aws-cdk-lib 2.132.1__py3-none-any.whl → 2.134.0__py3-none-any.whl

aws_cdk/aws_codebuild/__init__.py

@@ -5338,7 +5338,7 @@ class CfnProject(
                The Webhook feature isn't available in AWS CloudFormation for GitHub Enterprise projects. Use the AWS CLI or AWS CodeBuild console to create the webhook.
 
             :param pattern: For a ``WebHookFilter`` that uses ``EVENT`` type, a comma-separated string that specifies one or more events. For example, the webhook filter ``PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED`` allows all push, pull request created, and pull request updated events to trigger a build. For a ``WebHookFilter`` that uses any of the other filter types, a regular expression pattern. For example, a ``WebHookFilter`` that uses ``HEAD_REF`` for its ``type`` and the pattern ``^refs/heads/`` triggers a build when the head reference is a branch with a reference name ``refs/heads/branch-name`` .
-            :param type: The type of webhook filter. There are six webhook filter types: ``EVENT`` , ``ACTOR_ACCOUNT_ID`` , ``HEAD_REF`` , ``BASE_REF`` , ``FILE_PATH`` , and ``COMMIT_MESSAGE`` . - **EVENT** - A webhook event triggers a build when the provided ``pattern`` matches one of five event types: ``PUSH`` , ``PULL_REQUEST_CREATED`` , ``PULL_REQUEST_UPDATED`` , ``PULL_REQUEST_REOPENED`` , and ``PULL_REQUEST_MERGED`` . The ``EVENT`` patterns are specified as a comma-separated string. For example, ``PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED`` filters all push, pull request created, and pull request updated events. .. epigraph:: The ``PULL_REQUEST_REOPENED`` works with GitHub and GitHub Enterprise only. - **ACTOR_ACCOUNT_ID** - A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression ``pattern`` . - **HEAD_REF** - A webhook event triggers a build when the head reference matches the regular expression ``pattern`` . For example, ``refs/heads/branch-name`` and ``refs/tags/tag-name`` . Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events. - **BASE_REF** - A webhook event triggers a build when the base reference matches the regular expression ``pattern`` . For example, ``refs/heads/branch-name`` . .. epigraph:: Works with pull request events only. - **FILE_PATH** - A webhook triggers a build when the path of a changed file matches the regular expression ``pattern`` . .. epigraph:: Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events. - **COMMIT_MESSAGE** - A webhook triggers a build when the head commit message matches the regular expression ``pattern`` . .. epigraph:: Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.
+            :param type: The type of webhook filter. There are eight webhook filter types: ``EVENT`` , ``ACTOR_ACCOUNT_ID`` , ``HEAD_REF`` , ``BASE_REF`` , ``FILE_PATH`` , ``COMMIT_MESSAGE`` , ``TAG_NAME`` , and ``RELEASE_NAME`` . - EVENT - A webhook event triggers a build when the provided ``pattern`` matches one of eight event types: ``PUSH`` , ``PULL_REQUEST_CREATED`` , ``PULL_REQUEST_UPDATED`` , ``PULL_REQUEST_CLOSED`` , ``PULL_REQUEST_REOPENED`` , ``PULL_REQUEST_MERGED`` , ``RELEASED`` , and ``PRERELEASED`` . The ``EVENT`` patterns are specified as a comma-separated string. For example, ``PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED`` filters all push, pull request created, and pull request updated events. .. epigraph:: The ``PULL_REQUEST_REOPENED`` works with GitHub and GitHub Enterprise only. The ``RELEASED`` and ``PRERELEASED`` work with GitHub only. - ACTOR_ACCOUNT_ID - A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression ``pattern`` . - HEAD_REF - A webhook event triggers a build when the head reference matches the regular expression ``pattern`` . For example, ``refs/heads/branch-name`` and ``refs/tags/tag-name`` . .. epigraph:: Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events. - BASE_REF - A webhook event triggers a build when the base reference matches the regular expression ``pattern`` . For example, ``refs/heads/branch-name`` . .. epigraph:: Works with pull request events only. - FILE_PATH - A webhook triggers a build when the path of a changed file matches the regular expression ``pattern`` . .. epigraph:: Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events. - COMMIT_MESSAGE - A webhook triggers a build when the head commit message matches the regular expression ``pattern`` . .. epigraph:: Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events. - TAG_NAME - A webhook triggers a build when the tag name of the release matches the regular expression ``pattern`` . .. epigraph:: Works with ``RELEASED`` and ``PRERELEASED`` events only. - RELEASE_NAME - A webhook triggers a build when the release name matches the regular expression ``pattern`` . .. epigraph:: Works with ``RELEASED`` and ``PRERELEASED`` events only.
             :param exclude_matched_pattern: Used to indicate that the ``pattern`` determines which webhook events do not trigger a build. If true, then a webhook event that does not match the ``pattern`` triggers a build. If false, then a webhook event that matches the ``pattern`` triggers a build.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-webhookfilter.html
@@ -5388,37 +5388,59 @@ class CfnProject(
         def type(self) -> builtins.str:
             '''The type of webhook filter.
 
