aws-cdk-lib 2.117.0__py3-none-any.whl → 2.119.0__py3-none-any.whl

aws_cdk/aws_rds/__init__.py

@@ -997,6 +997,28 @@ proxy.grant_connect(role, "admin")
 **Note**: In addition to the setup above, a database user will need to be created to support IAM auth.
 See [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html) for setup instructions.
 
+To specify the details of authentication used by a proxy to log in as a specific database
+user use the `clientPasswordAuthType` property:
+
+```python
+# vpc: ec2.Vpc
+
+cluster = rds.DatabaseCluster(self, "Database",
+    engine=rds.DatabaseClusterEngine.aurora_mysql(
+        version=rds.AuroraMysqlEngineVersion.VER_3_03_0
+    ),
+    writer=rds.ClusterInstance.provisioned("writer"),
+    vpc=vpc
+)
+
+proxy = rds.DatabaseProxy(self, "Proxy",
+    proxy_target=rds.ProxyTarget.from_cluster(cluster),
+    secrets=[cluster.secret],
+    vpc=vpc,
+    client_password_auth_type=rds.ClientPasswordAuthType.MYSQL_NATIVE_PASSWORD
+)
+```
+
 ### Cluster
 
 The following example shows granting connection access for an IAM role to an Aurora Cluster.
@@ -1257,7 +1279,9 @@ cluster = rds.ServerlessCluster(self, "AnotherCluster",
     scaling=rds.ServerlessScalingOptions(
         auto_pause=Duration.minutes(10),  # default is to pause after 5 minutes of idle time
         min_capacity=rds.AuroraCapacityUnit.ACU_8,  # default is 2 Aurora capacity units (ACUs)
-        max_capacity=rds.AuroraCapacityUnit.ACU_32
+        max_capacity=rds.AuroraCapacityUnit.ACU_32,  # default is 16 Aurora capacity units (ACUs)
+        timeout=Duration.seconds(100),  # default is 5 minutes
+        timeout_action=rds.TimeoutAction.FORCE_APPLY_CAPACITY_CHANGE
     )
 )
 ```
@@ -1425,7 +1449,9 @@ class AuroraCapacityUnit(enum.Enum):
             scaling=rds.ServerlessScalingOptions(
                 auto_pause=Duration.minutes(10),  # default is to pause after 5 minutes of idle time
                 min_capacity=rds.AuroraCapacityUnit.ACU_8,  # default is 2 Aurora capacity units (ACUs)
-                max_capacity=rds.AuroraCapacityUnit.ACU_32
+                max_capacity=rds.AuroraCapacityUnit.ACU_32,  # default is 16 Aurora capacity units (ACUs)
+                timeout=Duration.seconds(100),  # default is 5 minutes
+                timeout_action=rds.TimeoutAction.FORCE_APPLY_CAPACITY_CHANGE
             )
         )
     '''
@@ -2876,6 +2902,12 @@ class AuroraPostgresEngineVersion(
         '''Version "12.16".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_12_16"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_12_17")
+    def VER_12_17(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "12.17".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_12_17"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_12_4")
     def VER_12_4(cls) -> "AuroraPostgresEngineVersion":
@@ -2944,6 +2976,12 @@ class AuroraPostgresEngineVersion(
         '''Version "13.12".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_13_12"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_13_13")
+    def VER_13_13(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "13.13".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_13_13"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_13_3")
     def VER_13_3(cls) -> "AuroraPostgresEngineVersion":
@@ -3006,6 +3044,12 @@ class AuroraPostgresEngineVersion(
         '''Version "13.9".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_13_9"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_14_10")
+    def VER_14_10(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "14.10".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_14_10"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_14_3")
     def VER_14_3(cls) -> "AuroraPostgresEngineVersion":
@@ -3071,6 +3115,18 @@ class AuroraPostgresEngineVersion(
         '''Version "15.4".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_15_4"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_15_5")
+    def VER_15_5(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "15.5".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_15_5"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_16_0")
+    def VER_16_0(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "16.0". Version 16.0 is available in preview environment as of November 15, 2023.'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_16_0"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_9_6_11")
     def VER_9_6_11(cls) -> "AuroraPostgresEngineVersion":
@@ -7566,7 +7622,7 @@ class CfnDBInstance(
         :param auto_minor_version_upgrade: A value that indicates whether minor engine upgrades are applied automatically to the DB instance during the maintenance window. By default, minor engine upgrades are applied automatically.
         :param availability_zone: The Availability Zone (AZ) where the database will be created. For information on AWS Regions and Availability Zones, see `Regions and Availability Zones <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html>`_ . For Amazon Aurora, each Aurora DB cluster hosts copies of its storage in three separate Availability Zones. Specify one of these Availability Zones. Aurora automatically chooses an appropriate Availability Zone if you don't specify one. Default: A random, system-chosen Availability Zone in the endpoint's AWS Region . Constraints: - The ``AvailabilityZone`` parameter can't be specified if the DB instance is a Multi-AZ deployment. - The specified Availability Zone must be in the same AWS Region as the current endpoint. Example: ``us-east-1d``
         :param backup_retention_period: The number of days for which automated backups are retained. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups. *Amazon Aurora* Not applicable. The retention period for automated backups is managed by the DB cluster. Default: 1 Constraints: - Must be a value from 0 to 35 - Can't be set to 0 if the DB instance is a source to read replicas Default: - 1
-        :param ca_certificate_identifier: The identifier of the CA certificate for this DB instance. .. epigraph:: Specifying or updating this property triggers a reboot. For more information about CA certificate identifiers for RDS DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon RDS User Guide* . For more information about CA certificate identifiers for Aurora DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon Aurora User Guide* .
