?: pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigCopyValue>;
+        /**
+         * Parses comma-separated values (CSV) from the log events into columns. See `csv` below for details.
+         */
+        csvs?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigCsv>[]>;
+        /**
+         * Converts a datetime string into a format that you specify. See `dateTimeConverter` below for details.
+         */
+        dateTimeConverters?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigDateTimeConverter>[]>;
+        /**
+         * Deletes entry from a log event. See `deleteKeys` below for details.
+         */
+        deleteKeys?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigDeleteKey>[]>;
+        /**
+         * Parses and structures unstructured data by using pattern matching. See `grok` below for details.
+         */
+        grok?: pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigGrok>;
+        /**
+         * Converts list of objects that contain key fields into a map of target keys. See `listToMap` below for details.
+         */
+        listToMaps?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigListToMap>[]>;
+        /**
+         * Converts a string to lowercase. See `lowerCaseString` below for details.
+         */
+        lowerCaseStrings?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigLowerCaseString>[]>;
+        /**
+         * Moves a key from one field to another. See `moveKeys` below for details.
+         */
+        moveKeys?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigMoveKey>[]>;
+        /**
+         * Parses CloudFront vended logs, extracts fields, and converts them into JSON format. See `parseCloudfront` below for details.
+         */
+        parseCloudfront?: pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigParseCloudfront>;
+        /**
+         * Parses log events that are in JSON format. See `parseJson` below for details.
+         */
+        parseJsons?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigParseJson>[]>;
+        /**
+         * Parses a specified field in the original log event into key-value pairs. See `parseKeyValue` below for details.
+         */
+        parseKeyValues?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigParseKeyValue>[]>;
+        /**
+         * Parses RDS for PostgreSQL vended logs, extracts fields, and and convert them into a JSON format. See `parsePostgres` below for details.
+         */
+        parsePostgres?: pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigParsePostgres>;
+        /**
+         * Parses Route 53 vended logs, extracts fields, and converts them into JSON format. See `parseRoute53` below for details.
+         */
+        parseRoute53?: pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigParseRoute53>;
+        /**
+         * Parses logs events and converts them into Open Cybersecurity Schema Framework (OCSF) events. See `parseToOcsf` below for details.
+         */
+        parseToOcsf?: pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigParseToOcsf>;
+        /**
+         * Parses Amazon VPC vended logs, extracts fields, and converts them into JSON format. See `parseVpc` below for details.
+         */
+        parseVpc?: pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigParseVpc>;
+        /**
+         * Parses AWS WAF vended logs, extracts fields, and converts them into JSON format. See `parseWaf` below for details.
+         */
+        parseWaf?: pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigParseWaf>;
+        /**
+         * Renames keys in a log event. See `renameKeys` below for details.
+         */
+        renameKeys?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigRenameKey>[]>;
+        /**
+         * Splits a field into an array of strings using a delimiting character. See `splitString` below for details.
+         */
+        splitStrings?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigSplitString>[]>;
+        /**
+         * Matches a key’s value against a regular expression and replaces all matches with a replacement string. See `substituteString` below for details.
+         */
+        substituteStrings?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigSubstituteString>[]>;
+        /**
+         * Removes leading and trailing whitespace from a string. See `trimString` below for details.
+         */
+        trimStrings?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigTrimString>[]>;
+        /**
+         * Converts a value type associated with the specified key to the specified type. See `typeConverter` below for details.
+         */
+        typeConverters?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigTypeConverter>[]>;
+        /**
+         * Converts a string to uppercase. See `upperCaseString` below for details.
+         */
+        upperCaseStrings?: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigUpperCaseString>[]>;
+    }
+    interface LogTransformerTransformerConfigAddKeys {
+        /**
+         * Objects containing the information about the keys to add to the log event. You must include at least one entry, and five at most. See `addKeys` `entry` below for details.
+         */
+        entries: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigAddKeysEntry>[]>;
+    }
+    interface LogTransformerTransformerConfigAddKeysEntry {
+        /**
+         * Specifies the key with the value that will be converted to a different type.
+         */
+        key: pulumi.Input<string>;
+        /**
+         * Specifies whether to overwrite the value if the destination key already exists. Defaults to `false`.
+         * * `renameTo` - (Required) Specifies the new name of the key.
+         */
+        overwriteIfExists?: pulumi.Input<boolean>;
+        /**
+         * Specifies the value of the new entry to be added to the log event.
+         */
+        value: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigCopyValue {
+        /**
+         * Objects containing the information about the values to copy to the log event. You must include at least one entry, and five at most. See `copyValue` `entry` below for details.
+         */
+        entries: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigCopyValueEntry>[]>;
+    }
+    interface LogTransformerTransformerConfigCopyValueEntry {
+        /**
+         * Specifies whether to overwrite the value if the destination key already exists. Defaults to `false`.
+         * * `renameTo` - (Required) Specifies the new name of the key.
+         */
+        overwriteIfExists?: pulumi.Input<boolean>;
+        /**
+         * Specifies the key to modify.
+         */
+        source: pulumi.Input<string>;
+        /**
+         * Specifies the key to move to.
+         */
+        target: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigCsv {
+        /**
+         * Specifies the names to use for the columns in the transformed log event. If not specified, default column names (`[column_1, column2 ...]`) are used.
+         */
+        columns?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Specifies the character used to separate each column in the original comma-separated value log event. Defaults to the comma `,` character.
+         */
+        delimiter?: pulumi.Input<string>;
+        /**
+         * Specifies the character used as a text qualifier for a single column of data. Defaults to the double quotation mark `"` character.
+         */
+        quoteCharacter?: pulumi.Input<string>;
+        /**
+         * Specifies the path to the field in the log event that has the comma separated values to be parsed. If omitted, the whole log message is processed.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigDateTimeConverter {
+        /**
+         * Specifies the locale of the source field. Defaults to `locale.ROOT`.
+         */
+        locale?: pulumi.Input<string>;
+        /**
+         * Specifies the list of patterns to match against the `source` field.
+         */
+        matchPatterns: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Specifies the key to apply the date conversion to.
+         */
+        source: pulumi.Input<string>;
+        /**
+         * Specifies the time zone of the source field. Defaults to `UTC`.
+         */
+        sourceTimezone?: pulumi.Input<string>;
+        /**
+         * Specifies the JSON field to store the result in.
+         */
+        target: pulumi.Input<string>;
+        /**
+         * Specifies the datetime format to use for the converted data in the target field. Defaults to `yyyy-MM-dd'T'HH:mm:ss.SSS'Z`.
+         */
+        targetFormat?: pulumi.Input<string>;
+        /**
+         * Specifies the time zone of the target field. Defaults to `UTC`.
+         */
+        targetTimezone?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigDeleteKey {
+        /**
+         * Specifies the keys to be deleted.
+         */
+        withKeys: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface LogTransformerTransformerConfigGrok {
+        /**
+         * Specifies the grok pattern to match against the log event.
+         */
+        match: pulumi.Input<string>;
+        /**
+         * Specifies the path to the field in the log event that has the comma separated values to be parsed. If omitted, the whole log message is processed.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigListToMap {
+        /**
+         * Specifies whether the list will be flattened into single items. Defaults to `false`.
+         */
+        flatten?: pulumi.Input<boolean>;
+        /**
+         * Required if `flatten` is set to true. Specifies the element to keep. Allowed values are `first` and `last`.
+         */
+        flattenedElement?: pulumi.Input<string>;
+        /**
+         * Specifies the key of the field to be extracted as keys in the generated map.
+         */
+        key: pulumi.Input<string>;
+        /**
+         * Specifies the key in the log event that has a list of objects that will be converted to a map.
+         */
+        source: pulumi.Input<string>;
+        /**
+         * Specifies the key of the field that will hold the generated map.
+         */
+        target?: pulumi.Input<string>;
+        /**
+         * Specifies the values that will be extracted from the source objects and put into the values of the generated map. If omitted, original objects in the source list will be put into the values of the generated map.
+         */
+        valueKey?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigLowerCaseString {
+        /**
+         * Specifies the keys of the fields to convert to lowercase.
+         */
+        withKeys: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface LogTransformerTransformerConfigMoveKey {
+        /**
+         * Objects containing the information about the keys to move to the log event. You must include at least one entry, and five at most. See `moveKeys` `entry` below for details.
+         */
+        entries: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigMoveKeyEntry>[]>;
+    }
+    interface LogTransformerTransformerConfigMoveKeyEntry {
+        /**
+         * Specifies whether to overwrite the value if the destination key already exists. Defaults to `false`.
+         * * `renameTo` - (Required) Specifies the new name of the key.
+         */
+        overwriteIfExists?: pulumi.Input<boolean>;
+        /**
+         * Specifies the key to modify.
+         */
+        source: pulumi.Input<string>;
+        /**
+         * Specifies the key to move to.
+         */
+        target: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigParseCloudfront {
+        /**
+         * Specifies the source field to be parsed. The only allowed value is `@message`. If omitted, the whole log message is processed.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigParseJson {
+        /**
+         * Specifies the location to put the parsed key value pair into. If omitted, it will be placed under the root node.
+         */
+        destination?: pulumi.Input<string>;
+        /**
+         * Specifies the path to the field in the log event that will be parsed. Defaults to `@message`.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigParseKeyValue {
+        /**
+         * Specifies the destination field to put the extracted key-value pairs into.
+         */
+        destination?: pulumi.Input<string>;
+        /**
+         * Specifies the field delimiter string that is used between key-value pairs in the original log events. Defaults to the ampersand `&` character.
+         */
+        fieldDelimiter?: pulumi.Input<string>;
+        /**
+         * Specifies a prefix that will be added to all transformed keys.
+         */
+        keyPrefix?: pulumi.Input<string>;
+        /**
+         * Specifies the delimiter string to use between the key and value in each pair in the transformed log event. Defaults to the equal `=` character.
+         */
+        keyValueDelimiter?: pulumi.Input<string>;
+        /**
+         * Specifies a value to insert into the value field in the result if a key-value pair is not successfully split.
+         */
+        nonMatchValue?: pulumi.Input<string>;
+        /**
+         * Specifies whether to overwrite the value if the destination key already exists. Defaults to `false`.
+         */
+        overwriteIfExists?: pulumi.Input<boolean>;
+        /**
+         * Specifies the path to the field in the log event that will be parsed. Defaults to `@message`.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigParsePostgres {
+        /**
+         * Specifies the source field to be parsed. The only allowed value is `@message`. If omitted, the whole log message is processed.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigParseRoute53 {
+        /**
+         * Specifies the source field to be parsed. The only allowed value is `@message`. If omitted, the whole log message is processed.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigParseToOcsf {
+        eventSource: pulumi.Input<string>;
+        /**
+         * Specifies the version of the OCSF schema to use for the transformed log events. The only allowed value is `V1.1`.
+         */
+        ocsfVersion: pulumi.Input<string>;
+        /**
+         * Specifies the source field to be parsed. The only allowed value is `@message`. If omitted, the whole log message is processed.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigParseVpc {
+        /**
+         * Specifies the source field to be parsed. The only allowed value is `@message`. If omitted, the whole log message is processed.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigParseWaf {
+        /**
+         * Specifies the source field to be parsed. The only allowed value is `@message`. If omitted, the whole log message is processed.
+         */
+        source?: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigRenameKey {
+        /**
+         * Objects containing the information about the keys to rename. You must include at least one entry, and five at most. See `renameKeys` `entry` below for details.
+         */
+        entries: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigRenameKeyEntry>[]>;
+    }
+    interface LogTransformerTransformerConfigRenameKeyEntry {
+        /**
+         * Specifies the key with the value that will be converted to a different type.
+         */
+        key: pulumi.Input<string>;
+        /**
+         * Specifies whether to overwrite the value if the destination key already exists. Defaults to `false`.
