aws-cdk-lib 2.114.0__py3-none-any.whl → 2.115.0__py3-none-any.whl

aws_cdk/aws_iam/__init__.py

@@ -9264,22 +9264,21 @@ class Policy(
 
     Example::
 
-        # books: apigateway.Resource
-        # iam_user: iam.User
+        # post_auth_fn: lambda.Function
         
         
-        get_books = books.add_method("GET", apigateway.HttpIntegration("http://amazon.com"),
-            authorization_type=apigateway.AuthorizationType.IAM
+        userpool = cognito.UserPool(self, "myuserpool",
+            lambda_triggers=cognito.UserPoolTriggers(
+                post_authentication=post_auth_fn
+            )
         )
         
-        iam_user.attach_inline_policy(iam.Policy(self, "AllowBooks",
-            statements=[
-                iam.PolicyStatement(
-                    actions=["execute-api:Invoke"],
-                    effect=iam.Effect.ALLOW,
-                    resources=[get_books.method_arn]
-                )
-            ]
+        # provide permissions to describe the user pool scoped to the ARN the user pool
+        post_auth_fn.role.attach_inline_policy(iam.Policy(self, "userpool-policy",
+            statements=[iam.PolicyStatement(
+                actions=["cognito-idp:DescribeUserPool"],
+                resources=[userpool.user_pool_arn]
+            )]
         ))
     '''
 
@@ -9870,27 +9869,34 @@ class PolicyStatement(
 ):
     '''Represents a statement in an IAM policy document.
 
-    :exampleMetadata: infused
+    :exampleMetadata: lit=aws-ec2/test/integ.vpc-endpoint.lit.ts infused
 
     Example::
 
-        cross_account_role_arn = "arn:aws:iam::OTHERACCOUNT:role/CrossAccountRoleName" # arn of role deployed in separate account
+        # Add gateway endpoints when creating the VPC
+        vpc = ec2.Vpc(self, "MyVpc",
+            gateway_endpoints={
+                "S3": cdk.aws_ec2.GatewayVpcEndpointOptions(
+                    service=ec2.GatewayVpcEndpointAwsService.S3
+                )
+            }
+        )
         
-        call_region = "us-west-1" # sdk call to be made in specified region (optional)
+        # Alternatively gateway endpoints can be added on the VPC
+        dynamo_db_endpoint = vpc.add_gateway_endpoint("DynamoDbEndpoint",
+            service=ec2.GatewayVpcEndpointAwsService.DYNAMODB
+        )
         
-        cr.AwsCustomResource(self, "CrossAccount",
-            on_create=cr.AwsSdkCall(
-                assumed_role_arn=cross_account_role_arn,
-                region=call_region,  # optional
-                service="sts",
-                action="GetCallerIdentity",
-                physical_resource_id=cr.PhysicalResourceId.of("id")
-            ),
-            policy=cr.AwsCustomResourcePolicy.from_statements([iam.PolicyStatement.from_json({
-                "Effect": "Allow",
-                "Action": "sts:AssumeRole",
-                "Resource": cross_account_role_arn
-            })])
+        # This allows to customize the endpoint policy
+        dynamo_db_endpoint.add_to_policy(
+            iam.PolicyStatement( # Restrict to listing and describing tables
+                principals=[iam.AnyPrincipal()],
+                actions=["dynamodb:DescribeTable", "dynamodb:ListTables"],
+                resources=["*"]))
+        
+        # Add an interface endpoint
+        vpc.add_interface_endpoint("EcrDockerEndpoint",
+            service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER
         )
     '''
 
@@ -13717,21 +13723,27 @@ class ArnPrincipal(
 
     Example::
 
-        # Option 3: Create a new role that allows the account root principal to assume. Add this role in the `system:masters` and witch to this role from the AWS console.
-        # cluster: eks.Cluster
+        # Option 2: create your custom mastersRole with scoped assumeBy arn as the Cluster prop. Switch to this role from the AWS console.
+        from aws_cdk.lambda_layer_kubectl_v28 import KubectlV28Layer
+        # vpc: ec2.Vpc
         
