aws-cdk-lib 2.160.0__py3-none-any.whl → 2.161.1__py3-none-any.whl

aws_cdk/aws_rds/__init__.py

@@ -85,6 +85,28 @@ cluster = rds.DatabaseCluster(self, "Database",
 
 For more information about dual-stack mode, see [Working with a DB cluster in a VPC](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html).
 
+If you want to issue read/write transactions directly on an Aurora Replica, you can use [local write forwarding](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-mysql-write-forwarding.html).
+Local write forwarding allows read replicas to accept write transactions and forward them to the writer DB instance to be committed.
+
+To enable local write forwarding, set the `enableLocalWriteForwarding` property to `true`:
+
+```python
+# vpc: ec2.IVpc
+
+
+rds.DatabaseCluster(self, "DatabaseCluster",
+    engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_3_07_0),
+    writer=rds.ClusterInstance.serverless_v2("writerInstance"),
+    readers=[
+        rds.ClusterInstance.serverless_v2("readerInstance1")
+    ],
+    vpc=vpc,
+    enable_local_write_forwarding=True
+)
+```
+
+**Note**: Local write forwarding is only supported for Aurora MySQL 3.04 and higher.
+
 Use `DatabaseClusterFromSnapshot` to create a cluster from a snapshot:
 
 ```python
@@ -3341,6 +3363,12 @@ class AuroraPostgresEngineVersion(
         '''Version "12.19".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_12_19"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_12_20")
+    def VER_12_20(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "12.20".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_12_20"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_12_4")
     def VER_12_4(cls) -> "AuroraPostgresEngineVersion":
@@ -3427,6 +3455,12 @@ class AuroraPostgresEngineVersion(
         '''Version "13.15".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_13_15"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_13_16")
+    def VER_13_16(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "13.16".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_13_16"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_13_3")
     def VER_13_3(cls) -> "AuroraPostgresEngineVersion":
@@ -3507,6 +3541,12 @@ class AuroraPostgresEngineVersion(
         '''Version "14.12".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_14_12"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_14_13")
+    def VER_14_13(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "14.13".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_14_13"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_14_3")
     def VER_14_3(cls) -> "AuroraPostgresEngineVersion":
@@ -3585,6 +3625,12 @@ class AuroraPostgresEngineVersion(
         '''Version "15.7".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_15_7"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_15_8")
+    def VER_15_8(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "15.8".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_15_8"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_16_0")
     def VER_16_0(cls) -> "AuroraPostgresEngineVersion":
@@ -3614,6 +3660,12 @@ class AuroraPostgresEngineVersion(
         '''Version "16.3".'''
         return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_16_3"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_16_4")
+    def VER_16_4(cls) -> "AuroraPostgresEngineVersion":
+        '''Version "16.4".'''
+        return typing.cast("AuroraPostgresEngineVersion", jsii.sget(cls, "VER_16_4"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_9_6_11")
     def VER_9_6_11(cls) -> "AuroraPostgresEngineVersion":
@@ -15948,7 +16000,7 @@ class CfnEventSubscriptionProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
 class CfnGlobalCluster(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -15979,7 +16031,11 @@ class CfnGlobalCluster(
             engine_version="engineVersion",
             global_cluster_identifier="globalClusterIdentifier",
             source_db_cluster_identifier="sourceDbClusterIdentifier",
-            storage_encrypted=False
+            storage_encrypted=False,
+            tags=[CfnTag(
+                key="key",
+                value="value"
+            )]
         )
     '''
 
@@ -15995,6 +16051,7 @@ class CfnGlobalCluster(
         global_cluster_identifier: typing.Optional[builtins.str] = None,
         source_db_cluster_identifier: typing.Optional[builtins.str] = None,
         storage_encrypted: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
@@ -16006,6 +16063,7 @@ class CfnGlobalCluster(
         :param global_cluster_identifier: The cluster identifier for this global database cluster. This parameter is stored as a lowercase string.