-            There are six webhook filter types: ``EVENT`` , ``ACTOR_ACCOUNT_ID`` , ``HEAD_REF`` , ``BASE_REF`` , ``FILE_PATH`` , and ``COMMIT_MESSAGE`` .
+            There are eight webhook filter types: ``EVENT`` , ``ACTOR_ACCOUNT_ID`` , ``HEAD_REF`` , ``BASE_REF`` , ``FILE_PATH`` , ``COMMIT_MESSAGE`` , ``TAG_NAME`` , and ``RELEASE_NAME`` .
 
-            - **EVENT** - A webhook event triggers a build when the provided ``pattern`` matches one of five event types: ``PUSH`` , ``PULL_REQUEST_CREATED`` , ``PULL_REQUEST_UPDATED`` , ``PULL_REQUEST_REOPENED`` , and ``PULL_REQUEST_MERGED`` . The ``EVENT`` patterns are specified as a comma-separated string. For example, ``PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED`` filters all push, pull request created, and pull request updated events.
+            - EVENT
+            - A webhook event triggers a build when the provided ``pattern`` matches one of eight event types: ``PUSH`` , ``PULL_REQUEST_CREATED`` , ``PULL_REQUEST_UPDATED`` , ``PULL_REQUEST_CLOSED`` , ``PULL_REQUEST_REOPENED`` , ``PULL_REQUEST_MERGED`` , ``RELEASED`` , and ``PRERELEASED`` . The ``EVENT`` patterns are specified as a comma-separated string. For example, ``PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED`` filters all push, pull request created, and pull request updated events.
 
             .. epigraph::
 
-               The ``PULL_REQUEST_REOPENED`` works with GitHub and GitHub Enterprise only.
+               The ``PULL_REQUEST_REOPENED`` works with GitHub and GitHub Enterprise only. The ``RELEASED`` and ``PRERELEASED`` work with GitHub only.
 
-            - **ACTOR_ACCOUNT_ID** - A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression ``pattern`` .
-            - **HEAD_REF** - A webhook event triggers a build when the head reference matches the regular expression ``pattern`` . For example, ``refs/heads/branch-name`` and ``refs/tags/tag-name`` .
+            - ACTOR_ACCOUNT_ID
+            - A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression ``pattern`` .
+            - HEAD_REF
+            - A webhook event triggers a build when the head reference matches the regular expression ``pattern`` . For example, ``refs/heads/branch-name`` and ``refs/tags/tag-name`` .
 
-            Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.
+            .. epigraph::
+
+               Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.
 
-            - **BASE_REF** - A webhook event triggers a build when the base reference matches the regular expression ``pattern`` . For example, ``refs/heads/branch-name`` .
+            - BASE_REF
+            - A webhook event triggers a build when the base reference matches the regular expression ``pattern`` . For example, ``refs/heads/branch-name`` .
 
             .. epigraph::
 
                Works with pull request events only.
 