         
-        console_read_only_role = iam.Role(self, "ConsoleReadOnlyRole",
+        masters_role = iam.Role(self, "MastersRole",
             assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
         )
-        console_read_only_role.add_to_policy(iam.PolicyStatement(
+        
+        cluster = eks.Cluster(self, "EksCluster",
+            vpc=vpc,
+            version=eks.KubernetesVersion.V1_28,
+            kubectl_layer=KubectlV28Layer(self, "KubectlLayer"),
+            masters_role=masters_role
+        )
+        
+        masters_role.add_to_policy(iam.PolicyStatement(
             actions=["eks:AccessKubernetesApi", "eks:Describe*", "eks:List*"
             ],
             resources=[cluster.cluster_arn]
         ))
-        
-        # Add this role to system:masters RBAC group
-        cluster.aws_auth.add_masters_role(console_read_only_role)
     '''
 
     def __init__(self, arn: builtins.str) -> None:

aws_cdk/aws_internetmonitor/__init__.py

@@ -537,7 +537,7 @@ class CfnMonitor(
         ) -> None:
             '''Publish internet measurements to an Amazon S3 bucket in addition to CloudWatch Logs.
 
-            :param s3_config: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3.
+            :param s3_config: The configuration information for publishing Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is ``ENABLED`` or ``DISABLED`` , depending on whether you choose to deliver internet measurements to S3 logs.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-internetmonitor-monitor-internetmeasurementslogdelivery.html
             :exampleMetadata: fixture=_generated
@@ -567,7 +567,9 @@ class CfnMonitor(
         def s3_config(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnMonitor.S3ConfigProperty"]]:
-            '''The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3.
+            '''The configuration information for publishing Internet Monitor internet measurements to Amazon S3.
+
+            The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is ``ENABLED`` or ``DISABLED`` , depending on whether you choose to deliver internet measurements to S3 logs.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-internetmonitor-monitor-internetmeasurementslogdelivery.html#cfn-internetmonitor-monitor-internetmeasurementslogdelivery-s3config
             '''
@@ -703,13 +705,11 @@ class CfnMonitor(
         ) -> None:
             '''The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3.
 
-            The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is ``ENABLED`` if you choose to deliver internet measurements to S3 logs, and ``DISABLED`` otherwise.
+            The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is ``ENABLED`` or ``DISABLED`` , depending on whether you choose to deliver internet measurements to S3 logs.
 
-            The measurements are also published to Amazon CloudWatch Logs.
-
-            :param bucket_name: The Amazon S3 bucket name for internet measurements publishing.
-            :param bucket_prefix: An optional Amazon S3 bucket prefix for internet measurements publishing.
-            :param log_delivery_status: The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket. The delivery status is ``ENABLED`` if you choose to deliver internet measurements to an S3 bucket, and ``DISABLED`` otherwise.
+            :param bucket_name: The Amazon S3 bucket name.
+            :param bucket_prefix: The Amazon S3 bucket prefix.
+            :param log_delivery_status: The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-internetmonitor-monitor-s3config.html
             :exampleMetadata: fixture=_generated
@@ -741,7 +741,7 @@ class CfnMonitor(
 
         @builtins.property
         def bucket_name(self) -> typing.Optional[builtins.str]:
-            '''The Amazon S3 bucket name for internet measurements publishing.
+            '''The Amazon S3 bucket name.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-internetmonitor-monitor-s3config.html#cfn-internetmonitor-monitor-s3config-bucketname
             '''
@@ -750,7 +750,7 @@ class CfnMonitor(
 
         @builtins.property
         def bucket_prefix(self) -> typing.Optional[builtins.str]:
-            '''An optional Amazon S3 bucket prefix for internet measurements publishing.
+            '''The Amazon S3 bucket prefix.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-internetmonitor-monitor-s3config.html#cfn-internetmonitor-monitor-s3config-bucketprefix
             '''
@@ -761,8 +761,6 @@ class CfnMonitor(
         def log_delivery_status(self) -> typing.Optional[builtins.str]:
             '''The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket.
 
