aws-cdk-lib 2.141.0__py3-none-any.whl → 2.142.1__py3-none-any.whl

aws_cdk/aws_events_targets/__init__.py

@@ -18,6 +18,7 @@ Currently supported are:
   * [Queue a Batch job](#queue-a-batch-job)
   * [Invoke an API Gateway REST API](#invoke-an-api-gateway-rest-api)
   * [Invoke an API Destination](#invoke-an-api-destination)
+  * [Invoke an AppSync GraphQL API](#invoke-an-appsync-graphql-api)
   * [Put an event on an EventBridge bus](#put-an-event-on-an-eventbridge-bus)
   * [Run an ECS Task](#run-an-ecs-task)
 
@@ -362,6 +363,67 @@ rule = events.Rule(self, "OtherRule",
 )
 ```
 
+## Invoke an AppSync GraphQL API
+
+Use the `AppSync` target to trigger an AppSync GraphQL API. You need to
+create an `AppSync.GraphqlApi` configured with `AWS_IAM` authorization mode.
+
+The code snippet below creates an AppSync GraphQL API target that is invoked every hour, calling the `publish` mutation.
+
+```python
+import aws_cdk.aws_appsync as appsync
+
+
+api = appsync.GraphqlApi(self, "api",
+    name="api",
+    definition=appsync.Definition.from_file("schema.graphql"),
+    authorization_config=appsync.AuthorizationConfig(
+        default_authorization=appsync.AuthorizationMode(authorization_type=appsync.AuthorizationType.IAM)
+    )
+)
+
+rule = events.Rule(self, "Rule",
+    schedule=events.Schedule.rate(cdk.Duration.hours(1))
+)
+
+rule.add_target(targets.AppSync(api,
+    graph_qLOperation="mutation Publish($message: String!){ publish(message: $message) { message } }",
+    variables=events.RuleTargetInput.from_object({
+        "message": "hello world"
+    })
+))
+```
+
+You can pass an existing role with the proper permissions to be used for the target when the rule is triggered. The code snippet below uses an existing role and grants permissions to use the publish Mutation on the GraphQL API.
+
+```python
+import aws_cdk.aws_iam as iam
+import aws_cdk.aws_appsync as appsync
+
+
+api = appsync.GraphqlApi.from_graphql_api_attributes(self, "ImportedAPI",
+    graphql_api_id="<api-id>",
+    graphql_api_arn="<api-arn>",
+    graph_qLEndpoint_arn="<api-endpoint-arn>",
+    visibility=appsync.Visibility.GLOBAL,
+    modes=[appsync.AuthorizationType.IAM]
+)
+
+rule = events.Rule(self, "Rule", schedule=events.Schedule.rate(cdk.Duration.minutes(1)))
+role = iam.Role(self, "Role", assumed_by=iam.ServicePrincipal("events.amazonaws.com"))
+
+# allow EventBridge to use the `publish` mutation
+api.grant_mutation(role, "publish")
+
+rule.add_target(targets.AppSync(api,
+    graph_qLOperation="mutation Publish($message: String!){ publish(message: $message) { message } }",
+    variables=events.RuleTargetInput.from_object({
+        "message": "hello world"
+    }),
+    event_role=role
+))
+```
+
 ## Put an event on an EventBridge bus
 
 Use the `EventBus` target to route event to a different EventBus.
