aws-cdk-lib 2.162.1__py3-none-any.whl → 2.163.1__py3-none-any.whl

aws_cdk/aws_iam/__init__.py

@@ -430,6 +430,25 @@ role.assume_role_policy.add_statements(iam.PolicyStatement(
 ))
 ```
 
+### Fixing the synthesized service principle for services that do not follow the IAM Pattern
+
+In some cases, certain AWS services may not use the standard `<service>.amazonaws.com` pattern for their service principals. For these services, you can define the ServicePrincipal as following where the provided service principle name will be used as is without any changing.
+
+```python
+sp = iam.ServicePrincipal.from_static_service_principle_name("elasticmapreduce.amazonaws.com.cn")
+```
+
+This principle can use as normal in defining any role, for example:
+
+```python
+emr_service_role = iam.Role(self, "EMRServiceRole",
+    assumed_by=iam.ServicePrincipal.from_static_service_principle_name("elasticmapreduce.amazonaws.com.cn"),
+    managed_policies=[
+        iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonElasticMapReduceRole")
+    ]
+)
+```
+
 ## Parsing JSON Policy Documents
 
 The `PolicyDocument.fromJson` and `PolicyStatement.fromJson` static methods can be used to parse JSON objects. For example:
@@ -13302,6 +13321,25 @@ class ServicePrincipal(
 
         jsii.create(self.__class__, self, [service, opts])
 
+    @jsii.member(jsii_name="fromStaticServicePrincipleName")
+    @builtins.classmethod
+    def from_static_service_principle_name(
+        cls,
+        service_principal_name: builtins.str,
+    ) -> "ServicePrincipal":
+        '''Return the service principal using the service principal name as it is passed to the function without any change regardless of the region used in the stack if it is Opted in or not.
+
+        :param service_principal_name: -
+
+        Example::
+
+            principal_name = iam.ServicePrincipal.from_static_service_principle_name("elasticmapreduce.amazonaws.com.cn")
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a27520e91f619510327a111d049cade088e838ff4693c5aa6f483dd49985c577)
+            check_type(argname="argument service_principal_name", value=service_principal_name, expected_type=type_hints["service_principal_name"])
+        return typing.cast("ServicePrincipal", jsii.sinvoke(cls, "fromStaticServicePrincipleName", [service_principal_name]))
+
     @jsii.member(jsii_name="servicePrincipalName")
     @builtins.classmethod
     def service_principal_name(cls, service: builtins.str) -> builtins.str:
@@ -16788,6 +16826,12 @@ def _typecheckingstub__2745f75caaf5bf82ce9582f03d25e19c93145745996ad93d343457dd9
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__a27520e91f619510327a111d049cade088e838ff4693c5aa6f483dd49985c577(
+    service_principal_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__fb337dcddbd70acf0d25c8d6f2b9ec2e9bae9105c6aa6db67b9a3c2354bf684b(
     service: builtins.str,
 ) -> None:

aws_cdk/aws_identitystore/__init__.py

@@ -105,7 +105,7 @@ class CfnGroup(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param display_name: The display name value for the group. The length limit is 1,024 characters. This value can consist of letters, accented characters, symbols, numbers, punctuation, tab, new line, carriage return, space, and nonbreaking space in this attribute. This value is specified at the time the group is created and stored as an attribute of the group object in the identity store.
+        :param display_name: The display name value for the group. The length limit is 1,024 characters. This value can consist of letters, accented characters, symbols, numbers, punctuation, tab, new line, carriage return, space, and nonbreaking space in this attribute. This value is specified at the time the group is created and stored as an attribute of the group object in the identity store. Prefix search supports a maximum of 1,000 characters for the string.
         :param identity_store_id: The globally unique identifier for the identity store.
         :param description: A string containing the description of the group.
         '''
@@ -517,7 +517,7 @@ class CfnGroupProps:
     ) -> None:
         '''Properties for defining a ``CfnGroup``.
 
-        :param display_name: The display name value for the group. The length limit is 1,024 characters. This value can consist of letters, accented characters, symbols, numbers, punctuation, tab, new line, carriage return, space, and nonbreaking space in this attribute. This value is specified at the time the group is created and stored as an attribute of the group object in the identity store.
+        :param display_name: The display name value for the group. The length limit is 1,024 characters. This value can consist of letters, accented characters, symbols, numbers, punctuation, tab, new line, carriage return, space, and nonbreaking space in this attribute. This value is specified at the time the group is created and stored as an attribute of the group object in the identity store. Prefix search supports a maximum of 1,000 characters for the string.