-            - **FILE_PATH** - A webhook triggers a build when the path of a changed file matches the regular expression ``pattern`` .
+            - FILE_PATH
+            - A webhook triggers a build when the path of a changed file matches the regular expression ``pattern`` .
 
             .. epigraph::
 
                Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.
 
-            - **COMMIT_MESSAGE** - A webhook triggers a build when the head commit message matches the regular expression ``pattern`` .
+            - COMMIT_MESSAGE
+            - A webhook triggers a build when the head commit message matches the regular expression ``pattern`` .
 
             .. epigraph::
 
                Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.
 
+            - TAG_NAME
+            - A webhook triggers a build when the tag name of the release matches the regular expression ``pattern`` .
+
+            .. epigraph::
+
+               Works with ``RELEASED`` and ``PRERELEASED`` events only.
+
+            - RELEASE_NAME
+            - A webhook triggers a build when the release name matches the regular expression ``pattern`` .
+
+            .. epigraph::
+
+               Works with ``RELEASED`` and ``PRERELEASED`` events only.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-webhookfilter.html#cfn-codebuild-project-webhookfilter-type
             '''
             result = self._values.get("type")

aws_cdk/aws_codepipeline/__init__.py

@@ -647,6 +647,9 @@ codepipeline.Pipeline(self, "Pipeline",
 To migrate your pipeline type from V1 to V2, you just need to update the `pipelineType` property to `PipelineType.V2`.
 This migration does not cause replacement of your pipeline.
 