         :param source_db_cluster_identifier: The Amazon Resource Name (ARN) to use as the primary cluster of the global database. If you provide a value for this parameter, don't specify values for the following settings because Amazon Aurora uses the values from the specified source DB cluster: - ``DatabaseName`` - ``Engine`` - ``EngineVersion`` - ``StorageEncrypted``
         :param storage_encrypted: Specifies whether to enable storage encryption for the new global database cluster. Constraints: - Can't be specified if ``SourceDBClusterIdentifier`` is specified. In this case, Amazon Aurora uses the setting from the source DB cluster.
+        :param tags: An array of key-value pairs to apply to this resource.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__1611fa62b935d4f304c9fd8befd7c639fa3cc4898c7c6d9f86feb2d669b72e80)
@@ -16019,6 +16077,7 @@ class CfnGlobalCluster(
             global_cluster_identifier=global_cluster_identifier,
             source_db_cluster_identifier=source_db_cluster_identifier,
             storage_encrypted=storage_encrypted,
+            tags=tags,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -16053,6 +16112,12 @@ class CfnGlobalCluster(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="cdkTagManager")
+    def cdk_tag_manager(self) -> _TagManager_0a598cb3:
+        '''Tag Manager which manages the tags for this resource.'''
+        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "cdkTagManager"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -16162,6 +16227,19 @@ class CfnGlobalCluster(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "storageEncrypted", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="tags")
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''An array of key-value pairs to apply to this resource.'''
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tags"))
+
+    @tags.setter
+    def tags(self, value: typing.Optional[typing.List[_CfnTag_f6864754]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__353dbc811b6418119794dea977794a47fb1500897063d3e8fdf280f56575e579)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "tags", value) # pyright: ignore[reportArgumentType]
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_rds.CfnGlobalClusterProps",
@@ -16174,6 +16252,7 @@ class CfnGlobalCluster(
         "global_cluster_identifier": "globalClusterIdentifier",
         "source_db_cluster_identifier": "sourceDbClusterIdentifier",
         "storage_encrypted": "storageEncrypted",
+        "tags": "tags",
     },
 )
 class CfnGlobalClusterProps:
@@ -16187,6 +16266,7 @@ class CfnGlobalClusterProps:
         global_cluster_identifier: typing.Optional[builtins.str] = None,
         source_db_cluster_identifier: typing.Optional[builtins.str] = None,
         storage_encrypted: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''Properties for defining a ``CfnGlobalCluster``.
 
@@ -16197,6 +16277,7 @@ class CfnGlobalClusterProps:
         :param global_cluster_identifier: The cluster identifier for this global database cluster. This parameter is stored as a lowercase string.
         :param source_db_cluster_identifier: The Amazon Resource Name (ARN) to use as the primary cluster of the global database. If you provide a value for this parameter, don't specify values for the following settings because Amazon Aurora uses the values from the specified source DB cluster: - ``DatabaseName`` - ``Engine`` - ``EngineVersion`` - ``StorageEncrypted``
         :param storage_encrypted: Specifies whether to enable storage encryption for the new global database cluster. Constraints: - Can't be specified if ``SourceDBClusterIdentifier`` is specified. In this case, Amazon Aurora uses the setting from the source DB cluster.