         :param identity_store_id: The globally unique identifier for the identity store.
         :param description: A string containing the description of the group.
 
@@ -556,6 +556,8 @@ class CfnGroupProps:
 
         The length limit is 1,024 characters. This value can consist of letters, accented characters, symbols, numbers, punctuation, tab, new line, carriage return, space, and nonbreaking space in this attribute. This value is specified at the time the group is created and stored as an attribute of the group object in the identity store.
 
+        Prefix search supports a maximum of 1,000 characters for the string.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-identitystore-group.html#cfn-identitystore-group-displayname
         '''
         result = self._values.get("display_name")

aws_cdk/aws_iot/__init__.py

@@ -3612,10 +3612,10 @@ class CfnDomainConfiguration(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param application_protocol: 
-        :param authentication_type: 
+        :param application_protocol: An enumerated string that specifies the application-layer protocol. .. epigraph:: This property isn't available in China.
+        :param authentication_type: An enumerated string that specifies the authentication type. .. epigraph:: This property isn't available in China.
         :param authorizer_config: An object that specifies the authorization service for a domain.
-        :param client_certificate_config: 
+        :param client_certificate_config: An object that specifies the client certificate configuration for a domain. .. epigraph:: This property isn't available in China.
         :param domain_configuration_name: The name of the domain configuration. This value must be unique to a region.
         :param domain_configuration_status: The status to which the domain configuration should be updated. Valid values: ``ENABLED`` | ``DISABLED``
         :param domain_name: The name of the domain.
@@ -3721,6 +3721,7 @@ class CfnDomainConfiguration(
     @builtins.property
     @jsii.member(jsii_name="applicationProtocol")
     def application_protocol(self) -> typing.Optional[builtins.str]:
+        '''An enumerated string that specifies the application-layer protocol.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "applicationProtocol"))
 
     @application_protocol.setter
@@ -3733,6 +3734,7 @@ class CfnDomainConfiguration(
     @builtins.property
     @jsii.member(jsii_name="authenticationType")
     def authentication_type(self) -> typing.Optional[builtins.str]:
+        '''An enumerated string that specifies the authentication type.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "authenticationType"))
 
     @authentication_type.setter
@@ -3765,6 +3767,7 @@ class CfnDomainConfiguration(
     def client_certificate_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDomainConfiguration.ClientCertificateConfigProperty"]]:
+        '''An object that specifies the client certificate configuration for a domain.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDomainConfiguration.ClientCertificateConfigProperty"]], jsii.get(self, "clientCertificateConfig"))
 
     @client_certificate_config.setter
@@ -3995,8 +3998,13 @@ class CfnDomainConfiguration(
             *,
             client_certificate_callback_arn: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''
-            :param client_certificate_callback_arn: 
+            '''An object that specifies the client certificate configuration for a domain.
+
+            .. epigraph::
+
+               This property isn't available in China.
+
+            :param client_certificate_callback_arn: The ARN of the Lambda function that IoT invokes after mutual TLS authentication during the connection. .. epigraph:: This property isn't available in China.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iot-domainconfiguration-clientcertificateconfig.html
             :exampleMetadata: fixture=_generated
@@ -4020,7 +4028,12 @@ class CfnDomainConfiguration(
 
         @builtins.property
         def client_certificate_callback_arn(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The ARN of the Lambda function that IoT invokes after mutual TLS authentication during the connection.
+
+            .. epigraph::
+
+               This property isn't available in China.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iot-domainconfiguration-clientcertificateconfig.html#cfn-iot-domainconfiguration-clientcertificateconfig-clientcertificatecallbackarn
             '''
             result = self._values.get("client_certificate_callback_arn")
@@ -4284,10 +4297,10 @@ class CfnDomainConfigurationProps:
     ) -> None:
         '''Properties for defining a ``CfnDomainConfiguration``.
 
-        :param application_protocol: 
-        :param authentication_type: 
+        :param application_protocol: An enumerated string that specifies the application-layer protocol. .. epigraph:: This property isn't available in China.
+        :param authentication_type: An enumerated string that specifies the authentication type. .. epigraph:: This property isn't available in China.
         :param authorizer_config: An object that specifies the authorization service for a domain.
-        :param client_certificate_config: 
+        :param client_certificate_config: An object that specifies the client certificate configuration for a domain. .. epigraph:: This property isn't available in China.
         :param domain_configuration_name: The name of the domain configuration. This value must be unique to a region.
         :param domain_configuration_status: The status to which the domain configuration should be updated. Valid values: ``ENABLED`` | ``DISABLED``
         :param domain_name: The name of the domain.
@@ -4380,7 +4393,12 @@ class CfnDomainConfigurationProps:
 
     @builtins.property
     def application_protocol(self) -> typing.Optional[builtins.str]:
-        '''
+        '''An enumerated string that specifies the application-layer protocol.
+
+        .. epigraph::
+
+           This property isn't available in China.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-domainconfiguration.html#cfn-iot-domainconfiguration-applicationprotocol
         '''
         result = self._values.get("application_protocol")
@@ -4388,7 +4406,12 @@ class CfnDomainConfigurationProps:
 
     @builtins.property
     def authentication_type(self) -> typing.Optional[builtins.str]:
-        '''
+        '''An enumerated string that specifies the authentication type.
+
+        .. epigraph::
+
+           This property isn't available in China.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-domainconfiguration.html#cfn-iot-domainconfiguration-authenticationtype
         '''
         result = self._values.get("authentication_type")
@@ -4409,7 +4432,12 @@ class CfnDomainConfigurationProps:
     def client_certificate_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnDomainConfiguration.ClientCertificateConfigProperty]]:
-        '''
+        '''An object that specifies the client certificate configuration for a domain.
+
+        .. epigraph::
+
+           This property isn't available in China.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-domainconfiguration.html#cfn-iot-domainconfiguration-clientcertificateconfig
         '''
         result = self._values.get("client_certificate_config")

aws_cdk/aws_kinesis/__init__.py

@@ -240,6 +240,201 @@ from ..aws_iam import Grant as _Grant_a7ae64f8, IGrantable as _IGrantable_71c4f5
 from ..aws_kms import IKey as _IKey_5f11635f
 
 
+@jsii.implements(_IInspectable_c2943556)
+class CfnResourcePolicy(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_kinesis.CfnResourcePolicy",
+):
+    '''Attaches a resource-based policy to a data stream or registered consumer.
+
+    If you are using an identity other than the root user of the AWS account that owns the resource, the calling identity must have the ``PutResourcePolicy`` permissions on the specified Kinesis Data Streams resource and belong to the owner's account in order to use this operation. If you don't have ``PutResourcePolicy`` permissions, Amazon Kinesis Data Streams returns a ``403 Access Denied error`` . If you receive a ``ResourceNotFoundException`` , check to see if you passed a valid stream or consumer resource.
+
+    Request patterns can be one of the following:
+
+    - Data stream pattern: ``arn:aws.*:kinesis:.*:\\d{12}:.*stream/\\S+``
+    - Consumer pattern: ``^(arn):aws.*:kinesis:.*:\\d{12}:.*stream\\/[a-zA-Z0-9_.-]+\\/consumer\\/[a-zA-Z0-9_.-]+:[0-9]+``
+
+    For more information, see `Controlling Access to Amazon Kinesis Data Streams Resources Using IAM <https://docs.aws.amazon.com/streams/latest/dev/controlling-access.html>`_ .
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-resourcepolicy.html
+    :cloudformationResource: AWS::Kinesis::ResourcePolicy
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_kinesis as kinesis
+        
+        # resource_policy: Any
+        
+        cfn_resource_policy = kinesis.CfnResourcePolicy(self, "MyCfnResourcePolicy",
+            resource_arn="resourceArn",
+            resource_policy=resource_policy
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        resource_arn: builtins.str,
+        resource_policy: typing.Any,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param resource_arn: This is the name for the resource policy.
+        :param resource_policy: This is the description for the resource policy.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d637108cee3cd0781f4431aaf5dbbdcd6254ef22d3f2922cee25b64d42fbf957)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnResourcePolicyProps(
+            resource_arn=resource_arn, resource_policy=resource_policy
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__045925af979db6aed97959dc574fc91b8ebab52940589dd4ac5cea22d9e1c37f)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__2fbcd9f422a87f866ccf52168beedf905788cffe10833fbaef759cb99a877efa)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="resourceArn")
+    def resource_arn(self) -> builtins.str:
+        '''This is the name for the resource policy.'''
+        return typing.cast(builtins.str, jsii.get(self, "resourceArn"))
+
+    @resource_arn.setter
+    def resource_arn(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__afec0f5206f450a53f1d8f83fabea1a74a415b8e1561742c86dcb34c8df7ef18)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "resourceArn", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="resourcePolicy")
+    def resource_policy(self) -> typing.Any:
+        '''This is the description for the resource policy.'''
+        return typing.cast(typing.Any, jsii.get(self, "resourcePolicy"))
+
+    @resource_policy.setter
+    def resource_policy(self, value: typing.Any) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__9ce115deea862b93afa1f5f701216876983abcfa93ac3ace697573677451b118)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "resourcePolicy", value) # pyright: ignore[reportArgumentType]
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_kinesis.CfnResourcePolicyProps",
+    jsii_struct_bases=[],
+    name_mapping={"resource_arn": "resourceArn", "resource_policy": "resourcePolicy"},
+)
+class CfnResourcePolicyProps:
+    def __init__(
+        self,
+        *,
+        resource_arn: builtins.str,
+        resource_policy: typing.Any,
+    ) -> None:
+        '''Properties for defining a ``CfnResourcePolicy``.
+
+        :param resource_arn: This is the name for the resource policy.
+        :param resource_policy: This is the description for the resource policy.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-resourcepolicy.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_kinesis as kinesis
+            
+            # resource_policy: Any
+            
+            cfn_resource_policy_props = kinesis.CfnResourcePolicyProps(
+                resource_arn="resourceArn",
+                resource_policy=resource_policy
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__dc9d3035df5ffd3d2e91ef2e5c2b108309a10ae013584b2ef5c2d3bdde4567bc)
+            check_type(argname="argument resource_arn", value=resource_arn, expected_type=type_hints["resource_arn"])
+            check_type(argname="argument resource_policy", value=resource_policy, expected_type=type_hints["resource_policy"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "resource_arn": resource_arn,
+            "resource_policy": resource_policy,
+        }
+
+    @builtins.property
+    def resource_arn(self) -> builtins.str:
+        '''This is the name for the resource policy.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-resourcepolicy.html#cfn-kinesis-resourcepolicy-resourcearn
+        '''
+        result = self._values.get("resource_arn")
+        assert result is not None, "Required property 'resource_arn' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def resource_policy(self) -> typing.Any:
+        '''This is the description for the resource policy.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-resourcepolicy.html#cfn-kinesis-resourcepolicy-resourcepolicy
+        '''
+        result = self._values.get("resource_policy")
+        assert result is not None, "Required property 'resource_policy' is missing"
+        return typing.cast(typing.Any, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnResourcePolicyProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
 class CfnStream(
     _CfnResource_9df397a6,
@@ -3896,6 +4091,8 @@ class StreamProps:
 
 
 __all__ = [
+    "CfnResourcePolicy",
+    "CfnResourcePolicyProps",
     "CfnStream",
     "CfnStreamConsumer",
     "CfnStreamConsumerProps",
@@ -3910,6 +4107,48 @@ __all__ = [
 
 publication.publish()
 
+def _typecheckingstub__d637108cee3cd0781f4431aaf5dbbdcd6254ef22d3f2922cee25b64d42fbf957(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    resource_arn: builtins.str,
+    resource_policy: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__045925af979db6aed97959dc574fc91b8ebab52940589dd4ac5cea22d9e1c37f(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__2fbcd9f422a87f866ccf52168beedf905788cffe10833fbaef759cb99a877efa(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__afec0f5206f450a53f1d8f83fabea1a74a415b8e1561742c86dcb34c8df7ef18(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__9ce115deea862b93afa1f5f701216876983abcfa93ac3ace697573677451b118(
+    value: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__dc9d3035df5ffd3d2e91ef2e5c2b108309a10ae013584b2ef5c2d3bdde4567bc(
+    *,
+    resource_arn: builtins.str,
+    resource_policy: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b956aa40f3e4f7ebba018fbc1caa3788147e52190c5c7131c5c035b042428a53(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,

aws_cdk/aws_kms/__init__.py

@@ -145,6 +145,23 @@ Note that a call to `.addToResourcePolicy(statement)` on `myKeyLookup` will not
 an affect on the key's policy because it is not owned by your stack. The call
 will be a no-op.
 
+If the target key is not found in your account, an error will be thrown.
+To prevent the error in the case, you can receive a dummy key without the error
+by setting `returnDummyKeyOnMissing` to `true`. The dummy key has a `keyId` of
+`1234abcd-12ab-34cd-56ef-1234567890ab`. The value of the dummy key id can also be
+referenced using the `Key.DEFAULT_DUMMY_KEY_ID` variable, and you can check if the
+key is a dummy key by using the `Key.isLookupDummy()` method.
+
+```python
+dummy = kms.Key.from_lookup(self, "MyKeyLookup",
+    alias_name="alias/NonExistentAlias",
+    return_dummy_key_on_missing=True
+)
+
+if kms.Key.is_lookup_dummy(dummy):
+    pass
+```
+
 ## Key Policies
 
 Controlling access and usage of KMS Keys requires the use of key policies (resource-based policies attached to the key);
@@ -2261,6 +2278,7 @@ class Key(
         id: builtins.str,
         *,
         alias_name: builtins.str,
+        return_dummy_key_on_missing: typing.Optional[builtins.bool] = None,
     ) -> IKey:
         '''Import an existing Key by querying the AWS environment this stack is deployed to.
 
@@ -2275,6 +2293,12 @@ class Key(
         You can therefore not use any values that will only be available at
         CloudFormation execution time (i.e., Tokens).
 
+        If you set ``returnDummyKeyOnMissing`` to ``true`` in ``options`` and the key was not found,
+        this method will return a dummy key with a key id '1234abcd-12ab-34cd-56ef-1234567890ab'.
+        The value of the dummy key id can also be referenced using the ``Key.DEFAULT_DUMMY_KEY_ID``
+        variable, and you can check if the key is a dummy key by using the ``Key.isLookupDummy()``
+        method.
+
         The Key information will be cached in ``cdk.context.json`` and the same Key
         will be used on future runs. To refresh the lookup, you will have to
         evict the value from the cache using the ``cdk context`` command. See
@@ -2283,15 +2307,34 @@ class Key(
         :param scope: -
         :param id: -
         :param alias_name: The alias name of the Key. Must be in the format ``alias/<AliasName>``.
+        :param return_dummy_key_on_missing: Whether to return a dummy key if the key was not found. If it is set to ``true`` and the key was not found, a dummy key with a key id '1234abcd-12ab-34cd-56ef-1234567890ab' will be returned. The value of the dummy key id can also be referenced using the ``Key.DEFAULT_DUMMY_KEY_ID`` variable, and you can check if the key is a dummy key by using the ``Key.isLookupDummy()`` method. Default: false
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__54c731fe78f9388d4b31695080a02f67600ec386d3b55f25a7274b86edbd4673)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-        options = KeyLookupOptions(alias_name=alias_name)
+        options = KeyLookupOptions(
+            alias_name=alias_name,
+            return_dummy_key_on_missing=return_dummy_key_on_missing,
+        )
 
         return typing.cast(IKey, jsii.sinvoke(cls, "fromLookup", [scope, id, options]))
 
+    @jsii.member(jsii_name="isLookupDummy")
+    @builtins.classmethod
+    def is_lookup_dummy(cls, key: IKey) -> builtins.bool:
+        '''Checks if the key returned by the ``Key.fromLookup()`` method is a dummy key, i.e., a key that was not found.
+
+        This method can only be used if the ``returnDummyKeyOnMissing`` option
+        is set to ``true`` in the ``options`` for the ``Key.fromLookup()`` method.
+
+        :param key: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8a60ddf97e7bd93ce51bb72de0630a0a66c03edf9f9e5f71c93ad6e4563a7cb0)
+            check_type(argname="argument key", value=key, expected_type=type_hints["key"])
+        return typing.cast(builtins.bool, jsii.sinvoke(cls, "isLookupDummy", [key]))
+
     @jsii.member(jsii_name="addAlias")
     def add_alias(self, alias_name: builtins.str) -> "Alias":
         '''Defines a new alias for the key.
@@ -2410,6 +2453,16 @@ class Key(
             check_type(argname="argument grantee", value=grantee, expected_type=type_hints["grantee"])
         return typing.cast(_Grant_a7ae64f8, jsii.invoke(self, "grantVerifyMac", [grantee]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DEFAULT_DUMMY_KEY_ID")
+    def DEFAULT_DUMMY_KEY_ID(cls) -> builtins.str:
+        '''The default key id of the dummy key.
+
+        This value is used as a dummy key id if the key was not found
+        by the ``Key.fromLookup()`` method.