@@ -517,6 +579,7 @@ from .. import Duration as _Duration_4839e8c3
 from ..aws_apigateway import (
     IRestApi as _IRestApi_1f02523d, RestApi as _RestApi_777c8238
 )
+from ..aws_appsync import IGraphqlApi as _IGraphqlApi_ed8270f3
 from ..aws_codebuild import IProject as _IProject_aafae30a
 from ..aws_codepipeline import IPipeline as _IPipeline_0931f838
 from ..aws_ec2 import (
@@ -767,6 +830,92 @@ class ApiGateway(
         return typing.cast(_RestApi_777c8238, jsii.get(self, "restApi"))
 
 
+@jsii.implements(_IRuleTarget_7a91f454)
+class AppSync(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_events_targets.AppSync",
+):
+    '''Use an AppSync GraphQL API as a target for Amazon EventBridge rules.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        import aws_cdk.aws_appsync as appsync
+        
+        
+        api = appsync.GraphqlApi(self, "api",
+            name="api",
+            definition=appsync.Definition.from_file("schema.graphql"),
+            authorization_config=appsync.AuthorizationConfig(
+                default_authorization=appsync.AuthorizationMode(authorization_type=appsync.AuthorizationType.IAM)
+            )
+        )
+        
+        rule = events.Rule(self, "Rule",
+            schedule=events.Schedule.rate(cdk.Duration.hours(1))
+        )
+        
+        rule.add_target(targets.AppSync(api,
+            graph_qLOperation="mutation Publish($message: String!){ publish(message: $message) { message } }",
+            variables=events.RuleTargetInput.from_object({
+                "message": "hello world"
+            })
+        ))
+    '''
+
+    def __init__(
+        self,
+        appsync_api: _IGraphqlApi_ed8270f3,
+        *,
+        graph_ql_operation: builtins.str,
+        event_role: typing.Optional[_IRole_235f5d8e] = None,
+        variables: typing.Optional[_RuleTargetInput_6beca786] = None,
+        dead_letter_queue: typing.Optional[_IQueue_7ed6f679] = None,
+        max_event_age: typing.Optional[_Duration_4839e8c3] = None,
+        retry_attempts: typing.Optional[jsii.Number] = None,
+    ) -> None:
+        '''
+        :param appsync_api: -
+        :param graph_ql_operation: The GraphQL operation; that is, the query, mutation, or subscription to be parsed and executed by the GraphQL service.
+        :param event_role: The role to assume before invoking the target (i.e., the pipeline) when the given rule is triggered. Default: - a new role with permissions to access mutations will be created
+        :param variables: The variables that are include in the GraphQL operation. Default: - The entire event is used
+        :param dead_letter_queue: The SQS queue to be used as deadLetterQueue. Check out the `considerations for using a dead-letter queue <https://docs.aws.amazon.com/eventbridge/latest/userguide/rule-dlq.html#dlq-considerations>`_. The events not successfully delivered are automatically retried for a specified period of time, depending on the retry policy of the target. If an event is not delivered before all retry attempts are exhausted, it will be sent to the dead letter queue. Default: - no dead-letter queue
+        :param max_event_age: The maximum age of a request that Lambda sends to a function for processing. Minimum value of 60. Maximum value of 86400. Default: Duration.hours(24)
+        :param retry_attempts: The maximum number of times to retry when the function returns an error. Minimum value of 0. Maximum value of 185. Default: 185
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__56a99cbd83a0d7a956b68eb6ee5cedd89a2b1c37754c2dc7f5a5ea2ccffb1c7f)
+            check_type(argname="argument appsync_api", value=appsync_api, expected_type=type_hints["appsync_api"])
+        props = AppSyncGraphQLApiProps(
+            graph_ql_operation=graph_ql_operation,
+            event_role=event_role,
+            variables=variables,
+            dead_letter_queue=dead_letter_queue,
+            max_event_age=max_event_age,
+            retry_attempts=retry_attempts,
+        )
+
+        jsii.create(self.__class__, self, [appsync_api, props])
+
+    @jsii.member(jsii_name="bind")
+    def bind(
+        self,
+        rule: _IRule_af9e3d28,
+        _id: typing.Optional[builtins.str] = None,
+    ) -> _RuleTargetConfig_4e70fe03:
+        '''Returns a RuleTarget that can be used to trigger this AppSync GraphQL API as a result from an EventBridge event.
