@pulumi/aws 7.16.0-alpha.1767399337 → 7.16.0-alpha.1767972859

package/types/input.d.ts

@@ -8281,6 +8281,14 @@ export declare namespace athena {
          * Integer for the upper data usage limit (cutoff) for the amount of bytes a single query in a workgroup is allowed to scan. Must be at least `10485760`.
          */
         bytesScannedCutoffPerQuery?: pulumi.Input<number>;
+        /**
+         * Configuration block to specify the KMS key that is used to encrypt the user's data stores in Athena. This setting applies to the PySpark engine for Athena notebooks. See Customer Content Encryption Configuration below.
+         */
+        customerContentEncryptionConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationCustomerContentEncryptionConfiguration>;
+        /**
+         * Boolean indicating whether a minimum level of encryption is enforced for the workgroup for query and calculation results written to Amazon S3.
+         */
+        enableMinimumEncryptionConfiguration?: pulumi.Input<boolean>;
         /**
          * Boolean whether the settings for the workgroup override client-side settings. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html). Defaults to `true`.
          */
@@ -8301,6 +8309,10 @@ export declare namespace athena {
          * Configuration block for storing results in Athena owned storage. See Managed Query Results Configuration below.
          */
         managedQueryResultsConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationManagedQueryResultsConfiguration>;
+        /**
+         * Configuration block for managed log persistence, delivering logs to Amazon S3 buckets, Amazon CloudWatch log groups etc. Only applicable to Apache Spark engine. See Monitoring Configuration below.
+         */
+        monitoringConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationMonitoringConfiguration>;
         /**
          * Boolean whether Amazon CloudWatch metrics are enabled for the workgroup. Defaults to `true`.
          */
@@ -8314,6 +8326,9 @@ export declare namespace athena {
          */
         resultConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationResultConfiguration>;
     }
+    interface WorkgroupConfigurationCustomerContentEncryptionConfiguration {
+        kmsKey?: pulumi.Input<string>;
+    }
     interface WorkgroupConfigurationEngineVersion {
         /**
          * The engine version on which the query runs. If `selectedEngineVersion` is set to `AUTO`, the effective engine version is chosen by Athena.
@@ -8345,10 +8360,67 @@ export declare namespace athena {
         encryptionConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationManagedQueryResultsConfigurationEncryptionConfiguration>;
     }
     interface WorkgroupConfigurationManagedQueryResultsConfigurationEncryptionConfiguration {
+        kmsKey?: pulumi.Input<string>;
+    }
+    interface WorkgroupConfigurationMonitoringConfiguration {
+        /**
+         * Configuration block for delivering logs to Amazon CloudWatch log groups. See CloudWatch Logging Configuration below.
+         */
+        cloudWatchLoggingConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationMonitoringConfigurationCloudWatchLoggingConfiguration>;
+        /**
+         * Configuration block for managed log persistence. See Managed Logging Configuration below.
+         */
+        managedLoggingConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationMonitoringConfigurationManagedLoggingConfiguration>;
+        /**
+         * Configuration block for delivering logs to Amazon S3 buckets. See S3 Logging Configuration below.
+         */
+        s3LoggingConfiguration?: pulumi.Input<inputs.athena.WorkgroupConfigurationMonitoringConfigurationS3LoggingConfiguration>;
+    }
+    interface WorkgroupConfigurationMonitoringConfigurationCloudWatchLoggingConfiguration {
+        enabled: pulumi.Input<boolean>;
+        /**
+         * Name of the log group in Amazon CloudWatch Logs where you want to publish your logs.
+         */
+        logGroup?: pulumi.Input<string>;
+        /**
+         * Prefix for the CloudWatch log stream name.
+         */
+        logStreamNamePrefix?: pulumi.Input<string>;
+        /**
+         * Repeatable block defining log types to be delivered to CloudWatch.
+         */
+        logTypes?: pulumi.Input<pulumi.Input<inputs.athena.WorkgroupConfigurationMonitoringConfigurationCloudWatchLoggingConfigurationLogType>[]>;
+    }
+    interface WorkgroupConfigurationMonitoringConfigurationCloudWatchLoggingConfigurationLogType {
+        /**
+         * Type of worker to deliver logs to CloudWatch (for example, `SPARK_DRIVER` and `SPARK_EXECUTOR`).
+         */
+        key: pulumi.Input<string>;
+        /**
+         * List of log types to be delivered to CloudWatch (for example, `STDOUT` and `STDERR`).
+         */
+        values: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface WorkgroupConfigurationMonitoringConfigurationManagedLoggingConfiguration {
+        /**
+         * Boolean whether managed log persistence is enabled for the workgroup.
+         */
+        enabled: pulumi.Input<boolean>;
+        kmsKey?: pulumi.Input<string>;
+    }
+    interface WorkgroupConfigurationMonitoringConfigurationS3LoggingConfiguration {
+        /**
+         * Boolean whether Amazon S3 logging is enabled for the workgroup.
+         */
+        enabled: pulumi.Input<boolean>;
         /**
-         * KMS key ARN for encrypting managed query results.
+         * KMS key ARN to encrypt the logs published to the given Amazon S3 destination.
          */
         kmsKey?: pulumi.Input<string>;
+        /**
+         * Amazon S3 destination URI (`s3://bucket/prefix`) for log publishing.
+         */
+        logLocation?: pulumi.Input<string>;
     }
     interface WorkgroupConfigurationResultConfiguration {
         /**
@@ -15397,6 +15469,40 @@ export declare namespace cloudfront {
          */
         items?: pulumi.Input<pulumi.Input<string>[]>;
     }
+    interface ConnectionFunctionConnectionFunctionConfig {
+        /**
+         * Comment to describe the function.
+         */
+        comment: pulumi.Input<string>;
+        /**
+         * Key value store associations. See `keyValueStoreAssociation` below.
+         */
+        keyValueStoreAssociation?: pulumi.Input<inputs.cloudfront.ConnectionFunctionConnectionFunctionConfigKeyValueStoreAssociation>;
+        /**
+         * Runtime environment for the function. Valid values are `cloudfront-js-1.0` and `cloudfront-js-2.0`.
+         */
+        runtime: pulumi.Input<string>;
+    }
+    interface ConnectionFunctionConnectionFunctionConfigKeyValueStoreAssociation {
+        /**
+         * ARN of the key value store.
+         */
+        keyValueStoreArn: pulumi.Input<string>;
+    }
+    interface ConnectionGroupTimeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Default is 90 minutes.
+         */
+        create?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Default is 90 minutes.
+         */
+        delete?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Default is 90 minutes.