+When the `@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2` feature flag is set to `true` (default for new projects),
+the V2 type is selected by default if you do not specify a value for `pipelineType` property. Otherwise, the V1 type is selected.
+
 ```python
 codepipeline.Pipeline(self, "Pipeline",
     pipeline_type=codepipeline.PipelineType.V2
@@ -2355,7 +2358,8 @@ class CfnPipeline(
                     )],
                     region="region",
                     role_arn="roleArn",
-                    run_order=123
+                    run_order=123,
+                    timeout_in_minutes=123
                 )],
                 name="name",
         
@@ -2768,6 +2772,7 @@ class CfnPipeline(
             "region": "region",
             "role_arn": "roleArn",
             "run_order": "runOrder",
+            "timeout_in_minutes": "timeoutInMinutes",
         },
     )
     class ActionDeclarationProperty:
@@ -2783,13 +2788,10 @@ class CfnPipeline(
             region: typing.Optional[builtins.str] = None,
             role_arn: typing.Optional[builtins.str] = None,
             run_order: typing.Optional[jsii.Number] = None,
+            timeout_in_minutes: typing.Optional[jsii.Number] = None,
         ) -> None:
             '''Represents information about an action declaration.
 
-            .. epigraph::
-
-               Documentation for the ``timeoutInMinutes`` parameter in the ``ActionDeclaration`` is not yet available for CloudFormation and CDK resources in CodePipeline. For more information about the configurable timeout for manual approval actions, see the `ActionDeclaration <https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_ActionDeclaration.html>`_ in the CodePipeline API Reference.
-
             :param action_type_id: Specifies the action type and the provider of the action.
             :param name: The action declaration's name.
             :param configuration: The action's configuration. These are key-value pairs that specify input values for an action. For more information, see `Action Structure Requirements in CodePipeline <https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html#action-requirements>`_ . For the list of configuration properties for the AWS CloudFormation action type in CodePipeline, see `Configuration Properties Reference <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-action-reference.html>`_ in the *AWS CloudFormation User Guide* . For template snippets with examples, see `Using Parameter Override Functions with CodePipeline Pipelines <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-parameter-override-functions.html>`_ in the *AWS CloudFormation User Guide* . The values can be represented in either JSON or YAML format. For example, the JSON configuration item format is as follows: *JSON:* ``"Configuration" : { Key : Value },``
@@ -2799,6 +2801,7 @@ class CfnPipeline(
             :param region: The action declaration's AWS Region, such as us-east-1.
             :param role_arn: The ARN of the IAM service role that performs the declared action. This is assumed through the roleArn for the pipeline.
             :param run_order: The order in which actions are run.
+            :param timeout_in_minutes: A timeout duration in minutes that can be applied against the ActionType’s default timeout value specified in `Quotas for AWS CodePipeline <https://docs.aws.amazon.com/codepipeline/latest/userguide/limits.html>`_ . This attribute is available only to the manual approval ActionType.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-actiondeclaration.html
             :exampleMetadata: fixture=_generated
@@ -2831,7 +2834,8 @@ class CfnPipeline(
                     )],
                     region="region",
                     role_arn="roleArn",
-                    run_order=123
+                    run_order=123,
+                    timeout_in_minutes=123
                 )
             '''
             if __debug__:
@@ -2845,6 +2849,7 @@ class CfnPipeline(
                 check_type(argname="argument region", value=region, expected_type=type_hints["region"])
                 check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
                 check_type(argname="argument run_order", value=run_order, expected_type=type_hints["run_order"])
+                check_type(argname="argument timeout_in_minutes", value=timeout_in_minutes, expected_type=type_hints["timeout_in_minutes"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
                 "action_type_id": action_type_id,
                 "name": name,
@@ -2863,6 +2868,8 @@ class CfnPipeline(
                 self._values["role_arn"] = role_arn
             if run_order is not None:
                 self._values["run_order"] = run_order
+            if timeout_in_minutes is not None:
+                self._values["timeout_in_minutes"] = timeout_in_minutes
 
         @builtins.property
         def action_type_id(
@@ -2972,6 +2979,15 @@ class CfnPipeline(
             result = self._values.get("run_order")
             return typing.cast(typing.Optional[jsii.Number], result)
 
+        @builtins.property
+        def timeout_in_minutes(self) -> typing.Optional[jsii.Number]:
+            '''A timeout duration in minutes that can be applied against the ActionType’s default timeout value specified in `Quotas for AWS CodePipeline <https://docs.aws.amazon.com/codepipeline/latest/userguide/limits.html>`_ . This attribute is available only to the manual approval ActionType.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-actiondeclaration.html#cfn-codepipeline-pipeline-actiondeclaration-timeoutinminutes
+            '''
+            result = self._values.get("timeout_in_minutes")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -4254,7 +4270,8 @@ class CfnPipeline(
                         )],
                         region="region",
                         role_arn="roleArn",
-                        run_order=123