+
+        :param rule: -
+        :param _id: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__6b1999a517525e35ef54e6129e3396c11b46ecb394388d3f908c6d627c051c4f)
+            check_type(argname="argument rule", value=rule, expected_type=type_hints["rule"])
+            check_type(argname="argument _id", value=_id, expected_type=type_hints["_id"])
+        return typing.cast(_RuleTargetConfig_4e70fe03, jsii.invoke(self, "bind", [rule, _id]))
+
+
 @jsii.implements(_IRuleTarget_7a91f454)
 class AwsApi(
     metaclass=jsii.JSIIMeta,
@@ -3277,6 +3426,164 @@ class ApiGatewayProps(TargetBaseProps):
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_events_targets.AppSyncGraphQLApiProps",
+    jsii_struct_bases=[TargetBaseProps],
+    name_mapping={
+        "dead_letter_queue": "deadLetterQueue",
+        "max_event_age": "maxEventAge",
+        "retry_attempts": "retryAttempts",
+        "graph_ql_operation": "graphQLOperation",
+        "event_role": "eventRole",
+        "variables": "variables",
+    },
+)
+class AppSyncGraphQLApiProps(TargetBaseProps):
+    def __init__(
+        self,
+        *,
+        dead_letter_queue: typing.Optional[_IQueue_7ed6f679] = None,
+        max_event_age: typing.Optional[_Duration_4839e8c3] = None,
+        retry_attempts: typing.Optional[jsii.Number] = None,
+        graph_ql_operation: builtins.str,
+        event_role: typing.Optional[_IRole_235f5d8e] = None,
+        variables: typing.Optional[_RuleTargetInput_6beca786] = None,
+    ) -> None:
+        '''Customize the AppSync GraphQL API target.
+
+        :param dead_letter_queue: The SQS queue to be used as deadLetterQueue. Check out the `considerations for using a dead-letter queue <https://docs.aws.amazon.com/eventbridge/latest/userguide/rule-dlq.html#dlq-considerations>`_. The events not successfully delivered are automatically retried for a specified period of time, depending on the retry policy of the target. If an event is not delivered before all retry attempts are exhausted, it will be sent to the dead letter queue. Default: - no dead-letter queue
+        :param max_event_age: The maximum age of a request that Lambda sends to a function for processing. Minimum value of 60. Maximum value of 86400. Default: Duration.hours(24)
+        :param retry_attempts: The maximum number of times to retry when the function returns an error. Minimum value of 0. Maximum value of 185. Default: 185
+        :param graph_ql_operation: The GraphQL operation; that is, the query, mutation, or subscription to be parsed and executed by the GraphQL service.
+        :param event_role: The role to assume before invoking the target (i.e., the pipeline) when the given rule is triggered. Default: - a new role with permissions to access mutations will be created
+        :param variables: The variables that are include in the GraphQL operation. Default: - The entire event is used
+
+        :exampleMetadata: infused
+
+        Example::
+
+            import aws_cdk.aws_appsync as appsync
+            
+            
+            api = appsync.GraphqlApi(self, "api",
+                name="api",
+                definition=appsync.Definition.from_file("schema.graphql"),
+                authorization_config=appsync.AuthorizationConfig(
+                    default_authorization=appsync.AuthorizationMode(authorization_type=appsync.AuthorizationType.IAM)
+                )
+            )
+            
+            rule = events.Rule(self, "Rule",
+                schedule=events.Schedule.rate(cdk.Duration.hours(1))
+            )
+            
+            rule.add_target(targets.AppSync(api,
+                graph_qLOperation="mutation Publish($message: String!){ publish(message: $message) { message } }",
+                variables=events.RuleTargetInput.from_object({
+                    "message": "hello world"
+                })
+            ))
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__aea6c33be1be64052595742c1fdd00fb0f53185ebe3c9f93ceacd92d82655d1d)
+            check_type(argname="argument dead_letter_queue", value=dead_letter_queue, expected_type=type_hints["dead_letter_queue"])
+            check_type(argname="argument max_event_age", value=max_event_age, expected_type=type_hints["max_event_age"])
+            check_type(argname="argument retry_attempts", value=retry_attempts, expected_type=type_hints["retry_attempts"])
+            check_type(argname="argument graph_ql_operation", value=graph_ql_operation, expected_type=type_hints["graph_ql_operation"])
+            check_type(argname="argument event_role", value=event_role, expected_type=type_hints["event_role"])
+            check_type(argname="argument variables", value=variables, expected_type=type_hints["variables"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "graph_ql_operation": graph_ql_operation,
+        }
+        if dead_letter_queue is not None:
+            self._values["dead_letter_queue"] = dead_letter_queue
+        if max_event_age is not None:
+            self._values["max_event_age"] = max_event_age
+        if retry_attempts is not None:
+            self._values["retry_attempts"] = retry_attempts
+        if event_role is not None:
+            self._values["event_role"] = event_role
+        if variables is not None:
+            self._values["variables"] = variables
+
+    @builtins.property
+    def dead_letter_queue(self) -> typing.Optional[_IQueue_7ed6f679]:
+        '''The SQS queue to be used as deadLetterQueue. Check out the `considerations for using a dead-letter queue <https://docs.aws.amazon.com/eventbridge/latest/userguide/rule-dlq.html#dlq-considerations>`_.