+         */
+        update?: pulumi.Input<string>;
+    }
     interface ContinuousDeploymentPolicyStagingDistributionDnsNames {
         /**
          * A list of CloudFront domain names for the staging distribution.
@@ -15451,6 +15557,12 @@ export declare namespace cloudfront {
          */
         maximumTtl: pulumi.Input<number>;
     }
+    interface DistributionConnectionFunctionAssociation {
+        /**
+         * Identifier for the distribution. For example: `EDFDVBD632BHDS5`.
+         */
+        id: pulumi.Input<string>;
+    }
     interface DistributionCustomErrorResponse {
         /**
          * Minimum amount of time you want HTTP error codes to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.
@@ -15881,6 +15993,10 @@ export declare namespace cloudfront {
     interface DistributionOriginVpcOriginConfig {
         originKeepaliveTimeout?: pulumi.Input<number>;
         originReadTimeout?: pulumi.Input<number>;
+        /**
+         * The AWS account ID that owns the VPC origin. Required when referencing a VPC origin from a different AWS account for cross-account VPC origin access.
+         */
+        ownerAccountId?: pulumi.Input<string>;
         /**
          * The VPC origin ID.
          */
@@ -15899,6 +16015,94 @@ export declare namespace cloudfront {
          */
         restrictionType: pulumi.Input<string>;
     }
+    interface DistributionTenantCustomizations {
+        /**
+         * Certificate configuration for the tenant (maximum one).
+         */
+        certificate?: pulumi.Input<inputs.cloudfront.DistributionTenantCustomizationsCertificate>;
+        /**
+         * Geographic restrictions configuration for the tenant (maximum one).
+         */
+        geoRestriction?: pulumi.Input<inputs.cloudfront.DistributionTenantCustomizationsGeoRestriction>;
+        /**
+         * Web ACL configuration for the tenant (maximum one).
+         */
+        webAcl?: pulumi.Input<inputs.cloudfront.DistributionTenantCustomizationsWebAcl>;
+    }
+    interface DistributionTenantCustomizationsCertificate {
+        /**
+         * ARN of the distribution tenant.
+         */
+        arn?: pulumi.Input<string>;
+    }
+    interface DistributionTenantCustomizationsGeoRestriction {
+        /**
+         * Set of ISO 3166-1-alpha-2 country codes for the restriction. Required if `restrictionType` is `whitelist` or `blacklist`.
+         */
+        locations?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Method to restrict distribution by country: `none`, `whitelist`, or `blacklist`.
+         */
+        restrictionType?: pulumi.Input<string>;
+    }
+    interface DistributionTenantCustomizationsWebAcl {
+        /**
+         * Action to take for the web ACL. Valid values: `allow`, `block`.
+         */
+        action?: pulumi.Input<string>;
+        /**
+         * ARN of the distribution tenant.
+         */
+        arn?: pulumi.Input<string>;
+    }
+    interface DistributionTenantDomain {
+        /**
+         * Set of domains associated with the distribution tenant.
+         */
+        domain: pulumi.Input<string>;
+        /**
+         * Current status of the distribution tenant.
+         */
+        status?: pulumi.Input<string>;
+    }
+    interface DistributionTenantManagedCertificateRequest {
+        /**
+         * Certificate transparency logging preference. Valid values: `enabled`, `disabled`.
+         */
+        certificateTransparencyLoggingPreference?: pulumi.Input<string>;
+        /**
+         * Primary domain name for the certificate.
+         */
+        primaryDomainName?: pulumi.Input<string>;
+        /**
+         * Host for validation token. Valid values: `cloudfront`, `domain`.
+         */
+        validationTokenHost?: pulumi.Input<string>;
+    }
+    interface DistributionTenantParameter {
+        /**
+         * Name of the distribution tenant.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * Value of the parameter.
+         */
+        value: pulumi.Input<string>;
+    }
+    interface DistributionTenantTimeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        create?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+         */
+        delete?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        update?: pulumi.Input<string>;
+    }
     interface DistributionTrustedKeyGroup {
         /**
          * Whether the distribution is enabled to accept end user requests for content.
@@ -15961,6 +16165,30 @@ export declare namespace cloudfront {
          */
         sslSupportMethod?: pulumi.Input<string>;
     }
+    interface DistributionViewerMtlsConfig {
+        /**
+         * The mode for viewer mTLS. Valid values: `required`, `optional`.
+         */
+        mode?: pulumi.Input<string>;
+        /**
+         * The trust store configuration for viewer mTLS (maximum one).
+         */
+        trustStoreConfig?: pulumi.Input<inputs.cloudfront.DistributionViewerMtlsConfigTrustStoreConfig>;
+    }
+    interface DistributionViewerMtlsConfigTrustStoreConfig {
+        /**
+         * Whether to advertise the trust store CA names to clients. Defaults to `false`.
+         */
+        advertiseTrustStoreCaNames?: pulumi.Input<boolean>;
+        /**
+         * Whether to ignore certificate expiry for viewer mTLS. Defaults to `false`.
+         */
+        ignoreCertificateExpiry?: pulumi.Input<boolean>;
+        /**
+         * Identifier of the trust store to use for viewer mTLS.
+         */
+        trustStoreId: pulumi.Input<string>;
+    }
     interface FieldLevelEncryptionConfigContentTypeProfileConfig {
         /**
          * Object that contains an attribute `items` that contains the list of configurations for a field-level encryption content type-profile. See Content Type Profile.
@@ -16053,6 +16281,441 @@ export declare namespace cloudfront {
          */
         realtimeMetricsSubscriptionStatus: pulumi.Input<string>;
     }
+    interface MultitenantDistributionActiveTrustedKeyGroup {
+        /**
+         * Whether any of the key groups have public keys that CloudFront can use to verify the signatures of signed URLs and signed cookies.
+         */
+        enabled?: pulumi.Input<boolean>;
+        /**
+         * List of key groups. See Key Group Items below.
+         */
+        items?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionActiveTrustedKeyGroupItem>[]>;
+    }
+    interface MultitenantDistributionActiveTrustedKeyGroupItem {
+        /**
+         * ID of the key group that contains the public keys.
+         */
+        keyGroupId?: pulumi.Input<string>;
+        /**
+         * Set of active CloudFront key pairs associated with the signer that can be used to verify the signatures of signed URLs and signed cookies.
+         */
+        keyPairIds?: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface MultitenantDistributionCacheBehavior {
+        /**
+         * Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin.
+         */
+        allowedMethods?: pulumi.Input<inputs.cloudfront.MultitenantDistributionCacheBehaviorAllowedMethods>;
+        /**
+         * Unique identifier of the cache policy that is attached to the cache behavior.
