aws-cdk-lib 2.154.1__py3-none-any.whl → 2.156.0__py3-none-any.whl

aws_cdk/aws_elasticloadbalancingv2/__init__.py

@@ -1021,7 +1021,7 @@ class AddNetworkTargetsProps:
     ) -> None:
         '''Properties for adding new network targets to a listener.
 
-        :param port: The port on which the listener listens for requests. Default: Determined from protocol if known
+        :param port: The port on which the target receives traffic. Default: Determined from protocol if known
         :param deregistration_delay: The amount of time for Elastic Load Balancing to wait before deregistering a target. The range is 0-3600 seconds. Default: Duration.minutes(5)
         :param health_check: Health check configuration. Default: - The default value for each property in this configuration varies depending on the target.
         :param preserve_client_ip: Indicates whether client IP preservation is enabled. Default: false if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, true.
@@ -1092,7 +1092,7 @@ class AddNetworkTargetsProps:
 
     @builtins.property
     def port(self) -> jsii.Number:
-        '''The port on which the listener listens for requests.
+        '''The port on which the target receives traffic.
 
         :default: Determined from protocol if known
         '''
@@ -14942,53 +14942,29 @@ class IpAddressType(enum.Enum):
 
     Example::
 
-        # vpc: ec2.Vpc
-        
-        
-        lb = elbv2.ApplicationLoadBalancer(self, "LB",
-            vpc=vpc,
-            internet_facing=True,
+        import aws_cdk.aws_elasticloadbalancingv2 as elbv2
         
-            # Whether HTTP/2 is enabled
-            http2_enabled=False,
-        
-            # The idle timeout value, in seconds
-            idle_timeout=Duration.seconds(1000),
         
-            # Whether HTTP headers with header fields thatare not valid
-            # are removed by the load balancer (true), or routed to targets
-            drop_invalid_header_fields=True,
-        
-            # How the load balancer handles requests that might
-            # pose a security risk to your application
-            desync_mitigation_mode=elbv2.DesyncMitigationMode.DEFENSIVE,
-        
-            # The type of IP addresses to use.
-            ip_address_type=elbv2.IpAddressType.IPV4,
-        
-            # The duration of client keep-alive connections
-            client_keep_alive=Duration.seconds(500),
-        
-            # Whether cross-zone load balancing is enabled.
-            cross_zone_enabled=True,
-        
-            # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
-            deny_all_igw_traffic=False,
-        
-            # Whether to preserve host header in the request to the target
-            preserve_host_header=True,
-        
-            # Whether to add the TLS information header to the request
-            x_amzn_tls_version_and_cipher_suite_headers=True,
-        
-            # Whether the X-Forwarded-For header should preserve the source port
-            preserve_xff_client_port=True,
+        # The VPC and subnet must have associated IPv6 CIDR blocks.
+        vpc = ec2.Vpc(self, "Vpc",
+            ip_protocol=ec2.IpProtocol.DUAL_STACK
+        )
+        cluster = ecs.Cluster(self, "EcsCluster", vpc=vpc)
         
-            # The processing mode for X-Forwarded-For headers
-            xff_header_processing_mode=elbv2.XffHeaderProcessingMode.APPEND,
+        service = ecs_patterns.ApplicationLoadBalancedFargateService(self, "myService",
+            cluster=cluster,
+            task_image_options=ecsPatterns.ApplicationLoadBalancedTaskImageOptions(
+                image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample")
+            ),
+            ip_address_type=elbv2.IpAddressType.DUAL_STACK
+        )
         
-            # Whether to allow a load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
-            waf_fail_open=True
+        application_load_balanced_ec2_service = ecs_patterns.ApplicationLoadBalancedEc2Service(self, "myService",
+            cluster=cluster,
+            task_image_options=ecsPatterns.ApplicationLoadBalancedTaskImageOptions(
+                image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample")
+            ),
+            ip_address_type=elbv2.IpAddressType.DUAL_STACK
         )
     '''
 
@@ -21794,7 +21770,7 @@ class NetworkListener(
         one set of targets must be added without conditions.
 
