aws-cdk-lib 2.132.1__py3-none-any.whl → 2.134.0__py3-none-any.whl

aws_cdk/aws_redshift/__init__.py

@@ -245,7 +245,7 @@ class CfnCluster(
         :param namespace_resource_policy: The policy that is attached to a resource.
         :param number_of_nodes: The number of compute nodes in the cluster. This parameter is required when the *ClusterType* parameter is specified as ``multi-node`` . For information about determining how many nodes you need, go to `Working with Clusters <https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes>`_ in the *Amazon Redshift Cluster Management Guide* . If you don't specify this parameter, you get a single-node cluster. When requesting a multi-node cluster, you must specify the number of nodes that you want in the cluster. Default: ``1`` Constraints: Value must be at least 1 and no more than 100.
         :param owner_account: The AWS account used to create or copy the snapshot. Required if you are restoring a snapshot you do not own, optional if you own the snapshot.
-        :param port: The port number on which the cluster accepts incoming connections. The cluster is accessible only via the JDBC and ODBC connection strings. Part of the connection string requires the port on which the cluster will listen for incoming connections. Default: ``5439`` Valid Values: ``1150-65535``
+        :param port: The port number on which the cluster accepts incoming connections. The cluster is accessible only via the JDBC and ODBC connection strings. Part of the connection string requires the port on which the cluster will listen for incoming connections. Default: ``5439`` Valid Values: - For clusters with ra3 nodes - Select a port within the ranges ``5431-5455`` or ``8191-8215`` . (If you have an existing cluster with ra3 nodes, it isn't required that you change the port to these ranges.) - For clusters with ds2 or dc2 nodes - Select a port within the range ``1150-65535`` .
         :param preferred_maintenance_window: The weekly time range (in UTC) during which automated cluster maintenance can occur. Format: ``ddd:hh24:mi-ddd:hh24:mi`` Default: A 30-minute window selected at random from an 8-hour block of time per region, occurring on a random day of the week. For more information about the time blocks for each region, see `Maintenance Windows <https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-maintenance-windows>`_ in Amazon Redshift Cluster Management Guide. Valid Days: Mon | Tue | Wed | Thu | Fri | Sat | Sun Constraints: Minimum 30-minute window.
         :param publicly_accessible: If ``true`` , the cluster can be accessed from a public network.
         :param resource_action: The Amazon Redshift operation to be performed. Supported operations are ``pause-cluster`` , ``resume-cluster`` , and ``failover-primary-compute`` .
@@ -1913,7 +1913,7 @@ class CfnClusterProps:
         :param namespace_resource_policy: The policy that is attached to a resource.
         :param number_of_nodes: The number of compute nodes in the cluster. This parameter is required when the *ClusterType* parameter is specified as ``multi-node`` . For information about determining how many nodes you need, go to `Working with Clusters <https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes>`_ in the *Amazon Redshift Cluster Management Guide* . If you don't specify this parameter, you get a single-node cluster. When requesting a multi-node cluster, you must specify the number of nodes that you want in the cluster. Default: ``1`` Constraints: Value must be at least 1 and no more than 100.
         :param owner_account: The AWS account used to create or copy the snapshot. Required if you are restoring a snapshot you do not own, optional if you own the snapshot.
-        :param port: The port number on which the cluster accepts incoming connections. The cluster is accessible only via the JDBC and ODBC connection strings. Part of the connection string requires the port on which the cluster will listen for incoming connections. Default: ``5439`` Valid Values: ``1150-65535``
+        :param port: The port number on which the cluster accepts incoming connections. The cluster is accessible only via the JDBC and ODBC connection strings. Part of the connection string requires the port on which the cluster will listen for incoming connections. Default: ``5439`` Valid Values: - For clusters with ra3 nodes - Select a port within the ranges ``5431-5455`` or ``8191-8215`` . (If you have an existing cluster with ra3 nodes, it isn't required that you change the port to these ranges.) - For clusters with ds2 or dc2 nodes - Select a port within the range ``1150-65535`` .
         :param preferred_maintenance_window: The weekly time range (in UTC) during which automated cluster maintenance can occur. Format: ``ddd:hh24:mi-ddd:hh24:mi`` Default: A 30-minute window selected at random from an 8-hour block of time per region, occurring on a random day of the week. For more information about the time blocks for each region, see `Maintenance Windows <https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-maintenance-windows>`_ in Amazon Redshift Cluster Management Guide. Valid Days: Mon | Tue | Wed | Thu | Fri | Sat | Sun Constraints: Minimum 30-minute window.
         :param publicly_accessible: If ``true`` , the cluster can be accessed from a public network.
         :param resource_action: The Amazon Redshift operation to be performed. Supported operations are ``pause-cluster`` , ``resume-cluster`` , and ``failover-primary-compute`` .
@@ -2675,7 +2675,10 @@ class CfnClusterProps:
 
         Default: ``5439``
 
-        Valid Values: ``1150-65535``
+        Valid Values:
+
+        - For clusters with ra3 nodes - Select a port within the ranges ``5431-5455`` or ``8191-8215`` . (If you have an existing cluster with ra3 nodes, it isn't required that you change the port to these ranges.)
+        - For clusters with ds2 or dc2 nodes - Select a port within the range ``1150-65535`` .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-port
         '''