+         * * `renameTo` - (Required) Specifies the new name of the key.
+         */
+        overwriteIfExists?: pulumi.Input<boolean>;
+        renameTo: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigSplitString {
+        /**
+         * Objects containing the information about the fields to split. You must include at least one entry, and ten at most. See `splitString` `entry` below for details.
+         */
+        entries: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigSplitStringEntry>[]>;
+    }
+    interface LogTransformerTransformerConfigSplitStringEntry {
+        /**
+         * Specifies the separator characters to split the string entry on.
+         */
+        delimiter: pulumi.Input<string>;
+        /**
+         * Specifies the key to modify.
+         */
+        source: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigSubstituteString {
+        /**
+         * Objects containing the information about the fields to substitute. You must include at least one entry, and ten at most. See `substituteString` `entry` below for details.
+         */
+        entries: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigSubstituteStringEntry>[]>;
+    }
+    interface LogTransformerTransformerConfigSubstituteStringEntry {
+        /**
+         * Specifies the regular expression string to be replaced.
+         */
+        from: pulumi.Input<string>;
+        /**
+         * Specifies the key to modify.
+         */
+        source: pulumi.Input<string>;
+        /**
+         * Specifies the string to be substituted for each match of `from`.
+         */
+        to: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigTrimString {
+        /**
+         * Specifies the keys of the fields to trim.
+         */
+        withKeys: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface LogTransformerTransformerConfigTypeConverter {
+        /**
+         * Objects containing the information about the fields to change the type of. You must include at least one entry, and five at most. See `typeConverter` `entry` below for details.
+         */
+        entries: pulumi.Input<pulumi.Input<inputs.cloudwatch.LogTransformerTransformerConfigTypeConverterEntry>[]>;
+    }
+    interface LogTransformerTransformerConfigTypeConverterEntry {
+        /**
+         * Specifies the key with the value that will be converted to a different type.
+         */
+        key: pulumi.Input<string>;
+        /**
+         * Specifies the type to convert the field value to. Allowed values are: `integer`, `double`, `string` and `boolean`.
+         */
+        type: pulumi.Input<string>;
+    }
+    interface LogTransformerTransformerConfigUpperCaseString {
+        /**
+         * Specifies the keys of the fields to convert to uppercase.
+         */
+        withKeys: pulumi.Input<pulumi.Input<string>[]>;
+    }
     interface MetricAlarmMetricQuery {
         /**
          * The ID of the account where the metrics are located, if this is a cross-account alarm.
@@ -18596,7 +19309,7 @@ export declare namespace codestarconnections {
 export declare namespace codestarnotifications {
     interface NotificationRuleTarget {
         /**
-         * The ARN of notification rule target. For example, a SNS Topic ARN.
+         * The ARN of the Amazon Q Developer in chat applications topic or Amazon Q Developer in chat applications client.
          */
         address: pulumi.Input<string>;
         /**
@@ -18604,7 +19317,7 @@ export declare namespace codestarnotifications {
          */
         status?: pulumi.Input<string>;
         /**
-         * The type of the notification target. Default value is `SNS`.
+         * The type of the notification target. Valid values are `SNS`, `AWSChatbotSlack`, and `AWSChatbotMicrosoftTeams`. Default value is `SNS`.
          */
         type?: pulumi.Input<string>;
     }
@@ -23714,6 +24427,12 @@ export declare namespace dynamodb {
          */
         writeUnitsPerSecond?: pulumi.Input<number>;
     }
+    interface TableGlobalTableWitness {
+        /**
+         * Name of the AWS Region that serves as a witness for the MRSC global table.
+         */
+        regionName?: pulumi.Input<string>;
+    }
     interface TableImportTable {
         /**
          * Type of compression to be used on the input coming from the imported table.
@@ -24472,6 +25191,134 @@ export declare namespace ec2 {
          */
         update?: pulumi.Input<string>;
     }
+    interface EncryptionControlResourceExclusions {
+        /**
+         * `state` and `stateMessage` describing encryption enforcement state for Egress-Only Internet Gateways.
+         */
+        egressOnlyInternetGateway: pulumi.Input<inputs.ec2.EncryptionControlResourceExclusionsEgressOnlyInternetGateway>;
+        /**
+         * `state` and `stateMessage` describing encryption enforcement state for Elastic File System (EFS).
+         */
+        elasticFileSystem: pulumi.Input<inputs.ec2.EncryptionControlResourceExclusionsElasticFileSystem>;
+        /**
+         * `state` and `stateMessage` describing encryption enforcement state for Internet Gateways.
+         */
+        internetGateway: pulumi.Input<inputs.ec2.EncryptionControlResourceExclusionsInternetGateway>;
+        /**
+         * `state` and `stateMessage` describing encryption enforcement state for Lambda Functions.
+         */
+        lambda: pulumi.Input<inputs.ec2.EncryptionControlResourceExclusionsLambda>;
+        /**
+         * `state` and `stateMessage` describing encryption enforcement state for NAT Gateways.
+         */
+        natGateway: pulumi.Input<inputs.ec2.EncryptionControlResourceExclusionsNatGateway>;
+        /**
+         * `state` and `stateMessage` describing encryption enforcement state for Virtual Private Gateways.
+         */
+        virtualPrivateGateway: pulumi.Input<inputs.ec2.EncryptionControlResourceExclusionsVirtualPrivateGateway>;
+        /**
+         * `state` and `stateMessage` describing encryption enforcement state for VPC Lattice.
+         */
+        vpcLattice: pulumi.Input<inputs.ec2.EncryptionControlResourceExclusionsVpcLattice>;
+        /**
+         * `state` and `stateMessage` describing encryption enforcement state for peered VPCs.
+         */
+        vpcPeering: pulumi.Input<inputs.ec2.EncryptionControlResourceExclusionsVpcPeering>;
+    }
+    interface EncryptionControlResourceExclusionsEgressOnlyInternetGateway {
+        /**
+         * The current state of the VPC Encryption Control.
+         */
+        state: pulumi.Input<string>;
+        /**
+         * A message providing additional information about the state of the VPC Encryption Control.
+         */
+        stateMessage: pulumi.Input<string>;
+    }
+    interface EncryptionControlResourceExclusionsElasticFileSystem {
+        /**
+         * The current state of the VPC Encryption Control.
+         */
+        state: pulumi.Input<string>;
+        /**
+         * A message providing additional information about the state of the VPC Encryption Control.
+         */
+        stateMessage: pulumi.Input<string>;
+    }
+    interface EncryptionControlResourceExclusionsInternetGateway {
+        /**
+         * The current state of the VPC Encryption Control.
+         */
+        state: pulumi.Input<string>;
+        /**
+         * A message providing additional information about the state of the VPC Encryption Control.
+         */
+        stateMessage: pulumi.Input<string>;
+    }
+    interface EncryptionControlResourceExclusionsLambda {
+        /**
+         * The current state of the VPC Encryption Control.
+         */
+        state: pulumi.Input<string>;
+        /**
+         * A message providing additional information about the state of the VPC Encryption Control.
+         */
+        stateMessage: pulumi.Input<string>;
+    }
+    interface EncryptionControlResourceExclusionsNatGateway {
+        /**
+         * The current state of the VPC Encryption Control.
+         */
+        state: pulumi.Input<string>;
+        /**
+         * A message providing additional information about the state of the VPC Encryption Control.
+         */
+        stateMessage: pulumi.Input<string>;
+    }
+    interface EncryptionControlResourceExclusionsVirtualPrivateGateway {
+        /**
+         * The current state of the VPC Encryption Control.
+         */
+        state: pulumi.Input<string>;
+        /**
+         * A message providing additional information about the state of the VPC Encryption Control.
+         */
+        stateMessage: pulumi.Input<string>;
+    }
+    interface EncryptionControlResourceExclusionsVpcLattice {
+        /**
+         * The current state of the VPC Encryption Control.
+         */
+        state: pulumi.Input<string>;
+        /**
+         * A message providing additional information about the state of the VPC Encryption Control.
+         */
+        stateMessage: pulumi.Input<string>;
+    }
+    interface EncryptionControlResourceExclusionsVpcPeering {
+        /**
+         * The current state of the VPC Encryption Control.
+         */
+        state: pulumi.Input<string>;
+        /**
+         * A message providing additional information about the state of the VPC Encryption Control.
+         */
+        stateMessage: pulumi.Input<string>;
+    }
+    interface EncryptionControlTimeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        create?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+         */
+        delete?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        update?: pulumi.Input<string>;
+    }
     interface FleetFleetInstanceSet {
         /**
          * The IDs of the instances.
@@ -26972,6 +27819,20 @@ export declare namespace ec2 {
          */
         description?: pulumi.Input<string>;
     }
+    interface NatGatewayAvailabilityZoneAddress {
+        /**
+         * List of allocation IDs of the Elastic IP addresses (EIPs) to be used for handling outbound NAT traffic in this specific Availability Zone.
+         */
+        allocationIds?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Availability Zone (e.g. `us-west-2a`) where this specific NAT gateway configuration will be active. Exactly one of `availabilityZone` or `availabilityZoneId` must be specified.
+         */
+        availabilityZone?: pulumi.Input<string>;
+        /**
+         * Availability Zone ID (e.g. `usw2-az2`) where this specific NAT gateway configuration will be active. Exactly one of `availabilityZone` or `availabilityZoneId` must be specified.
+         */
+        availabilityZoneId?: pulumi.Input<string>;
+    }
     interface NatGatewayEipAssociationTimeouts {
         /**
          * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
@@ -26982,6 +27843,36 @@ export declare namespace ec2 {
          */
         delete?: pulumi.Input<string>;
     }
+    interface NatGatewayRegionalNatGatewayAddress {
+        /**
+         * The Allocation ID of the Elastic IP address for the NAT Gateway. Required when `connectivityType` is set to `public` and `availabilityMode` is set to `zonal`. When `availabilityMode` is set to `regional`, this must not be set; instead, use the `availabilityZoneAddress` block to specify EIPs for each AZ.
+         */
+        allocationId?: pulumi.Input<string>;
+        /**
+         * Association ID of the Elastic IP address.
+         */
+        associationId?: pulumi.Input<string>;
+        /**
+         * Availability Zone where this specific NAT gateway configuration is active.
+         */
+        availabilityZone?: pulumi.Input<string>;
+        /**
+         * Availability Zone ID where this specific NAT gateway configuration is active
+         */
+        availabilityZoneId?: pulumi.Input<string>;
+        /**
+         * ID of the network interface.
+         */
+        networkInterfaceId?: pulumi.Input<string>;
+        /**
+         * Public IP address.
+         */
+        publicIp?: pulumi.Input<string>;
+        /**
+         * Status of the NAT gateway address.
+         */
+        status?: pulumi.Input<string>;
+    }
     interface NetworkAclEgress {
         /**
          * The action to take.
@@ -28554,203 +29445,331 @@ export declare namespace ec2 {
          */
         volumeSize?: pulumi.Input<number>;
         /**
-         * Type of volume. Valid values include `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1`, or `st1`. Defaults to `gp2`.
+         * Type of volume. Valid values include `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1`, or `st1`. Defaults to `gp2`.
+         *
+         * > **NOTE:** Currently, changes to the `ebsBlockDevice` configuration of _existing_ resources cannot be automatically detected by this provider. To manage changes and attachments of an EBS block to an instance, use the `aws.ebs.Volume` and `aws.ec2.VolumeAttachment` resources instead. If you use `ebsBlockDevice` on an `aws.ec2.Instance`, this provider will assume management over the full set of non-root EBS block devices for the instance, treating additional block devices as drift. For this reason, `ebsBlockDevice` cannot be mixed with external `aws.ebs.Volume` and `aws.ec2.VolumeAttachment` resources for a given instance.