-            The delivery status is ``ENABLED`` if you choose to deliver internet measurements to an S3 bucket, and ``DISABLED`` otherwise.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-internetmonitor-monitor-s3config.html#cfn-internetmonitor-monitor-s3config-logdeliverystatus
             '''
             result = self._values.get("log_delivery_status")

aws_cdk/aws_lightsail/__init__.py

@@ -2879,7 +2879,7 @@ class CfnDatabase(
         :param relational_database_bundle_id: The bundle ID for the database (for example, ``medium_1_0`` ).
         :param relational_database_name: The name of the instance.
         :param availability_zone: The Availability Zone for the database.
-        :param backup_retention: A Boolean value indicating whether automated backup retention is enabled for the database.
+        :param backup_retention: A Boolean value indicating whether automated backup retention is enabled for the database. Data Import Mode is enabled when ``BackupRetention`` is set to ``false`` , and is disabled when ``BackupRetention`` is set to ``true`` .
         :param ca_certificate_identifier: The certificate associated with the database.
         :param master_user_password: The password for the primary user of the database. The password can include any printable ASCII character except the following: /, ", or
         :param preferred_backup_window: The daily time range during which automated backups are created for the database (for example, ``16:00-16:30`` ).
@@ -3404,7 +3404,7 @@ class CfnDatabaseProps:
         :param relational_database_bundle_id: The bundle ID for the database (for example, ``medium_1_0`` ).
         :param relational_database_name: The name of the instance.
         :param availability_zone: The Availability Zone for the database.
-        :param backup_retention: A Boolean value indicating whether automated backup retention is enabled for the database.
+        :param backup_retention: A Boolean value indicating whether automated backup retention is enabled for the database. Data Import Mode is enabled when ``BackupRetention`` is set to ``false`` , and is disabled when ``BackupRetention`` is set to ``true`` .
         :param ca_certificate_identifier: The certificate associated with the database.
         :param master_user_password: The password for the primary user of the database. The password can include any printable ASCII character except the following: /, ", or
         :param preferred_backup_window: The daily time range during which automated backups are created for the database (for example, ``16:00-16:30`` ).
@@ -3611,6 +3611,8 @@ class CfnDatabaseProps:
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
         '''A Boolean value indicating whether automated backup retention is enabled for the database.
 
+        Data Import Mode is enabled when ``BackupRetention`` is set to ``false`` , and is disabled when ``BackupRetention`` is set to ``true`` .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lightsail-database.html#cfn-lightsail-database-backupretention
         '''
         result = self._values.get("backup_retention")

aws_cdk/aws_logs/__init__.py

@@ -6000,7 +6000,7 @@ class LogGroup(
         :param id: -
         :param data_protection_policy: Data Protection Policy for this log group. Default: - no data protection policy
         :param encryption_key: The KMS customer managed key to encrypt the log group with. Default: Server-side encrpytion managed by the CloudWatch Logs service
-        :param log_group_class: The class of the log group. Possible values are: STANDARD and INFREQUENT_ACCESS. INFREQUENT_ACCESS class provides customers a cost-effective way to consolidate logs which supports querying using Logs Insights. Default: LogGroupClass.STANDARD
+        :param log_group_class: The class of the log group. Possible values are: STANDARD and INFREQUENT_ACCESS. INFREQUENT_ACCESS class provides customers a cost-effective way to consolidate logs which supports querying using Logs Insights. The logGroupClass property cannot be changed once the log group is created. Default: LogGroupClass.STANDARD
         :param log_group_name: Name of the log group. Default: Automatically generated
         :param removal_policy: Determine the removal policy of this log group. Normally you want to retain the log group so you can diagnose issues from logs even after a deployment that no longer includes the log group. In that case, use the normal date-based retention policy to age out your logs. Default: RemovalPolicy.Retain
         :param retention: How long, in days, the log contents will be retained. To retain all logs, set this value to RetentionDays.INFINITE. Default: RetentionDays.TWO_YEARS
@@ -6294,7 +6294,7 @@ class LogGroupProps:
 