aws_cdk/aws_redshiftserverless/__init__.py

@@ -88,13 +88,6 @@ class CfnNamespace(
             manage_admin_password=False,
             namespace_resource_policy=namespace_resource_policy,
             redshift_idc_application_arn="redshiftIdcApplicationArn",
-            snapshot_copy_configurations=[redshiftserverless.CfnNamespace.SnapshotCopyConfigurationProperty(
-                destination_region="destinationRegion",
-        
-                # the properties below are optional
-                destination_kms_key_id="destinationKmsKeyId",
-                snapshot_retention_period=123
-            )],
             tags=[CfnTag(
                 key="key",
                 value="value"
@@ -121,7 +114,6 @@ class CfnNamespace(
         manage_admin_password: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         namespace_resource_policy: typing.Any = None,
         redshift_idc_application_arn: typing.Optional[builtins.str] = None,
-        snapshot_copy_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnNamespace.SnapshotCopyConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''
@@ -141,7 +133,6 @@ class CfnNamespace(
         :param manage_admin_password: If true, Amazon Redshift uses AWS Secrets Manager to manage the namespace's admin credentials. You can't use ``AdminUserPassword`` if ``ManageAdminPassword`` is true. If ``ManageAdminPassword`` is ``false`` or not set, Amazon Redshift uses ``AdminUserPassword`` for the admin user account's password.
         :param namespace_resource_policy: The resource policy that will be attached to the namespace.
         :param redshift_idc_application_arn: The ARN for the Redshift application that integrates with IAM Identity Center.
-        :param snapshot_copy_configurations: The snapshot copy configurations for the namespace.
         :param tags: The map of the key-value pairs used to tag the namespace.
         '''
         if __debug__:
@@ -163,7 +154,6 @@ class CfnNamespace(
             manage_admin_password=manage_admin_password,
             namespace_resource_policy=namespace_resource_policy,
             redshift_idc_application_arn=redshift_idc_application_arn,
-            snapshot_copy_configurations=snapshot_copy_configurations,
             tags=tags,
         )
 
@@ -517,24 +507,6 @@ class CfnNamespace(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "redshiftIdcApplicationArn", value)
 
-    @builtins.property
-    @jsii.member(jsii_name="snapshotCopyConfigurations")
-    def snapshot_copy_configurations(
-        self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNamespace.SnapshotCopyConfigurationProperty"]]]]:
-        '''The snapshot copy configurations for the namespace.'''
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNamespace.SnapshotCopyConfigurationProperty"]]]], jsii.get(self, "snapshotCopyConfigurations"))
-
-    @snapshot_copy_configurations.setter
-    def snapshot_copy_configurations(
-        self,
-        value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNamespace.SnapshotCopyConfigurationProperty"]]]],
-    ) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__f7336d2da1a6ceace7b9ad8afbae65968e0c9440d9a2bcf4cd5e62d531da1693)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "snapshotCopyConfigurations", value)
-
     @builtins.property
     @jsii.member(jsii_name="tagsRaw")
     def tags_raw(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
@@ -801,94 +773,6 @@ class CfnNamespace(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
-    @jsii.data_type(
-        jsii_type="aws-cdk-lib.aws_redshiftserverless.CfnNamespace.SnapshotCopyConfigurationProperty",
-        jsii_struct_bases=[],
-        name_mapping={
-            "destination_region": "destinationRegion",
-            "destination_kms_key_id": "destinationKmsKeyId",
-            "snapshot_retention_period": "snapshotRetentionPeriod",
-        },
-    )
-    class SnapshotCopyConfigurationProperty:
-        def __init__(
-            self,
-            *,
-            destination_region: builtins.str,
-            destination_kms_key_id: typing.Optional[builtins.str] = None,
-            snapshot_retention_period: typing.Optional[jsii.Number] = None,
-        ) -> None:
-            '''
-            :param destination_region: 
-            :param destination_kms_key_id: 
-            :param snapshot_retention_period: 
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-redshiftserverless-namespace-snapshotcopyconfiguration.html
-            :exampleMetadata: fixture=_generated
-
-            Example::
-
-                # The code below shows an example of how to instantiate this type.
-                # The values are placeholders you should change.
-                from aws_cdk import aws_redshiftserverless as redshiftserverless
-                
-                snapshot_copy_configuration_property = redshiftserverless.CfnNamespace.SnapshotCopyConfigurationProperty(
-                    destination_region="destinationRegion",
-                
-                    # the properties below are optional
-                    destination_kms_key_id="destinationKmsKeyId",
-                    snapshot_retention_period=123
-                )
-            '''
-            if __debug__:
-                type_hints = typing.get_type_hints(_typecheckingstub__4f726a14406204ec2ead254e53f2cdca3d4ac96a2d835e99da9cbbb58c02dccd)
-                check_type(argname="argument destination_region", value=destination_region, expected_type=type_hints["destination_region"])
-                check_type(argname="argument destination_kms_key_id", value=destination_kms_key_id, expected_type=type_hints["destination_kms_key_id"])
-                check_type(argname="argument snapshot_retention_period", value=snapshot_retention_period, expected_type=type_hints["snapshot_retention_period"])
-            self._values: typing.Dict[builtins.str, typing.Any] = {
-                "destination_region": destination_region,
-            }
-            if destination_kms_key_id is not None:
-                self._values["destination_kms_key_id"] = destination_kms_key_id
-            if snapshot_retention_period is not None:
-                self._values["snapshot_retention_period"] = snapshot_retention_period
-
-        @builtins.property
-        def destination_region(self) -> builtins.str:
-            '''
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-redshiftserverless-namespace-snapshotcopyconfiguration.html#cfn-redshiftserverless-namespace-snapshotcopyconfiguration-destinationregion
-            '''
-            result = self._values.get("destination_region")
-            assert result is not None, "Required property 'destination_region' is missing"
-            return typing.cast(builtins.str, result)
-
-        @builtins.property
-        def destination_kms_key_id(self) -> typing.Optional[builtins.str]:
-            '''
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-redshiftserverless-namespace-snapshotcopyconfiguration.html#cfn-redshiftserverless-namespace-snapshotcopyconfiguration-destinationkmskeyid
-            '''
-            result = self._values.get("destination_kms_key_id")
-            return typing.cast(typing.Optional[builtins.str], result)
-
-        @builtins.property
-        def snapshot_retention_period(self) -> typing.Optional[jsii.Number]:
-            '''
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-redshiftserverless-namespace-snapshotcopyconfiguration.html#cfn-redshiftserverless-namespace-snapshotcopyconfiguration-snapshotretentionperiod
-            '''
-            result = self._values.get("snapshot_retention_period")
-            return typing.cast(typing.Optional[jsii.Number], result)
-
-        def __eq__(self, rhs: typing.Any) -> builtins.bool:
-            return isinstance(rhs, self.__class__) and rhs._values == self._values
-
-        def __ne__(self, rhs: typing.Any) -> builtins.bool:
-            return not (rhs == self)
-
-        def __repr__(self) -> str:
-            return "SnapshotCopyConfigurationProperty(%s)" % ", ".join(
-                k + "=" + repr(v) for k, v in self._values.items()
-            )
-
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_redshiftserverless.CfnNamespaceProps",
@@ -908,7 +792,6 @@ class CfnNamespace(
         "manage_admin_password": "manageAdminPassword",
         "namespace_resource_policy": "namespaceResourcePolicy",
         "redshift_idc_application_arn": "redshiftIdcApplicationArn",
-        "snapshot_copy_configurations": "snapshotCopyConfigurations",
         "tags": "tags",
     },
 )
@@ -930,7 +813,6 @@ class CfnNamespaceProps:
         manage_admin_password: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         namespace_resource_policy: typing.Any = None,
         redshift_idc_application_arn: typing.Optional[builtins.str] = None,
-        snapshot_copy_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNamespace.SnapshotCopyConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''Properties for defining a ``CfnNamespace``.
@@ -949,7 +831,6 @@ class CfnNamespaceProps:
         :param manage_admin_password: If true, Amazon Redshift uses AWS Secrets Manager to manage the namespace's admin credentials. You can't use ``AdminUserPassword`` if ``ManageAdminPassword`` is true. If ``ManageAdminPassword`` is ``false`` or not set, Amazon Redshift uses ``AdminUserPassword`` for the admin user account's password.
         :param namespace_resource_policy: The resource policy that will be attached to the namespace.
         :param redshift_idc_application_arn: The ARN for the Redshift application that integrates with IAM Identity Center.
-        :param snapshot_copy_configurations: The snapshot copy configurations for the namespace.
         :param tags: The map of the key-value pairs used to tag the namespace.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshiftserverless-namespace.html
@@ -980,13 +861,6 @@ class CfnNamespaceProps:
                 manage_admin_password=False,
                 namespace_resource_policy=namespace_resource_policy,
                 redshift_idc_application_arn="redshiftIdcApplicationArn",
-                snapshot_copy_configurations=[redshiftserverless.CfnNamespace.SnapshotCopyConfigurationProperty(
-                    destination_region="destinationRegion",
-            
-                    # the properties below are optional
-                    destination_kms_key_id="destinationKmsKeyId",
-                    snapshot_retention_period=123
-                )],
                 tags=[CfnTag(
                     key="key",
                     value="value"
@@ -1009,7 +883,6 @@ class CfnNamespaceProps:
             check_type(argname="argument manage_admin_password", value=manage_admin_password, expected_type=type_hints["manage_admin_password"])
             check_type(argname="argument namespace_resource_policy", value=namespace_resource_policy, expected_type=type_hints["namespace_resource_policy"])
             check_type(argname="argument redshift_idc_application_arn", value=redshift_idc_application_arn, expected_type=type_hints["redshift_idc_application_arn"])
-            check_type(argname="argument snapshot_copy_configurations", value=snapshot_copy_configurations, expected_type=type_hints["snapshot_copy_configurations"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "namespace_name": namespace_name,
@@ -1040,8 +913,6 @@ class CfnNamespaceProps:
             self._values["namespace_resource_policy"] = namespace_resource_policy
         if redshift_idc_application_arn is not None:
             self._values["redshift_idc_application_arn"] = redshift_idc_application_arn
-        if snapshot_copy_configurations is not None:
-            self._values["snapshot_copy_configurations"] = snapshot_copy_configurations
         if tags is not None:
             self._values["tags"] = tags
 
