aws-cdk-lib 2.147.2__py3-none-any.whl → 2.148.0__py3-none-any.whl

aws_cdk/aws_kinesisfirehose/__init__.py

@@ -1,4 +1,4 @@
-'''
+r'''
 # Amazon Kinesis Data Firehose Construct Library
 
 This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
@@ -3373,6 +3373,7 @@ class CfnDeliveryStream(
             "retry_options": "retryOptions",
             "role_arn": "roleArn",
             "s3_backup_mode": "s3BackupMode",
+            "secrets_manager_configuration": "secretsManagerConfiguration",
         },
     )
     class HttpEndpointDestinationConfigurationProperty:
@@ -3388,6 +3389,7 @@ class CfnDeliveryStream(
             retry_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.RetryOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             role_arn: typing.Optional[builtins.str] = None,
             s3_backup_mode: typing.Optional[builtins.str] = None,
+            secrets_manager_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.SecretsManagerConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
             '''Describes the configuration of the HTTP endpoint destination.
 
@@ -3402,6 +3404,7 @@ class CfnDeliveryStream(
             :param retry_options: Describes the retry behavior in case Kinesis Data Firehose is unable to deliver data to the specified HTTP endpoint destination, or if it doesn't receive a valid acknowledgment of receipt from the specified HTTP endpoint destination.
             :param role_arn: Kinesis Data Firehose uses this IAM role for all the permissions that the delivery stream needs.
             :param s3_backup_mode: Describes the S3 bucket backup options for the data that Kinesis Data Firehose delivers to the HTTP endpoint destination. You can back up all documents (AllData) or only the documents that Kinesis Data Firehose could not deliver to the specified HTTP endpoint destination (FailedDataOnly).
+            :param secrets_manager_configuration: The configuration that defines how you access secrets for HTTP Endpoint destination.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-httpendpointdestinationconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -3478,7 +3481,14 @@ class CfnDeliveryStream(
                         duration_in_seconds=123
                     ),
                     role_arn="roleArn",
-                    s3_backup_mode="s3BackupMode"
+                    s3_backup_mode="s3BackupMode",
+                    secrets_manager_configuration=kinesisfirehose.CfnDeliveryStream.SecretsManagerConfigurationProperty(
+                        enabled=False,
+                
+                        # the properties below are optional
+                        role_arn="roleArn",
+                        secret_arn="secretArn"
+                    )
                 )
             '''
             if __debug__:
@@ -3492,6 +3502,7 @@ class CfnDeliveryStream(
                 check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
                 check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
                 check_type(argname="argument s3_backup_mode", value=s3_backup_mode, expected_type=type_hints["s3_backup_mode"])
+                check_type(argname="argument secrets_manager_configuration", value=secrets_manager_configuration, expected_type=type_hints["secrets_manager_configuration"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
                 "endpoint_configuration": endpoint_configuration,
                 "s3_configuration": s3_configuration,
@@ -3510,6 +3521,8 @@ class CfnDeliveryStream(
                 self._values["role_arn"] = role_arn
             if s3_backup_mode is not None:
                 self._values["s3_backup_mode"] = s3_backup_mode
+            if secrets_manager_configuration is not None:
+                self._values["secrets_manager_configuration"] = secrets_manager_configuration
 
         @builtins.property
         def endpoint_configuration(
@@ -3612,6 +3625,17 @@ class CfnDeliveryStream(
             result = self._values.get("s3_backup_mode")
             return typing.cast(typing.Optional[builtins.str], result)
 
+        @builtins.property
+        def secrets_manager_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.SecretsManagerConfigurationProperty"]]:
+            '''The configuration that defines how you access secrets for HTTP Endpoint destination.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-httpendpointdestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-httpendpointdestinationconfiguration-secretsmanagerconfiguration
+            '''
+            result = self._values.get("secrets_manager_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.SecretsManagerConfigurationProperty"]], result)
+
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -4810,15 +4834,16 @@ class CfnDeliveryStream(
         name_mapping={
             "cluster_jdbcurl": "clusterJdbcurl",
             "copy_command": "copyCommand",
-            "password": "password",
             "role_arn": "roleArn",
             "s3_configuration": "s3Configuration",
-            "username": "username",
             "cloud_watch_logging_options": "cloudWatchLoggingOptions",
+            "password": "password",
             "processing_configuration": "processingConfiguration",
             "retry_options": "retryOptions",
             "s3_backup_configuration": "s3BackupConfiguration",
             "s3_backup_mode": "s3BackupMode",
+            "secrets_manager_configuration": "secretsManagerConfiguration",
+            "username": "username",
         },
     )
     class RedshiftDestinationConfigurationProperty:
@@ -4827,29 +4852,31 @@ class CfnDeliveryStream(
             *,
             cluster_jdbcurl: builtins.str,
             copy_command: typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.CopyCommandProperty", typing.Dict[builtins.str, typing.Any]]],
-            password: builtins.str,
             role_arn: builtins.str,
             s3_configuration: typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.S3DestinationConfigurationProperty", typing.Dict[builtins.str, typing.Any]]],
-            username: builtins.str,
             cloud_watch_logging_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.CloudWatchLoggingOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            password: typing.Optional[builtins.str] = None,
             processing_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.ProcessingConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             retry_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.RedshiftRetryOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             s3_backup_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.S3DestinationConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             s3_backup_mode: typing.Optional[builtins.str] = None,
+            secrets_manager_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.SecretsManagerConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            username: typing.Optional[builtins.str] = None,
         ) -> None:
             '''The ``RedshiftDestinationConfiguration`` property type specifies an Amazon Redshift cluster to which Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivers data.
 