+         */
+        cachePolicyId?: pulumi.Input<string>;
+        /**
+         * Whether you want CloudFront to automatically compress content for web requests that include `Accept-Encoding: gzip` in the request header. Default: `false`.
+         */
+        compress?: pulumi.Input<boolean>;
+        /**
+         * Field level encryption configuration ID.
+         */
+        fieldLevelEncryptionId?: pulumi.Input<string>;
+        /**
+         * Configuration block for CloudFront Functions associations. See Function Association below.
+         */
+        functionAssociations?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionCacheBehaviorFunctionAssociation>[]>;
+        /**
+         * Configuration block for Lambda@Edge associations. See Lambda Function Association below.
+         */
+        lambdaFunctionAssociations?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionCacheBehaviorLambdaFunctionAssociation>[]>;
+        /**
+         * Unique identifier of the origin request policy that is attached to the behavior.
+         */
+        originRequestPolicyId?: pulumi.Input<string>;
+        /**
+         * Pattern that specifies which requests you want this cache behavior to apply to.
+         */
+        pathPattern: pulumi.Input<string>;
+        /**
+         * ARN of the real-time log configuration that is attached to this cache behavior.
+         */
+        realtimeLogConfigArn?: pulumi.Input<string>;
+        /**
+         * Identifier for a response headers policy.
+         */
+        responseHeadersPolicyId?: pulumi.Input<string>;
+        /**
+         * Value of ID for the origin that you want CloudFront to route requests to when a request matches the path pattern either for a cache behavior or for the default cache behavior.
+         */
+        targetOriginId: pulumi.Input<string>;
+        /**
+         * List of key group IDs that CloudFront can use to validate signed URLs or signed cookies.
+         */
+        trustedKeyGroups?: pulumi.Input<inputs.cloudfront.MultitenantDistributionCacheBehaviorTrustedKeyGroups>;
+        /**
+         * Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of `allow-all`, `https-only`, or `redirect-to-https`.
+         */
+        viewerProtocolPolicy: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionCacheBehaviorAllowedMethods {
+        /**
+         * Controls whether CloudFront caches the response to requests using the specified HTTP methods.
+         */
+        cachedMethods: pulumi.Input<pulumi.Input<string>[]>;
+        items: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface MultitenantDistributionCacheBehaviorFunctionAssociation {
+        /**
+         * Specific event to trigger this function. Valid values: `viewer-request`, `origin-request`, `viewer-response`, `origin-response`.
+         */
+        eventType: pulumi.Input<string>;
+        /**
+         * ARN of the CloudFront function.
+         */
+        functionArn: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionCacheBehaviorLambdaFunctionAssociation {
+        /**
+         * Specific event to trigger this function. Valid values: `viewer-request`, `origin-request`, `viewer-response`, `origin-response`.
+         */
+        eventType: pulumi.Input<string>;
+        /**
+         * When set to true, the request body is exposed to the Lambda function. Default: `false`.
+         */
+        includeBody?: pulumi.Input<boolean>;
+        /**
+         * ARN of the Lambda function.
+         */
+        lambdaFunctionArn: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionCacheBehaviorTrustedKeyGroups {
+        /**
+         * Whether the distribution is enabled to accept end user requests for content.
+         */
+        enabled?: pulumi.Input<boolean>;
+        items?: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface MultitenantDistributionCustomErrorResponse {
+        /**
+         * Minimum amount of time that you want CloudFront to cache the HTTP status code specified in ErrorCode.
+         */
+        errorCachingMinTtl?: pulumi.Input<number>;
+        /**
+         * HTTP status code for which you want to specify a custom error page and/or a caching duration.
+         */
+        errorCode: pulumi.Input<number>;
+        /**
+         * HTTP status code that you want CloudFront to return to the viewer along with the custom error page.
+         */
+        responseCode?: pulumi.Input<string>;
+        /**
+         * Path to the custom error page that you want CloudFront to return to a viewer when your origin returns the HTTP status code specified by ErrorCode.
+         */
+        responsePagePath?: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionDefaultCacheBehavior {
+        /**
+         * Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin.
+         */
+        allowedMethods?: pulumi.Input<inputs.cloudfront.MultitenantDistributionDefaultCacheBehaviorAllowedMethods>;
+        /**
+         * Unique identifier of the cache policy that is attached to the cache behavior.
+         */
+        cachePolicyId?: pulumi.Input<string>;
+        /**
+         * Whether you want CloudFront to automatically compress content for web requests that include `Accept-Encoding: gzip` in the request header. Default: `false`.
+         */
+        compress?: pulumi.Input<boolean>;
+        /**
+         * Field level encryption configuration ID.
+         */
+        fieldLevelEncryptionId?: pulumi.Input<string>;
+        /**
+         * Configuration block for CloudFront Functions associations. See Function Association below.
+         */
+        functionAssociations?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionDefaultCacheBehaviorFunctionAssociation>[]>;
+        /**
+         * Configuration block for Lambda@Edge associations. See Lambda Function Association below.
+         */
+        lambdaFunctionAssociations?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionDefaultCacheBehaviorLambdaFunctionAssociation>[]>;
+        /**
+         * Unique identifier of the origin request policy that is attached to the behavior.
+         */
+        originRequestPolicyId?: pulumi.Input<string>;
+        /**
+         * ARN of the real-time log configuration that is attached to this cache behavior.
+         */
+        realtimeLogConfigArn?: pulumi.Input<string>;
+        /**
+         * Identifier for a response headers policy.
+         */
+        responseHeadersPolicyId?: pulumi.Input<string>;
+        /**
+         * Value of ID for the origin that you want CloudFront to route requests to when a request matches the path pattern either for a cache behavior or for the default cache behavior.
+         */
+        targetOriginId: pulumi.Input<string>;
+        /**
+         * List of key group IDs that CloudFront can use to validate signed URLs or signed cookies.
+         */
+        trustedKeyGroups?: pulumi.Input<inputs.cloudfront.MultitenantDistributionDefaultCacheBehaviorTrustedKeyGroups>;
+        /**
+         * Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of `allow-all`, `https-only`, or `redirect-to-https`.
+         */
+        viewerProtocolPolicy: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionDefaultCacheBehaviorAllowedMethods {
+        /**
+         * Controls whether CloudFront caches the response to requests using the specified HTTP methods.
+         */
+        cachedMethods: pulumi.Input<pulumi.Input<string>[]>;
+        items: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface MultitenantDistributionDefaultCacheBehaviorFunctionAssociation {
+        /**
+         * Specific event to trigger this function. Valid values: `viewer-request`, `origin-request`, `viewer-response`, `origin-response`.