         :param id: -
-        :param port: The port on which the listener listens for requests. Default: Determined from protocol if known
+        :param port: The port on which the target receives traffic. Default: Determined from protocol if known
         :param deregistration_delay: The amount of time for Elastic Load Balancing to wait before deregistering a target. The range is 0-3600 seconds. Default: Duration.minutes(5)
         :param health_check: Health check configuration. Default: - The default value for each property in this configuration varies depending on the target.
         :param preserve_client_ip: Indicates whether client IP preservation is enabled. Default: false if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, true.

aws_cdk/aws_events/__init__.py

@@ -10276,6 +10276,7 @@ class RuleProps(EventCommonOptions):
         "http_parameters": "httpParameters",
         "input": "input",
         "kinesis_parameters": "kinesisParameters",
+        "redshift_data_parameters": "redshiftDataParameters",
         "retry_policy": "retryPolicy",
         "role": "role",
         "run_command_parameters": "runCommandParameters",
@@ -10295,6 +10296,7 @@ class RuleTargetConfig:
         http_parameters: typing.Optional[typing.Union[CfnRule.HttpParametersProperty, typing.Dict[builtins.str, typing.Any]]] = None,
         input: typing.Optional["RuleTargetInput"] = None,
         kinesis_parameters: typing.Optional[typing.Union[CfnRule.KinesisParametersProperty, typing.Dict[builtins.str, typing.Any]]] = None,
+        redshift_data_parameters: typing.Optional[typing.Union[CfnRule.RedshiftDataParametersProperty, typing.Dict[builtins.str, typing.Any]]] = None,
         retry_policy: typing.Optional[typing.Union[CfnRule.RetryPolicyProperty, typing.Dict[builtins.str, typing.Any]]] = None,
         role: typing.Optional[_IRole_235f5d8e] = None,
         run_command_parameters: typing.Optional[typing.Union[CfnRule.RunCommandParametersProperty, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -10311,6 +10313,7 @@ class RuleTargetConfig:
         :param http_parameters: Contains the HTTP parameters to use when the target is a API Gateway REST endpoint or EventBridge API destination. Default: - None
         :param input: What input to send to the event target. Default: the entire event
         :param kinesis_parameters: Settings that control shard assignment, when the target is a Kinesis stream. If you don't include this parameter, eventId is used as the partition key.
+        :param redshift_data_parameters: Parameters used when the rule invokes Amazon Redshift Queries. Default: - no parameters set
         :param retry_policy: A RetryPolicy object that includes information about the retry policy settings. Default: EventBridge default retry policy
         :param role: Role to use to invoke this event target.
         :param run_command_parameters: Parameters used when the rule invokes Amazon EC2 Systems Manager Run Command.
@@ -10407,6 +10410,17 @@ class RuleTargetConfig:
                 kinesis_parameters=events.CfnRule.KinesisParametersProperty(
                     partition_key_path="partitionKeyPath"
                 ),
+                redshift_data_parameters=events.CfnRule.RedshiftDataParametersProperty(
+                    database="database",
+            
+                    # the properties below are optional
+                    db_user="dbUser",
+                    secret_manager_arn="secretManagerArn",
+                    sql="sql",
+                    sqls=["sqls"],
+                    statement_name="statementName",
+                    with_event=False
+                ),
                 retry_policy=events.CfnRule.RetryPolicyProperty(
                     maximum_event_age_in_seconds=123,
                     maximum_retry_attempts=123
@@ -10436,6 +10450,8 @@ class RuleTargetConfig:
             http_parameters = CfnRule.HttpParametersProperty(**http_parameters)
         if isinstance(kinesis_parameters, dict):
             kinesis_parameters = CfnRule.KinesisParametersProperty(**kinesis_parameters)
+        if isinstance(redshift_data_parameters, dict):
+            redshift_data_parameters = CfnRule.RedshiftDataParametersProperty(**redshift_data_parameters)
         if isinstance(retry_policy, dict):
             retry_policy = CfnRule.RetryPolicyProperty(**retry_policy)
         if isinstance(run_command_parameters, dict):
@@ -10452,6 +10468,7 @@ class RuleTargetConfig:
             check_type(argname="argument http_parameters", value=http_parameters, expected_type=type_hints["http_parameters"])
             check_type(argname="argument input", value=input, expected_type=type_hints["input"])
             check_type(argname="argument kinesis_parameters", value=kinesis_parameters, expected_type=type_hints["kinesis_parameters"])
+            check_type(argname="argument redshift_data_parameters", value=redshift_data_parameters, expected_type=type_hints["redshift_data_parameters"])
             check_type(argname="argument retry_policy", value=retry_policy, expected_type=type_hints["retry_policy"])
             check_type(argname="argument role", value=role, expected_type=type_hints["role"])
             check_type(argname="argument run_command_parameters", value=run_command_parameters, expected_type=type_hints["run_command_parameters"])
@@ -10474,6 +10491,8 @@ class RuleTargetConfig:
             self._values["input"] = input
         if kinesis_parameters is not None:
             self._values["kinesis_parameters"] = kinesis_parameters
+        if redshift_data_parameters is not None:
+            self._values["redshift_data_parameters"] = redshift_data_parameters
         if retry_policy is not None:
             self._values["retry_policy"] = retry_policy
         if role is not None:
@@ -10553,6 +10572,17 @@ class RuleTargetConfig:
         result = self._values.get("kinesis_parameters")
         return typing.cast(typing.Optional[CfnRule.KinesisParametersProperty], result)
 