+        :param ca_certificate_identifier: The identifier of the CA certificate for this DB instance. Specifying or updating this property triggers a reboot. For more information about CA certificate identifiers for RDS DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon RDS User Guide* . For more information about CA certificate identifiers for Aurora DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon Aurora User Guide* .
         :param certificate_details: The details of the DB instance's server certificate.
         :param certificate_rotation_restart: Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate. By default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted. .. epigraph:: Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. If you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate: - For more information about rotating your SSL/TLS certificate for RDS DB engines, see `Rotating Your SSL/TLS Certificate. <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon RDS User Guide.* - For more information about rotating your SSL/TLS certificate for Aurora DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon Aurora User Guide* . This setting doesn't apply to RDS Custom DB instances.
         :param character_set_name: For supported engines, indicates that the DB instance should be associated with the specified character set. *Amazon Aurora* Not applicable. The character set is managed by the DB cluster. For more information, see `AWS::RDS::DBCluster <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html>`_ .
@@ -9550,7 +9606,7 @@ class CfnDBInstanceProps:
         :param auto_minor_version_upgrade: A value that indicates whether minor engine upgrades are applied automatically to the DB instance during the maintenance window. By default, minor engine upgrades are applied automatically.
         :param availability_zone: The Availability Zone (AZ) where the database will be created. For information on AWS Regions and Availability Zones, see `Regions and Availability Zones <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html>`_ . For Amazon Aurora, each Aurora DB cluster hosts copies of its storage in three separate Availability Zones. Specify one of these Availability Zones. Aurora automatically chooses an appropriate Availability Zone if you don't specify one. Default: A random, system-chosen Availability Zone in the endpoint's AWS Region . Constraints: - The ``AvailabilityZone`` parameter can't be specified if the DB instance is a Multi-AZ deployment. - The specified Availability Zone must be in the same AWS Region as the current endpoint. Example: ``us-east-1d``
         :param backup_retention_period: The number of days for which automated backups are retained. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups. *Amazon Aurora* Not applicable. The retention period for automated backups is managed by the DB cluster. Default: 1 Constraints: - Must be a value from 0 to 35 - Can't be set to 0 if the DB instance is a source to read replicas Default: - 1
-        :param ca_certificate_identifier: The identifier of the CA certificate for this DB instance. .. epigraph:: Specifying or updating this property triggers a reboot. For more information about CA certificate identifiers for RDS DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon RDS User Guide* . For more information about CA certificate identifiers for Aurora DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon Aurora User Guide* .
+        :param ca_certificate_identifier: The identifier of the CA certificate for this DB instance. Specifying or updating this property triggers a reboot. For more information about CA certificate identifiers for RDS DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon RDS User Guide* . For more information about CA certificate identifiers for Aurora DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon Aurora User Guide* .
         :param certificate_details: The details of the DB instance's server certificate.
         :param certificate_rotation_restart: Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate. By default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted. .. epigraph:: Set this parameter only if you are *not* using SSL/TLS to connect to the DB instance. If you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate: - For more information about rotating your SSL/TLS certificate for RDS DB engines, see `Rotating Your SSL/TLS Certificate. <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon RDS User Guide.* - For more information about rotating your SSL/TLS certificate for Aurora DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon Aurora User Guide* . This setting doesn't apply to RDS Custom DB instances.
         :param character_set_name: For supported engines, indicates that the DB instance should be associated with the specified character set. *Amazon Aurora* Not applicable. The character set is managed by the DB cluster. For more information, see `AWS::RDS::DBCluster <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html>`_ .
@@ -10133,13 +10189,7 @@ class CfnDBInstanceProps:
     def ca_certificate_identifier(self) -> typing.Optional[builtins.str]:
         '''The identifier of the CA certificate for this DB instance.
 
-        .. epigraph::
-
-           Specifying or updating this property triggers a reboot.
-
-        For more information about CA certificate identifiers for RDS DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon RDS User Guide* .
-
-        For more information about CA certificate identifiers for Aurora DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon Aurora User Guide* .