+         */
+        eventType: pulumi.Input<string>;
+        /**
+         * ARN of the CloudFront function.
+         */
+        functionArn: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionDefaultCacheBehaviorLambdaFunctionAssociation {
+        /**
+         * Specific event to trigger this function. Valid values: `viewer-request`, `origin-request`, `viewer-response`, `origin-response`.
+         */
+        eventType: pulumi.Input<string>;
+        /**
+         * When set to true, the request body is exposed to the Lambda function. Default: `false`.
+         */
+        includeBody?: pulumi.Input<boolean>;
+        /**
+         * ARN of the Lambda function.
+         */
+        lambdaFunctionArn: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionDefaultCacheBehaviorTrustedKeyGroups {
+        /**
+         * Whether the distribution is enabled to accept end user requests for content.
+         */
+        enabled?: pulumi.Input<boolean>;
+        items?: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface MultitenantDistributionOrigin {
+        /**
+         * Number of times that CloudFront attempts to connect to the origin. Must be between 1-3. Default: 3.
+         */
+        connectionAttempts?: pulumi.Input<number>;
+        /**
+         * Number of seconds that CloudFront waits when trying to establish a connection to the origin. Must be between 1-10. Default: 10.
+         */
+        connectionTimeout?: pulumi.Input<number>;
+        /**
+         * One or more sub-resources with `name` and `value` parameters that specify header data that will be sent to the origin. See Custom Header below.
+         */
+        customHeaders?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionOriginCustomHeader>[]>;
+        /**
+         * CloudFront origin access identity to associate with the origin. See Custom Origin Config below.
+         */
+        customOriginConfigs?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionOriginCustomOriginConfig>[]>;
+        /**
+         * DNS domain name of either the S3 bucket, or web site of your custom origin.
+         */
+        domainName: pulumi.Input<string>;
+        /**
+         * Identifier for the distribution.
+         */
+        id: pulumi.Input<string>;
+        /**
+         * CloudFront origin access control identifier to associate with the origin.
+         */
+        originAccessControlId?: pulumi.Input<string>;
+        /**
+         * Optional element that causes CloudFront to request your content from a directory in your Amazon S3 bucket or your custom origin.
+         */
+        originPath?: pulumi.Input<string>;
+        /**
+         * CloudFront Origin Shield configuration information. See Origin Shield below.
+         */
+        originShields?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionOriginOriginShield>[]>;
+        /**
+         * Number of seconds that CloudFront waits for a response after forwarding a request to the origin. Default: 30.
+         */
+        responseCompletionTimeout?: pulumi.Input<number>;
+        /**
+         * CloudFront VPC origin configuration. See VPC Origin Config below.
+         */
+        vpcOriginConfigs?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionOriginVpcOriginConfig>[]>;
+    }
+    interface MultitenantDistributionOriginCustomHeader {
+        /**
+         * Name of the header.
+         */
+        headerName: pulumi.Input<string>;
+        /**
+         * Value for the header.
+         */
+        headerValue: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionOriginCustomOriginConfig {
+        /**
+         * HTTP port the custom origin listens on.
+         */
+        httpPort: pulumi.Input<number>;
+        /**
+         * HTTPS port the custom origin listens on.
+         */
+        httpsPort: pulumi.Input<number>;
+        /**
+         * Type of IP addresses used by your origins. Valid values are `ipv4` and `dualstack`.
+         */
+        ipAddressType?: pulumi.Input<string>;
+        /**
+         * Custom keep-alive timeout, in seconds. Default: 5.
+         */
+        originKeepaliveTimeout?: pulumi.Input<number>;
+        /**
+         * Origin protocol policy to apply to your origin. Valid values are `http-only`, `https-only`, and `match-viewer`.
+         */
+        originProtocolPolicy: pulumi.Input<string>;
+        /**
+         * Custom read timeout, in seconds. Default: 30.
+         */
+        originReadTimeout?: pulumi.Input<number>;
+        /**
+         * List of SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS.
+         */
+        originSslProtocols: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface MultitenantDistributionOriginGroup {
+        /**
+         * Failover criteria for when to failover to the secondary origin. See Failover Criteria below.
+         */
+        failoverCriteria?: pulumi.Input<inputs.cloudfront.MultitenantDistributionOriginGroupFailoverCriteria>;
+        /**
+         * List of origins in this origin group. Must contain exactly 2 members. See Origin Group Member below.
+         */
+        members?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionOriginGroupMember>[]>;
+        /**
+         * Unique identifier for the origin group.
+         */
+        originId: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionOriginGroupFailoverCriteria {
+        /**
+         * List of HTTP status codes that trigger a failover to the secondary origin.
+         */
+        statusCodes: pulumi.Input<pulumi.Input<number>[]>;
+    }
+    interface MultitenantDistributionOriginGroupMember {
+        originId: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionOriginOriginShield {
+        /**
+         * Whether Origin Shield is enabled.
+         */
+        enabled: pulumi.Input<boolean>;
+        /**
+         * AWS Region for Origin Shield. Required when `enabled` is `true`.
+         */
+        originShieldRegion?: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionOriginVpcOriginConfig {
+        /**
+         * Custom keep-alive timeout, in seconds. By default, CloudFront uses a default timeout. Default: 5.
+         */
+        originKeepaliveTimeout?: pulumi.Input<number>;
+        /**
+         * Custom read timeout, in seconds. By default, CloudFront uses a default timeout. Default: 30.
+         */
+        originReadTimeout?: pulumi.Input<number>;
+        /**
+         * ID of the VPC origin that you want CloudFront to route requests to.
+         */
+        vpcOriginId: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionRestrictions {
+        /**
+         * Geographic restriction configuration. See Geo Restriction below.
+         */
+        geoRestriction?: pulumi.Input<inputs.cloudfront.MultitenantDistributionRestrictionsGeoRestriction>;
+    }
+    interface MultitenantDistributionRestrictionsGeoRestriction {
+        /**
+         * List of ISO 3166-1-alpha-2 country codes for which you want CloudFront either to distribute your content (`whitelist`) or not distribute your content (`blacklist`). Required when `restrictionType` is `whitelist` or `blacklist`.
+         */
+        items?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Method to restrict distribution of your content by country. Valid values are `none`, `whitelist`, and `blacklist`.
+         */
+        restrictionType: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionTenantConfig {
+        /**
+         * One or more parameter definitions for the tenant configuration. See Parameter Definition below.
+         */
+        parameterDefinitions?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionTenantConfigParameterDefinition>[]>;
+    }
+    interface MultitenantDistributionTenantConfigParameterDefinition {
+        /**
+         * Definition of the parameter schema. See Parameter Definition Schema below.
