aws-cdk-lib 2.176.0__py3-none-any.whl → 2.178.0__py3-none-any.whl

aws_cdk/aws_ecs_patterns/__init__.py

@@ -49,6 +49,8 @@ load_balanced_fargate_service = ecs_patterns.ApplicationLoadBalancedFargateServi
         command=["command"],
         entry_point=["entry", "point"]
     ),
+    container_cpu=256,
+    container_memory_limit_mi_b=512,
     min_healthy_percent=100
 )
 
@@ -74,6 +76,10 @@ By setting `redirectHTTP` to true, CDK will automatically create a listener on p
 
 If you specify the option `recordType` you can decide if you want the construct to use CNAME or Route53-Aliases as record sets.
 
+To set the minimum number of CPU units to reserve for the container, you can use the `containerCpu` property.
+
+To set the amount of memory (in MiB) to provide to the container, you can use the `containerMemoryLimitMiB` property.
+
 If you need to encrypt the traffic between the load balancer and the ECS tasks, you can set the `targetProtocol` to `HTTPS`.
 
 Additionally, if more than one application target group are needed, instantiate one of the following:
@@ -8411,6 +8417,8 @@ class ApplicationLoadBalancedFargateService(
         id: builtins.str,
         *,
         assign_public_ip: typing.Optional[builtins.bool] = None,
+        container_cpu: typing.Optional[jsii.Number] = None,
+        container_memory_limit_mib: typing.Optional[jsii.Number] = None,
         health_check: typing.Optional[typing.Union[_HealthCheck_6459d04f, typing.Dict[builtins.str, typing.Any]]] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
         task_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -8457,6 +8465,8 @@ class ApplicationLoadBalancedFargateService(
         :param scope: -
         :param id: -
         :param assign_public_ip: Determines whether the service will be assigned a public IP address. Default: false
+        :param container_cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param container_memory_limit_mib: The amount (in MiB) of memory to present to the container. If your container attempts to exceed the allocated memory, the container is terminated. Default: - No memory limit.
         :param health_check: The health check command and associated configuration parameters for the container. Default: - Health check configuration from container.
         :param security_groups: The security groups to associate with the service. If you do not specify a security group, a new security group is created. Default: - A new security group is created.
         :param task_subnets: The subnets to associate with the service. Default: - Public subnets if ``assignPublicIp`` is set, otherwise the first available one of Private, Isolated, Public, in that order.
@@ -8504,6 +8514,8 @@ class ApplicationLoadBalancedFargateService(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = ApplicationLoadBalancedFargateServiceProps(
             assign_public_ip=assign_public_ip,
+            container_cpu=container_cpu,
+            container_memory_limit_mib=container_memory_limit_mib,
             health_check=health_check,
             security_groups=security_groups,
             task_subnets=task_subnets,
@@ -8611,6 +8623,8 @@ class ApplicationLoadBalancedFargateService(
         "runtime_platform": "runtimePlatform",
         "task_definition": "taskDefinition",
         "assign_public_ip": "assignPublicIp",
+        "container_cpu": "containerCpu",
+        "container_memory_limit_mib": "containerMemoryLimitMiB",
         "health_check": "healthCheck",
         "security_groups": "securityGroups",
         "task_subnets": "taskSubnets",
@@ -8661,6 +8675,8 @@ class ApplicationLoadBalancedFargateServiceProps(
         runtime_platform: typing.Optional[typing.Union[_RuntimePlatform_5ed98a9c, typing.Dict[builtins.str, typing.Any]]] = None,
         task_definition: typing.Optional[_FargateTaskDefinition_83754b60] = None,
         assign_public_ip: typing.Optional[builtins.bool] = None,
+        container_cpu: typing.Optional[jsii.Number] = None,
+        container_memory_limit_mib: typing.Optional[jsii.Number] = None,
         health_check: typing.Optional[typing.Union[_HealthCheck_6459d04f, typing.Dict[builtins.str, typing.Any]]] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
         task_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -8705,6 +8721,8 @@ class ApplicationLoadBalancedFargateServiceProps(
         :param runtime_platform: The runtime platform of the task definition. Default: - If the property is undefined, ``operatingSystemFamily`` is LINUX and ``cpuArchitecture`` is X86_64
         :param task_definition: The task definition to use for tasks in the service. TaskDefinition or TaskImageOptions must be specified, but not both. [disable-awslint:ref-via-interface] Default: - none
         :param assign_public_ip: Determines whether the service will be assigned a public IP address. Default: false
+        :param container_cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param container_memory_limit_mib: The amount (in MiB) of memory to present to the container. If your container attempts to exceed the allocated memory, the container is terminated. Default: - No memory limit.
         :param health_check: The health check command and associated configuration parameters for the container. Default: - Health check configuration from container.
         :param security_groups: The security groups to associate with the service. If you do not specify a security group, a new security group is created. Default: - A new security group is created.
         :param task_subnets: The subnets to associate with the service. Default: - Public subnets if ``assignPublicIp`` is set, otherwise the first available one of Private, Isolated, Public, in that order.
@@ -8793,6 +8811,8 @@ class ApplicationLoadBalancedFargateServiceProps(
             check_type(argname="argument runtime_platform", value=runtime_platform, expected_type=type_hints["runtime_platform"])
             check_type(argname="argument task_definition", value=task_definition, expected_type=type_hints["task_definition"])
             check_type(argname="argument assign_public_ip", value=assign_public_ip, expected_type=type_hints["assign_public_ip"])
+            check_type(argname="argument container_cpu", value=container_cpu, expected_type=type_hints["container_cpu"])
+            check_type(argname="argument container_memory_limit_mib", value=container_memory_limit_mib, expected_type=type_hints["container_memory_limit_mib"])
             check_type(argname="argument health_check", value=health_check, expected_type=type_hints["health_check"])
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
             check_type(argname="argument task_subnets", value=task_subnets, expected_type=type_hints["task_subnets"])
@@ -8873,6 +8893,10 @@ class ApplicationLoadBalancedFargateServiceProps(
             self._values["task_definition"] = task_definition
         if assign_public_ip is not None:
             self._values["assign_public_ip"] = assign_public_ip
+        if container_cpu is not None:
+            self._values["container_cpu"] = container_cpu
+        if container_memory_limit_mib is not None:
+            self._values["container_memory_limit_mib"] = container_memory_limit_mib
         if health_check is not None:
             self._values["health_check"] = health_check
         if security_groups is not None:
@@ -9324,6 +9348,27 @@ class ApplicationLoadBalancedFargateServiceProps(
         result = self._values.get("assign_public_ip")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def container_cpu(self) -> typing.Optional[jsii.Number]:
+        '''The minimum number of CPU units to reserve for the container.
+
+        :default: - No minimum CPU units reserved.
+        '''
+        result = self._values.get("container_cpu")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def container_memory_limit_mib(self) -> typing.Optional[jsii.Number]:
+        '''The amount (in MiB) of memory to present to the container.
+
+        If your container attempts to exceed the allocated memory, the container
+        is terminated.
+
+        :default: - No memory limit.
+        '''
+        result = self._values.get("container_memory_limit_mib")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
     @builtins.property
     def health_check(self) -> typing.Optional[_HealthCheck_6459d04f]:
         '''The health check command and associated configuration parameters for the container.
@@ -17086,6 +17131,8 @@ def _typecheckingstub__52e4707f036e6b5ab8a12a1dd88ad78656d9ef102eb7d04caef957d69
     id: builtins.str,
     *,
     assign_public_ip: typing.Optional[builtins.bool] = None,
+    container_cpu: typing.Optional[jsii.Number] = None,
+    container_memory_limit_mib: typing.Optional[jsii.Number] = None,
     health_check: typing.Optional[typing.Union[_HealthCheck_6459d04f, typing.Dict[builtins.str, typing.Any]]] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
     task_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -17170,6 +17217,8 @@ def _typecheckingstub__cdcb8bd483faaddad588ad37d4527fa1a0028fc2307a21fc3690044a0
     runtime_platform: typing.Optional[typing.Union[_RuntimePlatform_5ed98a9c, typing.Dict[builtins.str, typing.Any]]] = None,
     task_definition: typing.Optional[_FargateTaskDefinition_83754b60] = None,
     assign_public_ip: typing.Optional[builtins.bool] = None,
+    container_cpu: typing.Optional[jsii.Number] = None,
+    container_memory_limit_mib: typing.Optional[jsii.Number] = None,
     health_check: typing.Optional[typing.Union[_HealthCheck_6459d04f, typing.Dict[builtins.str, typing.Any]]] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
     task_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,