+         */
+        volumeType?: pulumi.Input<string>;
+    }
+    interface SpotInstanceRequestEnclaveOptions {
+        /**
+         * Whether Nitro Enclaves will be enabled on the instance. Defaults to `false`.
+         *
+         * For more information, see the documentation on [Nitro Enclaves](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html).
+         */
+        enabled?: pulumi.Input<boolean>;
+    }
+    interface SpotInstanceRequestEphemeralBlockDevice {
+        /**
+         * Name of the block device to mount on the instance.
+         */
+        deviceName: pulumi.Input<string>;
+        /**
+         * Suppresses the specified device included in the AMI's block device mapping.
+         */
+        noDevice?: pulumi.Input<boolean>;
+        /**
+         * [Instance Store Device Name](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#InstanceStoreDeviceNames) (e.g., `ephemeral0`).
+         *
+         * Each AWS Instance type has a different set of Instance Store block devices available for attachment. AWS [publishes a list](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#StorageOnInstanceTypes) of which ephemeral devices are available on each type. The devices are always identified by the `virtualName` in the format `ephemeral{0..N}`.
+         */
+        virtualName?: pulumi.Input<string>;
+    }
+    interface SpotInstanceRequestLaunchTemplate {
+        /**
+         * ID of the launch template. Conflicts with `name`.
+         */
+        id?: pulumi.Input<string>;
+        /**
+         * Name of the launch template. Conflicts with `id`.
+         */
+        name?: pulumi.Input<string>;
+        /**
+         * Template version. Can be a specific version number, `$Latest` or `$Default`. The default value is `$Default`.
+         */
+        version?: pulumi.Input<string>;
+    }
+    interface SpotInstanceRequestMaintenanceOptions {
+        /**
+         * Automatic recovery behavior of the Instance. Can be `"default"` or `"disabled"`. See [Recover your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html) for more details.
+         */
+        autoRecovery?: pulumi.Input<string>;
+    }
+    interface SpotInstanceRequestMetadataOptions {
+        /**
+         * Whether the metadata service is available. Valid values include `enabled` or `disabled`. Defaults to `enabled`.
+         */
+        httpEndpoint?: pulumi.Input<string>;
+        /**
+         * Whether the IPv6 endpoint for the instance metadata service is enabled. Defaults to `disabled`.
+         */
+        httpProtocolIpv6?: pulumi.Input<string>;
+        /**
+         * Desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `1`.
+         */
+        httpPutResponseHopLimit?: pulumi.Input<number>;
+        /**
+         * Whether or not the metadata service requires session tokens, also referred to as _Instance Metadata Service Version 2 (IMDSv2)_. Valid values include `optional` or `required`.
+         */
+        httpTokens?: pulumi.Input<string>;
+        /**
+         * Enables or disables access to instance tags from the instance metadata service. Valid values include `enabled` or `disabled`. Defaults to `disabled`.
+         *
+         * For more information, see the documentation on the [Instance Metadata Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html).
+         */
+        instanceMetadataTags?: pulumi.Input<string>;
+    }
+    interface SpotInstanceRequestNetworkInterface {
+        /**
+         * Whether or not to delete the network interface on instance termination. Defaults to `false`. Currently, the only valid value is `false`, as this is only supported when creating new network interfaces when launching an instance.
+         */
+        deleteOnTermination?: pulumi.Input<boolean>;
+        /**
+         * Integer index of the network interface attachment. Limited by instance type.
+         */
+        deviceIndex: pulumi.Input<number>;
+        /**
+         * Integer index of the network card. Limited by instance type. The default index is `0`.
+         */
+        networkCardIndex?: pulumi.Input<number>;
+        /**
+         * ID of the network interface to attach.
+         */
+        networkInterfaceId: pulumi.Input<string>;
+    }
+    interface SpotInstanceRequestPrimaryNetworkInterface {
+        /**
+         * Whether the network interface will be deleted when the instance terminates.
+         */
+        deleteOnTermination?: pulumi.Input<boolean>;
+        /**
+         * ID of the network interface to attach.
+         */
+        networkInterfaceId?: pulumi.Input<string>;
+    }
+    interface SpotInstanceRequestPrivateDnsNameOptions {
+        /**
+         * Indicates whether to respond to DNS queries for instance hostnames with DNS A records.
+         */
+        enableResourceNameDnsARecord?: pulumi.Input<boolean>;
+        /**
+         * Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.
+         */
+        enableResourceNameDnsAaaaRecord?: pulumi.Input<boolean>;
+        /**
+         * Type of hostname for Amazon EC2 instances. For IPv4 only subnets, an instance DNS name must be based on the instance IPv4 address. For IPv6 native subnets, an instance DNS name must be based on the instance ID. For dual-stack subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name` and `resource-name`.
+         */
+        hostnameType?: pulumi.Input<string>;
+    }
+    interface SpotInstanceRequestRootBlockDevice {
+        /**
+         * Whether the volume should be destroyed on instance termination. Defaults to `true`.
+         */
+        deleteOnTermination?: pulumi.Input<boolean>;
+        deviceName?: pulumi.Input<string>;
+        /**
+         * Whether to enable volume encryption. Defaults to `false`. Must be configured to perform drift detection.
+         */
+        encrypted?: pulumi.Input<boolean>;
+        /**
+         * Amount of provisioned [IOPS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html). Only valid for volumeType of `io1`, `io2` or `gp3`.
+         */
+        iops?: pulumi.Input<number>;
+        /**
+         * Amazon Resource Name (ARN) of the KMS Key to use when encrypting the volume. Must be configured to perform drift detection.
+         */
+        kmsKeyId?: pulumi.Input<string>;
+        /**
+         * Map of tags to assign to the device.
+         */
+        tags?: pulumi.Input<{
+            [key: string]: pulumi.Input<string>;
+        }>;
+        /**
+         * A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
+         */
+        tagsAll?: pulumi.Input<{
+            [key: string]: pulumi.Input<string>;
+        }>;
+        /**
+         * Throughput to provision for a volume in mebibytes per second (MiB/s). This is only valid for `volumeType` of `gp3`.
+         */
+        throughput?: pulumi.Input<number>;
+        volumeId?: pulumi.Input<string>;
+        /**
+         * Size of the volume in gibibytes (GiB).
+         */
+        volumeSize?: pulumi.Input<number>;
+        /**
+         * Type of volume. Valid values include `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1`, or `st1`. Defaults to the volume type that the AMI uses.
          *
-         * > **NOTE:** Currently, changes to the `ebsBlockDevice` configuration of _existing_ resources cannot be automatically detected by this provider. To manage changes and attachments of an EBS block to an instance, use the `aws.ebs.Volume` and `aws.ec2.VolumeAttachment` resources instead. If you use `ebsBlockDevice` on an `aws.ec2.Instance`, this provider will assume management over the full set of non-root EBS block devices for the instance, treating additional block devices as drift. For this reason, `ebsBlockDevice` cannot be mixed with external `aws.ebs.Volume` and `aws.ec2.VolumeAttachment` resources for a given instance.
+         * Modifying the `encrypted` or `kmsKeyId` settings of the `rootBlockDevice` requires resource replacement.
          */
         volumeType?: pulumi.Input<string>;
     }
-    interface SpotInstanceRequestEnclaveOptions {
+    interface TrafficMirrorFilterRuleDestinationPortRange {
         /**
-         * Whether Nitro Enclaves will be enabled on the instance. Defaults to `false`.
-         *
-         * For more information, see the documentation on [Nitro Enclaves](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html).
+         * Starting port of the range
          */
-        enabled?: pulumi.Input<boolean>;
-    }
-    interface SpotInstanceRequestEphemeralBlockDevice {
+        fromPort?: pulumi.Input<number>;
         /**
-         * Name of the block device to mount on the instance.
+         * Ending port of the range
          */
-        deviceName: pulumi.Input<string>;
+        toPort?: pulumi.Input<number>;
+    }
+    interface TrafficMirrorFilterRuleSourcePortRange {
         /**
-         * Suppresses the specified device included in the AMI's block device mapping.
+         * Starting port of the range
          */
-        noDevice?: pulumi.Input<boolean>;
+        fromPort?: pulumi.Input<number>;
         /**
-         * [Instance Store Device Name](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#InstanceStoreDeviceNames) (e.g., `ephemeral0`).
-         *
-         * Each AWS Instance type has a different set of Instance Store block devices available for attachment. AWS [publishes a list](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#StorageOnInstanceTypes) of which ephemeral devices are available on each type. The devices are always identified by the `virtualName` in the format `ephemeral{0..N}`.
+         * Ending port of the range
          */
-        virtualName?: pulumi.Input<string>;
+        toPort?: pulumi.Input<number>;
     }
-    interface SpotInstanceRequestLaunchTemplate {
+    interface VpcBlockPublicAccessExclusionTimeouts {
         /**
-         * ID of the launch template. Conflicts with `name`.
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
          */
-        id?: pulumi.Input<string>;
+        create?: pulumi.Input<string>;
         /**
-         * Name of the launch template. Conflicts with `id`.
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
          */
-        name?: pulumi.Input<string>;
+        delete?: pulumi.Input<string>;
         /**
-         * Template version. Can be a specific version number, `$Latest` or `$Default`. The default value is `$Default`.
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
          */
-        version?: pulumi.Input<string>;
+        update?: pulumi.Input<string>;
     }
-    interface SpotInstanceRequestMaintenanceOptions {
+    interface VpcBlockPublicAccessOptionsTimeouts {
         /**
-         * Automatic recovery behavior of the Instance. Can be `"default"` or `"disabled"`. See [Recover your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html) for more details.
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
          */
-        autoRecovery?: pulumi.Input<string>;
-    }
-    interface SpotInstanceRequestMetadataOptions {
+        create?: pulumi.Input<string>;
         /**
-         * Whether the metadata service is available. Valid values include `enabled` or `disabled`. Defaults to `enabled`.
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
          */
-        httpEndpoint?: pulumi.Input<string>;
+        delete?: pulumi.Input<string>;
         /**
-         * Whether the IPv6 endpoint for the instance metadata service is enabled. Defaults to `disabled`.
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
          */
-        httpProtocolIpv6?: pulumi.Input<string>;
+        update?: pulumi.Input<string>;
+    }
+    interface VpcEncryptionControlResourceExclusions {
         /**
-         * Desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `1`.
+         * `state` and `stateMessage` describing encryption enforcement state for Egress-Only Internet Gateways.
          */
-        httpPutResponseHopLimit?: pulumi.Input<number>;
+        egressOnlyInternetGateway: pulumi.Input<inputs.ec2.VpcEncryptionControlResourceExclusionsEgressOnlyInternetGateway>;
         /**
-         * Whether or not the metadata service requires session tokens, also referred to as _Instance Metadata Service Version 2 (IMDSv2)_. Valid values include `optional` or `required`.
+         * `state` and `stateMessage` describing encryption enforcement state for Elastic File System (EFS).
          */
-        httpTokens?: pulumi.Input<string>;
+        elasticFileSystem: pulumi.Input<inputs.ec2.VpcEncryptionControlResourceExclusionsElasticFileSystem>;
         /**
-         * Enables or disables access to instance tags from the instance metadata service. Valid values include `enabled` or `disabled`. Defaults to `disabled`.
-         *
-         * For more information, see the documentation on the [Instance Metadata Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html).
+         * `state` and `stateMessage` describing encryption enforcement state for Internet Gateways.
          */
-        instanceMetadataTags?: pulumi.Input<string>;
-    }
-    interface SpotInstanceRequestNetworkInterface {
+        internetGateway: pulumi.Input<inputs.ec2.VpcEncryptionControlResourceExclusionsInternetGateway>;
         /**
-         * Whether or not to delete the network interface on instance termination. Defaults to `false`. Currently, the only valid value is `false`, as this is only supported when creating new network interfaces when launching an instance.