@@ -1182,17 +1053,6 @@ class CfnNamespaceProps:
         result = self._values.get("redshift_idc_application_arn")
         return typing.cast(typing.Optional[builtins.str], result)
 
-    @builtins.property
-    def snapshot_copy_configurations(
-        self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnNamespace.SnapshotCopyConfigurationProperty]]]]:
-        '''The snapshot copy configurations for the namespace.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshiftserverless-namespace.html#cfn-redshiftserverless-namespace-snapshotcopyconfigurations
-        '''
-        result = self._values.get("snapshot_copy_configurations")
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnNamespace.SnapshotCopyConfigurationProperty]]]], result)
-
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
         '''The map of the key-value pairs used to tag the namespace.
@@ -2613,7 +2473,6 @@ def _typecheckingstub__e517382d9f55a518348d7299a7ce6c5be66bae2202f4223bf3c891a7d
     manage_admin_password: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     namespace_resource_policy: typing.Any = None,
     redshift_idc_application_arn: typing.Optional[builtins.str] = None,
-    snapshot_copy_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNamespace.SnapshotCopyConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -2715,12 +2574,6 @@ def _typecheckingstub__51136c4f6d62ea1ed8116bbb890860f45a983131873ecd0a7b4075950
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__f7336d2da1a6ceace7b9ad8afbae65968e0c9440d9a2bcf4cd5e62d531da1693(
-    value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnNamespace.SnapshotCopyConfigurationProperty]]]],
-) -> None:
-    """Type checking stubs"""
-    pass
-
 def _typecheckingstub__2e2da7bae4bc39426d05dc2f307e08d5246472ad626b032ef4c2ea7b7d1bd33f(
     value: typing.Optional[typing.List[_CfnTag_f6864754]],
 ) -> None:
@@ -2746,15 +2599,6 @@ def _typecheckingstub__6bcbea65acb7d2a3cef7455cfbb52c832d3da01cd5e02df21a06cdb2b
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__4f726a14406204ec2ead254e53f2cdca3d4ac96a2d835e99da9cbbb58c02dccd(
-    *,
-    destination_region: builtins.str,
-    destination_kms_key_id: typing.Optional[builtins.str] = None,
-    snapshot_retention_period: typing.Optional[jsii.Number] = None,
-) -> None:
-    """Type checking stubs"""
-    pass
-
 def _typecheckingstub__5964a5da555f62a5d9615a6e07cd0d1128cdf904fd5aa3c5be9fd5e53dc30bd9(
     *,
     namespace_name: builtins.str,
@@ -2771,7 +2615,6 @@ def _typecheckingstub__5964a5da555f62a5d9615a6e07cd0d1128cdf904fd5aa3c5be9fd5e53
     manage_admin_password: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     namespace_resource_policy: typing.Any = None,
     redshift_idc_application_arn: typing.Optional[builtins.str] = None,
-    snapshot_copy_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNamespace.SnapshotCopyConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""