aws_cdk/aws_efs/__init__.py

@@ -1634,7 +1634,7 @@ class CfnFileSystem(
         :param kms_key_id: The ID of the AWS KMS key to be used to protect the encrypted file system. This parameter is only required if you want to use a nondefault KMS key . If this parameter is not specified, the default KMS key for Amazon EFS is used. This ID can be in one of the following formats: - Key ID - A unique identifier of the key, for example ``1234abcd-12ab-34cd-56ef-1234567890ab`` . - ARN - An Amazon Resource Name (ARN) for the key, for example ``arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`` . - Key alias - A previously created display name for a key, for example ``alias/projectKey1`` . - Key alias ARN - An ARN for a key alias, for example ``arn:aws:kms:us-west-2:444455556666:alias/projectKey1`` . If ``KmsKeyId`` is specified, the ``Encrypted`` parameter must be set to true.
         :param lifecycle_policies: An array of ``LifecyclePolicy`` objects that define the file system's ``LifecycleConfiguration`` object. A ``LifecycleConfiguration`` object informs Lifecycle management of the following: - When to move files in the file system from primary storage to IA storage. - When to move files in the file system from primary storage or IA storage to Archive storage. - When to move files that are in IA or Archive storage to primary storage. .. epigraph:: Amazon EFS requires that each ``LifecyclePolicy`` object have only a single transition. This means that in a request body, ``LifecyclePolicies`` needs to be structured as an array of ``LifecyclePolicy`` objects, one object for each transition, ``TransitionToIA`` , ``TransitionToArchive`` ``TransitionToPrimaryStorageClass`` . See the example requests in the following section for more information.
         :param performance_mode: The performance mode of the file system. We recommend ``generalPurpose`` performance mode for all file systems. File systems using the ``maxIO`` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The ``maxIO`` mode is not supported on One Zone file systems. .. epigraph:: Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. Default is ``generalPurpose`` .
-        :param provisioned_throughput_in_mibps: The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if ``ThroughputMode`` is set to ``provisioned`` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact AWS Support . For more information, see `Amazon EFS quotas that you can increase <https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits>`_ in the *Amazon EFS User Guide* .
+        :param provisioned_throughput_in_mibps: The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if ``ThroughputMode`` is set to ``provisioned`` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see `Amazon EFS quotas that you can increase <https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits>`_ in the *Amazon EFS User Guide* .
         :param replication_configuration: Describes the replication configuration for a specific file system.
         :param throughput_mode: Specifies the throughput mode for the file system. The mode can be ``bursting`` , ``provisioned`` , or ``elastic`` . If you set ``ThroughputMode`` to ``provisioned`` , you must also set a value for ``ProvisionedThroughputInMibps`` . After you create the file system, you can decrease your file system's Provisioned throughput or change between the throughput modes, with certain time restrictions. For more information, see `Specifying throughput with provisioned mode <https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput>`_ in the *Amazon EFS User Guide* . Default is ``bursting`` .
         '''
@@ -2502,7 +2502,7 @@ class CfnFileSystemProps:
         :param kms_key_id: The ID of the AWS KMS key to be used to protect the encrypted file system. This parameter is only required if you want to use a nondefault KMS key . If this parameter is not specified, the default KMS key for Amazon EFS is used. This ID can be in one of the following formats: - Key ID - A unique identifier of the key, for example ``1234abcd-12ab-34cd-56ef-1234567890ab`` . - ARN - An Amazon Resource Name (ARN) for the key, for example ``arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`` . - Key alias - A previously created display name for a key, for example ``alias/projectKey1`` . - Key alias ARN - An ARN for a key alias, for example ``arn:aws:kms:us-west-2:444455556666:alias/projectKey1`` . If ``KmsKeyId`` is specified, the ``Encrypted`` parameter must be set to true.
         :param lifecycle_policies: An array of ``LifecyclePolicy`` objects that define the file system's ``LifecycleConfiguration`` object. A ``LifecycleConfiguration`` object informs Lifecycle management of the following: - When to move files in the file system from primary storage to IA storage. - When to move files in the file system from primary storage or IA storage to Archive storage. - When to move files that are in IA or Archive storage to primary storage. .. epigraph:: Amazon EFS requires that each ``LifecyclePolicy`` object have only a single transition. This means that in a request body, ``LifecyclePolicies`` needs to be structured as an array of ``LifecyclePolicy`` objects, one object for each transition, ``TransitionToIA`` , ``TransitionToArchive`` ``TransitionToPrimaryStorageClass`` . See the example requests in the following section for more information.
         :param performance_mode: The performance mode of the file system. We recommend ``generalPurpose`` performance mode for all file systems. File systems using the ``maxIO`` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The ``maxIO`` mode is not supported on One Zone file systems. .. epigraph:: Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. Default is ``generalPurpose`` .
-        :param provisioned_throughput_in_mibps: The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if ``ThroughputMode`` is set to ``provisioned`` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact AWS Support . For more information, see `Amazon EFS quotas that you can increase <https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits>`_ in the *Amazon EFS User Guide* .
+        :param provisioned_throughput_in_mibps: The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if ``ThroughputMode`` is set to ``provisioned`` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see `Amazon EFS quotas that you can increase <https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits>`_ in the *Amazon EFS User Guide* .
         :param replication_configuration: Describes the replication configuration for a specific file system.
         :param throughput_mode: Specifies the throughput mode for the file system. The mode can be ``bursting`` , ``provisioned`` , or ``elastic`` . If you set ``ThroughputMode`` to ``provisioned`` , you must also set a value for ``ProvisionedThroughputInMibps`` . After you create the file system, you can decrease your file system's Provisioned throughput or change between the throughput modes, with certain time restrictions. For more information, see `Specifying throughput with provisioned mode <https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput>`_ in the *Amazon EFS User Guide* . Default is ``bursting`` .
 
@@ -2742,7 +2742,7 @@ class CfnFileSystemProps:
     def provisioned_throughput_in_mibps(self) -> typing.Optional[jsii.Number]:
         '''The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating.
 
-        Required if ``ThroughputMode`` is set to ``provisioned`` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact AWS Support . For more information, see `Amazon EFS quotas that you can increase <https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits>`_ in the *Amazon EFS User Guide* .
+        Required if ``ThroughputMode`` is set to ``provisioned`` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact Support . For more information, see `Amazon EFS quotas that you can increase <https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits>`_ in the *Amazon EFS User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html#cfn-efs-filesystem-provisionedthroughputinmibps
         '''
@@ -2829,7 +2829,7 @@ class CfnMountTarget(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param file_system_id: The ID of the file system for which to create the mount target.
-        :param security_groups: Up to five VPC security group IDs, of the form ``sg-xxxxxxxx`` . These must be for the same VPC as subnet specified.
+        :param security_groups: VPC security group IDs, of the form ``sg-xxxxxxxx`` . These must be for the same VPC as the subnet specified. The maximum number of security groups depends on account quota. For more information, see `Amazon VPC Quotas <https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html>`_ in the *Amazon VPC User Guide* (see the *Security Groups* table).
         :param subnet_id: The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone.
         :param ip_address: Valid IPv4 address within the address range of the specified subnet.
         '''
@@ -2919,7 +2919,7 @@ class CfnMountTarget(
     @builtins.property
     @jsii.member(jsii_name="securityGroups")
     def security_groups(self) -> typing.List[builtins.str]:
-        '''Up to five VPC security group IDs, of the form ``sg-xxxxxxxx`` .'''
+        '''VPC security group IDs, of the form ``sg-xxxxxxxx`` .'''
         return typing.cast(typing.List[builtins.str], jsii.get(self, "securityGroups"))
 
     @security_groups.setter
@@ -2978,7 +2978,7 @@ class CfnMountTargetProps:
         '''Properties for defining a ``CfnMountTarget``.
 