+    @builtins.property
+    def redshift_data_parameters(
+        self,
+    ) -> typing.Optional[CfnRule.RedshiftDataParametersProperty]:
+        '''Parameters used when the rule invokes Amazon Redshift Queries.
+
+        :default: - no parameters set
+        '''
+        result = self._values.get("redshift_data_parameters")
+        return typing.cast(typing.Optional[CfnRule.RedshiftDataParametersProperty], result)
+
     @builtins.property
     def retry_policy(self) -> typing.Optional[CfnRule.RetryPolicyProperty]:
         '''A RetryPolicy object that includes information about the retry policy settings.
@@ -10862,27 +10892,22 @@ class Schedule(
 
     Example::
 
-        import aws_cdk.aws_ecs as ecs
+        import aws_cdk.aws_redshiftserverless as redshiftserverless
         
-        # cluster: ecs.ICluster
-        # task_definition: ecs.TaskDefinition
+        # workgroup: redshiftserverless.CfnWorkgroup
         
         
         rule = events.Rule(self, "Rule",
             schedule=events.Schedule.rate(cdk.Duration.hours(1))
         )
         
-        rule.add_target(
-            targets.EcsTask(
-                cluster=cluster,
-                task_definition=task_definition,
-                propagate_tags=ecs.PropagatedTagSource.TASK_DEFINITION,
-                tags=[targets.Tag(
-                    key="my-tag",
-                    value="my-tag-value"
-                )
-                ]
-            ))
+        dlq = sqs.Queue(self, "DeadLetterQueue")
+        
+        rule.add_target(targets.RedshiftQuery(workgroup.attr_workgroup_workgroup_arn,
+            database="dev",
+            dead_letter_queue=dlq,
+            sql=["SELECT * FROM foo", "SELECT * FROM baz"]
+        ))
     '''
 
     def __init__(self) -> None:
@@ -12891,6 +12916,7 @@ def _typecheckingstub__10b46a391417178d3d06a5360e56af2bf314e68a1662e39855324f124
     http_parameters: typing.Optional[typing.Union[CfnRule.HttpParametersProperty, typing.Dict[builtins.str, typing.Any]]] = None,
     input: typing.Optional[RuleTargetInput] = None,
     kinesis_parameters: typing.Optional[typing.Union[CfnRule.KinesisParametersProperty, typing.Dict[builtins.str, typing.Any]]] = None,
+    redshift_data_parameters: typing.Optional[typing.Union[CfnRule.RedshiftDataParametersProperty, typing.Dict[builtins.str, typing.Any]]] = None,
     retry_policy: typing.Optional[typing.Union[CfnRule.RetryPolicyProperty, typing.Dict[builtins.str, typing.Any]]] = None,
     role: typing.Optional[_IRole_235f5d8e] = None,
     run_command_parameters: typing.Optional[typing.Union[CfnRule.RunCommandParametersProperty, typing.Dict[builtins.str, typing.Any]]] = None,

aws_cdk/aws_events_targets/__init__.py

@@ -26,6 +26,7 @@ Currently supported are:
     * [Launch type for ECS Task](#launch-type-for-ecs-task)
     * [Assign public IP addresses to tasks](#assign-public-ip-addresses-to-tasks)
     * [Enable Amazon ECS Exec for ECS Task](#enable-amazon-ecs-exec-for-ecs-task)
+  * [Run a Redshift query](#schedule-a-redshift-query-serverless-or-cluster)
 