aws_cdk/aws_sagemaker/__init__.py

@@ -11139,7 +11139,7 @@ class CfnEndpointConfig(
 
             :param max_concurrency: The maximum number of concurrent invocations your serverless endpoint can process.
             :param memory_size_in_mb: The memory size of your serverless endpoint. Valid values are in 1 GB increments: 1024 MB, 2048 MB, 3072 MB, 4096 MB, 5120 MB, or 6144 MB.
-            :param provisioned_concurrency: 
+            :param provisioned_concurrency: The amount of provisioned concurrency to allocate for the serverless endpoint. Should be less than or equal to ``MaxConcurrency`` . .. epigraph:: This field is not supported for serverless endpoint recommendations for Inference Recommender jobs. For more information about creating an Inference Recommender job, see `CreateInferenceRecommendationsJobs <https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateInferenceRecommendationsJob.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-endpointconfig-serverlessconfig.html
             :exampleMetadata: fixture=_generated
@@ -11194,7 +11194,13 @@ class CfnEndpointConfig(
 
         @builtins.property
         def provisioned_concurrency(self) -> typing.Optional[jsii.Number]:
-            '''
+            '''The amount of provisioned concurrency to allocate for the serverless endpoint.
+
+            Should be less than or equal to ``MaxConcurrency`` .
+            .. epigraph::
+
+               This field is not supported for serverless endpoint recommendations for Inference Recommender jobs. For more information about creating an Inference Recommender job, see `CreateInferenceRecommendationsJobs <https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateInferenceRecommendationsJob.html>`_ .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-endpointconfig-serverlessconfig.html#cfn-sagemaker-endpointconfig-serverlessconfig-provisionedconcurrency
             '''
             result = self._values.get("provisioned_concurrency")
@@ -12288,7 +12294,7 @@ class CfnFeatureGroup(
 
             You must include ``FeatureName`` and ``FeatureType`` . Valid feature ``FeatureType`` s are ``Integral`` , ``Fractional`` and ``String`` .
 
-            :param feature_name: The name of a feature. The type must be a string. ``FeatureName`` cannot be any of the following: ``is_deleted`` , ``write_time`` , ``api_invocation_time`` .
+            :param feature_name: The name of a feature. The type must be a string. ``FeatureName`` cannot be any of the following: ``is_deleted`` , ``write_time`` , ``api_invocation_time`` . The name: - Must start and end with an alphanumeric character. - Can only include alphanumeric characters, underscores, and hyphens. Spaces are not allowed.
             :param feature_type: The value type of a feature. Valid values are Integral, Fractional, or String.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-featuregroup-featuredefinition.html
@@ -12320,6 +12326,11 @@ class CfnFeatureGroup(
 
             The type must be a string. ``FeatureName`` cannot be any of the following: ``is_deleted`` , ``write_time`` , ``api_invocation_time`` .
 
+            The name:
+
+            - Must start and end with an alphanumeric character.
+            - Can only include alphanumeric characters, underscores, and hyphens. Spaces are not allowed.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-featuregroup-featuredefinition.html#cfn-sagemaker-featuregroup-featuredefinition-featurename
             '''
             result = self._values.get("feature_name")
@@ -12692,7 +12703,7 @@ class CfnFeatureGroup(
             s3_uri: builtins.str,
             kms_key_id: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The Amazon Simple Storage (Amazon S3) location and and security configuration for ``OfflineStore`` .
+            '''The Amazon Simple Storage (Amazon S3) location and security configuration for ``OfflineStore`` .
 
             :param s3_uri: The S3 URI, or location in Amazon S3, of ``OfflineStore`` . S3 URIs have a format similar to the following: ``s3://example-bucket/prefix/`` .
             :param kms_key_id: The AWS Key Management Service (KMS) key ARN of the key used to encrypt any objects written into the ``OfflineStore`` S3 location. The IAM ``roleARN`` that is passed as a parameter to ``CreateFeatureGroup`` must have below permissions to the ``KmsKeyId`` : - ``"kms:GenerateDataKey"``
@@ -15353,7 +15364,7 @@ class CfnInferenceExperiment(
     @builtins.property
     @jsii.member(jsii_name="attrArn")
     def attr_arn(self) -> builtins.str:
-        '''The Amazon Resource Name (ARN) of the inference experiment.
+        '''The ARN for your inference experiment.
 
         :cloudformationAttribute: Arn
         '''
@@ -15362,7 +15373,7 @@ class CfnInferenceExperiment(
     @builtins.property
     @jsii.member(jsii_name="attrCreationTime")
     def attr_creation_time(self) -> builtins.str:
-        '''The timestamp at which you created the inference experiment.
+        '''The timestamp at which the inference experiment was created.
 