         :param file_system_id: The ID of the file system for which to create the mount target.
-        :param security_groups: Up to five VPC security group IDs, of the form ``sg-xxxxxxxx`` . These must be for the same VPC as subnet specified.
+        :param security_groups: VPC security group IDs, of the form ``sg-xxxxxxxx`` . These must be for the same VPC as the subnet specified. The maximum number of security groups depends on account quota. For more information, see `Amazon VPC Quotas <https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html>`_ in the *Amazon VPC User Guide* (see the *Security Groups* table).
         :param subnet_id: The ID of the subnet to add the mount target in. For One Zone file systems, use the subnet that is associated with the file system's Availability Zone.
         :param ip_address: Valid IPv4 address within the address range of the specified subnet.
 
@@ -3026,9 +3026,9 @@ class CfnMountTargetProps:
 
     @builtins.property
     def security_groups(self) -> typing.List[builtins.str]:
-        '''Up to five VPC security group IDs, of the form ``sg-xxxxxxxx`` .
+        '''VPC security group IDs, of the form ``sg-xxxxxxxx`` .
 
-        These must be for the same VPC as subnet specified.
+        These must be for the same VPC as the subnet specified. The maximum number of security groups depends on account quota. For more information, see `Amazon VPC Quotas <https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html>`_ in the *Amazon VPC User Guide* (see the *Security Groups* table).
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-mounttarget.html#cfn-efs-mounttarget-securitygroups
         '''