+         */
+        definitions?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionTenantConfigParameterDefinitionDefinition>[]>;
+        /**
+         * Name of the parameter.
+         */
+        name: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionTenantConfigParameterDefinitionDefinition {
+        /**
+         * String schema configuration. See String Schema below.
+         */
+        stringSchemas?: pulumi.Input<pulumi.Input<inputs.cloudfront.MultitenantDistributionTenantConfigParameterDefinitionDefinitionStringSchema>[]>;
+    }
+    interface MultitenantDistributionTenantConfigParameterDefinitionDefinitionStringSchema {
+        /**
+         * Comment describing the parameter.
+         */
+        comment?: pulumi.Input<string>;
+        /**
+         * Default value for the parameter.
+         */
+        defaultValue?: pulumi.Input<string>;
+        /**
+         * Whether the parameter is required.
+         */
+        required: pulumi.Input<boolean>;
+    }
+    interface MultitenantDistributionTimeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        create?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+         */
+        delete?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        update?: pulumi.Input<string>;
+    }
+    interface MultitenantDistributionViewerCertificate {
+        /**
+         * ARN of the AWS Certificate Manager certificate that you wish to use with this distribution. Required when using a custom SSL certificate.
+         */
+        acmCertificateArn?: pulumi.Input<string>;
+        /**
+         * Whether to use the CloudFront default certificate. Cannot be used with `acmCertificateArn`.
+         */
+        cloudfrontDefaultCertificate?: pulumi.Input<boolean>;
+        /**
+         * Minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections. Default: `TLSv1`.
+         */
+        minimumProtocolVersion?: pulumi.Input<string>;
+        /**
+         * How you want CloudFront to serve HTTPS requests. Valid values are `sni-only` and `vip`. Required when `acmCertificateArn` is specified.
+         */
+        sslSupportMethod?: pulumi.Input<string>;
+    }
     interface OriginRequestPolicyCookiesConfig {
         cookieBehavior: pulumi.Input<string>;
         cookies?: pulumi.Input<inputs.cloudfront.OriginRequestPolicyCookiesConfigCookies>;
@@ -24050,7 +24713,7 @@ export declare namespace dlm {
     }
     interface LifecyclePolicyPolicyDetailsScheduleCreateRule {
         /**
-         * The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. Conflicts with `interval`, `intervalUnit`, and `times`.
+         * The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. Conflicts with `interval`, `intervalUnit`, and `times`. For details on valid Cron expressions, see [here](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html#eb-cron-expressions).
          */
         cronExpression?: pulumi.Input<string>;
         interval?: pulumi.Input<number>;
@@ -24714,6 +25377,78 @@ export declare namespace dynamodb {
         enabled?: pulumi.Input<boolean>;
         kmsKeyArn?: pulumi.Input<string>;
     }
+    interface GlobalSecondaryIndexKeySchema {
+        /**
+         * Name of the attribute.
+         */
+        attributeName: pulumi.Input<string>;
+        /**
+         * Type of the attribute in the index.
+         * Valid values are `S` (string), `N` (number), or `B` (binary).
+         */
+        attributeType: pulumi.Input<string>;
+        /**
+         * Key type.
+         * Valid values are `HASH` or `RANGE`.
+         */
+        keyType: pulumi.Input<string>;
+    }
+    interface GlobalSecondaryIndexOnDemandThroughput {
+        /**
+         * Maximum number of read request units for this index.
+         */
+        maxReadRequestUnits?: pulumi.Input<number>;
+        /**
+         * Maximum number of write request units for this index.
+         */
+        maxWriteRequestUnits?: pulumi.Input<number>;
+    }
+    interface GlobalSecondaryIndexProjection {
+        /**
+         * Specifies which additional attributes to include in the index.
+         * Only valid when `projectionType` is `INCLUDE`.`
+         */
+        nonKeyAttributes?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * The set of attributes represented in the index.
+         * One of `ALL`, `INCLUDE`, or `KEYS_ONLY`.
+         */
+        projectionType: pulumi.Input<string>;
+    }
+    interface GlobalSecondaryIndexProvisionedThroughput {
+        /**
+         * Number of read capacity units for this index.
+         */
+        readCapacityUnits?: pulumi.Input<number>;
+        /**
+         * Number of write capacity units for this index.
+         */
+        writeCapacityUnits?: pulumi.Input<number>;
+    }
+    interface GlobalSecondaryIndexTimeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        create?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+         */
+        delete?: pulumi.Input<string>;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        update?: pulumi.Input<string>;
+    }
+    interface GlobalSecondaryIndexWarmThroughput {
+        /**
+         * Number of read operations this index can instantaneously support.
+         */
+        readUnitsPerSecond: pulumi.Input<number>;
+        /**
+         * Number of write operations this index can instantaneously support.
+         */
+        writeUnitsPerSecond: pulumi.Input<number>;
+    }
     interface GlobalTableReplica {
         /**
          * AWS region name of replica DynamoDB TableE.g., `us-east-1`
@@ -30165,9 +30900,17 @@ export declare namespace ec2 {
          */
         dnsRecordIpType?: pulumi.Input<string>;
         /**
-         * Indicates whether to enable private DNS only for inbound endpoints. This option is available only for services that support both gateway and interface endpoints. It routes traffic that originates from the VPC to the gateway endpoint and traffic that originates from on-premises to the interface endpoint. Default is `false`. Can only be specified if privateDnsEnabled is `true`.
+         * Boolean indicating whether to enable private DNS only for inbound endpoints. This option is available only for interface endpoints of services that support both gateway and interface endpoints. A gateway endpoint for the same service must be created before an interface endpoint is created. Traffic originating from the VPC is routed to the gateway endpoint, while traffic originating from on-premises is routed to the interface endpoint. Defaults to `false`. This argument can be specified only if `privateDnsEnabled` is `true`.
          */
         privateDnsOnlyForInboundResolverEndpoint?: pulumi.Input<boolean>;
+        /**
+         * Preference for which private domains have a private hosted zone created for and associated with the specified VPC. Valid values are `ALL_DOMAINS`, `VERIFIED_DOMAINS_ONLY`, `VERIFIED_DOMAINS_AND_SPECIFIED_DOMAINS`, and `SPECIFIED_DOMAINS_ONLY`. Only supported when `privateDnsEnabled` is `true` and when the `vpcEndpointType` is `ServiceNetwork` or `Resource`.