         :cloudformationAttribute: CreationTime
         '''
@@ -15413,7 +15424,16 @@ class CfnInferenceExperiment(
     @builtins.property
     @jsii.member(jsii_name="attrStatus")
     def attr_status(self) -> builtins.str:
-        '''The status of the inference experiment.
+        '''The status of the inference experiment. The following are the possible statuses for an inference experiment:.
+
+        - ``Creating`` - Amazon SageMaker is creating your experiment.
+        - ``Created`` - Amazon SageMaker has finished the creation of your experiment and will begin the experiment at the scheduled time.
+        - ``Updating`` - When you make changes to your experiment, your experiment shows as updating.
+        - ``Starting`` - Amazon SageMaker is beginning your experiment.
+        - ``Running`` - Your experiment is in progress.
+        - ``Stopping`` - Amazon SageMaker is stopping your experiment.
+        - ``Completed`` - Your experiment has completed.
+        - ``Cancelled`` - When you conclude your experiment early using the `StopInferenceExperiment <https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StopInferenceExperiment.html>`_ API, or if any operation fails with an unexpected error, it shows as cancelled.
 
         :cloudformationAttribute: Status
         '''
@@ -17044,7 +17064,7 @@ class CfnModel(
             '''Describes the container, as part of model definition.
 
             :param container_hostname: This parameter is ignored for models that contain only a ``PrimaryContainer`` . When a ``ContainerDefinition`` is part of an inference pipeline, the value of the parameter uniquely identifies the container for the purposes of logging and metrics. For information, see `Use Logs and Metrics to Monitor an Inference Pipeline <https://docs.aws.amazon.com/sagemaker/latest/dg/inference-pipeline-logs-metrics.html>`_ . If you don't specify a value for this parameter for a ``ContainerDefinition`` that is part of an inference pipeline, a unique name is automatically assigned based on the position of the ``ContainerDefinition`` in the pipeline. If you specify a value for the ``ContainerHostName`` for any ``ContainerDefinition`` that is part of an inference pipeline, you must specify a value for the ``ContainerHostName`` parameter of every ``ContainerDefinition`` in that pipeline.
-            :param environment: The environment variables to set in the Docker container. Each key and value in the ``Environment`` string to string map can have length of up to 1024. We support up to 16 entries in the map.
+            :param environment: The environment variables to set in the Docker container. The maximum length of each key and value in the ``Environment`` map is 1024 bytes. The maximum length of all keys and values in the map, combined, is 32 KB. If you pass multiple containers to a ``CreateModel`` request, then the maximum length of all of their maps, combined, is also 32 KB.
             :param image: The path where inference code is stored. This can be either in Amazon EC2 Container Registry or in a Docker registry that is accessible from the same VPC that you configure for your endpoint. If you are using your own custom algorithm instead of an algorithm provided by SageMaker, the inference code must meet SageMaker requirements. SageMaker supports both ``registry/repository[:tag]`` and ``registry/repository[@digest]`` image path formats. For more information, see `Using Your Own Algorithms with Amazon SageMaker <https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms.html>`_ . .. epigraph:: The model artifacts in an Amazon S3 bucket and the Docker image for inference container in Amazon EC2 Container Registry must be in the same region as the model or endpoint you are creating.
             :param image_config: Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). For information about storing containers in a private Docker registry, see `Use a Private Docker Registry for Real-Time Inference Containers <https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-containers-inference-private.html>`_ . .. epigraph:: The model artifacts in an Amazon S3 bucket and the Docker image for inference container in Amazon EC2 Container Registry must be in the same region as the model or endpoint you are creating.
             :param inference_specification_name: The inference specification name in the model package version.
@@ -17147,7 +17167,7 @@ class CfnModel(
         def environment(self) -> typing.Any:
             '''The environment variables to set in the Docker container.
 
-            Each key and value in the ``Environment`` string to string map can have length of up to 1024. We support up to 16 entries in the map.
+            The maximum length of each key and value in the ``Environment`` map is 1024 bytes. The maximum length of all keys and values in the map, combined, is 32 KB. If you pass multiple containers to a ``CreateModel`` request, then the maximum length of all of their maps, combined, is also 32 KB.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-model-containerdefinition.html#cfn-sagemaker-model-containerdefinition-environment
             '''

aws_cdk/aws_shield/__init__.py

@@ -110,7 +110,7 @@ class CfnDRTAccess(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param role_arn: Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs. You can associate only one ``RoleArn`` with your subscription. If you submit this update for an account that already has an associated role, the new ``RoleArn`` will replace the existing ``RoleArn`` . This change requires the following: - You must be subscribed to the `Business Support plan <https://docs.aws.amazon.com/premiumsupport/business-support/>`_ or the `Enterprise Support plan <https://docs.aws.amazon.com/premiumsupport/enterprise-support/>`_ . - You must have the ``iam:PassRole`` permission. For more information, see `Granting a user permissions to pass a role to an AWS service <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html>`_ . - The ``AWSShieldDRTAccessPolicy`` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at `AWSShieldDRTAccessPolicy <https://docs.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy>`_ . For information, see `Adding and removing IAM identity permissions <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html>`_ . - The role must trust the service principal ``drt.shield.amazonaws.com`` . For information, see `IAM JSON policy elements: Principal <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html>`_ . The SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.
+        :param role_arn: Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs. You can associate only one ``RoleArn`` with your subscription. If you submit this update for an account that already has an associated role, the new ``RoleArn`` will replace the existing ``RoleArn`` . This change requires the following: - You must be subscribed to the `Business Support plan <https://docs.aws.amazon.com/premiumsupport/business-support/>`_ or the `Enterprise Support plan <https://docs.aws.amazon.com/premiumsupport/enterprise-support/>`_ . - The ``AWSShieldDRTAccessPolicy`` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at `AWSShieldDRTAccessPolicy <https://docs.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy>`_ . For information, see `Adding and removing IAM identity permissions <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html>`_ . - The role must trust the service principal ``drt.shield.amazonaws.com`` . For information, see `IAM JSON policy elements: Principal <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html>`_ . The SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.
         :param log_bucket_list: Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources. You can associate up to 10 Amazon S3 buckets with your subscription. Use this to share information with the SRT that's not available in AWS WAF logs. To use the services of the SRT, you must be subscribed to the `Business Support plan <https://docs.aws.amazon.com/premiumsupport/business-support/>`_ or the `Enterprise Support plan <https://docs.aws.amazon.com/premiumsupport/enterprise-support/>`_ .
         '''
         if __debug__:
@@ -209,7 +209,7 @@ class CfnDRTAccessProps:
     ) -> None:
         '''Properties for defining a ``CfnDRTAccess``.
 