+        Specifying or updating this property triggers a reboot. For more information about CA certificate identifiers for RDS DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon RDS User Guide* . For more information about CA certificate identifiers for Aurora DB engines, see `Rotating Your SSL/TLS Certificate <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html>`_ in the *Amazon Aurora User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-cacertificateidentifier
         '''
@@ -15955,6 +16005,42 @@ class CfnOptionGroupProps:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_rds.ClientPasswordAuthType")
+class ClientPasswordAuthType(enum.Enum):
+    '''Client password authentication type used by a proxy to log in as a specific database user.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # vpc: ec2.Vpc
+        
+        cluster = rds.DatabaseCluster(self, "Database",
+            engine=rds.DatabaseClusterEngine.aurora_mysql(
+                version=rds.AuroraMysqlEngineVersion.VER_3_03_0
+            ),
+            writer=rds.ClusterInstance.provisioned("writer"),
+            vpc=vpc
+        )
+        
+        proxy = rds.DatabaseProxy(self, "Proxy",
+            proxy_target=rds.ProxyTarget.from_cluster(cluster),
+            secrets=[cluster.secret],
+            vpc=vpc,
+            client_password_auth_type=rds.ClientPasswordAuthType.MYSQL_NATIVE_PASSWORD
+        )
+    '''
+
+    MYSQL_NATIVE_PASSWORD = "MYSQL_NATIVE_PASSWORD"
+    '''MySQL Native Password client authentication type.'''
+    POSTGRES_SCRAM_SHA_256 = "POSTGRES_SCRAM_SHA_256"
+    '''SCRAM SHA 256 client authentication type.'''
+    POSTGRES_MD5 = "POSTGRES_MD5"
+    '''PostgreSQL MD5 client authentication type.'''
+    SQL_SERVER_AUTHENTICATION = "SQL_SERVER_AUTHENTICATION"
+    '''SQL Server Authentication client authentication type.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_rds.ClusterEngineBindOptions",
     jsii_struct_bases=[],
@@ -22708,6 +22794,7 @@ class DatabaseProxyAttributes:
         "secrets": "secrets",
         "vpc": "vpc",
         "borrow_timeout": "borrowTimeout",
+        "client_password_auth_type": "clientPasswordAuthType",
         "db_proxy_name": "dbProxyName",
         "debug_logging": "debugLogging",
         "iam_auth": "iamAuth",
@@ -22729,6 +22816,7 @@ class DatabaseProxyOptions:
         secrets: typing.Sequence[_ISecret_6e020e6a],
         vpc: _IVpc_f30d5663,
         borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
         db_proxy_name: typing.Optional[builtins.str] = None,
         debug_logging: typing.Optional[builtins.bool] = None,
         iam_auth: typing.Optional[builtins.bool] = None,
@@ -22747,6 +22835,7 @@ class DatabaseProxyOptions:
         :param secrets: The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. One or more secrets are required.
         :param vpc: The VPC to associate with the new proxy.
         :param borrow_timeout: The duration for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. Value must be between 1 second and 1 hour, or ``Duration.seconds(0)`` to represent unlimited. Default: cdk.Duration.seconds(120)
+        :param client_password_auth_type: Specifies the details of authentication used by a proxy to log in as a specific database user. Default: - CloudFormation defaults will apply given the specified database engine.
         :param db_proxy_name: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. Default: - Generated by CloudFormation (recommended)
         :param debug_logging: Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. Default: false
         :param iam_auth: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Default: false
@@ -22784,6 +22873,7 @@ class DatabaseProxyOptions:
             check_type(argname="argument secrets", value=secrets, expected_type=type_hints["secrets"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument borrow_timeout", value=borrow_timeout, expected_type=type_hints["borrow_timeout"])
+            check_type(argname="argument client_password_auth_type", value=client_password_auth_type, expected_type=type_hints["client_password_auth_type"])
             check_type(argname="argument db_proxy_name", value=db_proxy_name, expected_type=type_hints["db_proxy_name"])
             check_type(argname="argument debug_logging", value=debug_logging, expected_type=type_hints["debug_logging"])
             check_type(argname="argument iam_auth", value=iam_auth, expected_type=type_hints["iam_auth"])
@@ -22802,6 +22892,8 @@ class DatabaseProxyOptions:
         }
         if borrow_timeout is not None:
             self._values["borrow_timeout"] = borrow_timeout
+        if client_password_auth_type is not None:
+            self._values["client_password_auth_type"] = client_password_auth_type
         if db_proxy_name is not None:
             self._values["db_proxy_name"] = db_proxy_name
         if debug_logging is not None:
@@ -22859,6 +22951,15 @@ class DatabaseProxyOptions:
         result = self._values.get("borrow_timeout")
         return typing.cast(typing.Optional[_Duration_4839e8c3], result)
 
+    @builtins.property
+    def client_password_auth_type(self) -> typing.Optional[ClientPasswordAuthType]:
+        '''Specifies the details of authentication used by a proxy to log in as a specific database user.
+
+        :default: - CloudFormation defaults will apply given the specified database engine.
+        '''
+        result = self._values.get("client_password_auth_type")
+        return typing.cast(typing.Optional[ClientPasswordAuthType], result)
+
     @builtins.property
     def db_proxy_name(self) -> typing.Optional[builtins.str]:
         '''The identifier for the proxy.