+
+        The events not successfully delivered are automatically retried for a specified period of time,
+        depending on the retry policy of the target.
+        If an event is not delivered before all retry attempts are exhausted, it will be sent to the dead letter queue.
+
+        :default: - no dead-letter queue
+        '''
+        result = self._values.get("dead_letter_queue")
+        return typing.cast(typing.Optional[_IQueue_7ed6f679], result)
+
+    @builtins.property
+    def max_event_age(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The maximum age of a request that Lambda sends to a function for processing.
+
+        Minimum value of 60.
+        Maximum value of 86400.
+
+        :default: Duration.hours(24)
+        '''
+        result = self._values.get("max_event_age")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def retry_attempts(self) -> typing.Optional[jsii.Number]:
+        '''The maximum number of times to retry when the function returns an error.
+
+        Minimum value of 0.
+        Maximum value of 185.
+
+        :default: 185
+        '''
+        result = self._values.get("retry_attempts")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def graph_ql_operation(self) -> builtins.str:
+        '''The GraphQL operation;
+
+        that is, the query, mutation, or subscription
+        to be parsed and executed by the GraphQL service.
+        '''
+        result = self._values.get("graph_ql_operation")
+        assert result is not None, "Required property 'graph_ql_operation' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def event_role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The role to assume before invoking the target (i.e., the pipeline) when the given rule is triggered.
+
+        :default: - a new role with permissions to access mutations will be created
+        '''
+        result = self._values.get("event_role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+
+    @builtins.property
+    def variables(self) -> typing.Optional[_RuleTargetInput_6beca786]:
+        '''The variables that are include in the GraphQL operation.
+
+        :default: - The entire event is used
+        '''
+        result = self._values.get("variables")
+        return typing.cast(typing.Optional[_RuleTargetInput_6beca786], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AppSyncGraphQLApiProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_events_targets.BatchJobProps",
     jsii_struct_bases=[TargetBaseProps],
@@ -4742,6 +5049,8 @@ __all__ = [
     "ApiDestinationProps",
     "ApiGateway",
     "ApiGatewayProps",
+    "AppSync",
+    "AppSyncGraphQLApiProps",
     "AwsApi",
     "AwsApiInput",
     "AwsApiProps",
@@ -4826,6 +5135,26 @@ def _typecheckingstub__f34d8ba93048cf243454dc97d2236199033c050fc0bbc6ff84e18fa60
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__56a99cbd83a0d7a956b68eb6ee5cedd89a2b1c37754c2dc7f5a5ea2ccffb1c7f(
+    appsync_api: _IGraphqlApi_ed8270f3,
+    *,
+    graph_ql_operation: builtins.str,
+    event_role: typing.Optional[_IRole_235f5d8e] = None,
+    variables: typing.Optional[_RuleTargetInput_6beca786] = None,
+    dead_letter_queue: typing.Optional[_IQueue_7ed6f679] = None,
+    max_event_age: typing.Optional[_Duration_4839e8c3] = None,
+    retry_attempts: typing.Optional[jsii.Number] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__6b1999a517525e35ef54e6129e3396c11b46ecb394388d3f908c6d627c051c4f(
+    rule: _IRule_af9e3d28,
+    _id: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__a41bcbfd7e37d2d2cf83a8f636d325a2a328da0a83ef4d994f0be12782f7d357(
     rule: _IRule_af9e3d28,
     id: typing.Optional[builtins.str] = None,
@@ -5170,6 +5499,18 @@ def _typecheckingstub__ed5e368611ecca03be97333615df4f6727992e87138462a27cc1f9a4c
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__aea6c33be1be64052595742c1fdd00fb0f53185ebe3c9f93ceacd92d82655d1d(
+    *,
+    dead_letter_queue: typing.Optional[_IQueue_7ed6f679] = None,
+    max_event_age: typing.Optional[_Duration_4839e8c3] = None,
+    retry_attempts: typing.Optional[jsii.Number] = None,
+    graph_ql_operation: builtins.str,
+    event_role: typing.Optional[_IRole_235f5d8e] = None,
+    variables: typing.Optional[_RuleTargetInput_6beca786] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__91b263189af78d46fd5bf421034197688036a7347fbaee9bef843d928f9bb43f(
     *,
     dead_letter_queue: typing.Optional[_IQueue_7ed6f679] = None,

aws_cdk/aws_iam/__init__.py

@@ -10723,16 +10723,21 @@ class RoleProps:
 
         Example::
 
-            # definition: sfn.IChainable
-            role = iam.Role(self, "Role",
-                assumed_by=iam.ServicePrincipal("lambda.amazonaws.com")
-            )
-            state_machine = sfn.StateMachine(self, "StateMachine",
-                definition_body=sfn.DefinitionBody.from_chainable(definition)
+            # Option 3: Create a new role that allows the account root principal to assume. Add this role in the `system:masters` and witch to this role from the AWS console.