-        :param role_arn: Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs. You can associate only one ``RoleArn`` with your subscription. If you submit this update for an account that already has an associated role, the new ``RoleArn`` will replace the existing ``RoleArn`` . This change requires the following: - You must be subscribed to the `Business Support plan <https://docs.aws.amazon.com/premiumsupport/business-support/>`_ or the `Enterprise Support plan <https://docs.aws.amazon.com/premiumsupport/enterprise-support/>`_ . - You must have the ``iam:PassRole`` permission. For more information, see `Granting a user permissions to pass a role to an AWS service <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html>`_ . - The ``AWSShieldDRTAccessPolicy`` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at `AWSShieldDRTAccessPolicy <https://docs.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy>`_ . For information, see `Adding and removing IAM identity permissions <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html>`_ . - The role must trust the service principal ``drt.shield.amazonaws.com`` . For information, see `IAM JSON policy elements: Principal <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html>`_ . The SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.
+        :param role_arn: Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs. You can associate only one ``RoleArn`` with your subscription. If you submit this update for an account that already has an associated role, the new ``RoleArn`` will replace the existing ``RoleArn`` . This change requires the following: - You must be subscribed to the `Business Support plan <https://docs.aws.amazon.com/premiumsupport/business-support/>`_ or the `Enterprise Support plan <https://docs.aws.amazon.com/premiumsupport/enterprise-support/>`_ . - The ``AWSShieldDRTAccessPolicy`` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at `AWSShieldDRTAccessPolicy <https://docs.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy>`_ . For information, see `Adding and removing IAM identity permissions <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html>`_ . - The role must trust the service principal ``drt.shield.amazonaws.com`` . For information, see `IAM JSON policy elements: Principal <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html>`_ . The SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.
         :param log_bucket_list: Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources. You can associate up to 10 Amazon S3 buckets with your subscription. Use this to share information with the SRT that's not available in AWS WAF logs. To use the services of the SRT, you must be subscribed to the `Business Support plan <https://docs.aws.amazon.com/premiumsupport/business-support/>`_ or the `Enterprise Support plan <https://docs.aws.amazon.com/premiumsupport/enterprise-support/>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-shield-drtaccess.html
@@ -249,7 +249,6 @@ class CfnDRTAccessProps:
         This change requires the following:
 
         - You must be subscribed to the `Business Support plan <https://docs.aws.amazon.com/premiumsupport/business-support/>`_ or the `Enterprise Support plan <https://docs.aws.amazon.com/premiumsupport/enterprise-support/>`_ .
-        - You must have the ``iam:PassRole`` permission. For more information, see `Granting a user permissions to pass a role to an AWS service <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html>`_ .
         - The ``AWSShieldDRTAccessPolicy`` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at `AWSShieldDRTAccessPolicy <https://docs.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy>`_ . For information, see `Adding and removing IAM identity permissions <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html>`_ .
         - The role must trust the service principal ``drt.shield.amazonaws.com`` . For information, see `IAM JSON policy elements: Principal <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html>`_ .
 
@@ -1078,7 +1077,7 @@ class CfnProtectionGroup(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param aggregation: Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events. - Sum - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically. - Mean - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers. - Max - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.
+        :param aggregation: Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events. - ``Sum`` - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically. - ``Mean`` - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers. - ``Max`` - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.
         :param pattern: The criteria to use to choose the protected resources for inclusion in the group. You can include all resources that have protections, provide a list of resource ARNs (Amazon Resource Names), or include all resources of a specified resource type.
         :param protection_group_id: The name of the protection group. You use this to identify the protection group in lists and to manage the protection group, for example to update, delete, or describe it.
         :param members: The ARNs (Amazon Resource Names) of the resources to include in the protection group. You must set this when you set ``Pattern`` to ``ARBITRARY`` and you must not set it for any other ``Pattern`` setting.
@@ -1254,7 +1253,7 @@ class CfnProtectionGroupProps:
     ) -> None:
         '''Properties for defining a ``CfnProtectionGroup``.
 
-        :param aggregation: Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events. - Sum - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically. - Mean - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers. - Max - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.
+        :param aggregation: Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events. - ``Sum`` - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically. - ``Mean`` - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers. - ``Max`` - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.
         :param pattern: The criteria to use to choose the protected resources for inclusion in the group. You can include all resources that have protections, provide a list of resource ARNs (Amazon Resource Names), or include all resources of a specified resource type.
         :param protection_group_id: The name of the protection group. You use this to identify the protection group in lists and to manage the protection group, for example to update, delete, or describe it.
         :param members: The ARNs (Amazon Resource Names) of the resources to include in the protection group. You must set this when you set ``Pattern`` to ``ARBITRARY`` and you must not set it for any other ``Pattern`` setting.
@@ -1308,9 +1307,9 @@ class CfnProtectionGroupProps:
     def aggregation(self) -> builtins.str:
         '''Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events.
 