+         */
+        privateDnsPreference?: pulumi.Input<string>;
+        /**
+         * List of private domains to create private hosted zones for and associate with the specified VPC. Must be specified when `privateDnsEnabled` is `true` and `privateDnsPreference` is set to either `VERIFIED_DOMAINS_AND_SPECIFIED_DOMAINS` or `SPECIFIED_DOMAINS_ONLY`. In all other cases, this argument must not be specified.
+         */
+        privateDnsSpecifiedDomains?: pulumi.Input<pulumi.Input<string>[]>;
     }
     interface VpcEndpointServicePrivateDnsNameConfiguration {
         /**
@@ -30823,7 +31566,7 @@ export declare namespace ec2transitgateway {
 export declare namespace ecr {
     interface GetLifecyclePolicyDocumentRule {
         /**
-         * Specifies the action type.
+         * Specifies the action to take.
          */
         action?: inputs.ecr.GetLifecyclePolicyDocumentRuleAction;
         /**
@@ -30831,7 +31574,7 @@ export declare namespace ecr {
          */
         description?: string;
         /**
-         * Sets the order in which rules are evaluated, lowest to highest. When you add rules to a lifecycle policy, you must give them each a unique value for `priority`. Values do not need to be sequential across rules in a policy. A rule with a `tagStatus` value of "any" must have the highest value for `priority` and be evaluated last.
+         * Sets the order in which rules are evaluated, lowest to highest. When you add rules to a lifecycle policy, you must give them each a unique value for `priority`. Values do not need to be sequential across rules in a policy. A rule with a `tagStatus` value of `any` must have the highest value for `priority` and be evaluated last.
          */
         priority: number;
         /**
@@ -30841,7 +31584,7 @@ export declare namespace ecr {
     }
     interface GetLifecyclePolicyDocumentRuleArgs {
         /**
-         * Specifies the action type.
+         * Specifies the action to take.
          */
         action?: pulumi.Input<inputs.ecr.GetLifecyclePolicyDocumentRuleActionArgs>;
         /**
@@ -30849,7 +31592,7 @@ export declare namespace ecr {
          */
         description?: pulumi.Input<string>;
         /**
-         * Sets the order in which rules are evaluated, lowest to highest. When you add rules to a lifecycle policy, you must give them each a unique value for `priority`. Values do not need to be sequential across rules in a policy. A rule with a `tagStatus` value of "any" must have the highest value for `priority` and be evaluated last.
+         * Sets the order in which rules are evaluated, lowest to highest. When you add rules to a lifecycle policy, you must give them each a unique value for `priority`. Values do not need to be sequential across rules in a policy. A rule with a `tagStatus` value of `any` must have the highest value for `priority` and be evaluated last.
          */
         priority: pulumi.Input<number>;
         /**
@@ -30858,30 +31601,38 @@ export declare namespace ecr {
         selection?: pulumi.Input<inputs.ecr.GetLifecyclePolicyDocumentRuleSelectionArgs>;
     }
     interface GetLifecyclePolicyDocumentRuleAction {
+        targetStorageClass?: string;
         /**
-         * The supported value is `expire`.
+         * Specify an action type. The supported values are `expire` (to delete images) and `transition` (to move images to archive storage).
+         * * `targetStorageClass` (Required if `type` is `transition`) - The storage class you want the lifecycle policy to transition the image to. `archive` is the only supported value.
          */
         type: string;
     }
     interface GetLifecyclePolicyDocumentRuleActionArgs {
+        targetStorageClass?: pulumi.Input<string>;
         /**
-         * The supported value is `expire`.
+         * Specify an action type. The supported values are `expire` (to delete images) and `transition` (to move images to archive storage).
+         * * `targetStorageClass` (Required if `type` is `transition`) - The storage class you want the lifecycle policy to transition the image to. `archive` is the only supported value.
          */
         type: pulumi.Input<string>;
     }
     interface GetLifecyclePolicyDocumentRuleSelection {
         /**
-         * Specify a count number. If the `countType` used is "imageCountMoreThan", then the value is the maximum number of images that you want to retain in your repository. If the `countType` used is "sinceImagePushed", then the value is the maximum age limit for your images.
+         * Specify a count number. If the `countType` used is `imageCountMoreThan`, then the value is the maximum number of images that you want to retain in your repository. If the `countType` used is `sinceImagePushed`, then the value is the maximum age limit for your images. If the `countType` used is `sinceImagePulled`, then the value is the maximum number of days since the image was last pulled. If the `countType` used is `sinceImageTransitioned`, then the value is the maximum number of days since the image was archived.
          */
         countNumber: number;
         /**
-         * Specify a count type to apply to the images. If `countType` is set to "imageCountMoreThan", you also specify `countNumber` to create a rule that sets a limit on the number of images that exist in your repository. If `countType` is set to "sinceImagePushed", you also specify `countUnit` and `countNumber` to specify a time limit on the images that exist in your repository.
+         * Specify a count type to apply to the images. If `countType` is set to `imageCountMoreThan`, you also specify `countNumber` to create a rule that sets a limit on the number of images that exist in your repository. If `countType` is set to `sinceImagePushed`, `sinceImagePulled`, or `sinceImageTransitioned`, you also specify `countUnit` and `countNumber` to specify a time limit on the images that exist in your repository.
          */
         countType: string;
         /**
-         * Specify a count unit of days to indicate that as the unit of time, in addition to `countNumber`, which is the number of days.
+         * Specify a count unit of `days` to indicate that as the unit of time, in addition to `countNumber`, which is the number of days.
          */
         countUnit?: string;
+        /**
+         * The rule will only select images of this storage class. When using a `countType` of `imageCountMoreThan`, `sinceImagePushed`, or `sinceImagePulled`, the only supported value is `standard`. When using a `countType` of `sinceImageTransitioned`, this is required, and the only supported value is `archive`. If you omit this, the value of `standard` will be used.
+         */
+        storageClass?: string;
         /**
          * You must specify a comma-separated list of image tag patterns that may contain wildcards (\*) on which to take action with your lifecycle policy. For example, if your images are tagged as `prod`, `prod1`, `prod2`, and so on, you would use the tag pattern list `["prod\*"]` to specify all of them. If you specify multiple tags, only the images with all specified tags are selected. There is a maximum limit of four wildcards (\*) per string. For example, `["*test*1*2*3", "test*1*2*3*"]` is valid but `["test*1*2*3*4*5*6"]` is invalid.
          */
@@ -30891,23 +31642,27 @@ export declare namespace ecr {
          */
         tagPrefixLists?: string[];
         /**
-         * Determines whether the lifecycle policy rule that you are adding specifies a tag for an image. Acceptable options are "tagged", "untagged", or "any". If you specify "any", then all images have the rule applied to them. If you specify "tagged", then you must also specify a `tagPrefixList` value. If you specify "untagged", then you must omit `tagPrefixList`.