@@ -23023,6 +23124,7 @@ class DatabaseProxyOptions:
         "secrets": "secrets",
         "vpc": "vpc",
         "borrow_timeout": "borrowTimeout",
+        "client_password_auth_type": "clientPasswordAuthType",
         "db_proxy_name": "dbProxyName",
         "debug_logging": "debugLogging",
         "iam_auth": "iamAuth",
@@ -23045,6 +23147,7 @@ class DatabaseProxyProps(DatabaseProxyOptions):
         secrets: typing.Sequence[_ISecret_6e020e6a],
         vpc: _IVpc_f30d5663,
         borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
         db_proxy_name: typing.Optional[builtins.str] = None,
         debug_logging: typing.Optional[builtins.bool] = None,
         iam_auth: typing.Optional[builtins.bool] = None,
@@ -23064,6 +23167,7 @@ class DatabaseProxyProps(DatabaseProxyOptions):
         :param secrets: The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. One or more secrets are required.
         :param vpc: The VPC to associate with the new proxy.
         :param borrow_timeout: The duration for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. Value must be between 1 second and 1 hour, or ``Duration.seconds(0)`` to represent unlimited. Default: cdk.Duration.seconds(120)
+        :param client_password_auth_type: Specifies the details of authentication used by a proxy to log in as a specific database user. Default: - CloudFormation defaults will apply given the specified database engine.
         :param db_proxy_name: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. Default: - Generated by CloudFormation (recommended)
         :param debug_logging: Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. Default: false
         :param iam_auth: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Default: false
@@ -23108,6 +23212,7 @@ class DatabaseProxyProps(DatabaseProxyOptions):
             check_type(argname="argument secrets", value=secrets, expected_type=type_hints["secrets"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
             check_type(argname="argument borrow_timeout", value=borrow_timeout, expected_type=type_hints["borrow_timeout"])
+            check_type(argname="argument client_password_auth_type", value=client_password_auth_type, expected_type=type_hints["client_password_auth_type"])
             check_type(argname="argument db_proxy_name", value=db_proxy_name, expected_type=type_hints["db_proxy_name"])
             check_type(argname="argument debug_logging", value=debug_logging, expected_type=type_hints["debug_logging"])
             check_type(argname="argument iam_auth", value=iam_auth, expected_type=type_hints["iam_auth"])
@@ -23128,6 +23233,8 @@ class DatabaseProxyProps(DatabaseProxyOptions):
         }
         if borrow_timeout is not None:
             self._values["borrow_timeout"] = borrow_timeout
+        if client_password_auth_type is not None:
+            self._values["client_password_auth_type"] = client_password_auth_type
         if db_proxy_name is not None:
             self._values["db_proxy_name"] = db_proxy_name
         if debug_logging is not None:
@@ -23185,6 +23292,15 @@ class DatabaseProxyProps(DatabaseProxyOptions):
         result = self._values.get("borrow_timeout")
         return typing.cast(typing.Optional[_Duration_4839e8c3], result)
 
+    @builtins.property
+    def client_password_auth_type(self) -> typing.Optional[ClientPasswordAuthType]:
+        '''Specifies the details of authentication used by a proxy to log in as a specific database user.
+
+        :default: - CloudFormation defaults will apply given the specified database engine.
+        '''
+        result = self._values.get("client_password_auth_type")
+        return typing.cast(typing.Optional[ClientPasswordAuthType], result)
+
     @builtins.property
     def db_proxy_name(self) -> typing.Optional[builtins.str]:
         '''The identifier for the proxy.
@@ -24042,6 +24158,7 @@ class IDatabaseCluster(
         secrets: typing.Sequence[_ISecret_6e020e6a],
         vpc: _IVpc_f30d5663,
         borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
         db_proxy_name: typing.Optional[builtins.str] = None,
         debug_logging: typing.Optional[builtins.bool] = None,
         iam_auth: typing.Optional[builtins.bool] = None,
@@ -24061,6 +24178,7 @@ class IDatabaseCluster(
         :param secrets: The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. One or more secrets are required.
         :param vpc: The VPC to associate with the new proxy.
         :param borrow_timeout: The duration for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. Value must be between 1 second and 1 hour, or ``Duration.seconds(0)`` to represent unlimited. Default: cdk.Duration.seconds(120)
+        :param client_password_auth_type: Specifies the details of authentication used by a proxy to log in as a specific database user. Default: - CloudFormation defaults will apply given the specified database engine.
         :param db_proxy_name: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. Default: - Generated by CloudFormation (recommended)
         :param debug_logging: Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. Default: false
         :param iam_auth: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Default: false
@@ -24581,6 +24699,7 @@ class _IDatabaseClusterProxy(
         secrets: typing.Sequence[_ISecret_6e020e6a],
         vpc: _IVpc_f30d5663,
         borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
         db_proxy_name: typing.Optional[builtins.str] = None,
         debug_logging: typing.Optional[builtins.bool] = None,
         iam_auth: typing.Optional[builtins.bool] = None,
@@ -24600,6 +24719,7 @@ class _IDatabaseClusterProxy(
         :param secrets: The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. One or more secrets are required.
         :param vpc: The VPC to associate with the new proxy.
         :param borrow_timeout: The duration for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. Value must be between 1 second and 1 hour, or ``Duration.seconds(0)`` to represent unlimited. Default: cdk.Duration.seconds(120)
+        :param client_password_auth_type: Specifies the details of authentication used by a proxy to log in as a specific database user. Default: - CloudFormation defaults will apply given the specified database engine.