 See the README of the `aws-cdk-lib/aws-events` library for more information on
 EventBridge.
@@ -556,6 +557,31 @@ rule.add_target(targets.EcsTask(
     enable_execute_command=True
 ))
 ```
+
+## Schedule a Redshift query (serverless or cluster)
+
+Use the `RedshiftQuery` target to schedule an Amazon Redshift Query.
+
+The code snippet below creates the scheduled event rule that route events to an Amazon Redshift Query
+
+```python
+import aws_cdk.aws_redshiftserverless as redshiftserverless
+
+# workgroup: redshiftserverless.CfnWorkgroup
+
+
+rule = events.Rule(self, "Rule",
+    schedule=events.Schedule.rate(cdk.Duration.hours(1))
+)
+
+dlq = sqs.Queue(self, "DeadLetterQueue")
+
+rule.add_target(targets.RedshiftQuery(workgroup.attr_workgroup_workgroup_arn,
+    database="dev",
+    dead_letter_queue=dlq,
+    sql=["SELECT * FROM foo", "SELECT * FROM baz"]
+))
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -609,6 +635,7 @@ from ..aws_kinesis import IStream as _IStream_4e2457d2
 from ..aws_kinesisfirehose import CfnDeliveryStream as _CfnDeliveryStream_8f3b1735
 from ..aws_lambda import IFunction as _IFunction_6adb0ab8
 from ..aws_logs import ILogGroup as _ILogGroup_3c4fa718
+from ..aws_secretsmanager import ISecret as _ISecret_6e020e6a
 from ..aws_sns import ITopic as _ITopic_9eca4852
 from ..aws_sqs import IQueue as _IQueue_7ed6f679
 from ..aws_stepfunctions import IStateMachine as _IStateMachine_73e8d2b0
@@ -2628,6 +2655,296 @@ class LogGroupTargetInputOptions:
         )
 
 
+@jsii.implements(_IRuleTarget_7a91f454)
+class RedshiftQuery(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_events_targets.RedshiftQuery",
+):
+    '''Schedule an Amazon Redshift Query to be run, using the Redshift Data API.
+
+    If you would like Amazon Redshift to identify the Event Bridge rule, and present it in the Amazon Redshift console, append a ``QS2-`` prefix to both ``statementName`` and ``ruleName``.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        import aws_cdk.aws_redshiftserverless as redshiftserverless
+        
+        # workgroup: redshiftserverless.CfnWorkgroup
+        
+        
+        rule = events.Rule(self, "Rule",
+            schedule=events.Schedule.rate(cdk.Duration.hours(1))
+        )
+        
+        dlq = sqs.Queue(self, "DeadLetterQueue")
+        
+        rule.add_target(targets.RedshiftQuery(workgroup.attr_workgroup_workgroup_arn,
+            database="dev",
+            dead_letter_queue=dlq,
+            sql=["SELECT * FROM foo", "SELECT * FROM baz"]
+        ))
+    '''
+
+    def __init__(
+        self,
+        cluster_arn: builtins.str,
+        *,
+        database: builtins.str,
+        sql: typing.Sequence[builtins.str],
+        db_user: typing.Optional[builtins.str] = None,
+        dead_letter_queue: typing.Optional[_IQueue_7ed6f679] = None,
+        input: typing.Optional[_RuleTargetInput_6beca786] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+        secret: typing.Optional[_ISecret_6e020e6a] = None,
+        send_event_bridge_event: typing.Optional[builtins.bool] = None,
+        statement_name: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''
+        :param cluster_arn: The ARN of the Amazon Redshift cluster.
+        :param database: The Amazon Redshift database to run the query against.
+        :param sql: The SQL queries to be executed. Each query is run sequentially within a single transaction; the next query in the array will only execute after the previous one has successfully completed. - When multiple sql queries are included, this will use the ``batchExecuteStatement`` API. Therefore, if any statement fails, the entire transaction is rolled back. - If a single SQL statement is to be executed, this will use the ``executeStatement`` API. Default: - No SQL query is specified
+        :param db_user: The Amazon Redshift database user to run the query as. This is required when authenticating via temporary credentials. Default: - No Database user is specified
+        :param dead_letter_queue: The queue to be used as dead letter queue. Default: - No dead letter queue is specified
+        :param input: The input to the state machine execution. Default: - the entire EventBridge event
+        :param role: The IAM role to be used to execute the SQL statement. Default: - a new role will be created.
+        :param secret: The secret containing the password for the database user. This is required when authenticating via Secrets Manager. If the full secret ARN is not specified, this will instead use the secret name. Default: - No secret is specified
+        :param send_event_bridge_event: Should an event be sent back to Event Bridge when the SQL statement is executed. Default: false