         :param data_protection_policy: Data Protection Policy for this log group. Default: - no data protection policy
         :param encryption_key: The KMS customer managed key to encrypt the log group with. Default: Server-side encrpytion managed by the CloudWatch Logs service
-        :param log_group_class: The class of the log group. Possible values are: STANDARD and INFREQUENT_ACCESS. INFREQUENT_ACCESS class provides customers a cost-effective way to consolidate logs which supports querying using Logs Insights. Default: LogGroupClass.STANDARD
+        :param log_group_class: The class of the log group. Possible values are: STANDARD and INFREQUENT_ACCESS. INFREQUENT_ACCESS class provides customers a cost-effective way to consolidate logs which supports querying using Logs Insights. The logGroupClass property cannot be changed once the log group is created. Default: LogGroupClass.STANDARD
         :param log_group_name: Name of the log group. Default: Automatically generated
         :param removal_policy: Determine the removal policy of this log group. Normally you want to retain the log group so you can diagnose issues from logs even after a deployment that no longer includes the log group. In that case, use the normal date-based retention policy to age out your logs. Default: RemovalPolicy.Retain
         :param retention: How long, in days, the log contents will be retained. To retain all logs, set this value to RetentionDays.INFINITE. Default: RetentionDays.TWO_YEARS
@@ -6376,8 +6376,9 @@ class LogGroupProps:
     def log_group_class(self) -> typing.Optional[LogGroupClass]:
         '''The class of the log group. Possible values are: STANDARD and INFREQUENT_ACCESS.
 
-        INFREQUENT_ACCESS class provides customers a cost-effective way to
-        consolidate logs which supports querying using Logs Insights.
+        INFREQUENT_ACCESS class provides customers a cost-effective way to consolidate
+        logs which supports querying using Logs Insights. The logGroupClass property cannot
+        be changed once the log group is created.
 
         :default: LogGroupClass.STANDARD
         '''