+         * Determines whether the lifecycle policy rule that you are adding specifies a tag for an image. Acceptable options are `tagged`, `untagged`, or `any`. If you specify `any`, then all images have the rule evaluated against them. If you specify `tagged`, then you must also specify a `tagPrefixList` value or a `tagPatternList` value. If you specify `untagged`, then you must omit both `tagPrefixList` and `tagPatternList`.
          */
         tagStatus: string;
     }
     interface GetLifecyclePolicyDocumentRuleSelectionArgs {
         /**
-         * Specify a count number. If the `countType` used is "imageCountMoreThan", then the value is the maximum number of images that you want to retain in your repository. If the `countType` used is "sinceImagePushed", then the value is the maximum age limit for your images.
+         * Specify a count number. If the `countType` used is `imageCountMoreThan`, then the value is the maximum number of images that you want to retain in your repository. If the `countType` used is `sinceImagePushed`, then the value is the maximum age limit for your images. If the `countType` used is `sinceImagePulled`, then the value is the maximum number of days since the image was last pulled. If the `countType` used is `sinceImageTransitioned`, then the value is the maximum number of days since the image was archived.
          */
         countNumber: pulumi.Input<number>;
         /**
-         * Specify a count type to apply to the images. If `countType` is set to "imageCountMoreThan", you also specify `countNumber` to create a rule that sets a limit on the number of images that exist in your repository. If `countType` is set to "sinceImagePushed", you also specify `countUnit` and `countNumber` to specify a time limit on the images that exist in your repository.
+         * Specify a count type to apply to the images. If `countType` is set to `imageCountMoreThan`, you also specify `countNumber` to create a rule that sets a limit on the number of images that exist in your repository. If `countType` is set to `sinceImagePushed`, `sinceImagePulled`, or `sinceImageTransitioned`, you also specify `countUnit` and `countNumber` to specify a time limit on the images that exist in your repository.
          */
         countType: pulumi.Input<string>;
         /**
-         * Specify a count unit of days to indicate that as the unit of time, in addition to `countNumber`, which is the number of days.
+         * Specify a count unit of `days` to indicate that as the unit of time, in addition to `countNumber`, which is the number of days.
          */
         countUnit?: pulumi.Input<string>;
+        /**
+         * The rule will only select images of this storage class. When using a `countType` of `imageCountMoreThan`, `sinceImagePushed`, or `sinceImagePulled`, the only supported value is `standard`. When using a `countType` of `sinceImageTransitioned`, this is required, and the only supported value is `archive`. If you omit this, the value of `standard` will be used.
+         */
+        storageClass?: pulumi.Input<string>;
         /**
          * You must specify a comma-separated list of image tag patterns that may contain wildcards (\*) on which to take action with your lifecycle policy. For example, if your images are tagged as `prod`, `prod1`, `prod2`, and so on, you would use the tag pattern list `["prod\*"]` to specify all of them. If you specify multiple tags, only the images with all specified tags are selected. There is a maximum limit of four wildcards (\*) per string. For example, `["*test*1*2*3", "test*1*2*3*"]` is valid but `["test*1*2*3*4*5*6"]` is invalid.
          */
@@ -30917,7 +31672,7 @@ export declare namespace ecr {
          */
         tagPrefixLists?: pulumi.Input<pulumi.Input<string>[]>;
         /**
-         * Determines whether the lifecycle policy rule that you are adding specifies a tag for an image. Acceptable options are "tagged", "untagged", or "any". If you specify "any", then all images have the rule applied to them. If you specify "tagged", then you must also specify a `tagPrefixList` value. If you specify "untagged", then you must omit `tagPrefixList`.
+         * Determines whether the lifecycle policy rule that you are adding specifies a tag for an image. Acceptable options are `tagged`, `untagged`, or `any`. If you specify `any`, then all images have the rule evaluated against them. If you specify `tagged`, then you must also specify a `tagPrefixList` value or a `tagPatternList` value. If you specify `untagged`, then you must omit both `tagPrefixList` and `tagPatternList`.
          */
         tagStatus: pulumi.Input<string>;
     }
@@ -31205,6 +31960,10 @@ export declare namespace ecs {
         scaleInAfter?: pulumi.Input<number>;
     }
     interface CapacityProviderManagedInstancesProviderInstanceLaunchTemplate {
+        /**
+         * The purchasing option for the EC2 instances used in the capacity provider. Determines whether to use On-Demand or Spot instances. Valid values are `ON_DEMAND` and `SPOT`. Defaults to `ON_DEMAND` when not specified. Changing this value will trigger replacement of the capacity provider. For more information, see [Amazon EC2 billing and purchasing options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-purchasing-options.html) in the Amazon EC2 User Guide.
+         */
+        capacityOptionType?: pulumi.Input<string>;
         /**
          * The Amazon Resource Name (ARN) of the instance profile that Amazon ECS applies to Amazon ECS Managed Instances. This instance profile must include the necessary permissions for your tasks to access AWS services and resources. For more information, see [Amazon ECS instance profile for Managed Instances](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html) in the Amazon ECS Developer Guide.
          */
@@ -37912,10 +38671,18 @@ export declare namespace guardduty {
          * A value to be evaluated. Accepts either an integer or a date in [RFC 3339 format](https://tools.ietf.org/html/rfc3339#section-5.8).
          */
         lessThanOrEqual?: pulumi.Input<string>;
+        /**
+         * List of string values to be evaluated as matching conditions.
+         */
+        matches?: pulumi.Input<pulumi.Input<string>[]>;
         /**
          * List of string values to be evaluated.
          */
         notEquals?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * List of string values to be evaluated as non-matching conditions.
+         */
+        notMatches?: pulumi.Input<pulumi.Input<string>[]>;
     }
     interface MalwareProtectionPlanAction {
         /**
@@ -38966,6 +39733,12 @@ export declare namespace imagebuilder {
          */
         timeoutMinutes?: pulumi.Input<number>;
     }
+    interface ImageLoggingConfiguration {
+        /**
+         * Name of the CloudWatch Log Group to send logs to.
+         */
+        logGroupName: pulumi.Input<string>;
+    }
     interface ImageOutputResource {
         /**
          * Set of objects with each Amazon Machine Image (AMI) created.
@@ -39035,6 +39808,16 @@ export declare namespace imagebuilder {
          */
         timeoutMinutes?: pulumi.Input<number>;
     }
+    interface ImagePipelineLoggingConfiguration {
+        /**
+         * Name of the CloudWatch Log Group to send image logs to.