aws_cdk/aws_eks/__init__.py

@@ -822,7 +822,7 @@ By default, CDK will create a new python lambda function to apply your k8s manif
 
 ```python
 handler_role = iam.Role.from_role_arn(self, "HandlerRole", "arn:aws:iam::123456789012:role/lambda-role")
-# get the serivceToken from the custom resource provider
+# get the serviceToken from the custom resource provider
 function_arn = lambda_.Function.from_function_name(self, "ProviderOnEventFunc", "ProviderframeworkonEvent-XXX").function_arn
 kubectl_provider = eks.KubectlProvider.from_kubectl_provider_attributes(self, "KubectlProvider",
     function_arn=function_arn,
@@ -2690,7 +2690,7 @@ class AddonProps:
 
         :param addon_name: Name of the Add-On.
         :param cluster: The EKS cluster the Add-On is associated with.
-        :param addon_version: Version of the Add-On. You can check all available versions with describe-addon-versons. For example, this lists all available versions for the ``eks-pod-identity-agent`` addon: $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent --query 'addons[*].addonVersions[*].addonVersion' Default: the latest version.
+        :param addon_version: Version of the Add-On. You can check all available versions with describe-addon-versions. For example, this lists all available versions for the ``eks-pod-identity-agent`` addon: $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent --query 'addons[*].addonVersions[*].addonVersion' Default: the latest version.
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed. Default: true
 
         :exampleMetadata: infused
@@ -2741,7 +2741,7 @@ class AddonProps:
     def addon_version(self) -> typing.Optional[builtins.str]:
         '''Version of the Add-On.
 
-        You can check all available versions with describe-addon-versons.
+        You can check all available versions with describe-addon-versions.
         For example, this lists all available versions for the ``eks-pod-identity-agent`` addon:
         $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent
         --query 'addons[*].addonVersions[*].addonVersion'
@@ -4675,11 +4675,11 @@ class CfnAccessEntry(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param cluster_name: The name of your cluster.
-        :param principal_arn: The ARN of the IAM principal for the ``AccessEntry`` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation. The valid principals differ depending on the type of the access entry in the ``type`` field. The only valid ARN is IAM roles for the types of access entries for nodes: `` `` . You can use every IAM principal type for ``STANDARD`` access entries. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions. `IAM best practices <https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp>`_ recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.
+        :param principal_arn: The ARN of the IAM principal for the ``AccessEntry`` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation. The valid principals differ depending on the type of the access entry in the ``type`` field. For ``STANDARD`` access entries, you can use every IAM principal type. For nodes ( ``EC2`` (for EKS Auto Mode), ``EC2_LINUX`` , ``EC2_WINDOWS`` , ``FARGATE_LINUX`` , and ``HYBRID_LINUX`` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions. `IAM best practices <https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp>`_ recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.
         :param access_policies: The access policies to associate to the access entry.
         :param kubernetes_groups: The value for ``name`` that you've specified for ``kind: Group`` as a ``subject`` in a Kubernetes ``RoleBinding`` or ``ClusterRoleBinding`` object. Amazon EKS doesn't confirm that the value for ``name`` exists in any bindings on your cluster. You can specify one or more names. Kubernetes authorizes the ``principalArn`` of the access entry to access any cluster objects that you've specified in a Kubernetes ``Role`` or ``ClusterRole`` object that is also specified in a binding's ``roleRef`` . For more information about creating Kubernetes ``RoleBinding`` , ``ClusterRoleBinding`` , ``Role`` , or ``ClusterRole`` objects, see `Using RBAC Authorization in the Kubernetes documentation <https://docs.aws.amazon.com/https://kubernetes.io/docs/reference/access-authn-authz/rbac/>`_ . If you want Amazon EKS to authorize the ``principalArn`` (instead of, or in addition to Kubernetes authorizing the ``principalArn`` ), you can associate one or more access policies to the access entry using ``AssociateAccessPolicy`` . If you associate any access policies, the ``principalARN`` has all permissions assigned in the associated access policies and all permissions in any Kubernetes ``Role`` or ``ClusterRole`` objects that the group names are bound to.
         :param tags: Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources.
-        :param type: The type of the new access entry. Valid values are ``Standard`` , ``FARGATE_LINUX`` , ``EC2_LINUX`` , and ``EC2_WINDOWS`` . If the ``principalArn`` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify ``EC2_LINUX`` or ``EC2_WINDOWS`` . Amazon EKS grants the necessary permissions to the node for you. If the ``principalArn`` is for any other purpose, specify ``STANDARD`` . If you don't specify a value, Amazon EKS sets the value to ``STANDARD`` . It's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the ``aws-auth`` ``ConfigMap`` for the roles. You can't change this value once you've created the access entry. If you set the value to ``EC2_LINUX`` or ``EC2_WINDOWS`` , you can't specify values for ``kubernetesGroups`` , or associate an ``AccessPolicy`` to the access entry.
+        :param type: The type of the new access entry. Valid values are ``STANDARD`` , ``FARGATE_LINUX`` , ``EC2_LINUX`` , ``EC2_WINDOWS`` , ``EC2`` (for EKS Auto Mode), ``HYBRID_LINUX`` , and ``HYPERPOD_LINUX`` . If the ``principalArn`` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify ``EC2_LINUX`` or ``EC2_WINDOWS`` . Amazon EKS grants the necessary permissions to the node for you. If the ``principalArn`` is for any other purpose, specify ``STANDARD`` . If you don't specify a value, Amazon EKS sets the value to ``STANDARD`` . If you have the access mode of the cluster set to ``API_AND_CONFIG_MAP`` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the ``aws-auth`` ``ConfigMap`` for the roles. You can't change this value once you've created the access entry. If you set the value to ``EC2_LINUX`` or ``EC2_WINDOWS`` , you can't specify values for ``kubernetesGroups`` , or associate an ``AccessPolicy`` to the access entry.