+        :param tags: An array of key-value pairs to apply to this resource.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html
         :exampleMetadata: fixture=_generated
@@ -16214,7 +16295,11 @@ class CfnGlobalClusterProps:
                 engine_version="engineVersion",
                 global_cluster_identifier="globalClusterIdentifier",
                 source_db_cluster_identifier="sourceDbClusterIdentifier",
-                storage_encrypted=False
+                storage_encrypted=False,
+                tags=[CfnTag(
+                    key="key",
+                    value="value"
+                )]
             )
         '''
         if __debug__:
@@ -16226,6 +16311,7 @@ class CfnGlobalClusterProps:
             check_type(argname="argument global_cluster_identifier", value=global_cluster_identifier, expected_type=type_hints["global_cluster_identifier"])
             check_type(argname="argument source_db_cluster_identifier", value=source_db_cluster_identifier, expected_type=type_hints["source_db_cluster_identifier"])
             check_type(argname="argument storage_encrypted", value=storage_encrypted, expected_type=type_hints["storage_encrypted"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if deletion_protection is not None:
             self._values["deletion_protection"] = deletion_protection
@@ -16241,6 +16327,8 @@ class CfnGlobalClusterProps:
             self._values["source_db_cluster_identifier"] = source_db_cluster_identifier
         if storage_encrypted is not None:
             self._values["storage_encrypted"] = storage_encrypted
+        if tags is not None:
+            self._values["tags"] = tags
 
     @builtins.property
     def deletion_protection(
@@ -16346,6 +16434,15 @@ class CfnGlobalClusterProps:
         result = self._values.get("storage_encrypted")
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
 
+    @builtins.property
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''An array of key-value pairs to apply to this resource.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html#cfn-rds-globalcluster-tags
+        '''
+        result = self._values.get("tags")
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -19680,6 +19777,7 @@ class DatabaseClusterEngine(
         "domain": "domain",
         "domain_role": "domainRole",
         "enable_data_api": "enableDataApi",
+        "enable_local_write_forwarding": "enableLocalWriteForwarding",
         "iam_authentication": "iamAuthentication",
         "instance_identifier_base": "instanceIdentifierBase",
         "instance_props": "instanceProps",
@@ -19730,6 +19828,7 @@ class DatabaseClusterFromSnapshotProps:
         domain: typing.Optional[builtins.str] = None,
         domain_role: typing.Optional[_IRole_235f5d8e] = None,
         enable_data_api: typing.Optional[builtins.bool] = None,
+        enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
         iam_authentication: typing.Optional[builtins.bool] = None,
         instance_identifier_base: typing.Optional[builtins.str] = None,
         instance_props: typing.Optional[typing.Union["InstanceProps", typing.Dict[builtins.str, typing.Any]]] = None,
@@ -19777,6 +19876,7 @@ class DatabaseClusterFromSnapshotProps:
         :param domain: Directory ID for associating the DB cluster with a specific Active Directory. Necessary for enabling Kerberos authentication. If specified, the DB cluster joins the given Active Directory, enabling Kerberos authentication. If not specified, the DB cluster will not be associated with any Active Directory, and Kerberos authentication will not be enabled. Default: - DB cluster is not associated with an Active Directory; Kerberos authentication is not enabled.
         :param domain_role: The IAM role to be used when making API calls to the Directory Service. The role needs the AWS-managed policy ``AmazonRDSDirectoryServiceAccess`` or equivalent. Default: - If ``DatabaseClusterBaseProps.domain`` is specified, a role with the ``AmazonRDSDirectoryServiceAccess`` policy is automatically created.
         :param enable_data_api: Whether to enable the Data API for the cluster. Default: - false
+        :param enable_local_write_forwarding: Whether read replicas can forward write operations to the writer DB instance in the DB cluster. This setting can only be enabled for Aurora MySQL 3.04 and higher clusters. Default: false
         :param iam_authentication: Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. Default: false
         :param instance_identifier_base: Base identifier for instances. Every replica is named by appending the replica number to this string, 1-based. Default: - clusterIdentifier is used with the word "Instance" appended. If clusterIdentifier is not provided, the identifier is automatically generated.
         :param instance_props: (deprecated) Settings for the individual instances that are launched.
@@ -19843,6 +19943,7 @@ class DatabaseClusterFromSnapshotProps:
             check_type(argname="argument domain", value=domain, expected_type=type_hints["domain"])
             check_type(argname="argument domain_role", value=domain_role, expected_type=type_hints["domain_role"])
             check_type(argname="argument enable_data_api", value=enable_data_api, expected_type=type_hints["enable_data_api"])
+            check_type(argname="argument enable_local_write_forwarding", value=enable_local_write_forwarding, expected_type=type_hints["enable_local_write_forwarding"])
             check_type(argname="argument iam_authentication", value=iam_authentication, expected_type=type_hints["iam_authentication"])
             check_type(argname="argument instance_identifier_base", value=instance_identifier_base, expected_type=type_hints["instance_identifier_base"])
             check_type(argname="argument instance_props", value=instance_props, expected_type=type_hints["instance_props"])
@@ -19902,6 +20003,8 @@ class DatabaseClusterFromSnapshotProps:
             self._values["domain_role"] = domain_role
         if enable_data_api is not None:
             self._values["enable_data_api"] = enable_data_api
+        if enable_local_write_forwarding is not None:
+            self._values["enable_local_write_forwarding"] = enable_local_write_forwarding
         if iam_authentication is not None:
             self._values["iam_authentication"] = iam_authentication
         if instance_identifier_base is not None:
@@ -20132,6 +20235,19 @@ class DatabaseClusterFromSnapshotProps:
         result = self._values.get("enable_data_api")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def enable_local_write_forwarding(self) -> typing.Optional[builtins.bool]:
+        '''Whether read replicas can forward write operations to the writer DB instance in the DB cluster.