aws_cdk/aws_opensearchservice/__init__.py

@@ -900,6 +900,7 @@ class CfnDomain(
                 kms_key_id="kmsKeyId"
             ),
             engine_version="engineVersion",
+            ip_address_type="ipAddressType",
             log_publishing_options={
                 "log_publishing_options_key": opensearchservice.CfnDomain.LogPublishingOptionProperty(
                     cloud_watch_logs_log_group_arn="cloudWatchLogsLogGroupArn",
@@ -951,6 +952,7 @@ class CfnDomain(
         ebs_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDomain.EBSOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         encryption_at_rest_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDomain.EncryptionAtRestOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         engine_version: typing.Optional[builtins.str] = None,
+        ip_address_type: typing.Optional[builtins.str] = None,
         log_publishing_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, typing.Union["CfnDomain.LogPublishingOptionProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         node_to_node_encryption_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDomain.NodeToNodeEncryptionOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         off_peak_window_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDomain.OffPeakWindowOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -973,6 +975,7 @@ class CfnDomain(
         :param ebs_options: The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the OpenSearch Service domain. For more information, see `EBS volume size limits <https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#ebsresource>`_ in the *Amazon OpenSearch Service Developer Guide* .
         :param encryption_at_rest_options: Whether the domain should encrypt data at rest, and if so, the AWS KMS key to use. See `Encryption of data at rest for Amazon OpenSearch Service <https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html>`_ .
         :param engine_version: The version of OpenSearch to use. The value must be in the format ``OpenSearch_X.Y`` or ``Elasticsearch_X.Y`` . If not specified, the latest version of OpenSearch is used. For information about the versions that OpenSearch Service supports, see `Supported versions of OpenSearch and Elasticsearch <https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html#choosing-version>`_ in the *Amazon OpenSearch Service Developer Guide* . If you set the `EnableVersionUpgrade <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html#cfn-attributes-updatepolicy-upgradeopensearchdomain>`_ update policy to ``true`` , you can update ``EngineVersion`` without interruption. When ``EnableVersionUpgrade`` is set to ``false`` , or is not specified, updating ``EngineVersion`` results in `replacement <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement>`_ .
+        :param ip_address_type: 
         :param log_publishing_options: An object with one or more of the following keys: ``SEARCH_SLOW_LOGS`` , ``ES_APPLICATION_LOGS`` , ``INDEX_SLOW_LOGS`` , ``AUDIT_LOGS`` , depending on the types of logs you want to publish. Each key needs a valid ``LogPublishingOption`` value. For the full syntax, see the `examples <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-opensearchservice-domain.html#aws-resource-opensearchservice-domain--examples>`_ .
         :param node_to_node_encryption_options: Specifies whether node-to-node encryption is enabled. See `Node-to-node encryption for Amazon OpenSearch Service <https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ntn.html>`_ .
         :param off_peak_window_options: Options for a domain's off-peak window, during which OpenSearch Service can perform mandatory configuration changes on the domain.
@@ -997,6 +1000,7 @@ class CfnDomain(
             ebs_options=ebs_options,
             encryption_at_rest_options=encryption_at_rest_options,
             engine_version=engine_version,
+            ip_address_type=ip_address_type,
             log_publishing_options=log_publishing_options,
             node_to_node_encryption_options=node_to_node_encryption_options,
             off_peak_window_options=off_peak_window_options,
@@ -1074,6 +1078,14 @@ class CfnDomain(
         '''
         return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrDomainEndpoints"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrDomainEndpointV2")
+    def attr_domain_endpoint_v2(self) -> builtins.str:
+        '''
+        :cloudformationAttribute: DomainEndpointV2
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrDomainEndpointV2"))
+
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
@@ -1348,6 +1360,18 @@ class CfnDomain(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "engineVersion", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="ipAddressType")
+    def ip_address_type(self) -> typing.Optional[builtins.str]:
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "ipAddressType"))
+
+    @ip_address_type.setter
+    def ip_address_type(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__15de3b6bee67c94e6a9ff942356ecb4f67771482ab0d1655f673b885868135c2)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "ipAddressType", value)
+
     @builtins.property
     @jsii.member(jsii_name="logPublishingOptions")
     def log_publishing_options(
@@ -3490,6 +3514,7 @@ class CfnDomain(
         "ebs_options": "ebsOptions",
         "encryption_at_rest_options": "encryptionAtRestOptions",
         "engine_version": "engineVersion",
+        "ip_address_type": "ipAddressType",
         "log_publishing_options": "logPublishingOptions",
         "node_to_node_encryption_options": "nodeToNodeEncryptionOptions",
         "off_peak_window_options": "offPeakWindowOptions",
@@ -3514,6 +3539,7 @@ class CfnDomainProps:
         ebs_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.EBSOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         encryption_at_rest_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.EncryptionAtRestOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         engine_version: typing.Optional[builtins.str] = None,
+        ip_address_type: typing.Optional[builtins.str] = None,
         log_publishing_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.LogPublishingOptionProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         node_to_node_encryption_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.NodeToNodeEncryptionOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         off_peak_window_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.OffPeakWindowOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -3535,6 +3561,7 @@ class CfnDomainProps:
         :param ebs_options: The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the OpenSearch Service domain. For more information, see `EBS volume size limits <https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#ebsresource>`_ in the *Amazon OpenSearch Service Developer Guide* .