+         */
+        imageLogGroupName?: pulumi.Input<string>;
+        /**
+         * Name of the CloudWatch Log Group to send pipeline logs to.
+         */
+        pipelineLogGroupName?: pulumi.Input<string>;
+    }
     interface ImagePipelineSchedule {
         /**
          * Condition when the pipeline should trigger a new image build. Valid values are `EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE` and `EXPRESSION_MATCH_ONLY`. Defaults to `EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE`.
@@ -45665,7 +46448,7 @@ export declare namespace lambda {
     }
     interface EventSourceMappingDestinationConfigOnFailure {
         /**
-         * ARN of the destination resource.
+         * ARN of the destination resource, or `kafka://your-topic-name` for Amazon MSK and self-managed Apache Kafka destinations.
          */
         destinationArn: pulumi.Input<string>;
     }
@@ -45710,6 +46493,10 @@ export declare namespace lambda {
          * Minimum number of event pollers this event source can scale down to. The range is between 1 and 200.
          */
         minimumPollers?: pulumi.Input<number>;
+        /**
+         * The name of the provisioned poller group used to group multiple ESMs within the event source's VPC to share Event Poller Unit (EPU) capacity. You can use this option to optimize Provisioned mode costs for your ESMs. You can group up to 100 ESMs per poller group and aggregate maximum pollers across all ESMs in a group cannot exceed 2000.
+         */
+        pollerGroupName?: pulumi.Input<string>;
     }
     interface EventSourceMappingScalingConfig {
         /**
@@ -63479,7 +64266,7 @@ export declare namespace networkfirewall {
          */
         policyVariables?: pulumi.Input<inputs.networkfirewall.FirewallPolicyFirewallPolicyPolicyVariables>;
         /**
-         * Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a `statefulEngineOptions` block with a `ruleOrder` value of `STRICT_ORDER`. You can specify one of either or neither values of `aws:drop_strict` or `aws:drop_established`, as well as any combination of `aws:alert_strict` and `aws:alert_established`.
+         * Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a `statefulEngineOptions` block with a `ruleOrder` value of `STRICT_ORDER`. Value values: `aws:drop_strict`, `aws:drop_established`, `aws:drop_established_app_layer`, `aws:alert_strict`, `aws:alert_established, `aws:alert_established_app_layer`. For more information, see [Strict evaluation order](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order.html) in the AWS Network Firewall Developer Guide.
          */
         statefulDefaultActions?: pulumi.Input<pulumi.Input<string>[]>;
         /**
@@ -69389,6 +70176,66 @@ export declare namespace redshift {
          */
         subnetId?: pulumi.Input<string>;
     }
+    interface IdcApplicationAuthorizedTokenIssuer {
+        /**
+         * List of audiences for the authorized token issuer for integrating Amazon Redshift with IDC Identity Center.
+         */
+        authorizedAudiencesLists?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * ARN for the authorized token issuer for integrating Amazon Redshift with IDC Identity Center.
+         */
+        trustedTokenIssuerArn?: pulumi.Input<string>;
+    }
+    interface IdcApplicationServiceIntegration {
+        /**
+         * List of scopes set up for Lake Formation integration. Refer to the lakeFormation documentation for more details.
+         */
+        lakeFormation?: pulumi.Input<inputs.redshift.IdcApplicationServiceIntegrationLakeFormation>;
+        /**
+         * List of scopes set up for Redshift integration. Refer to the redshift documentation for more details.
+         */
+        redshift?: pulumi.Input<inputs.redshift.IdcApplicationServiceIntegrationRedshift>;
+        /**
+         * List of scopes set up for S3 Access Grants integration. Refer to the s3AccessGrants documentation for more details.
+         */
+        s3AccessGrants?: pulumi.Input<inputs.redshift.IdcApplicationServiceIntegrationS3AccessGrants>;
+    }
+    interface IdcApplicationServiceIntegrationLakeFormation {
+        /**
+         * Lake formation scope.
+         */
+        lakeFormationQuery?: pulumi.Input<inputs.redshift.IdcApplicationServiceIntegrationLakeFormationLakeFormationQuery>;
+    }
+    interface IdcApplicationServiceIntegrationLakeFormationLakeFormationQuery {
+        /**
+         * Determines whether the query scope is enabled or disabled.
+         */
+        authorization: pulumi.Input<string>;
+    }
+    interface IdcApplicationServiceIntegrationRedshift {
+        /**
+         * Amazon Redshift connect service integration scope.
+         */
+        connect?: pulumi.Input<inputs.redshift.IdcApplicationServiceIntegrationRedshiftConnect>;
+    }
+    interface IdcApplicationServiceIntegrationRedshiftConnect {
+        /**
+         * Determines whether the connect integration is enabled or disabled.
+         */
+        authorization: pulumi.Input<string>;
+    }
+    interface IdcApplicationServiceIntegrationS3AccessGrants {
+        /**
+         * S3 Access grants integration scope.
+         */
+        readWriteAccess?: pulumi.Input<inputs.redshift.IdcApplicationServiceIntegrationS3AccessGrantsReadWriteAccess>;
+    }
+    interface IdcApplicationServiceIntegrationS3AccessGrantsReadWriteAccess {
+        /**
+         * Determines whether read/write scope is enabled or disabled.
+         */
+        authorization: pulumi.Input<string>;
+    }
     interface IntegrationTimeouts {
         /**
          * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
@@ -82055,6 +82902,30 @@ export declare namespace transfer {
          */
         uid: pulumi.Input<number>;
     }
+    interface WebAppEndpointDetails {
+        /**
+         * Block defining VPC configuration for hosting the web app endpoint within a VPC. See Vpc below.
+         */
+        vpc?: pulumi.Input<inputs.transfer.WebAppEndpointDetailsVpc>;
+    }
+    interface WebAppEndpointDetailsVpc {
+        /**
+         * List of security group IDs that control access to the web app endpoint. If not specified, the VPC's default security group is used.
+         */
+        securityGroupIds?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * List of subnet IDs within the VPC where the web app endpoint will be deployed. These subnets must be in the same VPC specified in the `vpcId` parameter.
+         */
+        subnetIds: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * ID of the VPC endpoint created for the web app.
+         */
+        vpcEndpointId?: pulumi.Input<string>;
+        /**
+         * ID of the VPC where the web app endpoint will be hosted. The VPC must be dual-stack, meaning it supports both IPv4 and IPv6 addressing.
+         */
+        vpcId: pulumi.Input<string>;
+    }
     interface WebAppIdentityProviderDetails {
         /**
          * Block that describes the values to use for the IAM Identity Center settings. See Identity center config below.