             :param cluster_jdbcurl: The connection string that Kinesis Data Firehose uses to connect to the Amazon Redshift cluster.
             :param copy_command: Configures the Amazon Redshift ``COPY`` command that Kinesis Data Firehose uses to load data into the cluster from the Amazon S3 bucket.
-            :param password: The password for the Amazon Redshift user that you specified in the ``Username`` property.
             :param role_arn: The ARN of the AWS Identity and Access Management (IAM) role that grants Kinesis Data Firehose access to your Amazon S3 bucket and AWS KMS (if you enable data encryption). For more information, see `Grant Kinesis Data Firehose Access to an Amazon Redshift Destination <https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-rs>`_ in the *Amazon Kinesis Data Firehose Developer Guide* .
             :param s3_configuration: The S3 bucket where Kinesis Data Firehose first delivers data. After the data is in the bucket, Kinesis Data Firehose uses the ``COPY`` command to load the data into the Amazon Redshift cluster. For the Amazon S3 bucket's compression format, don't specify ``SNAPPY`` or ``ZIP`` because the Amazon Redshift ``COPY`` command doesn't support them.
-            :param username: The Amazon Redshift user that has permission to access the Amazon Redshift cluster. This user must have ``INSERT`` privileges for copying data from the Amazon S3 bucket to the cluster.
             :param cloud_watch_logging_options: The CloudWatch logging options for your delivery stream.
+            :param password: The password for the Amazon Redshift user that you specified in the ``Username`` property.
             :param processing_configuration: The data processing configuration for the Kinesis Data Firehose delivery stream.
             :param retry_options: The retry behavior in case Firehose is unable to deliver documents to Amazon Redshift. Default value is 3600 (60 minutes).
             :param s3_backup_configuration: The configuration for backup in Amazon S3.
             :param s3_backup_mode: The Amazon S3 backup mode. After you create a delivery stream, you can update it to enable Amazon S3 backup if it is disabled. If backup is enabled, you can't update the delivery stream to disable it.
+            :param secrets_manager_configuration: The configuration that defines how you access secrets for Amazon Redshift.
+            :param username: The Amazon Redshift user that has permission to access the Amazon Redshift cluster. This user must have ``INSERT`` privileges for copying data from the Amazon S3 bucket to the cluster.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-redshiftdestinationconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -4869,7 +4896,6 @@ class CfnDeliveryStream(
                         copy_options="copyOptions",
                         data_table_columns="dataTableColumns"
                     ),
-                    password="password",
                     role_arn="roleArn",
                     s3_configuration=kinesisfirehose.CfnDeliveryStream.S3DestinationConfigurationProperty(
                         bucket_arn="bucketArn",
@@ -4895,7 +4921,6 @@ class CfnDeliveryStream(
                         error_output_prefix="errorOutputPrefix",
                         prefix="prefix"
                     ),
-                    username="username",
                 
                     # the properties below are optional
                     cloud_watch_logging_options=kinesisfirehose.CfnDeliveryStream.CloudWatchLoggingOptionsProperty(
@@ -4903,6 +4928,7 @@ class CfnDeliveryStream(
                         log_group_name="logGroupName",
                         log_stream_name="logStreamName"
                     ),
+                    password="password",
                     processing_configuration=kinesisfirehose.CfnDeliveryStream.ProcessingConfigurationProperty(
                         enabled=False,
                         processors=[kinesisfirehose.CfnDeliveryStream.ProcessorProperty(
@@ -4942,32 +4968,41 @@ class CfnDeliveryStream(
                         error_output_prefix="errorOutputPrefix",
                         prefix="prefix"
                     ),
-                    s3_backup_mode="s3BackupMode"
+                    s3_backup_mode="s3BackupMode",
+                    secrets_manager_configuration=kinesisfirehose.CfnDeliveryStream.SecretsManagerConfigurationProperty(
+                        enabled=False,
+                
+                        # the properties below are optional
+                        role_arn="roleArn",
+                        secret_arn="secretArn"
+                    ),
+                    username="username"
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__a05dc5298788a3b9496bc2e383242a0570183c6703c04af2c5e991292f2c58fa)
                 check_type(argname="argument cluster_jdbcurl", value=cluster_jdbcurl, expected_type=type_hints["cluster_jdbcurl"])
                 check_type(argname="argument copy_command", value=copy_command, expected_type=type_hints["copy_command"])
-                check_type(argname="argument password", value=password, expected_type=type_hints["password"])
                 check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
                 check_type(argname="argument s3_configuration", value=s3_configuration, expected_type=type_hints["s3_configuration"])
-                check_type(argname="argument username", value=username, expected_type=type_hints["username"])
                 check_type(argname="argument cloud_watch_logging_options", value=cloud_watch_logging_options, expected_type=type_hints["cloud_watch_logging_options"])
+                check_type(argname="argument password", value=password, expected_type=type_hints["password"])
                 check_type(argname="argument processing_configuration", value=processing_configuration, expected_type=type_hints["processing_configuration"])
                 check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
                 check_type(argname="argument s3_backup_configuration", value=s3_backup_configuration, expected_type=type_hints["s3_backup_configuration"])
                 check_type(argname="argument s3_backup_mode", value=s3_backup_mode, expected_type=type_hints["s3_backup_mode"])
+                check_type(argname="argument secrets_manager_configuration", value=secrets_manager_configuration, expected_type=type_hints["secrets_manager_configuration"])
+                check_type(argname="argument username", value=username, expected_type=type_hints["username"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
                 "cluster_jdbcurl": cluster_jdbcurl,
                 "copy_command": copy_command,
-                "password": password,
                 "role_arn": role_arn,
                 "s3_configuration": s3_configuration,
-                "username": username,
             }
             if cloud_watch_logging_options is not None:
                 self._values["cloud_watch_logging_options"] = cloud_watch_logging_options
+            if password is not None:
+                self._values["password"] = password
             if processing_configuration is not None:
                 self._values["processing_configuration"] = processing_configuration
             if retry_options is not None:
@@ -4976,6 +5011,10 @@ class CfnDeliveryStream(
                 self._values["s3_backup_configuration"] = s3_backup_configuration
             if s3_backup_mode is not None:
                 self._values["s3_backup_mode"] = s3_backup_mode
+            if secrets_manager_configuration is not None:
+                self._values["secrets_manager_configuration"] = secrets_manager_configuration
+            if username is not None:
+                self._values["username"] = username
 