+        :param statement_name: The name of the SQL statement. You can name the SQL statement for identitfication purposes. If you would like Amazon Redshift to identify the Event Bridge rule, and present it in the Amazon Redshift console, append a ``QS2-`` prefix to the statement name. Default: - No statement name is specified
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__6f991f630fb494b0dbf6dd8dd11dec71e3b3618d520bce2a1761a05620a3d899)
+            check_type(argname="argument cluster_arn", value=cluster_arn, expected_type=type_hints["cluster_arn"])
+        props = RedshiftQueryProps(
+            database=database,
+            sql=sql,
+            db_user=db_user,
+            dead_letter_queue=dead_letter_queue,
+            input=input,
+            role=role,
+            secret=secret,
+            send_event_bridge_event=send_event_bridge_event,
+            statement_name=statement_name,
+        )
+
+        jsii.create(self.__class__, self, [cluster_arn, props])
+
+    @jsii.member(jsii_name="bind")
+    def bind(
+        self,
+        rule: _IRule_af9e3d28,
+        _id: typing.Optional[builtins.str] = None,
+    ) -> _RuleTargetConfig_4e70fe03:
+        '''Returns the rule target specification.
+
+        NOTE: Do not use the various ``inputXxx`` options. They can be set in a call to ``addTarget``.
+
+        :param rule: -
+        :param _id: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__39a86a8b0444f7c45c252e76fda9d4157fe34d2c363d4a99075556e92c234689)
+            check_type(argname="argument rule", value=rule, expected_type=type_hints["rule"])
+            check_type(argname="argument _id", value=_id, expected_type=type_hints["_id"])
+        return typing.cast(_RuleTargetConfig_4e70fe03, jsii.invoke(self, "bind", [rule, _id]))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_events_targets.RedshiftQueryProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "database": "database",
+        "sql": "sql",
+        "db_user": "dbUser",
+        "dead_letter_queue": "deadLetterQueue",
+        "input": "input",
+        "role": "role",
+        "secret": "secret",
+        "send_event_bridge_event": "sendEventBridgeEvent",
+        "statement_name": "statementName",
+    },
+)
+class RedshiftQueryProps:
+    def __init__(
+        self,
+        *,
+        database: builtins.str,
+        sql: typing.Sequence[builtins.str],
+        db_user: typing.Optional[builtins.str] = None,
+        dead_letter_queue: typing.Optional[_IQueue_7ed6f679] = None,
+        input: typing.Optional[_RuleTargetInput_6beca786] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+        secret: typing.Optional[_ISecret_6e020e6a] = None,
+        send_event_bridge_event: typing.Optional[builtins.bool] = None,
+        statement_name: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Configuration properties of an Amazon Redshift Query event.
+
+        :param database: The Amazon Redshift database to run the query against.
+        :param sql: The SQL queries to be executed. Each query is run sequentially within a single transaction; the next query in the array will only execute after the previous one has successfully completed. - When multiple sql queries are included, this will use the ``batchExecuteStatement`` API. Therefore, if any statement fails, the entire transaction is rolled back. - If a single SQL statement is to be executed, this will use the ``executeStatement`` API. Default: - No SQL query is specified
+        :param db_user: The Amazon Redshift database user to run the query as. This is required when authenticating via temporary credentials. Default: - No Database user is specified
+        :param dead_letter_queue: The queue to be used as dead letter queue. Default: - No dead letter queue is specified
+        :param input: The input to the state machine execution. Default: - the entire EventBridge event
+        :param role: The IAM role to be used to execute the SQL statement. Default: - a new role will be created.
+        :param secret: The secret containing the password for the database user. This is required when authenticating via Secrets Manager. If the full secret ARN is not specified, this will instead use the secret name. Default: - No secret is specified
+        :param send_event_bridge_event: Should an event be sent back to Event Bridge when the SQL statement is executed. Default: false
+        :param statement_name: The name of the SQL statement. You can name the SQL statement for identitfication purposes. If you would like Amazon Redshift to identify the Event Bridge rule, and present it in the Amazon Redshift console, append a ``QS2-`` prefix to the statement name. Default: - No statement name is specified