+                        run_order=123,
+                        timeout_in_minutes=123
                     )],
                     name="name",
                 
@@ -4568,7 +4585,8 @@ class CfnPipelineProps:
                         )],
                         region="region",
                         role_arn="roleArn",
-                        run_order=123
+                        run_order=123,
+                        timeout_in_minutes=123
                     )],
                     name="name",
             
@@ -7248,7 +7266,7 @@ class Pipeline(
         :param enable_key_rotation: Enable KMS key rotation for the generated KMS keys. By default KMS key rotation is disabled, but will add an additional $1/month for each year the key exists when enabled. Default: - false (key rotation is disabled)
         :param execution_mode: The method that the pipeline will use to handle multiple executions. Default: - ExecutionMode.SUPERSEDED
         :param pipeline_name: Name of the pipeline. Default: - AWS CloudFormation generates an ID and uses that for the pipeline name.
-        :param pipeline_type: Type of the pipeline. Default: - PipelineType.V1
+        :param pipeline_type: Type of the pipeline. Default: - PipelineType.V2 if the feature flag ``CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2`` is true, PipelineType.V1 otherwise
         :param restart_execution_on_update: Indicates whether to rerun the AWS CodePipeline pipeline after you update it. Default: false
         :param reuse_cross_region_support_stacks: Reuse the same cross region support stack for all pipelines in the App. Default: - true (Use the same support stack for all pipelines in App)
         :param role: The IAM role to be assumed by this Pipeline. Default: a new IAM role will be created.
@@ -7886,7 +7904,7 @@ class PipelineProps:
         :param enable_key_rotation: Enable KMS key rotation for the generated KMS keys. By default KMS key rotation is disabled, but will add an additional $1/month for each year the key exists when enabled. Default: - false (key rotation is disabled)
         :param execution_mode: The method that the pipeline will use to handle multiple executions. Default: - ExecutionMode.SUPERSEDED
         :param pipeline_name: Name of the pipeline. Default: - AWS CloudFormation generates an ID and uses that for the pipeline name.
-        :param pipeline_type: Type of the pipeline. Default: - PipelineType.V1
+        :param pipeline_type: Type of the pipeline. Default: - PipelineType.V2 if the feature flag ``CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2`` is true, PipelineType.V1 otherwise
         :param restart_execution_on_update: Indicates whether to rerun the AWS CodePipeline pipeline after you update it. Default: false
         :param reuse_cross_region_support_stacks: Reuse the same cross region support stack for all pipelines in the App. Default: - true (Use the same support stack for all pipelines in App)
         :param role: The IAM role to be assumed by this Pipeline. Default: a new IAM role will be created.
@@ -8054,7 +8072,10 @@ class PipelineProps:
     def pipeline_type(self) -> typing.Optional["PipelineType"]:
         '''Type of the pipeline.
 
-        :default: - PipelineType.V1
+        :default:
+
+        - PipelineType.V2 if the feature flag ``CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2``
+        is true, PipelineType.V1 otherwise
 
         :see: https://docs.aws.amazon.com/codepipeline/latest/userguide/pipeline-types-planning.html
         '''
@@ -9395,6 +9416,7 @@ def _typecheckingstub__490d89c9ac665593d791c6e187fcf0e47ca3ec8684f1c7a502e1711bc
     region: typing.Optional[builtins.str] = None,
     role_arn: typing.Optional[builtins.str] = None,
     run_order: typing.Optional[jsii.Number] = None,
+    timeout_in_minutes: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""
     pass

aws_cdk/aws_cognito/__init__.py

@@ -5254,7 +5254,7 @@ class CfnUserPool(
         ) -> None:
             '''The minimum and maximum values of an attribute that is of the number data type.
 
-            :param max_value: The maximum value of an attribute that is of the number data type.
+            :param max_value: The maximum length of a number attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
             :param min_value: The minimum value of an attribute that is of the number data type.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-numberattributeconstraints.html
@@ -5283,7 +5283,9 @@ class CfnUserPool(
 
         @builtins.property
         def max_value(self) -> typing.Optional[builtins.str]:
-            '''The maximum value of an attribute that is of the number data type.
+            '''The maximum length of a number attribute value.
+
+            Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-numberattributeconstraints.html#cfn-cognito-userpool-numberattributeconstraints-maxvalue
             '''
@@ -5970,7 +5972,7 @@ class CfnUserPool(
 
             ``StringAttributeConstraints`` is a subproperty of the `SchemaAttribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html>`_ property type.
 
-            :param max_length: The maximum length.
+            :param max_length: The maximum length of a string attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
             :param min_length: The minimum length.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-stringattributeconstraints.html
@@ -5999,7 +6001,9 @@ class CfnUserPool(
 
         @builtins.property
         def max_length(self) -> typing.Optional[builtins.str]:
-            '''The maximum length.
+            '''The maximum length of a string attribute value.
+
+            Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-stringattributeconstraints.html#cfn-cognito-userpool-stringattributeconstraints-maxlength
             '''
@@ -8346,7 +8350,7 @@ class CfnUserPoolIdentityProvider(
         :param user_pool_id: The user pool ID.