+
+        This setting can only be enabled for Aurora MySQL 3.04 and higher clusters.
+
+        :default: false
+
+        :see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-mysql-write-forwarding.html
+        '''
+        result = self._values.get("enable_local_write_forwarding")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def iam_authentication(self) -> typing.Optional[builtins.bool]:
         '''Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts.
@@ -20491,6 +20607,7 @@ class DatabaseClusterFromSnapshotProps:
         "domain": "domain",
         "domain_role": "domainRole",
         "enable_data_api": "enableDataApi",
+        "enable_local_write_forwarding": "enableLocalWriteForwarding",
         "iam_authentication": "iamAuthentication",
         "instance_identifier_base": "instanceIdentifierBase",
         "instance_props": "instanceProps",
@@ -20539,6 +20656,7 @@ class DatabaseClusterProps:
         domain: typing.Optional[builtins.str] = None,
         domain_role: typing.Optional[_IRole_235f5d8e] = None,
         enable_data_api: typing.Optional[builtins.bool] = None,
+        enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
         iam_authentication: typing.Optional[builtins.bool] = None,
         instance_identifier_base: typing.Optional[builtins.str] = None,
         instance_props: typing.Optional[typing.Union["InstanceProps", typing.Dict[builtins.str, typing.Any]]] = None,
@@ -20584,6 +20702,7 @@ class DatabaseClusterProps:
         :param domain: Directory ID for associating the DB cluster with a specific Active Directory. Necessary for enabling Kerberos authentication. If specified, the DB cluster joins the given Active Directory, enabling Kerberos authentication. If not specified, the DB cluster will not be associated with any Active Directory, and Kerberos authentication will not be enabled. Default: - DB cluster is not associated with an Active Directory; Kerberos authentication is not enabled.
         :param domain_role: The IAM role to be used when making API calls to the Directory Service. The role needs the AWS-managed policy ``AmazonRDSDirectoryServiceAccess`` or equivalent. Default: - If ``DatabaseClusterBaseProps.domain`` is specified, a role with the ``AmazonRDSDirectoryServiceAccess`` policy is automatically created.
         :param enable_data_api: Whether to enable the Data API for the cluster. Default: - false
+        :param enable_local_write_forwarding: Whether read replicas can forward write operations to the writer DB instance in the DB cluster. This setting can only be enabled for Aurora MySQL 3.04 and higher clusters. Default: false
         :param iam_authentication: Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. Default: false
         :param instance_identifier_base: Base identifier for instances. Every replica is named by appending the replica number to this string, 1-based. Default: - clusterIdentifier is used with the word "Instance" appended. If clusterIdentifier is not provided, the identifier is automatically generated.
         :param instance_props: (deprecated) Settings for the individual instances that are launched.