+
+        :exampleMetadata: infused
+
+        Example::
+
+            import aws_cdk.aws_redshiftserverless as redshiftserverless
+            
+            # workgroup: redshiftserverless.CfnWorkgroup
+            
+            
+            rule = events.Rule(self, "Rule",
+                schedule=events.Schedule.rate(cdk.Duration.hours(1))
+            )
+            
+            dlq = sqs.Queue(self, "DeadLetterQueue")
+            
+            rule.add_target(targets.RedshiftQuery(workgroup.attr_workgroup_workgroup_arn,
+                database="dev",
+                dead_letter_queue=dlq,
+                sql=["SELECT * FROM foo", "SELECT * FROM baz"]
+            ))
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d13f81540e4b5fba1ebd8aafeb69150df8060d4625c37631f59f81095b2a27b2)
+            check_type(argname="argument database", value=database, expected_type=type_hints["database"])
+            check_type(argname="argument sql", value=sql, expected_type=type_hints["sql"])
+            check_type(argname="argument db_user", value=db_user, expected_type=type_hints["db_user"])
+            check_type(argname="argument dead_letter_queue", value=dead_letter_queue, expected_type=type_hints["dead_letter_queue"])
+            check_type(argname="argument input", value=input, expected_type=type_hints["input"])
+            check_type(argname="argument role", value=role, expected_type=type_hints["role"])
+            check_type(argname="argument secret", value=secret, expected_type=type_hints["secret"])
+            check_type(argname="argument send_event_bridge_event", value=send_event_bridge_event, expected_type=type_hints["send_event_bridge_event"])
+            check_type(argname="argument statement_name", value=statement_name, expected_type=type_hints["statement_name"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "database": database,
+            "sql": sql,
+        }
+        if db_user is not None:
+            self._values["db_user"] = db_user
+        if dead_letter_queue is not None:
+            self._values["dead_letter_queue"] = dead_letter_queue
+        if input is not None:
+            self._values["input"] = input
+        if role is not None:
+            self._values["role"] = role
+        if secret is not None:
+            self._values["secret"] = secret
+        if send_event_bridge_event is not None:
+            self._values["send_event_bridge_event"] = send_event_bridge_event
+        if statement_name is not None:
+            self._values["statement_name"] = statement_name
+
+    @builtins.property
+    def database(self) -> builtins.str:
+        '''The Amazon Redshift database to run the query against.'''
+        result = self._values.get("database")
+        assert result is not None, "Required property 'database' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def sql(self) -> typing.List[builtins.str]:
+        '''The SQL queries to be executed.
+
+        Each query is run sequentially within a single transaction; the next query in the array will only execute after the previous one has successfully completed.
+
+        - When multiple sql queries are included, this will use the ``batchExecuteStatement`` API. Therefore, if any statement fails, the entire transaction is rolled back.
+        - If a single SQL statement is to be executed, this will use the ``executeStatement`` API.
+
+        :default: - No SQL query is specified
+        '''
+        result = self._values.get("sql")
+        assert result is not None, "Required property 'sql' is missing"
+        return typing.cast(typing.List[builtins.str], result)
+
+    @builtins.property
+    def db_user(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Redshift database user to run the query as.
+
+        This is required when authenticating via temporary credentials.
+
+        :default: - No Database user is specified
+        '''
+        result = self._values.get("db_user")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def dead_letter_queue(self) -> typing.Optional[_IQueue_7ed6f679]:
+        '''The queue to be used as dead letter queue.
+
+        :default: - No dead letter queue is specified
+        '''
+        result = self._values.get("dead_letter_queue")
+        return typing.cast(typing.Optional[_IQueue_7ed6f679], result)
+
+    @builtins.property
+    def input(self) -> typing.Optional[_RuleTargetInput_6beca786]:
+        '''The input to the state machine execution.
+
+        :default: - the entire EventBridge event
+        '''
+        result = self._values.get("input")