+         * `state` and `stateMessage` describing encryption enforcement state for Lambda Functions.
          */
-        deleteOnTermination?: pulumi.Input<boolean>;
+        lambda: pulumi.Input<inputs.ec2.VpcEncryptionControlResourceExclusionsLambda>;
         /**
-         * Integer index of the network interface attachment. Limited by instance type.
+         * `state` and `stateMessage` describing encryption enforcement state for NAT Gateways.
          */
-        deviceIndex: pulumi.Input<number>;
+        natGateway: pulumi.Input<inputs.ec2.VpcEncryptionControlResourceExclusionsNatGateway>;
         /**
-         * Integer index of the network card. Limited by instance type. The default index is `0`.
+         * `state` and `stateMessage` describing encryption enforcement state for Virtual Private Gateways.
          */
-        networkCardIndex?: pulumi.Input<number>;
+        virtualPrivateGateway: pulumi.Input<inputs.ec2.VpcEncryptionControlResourceExclusionsVirtualPrivateGateway>;
         /**
-         * ID of the network interface to attach.
+         * `state` and `stateMessage` describing encryption enforcement state for VPC Lattice.
          */
-        networkInterfaceId: pulumi.Input<string>;
-    }
-    interface SpotInstanceRequestPrimaryNetworkInterface {
+        vpcLattice: pulumi.Input<inputs.ec2.VpcEncryptionControlResourceExclusionsVpcLattice>;
         /**
-         * Whether the network interface will be deleted when the instance terminates.
+         * `state` and `stateMessage` describing encryption enforcement state for peered VPCs.
          */
-        deleteOnTermination?: pulumi.Input<boolean>;
-        /**
-         * ID of the network interface to attach.
-         */
-        networkInterfaceId?: pulumi.Input<string>;
+        vpcPeering: pulumi.Input<inputs.ec2.VpcEncryptionControlResourceExclusionsVpcPeering>;
     }
-    interface SpotInstanceRequestPrivateDnsNameOptions {
+    interface VpcEncryptionControlResourceExclusionsEgressOnlyInternetGateway {
         /**
-         * Indicates whether to respond to DNS queries for instance hostnames with DNS A records.
+         * The current state of the VPC Encryption Control.
          */
-        enableResourceNameDnsARecord?: pulumi.Input<boolean>;
-        /**
-         * Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.
-         */
-        enableResourceNameDnsAaaaRecord?: pulumi.Input<boolean>;
+        state: pulumi.Input<string>;
         /**
-         * Type of hostname for Amazon EC2 instances. For IPv4 only subnets, an instance DNS name must be based on the instance IPv4 address. For IPv6 native subnets, an instance DNS name must be based on the instance ID. For dual-stack subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name` and `resource-name`.
+         * A message providing additional information about the state of the VPC Encryption Control.
          */
-        hostnameType?: pulumi.Input<string>;
+        stateMessage: pulumi.Input<string>;
     }
-    interface SpotInstanceRequestRootBlockDevice {
-        /**
-         * Whether the volume should be destroyed on instance termination. Defaults to `true`.
-         */
-        deleteOnTermination?: pulumi.Input<boolean>;
-        deviceName?: pulumi.Input<string>;
+    interface VpcEncryptionControlResourceExclusionsElasticFileSystem {
         /**
-         * Whether to enable volume encryption. Defaults to `false`. Must be configured to perform drift detection.
+         * The current state of the VPC Encryption Control.
          */
-        encrypted?: pulumi.Input<boolean>;
+        state: pulumi.Input<string>;
         /**
-         * Amount of provisioned [IOPS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html). Only valid for volumeType of `io1`, `io2` or `gp3`.
+         * A message providing additional information about the state of the VPC Encryption Control.
          */
-        iops?: pulumi.Input<number>;
+        stateMessage: pulumi.Input<string>;
+    }
+    interface VpcEncryptionControlResourceExclusionsInternetGateway {
         /**
-         * Amazon Resource Name (ARN) of the KMS Key to use when encrypting the volume. Must be configured to perform drift detection.
+         * The current state of the VPC Encryption Control.
          */
-        kmsKeyId?: pulumi.Input<string>;
+        state: pulumi.Input<string>;
         /**
-         * Map of tags to assign to the device.
+         * A message providing additional information about the state of the VPC Encryption Control.
          */
-        tags?: pulumi.Input<{
-            [key: string]: pulumi.Input<string>;
-        }>;
+        stateMessage: pulumi.Input<string>;
+    }
+    interface VpcEncryptionControlResourceExclusionsLambda {
         /**
-         * A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
+         * The current state of the VPC Encryption Control.
          */
-        tagsAll?: pulumi.Input<{
-            [key: string]: pulumi.Input<string>;
-        }>;
+        state: pulumi.Input<string>;
         /**
-         * Throughput to provision for a volume in mebibytes per second (MiB/s). This is only valid for `volumeType` of `gp3`.
+         * A message providing additional information about the state of the VPC Encryption Control.
          */
-        throughput?: pulumi.Input<number>;
-        volumeId?: pulumi.Input<string>;
+        stateMessage: pulumi.Input<string>;
+    }
+    interface VpcEncryptionControlResourceExclusionsNatGateway {
         /**
-         * Size of the volume in gibibytes (GiB).
+         * The current state of the VPC Encryption Control.
          */
-        volumeSize?: pulumi.Input<number>;
+        state: pulumi.Input<string>;
         /**
-         * Type of volume. Valid values include `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1`, or `st1`. Defaults to the volume type that the AMI uses.
-         *
-         * Modifying the `encrypted` or `kmsKeyId` settings of the `rootBlockDevice` requires resource replacement.
+         * A message providing additional information about the state of the VPC Encryption Control.
          */
-        volumeType?: pulumi.Input<string>;
+        stateMessage: pulumi.Input<string>;
     }
-    interface TrafficMirrorFilterRuleDestinationPortRange {
+    interface VpcEncryptionControlResourceExclusionsVirtualPrivateGateway {
         /**
-         * Starting port of the range
+         * The current state of the VPC Encryption Control.
          */
-        fromPort?: pulumi.Input<number>;
+        state: pulumi.Input<string>;
         /**
-         * Ending port of the range
+         * A message providing additional information about the state of the VPC Encryption Control.
          */
-        toPort?: pulumi.Input<number>;
+        stateMessage: pulumi.Input<string>;
     }
-    interface TrafficMirrorFilterRuleSourcePortRange {
+    interface VpcEncryptionControlResourceExclusionsVpcLattice {
         /**
-         * Starting port of the range
+         * The current state of the VPC Encryption Control.
          */
-        fromPort?: pulumi.Input<number>;
+        state: pulumi.Input<string>;
         /**
-         * Ending port of the range
+         * A message providing additional information about the state of the VPC Encryption Control.
          */
-        toPort?: pulumi.Input<number>;
+        stateMessage: pulumi.Input<string>;
     }
-    interface VpcBlockPublicAccessExclusionTimeouts {
+    interface VpcEncryptionControlResourceExclusionsVpcPeering {
         /**
-         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         * The current state of the VPC Encryption Control.
          */
-        create?: pulumi.Input<string>;
-        /**
-         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
-         */
-        delete?: pulumi.Input<string>;
+        state: pulumi.Input<string>;
         /**
-         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         * A message providing additional information about the state of the VPC Encryption Control.
          */
-        update?: pulumi.Input<string>;
+        stateMessage: pulumi.Input<string>;
     }
-    interface VpcBlockPublicAccessOptionsTimeouts {
+    interface VpcEncryptionControlTimeouts {
         /**
          * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
          */
@@ -28887,6 +29906,18 @@ export declare namespace ec2 {
         cloudwatchLogOptions?: pulumi.Input<inputs.ec2.VpnConnectionTunnel1LogOptionsCloudwatchLogOptions>;
     }
     interface VpnConnectionTunnel1LogOptionsCloudwatchLogOptions {
+        /**
+         * Enable or disable BGP logging feature. The default is `false`.
+         */
+        bgpLogEnabled?: pulumi.Input<boolean>;
+        /**
+         * The Amazon Resource Name (ARN) of the CloudWatch log group to send BGP logs to.
+         */
+        bgpLogGroupArn?: pulumi.Input<string>;
+        /**
+         * Set BGP log format. Default format is json. Possible values are: `json` and `text`. The default is `json`.
+         */
+        bgpLogOutputFormat?: pulumi.Input<string>;
         /**
          * Enable or disable VPN tunnel logging feature. The default is `false`.
          */
@@ -28907,6 +29938,18 @@ export declare namespace ec2 {
         cloudwatchLogOptions?: pulumi.Input<inputs.ec2.VpnConnectionTunnel2LogOptionsCloudwatchLogOptions>;
     }
     interface VpnConnectionTunnel2LogOptionsCloudwatchLogOptions {
+        /**
+         * Enable or disable BGP logging feature. The default is `false`.
+         */
+        bgpLogEnabled?: pulumi.Input<boolean>;
+        /**
+         * The Amazon Resource Name (ARN) of the CloudWatch log group to send BGP logs to.
+         */
+        bgpLogGroupArn?: pulumi.Input<string>;
+        /**
+         * Set BGP log format. Default format is json. Possible values are: `json` and `text`. The default is `json`.
+         */
+        bgpLogOutputFormat?: pulumi.Input<string>;
         /**
          * Enable or disable VPN tunnel logging feature. The default is `false`.
          */
@@ -29770,6 +30813,10 @@ export declare namespace ecs {
         targetCapacity?: pulumi.Input<number>;
     }
     interface CapacityProviderManagedInstancesProvider {
+        /**
+         * Defines how Amazon ECS Managed Instances optimizes the infrastructure in your capacity provider. Configure it to turn on or off the infrastructure optimization in your capacity provider, and to control the idle EC2 instances optimization delay.
+         */
+        infrastructureOptimization?: pulumi.Input<inputs.ecs.CapacityProviderManagedInstancesProviderInfrastructureOptimization>;
         /**
          * The Amazon Resource Name (ARN) of the infrastructure role that Amazon ECS uses to manage instances on your behalf. This role must have permissions to launch, terminate, and manage Amazon EC2 instances, as well as access to other AWS services required for Amazon ECS Managed Instances functionality. For more information, see [Amazon ECS infrastructure IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/infrastructure_IAM_role.html) in the Amazon ECS Developer Guide.
          */
@@ -29783,6 +30830,14 @@ export declare namespace ecs {
          */
         propagateTags?: pulumi.Input<string>;
     }
+    interface CapacityProviderManagedInstancesProviderInfrastructureOptimization {
+        /**
+         * This parameter defines the number of seconds Amazon ECS Managed Instances waits before optimizing EC2 instances that have become idle or underutilized. A longer delay increases the likelihood of placing new tasks on idle instances, reducing startup time. A shorter delay helps reduce infrastructure costs by optimizing idle instances more quickly. Valid values are:
+         * * Not set (null) - Uses the default optimization behavior.
+         * * `-1` - Disables automatic infrastructure optimization.
+         */
+        scaleInAfter?: pulumi.Input<number>;
+    }
     interface CapacityProviderManagedInstancesProviderInstanceLaunchTemplate {
         /**
          * The Amazon Resource Name (ARN) of the instance profile that Amazon ECS applies to Amazon ECS Managed Instances. This instance profile must include the necessary permissions for your tasks to access AWS services and resources. For more information, see [Amazon ECS instance profile for Managed Instances](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html) in the Amazon ECS Developer Guide.
@@ -30041,6 +31096,103 @@ export declare namespace ecs {
          */
         value: pulumi.Input<string>;
     }
+    interface ExpressGatewayServiceIngressPath {
+        accessType: pulumi.Input<string>;
+        endpoint: pulumi.Input<string>;
+    }
+    interface ExpressGatewayServiceNetworkConfiguration {
+        /**
+         * Security groups associated with the task. If not specified, the default security group for the VPC is used.