@@ -20657,6 +20776,7 @@ class DatabaseClusterProps:
             check_type(argname="argument domain", value=domain, expected_type=type_hints["domain"])
             check_type(argname="argument domain_role", value=domain_role, expected_type=type_hints["domain_role"])
             check_type(argname="argument enable_data_api", value=enable_data_api, expected_type=type_hints["enable_data_api"])
+            check_type(argname="argument enable_local_write_forwarding", value=enable_local_write_forwarding, expected_type=type_hints["enable_local_write_forwarding"])
             check_type(argname="argument iam_authentication", value=iam_authentication, expected_type=type_hints["iam_authentication"])
             check_type(argname="argument instance_identifier_base", value=instance_identifier_base, expected_type=type_hints["instance_identifier_base"])
             check_type(argname="argument instance_props", value=instance_props, expected_type=type_hints["instance_props"])
@@ -20714,6 +20834,8 @@ class DatabaseClusterProps:
             self._values["domain_role"] = domain_role
         if enable_data_api is not None:
             self._values["enable_data_api"] = enable_data_api
+        if enable_local_write_forwarding is not None:
+            self._values["enable_local_write_forwarding"] = enable_local_write_forwarding
         if iam_authentication is not None:
             self._values["iam_authentication"] = iam_authentication
         if instance_identifier_base is not None:
@@ -20919,6 +21041,19 @@ class DatabaseClusterProps:
         result = self._values.get("enable_data_api")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def enable_local_write_forwarding(self) -> typing.Optional[builtins.bool]:
+        '''Whether read replicas can forward write operations to the writer DB instance in the DB cluster.
+
+        This setting can only be enabled for Aurora MySQL 3.04 and higher clusters.
+
+        :default: false
+
+        :see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-mysql-write-forwarding.html
+        '''
+        result = self._values.get("enable_local_write_forwarding")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def iam_authentication(self) -> typing.Optional[builtins.bool]:
         '''Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts.
@@ -39470,6 +39605,7 @@ class DatabaseClusterFromSnapshot(
         domain: typing.Optional[builtins.str] = None,
         domain_role: typing.Optional[_IRole_235f5d8e] = None,
         enable_data_api: typing.Optional[builtins.bool] = None,
+        enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
         iam_authentication: typing.Optional[builtins.bool] = None,
         instance_identifier_base: typing.Optional[builtins.str] = None,
         instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -39518,6 +39654,7 @@ class DatabaseClusterFromSnapshot(
         :param domain: Directory ID for associating the DB cluster with a specific Active Directory. Necessary for enabling Kerberos authentication. If specified, the DB cluster joins the given Active Directory, enabling Kerberos authentication. If not specified, the DB cluster will not be associated with any Active Directory, and Kerberos authentication will not be enabled. Default: - DB cluster is not associated with an Active Directory; Kerberos authentication is not enabled.
         :param domain_role: The IAM role to be used when making API calls to the Directory Service. The role needs the AWS-managed policy ``AmazonRDSDirectoryServiceAccess`` or equivalent. Default: - If ``DatabaseClusterBaseProps.domain`` is specified, a role with the ``AmazonRDSDirectoryServiceAccess`` policy is automatically created.
         :param enable_data_api: Whether to enable the Data API for the cluster. Default: - false
+        :param enable_local_write_forwarding: Whether read replicas can forward write operations to the writer DB instance in the DB cluster. This setting can only be enabled for Aurora MySQL 3.04 and higher clusters. Default: false
         :param iam_authentication: Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. Default: false
         :param instance_identifier_base: Base identifier for instances. Every replica is named by appending the replica number to this string, 1-based. Default: - clusterIdentifier is used with the word "Instance" appended. If clusterIdentifier is not provided, the identifier is automatically generated.
         :param instance_props: (deprecated) Settings for the individual instances that are launched.
@@ -39568,6 +39705,7 @@ class DatabaseClusterFromSnapshot(
             domain=domain,
             domain_role=domain_role,
             enable_data_api=enable_data_api,
+            enable_local_write_forwarding=enable_local_write_forwarding,
             iam_authentication=iam_authentication,
             instance_identifier_base=instance_identifier_base,
             instance_props=instance_props,
@@ -43090,6 +43228,8 @@ class DatabaseInstanceReadReplica(
         '''The AWS Region-unique, immutable identifier for the DB instance.
 
         This identifier is found in AWS CloudTrail log entries whenever the AWS KMS key for the DB instance is accessed.