         :param username: The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see `Creating access entries <https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries>`_ in the *Amazon EKS User Guide* .
         '''
         if __debug__:
@@ -4824,10 +4824,7 @@ class CfnAccessEntry(
     @builtins.property
     @jsii.member(jsii_name="type")
     def type(self) -> typing.Optional[builtins.str]:
-        '''The type of the new access entry.
-
-        Valid values are ``Standard`` , ``FARGATE_LINUX`` , ``EC2_LINUX`` , and ``EC2_WINDOWS`` .
-        '''
+        '''The type of the new access entry.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "type"))
 
     @type.setter
@@ -5034,11 +5031,11 @@ class CfnAccessEntryProps:
         '''Properties for defining a ``CfnAccessEntry``.
 
         :param cluster_name: The name of your cluster.
-        :param principal_arn: The ARN of the IAM principal for the ``AccessEntry`` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation. The valid principals differ depending on the type of the access entry in the ``type`` field. The only valid ARN is IAM roles for the types of access entries for nodes: `` `` . You can use every IAM principal type for ``STANDARD`` access entries. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions. `IAM best practices <https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp>`_ recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.
+        :param principal_arn: The ARN of the IAM principal for the ``AccessEntry`` . You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation. The valid principals differ depending on the type of the access entry in the ``type`` field. For ``STANDARD`` access entries, you can use every IAM principal type. For nodes ( ``EC2`` (for EKS Auto Mode), ``EC2_LINUX`` , ``EC2_WINDOWS`` , ``FARGATE_LINUX`` , and ``HYBRID_LINUX`` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions. `IAM best practices <https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp>`_ recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.
         :param access_policies: The access policies to associate to the access entry.
         :param kubernetes_groups: The value for ``name`` that you've specified for ``kind: Group`` as a ``subject`` in a Kubernetes ``RoleBinding`` or ``ClusterRoleBinding`` object. Amazon EKS doesn't confirm that the value for ``name`` exists in any bindings on your cluster. You can specify one or more names. Kubernetes authorizes the ``principalArn`` of the access entry to access any cluster objects that you've specified in a Kubernetes ``Role`` or ``ClusterRole`` object that is also specified in a binding's ``roleRef`` . For more information about creating Kubernetes ``RoleBinding`` , ``ClusterRoleBinding`` , ``Role`` , or ``ClusterRole`` objects, see `Using RBAC Authorization in the Kubernetes documentation <https://docs.aws.amazon.com/https://kubernetes.io/docs/reference/access-authn-authz/rbac/>`_ . If you want Amazon EKS to authorize the ``principalArn`` (instead of, or in addition to Kubernetes authorizing the ``principalArn`` ), you can associate one or more access policies to the access entry using ``AssociateAccessPolicy`` . If you associate any access policies, the ``principalARN`` has all permissions assigned in the associated access policies and all permissions in any Kubernetes ``Role`` or ``ClusterRole`` objects that the group names are bound to.
         :param tags: Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources.
-        :param type: The type of the new access entry. Valid values are ``Standard`` , ``FARGATE_LINUX`` , ``EC2_LINUX`` , and ``EC2_WINDOWS`` . If the ``principalArn`` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify ``EC2_LINUX`` or ``EC2_WINDOWS`` . Amazon EKS grants the necessary permissions to the node for you. If the ``principalArn`` is for any other purpose, specify ``STANDARD`` . If you don't specify a value, Amazon EKS sets the value to ``STANDARD`` . It's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the ``aws-auth`` ``ConfigMap`` for the roles. You can't change this value once you've created the access entry. If you set the value to ``EC2_LINUX`` or ``EC2_WINDOWS`` , you can't specify values for ``kubernetesGroups`` , or associate an ``AccessPolicy`` to the access entry.
+        :param type: The type of the new access entry. Valid values are ``STANDARD`` , ``FARGATE_LINUX`` , ``EC2_LINUX`` , ``EC2_WINDOWS`` , ``EC2`` (for EKS Auto Mode), ``HYBRID_LINUX`` , and ``HYPERPOD_LINUX`` . If the ``principalArn`` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify ``EC2_LINUX`` or ``EC2_WINDOWS`` . Amazon EKS grants the necessary permissions to the node for you. If the ``principalArn`` is for any other purpose, specify ``STANDARD`` . If you don't specify a value, Amazon EKS sets the value to ``STANDARD`` . If you have the access mode of the cluster set to ``API_AND_CONFIG_MAP`` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the ``aws-auth`` ``ConfigMap`` for the roles. You can't change this value once you've created the access entry. If you set the value to ``EC2_LINUX`` or ``EC2_WINDOWS`` , you can't specify values for ``kubernetesGroups`` , or associate an ``AccessPolicy`` to the access entry.
         :param username: The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see `Creating access entries <https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries>`_ in the *Amazon EKS User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-accessentry.html
@@ -5113,7 +5110,7 @@ class CfnAccessEntryProps:
 
         You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.
 