+         */
+        securityGroups: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Subnets associated with the task. At least 2 subnets must be specified when using network configuration. If not specified, default subnets will be used.
+         */
+        subnets: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface ExpressGatewayServicePrimaryContainer {
+        awsLogsConfigurations?: pulumi.Input<pulumi.Input<inputs.ecs.ExpressGatewayServicePrimaryContainerAwsLogsConfiguration>[]>;
+        /**
+         * Command to run in the container. Overrides the default command from the Docker image.
+         */
+        commands?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Port on which the container listens for connections.
+         */
+        containerPort?: pulumi.Input<number>;
+        environments?: pulumi.Input<pulumi.Input<inputs.ecs.ExpressGatewayServicePrimaryContainerEnvironment>[]>;
+        /**
+         * Docker image to use for the container.
+         */
+        image: pulumi.Input<string>;
+        repositoryCredentials?: pulumi.Input<inputs.ecs.ExpressGatewayServicePrimaryContainerRepositoryCredentials>;
+        secrets?: pulumi.Input<pulumi.Input<inputs.ecs.ExpressGatewayServicePrimaryContainerSecret>[]>;
+    }
+    interface ExpressGatewayServicePrimaryContainerAwsLogsConfiguration {
+        /**
+         * CloudWatch log group name.
+         */
+        logGroup: pulumi.Input<string>;
+        /**
+         * Prefix for log stream names. If not specified, a default prefix will be used.
+         */
+        logStreamPrefix: pulumi.Input<string>;
+    }
+    interface ExpressGatewayServicePrimaryContainerEnvironment {
+        /**
+         * Name of the environment variable.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * Value of the environment variable.
+         */
+        value: pulumi.Input<string>;
+    }
+    interface ExpressGatewayServicePrimaryContainerRepositoryCredentials {
+        /**
+         * ARN of the AWS Systems Manager parameter containing the repository credentials.
+         */
+        credentialsParameter: pulumi.Input<string>;
+    }
+    interface ExpressGatewayServicePrimaryContainerSecret {
+        name: pulumi.Input<string>;
+        /**
+         * ARN of the AWS Secrets Manager secret or AWS Systems Manager parameter containing the secret value.
+         */
+        valueFrom: pulumi.Input<string>;
+    }
+    interface ExpressGatewayServiceScalingTarget {
+        /**
+         * Metric to use for auto-scaling. Valid values are `CPU` and `MEMORY`.
+         */
+        autoScalingMetric: pulumi.Input<string>;
+        /**
+         * Target value for the auto-scaling metric (as a percentage). Defaults to `60`.
+         */
+        autoScalingTargetValue: pulumi.Input<number>;
+        /**
+         * Maximum number of tasks to run.
+         */
+        maxTaskCount: pulumi.Input<number>;
+        /**
+         * Minimum number of tasks to run.
+         */
+        minTaskCount: pulumi.Input<number>;
+    }
+    interface ExpressGatewayServiceTimeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        create?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+         */
+        delete?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        update?: pulumi.Input<string>;
+    }
     interface GetTaskExecutionCapacityProviderStrategy {
         /**
          * The number of tasks, at a minimum, to run on the specified capacity provider. Only one capacity provider in a capacity provider strategy can have a base defined. Defaults to `0`.
@@ -31063,6 +32215,85 @@ export declare namespace eks {
          */
         serviceAccount: pulumi.Input<string>;
     }
+    interface CapabilityConfiguration {
+        /**
+         * ArgoCD configuration. See `argoCd` below.
+         */
+        argoCd?: pulumi.Input<inputs.eks.CapabilityConfigurationArgoCd>;
+    }
+    interface CapabilityConfigurationArgoCd {
+        /**
+         * AWS IAM Identity Center configuration. See `awsIdc` below.
+         */
+        awsIdc?: pulumi.Input<inputs.eks.CapabilityConfigurationArgoCdAwsIdc>;
+        /**
+         * Kubernetes namespace for ArgoCD.
+         */
+        namespace?: pulumi.Input<string>;
+        /**
+         * Network access configuration. See `networkAccess` below.
+         */
+        networkAccess?: pulumi.Input<inputs.eks.CapabilityConfigurationArgoCdNetworkAccess>;
+        /**
+         * RBAC role mappings. See `rbacRoleMapping` below.
+         */
+        rbacRoleMappings?: pulumi.Input<pulumi.Input<inputs.eks.CapabilityConfigurationArgoCdRbacRoleMapping>[]>;
+        /**
+         * URL of the Argo CD server.
+         */
+        serverUrl?: pulumi.Input<string>;
+    }
+    interface CapabilityConfigurationArgoCdAwsIdc {
+        /**
+         * ARN of the IAM Identity Center instance.
+         */
+        idcInstanceArn: pulumi.Input<string>;
+        idcManagedApplicationArn?: pulumi.Input<string>;
+        /**
+         * Region of the IAM Identity Center instance.
+         */
+        idcRegion?: pulumi.Input<string>;
+    }
+    interface CapabilityConfigurationArgoCdNetworkAccess {
+        /**
+         * VPC Endpoint IDs.
+         */
+        vpceIds?: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface CapabilityConfigurationArgoCdRbacRoleMapping {
+        /**
+         * List of identities. See `identity` below.
+         */
+        identities?: pulumi.Input<pulumi.Input<inputs.eks.CapabilityConfigurationArgoCdRbacRoleMappingIdentity>[]>;
+        /**
+         * ArgoCD role. Valid values: `ADMIN`, `EDITOR`, `VIEWER`.
+         */
+        role: pulumi.Input<string>;
+    }
+    interface CapabilityConfigurationArgoCdRbacRoleMappingIdentity {
+        /**
+         * Identity ID.
+         */
+        id: pulumi.Input<string>;
+        /**
+         * Identity type. Valid values: `SSO_USER`, `SSO_GROUP`.
+         */
+        type: pulumi.Input<string>;
+    }
+    interface CapabilityTimeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        create?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+         */
+        delete?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        update?: pulumi.Input<string>;
+    }
     interface ClusterAccessConfig {
         /**
          * The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
@@ -31093,6 +32324,12 @@ export declare namespace eks {
          */
         nodeRoleArn?: pulumi.Input<string>;
     }
+    interface ClusterControlPlaneScalingConfig {
+        /**
+         * The control plane scaling tier. Valid values are `standard`, `tier-xl`, `tier-2xl`, or `tier-4xl`. Defaults to `standard`. For more information about each tier, see [EKS Provisioned Control Plane](https://docs.aws.amazon.com/eks/latest/userguide/eks-provisioned-control-plane-getting-started.html).
+         */
+        tier?: pulumi.Input<string>;
+    }
     interface ClusterEncryptionConfig {
         /**
          * Configuration block with provider for encryption. Detailed below.
@@ -33743,7 +34980,7 @@ export declare namespace fis {
     }
     interface ExperimentTemplateActionTarget {
         /**
-         * Target type. Valid values are `AutoScalingGroups` (EC2 Auto Scaling groups), `Buckets` (S3 Buckets), `Cluster` (EKS Cluster), `Clusters` (ECS Clusters), `DBInstances` (RDS DB Instances), `Instances` (EC2 Instances), `ManagedResources` (EKS clusters, Application and Network Load Balancers, and EC2 Auto Scaling groups that are enabled for ARC zonal shift), `Nodegroups` (EKS Node groups), `Pods` (EKS Pods), `ReplicationGroups`(ElastiCache Redis Replication Groups), `Roles` (IAM Roles), `SpotInstances` (EC2 Spot Instances), `Subnets` (VPC Subnets), `Tables` (DynamoDB encrypted global tables), `Tasks` (ECS Tasks), `TransitGateways` (Transit gateways), `Volumes` (EBS Volumes). See the [documentation](https://docs.aws.amazon.com/fis/latest/userguide/action-sequence.html#action-targets) for more details.
+         * Target type. Valid values are `AutoScalingGroups` (EC2 Auto Scaling groups), `Buckets` (S3 Buckets), `Cluster` (EKS Cluster), `Clusters` (ECS Clusters), `DBInstances` (RDS DB Instances), `Functions` (Lambda Functions), `Instances` (EC2 Instances), `ManagedResources` (EKS clusters, Application and Network Load Balancers, and EC2 Auto Scaling groups that are enabled for ARC zonal shift), `Nodegroups` (EKS Node groups), `Pods` (EKS Pods), `ReplicationGroups`(ElastiCache Redis Replication Groups), `Roles` (IAM Roles), `SpotInstances` (EC2 Spot Instances), `Subnets` (VPC Subnets), `Tables` (DynamoDB encrypted global tables), `Tasks` (ECS Tasks), `TransitGateways` (Transit gateways), `Volumes` (EBS Volumes). See the [documentation](https://docs.aws.amazon.com/fis/latest/userguide/action-sequence.html#action-targets) for more details.
          */
         key: pulumi.Input<string>;
         /**
@@ -33823,7 +35060,7 @@ export declare namespace fis {
     }
     interface ExperimentTemplateLogConfigurationCloudwatchLogsConfiguration {
         /**
-         * The Amazon Resource Name (ARN) of the destination Amazon CloudWatch Logs log group.
+         * The Amazon Resource Name (ARN) of the destination Amazon CloudWatch Logs log group. The ARN must end with `:*`
          */
         logGroupArn: pulumi.Input<string>;
     }
@@ -34569,6 +35806,16 @@ export declare namespace fsx {
          */
         mode?: pulumi.Input<string>;
     }
+    interface OpenZfsFileSystemReadCacheConfiguration {
+        /**
+         * Size of the file system's SSD read cache, in gibibytes (GiB). Required when `sizingMode` is set to `USER_PROVISIONED`. Must not be set when any other `sizingMode` is used.
+         */
+        size?: pulumi.Input<number>;
+        /**
+         * Specifies how the provisioned SSD read cache is sized. Valid values are `NO_CACHE`, `USER_PROVISIONED`, and `PROPORTIONAL_TO_THROUGHPUT_CAPACITY`. See the [AWS API documentation](https://docs.aws.amazon.com/fsx/latest/APIReference/API_OpenZFSReadCacheConfiguration.html) for more information.
+         */
+        sizingMode?: pulumi.Input<string>;
+    }
     interface OpenZfsFileSystemRootVolumeConfiguration {
         /**
          * A boolean flag indicating whether tags for the file system should be copied to snapshots. The default value is false.
@@ -43905,6 +45152,71 @@ export declare namespace lambda {
             [key: string]: pulumi.Input<number>;
         }>;
     }
+    interface CapacityProviderCapacityProviderScalingConfig {
+        maxVcpuCount: pulumi.Input<number>;
+        /**
+         * The scaling mode for the Capacity Provider. Valid values are `AUTO` and `MANUAL`. Defaults to `AUTO`.
+         */
+        scalingMode: pulumi.Input<string>;
+        /**
+         * List of scaling policies. See Scaling Policies below.
+         */
+        scalingPolicies: pulumi.Input<pulumi.Input<inputs.lambda.CapacityProviderCapacityProviderScalingConfigScalingPolicy>[]>;
+    }
+    interface CapacityProviderCapacityProviderScalingConfigScalingPolicy {
+        /**
+         * The predefined metric type for the scaling policy. Valid values are `LAMBDA_PROVISIONED_CONCURRENCY_UTILIZATION`.
+         */
+        predefinedMetricType: pulumi.Input<string>;
+        /**
+         * The target value for the scaling policy.
+         */
+        targetValue: pulumi.Input<number>;
+    }
+    interface CapacityProviderInstanceRequirement {
+        /**
+         * List of allowed instance types.