         :param encryption_at_rest_options: Whether the domain should encrypt data at rest, and if so, the AWS KMS key to use. See `Encryption of data at rest for Amazon OpenSearch Service <https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html>`_ .
         :param engine_version: The version of OpenSearch to use. The value must be in the format ``OpenSearch_X.Y`` or ``Elasticsearch_X.Y`` . If not specified, the latest version of OpenSearch is used. For information about the versions that OpenSearch Service supports, see `Supported versions of OpenSearch and Elasticsearch <https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html#choosing-version>`_ in the *Amazon OpenSearch Service Developer Guide* . If you set the `EnableVersionUpgrade <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html#cfn-attributes-updatepolicy-upgradeopensearchdomain>`_ update policy to ``true`` , you can update ``EngineVersion`` without interruption. When ``EnableVersionUpgrade`` is set to ``false`` , or is not specified, updating ``EngineVersion`` results in `replacement <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement>`_ .
+        :param ip_address_type: 
         :param log_publishing_options: An object with one or more of the following keys: ``SEARCH_SLOW_LOGS`` , ``ES_APPLICATION_LOGS`` , ``INDEX_SLOW_LOGS`` , ``AUDIT_LOGS`` , depending on the types of logs you want to publish. Each key needs a valid ``LogPublishingOption`` value. For the full syntax, see the `examples <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-opensearchservice-domain.html#aws-resource-opensearchservice-domain--examples>`_ .
         :param node_to_node_encryption_options: Specifies whether node-to-node encryption is enabled. See `Node-to-node encryption for Amazon OpenSearch Service <https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ntn.html>`_ .
         :param off_peak_window_options: Options for a domain's off-peak window, during which OpenSearch Service can perform mandatory configuration changes on the domain.
@@ -3624,6 +3651,7 @@ class CfnDomainProps:
                     kms_key_id="kmsKeyId"
                 ),
                 engine_version="engineVersion",
+                ip_address_type="ipAddressType",
                 log_publishing_options={
                     "log_publishing_options_key": opensearchservice.CfnDomain.LogPublishingOptionProperty(
                         cloud_watch_logs_log_group_arn="cloudWatchLogsLogGroupArn",
@@ -3671,6 +3699,7 @@ class CfnDomainProps:
             check_type(argname="argument ebs_options", value=ebs_options, expected_type=type_hints["ebs_options"])
             check_type(argname="argument encryption_at_rest_options", value=encryption_at_rest_options, expected_type=type_hints["encryption_at_rest_options"])
             check_type(argname="argument engine_version", value=engine_version, expected_type=type_hints["engine_version"])
+            check_type(argname="argument ip_address_type", value=ip_address_type, expected_type=type_hints["ip_address_type"])
             check_type(argname="argument log_publishing_options", value=log_publishing_options, expected_type=type_hints["log_publishing_options"])
             check_type(argname="argument node_to_node_encryption_options", value=node_to_node_encryption_options, expected_type=type_hints["node_to_node_encryption_options"])
             check_type(argname="argument off_peak_window_options", value=off_peak_window_options, expected_type=type_hints["off_peak_window_options"])
@@ -3701,6 +3730,8 @@ class CfnDomainProps:
             self._values["encryption_at_rest_options"] = encryption_at_rest_options
         if engine_version is not None:
             self._values["engine_version"] = engine_version
+        if ip_address_type is not None:
+            self._values["ip_address_type"] = ip_address_type
         if log_publishing_options is not None:
             self._values["log_publishing_options"] = log_publishing_options
         if node_to_node_encryption_options is not None:
@@ -3849,6 +3880,14 @@ class CfnDomainProps:
         result = self._values.get("engine_version")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def ip_address_type(self) -> typing.Optional[builtins.str]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-opensearchservice-domain.html#cfn-opensearchservice-domain-ipaddresstype
+        '''
+        result = self._values.get("ip_address_type")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def log_publishing_options(
         self,
@@ -8113,6 +8152,7 @@ def _typecheckingstub__6fcd2545392b3f48f314c640881e38e167b5936f1165d2eb1ce21766d
     ebs_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.EBSOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     encryption_at_rest_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.EncryptionAtRestOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     engine_version: typing.Optional[builtins.str] = None,
+    ip_address_type: typing.Optional[builtins.str] = None,
     log_publishing_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.LogPublishingOptionProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     node_to_node_encryption_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.NodeToNodeEncryptionOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     off_peak_window_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.OffPeakWindowOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -8202,6 +8242,12 @@ def _typecheckingstub__88301df742e18b9ab560ac04b99b966a761eeee663731308b40ab8ca4
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__15de3b6bee67c94e6a9ff942356ecb4f67771482ab0d1655f673b885868135c2(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__7ad842d30b972e4535042c97d9a43923a473c809de18faef95c075764d365933(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, CfnDomain.LogPublishingOptionProperty]]]],
 ) -> None:
@@ -8437,6 +8483,7 @@ def _typecheckingstub__4a3bbf8db74762f8d49d2ee572e0b31eef8650964dd0e8a168a5fe2d6
     ebs_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.EBSOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     encryption_at_rest_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.EncryptionAtRestOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     engine_version: typing.Optional[builtins.str] = None,
+    ip_address_type: typing.Optional[builtins.str] = None,
     log_publishing_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.LogPublishingOptionProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     node_to_node_encryption_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.NodeToNodeEncryptionOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     off_peak_window_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDomain.OffPeakWindowOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,