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#aws-resource-rds-dbinstance-return-values
         '''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "instanceResourceId"))
 
@@ -43467,6 +43607,7 @@ class DatabaseCluster(
         domain: typing.Optional[builtins.str] = None,
         domain_role: typing.Optional[_IRole_235f5d8e] = None,
         enable_data_api: typing.Optional[builtins.bool] = None,
+        enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
         iam_authentication: typing.Optional[builtins.bool] = None,
         instance_identifier_base: typing.Optional[builtins.str] = None,
         instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -43513,6 +43654,7 @@ class DatabaseCluster(
         :param domain: Directory ID for associating the DB cluster with a specific Active Directory. Necessary for enabling Kerberos authentication. If specified, the DB cluster joins the given Active Directory, enabling Kerberos authentication. If not specified, the DB cluster will not be associated with any Active Directory, and Kerberos authentication will not be enabled. Default: - DB cluster is not associated with an Active Directory; Kerberos authentication is not enabled.
         :param domain_role: The IAM role to be used when making API calls to the Directory Service. The role needs the AWS-managed policy ``AmazonRDSDirectoryServiceAccess`` or equivalent. Default: - If ``DatabaseClusterBaseProps.domain`` is specified, a role with the ``AmazonRDSDirectoryServiceAccess`` policy is automatically created.
         :param enable_data_api: Whether to enable the Data API for the cluster. Default: - false
+        :param enable_local_write_forwarding: Whether read replicas can forward write operations to the writer DB instance in the DB cluster. This setting can only be enabled for Aurora MySQL 3.04 and higher clusters. Default: false
         :param iam_authentication: Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. Default: false
         :param instance_identifier_base: Base identifier for instances. Every replica is named by appending the replica number to this string, 1-based. Default: - clusterIdentifier is used with the word "Instance" appended. If clusterIdentifier is not provided, the identifier is automatically generated.
         :param instance_props: (deprecated) Settings for the individual instances that are launched.
@@ -43561,6 +43703,7 @@ class DatabaseCluster(
             domain=domain,
             domain_role=domain_role,
             enable_data_api=enable_data_api,
+            enable_local_write_forwarding=enable_local_write_forwarding,
             iam_authentication=iam_authentication,
             instance_identifier_base=instance_identifier_base,
             instance_props=instance_props,
@@ -46617,6 +46760,7 @@ def _typecheckingstub__1611fa62b935d4f304c9fd8befd7c639fa3cc4898c7c6d9f86feb2d66
     global_cluster_identifier: typing.Optional[builtins.str] = None,
     source_db_cluster_identifier: typing.Optional[builtins.str] = None,
     storage_encrypted: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -46675,6 +46819,12 @@ def _typecheckingstub__f760cdb237d4844bc219ed58856db0d37bc81d9e590f5413f4b7b4f0c
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__353dbc811b6418119794dea977794a47fb1500897063d3e8fdf280f56575e579(
+    value: typing.Optional[typing.List[_CfnTag_f6864754]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__ef2e57f0cb9427badb90bc7e1248f0f26bc8de21a104bb924da9733667030430(
     *,
     deletion_protection: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
@@ -46684,6 +46834,7 @@ def _typecheckingstub__ef2e57f0cb9427badb90bc7e1248f0f26bc8de21a104bb924da973366
     global_cluster_identifier: typing.Optional[builtins.str] = None,
     source_db_cluster_identifier: typing.Optional[builtins.str] = None,
     storage_encrypted: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -47063,6 +47214,7 @@ def _typecheckingstub__1e44b5aef872ca17869a17181382f06cd0166bdbe07e2c33701d3bf1e
     domain: typing.Optional[builtins.str] = None,
     domain_role: typing.Optional[_IRole_235f5d8e] = None,
     enable_data_api: typing.Optional[builtins.bool] = None,
+    enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
     iam_authentication: typing.Optional[builtins.bool] = None,
     instance_identifier_base: typing.Optional[builtins.str] = None,
     instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -47112,6 +47264,7 @@ def _typecheckingstub__a32e21c90ab65d3cfdb3b7ef2a0d741ba1528ec8824cd1817d1e485b4
     domain: typing.Optional[builtins.str] = None,
     domain_role: typing.Optional[_IRole_235f5d8e] = None,
     enable_data_api: typing.Optional[builtins.bool] = None,
+    enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