-        The valid principals differ depending on the type of the access entry in the ``type`` field. The only valid ARN is IAM roles for the types of access entries for nodes: `` `` . You can use every IAM principal type for ``STANDARD`` access entries. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.
+        The valid principals differ depending on the type of the access entry in the ``type`` field. For ``STANDARD`` access entries, you can use every IAM principal type. For nodes ( ``EC2`` (for EKS Auto Mode), ``EC2_LINUX`` , ``EC2_WINDOWS`` , ``FARGATE_LINUX`` , and ``HYBRID_LINUX`` ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.
 
         `IAM best practices <https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp>`_ recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.
 
@@ -5162,9 +5159,11 @@ class CfnAccessEntryProps:
 
     @builtins.property
     def type(self) -> typing.Optional[builtins.str]:
-        '''The type of the new access entry. Valid values are ``Standard`` , ``FARGATE_LINUX`` , ``EC2_LINUX`` , and ``EC2_WINDOWS`` .
+        '''The type of the new access entry.
 
-        If the ``principalArn`` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify ``EC2_LINUX`` or ``EC2_WINDOWS`` . Amazon EKS grants the necessary permissions to the node for you. If the ``principalArn`` is for any other purpose, specify ``STANDARD`` . If you don't specify a value, Amazon EKS sets the value to ``STANDARD`` . It's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the ``aws-auth`` ``ConfigMap`` for the roles. You can't change this value once you've created the access entry.
+        Valid values are ``STANDARD`` , ``FARGATE_LINUX`` , ``EC2_LINUX`` , ``EC2_WINDOWS`` , ``EC2`` (for EKS Auto Mode), ``HYBRID_LINUX`` , and ``HYPERPOD_LINUX`` .
+
+        If the ``principalArn`` is for an IAM role that's used for self-managed Amazon EC2 nodes, specify ``EC2_LINUX`` or ``EC2_WINDOWS`` . Amazon EKS grants the necessary permissions to the node for you. If the ``principalArn`` is for any other purpose, specify ``STANDARD`` . If you don't specify a value, Amazon EKS sets the value to ``STANDARD`` . If you have the access mode of the cluster set to ``API_AND_CONFIG_MAP`` , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the ``aws-auth`` ``ConfigMap`` for the roles. You can't change this value once you've created the access entry.
 
         If you set the value to ``EC2_LINUX`` or ``EC2_WINDOWS`` , you can't specify values for ``kubernetesGroups`` , or associate an ``AccessPolicy`` to the access entry.
 
@@ -5261,7 +5260,7 @@ class CfnAddon(
         :param configuration_values: The configuration values that you provided.
         :param pod_identity_associations: An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster. For more information, see `Attach an IAM Role to an Amazon EKS add-on using Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the *Amazon EKS User Guide* .
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.
-        :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see `UpdateAddon <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
+        :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see ```UpdateAddon`` <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
         :param service_account_role_arn: The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see `Amazon EKS node IAM role <https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see `Enabling IAM roles for service accounts on your cluster <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_ in the *Amazon EKS User Guide* .
         :param tags: The metadata that you apply to the add-on to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Add-on tags do not propagate to any other resources associated with the cluster.
         '''
@@ -5571,7 +5570,7 @@ class CfnAddonProps:
         :param configuration_values: The configuration values that you provided.
         :param pod_identity_associations: An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity association maps a role to a service account in a namespace in the cluster. For more information, see `Attach an IAM Role to an Amazon EKS add-on using Pod Identity <https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html>`_ in the *Amazon EKS User Guide* .
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed.
-        :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see `UpdateAddon <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
+        :param resolve_conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see ```UpdateAddon`` <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ . If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
         :param service_account_role_arn: The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see `Amazon EKS node IAM role <https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see `Enabling IAM roles for service accounts on your cluster <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_ in the *Amazon EKS User Guide* .
         :param tags: The metadata that you apply to the add-on to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Add-on tags do not propagate to any other resources associated with the cluster.
 
@@ -5708,7 +5707,7 @@ class CfnAddonProps:
 
         - *None* – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.
         - *Overwrite* – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.
-        - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see `UpdateAddon <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ .
+        - *Preserve* – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see ```UpdateAddon`` <https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html>`_ .
 
         If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify.
 
@@ -9418,7 +9417,8 @@ class CfnNodegroup(
             )],
             update_config=eks.CfnNodegroup.UpdateConfigProperty(
                 max_unavailable=123,
-                max_unavailable_percentage=123
+                max_unavailable_percentage=123,
+                update_strategy="updateStrategy"
             ),
             version="version"
         )
@@ -9437,7 +9437,7 @@ class CfnNodegroup(
         disk_size: typing.Optional[jsii.Number] = None,