+         */
+        allowedInstanceTypes: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * List of CPU architectures. Valid values are `X86_64` and `ARM64`.
+         */
+        architectures: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * List of excluded instance types.
+         */
+        excludedInstanceTypes: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface CapacityProviderPermissionsConfig {
+        /**
+         * The ARN of the IAM role that allows Lambda to manage the Capacity Provider.
+         */
+        capacityProviderOperatorRoleArn: pulumi.Input<string>;
+    }
+    interface CapacityProviderTimeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        create?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+         */
+        delete?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        update?: pulumi.Input<string>;
+    }
+    interface CapacityProviderVpcConfig {
+        /**
+         * List of security group IDs for the VPC.
+         */
+        securityGroupIds: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * List of subnet IDs for the VPC.
+         */
+        subnetIds: pulumi.Input<pulumi.Input<string>[]>;
+    }
     interface CodeSigningConfigAllowedPublishers {
         /**
          * Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. Maximum of 20 signing profiles.
@@ -44083,12 +45395,42 @@ export declare namespace lambda {
          */
         uri: pulumi.Input<string>;
     }
+    interface FunctionCapacityProviderConfig {
+        /**
+         * Configuration block for Lambda Managed Instances Capacity Provider. See below.
+         */
+        lambdaManagedInstancesCapacityProviderConfig: pulumi.Input<inputs.lambda.FunctionCapacityProviderConfigLambdaManagedInstancesCapacityProviderConfig>;
+    }
+    interface FunctionCapacityProviderConfigLambdaManagedInstancesCapacityProviderConfig {
+        /**
+         * ARN of the Capacity Provider.
+         */
+        capacityProviderArn: pulumi.Input<string>;
+        /**
+         * Memory GiB per vCPU for the execution environment.
+         */
+        executionEnvironmentMemoryGibPerVcpu?: pulumi.Input<number>;
+        /**
+         * Maximum concurrency per execution environment.
+         */
+        perExecutionEnvironmentMaxConcurrency?: pulumi.Input<number>;
+    }
     interface FunctionDeadLetterConfig {
         /**
          * ARN of an SNS topic or SQS queue to notify when an invocation fails.
          */
         targetArn: pulumi.Input<string>;
     }
+    interface FunctionDurableConfig {
+        /**
+         * Maximum execution time in seconds for the durable function. Valid value between 1 and 31622400 (366 days).
+         */
+        executionTimeout: pulumi.Input<number>;
+        /**
+         * Number of days to retain the function's execution state. Valid value between 1 and 90. If not specified, the function's execution state is not retained. Defaults to 14.
+         */
+        retentionPeriod?: pulumi.Input<number>;
+    }
     interface FunctionEnvironment {
         /**
          * Map of environment variables available to your Lambda function during execution.
@@ -44177,6 +45519,12 @@ export declare namespace lambda {
          */
         optimizationStatus?: pulumi.Input<string>;
     }
+    interface FunctionTenancyConfig {
+        /**
+         * Tenant Isolation Mode. Valid values: `PER_TENANT`.
+         */
+        tenantIsolationMode: pulumi.Input<string>;
+    }
     interface FunctionTracingConfig {
         /**
          * X-Ray tracing mode. Valid values: `Active`, `PassThrough`.
@@ -44250,6 +45598,11 @@ export declare namespace lb {
          * Detailed below.
          */
         forwards?: inputs.lb.GetListenerRuleActionForward[];
+        /**
+         * An action to validate using JWT.
+         * Detailed below.
+         */
+        jwtValidations?: inputs.lb.GetListenerRuleActionJwtValidation[];
         /**
          * The evaluation order of the action.
          */
@@ -44285,6 +45638,11 @@ export declare namespace lb {
          * Detailed below.
          */
         forwards?: pulumi.Input<pulumi.Input<inputs.lb.GetListenerRuleActionForwardArgs>[]>;
+        /**
+         * An action to validate using JWT.
+         * Detailed below.
+         */
+        jwtValidations?: pulumi.Input<pulumi.Input<inputs.lb.GetListenerRuleActionJwtValidationArgs>[]>;
         /**
          * The evaluation order of the action.
          */
@@ -44390,7 +45748,7 @@ export declare namespace lb {
          */
         clientId?: string;
         /**
-         * OIDC issuer identifier of the IdP.
+         * Issuer of the JWT.
          */
         issuer?: string;
         /**
@@ -44435,7 +45793,7 @@ export declare namespace lb {
          */
         clientId?: pulumi.Input<string>;
         /**
-         * OIDC issuer identifier of the IdP.
+         * Issuer of the JWT.
          */
         issuer?: pulumi.Input<string>;
         /**
@@ -44557,6 +45915,62 @@ export declare namespace lb {
          */
         weight?: pulumi.Input<number>;
     }
+    interface GetListenerRuleActionJwtValidation {
+        /**
+         * Additional claims to validate.
+         */
+        additionalClaims?: inputs.lb.GetListenerRuleActionJwtValidationAdditionalClaim[];
+        /**
+         * Issuer of the JWT.
+         */
+        issuer?: string;
+        /**
+         * JSON Web Key Set (JWKS) endpoint.
+         */
+        jwksEndpoint?: string;
+    }
+    interface GetListenerRuleActionJwtValidationArgs {
+        /**
+         * Additional claims to validate.
+         */
+        additionalClaims?: pulumi.Input<pulumi.Input<inputs.lb.GetListenerRuleActionJwtValidationAdditionalClaimArgs>[]>;
+        /**
+         * Issuer of the JWT.
+         */
+        issuer?: pulumi.Input<string>;
+        /**
+         * JSON Web Key Set (JWKS) endpoint.
+         */
+        jwksEndpoint?: pulumi.Input<string>;
+    }
+    interface GetListenerRuleActionJwtValidationAdditionalClaim {
+        /**
+         * Format of the claim value.
+         */
+        format?: string;
+        /**
+         * Name of the claim to validate.
+         */
+        name?: string;
+        /**
+         * Set of `key`-`value` pairs indicating the query string parameters to match.
+         */
+        values?: string[];
+    }
+    interface GetListenerRuleActionJwtValidationAdditionalClaimArgs {
+        /**
+         * Format of the claim value.
+         */
+        format?: pulumi.Input<string>;
+        /**
+         * Name of the claim to validate.
+         */
+        name?: pulumi.Input<string>;
+        /**
+         * Set of `key`-`value` pairs indicating the query string parameters to match.
+         */
+        values?: pulumi.Input<pulumi.Input<string>[]>;
+    }
     interface GetListenerRuleActionRedirect {
         /**
          * The hostname.
@@ -44902,6 +46316,10 @@ export declare namespace lb {
          * Configuration block for creating an action that distributes requests among one or more target groups. Specify only if `type` is `forward`. See below.
          */
         forward?: pulumi.Input<inputs.lb.ListenerDefaultActionForward>;
+        /**
+         * Configuration block for creating a JWT validation action. Required if `type` is `jwt-validation`.
+         */
+        jwtValidation?: pulumi.Input<inputs.lb.ListenerDefaultActionJwtValidation>;
         /**
          * Order for the action. The action with the lowest value for order is performed first. Valid values are between `1` and `50000`. Defaults to the position in the list of actions.
          */
@@ -44915,7 +46333,7 @@ export declare namespace lb {
          */
         targetGroupArn?: pulumi.Input<string>;
         /**
-         * Type of routing action. Valid values are `forward`, `redirect`, `fixed-response`, `authenticate-cognito` and `authenticate-oidc`.
+         * Type of routing action. Valid values are `forward`, `redirect`, `fixed-response`, `authenticate-cognito`, `authenticate-oidc` and `jwt-validation`.
          *
          * The following arguments are optional:
          */
@@ -45061,6 +46479,36 @@ export declare namespace lb {
          */
         weight?: pulumi.Input<number>;
     }
+    interface ListenerDefaultActionJwtValidation {
+        /**
+         * Repeatable configuration block for additional claims to validate.
+         */
+        additionalClaims?: pulumi.Input<pulumi.Input<inputs.lb.ListenerDefaultActionJwtValidationAdditionalClaim>[]>;
+        /**
+         * Issuer of the JWT.
+         */
+        issuer: pulumi.Input<string>;
+        /**
+         * JSON Web Key Set (JWKS) endpoint. This endpoint contains JSON Web Keys (JWK) that are used to validate signatures from the provider. This must be a full URL, including the HTTPS protocol, the domain, and the path.
+         *
+         * The following arguments are optional:
+         */
+        jwksEndpoint: pulumi.Input<string>;
+    }
+    interface ListenerDefaultActionJwtValidationAdditionalClaim {
+        /**
+         * Format of the claim value. Valid values are `single-string`, `string-array` and `space-separated-values`.
+         */
+        format: pulumi.Input<string>;
+        /**
+         * Name of the claim to validate. `exp`, `iss`, `nbf`, or `iat` cannot be specified because they are validated by default.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * List of expected values of the claim.
+         */
+        values: pulumi.Input<pulumi.Input<string>[]>;
+    }
     interface ListenerDefaultActionRedirect {
         /**
          * Hostname. This component is not percent-encoded. The hostname can contain `#{host}`. Defaults to `#{host}`.
@@ -45127,6 +46575,10 @@ export declare namespace lb {
          * Cannot be specified with `targetGroupArn`.
          */
         forward?: pulumi.Input<inputs.lb.ListenerRuleActionForward>;
+        /**
+         * Information for creating a JWT validation action. Required if `type` is `jwt-validation`.
+         */
+        jwtValidation?: pulumi.Input<inputs.lb.ListenerRuleActionJwtValidation>;
         /**
          * Order for the action.
          * The action with the lowest value for order is performed first.
@@ -45146,7 +46598,7 @@ export declare namespace lb {
          */
         targetGroupArn?: pulumi.Input<string>;
         /**
-         * The type of routing action. Valid values are `forward`, `redirect`, `fixed-response`, `authenticate-cognito` and `authenticate-oidc`.
+         * The type of routing action. Valid values are `forward`, `redirect`, `fixed-response`, `authenticate-cognito`, `authenticate-oidc` and `jwt-validation`.
          */
         type: pulumi.Input<string>;
     }
@@ -45278,6 +46730,34 @@ export declare namespace lb {
          */
         weight?: pulumi.Input<number>;
     }
+    interface ListenerRuleActionJwtValidation {
+        /**
+         * Repeatable configuration block for additional claims to validate.
+         */
+        additionalClaims?: pulumi.Input<pulumi.Input<inputs.lb.ListenerRuleActionJwtValidationAdditionalClaim>[]>;
+        /**
+         * Issuer of the JWT.
+         */
+        issuer: pulumi.Input<string>;
+        /**
+         * JSON Web Key Set (JWKS) endpoint. This endpoint contains JSON Web Keys (JWK) that are used to validate signatures from the provider. This must be a full URL, including the HTTPS protocol, the domain, and the path.
+         */
+        jwksEndpoint: pulumi.Input<string>;
+    }
+    interface ListenerRuleActionJwtValidationAdditionalClaim {
+        /**
+         * Format of the claim value. Valid values are `single-string`, `string-array` and `space-separated-values`.
+         */
+        format: pulumi.Input<string>;
+        /**
+         * Name of the claim to validate. `exp`, `iss`, `nbf`, or `iat` cannot be specified because they are validated by default.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * List of expected values of the claim.
+         */
+        values: pulumi.Input<pulumi.Input<string>[]>;
+    }
     interface ListenerRuleActionRedirect {
         /**
          * The hostname. This component is not percent-encoded. The hostname can contain `#{host}`. Defaults to `#{host}`.
@@ -45456,6 +46936,20 @@ export declare namespace lb {
          */
         prefix?: pulumi.Input<string>;
     }
+    interface LoadBalancerHealthCheckLogs {
+        /**
+         * S3 bucket name to store the logs in.