-        - Sum - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically.
-        - Mean - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers.
-        - Max - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.
+        - ``Sum`` - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically.
+        - ``Mean`` - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers.
+        - ``Max`` - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-shield-protectiongroup.html#cfn-shield-protectiongroup-aggregation
         '''

aws_cdk/aws_ssm/__init__.py

@@ -262,7 +262,7 @@ class CfnAssociation(
         :param schedule_expression: A cron expression that specifies a schedule when the association runs. The schedule runs in Coordinated Universal Time (UTC).
         :param schedule_offset: Number of days to wait after the scheduled day to run an association.
         :param sync_compliance: The mode for generating association compliance. You can specify ``AUTO`` or ``MANUAL`` . In ``AUTO`` mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is ``COMPLIANT`` . If the association execution doesn't run successfully, the association is ``NON-COMPLIANT`` . In ``MANUAL`` mode, you must specify the ``AssociationId`` as a parameter for the ``PutComplianceItems`` API action. In this case, compliance data is not managed by State Manager. It is managed by your direct call to the ``PutComplianceItems`` API action. By default, all associations use ``AUTO`` mode.
-        :param targets: The targets for the association. You must specify the ``InstanceId`` or ``Targets`` property. You can target all instances in an AWS account by specifyingt he ``InstanceIds`` key with a value of ``*`` . To view a JSON and a YAML example that targets all instances, see the "Create an association for all managed instances in an AWS account " later in this page.
+        :param targets: The targets for the association. You must specify the ``InstanceId`` or ``Targets`` property. You can target all instances in an AWS account by specifying t he ``InstanceIds`` key with a value of ``*`` . Supported formats include the following. - ``Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>`` - ``Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>`` To view a JSON and a YAML example that targets all instances, see "Create an association for all managed instances in an AWS account " on the Examples page.
         :param wait_for_success_timeout_seconds: The number of seconds the service should wait for the association status to show "Success" before proceeding with the stack execution. If the association status doesn't show "Success" after the specified number of seconds, then stack creation fails. .. epigraph:: When you specify a value for the ``WaitForSuccessTimeoutSeconds`` , `drift detection <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html>`_ for your AWS CloudFormation stack’s configuration might yield inaccurate results. If drift detection is important in your scenario, we recommend that you don’t include ``WaitForSuccessTimeoutSeconds`` in your template.
         '''
         if __debug__:
@@ -867,7 +867,7 @@ class CfnAssociationProps:
         :param schedule_expression: A cron expression that specifies a schedule when the association runs. The schedule runs in Coordinated Universal Time (UTC).
         :param schedule_offset: Number of days to wait after the scheduled day to run an association.
         :param sync_compliance: The mode for generating association compliance. You can specify ``AUTO`` or ``MANUAL`` . In ``AUTO`` mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is ``COMPLIANT`` . If the association execution doesn't run successfully, the association is ``NON-COMPLIANT`` . In ``MANUAL`` mode, you must specify the ``AssociationId`` as a parameter for the ``PutComplianceItems`` API action. In this case, compliance data is not managed by State Manager. It is managed by your direct call to the ``PutComplianceItems`` API action. By default, all associations use ``AUTO`` mode.
-        :param targets: The targets for the association. You must specify the ``InstanceId`` or ``Targets`` property. You can target all instances in an AWS account by specifyingt he ``InstanceIds`` key with a value of ``*`` . To view a JSON and a YAML example that targets all instances, see the "Create an association for all managed instances in an AWS account " later in this page.
+        :param targets: The targets for the association. You must specify the ``InstanceId`` or ``Targets`` property. You can target all instances in an AWS account by specifying t he ``InstanceIds`` key with a value of ``*`` . Supported formats include the following. - ``Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>`` - ``Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>`` To view a JSON and a YAML example that targets all instances, see "Create an association for all managed instances in an AWS account " on the Examples page.
         :param wait_for_success_timeout_seconds: The number of seconds the service should wait for the association status to show "Success" before proceeding with the stack execution. If the association status doesn't show "Success" after the specified number of seconds, then stack creation fails. .. epigraph:: When you specify a value for the ``WaitForSuccessTimeoutSeconds`` , `drift detection <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html>`_ for your AWS CloudFormation stack’s configuration might yield inaccurate results. If drift detection is important in your scenario, we recommend that you don’t include ``WaitForSuccessTimeoutSeconds`` in your template.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-association.html
@@ -1155,7 +1155,14 @@ class CfnAssociationProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnAssociation.TargetProperty]]]]:
         '''The targets for the association.
 
-        You must specify the ``InstanceId`` or ``Targets`` property. You can target all instances in an AWS account by specifyingt he ``InstanceIds`` key with a value of ``*`` . To view a JSON and a YAML example that targets all instances, see the "Create an association for all managed instances in an AWS account " later in this page.
+        You must specify the ``InstanceId`` or ``Targets`` property. You can target all instances in an AWS account by specifying t he ``InstanceIds`` key with a value of ``*`` .
+
+        Supported formats include the following.
+
+        - ``Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>``
+        - ``Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>``
+
+        To view a JSON and a YAML example that targets all instances, see "Create an association for all managed instances in an AWS account " on the Examples page.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-association.html#cfn-ssm-association-targets
         '''
@@ -4646,7 +4653,7 @@ class CfnParameter(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param type: The type of parameter. .. epigraph:: Although ``SecureString`` is included in the list of valid values, AWS CloudFormation does *not* currently support creating ``SecureString`` parameters.
+        :param type: The type of parameter.
         :param value: The parameter value. .. epigraph:: If type is ``StringList`` , the system returns a comma-separated string with no spaces between commas in the ``Value`` field.
         :param allowed_pattern: A regular expression used to validate the parameter value. For example, for ``String`` types with values restricted to numbers, you can specify the following: ``AllowedPattern=^\\d+$``
         :param data_type: The data type of the parameter, such as ``text`` or ``aws:ec2:image`` . The default is ``text`` .
@@ -4887,7 +4894,7 @@ class CfnParameterProps:
     ) -> None:
         '''Properties for defining a ``CfnParameter``.
 