     iam_authentication: typing.Optional[builtins.bool] = None,
     instance_identifier_base: typing.Optional[builtins.str] = None,
     instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -48313,6 +48466,7 @@ def _typecheckingstub__d1a2e259091e12a41b0f5818df495769518e049ebcc89ed340ffc7ba4
     domain: typing.Optional[builtins.str] = None,
     domain_role: typing.Optional[_IRole_235f5d8e] = None,
     enable_data_api: typing.Optional[builtins.bool] = None,
+    enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
     iam_authentication: typing.Optional[builtins.bool] = None,
     instance_identifier_base: typing.Optional[builtins.str] = None,
     instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -48795,6 +48949,7 @@ def _typecheckingstub__c6184cbbefaa372690b9776dafecbf5857cf9bfbab91d1666aad22c56
     domain: typing.Optional[builtins.str] = None,
     domain_role: typing.Optional[_IRole_235f5d8e] = None,
     enable_data_api: typing.Optional[builtins.bool] = None,
+    enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
     iam_authentication: typing.Optional[builtins.bool] = None,
     instance_identifier_base: typing.Optional[builtins.str] = None,
     instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,

aws_cdk/aws_route53resolver/__init__.py

@@ -3650,7 +3650,7 @@ class CfnResolverRule(
             :param ip: One IPv4 address that you want to forward DNS queries to.
             :param ipv6: One IPv6 address that you want to forward DNS queries to.
             :param port: The port at ``Ip`` that you want to forward DNS queries to.
-            :param protocol: The protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only. For an inbound endpoint you can apply the protocols as follows: - Do53 and DoH in combination. - Do53 and DoH-FIPS in combination. - Do53 alone. - DoH alone. - DoH-FIPS alone. - None, which is treated as Do53. For an outbound endpoint you can apply the protocols as follows: - Do53 and DoH in combination. - Do53 alone. - DoH alone. - None, which is treated as Do53.
+            :param protocol: The protocols for the target address. The protocol you choose needs to be supported by the outbound endpoint of the Resolver rule.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53resolver-resolverrule-targetaddress.html
             :exampleMetadata: fixture=_generated
@@ -3713,23 +3713,9 @@ class CfnResolverRule(
 
         @builtins.property
         def protocol(self) -> typing.Optional[builtins.str]:
-            '''The protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only.
+            '''The protocols for the target address.
 
-            For an inbound endpoint you can apply the protocols as follows:
-
-            - Do53 and DoH in combination.
-            - Do53 and DoH-FIPS in combination.
-            - Do53 alone.
-            - DoH alone.
-            - DoH-FIPS alone.
-            - None, which is treated as Do53.
-
-            For an outbound endpoint you can apply the protocols as follows:
-
-            - Do53 and DoH in combination.
-            - Do53 alone.
-            - DoH alone.
-            - None, which is treated as Do53.
+            The protocol you choose needs to be supported by the outbound endpoint of the Resolver rule.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53resolver-resolverrule-targetaddress.html#cfn-route53resolver-resolverrule-targetaddress-protocol
             '''

aws_cdk/aws_s3/__init__.py

@@ -9426,13 +9426,15 @@ class CfnBucket(
         ) -> None:
             '''Describes the default server-side encryption to apply to new objects in the bucket.
 
-            If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see `PUT Bucket encryption <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html>`_ in the *Amazon S3 API Reference* .
+            If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see `PutBucketEncryption <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html>`_ .
             .. epigraph::
 
-               If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
+               - *General purpose buckets* - If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key ( ``aws/s3`` ) in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
+               - *Directory buckets* - Your SSE-KMS configuration can only support 1 `customer managed key <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk>`_ per directory bucket for the lifetime of the bucket. `AWS managed key <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk>`_ ( ``aws/s3`` ) isn't supported.
+               - *Directory buckets* - For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS.
 
-            :param sse_algorithm: Server-side encryption algorithm to use for the default encryption.