+            # cluster: eks.Cluster
+            
+            
+            console_read_only_role = iam.Role(self, "ConsoleReadOnlyRole",
+                assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
             )
+            console_read_only_role.add_to_policy(iam.PolicyStatement(
+                actions=["eks:AccessKubernetesApi", "eks:Describe*", "eks:List*"
+                ],
+                resources=[cluster.cluster_arn]
+            ))
             
-            # Give role permission to get execution history of ALL executions for the state machine
-            state_machine.grant_execution(role, "states:GetExecutionHistory")
+            # Add this role to system:masters RBAC group
+            cluster.aws_auth.add_masters_role(console_read_only_role)
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__9c9223cb9fa6dff45ee4fd7013629ab18542c2499a83f542c5405968fad2287c)

aws_cdk/aws_lambda_nodejs/__init__.py

@@ -157,6 +157,9 @@ environment.
 When passing a runtime that is known to include a version of the aws sdk, it will be excluded by default. For example, when
 passing `NODEJS_16_X`, `aws-sdk` is excluded. When passing `NODEJS_18_X`,  all `@aws-sdk/*` packages are excluded.
 
+> [!WARNING]
+> The NodeJS runtime of Node 16 will be deprecated by Lambda on June 12, 2024. Lambda runtimes Node 18 and higher include SDKv3 and not SDKv2. Updating your Lambda runtime from <=Node 16 to any newer version will require bundling the SDK with your handler code, or updating all SDK calls in your handler code to use SDKv3 (which is not a trivial update). Please account for this added complexity and update as soon as possible.
+
 This can be configured by specifying `bundling.externalModules`:
 
 ```python

aws_cdk/aws_logs/__init__.py

@@ -69,7 +69,7 @@ log_group = logs.LogGroup(self, "LogGroup")
 log_group.grant_write(iam.ServicePrincipal("es.amazonaws.com"))
 ```
 
-Similarily, read permissions can be granted to the log group as follows.
+Similarly, read permissions can be granted to the log group as follows.
 
 ```python
 log_group = logs.LogGroup(self, "LogGroup")
@@ -6018,7 +6018,7 @@ class LogGroup(
         :param scope: -
         :param id: -
         :param data_protection_policy: Data Protection Policy for this log group. Default: - no data protection policy
-        :param encryption_key: The KMS customer managed key to encrypt the log group with. Default: Server-side encrpytion managed by the CloudWatch Logs service
+        :param encryption_key: The KMS customer managed key to encrypt the log group with. Default: Server-side encryption managed by the CloudWatch Logs service
         :param log_group_class: The class of the log group. Possible values are: STANDARD and INFREQUENT_ACCESS. INFREQUENT_ACCESS class provides customers a cost-effective way to consolidate logs which supports querying using Logs Insights. The logGroupClass property cannot be changed once the log group is created. Default: LogGroupClass.STANDARD
         :param log_group_name: Name of the log group. Default: Automatically generated
         :param removal_policy: Determine the removal policy of this log group. Normally you want to retain the log group so you can diagnose issues from logs even after a deployment that no longer includes the log group. In that case, use the normal date-based retention policy to age out your logs. Default: RemovalPolicy.Retain
@@ -6312,7 +6312,7 @@ class LogGroupProps:
         '''Properties for a LogGroup.
 
         :param data_protection_policy: Data Protection Policy for this log group. Default: - no data protection policy
-        :param encryption_key: The KMS customer managed key to encrypt the log group with. Default: Server-side encrpytion managed by the CloudWatch Logs service
+        :param encryption_key: The KMS customer managed key to encrypt the log group with. Default: Server-side encryption managed by the CloudWatch Logs service
         :param log_group_class: The class of the log group. Possible values are: STANDARD and INFREQUENT_ACCESS. INFREQUENT_ACCESS class provides customers a cost-effective way to consolidate logs which supports querying using Logs Insights. The logGroupClass property cannot be changed once the log group is created. Default: LogGroupClass.STANDARD
         :param log_group_name: Name of the log group. Default: Automatically generated
         :param removal_policy: Determine the removal policy of this log group. Normally you want to retain the log group so you can diagnose issues from logs even after a deployment that no longer includes the log group. In that case, use the normal date-based retention policy to age out your logs. Default: RemovalPolicy.Retain
@@ -6386,7 +6386,7 @@ class LogGroupProps:
     def encryption_key(self) -> typing.Optional[_IKey_5f11635f]:
         '''The KMS customer managed key to encrypt the log group with.
 
-        :default: Server-side encrpytion managed by the CloudWatch Logs service
+        :default: Server-side encryption managed by the CloudWatch Logs service
         '''
         result = self._values.get("encryption_key")
         return typing.cast(typing.Optional[_IKey_5f11635f], result)
@@ -8701,7 +8701,7 @@ class CustomDataIdentifier(
         '''Create a custom data identifier.
 
         :param name: - the name of the custom data identifier. This cannot share the same name as a managed data identifier.
-        :param regex: - the regular expresssion to detect and mask log events for.
+        :param regex: - the regular expression to detect and mask log events for.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__8962f986463b4e81629495838f26c8990feeca56061597cb66e94771b4cfb79d)
@@ -8729,7 +8729,7 @@ class CustomDataIdentifier(
     @builtins.property
     @jsii.member(jsii_name="regex")
     def regex(self) -> builtins.str:
-        '''- the regular expresssion to detect and mask log events for.'''
+        '''- the regular expression to detect and mask log events for.'''
         return typing.cast(builtins.str, jsii.get(self, "regex"))
 
 

aws_cdk/aws_rds/__init__.py

@@ -323,7 +323,7 @@ to use for a cluster instances:
 cluster = rds.DatabaseCluster(self, "Database",
     engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_3_01_0),
     writer=rds.ClusterInstance.provisioned("writer",
-        ca_certificate=rds.CaCertificate.RDS_CA_RDS2048_G1
+        ca_certificate=rds.CaCertificate.RDS_CA_RSA2048_G1
     ),
     readers=[
         rds.ClusterInstance.serverless_v2("reader",
@@ -696,7 +696,7 @@ to use for the instance:
 rds.DatabaseInstance(self, "Instance",
     engine=rds.DatabaseInstanceEngine.mysql(version=rds.MysqlEngineVersion.VER_8_0_30),
     vpc=vpc,
-    ca_certificate=rds.CaCertificate.RDS_CA_RDS2048_G1
+    ca_certificate=rds.CaCertificate.RDS_CA_RSA2048_G1
 )
 ```
 
@@ -3440,6 +3440,12 @@ class AuroraPostgresEngineVersion(
         '''Version "16.1".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_16_1"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_16_2")
+    def VER_16_2(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "16.2".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_16_2"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_9_6_11")
     def VER_9_6_11(cls) -> "AuroraPostgresEngineVersion":
@@ -3652,10 +3658,16 @@ class CaCertificate(
         # vpc: ec2.Vpc
         
         
-        rds.DatabaseInstance(self, "Instance",
-            engine=rds.DatabaseInstanceEngine.mysql(version=rds.MysqlEngineVersion.VER_8_0_30),
+        cluster = docdb.DatabaseCluster(self, "Database",
+            master_user=docdb.Login(
+                username="myuser"
+            ),
+            instance_type=ec2.InstanceType.of(ec2.InstanceClass.MEMORY5, ec2.InstanceSize.LARGE),
+            vpc_subnets=ec2.SubnetSelection(
+                subnet_type=ec2.SubnetType.PUBLIC
+            ),
             vpc=vpc,
-            ca_certificate=rds.CaCertificate.of("future-rds-ca")
+            ca_certificate=docdb.CaCertificate.RDS_CA_RSA4096_G1
         )
     '''
 
@@ -3691,15 +3703,37 @@ class CaCertificate(
     @jsii.python.classproperty
     @jsii.member(jsii_name="RDS_CA_RDS2048_G1")
     def RDS_CA_RDS2048_G1(cls) -> "CaCertificate":
-        '''rds-ca-rsa2048-g1 certificate authority.'''
+        '''(deprecated) rds-ca-rsa2048-g1 certificate authority.
+
+        :deprecated: use RDS_CA_RSA2048_G1 (slight misspelling)
+
+        :stability: deprecated
+        '''
         return typing.cast("CaCertificate", jsii.sget(cls, "RDS_CA_RDS2048_G1"))
 
     @jsii.python.classproperty
     @jsii.member(jsii_name="RDS_CA_RDS4096_G1")
     def RDS_CA_RDS4096_G1(cls) -> "CaCertificate":
-        '''rds-ca-rsa4096-g1 certificate authority.'''
+        '''(deprecated) rds-ca-rsa4096-g1 certificate authority.
+
+        :deprecated: use RDS_CA_RSA4096_G1 (slight misspelling)
+
+        :stability: deprecated
+        '''
         return typing.cast("CaCertificate", jsii.sget(cls, "RDS_CA_RDS4096_G1"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="RDS_CA_RSA2048_G1")
+    def RDS_CA_RSA2048_G1(cls) -> "CaCertificate":
+        '''rds-ca-rsa2048-g1 certificate authority.'''
+        return typing.cast("CaCertificate", jsii.sget(cls, "RDS_CA_RSA2048_G1"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="RDS_CA_RSA4096_G1")
+    def RDS_CA_RSA4096_G1(cls) -> "CaCertificate":
+        '''rds-ca-rsa4096-g1 certificate authority.'''
+        return typing.cast("CaCertificate", jsii.sget(cls, "RDS_CA_RSA4096_G1"))
+
 
 @jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
 class CfnCustomDBEngineVersion(
@@ -35591,7 +35625,7 @@ class ServerlessV2ClusterInstanceProps(ClusterInstanceOptions):
             cluster = rds.DatabaseCluster(self, "Database",
                 engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_3_01_0),
                 writer=rds.ClusterInstance.provisioned("writer",
-                    ca_certificate=rds.CaCertificate.RDS_CA_RDS2048_G1
+                    ca_certificate=rds.CaCertificate.RDS_CA_RSA2048_G1
                 ),
                 readers=[
                     rds.ClusterInstance.serverless_v2("reader",

aws_cdk/aws_s3/__init__.py

@@ -597,6 +597,8 @@ as it does not contain any objects.
 To override this and force all objects to get deleted during bucket deletion,
 enable the`autoDeleteObjects` option.
 
+When `autoDeleteObjects` is enabled, `s3:PutBucketPolicy` is added to the bucket policy. This is done to allow the custom resource this feature is built on to add a deny policy for `s3:PutObject` to the bucket policy when a delete stack event occurs. Adding this deny policy prevents new objects from being written to the bucket. Doing this prevents race conditions with external bucket writers during the deletion process.
+
 ```python
 bucket = s3.Bucket(self, "MyTempFileBucket",
     removal_policy=cdk.RemovalPolicy.DESTROY,
@@ -1752,7 +1754,7 @@ class BucketProps:
     ) -> None:
         '''
         :param access_control: Specifies a canned ACL that grants predefined permissions to the bucket. Default: BucketAccessControl.PRIVATE
-        :param auto_delete_objects: Whether all objects should be automatically deleted when the bucket is removed from the stack or when the stack is deleted. Requires the ``removalPolicy`` to be set to ``RemovalPolicy.DESTROY``. **Warning** if you have deployed a bucket with ``autoDeleteObjects: true``, switching this to ``false`` in a CDK version *before* ``1.126.0`` will lead to all objects in the bucket being deleted. Be sure to update your bucket resources by deploying with CDK version ``1.126.0`` or later **before** switching this value to ``false``. Default: false
+        :param auto_delete_objects: Whether all objects should be automatically deleted when the bucket is removed from the stack or when the stack is deleted. Requires the ``removalPolicy`` to be set to ``RemovalPolicy.DESTROY``. **Warning** if you have deployed a bucket with ``autoDeleteObjects: true``, switching this to ``false`` in a CDK version *before* ``1.126.0`` will lead to all objects in the bucket being deleted. Be sure to update your bucket resources by deploying with CDK version ``1.126.0`` or later **before** switching this value to ``false``. Setting ``autoDeleteObjects`` to true on a bucket will add ``s3:PutBucketPolicy`` to the bucket policy. This is because during bucket deletion, the custom resource provider needs to update the bucket policy by adding a deny policy for ``s3:PutObject`` to prevent race conditions with external bucket writers. Default: false
         :param block_public_access: The block public access configuration of this bucket. Default: - CloudFormation defaults will apply. New buckets and objects don't allow public access, but users can modify bucket policies or object permissions to allow public access
         :param bucket_key_enabled: Whether Amazon S3 should use its own intermediary key to generate data keys. Only relevant when using KMS for encryption. - If not enabled, every object GET and PUT will cause an API call to KMS (with the attendant cost implications of that). - If enabled, S3 will use its own time-limited key instead. Only relevant, when Encryption is set to ``BucketEncryption.KMS`` or ``BucketEncryption.KMS_MANAGED``. Default: - false
         :param bucket_name: Physical name of this bucket. Default: - Assigned by CloudFormation (recommended).
@@ -1919,6 +1921,11 @@ class BucketProps:
         all objects in the bucket being deleted. Be sure to update your bucket resources
         by deploying with CDK version ``1.126.0`` or later **before** switching this value to ``false``.
 
+        Setting ``autoDeleteObjects`` to true on a bucket will add ``s3:PutBucketPolicy`` to the
+        bucket policy. This is because during bucket deletion, the custom resource provider
+        needs to update the bucket policy by adding a deny policy for ``s3:PutObject`` to
+        prevent race conditions with external bucket writers.
+
         :default: false
         '''
         result = self._values.get("auto_delete_objects")
@@ -19361,7 +19368,7 @@ class Bucket(
         :param scope: -
         :param id: -
         :param access_control: Specifies a canned ACL that grants predefined permissions to the bucket. Default: BucketAccessControl.PRIVATE
-        :param auto_delete_objects: Whether all objects should be automatically deleted when the bucket is removed from the stack or when the stack is deleted. Requires the ``removalPolicy`` to be set to ``RemovalPolicy.DESTROY``. **Warning** if you have deployed a bucket with ``autoDeleteObjects: true``, switching this to ``false`` in a CDK version *before* ``1.126.0`` will lead to all objects in the bucket being deleted. Be sure to update your bucket resources by deploying with CDK version ``1.126.0`` or later **before** switching this value to ``false``. Default: false
+        :param auto_delete_objects: Whether all objects should be automatically deleted when the bucket is removed from the stack or when the stack is deleted. Requires the ``removalPolicy`` to be set to ``RemovalPolicy.DESTROY``. **Warning** if you have deployed a bucket with ``autoDeleteObjects: true``, switching this to ``false`` in a CDK version *before* ``1.126.0`` will lead to all objects in the bucket being deleted. Be sure to update your bucket resources by deploying with CDK version ``1.126.0`` or later **before** switching this value to ``false``. Setting ``autoDeleteObjects`` to true on a bucket will add ``s3:PutBucketPolicy`` to the bucket policy. This is because during bucket deletion, the custom resource provider needs to update the bucket policy by adding a deny policy for ``s3:PutObject`` to prevent race conditions with external bucket writers. Default: false
         :param block_public_access: The block public access configuration of this bucket. Default: - CloudFormation defaults will apply. New buckets and objects don't allow public access, but users can modify bucket policies or object permissions to allow public access
         :param bucket_key_enabled: Whether Amazon S3 should use its own intermediary key to generate data keys. Only relevant when using KMS for encryption. - If not enabled, every object GET and PUT will cause an API call to KMS (with the attendant cost implications of that). - If enabled, S3 will use its own time-limited key instead. Only relevant, when Encryption is set to ``BucketEncryption.KMS`` or ``BucketEncryption.KMS_MANAGED``. Default: - false
         :param bucket_name: Physical name of this bucket. Default: - Assigned by CloudFormation (recommended).