         :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes.
         :param idp_identifiers: A list of IdP identifiers.
-        :param provider_details: The IdP details. The following list describes the provider detail keys for each IdP type. - For Google and Login with Amazon: - client_id - client_secret - authorize_scopes - For Facebook: - client_id - client_secret - authorize_scopes - api_version - For Sign in with Apple: - client_id - team_id - key_id - private_key - authorize_scopes - For OpenID Connect (OIDC) providers: - client_id - client_secret - attributes_request_method - oidc_issuer - authorize_scopes - The following keys are only present if Amazon Cognito didn't discover them at the ``oidc_issuer`` URL. - authorize_url - token_url - attributes_url - jwks_uri - Amazon Cognito sets the value of the following keys automatically. They are read-only. - attributes_url_add_attributes - For SAML providers: - MetadataFile or MetadataURL - IDPSignout *optional*
+        :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__759e90505ceb64aa7002be11d4da4a87090102263927799f662a83f606483634)
@@ -8478,10 +8482,7 @@ class CfnUserPoolIdentityProvider(
     @builtins.property
     @jsii.member(jsii_name="providerDetails")
     def provider_details(self) -> typing.Any:
-        '''The IdP details.
-
-        The following list describes the provider detail keys for each IdP type.
-        '''
+        '''The scopes, URLs, and identifiers for your external identity provider.'''
         return typing.cast(typing.Any, jsii.get(self, "providerDetails"))
 
     @provider_details.setter
@@ -8522,7 +8523,7 @@ class CfnUserPoolIdentityProviderProps:
         :param user_pool_id: The user pool ID.
         :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes.
         :param idp_identifiers: A list of IdP identifiers.
-        :param provider_details: The IdP details. The following list describes the provider detail keys for each IdP type. - For Google and Login with Amazon: - client_id - client_secret - authorize_scopes - For Facebook: - client_id - client_secret - authorize_scopes - api_version - For Sign in with Apple: - client_id - team_id - key_id - private_key - authorize_scopes - For OpenID Connect (OIDC) providers: - client_id - client_secret - attributes_request_method - oidc_issuer - authorize_scopes - The following keys are only present if Amazon Cognito didn't discover them at the ``oidc_issuer`` URL. - authorize_url - token_url - attributes_url - jwks_uri - Amazon Cognito sets the value of the following keys automatically. They are read-only. - attributes_url_add_attributes - For SAML providers: - MetadataFile or MetadataURL - IDPSignout *optional*
+        :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html
         :exampleMetadata: fixture=_generated
@@ -8617,39 +8618,42 @@ class CfnUserPoolIdentityProviderProps:
 
     @builtins.property
     def provider_details(self) -> typing.Any:
-        '''The IdP details. The following list describes the provider detail keys for each IdP type.
-
-        - For Google and Login with Amazon:
-        - client_id
-        - client_secret
-        - authorize_scopes
-        - For Facebook:
-        - client_id
-        - client_secret
-        - authorize_scopes
-        - api_version
-        - For Sign in with Apple:
-        - client_id
-        - team_id
-        - key_id
-        - private_key
-        - authorize_scopes
-        - For OpenID Connect (OIDC) providers:
-        - client_id
-        - client_secret
-        - attributes_request_method
-        - oidc_issuer
-        - authorize_scopes
-        - The following keys are only present if Amazon Cognito didn't discover them at the ``oidc_issuer`` URL.
-        - authorize_url
-        - token_url
-        - attributes_url
-        - jwks_uri
-        - Amazon Cognito sets the value of the following keys automatically. They are read-only.
-        - attributes_url_add_attributes
-        - For SAML providers:
-        - MetadataFile or MetadataURL
-        - IDPSignout *optional*
+        '''The scopes, URLs, and identifiers for your external identity provider.
+
+        The following
+        examples describe the provider detail keys for each IdP type. These values and their
+        schema are subject to change. Social IdP ``authorize_scopes`` values must match
+        the values listed here.
+
+        - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` .
+
+        Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``
+
+        Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``
+
+        - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }``
+
+        Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }``
+
+        The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes.
+
+        Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }``
+
+        - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"``
+
+        Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }``
+
+        - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }``
+
+        Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }``
+
+        - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }``
+
+        Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }``
+
+        - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }``
+
+        Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providerdetails
         '''
@@ -9006,7 +9010,8 @@ class CfnUserPoolProps:
     def deletion_protection(self) -> typing.Optional[builtins.str]:
         '''When active, ``DeletionProtection`` prevents accidental deletion of your user pool.
 
-        Before you can delete a user pool that you have protected against deletion, you must deactivate this feature.
+        Before you can delete a user pool that you have protected against deletion, you
+        must deactivate this feature.
 
         When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.