+        return typing.cast(typing.Optional[_RuleTargetInput_6beca786], result)
+
+    @builtins.property
+    def role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The IAM role to be used to execute the SQL statement.
+
+        :default: - a new role will be created.
+        '''
+        result = self._values.get("role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+
+    @builtins.property
+    def secret(self) -> typing.Optional[_ISecret_6e020e6a]:
+        '''The secret containing the password for the database user.
+
+        This is required when authenticating via Secrets Manager.
+        If the full secret ARN is not specified, this will instead use the secret name.
+
+        :default: - No secret is specified
+        '''
+        result = self._values.get("secret")
+        return typing.cast(typing.Optional[_ISecret_6e020e6a], result)
+
+    @builtins.property
+    def send_event_bridge_event(self) -> typing.Optional[builtins.bool]:
+        '''Should an event be sent back to Event Bridge when the SQL statement is executed.
+
+        :default: false
+        '''
+        result = self._values.get("send_event_bridge_event")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def statement_name(self) -> typing.Optional[builtins.str]:
+        '''The name of the SQL statement.
+
+        You can name the SQL statement for identitfication purposes. If you would like Amazon Redshift to identify the Event Bridge rule, and present it in the Amazon Redshift console, append a ``QS2-`` prefix to the statement name.
+
+        :default: - No statement name is specified
+        '''
+        result = self._values.get("statement_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "RedshiftQueryProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.implements(_IRuleTarget_7a91f454)
 class SfnStateMachine(
     metaclass=jsii.JSIIMeta,
@@ -5197,6 +5514,8 @@ __all__ = [
     "LogGroupProps",
     "LogGroupTargetInput",
     "LogGroupTargetInputOptions",
+    "RedshiftQuery",
+    "RedshiftQueryProps",
     "SfnStateMachine",
     "SfnStateMachineProps",
     "SnsTopic",
@@ -5524,6 +5843,44 @@ def _typecheckingstub__12b2a1770edaa7f8ba5d731e85339d65d757aa25fd54d6c6be4746c6a
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__6f991f630fb494b0dbf6dd8dd11dec71e3b3618d520bce2a1761a05620a3d899(
+    cluster_arn: builtins.str,
+    *,
+    database: builtins.str,
+    sql: typing.Sequence[builtins.str],
+    db_user: typing.Optional[builtins.str] = None,
+    dead_letter_queue: typing.Optional[_IQueue_7ed6f679] = None,
+    input: typing.Optional[_RuleTargetInput_6beca786] = None,
+    role: typing.Optional[_IRole_235f5d8e] = None,
+    secret: typing.Optional[_ISecret_6e020e6a] = None,
+    send_event_bridge_event: typing.Optional[builtins.bool] = None,
+    statement_name: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__39a86a8b0444f7c45c252e76fda9d4157fe34d2c363d4a99075556e92c234689(
+    rule: _IRule_af9e3d28,
+    _id: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__d13f81540e4b5fba1ebd8aafeb69150df8060d4625c37631f59f81095b2a27b2(
+    *,
+    database: builtins.str,
+    sql: typing.Sequence[builtins.str],
+    db_user: typing.Optional[builtins.str] = None,
+    dead_letter_queue: typing.Optional[_IQueue_7ed6f679] = None,
+    input: typing.Optional[_RuleTargetInput_6beca786] = None,
+    role: typing.Optional[_IRole_235f5d8e] = None,
+    secret: typing.Optional[_ISecret_6e020e6a] = None,
+    send_event_bridge_event: typing.Optional[builtins.bool] = None,
+    statement_name: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__257316eeebae5ef658a5b570361035fdfb5ab37e96962b24c2e814b0702cba68(
     machine: _IStateMachine_73e8d2b0,
     *,

aws_cdk/aws_iam/__init__.py

@@ -13237,17 +13237,16 @@ class ServicePrincipal(
 
     Example::
 
-        lambda_role = iam.Role(self, "Role",
-            assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
-            description="Example role..."
+        # definition: sfn.IChainable
+        role = iam.Role(self, "Role",
+            assumed_by=iam.ServicePrincipal("lambda.amazonaws.com")
         )
-        
-        stream = kinesis.Stream(self, "MyEncryptedStream",
-            encryption=kinesis.StreamEncryption.KMS
+        state_machine = sfn.StateMachine(self, "StateMachine",
+            definition_body=sfn.DefinitionBody.from_chainable(definition)
         )
         
-        # give lambda permissions to read stream
-        stream.grant_read(lambda_role)
+        # Give role permission to get execution history of ALL executions for the state machine
+        state_machine.grant_execution(role, "states:GetExecutionHistory")
     '''
 
     def __init__(