-        :param type: The type of parameter. .. epigraph:: Although ``SecureString`` is included in the list of valid values, AWS CloudFormation does *not* currently support creating ``SecureString`` parameters.
+        :param type: The type of parameter.
         :param value: The parameter value. .. epigraph:: If type is ``StringList`` , the system returns a comma-separated string with no spaces between commas in the ``Value`` field.
         :param allowed_pattern: A regular expression used to validate the parameter value. For example, for ``String`` types with values restricted to numbers, you can specify the following: ``AllowedPattern=^\\d+$``
         :param data_type: The data type of the parameter, such as ``text`` or ``aws:ec2:image`` . The default is ``text`` .
@@ -4956,10 +4963,6 @@ class CfnParameterProps:
     def type(self) -> builtins.str:
         '''The type of parameter.
 
-        .. epigraph::
-
-           Although ``SecureString`` is included in the list of valid values, AWS CloudFormation does *not* currently support creating ``SecureString`` parameters.
-
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-parameter.html#cfn-ssm-parameter-type
         '''
         result = self._values.get("type")
@@ -5168,7 +5171,7 @@ class CfnPatchBaseline(
         :param operating_system: Defines the operating system the patch baseline applies to. The default value is ``WINDOWS`` . Default: - "WINDOWS"
         :param patch_groups: The name of the patch group to be registered with the patch baseline.
         :param rejected_patches: A list of explicitly rejected patches for the baseline. For information about accepted formats for lists of approved patches and rejected patches, see `About package name formats for approved and rejected patch lists <https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html>`_ in the *AWS Systems Manager User Guide* .
-        :param rejected_patches_action: The action for Patch Manager to take on patches included in the ``RejectedPackages`` list. - *``ALLOW_AS_DEPENDENCY``* : A package in the ``Rejected`` patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline, and its status is reported as ``InstalledOther`` . This is the default action if no option is specified. - *``BLOCK``* : Packages in the ``RejectedPatches`` list, and packages that include them as dependencies, aren't installed under any circumstances. If a package was installed before it was added to the Rejected patches list, it is considered non-compliant with the patch baseline, and its status is reported as ``InstalledRejected`` . Default: - "ALLOW_AS_DEPENDENCY"
+        :param rejected_patches_action: The action for Patch Manager to take on patches included in the ``RejectedPackages`` list. - *``ALLOW_AS_DEPENDENCY``* : A package in the ``Rejected`` patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline, and its status is reported as ``InstalledOther`` . This is the default action if no option is specified. - *BLOCK* : Packages in the *Rejected patches* list, and packages that include them as dependencies, aren't installed by Patch Manager under any circumstances. If a package was installed before it was added to the *Rejected patches* list, or is installed outside of Patch Manager afterward, it's considered noncompliant with the patch baseline and its status is reported as *InstalledRejected* . Default: - "ALLOW_AS_DEPENDENCY"
         :param sources: Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
         :param tags: Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a patch baseline to identify the severity level of patches it specifies and the operating system family it applies to.
         '''
@@ -5974,7 +5977,7 @@ class CfnPatchBaselineProps:
         :param operating_system: Defines the operating system the patch baseline applies to. The default value is ``WINDOWS`` . Default: - "WINDOWS"
         :param patch_groups: The name of the patch group to be registered with the patch baseline.
         :param rejected_patches: A list of explicitly rejected patches for the baseline. For information about accepted formats for lists of approved patches and rejected patches, see `About package name formats for approved and rejected patch lists <https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html>`_ in the *AWS Systems Manager User Guide* .
-        :param rejected_patches_action: The action for Patch Manager to take on patches included in the ``RejectedPackages`` list. - *``ALLOW_AS_DEPENDENCY``* : A package in the ``Rejected`` patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline, and its status is reported as ``InstalledOther`` . This is the default action if no option is specified. - *``BLOCK``* : Packages in the ``RejectedPatches`` list, and packages that include them as dependencies, aren't installed under any circumstances. If a package was installed before it was added to the Rejected patches list, it is considered non-compliant with the patch baseline, and its status is reported as ``InstalledRejected`` . Default: - "ALLOW_AS_DEPENDENCY"
+        :param rejected_patches_action: The action for Patch Manager to take on patches included in the ``RejectedPackages`` list. - *``ALLOW_AS_DEPENDENCY``* : A package in the ``Rejected`` patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline, and its status is reported as ``InstalledOther`` . This is the default action if no option is specified. - *BLOCK* : Packages in the *Rejected patches* list, and packages that include them as dependencies, aren't installed by Patch Manager under any circumstances. If a package was installed before it was added to the *Rejected patches* list, or is installed outside of Patch Manager afterward, it's considered noncompliant with the patch baseline and its status is reported as *InstalledRejected* . Default: - "ALLOW_AS_DEPENDENCY"
         :param sources: Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
         :param tags: Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a patch baseline to identify the severity level of patches it specifies and the operating system family it applies to.
 
@@ -6210,7 +6213,7 @@ class CfnPatchBaselineProps:
         '''The action for Patch Manager to take on patches included in the ``RejectedPackages`` list.
 
         - *``ALLOW_AS_DEPENDENCY``* : A package in the ``Rejected`` patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline, and its status is reported as ``InstalledOther`` . This is the default action if no option is specified.
-        - *``BLOCK``* : Packages in the ``RejectedPatches`` list, and packages that include them as dependencies, aren't installed under any circumstances. If a package was installed before it was added to the Rejected patches list, it is considered non-compliant with the patch baseline, and its status is reported as ``InstalledRejected`` .
+        - *BLOCK* : Packages in the *Rejected patches* list, and packages that include them as dependencies, aren't installed by Patch Manager under any circumstances. If a package was installed before it was added to the *Rejected patches* list, or is installed outside of Patch Manager afterward, it's considered noncompliant with the patch baseline and its status is reported as *InstalledRejected* .
 
         :default: - "ALLOW_AS_DEPENDENCY"