         force_update_enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         instance_types: typing.Optional[typing.Sequence[builtins.str]] = None,
-        labels: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+        labels: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
         launch_template: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnNodegroup.LaunchTemplateSpecificationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         nodegroup_name: typing.Optional[builtins.str] = None,
         node_repair_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnNodegroup.NodeRepairConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -9689,14 +9689,14 @@ class CfnNodegroup(
     @jsii.member(jsii_name="labels")
     def labels(
         self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+    ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
         '''The Kubernetes ``labels`` applied to the nodes in the node group.'''
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], jsii.get(self, "labels"))
+        return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], jsii.get(self, "labels"))
 
     @labels.setter
     def labels(
         self,
-        value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]],
+        value: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]],
     ) -> None:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__bfdcdc90e2da680bcf24a101a162039fcfa5c8ddbf5eae9a97a45451dc10a0e1)
@@ -10294,6 +10294,7 @@ class CfnNodegroup(
         name_mapping={
             "max_unavailable": "maxUnavailable",
             "max_unavailable_percentage": "maxUnavailablePercentage",
+            "update_strategy": "updateStrategy",
         },
     )
     class UpdateConfigProperty:
@@ -10302,11 +10303,13 @@ class CfnNodegroup(
             *,
             max_unavailable: typing.Optional[jsii.Number] = None,
             max_unavailable_percentage: typing.Optional[jsii.Number] = None,
+            update_strategy: typing.Optional[builtins.str] = None,
         ) -> None:
             '''The update configuration for the node group.
 
             :param max_unavailable: The maximum number of nodes unavailable at once during a version update. Nodes are updated in parallel. This value or ``maxUnavailablePercentage`` is required to have a value.The maximum number is 100.
             :param max_unavailable_percentage: The maximum percentage of nodes unavailable during a version update. This percentage of nodes are updated in parallel, up to 100 nodes at once. This value or ``maxUnavailable`` is required to have a value.
+            :param update_strategy: The configuration for the behavior to follow during an node group version update of this managed node group. You choose between two possible strategies for replacing nodes during an UpdateNodegroupVersion action.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-updateconfig.html
             :exampleMetadata: fixture=_generated
@@ -10319,18 +10322,22 @@ class CfnNodegroup(
                 
                 update_config_property = eks.CfnNodegroup.UpdateConfigProperty(
                     max_unavailable=123,
-                    max_unavailable_percentage=123
+                    max_unavailable_percentage=123,
+                    update_strategy="updateStrategy"
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__883c5208b02930e4808e078b3ecb98b51411fa92d248a8031301fe5434326e12)
                 check_type(argname="argument max_unavailable", value=max_unavailable, expected_type=type_hints["max_unavailable"])
                 check_type(argname="argument max_unavailable_percentage", value=max_unavailable_percentage, expected_type=type_hints["max_unavailable_percentage"])
+                check_type(argname="argument update_strategy", value=update_strategy, expected_type=type_hints["update_strategy"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
             if max_unavailable is not None:
                 self._values["max_unavailable"] = max_unavailable
             if max_unavailable_percentage is not None:
                 self._values["max_unavailable_percentage"] = max_unavailable_percentage
+            if update_strategy is not None:
+                self._values["update_strategy"] = update_strategy
 
         @builtins.property
         def max_unavailable(self) -> typing.Optional[jsii.Number]:
@@ -10354,6 +10361,17 @@ class CfnNodegroup(
             result = self._values.get("max_unavailable_percentage")
             return typing.cast(typing.Optional[jsii.Number], result)
 
+        @builtins.property
+        def update_strategy(self) -> typing.Optional[builtins.str]:
+            '''The configuration for the behavior to follow during an node group version update of this managed node group.
+
+            You choose between two possible strategies for replacing nodes during an UpdateNodegroupVersion action.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-updateconfig.html#cfn-eks-nodegroup-updateconfig-updatestrategy
+            '''
+            result = self._values.get("update_strategy")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -10403,7 +10421,7 @@ class CfnNodegroupProps:
         disk_size: typing.Optional[jsii.Number] = None,
         force_update_enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         instance_types: typing.Optional[typing.Sequence[builtins.str]] = None,
-        labels: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+        labels: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
         launch_template: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNodegroup.LaunchTemplateSpecificationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         nodegroup_name: typing.Optional[builtins.str] = None,
         node_repair_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNodegroup.NodeRepairConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -10491,7 +10509,8 @@ class CfnNodegroupProps:
                 )],
                 update_config=eks.CfnNodegroup.UpdateConfigProperty(
                     max_unavailable=123,
-                    max_unavailable_percentage=123
+                    max_unavailable_percentage=123,
+                    update_strategy="updateStrategy"
                 ),
                 version="version"
             )
@@ -10649,7 +10668,7 @@ class CfnNodegroupProps:
     @builtins.property
     def labels(
         self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+    ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
         '''The Kubernetes ``labels`` applied to the nodes in the node group.
 
         .. epigraph::
@@ -10659,7 +10678,7 @@ class CfnNodegroupProps:
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html#cfn-eks-nodegroup-labels
         '''
         result = self._values.get("labels")
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], result)
+        return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], result)
 
     @builtins.property
     def launch_template(
@@ -14203,7 +14222,7 @@ class KubectlProvider(
     Example::
 
         handler_role = iam.Role.from_role_arn(self, "HandlerRole", "arn:aws:iam::123456789012:role/lambda-role")
-        # get the serivceToken from the custom resource provider
+        # get the serviceToken from the custom resource provider
         function_arn = lambda_.Function.from_function_name(self, "ProviderOnEventFunc", "ProviderframeworkonEvent-XXX").function_arn
         kubectl_provider = eks.KubectlProvider.from_kubectl_provider_attributes(self, "KubectlProvider",
             function_arn=function_arn,
@@ -14333,7 +14352,7 @@ class KubectlProviderAttributes:
         Example::
 
             handler_role = iam.Role.from_role_arn(self, "HandlerRole", "arn:aws:iam::123456789012:role/lambda-role")
-            # get the serivceToken from the custom resource provider
+            # get the serviceToken from the custom resource provider
             function_arn = lambda_.Function.from_function_name(self, "ProviderOnEventFunc", "ProviderframeworkonEvent-XXX").function_arn
             kubectl_provider = eks.KubectlProvider.from_kubectl_provider_attributes(self, "KubectlProvider",
                 function_arn=function_arn,
@@ -14522,7 +14541,7 @@ class KubernetesManifest(
     @jsii.python.classproperty
     @jsii.member(jsii_name="RESOURCE_TYPE")
     def RESOURCE_TYPE(cls) -> builtins.str:
-        '''The CloudFormation reosurce type.'''
+        '''The CloudFormation resource type.'''
         return typing.cast(builtins.str, jsii.sget(cls, "RESOURCE_TYPE"))
 
 
@@ -14951,7 +14970,7 @@ class KubernetesObjectValue(
     @jsii.python.classproperty
     @jsii.member(jsii_name="RESOURCE_TYPE")
     def RESOURCE_TYPE(cls) -> builtins.str:
-        '''The CloudFormation reosurce type.'''
+        '''The CloudFormation resource type.'''
         return typing.cast(builtins.str, jsii.sget(cls, "RESOURCE_TYPE"))
 
     @builtins.property
@@ -17873,7 +17892,7 @@ class Addon(
         :param id: The construct ID.
         :param addon_name: Name of the Add-On.
         :param cluster: The EKS cluster the Add-On is associated with.
-        :param addon_version: Version of the Add-On. You can check all available versions with describe-addon-versons. For example, this lists all available versions for the ``eks-pod-identity-agent`` addon: $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent --query 'addons[*].addonVersions[*].addonVersion' Default: the latest version.
+        :param addon_version: Version of the Add-On. You can check all available versions with describe-addon-versions. For example, this lists all available versions for the ``eks-pod-identity-agent`` addon: $ aws eks describe-addon-versions --addon-name eks-pod-identity-agent --query 'addons[*].addonVersions[*].addonVersion' Default: the latest version.
         :param preserve_on_delete: Specifying this option preserves the add-on software on your cluster but Amazon EKS stops managing any settings for the add-on. If an IAM account is associated with the add-on, it isn't removed. Default: true
         '''
         if __debug__:
@@ -21964,7 +21983,7 @@ def _typecheckingstub__27ebd660a66f96284eec036f7614b1586f77d9990c9dd345fe73522c7
     disk_size: typing.Optional[jsii.Number] = None,
     force_update_enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     instance_types: typing.Optional[typing.Sequence[builtins.str]] = None,
-    labels: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+    labels: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
     launch_template: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNodegroup.LaunchTemplateSpecificationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     nodegroup_name: typing.Optional[builtins.str] = None,
     node_repair_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNodegroup.NodeRepairConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -22040,7 +22059,7 @@ def _typecheckingstub__d7945a05c2376d70b30fc28a96959abf6f7e23d90fd6e700764137f4b
     pass
 
 def _typecheckingstub__bfdcdc90e2da680bcf24a101a162039fcfa5c8ddbf5eae9a97a45451dc10a0e1(
-    value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]],
+    value: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]],
 ) -> None:
     """Type checking stubs"""
     pass
@@ -22151,6 +22170,7 @@ def _typecheckingstub__883c5208b02930e4808e078b3ecb98b51411fa92d248a8031301fe543
     *,
     max_unavailable: typing.Optional[jsii.Number] = None,
     max_unavailable_percentage: typing.Optional[jsii.Number] = None,
+    update_strategy: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -22165,7 +22185,7 @@ def _typecheckingstub__61a7b4277678abead400083fb1974a4f71ee28a78b5e79235fc3a4581
     disk_size: typing.Optional[jsii.Number] = None,
     force_update_enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     instance_types: typing.Optional[typing.Sequence[builtins.str]] = None,
-    labels: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+    labels: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
     launch_template: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNodegroup.LaunchTemplateSpecificationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     nodegroup_name: typing.Optional[builtins.str] = None,
     node_repair_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnNodegroup.NodeRepairConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,