+         */
+        bucket: pulumi.Input<string>;
+        /**
+         * Boolean to enable / disable `healthCheckLogs`. Defaults to `false`, even when `bucket` is specified.
+         */
+        enabled?: pulumi.Input<boolean>;
+        /**
+         * S3 bucket prefix. Logs are stored in the root if not configured.
+         */
+        prefix?: pulumi.Input<string>;
+    }
     interface LoadBalancerIpamPools {
         /**
          * The ID of the IPv4 IPAM pool.
@@ -61015,6 +62509,14 @@ export declare namespace msk {
          */
         enabledInBroker: pulumi.Input<boolean>;
     }
+    interface ClusterRebalancing {
+        /**
+         * The status of intelligent rebalancing. Valid values: `ACTIVE`, `PAUSED`. Default is `ACTIVE` for new Express-based clusters.
+         *
+         * > **NOTE:** Intelligent rebalancing is only available for MSK Provisioned clusters with Express brokers. When enabled, you cannot use third-party rebalancing tools such as Cruise Control. See [AWS MSK Intelligent Rebalancing](https://docs.aws.amazon.com/msk/latest/developerguide/intelligent-rebalancing.html) for more information.
+         */
+        status: pulumi.Input<string>;
+    }
     interface ReplicatorKafkaCluster {
         /**
          * Details of an Amazon MSK cluster.
@@ -62279,7 +63781,7 @@ export declare namespace networkflowmonitor {
          */
         identifier: pulumi.Input<string>;
         /**
-         * The type of the resource. Valid values are `AWS::EC2::VPC`, `AWS::EC2::Subnet`, `AWS::EC2::AvailabilityZone`, `AWS::EC2::Region`.
+         * The type of the resource. Valid values are `AWS::EC2::VPC`, `AWS::EC2::Subnet`, `AWS::EC2::AvailabilityZone`, `AWS::EC2::Region`, and `AWS::EKS::Cluster`.
          */
         type: pulumi.Input<string>;
     }
@@ -62289,7 +63791,7 @@ export declare namespace networkflowmonitor {
          */
         identifier: pulumi.Input<string>;
         /**
-         * The type of the resource. Valid values are `AWS::EC2::VPC`, `AWS::EC2::Subnet`, `AWS::EC2::AvailabilityZone`, `AWS::EC2::Region`.
+         * The type of the resource. Valid values are `AWS::EC2::VPC`, `AWS::EC2::Subnet`, `AWS::EC2::AvailabilityZone`, `AWS::EC2::Region`, and `AWS::EKS::Cluster`.
          */
         type: pulumi.Input<string>;
     }
@@ -63182,13 +64684,13 @@ export declare namespace odb {
         isHealthMonitoringEnabled: pulumi.Input<boolean>;
         isIncidentLogsEnabled: pulumi.Input<boolean>;
     }
-    interface CloudVmClusterIormConfigCach {
-        dbPlans: pulumi.Input<pulumi.Input<inputs.odb.CloudVmClusterIormConfigCachDbPlan>[]>;
+    interface CloudVmClusterIormConfigCache {
+        dbPlans: pulumi.Input<pulumi.Input<inputs.odb.CloudVmClusterIormConfigCacheDbPlan>[]>;
         lifecycleDetails: pulumi.Input<string>;
         lifecycleState: pulumi.Input<string>;
         objective: pulumi.Input<string>;
     }
-    interface CloudVmClusterIormConfigCachDbPlan {
+    interface CloudVmClusterIormConfigCacheDbPlan {
         dbName: pulumi.Input<string>;
         flashCacheLimit: pulumi.Input<string>;
         share: pulumi.Input<number>;
@@ -69237,6 +70739,14 @@ export declare namespace s3 {
          */
         prefix?: pulumi.Input<string>;
     }
+    interface BucketAbacAbacStatus {
+        /**
+         * ABAC status of the general purpose bucket.
+         * Valid values are `Enabled` and `Disabled`.
+         * By default, ABAC is disabled for all Amazon S3 general purpose buckets.
+         */
+        status: pulumi.Input<string>;
+    }
     interface BucketAclAccessControlPolicy {
         /**
          * Set of `grant` configuration blocks. See below.
@@ -70568,6 +72078,10 @@ export declare namespace s3 {
          * Single object for setting server-side encryption by default. See below.
          */
         applyServerSideEncryptionByDefault?: pulumi.Input<inputs.s3.BucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault>;
+        /**
+         * List of server-side encryption types to block for object uploads. Valid values are `SSE-C` (blocks uploads using server-side encryption with customer-provided keys) and `NONE` (unblocks all encryption types). Starting in March 2026, Amazon S3 will automatically block SSE-C uploads for all new buckets.
+         */
+        blockedEncryptionTypes?: pulumi.Input<pulumi.Input<string>[]>;
         /**
          * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS.
          */
@@ -70588,6 +72102,10 @@ export declare namespace s3 {
          * Single object for setting server-side encryption by default. See below.
          */
         applyServerSideEncryptionByDefault?: pulumi.Input<inputs.s3.BucketServerSideEncryptionConfigurationV2RuleApplyServerSideEncryptionByDefault>;
+        /**
+         * List of server-side encryption types to block for object uploads. Valid values are `SSE-C` (blocks uploads using server-side encryption with customer-provided keys) and `NONE` (unblocks all encryption types). Starting in March 2026, Amazon S3 will automatically block SSE-C uploads for all new buckets.
+         */
+        blockedEncryptionTypes?: pulumi.Input<pulumi.Input<string>[]>;
         /**
          * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS.
          */
@@ -71248,6 +72766,16 @@ export declare namespace s3 {
         Statement: pulumi.Input<pulumi.Input<inputs.iam.PolicyStatement>[]>;
         Version: pulumi.Input<enums.iam.PolicyDocumentVersion>;
     }
+    interface VectorsVectorBucketEncryptionConfiguration {
+        /**
+         * AWS KMS CMK ARN to use for the default encryption of the vector bucket. Allowed if and only if `sseType` is set to `aws:kms`.
+         */
+        kmsKeyArn: pulumi.Input<string>;
+        /**
+         * Server-side encryption type to use for the default encryption of the vector bucket. Valid values: `AES256`, `aws:kms`.
+         */
+        sseType: pulumi.Input<string>;
+    }
 }
 export declare namespace s3control {
     interface AccessGrantAccessGrantsLocationConfiguration {
@@ -71695,6 +73223,18 @@ export declare namespace s3tables {
          */
         unreferencedDays: pulumi.Input<number>;
     }
+    interface TableBucketReplicationRule {
+        /**
+         * Replication destination. See Destination below for more details.
+         */
+        destinations?: pulumi.Input<pulumi.Input<inputs.s3tables.TableBucketReplicationRuleDestination>[]>;
+    }
+    interface TableBucketReplicationRuleDestination {
+        /**
+         * ARN of destination table bucket to replicate source tables to.
+         */
+        destinationTableBucketArn: pulumi.Input<string>;
+    }
     interface TableEncryptionConfiguration {
         /**
          * The ARN of a KMS Key to be used with `aws:kms` `sseAlgorithm`
@@ -71795,6 +73335,18 @@ export declare namespace s3tables {
          */
         type: pulumi.Input<string>;
     }
+    interface TableReplicationRule {
+        /**
+         * Replication destination. See Destination below for more details.
+         */
+        destinations?: pulumi.Input<pulumi.Input<inputs.s3tables.TableReplicationRuleDestination>[]>;
+    }
+    interface TableReplicationRuleDestination {
+        /**
+         * ARN of destination table bucket to replicate source tables to.
+         */
+        destinationTableBucketArn: pulumi.Input<string>;
+    }
 }
 export declare namespace sagemaker {
     interface AppImageConfigCodeEditorAppImageConfig {
@@ -73757,18 +75309,21 @@ export declare namespace sagemaker {
     }
     interface ModelContainer {
         /**
-         * The DNS host name for the container.
+         * Additional data sources that are available to the model in addition to those specified in `modelDataSource`. See Additional Model Data Source.
+         */
+        additionalModelDataSources?: pulumi.Input<pulumi.Input<inputs.sagemaker.ModelContainerAdditionalModelDataSource>[]>;
+        /**
+         * DNS host name for the container.
          */
         containerHostname?: pulumi.Input<string>;
         /**
          * Environment variables for the Docker container.
-         * A list of key value pairs.
          */
         environment?: pulumi.Input<{
             [key: string]: pulumi.Input<string>;
         }>;
         /**
-         * The registry path where the inference code image is stored in Amazon ECR.
+         * Registry path where the inference code image is stored in Amazon ECR.
          */
         image?: pulumi.Input<string>;
         /**
@@ -73776,23 +75331,24 @@ export declare namespace sagemaker {
          */
         imageConfig?: pulumi.Input<inputs.sagemaker.ModelContainerImageConfig>;
         /**
-         * The inference specification name in the model package version.
+         * Inference specification name in the model package version.
          */
         inferenceSpecificationName?: pulumi.Input<string>;
         /**
-         * The container hosts value `SingleModel/MultiModel`. The default value is `SingleModel`.
+         * Container hosts value. Allowed values are: `SingleModel` and `MultiModel`. The default value is `SingleModel`.
          */
         mode?: pulumi.Input<string>;
         /**
-         * The location of model data to deploy. Use this for uncompressed model deployment. For information about how to deploy an uncompressed model, see [Deploying uncompressed models](https://docs.aws.amazon.com/sagemaker/latest/dg/large-model-inference-uncompressed.html) in the _AWS SageMaker AI Developer Guide_.
+         * Location of model data to deploy. Use this for uncompressed model deployment. For information about how to deploy an uncompressed model, see [Deploying uncompressed models](https://docs.aws.amazon.com/sagemaker/latest/dg/large-model-inference-uncompressed.html) in the _AWS SageMaker AI Developer Guide_.
          */
         modelDataSource?: pulumi.Input<inputs.sagemaker.ModelContainerModelDataSource>;
         /**
-         * The URL for the S3 location where model artifacts are stored.
+         * URL for the S3 location where model artifacts are stored.
          */
         modelDataUrl?: pulumi.Input<string>;
         /**
-         * The Amazon Resource Name (ARN) of the model package to use to create the model.
+         * Amazon Resource Name (ARN) of the model package to use to create the model.
+         * A list of key value pairs.
          */
         modelPackageName?: pulumi.Input<string>;
         /**
@@ -73800,6 +75356,40 @@ export declare namespace sagemaker {
          */
         multiModelConfig?: pulumi.Input<inputs.sagemaker.ModelContainerMultiModelConfig>;
     }
+    interface ModelContainerAdditionalModelDataSource {
+        /**
+         * Custom name for the additional model data source object. It will be stored in `/opt/ml/additional-model-data-sources/<channel_name>/`.
+         */
+        channelName: pulumi.Input<string>;
+        /**
+         * S3 location of model data to deploy. See S3 Data Source.
+         */
+        s3DataSources: pulumi.Input<pulumi.Input<inputs.sagemaker.ModelContainerAdditionalModelDataSourceS3DataSource>[]>;
+    }
+    interface ModelContainerAdditionalModelDataSourceS3DataSource {
+        /**
+         * How the model data is prepared. Allowed values are: `None` and `Gzip`.
+         */
+        compressionType: pulumi.Input<string>;
+        /**
+         * Specifies the access configuration file for the ML model. You can explicitly accept the model end-user license agreement (EULA) within the [`modelAccessConfig` configuration block]. See Model Access Config.
+         */
+        modelAccessConfig?: pulumi.Input<inputs.sagemaker.ModelContainerAdditionalModelDataSourceS3DataSourceModelAccessConfig>;
+        /**
+         * Type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`.
+         */
+        s3DataType: pulumi.Input<string>;
+        /**
+         * The S3 path of model data to deploy.