-            :param kms_master_key_id: AWS Key Management Service (KMS) customer AWS KMS key ID to use for the default encryption. This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse`` . You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key. - Key ID: ``1234abcd-12ab-34cd-56ef-1234567890ab`` - Key ARN: ``arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`` - Key Alias: ``alias/alias-name`` If you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log. If you are using encryption with cross-account or AWS service operations you must use a fully qualified KMS key ARN. For more information, see `Using encryption for cross-account operations <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy>`_ . .. epigraph:: Amazon S3 only supports symmetric encryption KMS keys. For more information, see `Asymmetric keys in AWS KMS <https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html>`_ in the *AWS Key Management Service Developer Guide* .
+            :param sse_algorithm: Server-side encryption algorithm to use for the default encryption. .. epigraph:: For directory buckets, there are only two supported values for server-side encryption: ``AES256`` and ``aws:kms`` .
+            :param kms_master_key_id: AWS Key Management Service (KMS) customer managed key ID to use for the default encryption. .. epigraph:: - *General purpose buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse`` . - *Directory buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` . You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key. - Key ID: ``1234abcd-12ab-34cd-56ef-1234567890ab`` - Key ARN: ``arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`` - Key Alias: ``alias/alias-name`` If you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see `Using encryption for cross-account operations <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy>`_ . .. epigraph:: - *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log. - *Directory buckets* - When you specify an `AWS KMS customer managed key <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk>`_ for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported. > Amazon S3 only supports symmetric encryption KMS keys. For more information, see `Asymmetric keys in AWS KMS <https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html>`_ in the *AWS Key Management Service Developer Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html
             :exampleMetadata: fixture=_generated
@@ -9464,6 +9466,10 @@ class CfnBucket(
         def sse_algorithm(self) -> builtins.str:
             '''Server-side encryption algorithm to use for the default encryption.
 
+            .. epigraph::
+
+               For directory buckets, there are only two supported values for server-side encryption: ``AES256`` and ``aws:kms`` .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html#cfn-s3-bucket-serversideencryptionbydefault-ssealgorithm
             '''
             result = self._values.get("sse_algorithm")
@@ -9472,9 +9478,12 @@ class CfnBucket(
 
         @builtins.property
         def kms_master_key_id(self) -> typing.Optional[builtins.str]:
-            '''AWS Key Management Service (KMS) customer AWS KMS key ID to use for the default encryption.
+            '''AWS Key Management Service (KMS) customer managed key ID to use for the default encryption.
 
-            This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse`` .
+            .. epigraph::
+
+               - *General purpose buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse`` .
+               - *Directory buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` .
 
             You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.
 
@@ -9482,12 +9491,11 @@ class CfnBucket(
             - Key ARN: ``arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab``
             - Key Alias: ``alias/alias-name``
 
-            If you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
-
-            If you are using encryption with cross-account or AWS service operations you must use a fully qualified KMS key ARN. For more information, see `Using encryption for cross-account operations <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy>`_ .
+            If you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see `Using encryption for cross-account operations <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy>`_ .
             .. epigraph::
 
-               Amazon S3 only supports symmetric encryption KMS keys. For more information, see `Asymmetric keys in AWS KMS <https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html>`_ in the *AWS Key Management Service Developer Guide* .
+               - *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
+               - *Directory buckets* - When you specify an `AWS KMS customer managed key <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk>`_ for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported. > Amazon S3 only supports symmetric encryption KMS keys. For more information, see `Asymmetric keys in AWS KMS <https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html>`_ in the *AWS Key Management Service Developer Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html#cfn-s3-bucket-serversideencryptionbydefault-kmsmasterkeyid
             '''
@@ -9524,7 +9532,8 @@ class CfnBucket(
 
             .. epigraph::
 
-               If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
+               - *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
+               - *Directory buckets* - When you specify an `AWS KMS customer managed key <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk>`_ for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
 
             :param bucket_key_enabled: Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects are not affected. Setting the ``BucketKeyEnabled`` element to ``true`` causes Amazon S3 to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled. For more information, see `Amazon S3 Bucket Keys <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html>`_ in the *Amazon S3 User Guide* .
             :param server_side_encryption_by_default: Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied.