aws-cdk-lib 2.173.4__py3-none-any.whl → 2.174.1__py3-none-any.whl

aws_cdk/aws_cloudtrail/__init__.py

@@ -1983,7 +1983,7 @@ class CfnEventDataStore(
         ) -> None:
             '''A single selector statement in an advanced event selector.
 
-            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``eventCategory`` (required), ``eventSource`` , and ``readOnly`` . The following additional fields are available for event data stores: ``eventName`` , ``eventType`` , ``sessionCredentialFromConsole`` , and ``userIdentity.arn`` . For CloudTrail data events, supported fields include ``eventCategory`` (required), ``resources.type`` (required), ``eventName`` , ``readOnly`` , and ``resources.ARN`` . The following additional fields are available for event data stores: ``eventSource`` , ``eventType`` , ``sessionCredentialFromConsole`` , and ``userIdentity.arn`` . For CloudTrail network activity events, supported fields include ``eventCategory`` (required), ``eventSource`` (required), ``eventName`` , ``errorCode`` , and ``vpcEndpointId`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - This is an optional field that is only used for management events and data events. This field can be set to ``Equals`` with a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - This field is only used for management events, data events (for event data stores only), and network activity events. For management events for trails, this is an optional field that can be set to ``NotEquals`` ``kms.amazonaws.com`` to exclude KMS management events, or ``NotEquals`` ``rdsdata.amazonaws.com`` to exclude RDS management events. For management and data events for event data stores, you can use it to include or exclude any event source and can use any operator. For network activity events, this is a required field that only uses the ``Equals`` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. The following are valid values for network activity events: - ``cloudtrail.amazonaws.com`` - ``ec2.amazonaws.com`` - ``kms.amazonaws.com`` - ``secretsmanager.amazonaws.com`` - *``eventName``* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with ``eventName`` . You can use it to filter in or filter out specific events. You can have multiple values for this field, separated by commas. - *``eventCategory``* - This field is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . - For CloudTrail network activity events, the value must be ``NetworkActivity`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For events outside of AWS , the value must be ``ActivityAuditLog`` . - *``eventType``* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see `CloudTrail record contents <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type>`_ in the *AWS CloudTrail user guide* . - *``errorCode``* - This field is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid ``errorCode`` is ``VpceAccessDenied`` . ``errorCode`` can only use the ``Equals`` operator. - *``sessionCredentialFromConsole``* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. ``sessionCredentialFromConsole`` can only use the ``Equals`` and ``NotEquals`` operators. - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator. For a list of available resource types for data events, see `Data events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events>`_ in the *AWS CloudTrail User Guide* . You can have only one ``resources.type`` field per selector. To log events on more than one resource type, add another selector. - *``resources.ARN``* - The ``resources.ARN`` is an optional field for data events. You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering data events on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs. - *``userIdentity.arn``* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with ``userIdentity.arn`` . For more information on the userIdentity element, see `CloudTrail userIdentity element <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html>`_ in the *AWS CloudTrail User Guide* . - *``vpcEndpointId``* - This field is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. You can use any operator with ``vpcEndpointId`` .
+            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``eventCategory`` (required), ``eventSource`` , and ``readOnly`` . The following additional fields are available for event data stores: ``eventName`` , ``eventType`` , ``sessionCredentialFromConsole`` , and ``userIdentity.arn`` . For CloudTrail data events, supported fields include ``eventCategory`` (required), ``resources.type`` (required), ``eventName`` , ``readOnly`` , and ``resources.ARN`` . The following additional fields are available for event data stores: ``eventSource`` , ``eventType`` , ``sessionCredentialFromConsole`` , and ``userIdentity.arn`` . For CloudTrail network activity events, supported fields include ``eventCategory`` (required), ``eventSource`` (required), ``eventName`` , ``errorCode`` , and ``vpcEndpointId`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . .. epigraph:: Selectors don't support the use of wildcards like ``*`` . To match multiple values with a single condition, you may use ``StartsWith`` , ``EndsWith`` , ``NotStartsWith`` , or ``NotEndsWith`` to explicitly match the beginning or end of the event field. - *``readOnly``* - This is an optional field that is only used for management events and data events. This field can be set to ``Equals`` with a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - This field is only used for management events, data events (for event data stores only), and network activity events. For management events for trails, this is an optional field that can be set to ``NotEquals`` ``kms.amazonaws.com`` to exclude KMS management events, or ``NotEquals`` ``rdsdata.amazonaws.com`` to exclude RDS management events. For management and data events for event data stores, you can use it to include or exclude any event source and can use any operator. For network activity events, this is a required field that only uses the ``Equals`` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. The following are valid values for network activity events: - ``cloudtrail.amazonaws.com`` - ``ec2.amazonaws.com`` - ``kms.amazonaws.com`` - ``secretsmanager.amazonaws.com`` - *``eventName``* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with ``eventName`` . You can use it to filter in or filter out specific events. You can have multiple values for this field, separated by commas. - *``eventCategory``* - This field is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . - For CloudTrail network activity events, the value must be ``NetworkActivity`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For events outside of AWS , the value must be ``ActivityAuditLog`` . - *``eventType``* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see `CloudTrail record contents <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type>`_ in the *AWS CloudTrail user guide* . - *``errorCode``* - This field is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid ``errorCode`` is ``VpceAccessDenied`` . ``errorCode`` can only use the ``Equals`` operator. - *``sessionCredentialFromConsole``* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. ``sessionCredentialFromConsole`` can only use the ``Equals`` and ``NotEquals`` operators. - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator. For a list of available resource types for data events, see `Data events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events>`_ in the *AWS CloudTrail User Guide* . You can have only one ``resources.type`` field per selector. To log events on more than one resource type, add another selector. - *``resources.ARN``* - The ``resources.ARN`` is an optional field for data events. You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering data events on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs. - *``userIdentity.arn``* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with ``userIdentity.arn`` . For more information on the userIdentity element, see `CloudTrail userIdentity element <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html>`_ in the *AWS CloudTrail User Guide* . - *``vpcEndpointId``* - This field is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. You can use any operator with ``vpcEndpointId`` .
             :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
             :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
             :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
@@ -2050,6 +2050,9 @@ class CfnEventDataStore(
             For CloudTrail network activity events, supported fields include ``eventCategory`` (required), ``eventSource`` (required), ``eventName`` , ``errorCode`` , and ``vpcEndpointId`` .
 
             For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` .
+            .. epigraph::
+
+               Selectors don't support the use of wildcards like ``*`` . To match multiple values with a single condition, you may use ``StartsWith`` , ``EndsWith`` , ``NotStartsWith`` , or ``NotEndsWith`` to explicitly match the beginning or end of the event field.
 
             - *``readOnly``* - This is an optional field that is only used for management events and data events. This field can be set to ``Equals`` with a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events.
             - *``eventSource``* - This field is only used for management events, data events (for event data stores only), and network activity events.
@@ -3388,7 +3391,7 @@ class CfnTrail(
         ) -> None:
             '''A single selector statement in an advanced event selector.
 
-            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``eventCategory`` (required), ``eventSource`` , and ``readOnly`` . The following additional fields are available for event data stores: ``eventName`` , ``eventType`` , ``sessionCredentialFromConsole`` , and ``userIdentity.arn`` . For CloudTrail data events, supported fields include ``eventCategory`` (required), ``resources.type`` (required), ``eventName`` , ``readOnly`` , and ``resources.ARN`` . The following additional fields are available for event data stores: ``eventSource`` , ``eventType`` , ``sessionCredentialFromConsole`` , and ``userIdentity.arn`` . For CloudTrail network activity events, supported fields include ``eventCategory`` (required), ``eventSource`` (required), ``eventName`` , ``errorCode`` , and ``vpcEndpointId`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - This is an optional field that is only used for management events and data events. This field can be set to ``Equals`` with a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - This field is only used for management events, data events (for event data stores only), and network activity events. For management events for trails, this is an optional field that can be set to ``NotEquals`` ``kms.amazonaws.com`` to exclude KMS management events, or ``NotEquals`` ``rdsdata.amazonaws.com`` to exclude RDS management events. For management and data events for event data stores, you can use it to include or exclude any event source and can use any operator. For network activity events, this is a required field that only uses the ``Equals`` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. The following are valid values for network activity events: - ``cloudtrail.amazonaws.com`` - ``ec2.amazonaws.com`` - ``kms.amazonaws.com`` - ``secretsmanager.amazonaws.com`` - *``eventName``* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with ``eventName`` . You can use it to filter in or filter out specific events. You can have multiple values for this field, separated by commas. - *``eventCategory``* - This field is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . - For CloudTrail network activity events, the value must be ``NetworkActivity`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For events outside of AWS , the value must be ``ActivityAuditLog`` . - *``eventType``* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see `CloudTrail record contents <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type>`_ in the *AWS CloudTrail user guide* . - *``errorCode``* - This field is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid ``errorCode`` is ``VpceAccessDenied`` . ``errorCode`` can only use the ``Equals`` operator. - *``sessionCredentialFromConsole``* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. ``sessionCredentialFromConsole`` can only use the ``Equals`` and ``NotEquals`` operators. - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator. For a list of available resource types for data events, see `Data events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events>`_ in the *AWS CloudTrail User Guide* . You can have only one ``resources.type`` field per selector. To log events on more than one resource type, add another selector. - *``resources.ARN``* - The ``resources.ARN`` is an optional field for data events. You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering data events on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs. - *``userIdentity.arn``* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with ``userIdentity.arn`` . For more information on the userIdentity element, see `CloudTrail userIdentity element <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html>`_ in the *AWS CloudTrail User Guide* . - *``vpcEndpointId``* - This field is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. You can use any operator with ``vpcEndpointId`` .
+            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``eventCategory`` (required), ``eventSource`` , and ``readOnly`` . The following additional fields are available for event data stores: ``eventName`` , ``eventType`` , ``sessionCredentialFromConsole`` , and ``userIdentity.arn`` . For CloudTrail data events, supported fields include ``eventCategory`` (required), ``resources.type`` (required), ``eventName`` , ``readOnly`` , and ``resources.ARN`` . The following additional fields are available for event data stores: ``eventSource`` , ``eventType`` , ``sessionCredentialFromConsole`` , and ``userIdentity.arn`` . For CloudTrail network activity events, supported fields include ``eventCategory`` (required), ``eventSource`` (required), ``eventName`` , ``errorCode`` , and ``vpcEndpointId`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . .. epigraph:: Selectors don't support the use of wildcards like ``*`` . To match multiple values with a single condition, you may use ``StartsWith`` , ``EndsWith`` , ``NotStartsWith`` , or ``NotEndsWith`` to explicitly match the beginning or end of the event field. - *``readOnly``* - This is an optional field that is only used for management events and data events. This field can be set to ``Equals`` with a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - This field is only used for management events, data events (for event data stores only), and network activity events. For management events for trails, this is an optional field that can be set to ``NotEquals`` ``kms.amazonaws.com`` to exclude KMS management events, or ``NotEquals`` ``rdsdata.amazonaws.com`` to exclude RDS management events. For management and data events for event data stores, you can use it to include or exclude any event source and can use any operator. For network activity events, this is a required field that only uses the ``Equals`` operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source. The following are valid values for network activity events: - ``cloudtrail.amazonaws.com`` - ``ec2.amazonaws.com`` - ``kms.amazonaws.com`` - ``secretsmanager.amazonaws.com`` - *``eventName``* - This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with ``eventName`` . You can use it to filter in or filter out specific events. You can have multiple values for this field, separated by commas. - *``eventCategory``* - This field is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . - For CloudTrail network activity events, the value must be ``NetworkActivity`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For events outside of AWS , the value must be ``ActivityAuditLog`` . - *``eventType``* - This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see `CloudTrail record contents <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html#ct-event-type>`_ in the *AWS CloudTrail user guide* . - *``errorCode``* - This field is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid ``errorCode`` is ``VpceAccessDenied`` . ``errorCode`` can only use the ``Equals`` operator. - *``sessionCredentialFromConsole``* - This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an AWS Management Console session. ``sessionCredentialFromConsole`` can only use the ``Equals`` and ``NotEquals`` operators. - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator. For a list of available resource types for data events, see `Data events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events>`_ in the *AWS CloudTrail User Guide* . You can have only one ``resources.type`` field per selector. To log events on more than one resource type, add another selector. - *``resources.ARN``* - The ``resources.ARN`` is an optional field for data events. You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering data events on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs. - *``userIdentity.arn``* - This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with ``userIdentity.arn`` . For more information on the userIdentity element, see `CloudTrail userIdentity element <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html>`_ in the *AWS CloudTrail User Guide* . - *``vpcEndpointId``* - This field is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. You can use any operator with ``vpcEndpointId`` .
             :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
             :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
             :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
@@ -3455,6 +3458,9 @@ class CfnTrail(
             For CloudTrail network activity events, supported fields include ``eventCategory`` (required), ``eventSource`` (required), ``eventName`` , ``errorCode`` , and ``vpcEndpointId`` .
 
             For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` .
+            .. epigraph::
+
+               Selectors don't support the use of wildcards like ``*`` . To match multiple values with a single condition, you may use ``StartsWith`` , ``EndsWith`` , ``NotStartsWith`` , or ``NotEndsWith`` to explicitly match the beginning or end of the event field.
 
             - *``readOnly``* - This is an optional field that is only used for management events and data events. This field can be set to ``Equals`` with a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events.
             - *``eventSource``* - This field is only used for management events, data events (for event data stores only), and network activity events.

aws_cdk/aws_codebuild/__init__.py

@@ -988,6 +988,20 @@ codebuild.Project(self, "MyProject",
     visibility=codebuild.ProjectVisibility.PUBLIC_READ
 )
 ```
+
+## Auto retry limit
+
+You can automatically retry your builds in AWS CodeBuild by setting `autoRetryLimit` property.
+
+With auto-retry enabled, CodeBuild will automatically call RetryBuild using the project's service role after a failed build up to a specified limit.
+
+For example, if the auto-retry limit is set to two, CodeBuild will call the RetryBuild API to automatically retry your build for up to two additional times.
+
+```python
+codebuild.Project(self, "MyProject",
+    auto_retry_limit=2
+)
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -8237,6 +8251,7 @@ class CloudWatchLoggingOptions:
     jsii_struct_bases=[],
     name_mapping={
         "allow_all_outbound": "allowAllOutbound",
+        "auto_retry_limit": "autoRetryLimit",
         "badge": "badge",
         "build_spec": "buildSpec",
         "cache": "cache",
@@ -8265,6 +8280,7 @@ class CommonProjectProps:
         self,
         *,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
+        auto_retry_limit: typing.Optional[jsii.Number] = None,
         badge: typing.Optional[builtins.bool] = None,
         build_spec: typing.Optional[BuildSpec] = None,
         cache: typing.Optional[Cache] = None,
@@ -8289,6 +8305,7 @@ class CommonProjectProps:
     ) -> None:
         '''
         :param allow_all_outbound: Whether to allow the CodeBuild to send all network traffic. If set to false, you must individually add traffic rules to allow the CodeBuild project to connect to network targets. Only used if 'vpc' is supplied. Default: true
+        :param auto_retry_limit: CodeBuild will automatically call retry build using the project's service role up to the auto-retry limit. ``autoRetryLimit`` must be between 0 and 10. Default: - no retry
         :param badge: Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge. For more information, see Build Badges Sample in the AWS CodeBuild User Guide. Default: false
         :param build_spec: Filename or contents of buildspec in JSON format. Default: - Empty buildspec.
         :param cache: Caching strategy to use. Default: Cache.none
@@ -8342,6 +8359,7 @@ class CommonProjectProps:
             
             common_project_props = codebuild.CommonProjectProps(
                 allow_all_outbound=False,
+                auto_retry_limit=123,
                 badge=False,
                 build_spec=build_spec,
                 cache=cache,
@@ -8419,6 +8437,7 @@ class CommonProjectProps:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__45bdedf6c9b38dcb0797768fa0fdec382e282ebd8679405f7dd9df6cb022c272)
             check_type(argname="argument allow_all_outbound", value=allow_all_outbound, expected_type=type_hints["allow_all_outbound"])
+            check_type(argname="argument auto_retry_limit", value=auto_retry_limit, expected_type=type_hints["auto_retry_limit"])
             check_type(argname="argument badge", value=badge, expected_type=type_hints["badge"])
             check_type(argname="argument build_spec", value=build_spec, expected_type=type_hints["build_spec"])
             check_type(argname="argument cache", value=cache, expected_type=type_hints["cache"])
@@ -8443,6 +8462,8 @@ class CommonProjectProps:
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if allow_all_outbound is not None:
             self._values["allow_all_outbound"] = allow_all_outbound
+        if auto_retry_limit is not None:
+            self._values["auto_retry_limit"] = auto_retry_limit
         if badge is not None:
             self._values["badge"] = badge
         if build_spec is not None:
@@ -8500,6 +8521,17 @@ class CommonProjectProps:
         result = self._values.get("allow_all_outbound")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def auto_retry_limit(self) -> typing.Optional[jsii.Number]:
+        '''CodeBuild will automatically call retry build using the project's service role up to the auto-retry limit.
+
+        ``autoRetryLimit`` must be between 0 and 10.
+
+        :default: - no retry
+        '''
+        result = self._values.get("auto_retry_limit")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
     @builtins.property
     def badge(self) -> typing.Optional[builtins.bool]:
         '''Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge.
@@ -9029,6 +9061,12 @@ class EnvironmentType(enum.Enum):
     '''Windows Server 2022 container.'''
     MAC_ARM = "MAC_ARM"
     '''MacOS ARM container.'''
+    LINUX_EC2 = "LINUX_EC2"
+    '''Linux EC2.'''
+    ARM_EC2 = "ARM_EC2"
+    '''ARM EC2.'''
+    WINDOWS_EC2 = "WINDOWS_EC2"
+    '''Windows EC2.'''
 
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_codebuild.EventAction")
@@ -12789,6 +12827,7 @@ class PhaseChangeEvent(
     jsii_struct_bases=[CommonProjectProps],
     name_mapping={
         "allow_all_outbound": "allowAllOutbound",
+        "auto_retry_limit": "autoRetryLimit",
         "badge": "badge",
         "build_spec": "buildSpec",
         "cache": "cache",
@@ -12817,6 +12856,7 @@ class PipelineProjectProps(CommonProjectProps):
         self,
         *,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
+        auto_retry_limit: typing.Optional[jsii.Number] = None,
         badge: typing.Optional[builtins.bool] = None,
         build_spec: typing.Optional[BuildSpec] = None,
         cache: typing.Optional[Cache] = None,
@@ -12841,6 +12881,7 @@ class PipelineProjectProps(CommonProjectProps):
     ) -> None:
         '''
         :param allow_all_outbound: Whether to allow the CodeBuild to send all network traffic. If set to false, you must individually add traffic rules to allow the CodeBuild project to connect to network targets. Only used if 'vpc' is supplied. Default: true
+        :param auto_retry_limit: CodeBuild will automatically call retry build using the project's service role up to the auto-retry limit. ``autoRetryLimit`` must be between 0 and 10. Default: - no retry
         :param badge: Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge. For more information, see Build Badges Sample in the AWS CodeBuild User Guide. Default: false
         :param build_spec: Filename or contents of buildspec in JSON format. Default: - Empty buildspec.
         :param cache: Caching strategy to use. Default: Cache.none
@@ -12929,6 +12970,7 @@ class PipelineProjectProps(CommonProjectProps):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__cad18ebbb1c05a6adb06360d9baca4a0658b2f85c2078bc257ed8d4f8467c35e)
             check_type(argname="argument allow_all_outbound", value=allow_all_outbound, expected_type=type_hints["allow_all_outbound"])
+            check_type(argname="argument auto_retry_limit", value=auto_retry_limit, expected_type=type_hints["auto_retry_limit"])
             check_type(argname="argument badge", value=badge, expected_type=type_hints["badge"])
             check_type(argname="argument build_spec", value=build_spec, expected_type=type_hints["build_spec"])
             check_type(argname="argument cache", value=cache, expected_type=type_hints["cache"])
@@ -12953,6 +12995,8 @@ class PipelineProjectProps(CommonProjectProps):
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if allow_all_outbound is not None:
             self._values["allow_all_outbound"] = allow_all_outbound
+        if auto_retry_limit is not None:
+            self._values["auto_retry_limit"] = auto_retry_limit
         if badge is not None:
             self._values["badge"] = badge
         if build_spec is not None:
@@ -13010,6 +13054,17 @@ class PipelineProjectProps(CommonProjectProps):
         result = self._values.get("allow_all_outbound")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def auto_retry_limit(self) -> typing.Optional[jsii.Number]:
+        '''CodeBuild will automatically call retry build using the project's service role up to the auto-retry limit.
+
+        ``autoRetryLimit`` must be between 0 and 10.
+
+        :default: - no retry
+        '''
+        result = self._values.get("auto_retry_limit")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
     @builtins.property
     def badge(self) -> typing.Optional[builtins.bool]:
         '''Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge.
@@ -13314,6 +13369,7 @@ class Project(
         secondary_sources: typing.Optional[typing.Sequence[ISource]] = None,
         source: typing.Optional[ISource] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
+        auto_retry_limit: typing.Optional[jsii.Number] = None,
         badge: typing.Optional[builtins.bool] = None,
         build_spec: typing.Optional[BuildSpec] = None,
         cache: typing.Optional[Cache] = None,
@@ -13344,6 +13400,7 @@ class Project(
         :param secondary_sources: The secondary sources for the Project. Can be also added after the Project has been created by using the ``Project#addSecondarySource`` method. Default: - No secondary sources.
         :param source: The source of the build. *Note*: if ``NoSource`` is given as the source, then you need to provide an explicit ``buildSpec``. Default: - NoSource
         :param allow_all_outbound: Whether to allow the CodeBuild to send all network traffic. If set to false, you must individually add traffic rules to allow the CodeBuild project to connect to network targets. Only used if 'vpc' is supplied. Default: true
+        :param auto_retry_limit: CodeBuild will automatically call retry build using the project's service role up to the auto-retry limit. ``autoRetryLimit`` must be between 0 and 10. Default: - no retry
         :param badge: Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge. For more information, see Build Badges Sample in the AWS CodeBuild User Guide. Default: false
         :param build_spec: Filename or contents of buildspec in JSON format. Default: - Empty buildspec.
         :param cache: Caching strategy to use. Default: Cache.none
@@ -13376,6 +13433,7 @@ class Project(
             secondary_sources=secondary_sources,
             source=source,
             allow_all_outbound=allow_all_outbound,
+            auto_retry_limit=auto_retry_limit,
             badge=badge,
             build_spec=build_spec,
             cache=cache,
@@ -14317,6 +14375,7 @@ class ProjectNotifyOnOptions(_NotificationRuleOptions_dff73281):
     jsii_struct_bases=[CommonProjectProps],
     name_mapping={
         "allow_all_outbound": "allowAllOutbound",
+        "auto_retry_limit": "autoRetryLimit",
         "badge": "badge",
         "build_spec": "buildSpec",
         "cache": "cache",
@@ -14349,6 +14408,7 @@ class ProjectProps(CommonProjectProps):
         self,
         *,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
+        auto_retry_limit: typing.Optional[jsii.Number] = None,
         badge: typing.Optional[builtins.bool] = None,
         build_spec: typing.Optional[BuildSpec] = None,
         cache: typing.Optional[Cache] = None,
@@ -14377,6 +14437,7 @@ class ProjectProps(CommonProjectProps):
     ) -> None:
         '''
         :param allow_all_outbound: Whether to allow the CodeBuild to send all network traffic. If set to false, you must individually add traffic rules to allow the CodeBuild project to connect to network targets. Only used if 'vpc' is supplied. Default: true
+        :param auto_retry_limit: CodeBuild will automatically call retry build using the project's service role up to the auto-retry limit. ``autoRetryLimit`` must be between 0 and 10. Default: - no retry
         :param badge: Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge. For more information, see Build Badges Sample in the AWS CodeBuild User Guide. Default: false
         :param build_spec: Filename or contents of buildspec in JSON format. Default: - Empty buildspec.
         :param cache: Caching strategy to use. Default: Cache.none
@@ -14430,6 +14491,7 @@ class ProjectProps(CommonProjectProps):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__98a249849c6dd1146c8e8d845c1f535b7a85df68782d9f343764b44702f1be04)
             check_type(argname="argument allow_all_outbound", value=allow_all_outbound, expected_type=type_hints["allow_all_outbound"])
+            check_type(argname="argument auto_retry_limit", value=auto_retry_limit, expected_type=type_hints["auto_retry_limit"])
             check_type(argname="argument badge", value=badge, expected_type=type_hints["badge"])
             check_type(argname="argument build_spec", value=build_spec, expected_type=type_hints["build_spec"])
             check_type(argname="argument cache", value=cache, expected_type=type_hints["cache"])
@@ -14458,6 +14520,8 @@ class ProjectProps(CommonProjectProps):
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if allow_all_outbound is not None:
             self._values["allow_all_outbound"] = allow_all_outbound
+        if auto_retry_limit is not None:
+            self._values["auto_retry_limit"] = auto_retry_limit
         if badge is not None:
             self._values["badge"] = badge
         if build_spec is not None:
@@ -14523,6 +14587,17 @@ class ProjectProps(CommonProjectProps):
         result = self._values.get("allow_all_outbound")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def auto_retry_limit(self) -> typing.Optional[jsii.Number]:
+        '''CodeBuild will automatically call retry build using the project's service role up to the auto-retry limit.
+
+        ``autoRetryLimit`` must be between 0 and 10.
+
+        :default: - no retry
+        '''
+        result = self._values.get("auto_retry_limit")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
     @builtins.property
     def badge(self) -> typing.Optional[builtins.bool]:
         '''Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge.
@@ -17823,6 +17898,7 @@ class PipelineProject(
         id: builtins.str,
         *,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
+        auto_retry_limit: typing.Optional[jsii.Number] = None,
         badge: typing.Optional[builtins.bool] = None,
         build_spec: typing.Optional[BuildSpec] = None,
         cache: typing.Optional[Cache] = None,
@@ -17849,6 +17925,7 @@ class PipelineProject(
         :param scope: -
         :param id: -
         :param allow_all_outbound: Whether to allow the CodeBuild to send all network traffic. If set to false, you must individually add traffic rules to allow the CodeBuild project to connect to network targets. Only used if 'vpc' is supplied. Default: true
+        :param auto_retry_limit: CodeBuild will automatically call retry build using the project's service role up to the auto-retry limit. ``autoRetryLimit`` must be between 0 and 10. Default: - no retry
         :param badge: Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge. For more information, see Build Badges Sample in the AWS CodeBuild User Guide. Default: false
         :param build_spec: Filename or contents of buildspec in JSON format. Default: - Empty buildspec.
         :param cache: Caching strategy to use. Default: Cache.none
@@ -17877,6 +17954,7 @@ class PipelineProject(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = PipelineProjectProps(
             allow_all_outbound=allow_all_outbound,
+            auto_retry_limit=auto_retry_limit,
             badge=badge,
             build_spec=build_spec,
             cache=cache,
@@ -18971,6 +19049,7 @@ def _typecheckingstub__4e4467ca0465848107e106703feaa1c7e5b01e6c17278f397449aa39b
 def _typecheckingstub__45bdedf6c9b38dcb0797768fa0fdec382e282ebd8679405f7dd9df6cb022c272(
     *,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
+    auto_retry_limit: typing.Optional[jsii.Number] = None,
     badge: typing.Optional[builtins.bool] = None,
     build_spec: typing.Optional[BuildSpec] = None,
     cache: typing.Optional[Cache] = None,
@@ -19489,6 +19568,7 @@ def _typecheckingstub__088f043d10fcd15701414055dc0a14f58d71044ecaba5c848f1c97225
 def _typecheckingstub__cad18ebbb1c05a6adb06360d9baca4a0658b2f85c2078bc257ed8d4f8467c35e(
     *,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
+    auto_retry_limit: typing.Optional[jsii.Number] = None,
     badge: typing.Optional[builtins.bool] = None,
     build_spec: typing.Optional[BuildSpec] = None,
     cache: typing.Optional[Cache] = None,
@@ -19523,6 +19603,7 @@ def _typecheckingstub__98b7b3a6b3dbe1931f04b0f953f1ae252e81da8d9335e78d6f3748d71
     secondary_sources: typing.Optional[typing.Sequence[ISource]] = None,
     source: typing.Optional[ISource] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
+    auto_retry_limit: typing.Optional[jsii.Number] = None,
     badge: typing.Optional[builtins.bool] = None,
     build_spec: typing.Optional[BuildSpec] = None,
     cache: typing.Optional[Cache] = None,
@@ -19748,6 +19829,7 @@ def _typecheckingstub__bc03cbcaf72adec5894eef2ab3574a0593c9df9cedc3c395bdaeb7adc
 def _typecheckingstub__98a249849c6dd1146c8e8d845c1f535b7a85df68782d9f343764b44702f1be04(
     *,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
+    auto_retry_limit: typing.Optional[jsii.Number] = None,
     badge: typing.Optional[builtins.bool] = None,
     build_spec: typing.Optional[BuildSpec] = None,
     cache: typing.Optional[Cache] = None,
@@ -20044,6 +20126,7 @@ def _typecheckingstub__cb5f1bed2a9bb9c41d6f93b4b1a4c9ce7347295312e04439f922446ae
     id: builtins.str,
     *,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
+    auto_retry_limit: typing.Optional[jsii.Number] = None,
     badge: typing.Optional[builtins.bool] = None,
     build_spec: typing.Optional[BuildSpec] = None,
     cache: typing.Optional[Cache] = None,

aws_cdk/aws_codepipeline/__init__.py

@@ -3249,7 +3249,7 @@ class CfnPipeline(
         ) -> None:
             '''Represents information about an action type.
 
-            :param category: A category defines what kind of action can be taken in the stage, and constrains the provider type for the action. Valid categories are limited to one of the values below. - ``Source`` - ``Build`` - ``Test`` - ``Deploy`` - ``Invoke`` - ``Approval``
+            :param category: A category defines what kind of action can be taken in the stage, and constrains the provider type for the action. Valid categories are limited to one of the values below. - ``Source`` - ``Build`` - ``Test`` - ``Deploy`` - ``Invoke`` - ``Approval`` - ``Compute``
             :param owner: The creator of the action being called. There are three valid values for the ``Owner`` field in the action category section within your pipeline structure: ``AWS`` , ``ThirdParty`` , and ``Custom`` . For more information, see `Valid Action Types and Providers in CodePipeline <https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html#actions-valid-providers>`_ .
             :param provider: The provider of the service being called by the action. Valid providers are determined by the action category. For example, an action in the Deploy category type might have a provider of CodeDeploy, which would be specified as ``CodeDeploy`` . For more information, see `Valid Action Types and Providers in CodePipeline <https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html#actions-valid-providers>`_ .
             :param version: A string that describes the action version.
@@ -3295,6 +3295,7 @@ class CfnPipeline(
             - ``Deploy``
             - ``Invoke``
             - ``Approval``
+            - ``Compute``
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-actiontypeid.html#cfn-codepipeline-pipeline-actiontypeid-category
             '''