+         */
+        s3Uri: pulumi.Input<string>;
+    }
+    interface ModelContainerAdditionalModelDataSourceS3DataSourceModelAccessConfig {
+        /**
+         * Specifies agreement to the model end-user license agreement (EULA). The value must be set to `true` in order to accept the EULA that this model requires. You are responsible for reviewing and complying with any applicable license terms and making sure they are acceptable for your use case before downloading or using a model.
+         */
+        acceptEula: pulumi.Input<boolean>;
+    }
     interface ModelContainerImageConfig {
         /**
          * Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). Allowed values are: `Platform` and `Vpc`.
@@ -73812,13 +75402,13 @@ export declare namespace sagemaker {
     }
     interface ModelContainerImageConfigRepositoryAuthConfig {
         /**
-         * The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the _AWS Lambda Developer Guide_.
+         * Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the _AWS Lambda Developer Guide_.
          */
         repositoryCredentialsProviderArn: pulumi.Input<string>;
     }
     interface ModelContainerModelDataSource {
         /**
-         * The S3 location of model data to deploy.
+         * S3 location of model data to deploy. See S3 Data Source.
          */
         s3DataSources: pulumi.Input<pulumi.Input<inputs.sagemaker.ModelContainerModelDataSourceS3DataSource>[]>;
     }
@@ -73828,11 +75418,11 @@ export declare namespace sagemaker {
          */
         compressionType: pulumi.Input<string>;
         /**
-         * Specifies the access configuration file for the ML model. You can explicitly accept the model end-user license agreement (EULA) within the [`modelAccessConfig` configuration block]. see Model Access Config.
+         * Specifies the access configuration file for the ML model. You can explicitly accept the model end-user license agreement (EULA) within the [`modelAccessConfig` configuration block]. See Model Access Config.
          */
         modelAccessConfig?: pulumi.Input<inputs.sagemaker.ModelContainerModelDataSourceS3DataSourceModelAccessConfig>;
         /**
-         * The type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`.
+         * Type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`.
          */
         s3DataType: pulumi.Input<string>;
         /**
@@ -73842,7 +75432,7 @@ export declare namespace sagemaker {
     }
     interface ModelContainerModelDataSourceS3DataSourceModelAccessConfig {
         /**
-         * Specifies agreement to the model end-user license agreement (EULA). The AcceptEula value must be explicitly defined as `true` in order to accept the EULA that this model requires. You are responsible for reviewing and complying with any applicable license terms and making sure they are acceptable for your use case before downloading or using a model.
+         * Specifies agreement to the model end-user license agreement (EULA). The value must be set to `true` in order to accept the EULA that this model requires. You are responsible for reviewing and complying with any applicable license terms and making sure they are acceptable for your use case before downloading or using a model.
          */
         acceptEula: pulumi.Input<boolean>;
     }
@@ -73854,24 +75444,27 @@ export declare namespace sagemaker {
     }
     interface ModelInferenceExecutionConfig {
         /**
-         * The container hosts value `SingleModel/MultiModel`. The default value is `SingleModel`.
+         * How containers in a multi-container are run. Allowed values are: `Serial` and `Direct`.
          */
         mode: pulumi.Input<string>;
     }
     interface ModelPrimaryContainer {
         /**
-         * The DNS host name for the container.
+         * Additional data sources that are available to the model in addition to those specified in `modelDataSource`. See Additional Model Data Source.
+         */
+        additionalModelDataSources?: pulumi.Input<pulumi.Input<inputs.sagemaker.ModelPrimaryContainerAdditionalModelDataSource>[]>;
+        /**
+         * DNS host name for the container.
          */
         containerHostname?: pulumi.Input<string>;
         /**
          * Environment variables for the Docker container.
-         * A list of key value pairs.
          */
         environment?: pulumi.Input<{
             [key: string]: pulumi.Input<string>;
         }>;
         /**
-         * The registry path where the inference code image is stored in Amazon ECR.
+         * Registry path where the inference code image is stored in Amazon ECR.
          */
         image?: pulumi.Input<string>;
         /**
@@ -73879,23 +75472,21 @@ export declare namespace sagemaker {
          */
         imageConfig?: pulumi.Input<inputs.sagemaker.ModelPrimaryContainerImageConfig>;
         /**
-         * The inference specification name in the model package version.
+         * Inference specification name in the model package version.
          */
         inferenceSpecificationName?: pulumi.Input<string>;
-        /**
-         * The container hosts value `SingleModel/MultiModel`. The default value is `SingleModel`.
-         */
         mode?: pulumi.Input<string>;
         /**
-         * The location of model data to deploy. Use this for uncompressed model deployment. For information about how to deploy an uncompressed model, see [Deploying uncompressed models](https://docs.aws.amazon.com/sagemaker/latest/dg/large-model-inference-uncompressed.html) in the _AWS SageMaker AI Developer Guide_.
+         * Location of model data to deploy. Use this for uncompressed model deployment. For information about how to deploy an uncompressed model, see [Deploying uncompressed models](https://docs.aws.amazon.com/sagemaker/latest/dg/large-model-inference-uncompressed.html) in the _AWS SageMaker AI Developer Guide_.
          */
         modelDataSource?: pulumi.Input<inputs.sagemaker.ModelPrimaryContainerModelDataSource>;
         /**
-         * The URL for the S3 location where model artifacts are stored.
+         * URL for the S3 location where model artifacts are stored.
          */
         modelDataUrl?: pulumi.Input<string>;
         /**
-         * The Amazon Resource Name (ARN) of the model package to use to create the model.
+         * Amazon Resource Name (ARN) of the model package to use to create the model.
+         * A list of key value pairs.
          */
         modelPackageName?: pulumi.Input<string>;
         /**
@@ -73903,6 +75494,40 @@ export declare namespace sagemaker {
          */
         multiModelConfig?: pulumi.Input<inputs.sagemaker.ModelPrimaryContainerMultiModelConfig>;
     }
+    interface ModelPrimaryContainerAdditionalModelDataSource {
+        /**
+         * Custom name for the additional model data source object. It will be stored in `/opt/ml/additional-model-data-sources/<channel_name>/`.
+         */
+        channelName: pulumi.Input<string>;
+        /**
+         * S3 location of model data to deploy. See S3 Data Source.
+         */
+        s3DataSources: pulumi.Input<pulumi.Input<inputs.sagemaker.ModelPrimaryContainerAdditionalModelDataSourceS3DataSource>[]>;
+    }
+    interface ModelPrimaryContainerAdditionalModelDataSourceS3DataSource {
+        /**
+         * How the model data is prepared. Allowed values are: `None` and `Gzip`.
+         */
+        compressionType: pulumi.Input<string>;
+        /**
+         * Specifies the access configuration file for the ML model. You can explicitly accept the model end-user license agreement (EULA) within the [`modelAccessConfig` configuration block]. See Model Access Config.
+         */
+        modelAccessConfig?: pulumi.Input<inputs.sagemaker.ModelPrimaryContainerAdditionalModelDataSourceS3DataSourceModelAccessConfig>;
+        /**
+         * Type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`.
+         */
+        s3DataType: pulumi.Input<string>;
+        /**
+         * The S3 path of model data to deploy.
+         */
+        s3Uri: pulumi.Input<string>;
+    }
+    interface ModelPrimaryContainerAdditionalModelDataSourceS3DataSourceModelAccessConfig {
+        /**
+         * Specifies agreement to the model end-user license agreement (EULA). The value must be set to `true` in order to accept the EULA that this model requires. You are responsible for reviewing and complying with any applicable license terms and making sure they are acceptable for your use case before downloading or using a model.
+         */
+        acceptEula: pulumi.Input<boolean>;
+    }
     interface ModelPrimaryContainerImageConfig {
         /**
          * Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). Allowed values are: `Platform` and `Vpc`.
@@ -73915,13 +75540,13 @@ export declare namespace sagemaker {
     }
     interface ModelPrimaryContainerImageConfigRepositoryAuthConfig {
         /**
-         * The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the _AWS Lambda Developer Guide_.
+         * Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the _AWS Lambda Developer Guide_.
          */
         repositoryCredentialsProviderArn: pulumi.Input<string>;
     }
     interface ModelPrimaryContainerModelDataSource {
         /**
-         * The S3 location of model data to deploy.
+         * S3 location of model data to deploy. See S3 Data Source.
          */
         s3DataSources: pulumi.Input<pulumi.Input<inputs.sagemaker.ModelPrimaryContainerModelDataSourceS3DataSource>[]>;
     }
@@ -73931,11 +75556,11 @@ export declare namespace sagemaker {
          */
         compressionType: pulumi.Input<string>;
         /**
-         * Specifies the access configuration file for the ML model. You can explicitly accept the model end-user license agreement (EULA) within the [`modelAccessConfig` configuration block]. see Model Access Config.
+         * Specifies the access configuration file for the ML model. You can explicitly accept the model end-user license agreement (EULA) within the [`modelAccessConfig` configuration block]. See Model Access Config.
          */
         modelAccessConfig?: pulumi.Input<inputs.sagemaker.ModelPrimaryContainerModelDataSourceS3DataSourceModelAccessConfig>;
         /**
-         * The type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`.
+         * Type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`.
          */
         s3DataType: pulumi.Input<string>;
         /**
@@ -73945,7 +75570,7 @@ export declare namespace sagemaker {
     }
     interface ModelPrimaryContainerModelDataSourceS3DataSourceModelAccessConfig {
         /**
-         * Specifies agreement to the model end-user license agreement (EULA). The AcceptEula value must be explicitly defined as `true` in order to accept the EULA that this model requires. You are responsible for reviewing and complying with any applicable license terms and making sure they are acceptable for your use case before downloading or using a model.
+         * Specifies agreement to the model end-user license agreement (EULA). The value must be set to `true` in order to accept the EULA that this model requires. You are responsible for reviewing and complying with any applicable license terms and making sure they are acceptable for your use case before downloading or using a model.
          */
         acceptEula: pulumi.Input<boolean>;
     }
@@ -73956,7 +75581,13 @@ export declare namespace sagemaker {
         modelCacheSetting?: pulumi.Input<string>;
     }
     interface ModelVpcConfig {
+        /**
+         * List of security group IDs you want to be applied to your training job or model. Specify the security groups for the VPC that is specified in the Subnets field.
+         */
         securityGroupIds: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * List of subnet IDs in the VPC to which you want to connect your training job or model.
+         */
         subnets: pulumi.Input<pulumi.Input<string>[]>;
     }
     interface MonitoringScheduleMonitoringScheduleConfig {
@@ -79643,6 +81274,22 @@ export declare namespace transfer {
          */
         signingAlgorithm: pulumi.Input<string>;
     }
+    interface ConnectorEgressConfig {
+        /**
+         * VPC Lattice configuration for routing connector traffic through customer VPCs. Fields documented below.
+         */
+        vpcLattice?: pulumi.Input<inputs.transfer.ConnectorEgressConfigVpcLattice>;
+    }
+    interface ConnectorEgressConfigVpcLattice {
+        /**
+         * Port number for connecting to the SFTP server through VPC Lattice. Defaults to 22 if not specified. Must match the port on which the target SFTP server is listening. Valid values are between 1 and 65535.
+         */
+        portNumber?: pulumi.Input<number>;
+        /**
+         * ARN of the VPC Lattice Resource Configuration that defines the target SFTP server location. Must point to a valid Resource Configuration in a VPC with appropriate network connectivity to the SFTP server.
+         */
+        resourceConfigurationArn: pulumi.Input<string>;
+    }
     interface ConnectorSftpConfig {
         /**
          * A list of public portion of the host key, or keys, that are used to authenticate the user to the external server to which you are connecting.(https://docs.aws.amazon.com/transfer/latest/userguide/API_SftpConnectorConfig.html)