         @builtins.property
         def cluster_jdbcurl(self) -> builtins.str:
@@ -4999,16 +5038,6 @@ class CfnDeliveryStream(
             assert result is not None, "Required property 'copy_command' is missing"
             return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.CopyCommandProperty"], result)
 
-        @builtins.property
-        def password(self) -> builtins.str:
-            '''The password for the Amazon Redshift user that you specified in the ``Username`` property.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-redshiftdestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-redshiftdestinationconfiguration-password
-            '''
-            result = self._values.get("password")
-            assert result is not None, "Required property 'password' is missing"
-            return typing.cast(builtins.str, result)
-
         @builtins.property
         def role_arn(self) -> builtins.str:
             '''The ARN of the AWS Identity and Access Management (IAM) role that grants Kinesis Data Firehose access to your Amazon S3 bucket and AWS KMS (if you enable data encryption).
@@ -5035,18 +5064,6 @@ class CfnDeliveryStream(
             assert result is not None, "Required property 's3_configuration' is missing"
             return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.S3DestinationConfigurationProperty"], result)
 
-        @builtins.property
-        def username(self) -> builtins.str:
-            '''The Amazon Redshift user that has permission to access the Amazon Redshift cluster.
-
-            This user must have ``INSERT`` privileges for copying data from the Amazon S3 bucket to the cluster.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-redshiftdestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-redshiftdestinationconfiguration-username
-            '''
-            result = self._values.get("username")
-            assert result is not None, "Required property 'username' is missing"
-            return typing.cast(builtins.str, result)
-
         @builtins.property
         def cloud_watch_logging_options(
             self,
@@ -5058,6 +5075,15 @@ class CfnDeliveryStream(
             result = self._values.get("cloud_watch_logging_options")
             return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.CloudWatchLoggingOptionsProperty"]], result)
 
+        @builtins.property
+        def password(self) -> typing.Optional[builtins.str]:
+            '''The password for the Amazon Redshift user that you specified in the ``Username`` property.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-redshiftdestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-redshiftdestinationconfiguration-password
+            '''
+            result = self._values.get("password")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         @builtins.property
         def processing_configuration(
             self,
@@ -5104,6 +5130,28 @@ class CfnDeliveryStream(
             result = self._values.get("s3_backup_mode")
             return typing.cast(typing.Optional[builtins.str], result)
 