         :param db_proxy_name: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. Default: - Generated by CloudFormation (recommended)
         :param debug_logging: Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. Default: false
         :param iam_auth: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Default: false
@@ -24620,6 +24740,7 @@ class _IDatabaseClusterProxy(
             secrets=secrets,
             vpc=vpc,
             borrow_timeout=borrow_timeout,
+            client_password_auth_type=client_password_auth_type,
             db_proxy_name=db_proxy_name,
             debug_logging=debug_logging,
             iam_auth=iam_auth,
@@ -25319,6 +25440,7 @@ class IDatabaseInstance(
         secrets: typing.Sequence[_ISecret_6e020e6a],
         vpc: _IVpc_f30d5663,
         borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
         db_proxy_name: typing.Optional[builtins.str] = None,
         debug_logging: typing.Optional[builtins.bool] = None,
         iam_auth: typing.Optional[builtins.bool] = None,
@@ -25338,6 +25460,7 @@ class IDatabaseInstance(
         :param secrets: The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. One or more secrets are required.
         :param vpc: The VPC to associate with the new proxy.
         :param borrow_timeout: The duration for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. Value must be between 1 second and 1 hour, or ``Duration.seconds(0)`` to represent unlimited. Default: cdk.Duration.seconds(120)
+        :param client_password_auth_type: Specifies the details of authentication used by a proxy to log in as a specific database user. Default: - CloudFormation defaults will apply given the specified database engine.
         :param db_proxy_name: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. Default: - Generated by CloudFormation (recommended)
         :param debug_logging: Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. Default: false
         :param iam_auth: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Default: false
@@ -25662,6 +25785,7 @@ class _IDatabaseInstanceProxy(
         secrets: typing.Sequence[_ISecret_6e020e6a],
         vpc: _IVpc_f30d5663,
         borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
         db_proxy_name: typing.Optional[builtins.str] = None,
         debug_logging: typing.Optional[builtins.bool] = None,
         iam_auth: typing.Optional[builtins.bool] = None,
@@ -25681,6 +25805,7 @@ class _IDatabaseInstanceProxy(
         :param secrets: The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. One or more secrets are required.
         :param vpc: The VPC to associate with the new proxy.
         :param borrow_timeout: The duration for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. Value must be between 1 second and 1 hour, or ``Duration.seconds(0)`` to represent unlimited. Default: cdk.Duration.seconds(120)
+        :param client_password_auth_type: Specifies the details of authentication used by a proxy to log in as a specific database user. Default: - CloudFormation defaults will apply given the specified database engine.
         :param db_proxy_name: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. Default: - Generated by CloudFormation (recommended)
         :param debug_logging: Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. Default: false
         :param iam_auth: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Default: false
@@ -25701,6 +25826,7 @@ class _IDatabaseInstanceProxy(
             secrets=secrets,
             vpc=vpc,
             borrow_timeout=borrow_timeout,
+            client_password_auth_type=client_password_auth_type,
             db_proxy_name=db_proxy_name,
             debug_logging=debug_logging,
             iam_auth=iam_auth,
@@ -33279,6 +33405,8 @@ class ServerlessClusterProps:
         "auto_pause": "autoPause",
         "max_capacity": "maxCapacity",
         "min_capacity": "minCapacity",
+        "timeout": "timeout",
+        "timeout_action": "timeoutAction",
     },
 )
 class ServerlessScalingOptions:
@@ -33288,12 +33416,16 @@ class ServerlessScalingOptions:
         auto_pause: typing.Optional[_Duration_4839e8c3] = None,
         max_capacity: typing.Optional[AuroraCapacityUnit] = None,
         min_capacity: typing.Optional[AuroraCapacityUnit] = None,
+        timeout: typing.Optional[_Duration_4839e8c3] = None,
+        timeout_action: typing.Optional["TimeoutAction"] = None,
     ) -> None:
         '''Options for configuring scaling on an Aurora Serverless cluster.
 
         :param auto_pause: The time before an Aurora Serverless database cluster is paused. A database cluster can be paused only when it is idle (it has no connections). Auto pause time must be between 5 minutes and 1 day. If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it. Set to 0 to disable Default: - automatic pause enabled after 5 minutes
         :param max_capacity: The maximum capacity for an Aurora Serverless database cluster. Default: - determined by Aurora based on database engine
         :param min_capacity: The minimum capacity for an Aurora Serverless database cluster. Default: - determined by Aurora based on database engine
+        :param timeout: The amount of time that Aurora Serverless v1 tries to find a scaling point to perform seamless scaling before enforcing the timeout action. Default: - 5 minutes
+        :param timeout_action: The action to take when the timeout is reached. Selecting ForceApplyCapacityChange will force the capacity to the specified value as soon as possible, even without a scaling point. Selecting RollbackCapacityChange will ignore the capacity change if a scaling point is not found. This is the default behavior. Default: - TimeoutAction.ROLLBACK_CAPACITY_CHANGE
 
         :exampleMetadata: infused
 
@@ -33310,7 +33442,9 @@ class ServerlessScalingOptions:
                 scaling=rds.ServerlessScalingOptions(
                     auto_pause=Duration.minutes(10),  # default is to pause after 5 minutes of idle time
                     min_capacity=rds.AuroraCapacityUnit.ACU_8,  # default is 2 Aurora capacity units (ACUs)
-                    max_capacity=rds.AuroraCapacityUnit.ACU_32
+                    max_capacity=rds.AuroraCapacityUnit.ACU_32,  # default is 16 Aurora capacity units (ACUs)
+                    timeout=Duration.seconds(100),  # default is 5 minutes
+                    timeout_action=rds.TimeoutAction.FORCE_APPLY_CAPACITY_CHANGE
                 )
             )
         '''
@@ -33319,6 +33453,8 @@ class ServerlessScalingOptions:
             check_type(argname="argument auto_pause", value=auto_pause, expected_type=type_hints["auto_pause"])
             check_type(argname="argument max_capacity", value=max_capacity, expected_type=type_hints["max_capacity"])
             check_type(argname="argument min_capacity", value=min_capacity, expected_type=type_hints["min_capacity"])
+            check_type(argname="argument timeout", value=timeout, expected_type=type_hints["timeout"])
+            check_type(argname="argument timeout_action", value=timeout_action, expected_type=type_hints["timeout_action"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if auto_pause is not None:
             self._values["auto_pause"] = auto_pause
@@ -33326,6 +33462,10 @@ class ServerlessScalingOptions:
             self._values["max_capacity"] = max_capacity
         if min_capacity is not None:
             self._values["min_capacity"] = min_capacity
+        if timeout is not None:
+            self._values["timeout"] = timeout
+        if timeout_action is not None:
+            self._values["timeout_action"] = timeout_action
 
     @builtins.property
     def auto_pause(self) -> typing.Optional[_Duration_4839e8c3]:
@@ -33363,6 +33503,27 @@ class ServerlessScalingOptions:
         result = self._values.get("min_capacity")
         return typing.cast(typing.Optional[AuroraCapacityUnit], result)
 
+    @builtins.property
+    def timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The amount of time that Aurora Serverless v1 tries to find a scaling point to perform seamless scaling before enforcing the timeout action.
+
+        :default: - 5 minutes
+        '''
+        result = self._values.get("timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def timeout_action(self) -> typing.Optional["TimeoutAction"]:
+        '''The action to take when the timeout is reached.
+
+        Selecting ForceApplyCapacityChange will force the capacity to the specified value as soon as possible, even without a scaling point.
+        Selecting RollbackCapacityChange will ignore the capacity change if a scaling point is not found. This is the default behavior.
+
+        :default: - TimeoutAction.ROLLBACK_CAPACITY_CHANGE
+        '''
+        result = self._values.get("timeout_action")
+        return typing.cast(typing.Optional["TimeoutAction"], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -34580,6 +34741,18 @@ class SqlServerEngineVersion(
         '''Version "15.00.4335.1.v1".'''
         return typing.cast("SqlServerEngineVersion", jsii.sget(cls, "VER_15_00_4335_1_V1"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_15_00_4345_5_V1")
+    def VER_15_00_4345_5_V1(cls) -> "SqlServerEngineVersion":
+        '''Version "15.00.4345.5.v1".'''
+        return typing.cast("SqlServerEngineVersion", jsii.sget(cls, "VER_15_00_4345_5_V1"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_16")
+    def VER_16(cls) -> "SqlServerEngineVersion":
+        '''Version "16.00" (only a major version, without a specific minor version).'''
+        return typing.cast("SqlServerEngineVersion", jsii.sget(cls, "VER_16"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_16_00_4085_2_V1")
     def VER_16_00_4085_2_V1(cls) -> "SqlServerEngineVersion":
@@ -35113,6 +35286,46 @@ class SubnetGroupProps:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_rds.TimeoutAction")
+class TimeoutAction(enum.Enum):
+    '''TimeoutAction defines the action to take when a timeout occurs if a scaling point is not found.
+
+    :see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v1.how-it-works.html#aurora-serverless.how-it-works.timeout-action
+    :exampleMetadata: infused
+
+    Example::
+
+        # vpc: ec2.Vpc
+        
+        
+        cluster = rds.ServerlessCluster(self, "AnotherCluster",
+            engine=rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
+            copy_tags_to_snapshot=True,  # whether to save the cluster tags when creating the snapshot. Default is 'true'
+            parameter_group=rds.ParameterGroup.from_parameter_group_name(self, "ParameterGroup", "default.aurora-postgresql10"),
+            vpc=vpc,
+            scaling=rds.ServerlessScalingOptions(
+                auto_pause=Duration.minutes(10),  # default is to pause after 5 minutes of idle time
+                min_capacity=rds.AuroraCapacityUnit.ACU_8,  # default is 2 Aurora capacity units (ACUs)
+                max_capacity=rds.AuroraCapacityUnit.ACU_32,  # default is 16 Aurora capacity units (ACUs)
+                timeout=Duration.seconds(100),  # default is 5 minutes
+                timeout_action=rds.TimeoutAction.FORCE_APPLY_CAPACITY_CHANGE
+            )
+        )
+    '''
+
+    FORCE_APPLY_CAPACITY_CHANGE = "FORCE_APPLY_CAPACITY_CHANGE"
+    '''FORCE_APPLY_CAPACITY_CHANGE sets the capacity to the specified value as soon as possible.
+
+    Transactions may be interrupted, and connections to temporary tables and locks may be dropped.
+    Only select this option if your application can recover from dropped connections or incomplete transactions.
+    '''
+    ROLLBACK_CAPACITY_CHANGE = "ROLLBACK_CAPACITY_CHANGE"
+    '''ROLLBACK_CAPACITY_CHANGE ignores the capacity change if a scaling point is not found.
+
+    This is the default behavior.
+    '''
+
+
 @jsii.implements(IClusterInstance)
 class ClusterInstance(
     metaclass=jsii.JSIIMeta,
@@ -35353,6 +35566,7 @@ class DatabaseClusterBase(
         secrets: typing.Sequence[_ISecret_6e020e6a],
         vpc: _IVpc_f30d5663,
         borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
         db_proxy_name: typing.Optional[builtins.str] = None,
         debug_logging: typing.Optional[builtins.bool] = None,
         iam_auth: typing.Optional[builtins.bool] = None,
@@ -35372,6 +35586,7 @@ class DatabaseClusterBase(
         :param secrets: The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. One or more secrets are required.
         :param vpc: The VPC to associate with the new proxy.
         :param borrow_timeout: The duration for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. Value must be between 1 second and 1 hour, or ``Duration.seconds(0)`` to represent unlimited. Default: cdk.Duration.seconds(120)
+        :param client_password_auth_type: Specifies the details of authentication used by a proxy to log in as a specific database user. Default: - CloudFormation defaults will apply given the specified database engine.
         :param db_proxy_name: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. Default: - Generated by CloudFormation (recommended)
         :param debug_logging: Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. Default: false
         :param iam_auth: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Default: false
@@ -35392,6 +35607,7 @@ class DatabaseClusterBase(
             secrets=secrets,
             vpc=vpc,
             borrow_timeout=borrow_timeout,
+            client_password_auth_type=client_password_auth_type,
             db_proxy_name=db_proxy_name,
             debug_logging=debug_logging,
             iam_auth=iam_auth,
@@ -36694,6 +36910,7 @@ class DatabaseInstanceBase(
         secrets: typing.Sequence[_ISecret_6e020e6a],
         vpc: _IVpc_f30d5663,
         borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
         db_proxy_name: typing.Optional[builtins.str] = None,
         debug_logging: typing.Optional[builtins.bool] = None,
         iam_auth: typing.Optional[builtins.bool] = None,
@@ -36713,6 +36930,7 @@ class DatabaseInstanceBase(
         :param secrets: The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. One or more secrets are required.
         :param vpc: The VPC to associate with the new proxy.
         :param borrow_timeout: The duration for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. Value must be between 1 second and 1 hour, or ``Duration.seconds(0)`` to represent unlimited. Default: cdk.Duration.seconds(120)
+        :param client_password_auth_type: Specifies the details of authentication used by a proxy to log in as a specific database user. Default: - CloudFormation defaults will apply given the specified database engine.
         :param db_proxy_name: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. Default: - Generated by CloudFormation (recommended)
         :param debug_logging: Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. Default: false
         :param iam_auth: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Default: false
@@ -36733,6 +36951,7 @@ class DatabaseInstanceBase(
             secrets=secrets,
             vpc=vpc,
             borrow_timeout=borrow_timeout,
+            client_password_auth_type=client_password_auth_type,
             db_proxy_name=db_proxy_name,
             debug_logging=debug_logging,
             iam_auth=iam_auth,
@@ -39792,11 +40011,9 @@ class DatabaseProxy(
         proxy = rds.DatabaseProxy(self, "Proxy",
             proxy_target=rds.ProxyTarget.from_cluster(cluster),
             secrets=[cluster.secret],
-            vpc=vpc
+            vpc=vpc,
+            client_password_auth_type=rds.ClientPasswordAuthType.MYSQL_NATIVE_PASSWORD
         )
-        
-        role = iam.Role(self, "DBProxyRole", assumed_by=iam.AccountPrincipal(self.account))
-        proxy.grant_connect(role, "admin")
     '''
 
     def __init__(
@@ -39808,6 +40025,7 @@ class DatabaseProxy(
         secrets: typing.Sequence[_ISecret_6e020e6a],
         vpc: _IVpc_f30d5663,
         borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
         db_proxy_name: typing.Optional[builtins.str] = None,
         debug_logging: typing.Optional[builtins.bool] = None,
         iam_auth: typing.Optional[builtins.bool] = None,
@@ -39828,6 +40046,7 @@ class DatabaseProxy(
         :param secrets: The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. One or more secrets are required.
         :param vpc: The VPC to associate with the new proxy.
         :param borrow_timeout: The duration for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. Value must be between 1 second and 1 hour, or ``Duration.seconds(0)`` to represent unlimited. Default: cdk.Duration.seconds(120)
+        :param client_password_auth_type: Specifies the details of authentication used by a proxy to log in as a specific database user. Default: - CloudFormation defaults will apply given the specified database engine.
         :param db_proxy_name: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. Default: - Generated by CloudFormation (recommended)
         :param debug_logging: Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. Default: false
         :param iam_auth: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Default: false
@@ -39850,6 +40069,7 @@ class DatabaseProxy(
             secrets=secrets,
             vpc=vpc,
             borrow_timeout=borrow_timeout,
+            client_password_auth_type=client_password_auth_type,
             db_proxy_name=db_proxy_name,
             debug_logging=debug_logging,
             iam_auth=iam_auth,
@@ -41006,6 +41226,7 @@ __all__ = [
     "CfnGlobalClusterProps",
     "CfnOptionGroup",
     "CfnOptionGroupProps",
+    "ClientPasswordAuthType",
     "ClusterEngineBindOptions",
     "ClusterEngineConfig",
     "ClusterEngineFeatures",
@@ -41111,6 +41332,7 @@ __all__ = [
     "StorageType",
     "SubnetGroup",
     "SubnetGroupProps",
+    "TimeoutAction",
 ]
 
 publication.publish()
@@ -43765,6 +43987,7 @@ def _typecheckingstub__b1364fc4a6f282f0983046855ebcccd28a886dcf87529b7c146731570
     secrets: typing.Sequence[_ISecret_6e020e6a],
     vpc: _IVpc_f30d5663,
     borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
     db_proxy_name: typing.Optional[builtins.str] = None,
     debug_logging: typing.Optional[builtins.bool] = None,
     iam_auth: typing.Optional[builtins.bool] = None,
@@ -43786,6 +44009,7 @@ def _typecheckingstub__9c2a07edd3cc888abd237aad605bd4ef9d0dcee9338dbfb923f0d5488
     secrets: typing.Sequence[_ISecret_6e020e6a],
     vpc: _IVpc_f30d5663,
     borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
     db_proxy_name: typing.Optional[builtins.str] = None,
     debug_logging: typing.Optional[builtins.bool] = None,
     iam_auth: typing.Optional[builtins.bool] = None,
@@ -43867,6 +44091,7 @@ def _typecheckingstub__cc014f052070ff8221cfea3705aabe02b81605d77d8c0391cfd1b437b
     secrets: typing.Sequence[_ISecret_6e020e6a],
     vpc: _IVpc_f30d5663,
     borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
     db_proxy_name: typing.Optional[builtins.str] = None,
     debug_logging: typing.Optional[builtins.bool] = None,
     iam_auth: typing.Optional[builtins.bool] = None,
@@ -43911,6 +44136,7 @@ def _typecheckingstub__82275f6c142bc7bc61c7b1dbb8e8fef70822986e2806e0e0d4173aeb1
     secrets: typing.Sequence[_ISecret_6e020e6a],
     vpc: _IVpc_f30d5663,
     borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
     db_proxy_name: typing.Optional[builtins.str] = None,
     debug_logging: typing.Optional[builtins.bool] = None,
     iam_auth: typing.Optional[builtins.bool] = None,
@@ -44456,6 +44682,8 @@ def _typecheckingstub__9a1f89c0c65d19c59a39815eed12ef2c6e9e165d64a4cae0e66976870
     auto_pause: typing.Optional[_Duration_4839e8c3] = None,
     max_capacity: typing.Optional[AuroraCapacityUnit] = None,
     min_capacity: typing.Optional[AuroraCapacityUnit] = None,
+    timeout: typing.Optional[_Duration_4839e8c3] = None,
+    timeout_action: typing.Optional[TimeoutAction] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -44662,6 +44890,7 @@ def _typecheckingstub__9e7b9f9993460ed4933effe80545b41147c8e758c88df339423fdef3e
     secrets: typing.Sequence[_ISecret_6e020e6a],
     vpc: _IVpc_f30d5663,
     borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
     db_proxy_name: typing.Optional[builtins.str] = None,
     debug_logging: typing.Optional[builtins.bool] = None,
     iam_auth: typing.Optional[builtins.bool] = None,
@@ -44801,6 +45030,7 @@ def _typecheckingstub__1a570d3e3410884069b8a67a8efdb043b454116fb50145140aeead995
     secrets: typing.Sequence[_ISecret_6e020e6a],
     vpc: _IVpc_f30d5663,
     borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
     db_proxy_name: typing.Optional[builtins.str] = None,
     debug_logging: typing.Optional[builtins.bool] = None,
     iam_auth: typing.Optional[builtins.bool] = None,
@@ -45126,6 +45356,7 @@ def _typecheckingstub__15a5a083e6c872f4fd6b153de10a2f345844db34e421f370cd8d33bc8
     secrets: typing.Sequence[_ISecret_6e020e6a],
     vpc: _IVpc_f30d5663,
     borrow_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    client_password_auth_type: typing.Optional[ClientPasswordAuthType] = None,
     db_proxy_name: typing.Optional[builtins.str] = None,
     debug_logging: typing.Optional[builtins.bool] = None,
     iam_auth: typing.Optional[builtins.bool] = None,