+        '''
+        return typing.cast(builtins.str, jsii.sget(cls, "DEFAULT_DUMMY_KEY_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="keyArn")
     def key_arn(self) -> builtins.str:
@@ -2447,13 +2500,22 @@ class Key(
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_kms.KeyLookupOptions",
     jsii_struct_bases=[],
-    name_mapping={"alias_name": "aliasName"},
+    name_mapping={
+        "alias_name": "aliasName",
+        "return_dummy_key_on_missing": "returnDummyKeyOnMissing",
+    },
 )
 class KeyLookupOptions:
-    def __init__(self, *, alias_name: builtins.str) -> None:
+    def __init__(
+        self,
+        *,
+        alias_name: builtins.str,
+        return_dummy_key_on_missing: typing.Optional[builtins.bool] = None,
+    ) -> None:
         '''Properties for looking up an existing Key.
 
         :param alias_name: The alias name of the Key. Must be in the format ``alias/<AliasName>``.
+        :param return_dummy_key_on_missing: Whether to return a dummy key if the key was not found. If it is set to ``true`` and the key was not found, a dummy key with a key id '1234abcd-12ab-34cd-56ef-1234567890ab' will be returned. The value of the dummy key id can also be referenced using the ``Key.DEFAULT_DUMMY_KEY_ID`` variable, and you can check if the key is a dummy key by using the ``Key.isLookupDummy()`` method. Default: false
 
         :exampleMetadata: infused
 
@@ -2471,9 +2533,12 @@ class KeyLookupOptions:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__2f5a93b8499d8ef4842a85d33ca3d3de5edce426bd92f9899e4dcda2ebfcf7e0)
             check_type(argname="argument alias_name", value=alias_name, expected_type=type_hints["alias_name"])
+            check_type(argname="argument return_dummy_key_on_missing", value=return_dummy_key_on_missing, expected_type=type_hints["return_dummy_key_on_missing"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "alias_name": alias_name,
         }
+        if return_dummy_key_on_missing is not None:
+            self._values["return_dummy_key_on_missing"] = return_dummy_key_on_missing
 
     @builtins.property
     def alias_name(self) -> builtins.str:
@@ -2485,6 +2550,22 @@ class KeyLookupOptions:
         assert result is not None, "Required property 'alias_name' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def return_dummy_key_on_missing(self) -> typing.Optional[builtins.bool]:
+        '''Whether to return a dummy key if the key was not found.
+
+        If it is set to ``true`` and the key was not found, a dummy
+        key with a key id '1234abcd-12ab-34cd-56ef-1234567890ab'
+        will be returned. The value of the dummy key id can also
+        be referenced using the ``Key.DEFAULT_DUMMY_KEY_ID`` variable,
+        and you can check if the key is a dummy key by using the
+        ``Key.isLookupDummy()`` method.
+
+        :default: false
+        '''
+        result = self._values.get("return_dummy_key_on_missing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -3611,6 +3692,13 @@ def _typecheckingstub__54c731fe78f9388d4b31695080a02f67600ec386d3b55f25a7274b86e
     id: builtins.str,
     *,
     alias_name: builtins.str,
+    return_dummy_key_on_missing: typing.Optional[builtins.bool] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8a60ddf97e7bd93ce51bb72de0630a0a66c03edf9f9e5f71c93ad6e4563a7cb0(
+    key: IKey,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -3674,6 +3762,7 @@ def _typecheckingstub__de56bfcabbb83e3ba315f07ba084787bd71e82306a46ddc61555bc4f0
 def _typecheckingstub__2f5a93b8499d8ef4842a85d33ca3d3de5edce426bd92f9899e4dcda2ebfcf7e0(
     *,
     alias_name: builtins.str,
+    return_dummy_key_on_missing: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass

aws_cdk/aws_lambda/__init__.py

@@ -14209,9 +14209,9 @@ class FilterRule(
 
     @jsii.member(jsii_name="null")
     @builtins.classmethod
-    def null(cls) -> typing.List[builtins.str]:
+    def null(cls) -> typing.Any:
         '''Null comparison operator.'''
-        return typing.cast(typing.List[builtins.str], jsii.sinvoke(cls, "null", []))
+        return typing.cast(typing.Any, jsii.sinvoke(cls, "null", []))
 
     @jsii.member(jsii_name="or")
     @builtins.classmethod