+        @builtins.property
+        def secrets_manager_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.SecretsManagerConfigurationProperty"]]:
+            '''The configuration that defines how you access secrets for Amazon Redshift.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-redshiftdestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-redshiftdestinationconfiguration-secretsmanagerconfiguration
+            '''
+            result = self._values.get("secrets_manager_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.SecretsManagerConfigurationProperty"]], result)
+
+        @builtins.property
+        def username(self) -> typing.Optional[builtins.str]:
+            '''The Amazon Redshift user that has permission to access the Amazon Redshift cluster.
+
+            This user must have ``INSERT`` privileges for copying data from the Amazon S3 bucket to the cluster.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-redshiftdestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-redshiftdestinationconfiguration-username
+            '''
+            result = self._values.get("username")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -5587,6 +5635,104 @@ class CfnDeliveryStream(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.SecretsManagerConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "enabled": "enabled",
+            "role_arn": "roleArn",
+            "secret_arn": "secretArn",
+        },
+    )
+    class SecretsManagerConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            enabled: typing.Union[builtins.bool, _IResolvable_da3f097b],
+            role_arn: typing.Optional[builtins.str] = None,
+            secret_arn: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''The structure that defines how Firehose accesses the secret.
+
+            :param enabled: Specifies whether you want to use the the secrets manager feature. When set as ``True`` the secrets manager configuration overwrites the existing secrets in the destination configuration. When it's set to ``False`` Firehose falls back to the credentials in the destination configuration.
+            :param role_arn: Specifies the role that Firehose assumes when calling the Secrets Manager API operation. When you provide the role, it overrides any destination specific role defined in the destination configuration. If you do not provide the then we use the destination specific role. This parameter is required for Splunk.
+            :param secret_arn: The ARN of the secret that stores your credentials. It must be in the same region as the Firehose stream and the role. The secret ARN can reside in a different account than the delivery stream and role as Firehose supports cross-account secret access. This parameter is required when *Enabled* is set to ``True`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-secretsmanagerconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_kinesisfirehose as kinesisfirehose
+                
+                secrets_manager_configuration_property = kinesisfirehose.CfnDeliveryStream.SecretsManagerConfigurationProperty(
+                    enabled=False,
+                
+                    # the properties below are optional
+                    role_arn="roleArn",
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__b935af4b7f540cbb6b063a9c37a906eaf8c3ed8781b19ea32e1836ca909b3dac)
+                check_type(argname="argument enabled", value=enabled, expected_type=type_hints["enabled"])
+                check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "enabled": enabled,
+            }
+            if role_arn is not None:
+                self._values["role_arn"] = role_arn
+            if secret_arn is not None:
+                self._values["secret_arn"] = secret_arn
+
+        @builtins.property
+        def enabled(self) -> typing.Union[builtins.bool, _IResolvable_da3f097b]:
+            '''Specifies whether you want to use the the secrets manager feature.
+
+            When set as ``True`` the secrets manager configuration overwrites the existing secrets in the destination configuration. When it's set to ``False`` Firehose falls back to the credentials in the destination configuration.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-secretsmanagerconfiguration.html#cfn-kinesisfirehose-deliverystream-secretsmanagerconfiguration-enabled
+            '''
+            result = self._values.get("enabled")
+            assert result is not None, "Required property 'enabled' is missing"
+            return typing.cast(typing.Union[builtins.bool, _IResolvable_da3f097b], result)
+
+        @builtins.property
+        def role_arn(self) -> typing.Optional[builtins.str]:
+            '''Specifies the role that Firehose assumes when calling the Secrets Manager API operation.
+
+            When you provide the role, it overrides any destination specific role defined in the destination configuration. If you do not provide the then we use the destination specific role. This parameter is required for Splunk.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-secretsmanagerconfiguration.html#cfn-kinesisfirehose-deliverystream-secretsmanagerconfiguration-rolearn
+            '''
+            result = self._values.get("role_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def secret_arn(self) -> typing.Optional[builtins.str]:
+            '''The ARN of the secret that stores your credentials.
+
+            It must be in the same region as the Firehose stream and the role. The secret ARN can reside in a different account than the delivery stream and role as Firehose supports cross-account secret access. This parameter is required when *Enabled* is set to ``True`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-secretsmanagerconfiguration.html#cfn-kinesisfirehose-deliverystream-secretsmanagerconfiguration-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "SecretsManagerConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.SerializerProperty",
         jsii_struct_bases=[],
@@ -5691,22 +5837,23 @@ class CfnDeliveryStream(
         name_mapping={
             "account_url": "accountUrl",
             "database": "database",
-            "private_key": "privateKey",
             "role_arn": "roleArn",
             "s3_configuration": "s3Configuration",
             "schema": "schema",
             "table": "table",
-            "user": "user",
             "cloud_watch_logging_options": "cloudWatchLoggingOptions",
             "content_column_name": "contentColumnName",
             "data_loading_option": "dataLoadingOption",
             "key_passphrase": "keyPassphrase",
             "meta_data_column_name": "metaDataColumnName",
+            "private_key": "privateKey",
             "processing_configuration": "processingConfiguration",
             "retry_options": "retryOptions",
             "s3_backup_mode": "s3BackupMode",
+            "secrets_manager_configuration": "secretsManagerConfiguration",
             "snowflake_role_configuration": "snowflakeRoleConfiguration",
             "snowflake_vpc_configuration": "snowflakeVpcConfiguration",
+            "user": "user",
         },
     )
     class SnowflakeDestinationConfigurationProperty:
@@ -5715,43 +5862,45 @@ class CfnDeliveryStream(
             *,
             account_url: builtins.str,
             database: builtins.str,
-            private_key: builtins.str,
             role_arn: builtins.str,
             s3_configuration: typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.S3DestinationConfigurationProperty", typing.Dict[builtins.str, typing.Any]]],
             schema: builtins.str,
             table: builtins.str,
-            user: builtins.str,
             cloud_watch_logging_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.CloudWatchLoggingOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             content_column_name: typing.Optional[builtins.str] = None,
             data_loading_option: typing.Optional[builtins.str] = None,
             key_passphrase: typing.Optional[builtins.str] = None,
             meta_data_column_name: typing.Optional[builtins.str] = None,
+            private_key: typing.Optional[builtins.str] = None,
             processing_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.ProcessingConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             retry_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.SnowflakeRetryOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             s3_backup_mode: typing.Optional[builtins.str] = None,
+            secrets_manager_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.SecretsManagerConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             snowflake_role_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.SnowflakeRoleConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             snowflake_vpc_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.SnowflakeVpcConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            user: typing.Optional[builtins.str] = None,
         ) -> None:
             '''Configure Snowflake destination.
 
             :param account_url: URL for accessing your Snowflake account. This URL must include your `account identifier <https://docs.aws.amazon.com/https://docs.snowflake.com/en/user-guide/admin-account-identifier>`_ . Note that the protocol (https://) and port number are optional.
             :param database: All data in Snowflake is maintained in databases.
-            :param private_key: The private key used to encrypt your Snowflake client. For information, see `Using Key Pair Authentication & Key Rotation <https://docs.aws.amazon.com/https://docs.snowflake.com/en/user-guide/data-load-snowpipe-streaming-configuration#using-key-pair-authentication-key-rotation>`_ .
             :param role_arn: The Amazon Resource Name (ARN) of the Snowflake role.
             :param s3_configuration: 
             :param schema: Each database consists of one or more schemas, which are logical groupings of database objects, such as tables and views.
             :param table: All data in Snowflake is stored in database tables, logically structured as collections of columns and rows.
-            :param user: User login name for the Snowflake account.
             :param cloud_watch_logging_options: 
             :param content_column_name: The name of the record content column.
             :param data_loading_option: Choose to load JSON keys mapped to table column names or choose to split the JSON payload where content is mapped to a record content column and source metadata is mapped to a record metadata column.
             :param key_passphrase: Passphrase to decrypt the private key when the key is encrypted. For information, see `Using Key Pair Authentication & Key Rotation <https://docs.aws.amazon.com/https://docs.snowflake.com/en/user-guide/data-load-snowpipe-streaming-configuration#using-key-pair-authentication-key-rotation>`_ .
             :param meta_data_column_name: The name of the record metadata column.
+            :param private_key: The private key used to encrypt your Snowflake client. For information, see `Using Key Pair Authentication & Key Rotation <https://docs.aws.amazon.com/https://docs.snowflake.com/en/user-guide/data-load-snowpipe-streaming-configuration#using-key-pair-authentication-key-rotation>`_ .
             :param processing_configuration: 
             :param retry_options: The time period where Firehose will retry sending data to the chosen HTTP endpoint.
             :param s3_backup_mode: Choose an S3 backup mode.
+            :param secrets_manager_configuration: The configuration that defines how you access secrets for Snowflake.
             :param snowflake_role_configuration: Optionally configure a Snowflake role. Otherwise the default user role will be used.
             :param snowflake_vpc_configuration: The VPCE ID for Firehose to privately connect with Snowflake. The ID format is com.amazonaws.vpce.[region].vpce-svc-<[id]>. For more information, see `Amazon PrivateLink & Snowflake <https://docs.aws.amazon.com/https://docs.snowflake.com/en/user-guide/admin-security-privatelink>`_
+            :param user: User login name for the Snowflake account.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-snowflakedestinationconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -5765,7 +5914,6 @@ class CfnDeliveryStream(
                 snowflake_destination_configuration_property = kinesisfirehose.CfnDeliveryStream.SnowflakeDestinationConfigurationProperty(
                     account_url="accountUrl",
                     database="database",
-                    private_key="privateKey",
                     role_arn="roleArn",
                     s3_configuration=kinesisfirehose.CfnDeliveryStream.S3DestinationConfigurationProperty(
                         bucket_arn="bucketArn",
@@ -5793,7 +5941,6 @@ class CfnDeliveryStream(
                     ),
                     schema="schema",
                     table="table",
-                    user="user",
                 
                     # the properties below are optional
                     cloud_watch_logging_options=kinesisfirehose.CfnDeliveryStream.CloudWatchLoggingOptionsProperty(
@@ -5805,6 +5952,7 @@ class CfnDeliveryStream(
                     data_loading_option="dataLoadingOption",
                     key_passphrase="keyPassphrase",
                     meta_data_column_name="metaDataColumnName",
+                    private_key="privateKey",
                     processing_configuration=kinesisfirehose.CfnDeliveryStream.ProcessingConfigurationProperty(
                         enabled=False,
                         processors=[kinesisfirehose.CfnDeliveryStream.ProcessorProperty(
@@ -5821,44 +5969,51 @@ class CfnDeliveryStream(
                         duration_in_seconds=123
                     ),
                     s3_backup_mode="s3BackupMode",
+                    secrets_manager_configuration=kinesisfirehose.CfnDeliveryStream.SecretsManagerConfigurationProperty(
+                        enabled=False,
+                
+                        # the properties below are optional
+                        role_arn="roleArn",
+                        secret_arn="secretArn"
+                    ),
                     snowflake_role_configuration=kinesisfirehose.CfnDeliveryStream.SnowflakeRoleConfigurationProperty(
                         enabled=False,
                         snowflake_role="snowflakeRole"
                     ),
                     snowflake_vpc_configuration=kinesisfirehose.CfnDeliveryStream.SnowflakeVpcConfigurationProperty(
                         private_link_vpce_id="privateLinkVpceId"
-                    )
+                    ),
+                    user="user"
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__9743b3910a7f4b6edd05f7d4a76aa45c5a9f674a473fcf4c8c046e1d8d64cb53)
                 check_type(argname="argument account_url", value=account_url, expected_type=type_hints["account_url"])
                 check_type(argname="argument database", value=database, expected_type=type_hints["database"])
-                check_type(argname="argument private_key", value=private_key, expected_type=type_hints["private_key"])
                 check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
                 check_type(argname="argument s3_configuration", value=s3_configuration, expected_type=type_hints["s3_configuration"])
                 check_type(argname="argument schema", value=schema, expected_type=type_hints["schema"])
                 check_type(argname="argument table", value=table, expected_type=type_hints["table"])
-                check_type(argname="argument user", value=user, expected_type=type_hints["user"])
                 check_type(argname="argument cloud_watch_logging_options", value=cloud_watch_logging_options, expected_type=type_hints["cloud_watch_logging_options"])
                 check_type(argname="argument content_column_name", value=content_column_name, expected_type=type_hints["content_column_name"])
                 check_type(argname="argument data_loading_option", value=data_loading_option, expected_type=type_hints["data_loading_option"])
                 check_type(argname="argument key_passphrase", value=key_passphrase, expected_type=type_hints["key_passphrase"])
                 check_type(argname="argument meta_data_column_name", value=meta_data_column_name, expected_type=type_hints["meta_data_column_name"])
+                check_type(argname="argument private_key", value=private_key, expected_type=type_hints["private_key"])
                 check_type(argname="argument processing_configuration", value=processing_configuration, expected_type=type_hints["processing_configuration"])
                 check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
                 check_type(argname="argument s3_backup_mode", value=s3_backup_mode, expected_type=type_hints["s3_backup_mode"])
+                check_type(argname="argument secrets_manager_configuration", value=secrets_manager_configuration, expected_type=type_hints["secrets_manager_configuration"])
                 check_type(argname="argument snowflake_role_configuration", value=snowflake_role_configuration, expected_type=type_hints["snowflake_role_configuration"])
                 check_type(argname="argument snowflake_vpc_configuration", value=snowflake_vpc_configuration, expected_type=type_hints["snowflake_vpc_configuration"])
+                check_type(argname="argument user", value=user, expected_type=type_hints["user"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
                 "account_url": account_url,
                 "database": database,
-                "private_key": private_key,
                 "role_arn": role_arn,
                 "s3_configuration": s3_configuration,
                 "schema": schema,
                 "table": table,
-                "user": user,
             }
             if cloud_watch_logging_options is not None:
                 self._values["cloud_watch_logging_options"] = cloud_watch_logging_options
@@ -5870,16 +6025,22 @@ class CfnDeliveryStream(
                 self._values["key_passphrase"] = key_passphrase
             if meta_data_column_name is not None:
                 self._values["meta_data_column_name"] = meta_data_column_name
+            if private_key is not None:
+                self._values["private_key"] = private_key
             if processing_configuration is not None:
                 self._values["processing_configuration"] = processing_configuration
             if retry_options is not None:
                 self._values["retry_options"] = retry_options
             if s3_backup_mode is not None:
                 self._values["s3_backup_mode"] = s3_backup_mode
+            if secrets_manager_configuration is not None:
+                self._values["secrets_manager_configuration"] = secrets_manager_configuration
             if snowflake_role_configuration is not None:
                 self._values["snowflake_role_configuration"] = snowflake_role_configuration
             if snowflake_vpc_configuration is not None:
                 self._values["snowflake_vpc_configuration"] = snowflake_vpc_configuration
+            if user is not None:
+                self._values["user"] = user
 
         @builtins.property
         def account_url(self) -> builtins.str:
@@ -5903,18 +6064,6 @@ class CfnDeliveryStream(
             assert result is not None, "Required property 'database' is missing"
             return typing.cast(builtins.str, result)
 
-        @builtins.property
-        def private_key(self) -> builtins.str:
-            '''The private key used to encrypt your Snowflake client.
-
-            For information, see `Using Key Pair Authentication & Key Rotation <https://docs.aws.amazon.com/https://docs.snowflake.com/en/user-guide/data-load-snowpipe-streaming-configuration#using-key-pair-authentication-key-rotation>`_ .
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-snowflakedestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-snowflakedestinationconfiguration-privatekey
-            '''
-            result = self._values.get("private_key")
-            assert result is not None, "Required property 'private_key' is missing"
-            return typing.cast(builtins.str, result)
-
         @builtins.property
         def role_arn(self) -> builtins.str:
             '''The Amazon Resource Name (ARN) of the Snowflake role.
@@ -5956,16 +6105,6 @@ class CfnDeliveryStream(
             assert result is not None, "Required property 'table' is missing"
             return typing.cast(builtins.str, result)
 
-        @builtins.property
-        def user(self) -> builtins.str:
-            '''User login name for the Snowflake account.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-snowflakedestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-snowflakedestinationconfiguration-user
-            '''
-            result = self._values.get("user")
-            assert result is not None, "Required property 'user' is missing"
-            return typing.cast(builtins.str, result)
-
         @builtins.property
         def cloud_watch_logging_options(
             self,
@@ -6014,6 +6153,17 @@ class CfnDeliveryStream(
             result = self._values.get("meta_data_column_name")
             return typing.cast(typing.Optional[builtins.str], result)
 
+        @builtins.property
+        def private_key(self) -> typing.Optional[builtins.str]:
+            '''The private key used to encrypt your Snowflake client.
+
+            For information, see `Using Key Pair Authentication & Key Rotation <https://docs.aws.amazon.com/https://docs.snowflake.com/en/user-guide/data-load-snowpipe-streaming-configuration#using-key-pair-authentication-key-rotation>`_ .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-snowflakedestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-snowflakedestinationconfiguration-privatekey
+            '''
+            result = self._values.get("private_key")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         @builtins.property
         def processing_configuration(
             self,
@@ -6044,6 +6194,17 @@ class CfnDeliveryStream(
             result = self._values.get("s3_backup_mode")
             return typing.cast(typing.Optional[builtins.str], result)
 
+        @builtins.property
+        def secrets_manager_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.SecretsManagerConfigurationProperty"]]:
+            '''The configuration that defines how you access secrets for Snowflake.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-snowflakedestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-snowflakedestinationconfiguration-secretsmanagerconfiguration
+            '''
+            result = self._values.get("secrets_manager_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.SecretsManagerConfigurationProperty"]], result)
+
         @builtins.property
         def snowflake_role_configuration(
             self,
@@ -6070,6 +6231,15 @@ class CfnDeliveryStream(
             result = self._values.get("snowflake_vpc_configuration")
             return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.SnowflakeVpcConfigurationProperty"]], result)
 
+        @builtins.property
+        def user(self) -> typing.Optional[builtins.str]:
+            '''User login name for the Snowflake account.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-snowflakedestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-snowflakedestinationconfiguration-user
+            '''
+            result = self._values.get("user")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -6351,14 +6521,15 @@ class CfnDeliveryStream(
         name_mapping={
             "hec_endpoint": "hecEndpoint",
             "hec_endpoint_type": "hecEndpointType",
-            "hec_token": "hecToken",
             "s3_configuration": "s3Configuration",
             "buffering_hints": "bufferingHints",
             "cloud_watch_logging_options": "cloudWatchLoggingOptions",
             "hec_acknowledgment_timeout_in_seconds": "hecAcknowledgmentTimeoutInSeconds",
+            "hec_token": "hecToken",
             "processing_configuration": "processingConfiguration",
             "retry_options": "retryOptions",
             "s3_backup_mode": "s3BackupMode",
+            "secrets_manager_configuration": "secretsManagerConfiguration",
         },
     )
     class SplunkDestinationConfigurationProperty:
@@ -6367,27 +6538,29 @@ class CfnDeliveryStream(
             *,
             hec_endpoint: builtins.str,
             hec_endpoint_type: builtins.str,
-            hec_token: builtins.str,
             s3_configuration: typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.S3DestinationConfigurationProperty", typing.Dict[builtins.str, typing.Any]]],
             buffering_hints: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.SplunkBufferingHintsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             cloud_watch_logging_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.CloudWatchLoggingOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             hec_acknowledgment_timeout_in_seconds: typing.Optional[jsii.Number] = None,
+            hec_token: typing.Optional[builtins.str] = None,
             processing_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.ProcessingConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             retry_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.SplunkRetryOptionsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             s3_backup_mode: typing.Optional[builtins.str] = None,
+            secrets_manager_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnDeliveryStream.SecretsManagerConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
             '''The ``SplunkDestinationConfiguration`` property type specifies the configuration of a destination in Splunk for a Kinesis Data Firehose delivery stream.
 
             :param hec_endpoint: The HTTP Event Collector (HEC) endpoint to which Firehose sends your data.
             :param hec_endpoint_type: This type can be either ``Raw`` or ``Event`` .
-            :param hec_token: This is a GUID that you obtain from your Splunk cluster when you create a new HEC endpoint.
             :param s3_configuration: The configuration for the backup Amazon S3 location.
             :param buffering_hints: The buffering options. If no value is specified, the default values for Splunk are used.
             :param cloud_watch_logging_options: The Amazon CloudWatch logging options for your delivery stream.
             :param hec_acknowledgment_timeout_in_seconds: The amount of time that Firehose waits to receive an acknowledgment from Splunk after it sends it data. At the end of the timeout period, Firehose either tries to send the data again or considers it an error, based on your retry settings.
+            :param hec_token: This is a GUID that you obtain from your Splunk cluster when you create a new HEC endpoint.
             :param processing_configuration: The data processing configuration.
             :param retry_options: The retry behavior in case Firehose is unable to deliver data to Splunk, or if it doesn't receive an acknowledgment of receipt from Splunk.
             :param s3_backup_mode: Defines how documents should be delivered to Amazon S3. When set to ``FailedEventsOnly`` , Firehose writes any data that could not be indexed to the configured Amazon S3 destination. When set to ``AllEvents`` , Firehose delivers all incoming records to Amazon S3, and also writes failed documents to Amazon S3. The default value is ``FailedEventsOnly`` . You can update this backup mode from ``FailedEventsOnly`` to ``AllEvents`` . You can't update it from ``AllEvents`` to ``FailedEventsOnly`` .
+            :param secrets_manager_configuration: The configuration that defines how you access secrets for Splunk.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-splunkdestinationconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -6401,7 +6574,6 @@ class CfnDeliveryStream(
                 splunk_destination_configuration_property = kinesisfirehose.CfnDeliveryStream.SplunkDestinationConfigurationProperty(
                     hec_endpoint="hecEndpoint",
                     hec_endpoint_type="hecEndpointType",
-                    hec_token="hecToken",
                     s3_configuration=kinesisfirehose.CfnDeliveryStream.S3DestinationConfigurationProperty(
                         bucket_arn="bucketArn",
                         role_arn="roleArn",
@@ -6438,6 +6610,7 @@ class CfnDeliveryStream(
                         log_stream_name="logStreamName"
                     ),
                     hec_acknowledgment_timeout_in_seconds=123,
+                    hec_token="hecToken",
                     processing_configuration=kinesisfirehose.CfnDeliveryStream.ProcessingConfigurationProperty(
                         enabled=False,
                         processors=[kinesisfirehose.CfnDeliveryStream.ProcessorProperty(
@@ -6453,25 +6626,32 @@ class CfnDeliveryStream(
                     retry_options=kinesisfirehose.CfnDeliveryStream.SplunkRetryOptionsProperty(
                         duration_in_seconds=123
                     ),
-                    s3_backup_mode="s3BackupMode"
+                    s3_backup_mode="s3BackupMode",
+                    secrets_manager_configuration=kinesisfirehose.CfnDeliveryStream.SecretsManagerConfigurationProperty(
+                        enabled=False,
+                
+                        # the properties below are optional
+                        role_arn="roleArn",
+                        secret_arn="secretArn"
+                    )
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__be9923ea7818bcdc567ae6e06b529c44c6a3c42b59af06768977f4c55fdd20a6)
                 check_type(argname="argument hec_endpoint", value=hec_endpoint, expected_type=type_hints["hec_endpoint"])
                 check_type(argname="argument hec_endpoint_type", value=hec_endpoint_type, expected_type=type_hints["hec_endpoint_type"])
-                check_type(argname="argument hec_token", value=hec_token, expected_type=type_hints["hec_token"])
                 check_type(argname="argument s3_configuration", value=s3_configuration, expected_type=type_hints["s3_configuration"])
                 check_type(argname="argument buffering_hints", value=buffering_hints, expected_type=type_hints["buffering_hints"])
                 check_type(argname="argument cloud_watch_logging_options", value=cloud_watch_logging_options, expected_type=type_hints["cloud_watch_logging_options"])
                 check_type(argname="argument hec_acknowledgment_timeout_in_seconds", value=hec_acknowledgment_timeout_in_seconds, expected_type=type_hints["hec_acknowledgment_timeout_in_seconds"])
+                check_type(argname="argument hec_token", value=hec_token, expected_type=type_hints["hec_token"])
                 check_type(argname="argument processing_configuration", value=processing_configuration, expected_type=type_hints["processing_configuration"])
                 check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
                 check_type(argname="argument s3_backup_mode", value=s3_backup_mode, expected_type=type_hints["s3_backup_mode"])
+                check_type(argname="argument secrets_manager_configuration", value=secrets_manager_configuration, expected_type=type_hints["secrets_manager_configuration"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
                 "hec_endpoint": hec_endpoint,
                 "hec_endpoint_type": hec_endpoint_type,
-                "hec_token": hec_token,
                 "s3_configuration": s3_configuration,
             }
             if buffering_hints is not None:
@@ -6480,12 +6660,16 @@ class CfnDeliveryStream(
                 self._values["cloud_watch_logging_options"] = cloud_watch_logging_options
             if hec_acknowledgment_timeout_in_seconds is not None:
                 self._values["hec_acknowledgment_timeout_in_seconds"] = hec_acknowledgment_timeout_in_seconds
+            if hec_token is not None:
+                self._values["hec_token"] = hec_token
             if processing_configuration is not None:
                 self._values["processing_configuration"] = processing_configuration
             if retry_options is not None:
                 self._values["retry_options"] = retry_options
             if s3_backup_mode is not None:
                 self._values["s3_backup_mode"] = s3_backup_mode
+            if secrets_manager_configuration is not None:
+                self._values["secrets_manager_configuration"] = secrets_manager_configuration
 
         @builtins.property
         def hec_endpoint(self) -> builtins.str:
@@ -6507,16 +6691,6 @@ class CfnDeliveryStream(
             assert result is not None, "Required property 'hec_endpoint_type' is missing"
             return typing.cast(builtins.str, result)
 
-        @builtins.property
-        def hec_token(self) -> builtins.str:
-            '''This is a GUID that you obtain from your Splunk cluster when you create a new HEC endpoint.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-splunkdestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-splunkdestinationconfiguration-hectoken
-            '''
-            result = self._values.get("hec_token")
-            assert result is not None, "Required property 'hec_token' is missing"
-            return typing.cast(builtins.str, result)
-
         @builtins.property
         def s3_configuration(
             self,
@@ -6564,6 +6738,15 @@ class CfnDeliveryStream(
             result = self._values.get("hec_acknowledgment_timeout_in_seconds")
             return typing.cast(typing.Optional[jsii.Number], result)
 
+        @builtins.property
+        def hec_token(self) -> typing.Optional[builtins.str]:
+            '''This is a GUID that you obtain from your Splunk cluster when you create a new HEC endpoint.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-splunkdestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-splunkdestinationconfiguration-hectoken
+            '''
+            result = self._values.get("hec_token")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         @builtins.property
         def processing_configuration(
             self,
@@ -6599,6 +6782,17 @@ class CfnDeliveryStream(
             result = self._values.get("s3_backup_mode")
             return typing.cast(typing.Optional[builtins.str], result)
 
+        @builtins.property
+        def secrets_manager_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.SecretsManagerConfigurationProperty"]]:
+            '''The configuration that defines how you access secrets for Splunk.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-splunkdestinationconfiguration.html#cfn-kinesisfirehose-deliverystream-splunkdestinationconfiguration-secretsmanagerconfiguration
+            '''
+            result = self._values.get("secrets_manager_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDeliveryStream.SecretsManagerConfigurationProperty"]], result)
+
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -7488,6 +7682,7 @@ def _typecheckingstub__6e8b3a25c8aa6cb1c905473fb8dd18a708e794918ae12a9a622993603
     retry_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.RetryOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     role_arn: typing.Optional[builtins.str] = None,
     s3_backup_mode: typing.Optional[builtins.str] = None,
+    secrets_manager_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.SecretsManagerConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -7603,15 +7798,16 @@ def _typecheckingstub__a05dc5298788a3b9496bc2e383242a0570183c6703c04af2c5e991292
     *,
     cluster_jdbcurl: builtins.str,
     copy_command: typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.CopyCommandProperty, typing.Dict[builtins.str, typing.Any]]],
-    password: builtins.str,
     role_arn: builtins.str,
     s3_configuration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.S3DestinationConfigurationProperty, typing.Dict[builtins.str, typing.Any]]],
-    username: builtins.str,
     cloud_watch_logging_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.CloudWatchLoggingOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    password: typing.Optional[builtins.str] = None,
     processing_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.ProcessingConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     retry_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.RedshiftRetryOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     s3_backup_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.S3DestinationConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     s3_backup_mode: typing.Optional[builtins.str] = None,
+    secrets_manager_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.SecretsManagerConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    username: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -7656,6 +7852,15 @@ def _typecheckingstub__c1389c57283b687c62069951b51187332947eeb24f5fcb8781af71c2b
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__b935af4b7f540cbb6b063a9c37a906eaf8c3ed8781b19ea32e1836ca909b3dac(
+    *,
+    enabled: typing.Union[builtins.bool, _IResolvable_da3f097b],
+    role_arn: typing.Optional[builtins.str] = None,
+    secret_arn: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__706925197a1b663cd9be8234e85ce2780b58d7bf71737c801e0c393104407464(
     *,
     orc_ser_de: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.OrcSerDeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -7668,22 +7873,23 @@ def _typecheckingstub__9743b3910a7f4b6edd05f7d4a76aa45c5a9f674a473fcf4c8c046e1d8
     *,
     account_url: builtins.str,
     database: builtins.str,
-    private_key: builtins.str,
     role_arn: builtins.str,
     s3_configuration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.S3DestinationConfigurationProperty, typing.Dict[builtins.str, typing.Any]]],
     schema: builtins.str,
     table: builtins.str,
-    user: builtins.str,
     cloud_watch_logging_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.CloudWatchLoggingOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     content_column_name: typing.Optional[builtins.str] = None,
     data_loading_option: typing.Optional[builtins.str] = None,
     key_passphrase: typing.Optional[builtins.str] = None,
     meta_data_column_name: typing.Optional[builtins.str] = None,
+    private_key: typing.Optional[builtins.str] = None,
     processing_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.ProcessingConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     retry_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.SnowflakeRetryOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     s3_backup_mode: typing.Optional[builtins.str] = None,
+    secrets_manager_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.SecretsManagerConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     snowflake_role_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.SnowflakeRoleConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     snowflake_vpc_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.SnowflakeVpcConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    user: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -7722,14 +7928,15 @@ def _typecheckingstub__be9923ea7818bcdc567ae6e06b529c44c6a3c42b59af06768977f4c55
     *,
     hec_endpoint: builtins.str,
     hec_endpoint_type: builtins.str,
-    hec_token: builtins.str,
     s3_configuration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.S3DestinationConfigurationProperty, typing.Dict[builtins.str, typing.Any]]],
     buffering_hints: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.SplunkBufferingHintsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     cloud_watch_logging_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.CloudWatchLoggingOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     hec_acknowledgment_timeout_in_seconds: typing.Optional[jsii.Number] = None,
+    hec_token: typing.Optional[builtins.str] = None,
     processing_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.ProcessingConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     retry_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.SplunkRetryOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     s3_backup_mode: typing.Optional[builtins.str] = None,
+    secrets_manager_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnDeliveryStream.SecretsManagerConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass