aws-cdk-lib 2.177.0__py3-none-any.whl → 2.178.0__py3-none-any.whl

aws_cdk/aws_ecs/__init__.py

@@ -1170,6 +1170,73 @@ const service = ecs.FargateService.fromFargateServiceAttributes(this, 'EcsServic
 const service = ecs.FargateService.fromFargateServiceArn(this, 'EcsService', 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service');
 ```
 
+### Availability Zone rebalancing
+
+ECS services running in AWS can be launched in multiple VPC subnets that are
+each in different Availability Zones (AZs) to achieve high availability. Fargate
+services launched this way will automatically try to achieve an even spread of
+service tasks across AZs, and EC2 services can be instructed to do the same with
+placement strategies. This ensures that the service has equal availability in
+each AZ.
+
+```python
+# vpc: ec2.Vpc
+# cluster: ecs.Cluster
+# task_definition: ecs.TaskDefinition
+
+
+service = ecs.FargateService(self, "Service",
+    cluster=cluster,
+    task_definition=task_definition,
+    # Fargate will try to ensure an even spread of newly launched tasks across
+    # all AZs corresponding to the public subnets of the VPC.
+    vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC)
+)
+```
+
+However, those approaches only affect how newly launched tasks are placed.
+Service tasks can still become unevenly spread across AZs if there is an
+infrastructure event, like an AZ outage or a lack of available compute capacity
+in an AZ. During such events, newly launched tasks may be placed in AZs in such
+a way that tasks are not evenly spread across all AZs. After the infrastructure
+event is over, the service will remain imbalanced until new tasks are launched
+for some other reason, such as a service deployment.
+
+Availability Zone rebalancing is a feature whereby ECS actively tries to correct
+service AZ imbalances whenever they exist, by moving service tasks from
+overbalanced AZs to underbalanced AZs. When an imbalance is detected, ECS will
+launch new tasks in underbalanced AZs, then stop existing tasks in overbalanced
+AZs, to ensure an even spread.
+
+You can enabled Availability Zone rebalancing when creating your service:
+
+```python
+# cluster: ecs.Cluster
+# task_definition: ecs.TaskDefinition
+
+
+service = ecs.FargateService(self, "Service",
+    cluster=cluster,
+    task_definition=task_definition,
+    availability_zone_rebalancing=ecs.AvailabilityZoneRebalancing.ENABLED
+)
+```
+
+Availability Zone rebalancing works in the following configurations:
+
+* Services that use the Replica strategy.
+* Services that specify Availability Zone spread as the first task placement
+  strategy, or do not specify a placement strategy.
+
+You can't use Availability Zone rebalancing with services that meet any of the
+following criteria:
+
+* Uses the Daemon strategy.
+* Uses the EXTERNAL launch type (ECSAnywhere).
+* Uses 100% for the maximumPercent value.
+* Uses a Classic Load Balancer.
+* Uses the `attribute:ecs.availability-zone` as a task placement constraint.
+
 ## Task Auto-Scaling
 
 You can configure the task count of a service to match demand. Task auto-scaling is
@@ -1959,6 +2026,20 @@ task_definition.add_container("TheContainer",
 )
 ```
 
+## Disable service container image version consistency
+
+You can disable the
+[container image "version consistency"](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-ecs.html#deployment-container-image-stability)
+feature of ECS service deployments on a per-container basis.
+
+```python
+task_definition = ecs.Ec2TaskDefinition(self, "TaskDef")
+task_definition.add_container("TheContainer",
+    image=ecs.ContainerImage.from_registry("example-image"),
+    version_consistency=ecs.VersionConsistency.DISABLED
+)
+```
+
 ## Specify a container ulimit
 
 You can specify a container `ulimits` by specifying them in the `ulimits` option while adding the container
@@ -1975,6 +2056,65 @@ task_definition.add_container("TheContainer",
     )]
 )
 ```
+
+## Service Connect TLS
+
+Service Connect TLS is a feature that allows you to secure the communication between services using TLS.
+
+You can specify the `tls` option in the `services` array of the `serviceConnectConfiguration` property.
+
+The `tls` property is an object with the following properties:
+
+* `role`: The IAM role that's associated with the Service Connect TLS.
+* `awsPcaAuthorityArn`: The ARN of the certificate root authority that secures your service.
+* `kmsKey`: The KMS key used for encryption and decryption.
+
+```python
+# cluster: ecs.Cluster
+# task_definition: ecs.TaskDefinition
+# kms_key: kms.IKey
+# role: iam.IRole
+
+
+service = ecs.FargateService(self, "FargateService",
+    cluster=cluster,
+    task_definition=task_definition,
+    service_connect_configuration=ecs.ServiceConnectProps(
+        services=[ecs.ServiceConnectService(
+            tls=ecs.ServiceConnectTlsConfiguration(
+                role=role,
+                kms_key=kms_key,
+                aws_pca_authority_arn="arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/123456789012"
+            ),
+            port_mapping_name="api"
+        )
+        ],
+        namespace="sample namespace"
+    )
+)
+```
+
+## Daemon scheduling strategy
+
+You can specify whether service use Daemon scheduling strategy by specifying `daemon` option in Service constructs. See [differences between Daemon and Replica scheduling strategy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html)
+
+```python
+# cluster: ecs.Cluster
+# task_definition: ecs.TaskDefinition
+
+
+ecs.Ec2Service(self, "Ec2Service",
+    cluster=cluster,
+    task_definition=task_definition,
+    daemon=True
+)
+
+ecs.ExternalService(self, "ExternalService",
+    cluster=cluster,
+    task_definition=task_definition,
+    daemon=True
+)
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -4351,6 +4491,32 @@ class AuthorizationConfig:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_ecs.AvailabilityZoneRebalancing")
+class AvailabilityZoneRebalancing(enum.Enum):
+    '''Indicates whether to use Availability Zone rebalancing for an ECS service.
+
+    :see: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html
+    :exampleMetadata: infused
+
+    Example::
+
+        # cluster: ecs.Cluster
+        # task_definition: ecs.TaskDefinition
+        
+        
+        service = ecs.FargateService(self, "Service",
+            cluster=cluster,
+            task_definition=task_definition,
+            availability_zone_rebalancing=ecs.AvailabilityZoneRebalancing.ENABLED
+        )
+    '''
+
+    ENABLED = "ENABLED"
+    '''Availability zone rebalancing is enabled.'''
+    DISABLED = "DISABLED"
+    '''Availability zone rebalancing is disabled.'''
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_ecs.AwsLogDriverMode")
 class AwsLogDriverMode(enum.Enum):
     '''awslogs provides two modes for delivering messages from the container to the log driver.
@@ -4830,12 +4996,16 @@ class BaseServiceOptions:
             # The values are placeholders you should change.
             import aws_cdk as cdk
             from aws_cdk import aws_ecs as ecs
+            from aws_cdk import aws_iam as iam
+            from aws_cdk import aws_kms as kms
             from aws_cdk import aws_servicediscovery as servicediscovery
             
             # cluster: ecs.Cluster
             # container_definition: ecs.ContainerDefinition
+            # key: kms.Key
             # log_driver: ecs.LogDriver
             # namespace: servicediscovery.INamespace
+            # role: iam.Role
             # service_managed_volume: ecs.ServiceManagedVolume
             # task_definition_revision: ecs.TaskDefinitionRevision
             
@@ -4891,7 +5061,12 @@ class BaseServiceOptions:
                         idle_timeout=cdk.Duration.minutes(30),
                         ingress_port_override=123,
                         per_request_timeout=cdk.Duration.minutes(30),
-                        port=123
+                        port=123,
+                        tls=ecs.ServiceConnectTlsConfiguration(
+                            aws_pca_authority_arn="awsPcaAuthorityArn",
+                            kms_key=key,
+                            role=role
+                        )
                     )]
                 ),
                 service_name="serviceName",
@@ -5227,12 +5402,16 @@ class BaseServiceProps(BaseServiceOptions):
             # The values are placeholders you should change.
             import aws_cdk as cdk
             from aws_cdk import aws_ecs as ecs
+            from aws_cdk import aws_iam as iam
+            from aws_cdk import aws_kms as kms
             from aws_cdk import aws_servicediscovery as servicediscovery
             
             # cluster: ecs.Cluster
             # container_definition: ecs.ContainerDefinition
+            # key: kms.Key
             # log_driver: ecs.LogDriver
             # namespace: servicediscovery.INamespace
+            # role: iam.Role
             # service_managed_volume: ecs.ServiceManagedVolume
             # task_definition_revision: ecs.TaskDefinitionRevision
             
@@ -5289,7 +5468,12 @@ class BaseServiceProps(BaseServiceOptions):
                         idle_timeout=cdk.Duration.minutes(30),
                         ingress_port_override=123,
                         per_request_timeout=cdk.Duration.minutes(30),
-                        port=123
+                        port=123,
+                        tls=ecs.ServiceConnectTlsConfiguration(
+                            aws_pca_authority_arn="awsPcaAuthorityArn",
+                            kms_key=key,
+                            role=role
+                        )
                     )]
                 ),
                 service_name="serviceName",
@@ -8232,7 +8416,7 @@ class CfnService(
 
     .. epigraph::
 
-       The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect ``ServiceConnectConfiguration`` property the is configured. This is because AWS CloudFormation creates the replacement service first, but each ``ServiceConnectService`` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
+       The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect ``ServiceConnectConfiguration`` property is configured. This is because AWS CloudFormation creates the replacement service first, but each ``ServiceConnectService`` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html
     :cloudformationResource: AWS::ECS::Service
@@ -8428,7 +8612,7 @@ class CfnService(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param availability_zone_rebalancing: Indicates whether to use Availability Zone rebalancing for the service. For more information, see `Balancing an Amazon ECS service across Availability Zones <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html>`_ in the *Amazon Elastic Container Service Developer Guide* . Default: - "DISABLED"
-        :param capacity_provider_strategy: The capacity provider strategy to use for the service. If a ``capacityProviderStrategy`` is specified, the ``launchType`` parameter must be omitted. If no ``capacityProviderStrategy`` or ``launchType`` is specified, the ``defaultCapacityProviderStrategy`` for the cluster is used. A capacity provider strategy can contain a maximum of 20 capacity providers.
+        :param capacity_provider_strategy: The capacity provider strategy to use for the service. If a ``capacityProviderStrategy`` is specified, the ``launchType`` parameter must be omitted. If no ``capacityProviderStrategy`` or ``launchType`` is specified, the ``defaultCapacityProviderStrategy`` for the cluster is used. A capacity provider strategy may contain a maximum of 6 capacity providers. .. epigraph:: To remove this property from your service resource, specify an empty ``CapacityProviderStrategyItem`` array.
         :param cluster: The short name or full Amazon Resource Name (ARN) of the cluster that you run your service on. If you do not specify a cluster, the default cluster is assumed.
         :param deployment_configuration: Optional deployment parameters that control how many tasks run during the deployment and the ordering of stopping and starting tasks.
         :param deployment_controller: The deployment controller to use for the service. If no deployment controller is specified, the default value of ``ECS`` is used.
@@ -8437,20 +8621,20 @@ class CfnService(
         :param enable_execute_command: Determines whether the execute command functionality is turned on for the service. If ``true`` , the execute command functionality is turned on for all containers in tasks as part of the service.
         :param health_check_grace_period_seconds: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing, VPC Lattice, and container health checks after a task has first started. If you don't specify a health check grace period value, the default value of ``0`` is used. If you don't use any of the health checks, then ``healthCheckGracePeriodSeconds`` is unused. If your service's tasks take a while to start and respond to health checks, you can specify a health check grace period of up to 2,147,483,647 seconds (about 69 years). During that time, the Amazon ECS service scheduler ignores health check status. This grace period can prevent the service scheduler from marking tasks as unhealthy and stopping them before they have time to come up.
         :param launch_type: The launch type on which to run your service. For more information, see `Amazon ECS Launch Types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
-        :param load_balancers: A list of load balancer objects to associate with the service. If you specify the ``Role`` property, ``LoadBalancers`` must be specified as well. For information about the number of load balancers that you can specify per service, see `Service Load Balancing <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
+        :param load_balancers: A list of load balancer objects to associate with the service. If you specify the ``Role`` property, ``LoadBalancers`` must be specified as well. For information about the number of load balancers that you can specify per service, see `Service Load Balancing <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html>`_ in the *Amazon Elastic Container Service Developer Guide* . .. epigraph:: To remove this property from your service resource, specify an empty ``LoadBalancer`` array.
         :param network_configuration: The network configuration for the service. This parameter is required for task definitions that use the ``awsvpc`` network mode to receive their own elastic network interface, and it is not supported for other network modes. For more information, see `Task Networking <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
-        :param placement_constraints: An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.
-        :param placement_strategies: The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.
+        :param placement_constraints: An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime. .. epigraph:: To remove this property from your service resource, specify an empty ``PlacementConstraint`` array.
+        :param placement_strategies: The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service. .. epigraph:: To remove this property from your service resource, specify an empty ``PlacementStrategy`` array.
         :param platform_version: The platform version that your tasks in the service are running on. A platform version is specified only for tasks using the Fargate launch type. If one isn't specified, the ``LATEST`` platform version is used. For more information, see `AWS Fargate platform versions <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html>`_ in the *Amazon Elastic Container Service Developer Guide* . Default: - "LATEST"
         :param propagate_tags: Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags aren't propagated. Tags can only be propagated to the task during task creation. To add tags to a task after task creation, use the `TagResource <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TagResource.html>`_ API action. You must set this to a value other than ``NONE`` when you use Cost Explorer. For more information, see `Amazon ECS usage reports <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/usage-reports.html>`_ in the *Amazon Elastic Container Service Developer Guide* . The default is ``NONE`` .
         :param role: The name or full Amazon Resource Name (ARN) of the IAM role that allows Amazon ECS to make calls to your load balancer on your behalf. This parameter is only permitted if you are using a load balancer with your service and your task definition doesn't use the ``awsvpc`` network mode. If you specify the ``role`` parameter, you must also specify a load balancer object with the ``loadBalancers`` parameter. .. epigraph:: If your account has already created the Amazon ECS service-linked role, that role is used for your service unless you specify a role here. The service-linked role is required if your task definition uses the ``awsvpc`` network mode or if the service is configured to use service discovery, an external deployment controller, multiple target groups, or Elastic Inference accelerators in which case you don't specify a role here. For more information, see `Using service-linked roles for Amazon ECS <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html>`_ in the *Amazon Elastic Container Service Developer Guide* . If your specified role has a path other than ``/`` , then you must either specify the full role ARN (this is recommended) or prefix the role name with the path. For example, if a role with the name ``bar`` has a path of ``/foo/`` then you would specify ``/foo/bar`` as the role name. For more information, see `Friendly names and paths <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names>`_ in the *IAM User Guide* .
         :param scheduling_strategy: The scheduling strategy to use for the service. For more information, see `Services <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html>`_ . There are two service scheduler strategies available: - ``REPLICA`` -The replica scheduling strategy places and maintains the desired number of tasks across your cluster. By default, the service scheduler spreads tasks across Availability Zones. You can use task placement strategies and constraints to customize task placement decisions. This scheduler strategy is required if the service uses the ``CODE_DEPLOY`` or ``EXTERNAL`` deployment controller types. - ``DAEMON`` -The daemon scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that you specify in your cluster. The service scheduler also evaluates the task placement constraints for running tasks and will stop tasks that don't meet the placement constraints. When you're using this strategy, you don't need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies. .. epigraph:: Tasks using the Fargate launch type or the ``CODE_DEPLOY`` or ``EXTERNAL`` deployment controller types don't support the ``DAEMON`` scheduling strategy.
         :param service_connect_configuration: The configuration for this service to discover and connect to services, and be discovered by, and connected from, other services within a namespace. Tasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see `Service Connect <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
         :param service_name: The name of your service. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. Service names must be unique within a cluster, but you can have similarly named services in multiple clusters within a Region or across multiple Regions. .. epigraph:: The stack update fails if you change any properties that require replacement and the ``ServiceName`` is configured. This is because AWS CloudFormation creates the replacement service first, but each ``ServiceName`` must be unique in the cluster.
-        :param service_registries: The details of the service discovery registry to associate with this service. For more information, see `Service discovery <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html>`_ . .. epigraph:: Each service may be associated with one service registry. Multiple service registries for each service isn't supported.
+        :param service_registries: The details of the service discovery registry to associate with this service. For more information, see `Service discovery <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html>`_ . .. epigraph:: Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty ``ServiceRegistry`` array.
         :param tags: The metadata that you apply to the service to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. When a service is deleted, the tags are deleted as well. The following basic restrictions apply to tags: - Maximum number of tags per resource - 50 - For each resource, each tag key must be unique, and each tag key can have only one value. - Maximum key length - 128 Unicode characters in UTF-8 - Maximum value length - 256 Unicode characters in UTF-8 - If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : /
         :param task_definition: The ``family`` and ``revision`` ( ``family:revision`` ) or full ARN of the task definition to run in your service. If a ``revision`` isn't specified, the latest ``ACTIVE`` revision is used. A task definition must be specified if the service uses either the ``ECS`` or ``CODE_DEPLOY`` deployment controllers. For more information about deployment types, see `Amazon ECS deployment types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html>`_ .
-        :param volume_configurations: The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.
+        :param volume_configurations: The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume. .. epigraph:: To remove this property from your service resource, specify an empty ``ServiceVolumeConfiguration`` array.
         :param vpc_lattice_configurations: The VPC Lattice configuration for the service being created.
         '''
         if __debug__:
@@ -9784,7 +9968,7 @@ class CfnService(
             self,
             *,
             log_driver: typing.Optional[builtins.str] = None,
-            options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+            options: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
             secret_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnService.SecretProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         ) -> None:
             '''The log configuration for the container.
@@ -9865,7 +10049,7 @@ class CfnService(
         @builtins.property
         def options(
             self,
-        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+        ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
             '''The configuration options to send to the log driver.
 
             The options you can specify depend on the log driver. Some of the options you can specify when you use the ``awslogs`` log driver to route logs to Amazon CloudWatch include the following:
@@ -9954,7 +10138,7 @@ class CfnService(
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-service-logconfiguration.html#cfn-ecs-service-logconfiguration-options
             '''
             result = self._values.get("options")
-            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], result)
+            return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], result)
 
         @builtins.property
         def secret_options(
@@ -11638,7 +11822,7 @@ class CfnServiceProps:
         '''Properties for defining a ``CfnService``.
 
         :param availability_zone_rebalancing: Indicates whether to use Availability Zone rebalancing for the service. For more information, see `Balancing an Amazon ECS service across Availability Zones <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html>`_ in the *Amazon Elastic Container Service Developer Guide* . Default: - "DISABLED"
-        :param capacity_provider_strategy: The capacity provider strategy to use for the service. If a ``capacityProviderStrategy`` is specified, the ``launchType`` parameter must be omitted. If no ``capacityProviderStrategy`` or ``launchType`` is specified, the ``defaultCapacityProviderStrategy`` for the cluster is used. A capacity provider strategy can contain a maximum of 20 capacity providers.
+        :param capacity_provider_strategy: The capacity provider strategy to use for the service. If a ``capacityProviderStrategy`` is specified, the ``launchType`` parameter must be omitted. If no ``capacityProviderStrategy`` or ``launchType`` is specified, the ``defaultCapacityProviderStrategy`` for the cluster is used. A capacity provider strategy may contain a maximum of 6 capacity providers. .. epigraph:: To remove this property from your service resource, specify an empty ``CapacityProviderStrategyItem`` array.
         :param cluster: The short name or full Amazon Resource Name (ARN) of the cluster that you run your service on. If you do not specify a cluster, the default cluster is assumed.
         :param deployment_configuration: Optional deployment parameters that control how many tasks run during the deployment and the ordering of stopping and starting tasks.
         :param deployment_controller: The deployment controller to use for the service. If no deployment controller is specified, the default value of ``ECS`` is used.
@@ -11647,20 +11831,20 @@ class CfnServiceProps:
         :param enable_execute_command: Determines whether the execute command functionality is turned on for the service. If ``true`` , the execute command functionality is turned on for all containers in tasks as part of the service.
         :param health_check_grace_period_seconds: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing, VPC Lattice, and container health checks after a task has first started. If you don't specify a health check grace period value, the default value of ``0`` is used. If you don't use any of the health checks, then ``healthCheckGracePeriodSeconds`` is unused. If your service's tasks take a while to start and respond to health checks, you can specify a health check grace period of up to 2,147,483,647 seconds (about 69 years). During that time, the Amazon ECS service scheduler ignores health check status. This grace period can prevent the service scheduler from marking tasks as unhealthy and stopping them before they have time to come up.
         :param launch_type: The launch type on which to run your service. For more information, see `Amazon ECS Launch Types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
-        :param load_balancers: A list of load balancer objects to associate with the service. If you specify the ``Role`` property, ``LoadBalancers`` must be specified as well. For information about the number of load balancers that you can specify per service, see `Service Load Balancing <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
+        :param load_balancers: A list of load balancer objects to associate with the service. If you specify the ``Role`` property, ``LoadBalancers`` must be specified as well. For information about the number of load balancers that you can specify per service, see `Service Load Balancing <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html>`_ in the *Amazon Elastic Container Service Developer Guide* . .. epigraph:: To remove this property from your service resource, specify an empty ``LoadBalancer`` array.
         :param network_configuration: The network configuration for the service. This parameter is required for task definitions that use the ``awsvpc`` network mode to receive their own elastic network interface, and it is not supported for other network modes. For more information, see `Task Networking <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
-        :param placement_constraints: An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.
-        :param placement_strategies: The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service.
+        :param placement_constraints: An array of placement constraint objects to use for tasks in your service. You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime. .. epigraph:: To remove this property from your service resource, specify an empty ``PlacementConstraint`` array.
+        :param placement_strategies: The placement strategy objects to use for tasks in your service. You can specify a maximum of 5 strategy rules for each service. .. epigraph:: To remove this property from your service resource, specify an empty ``PlacementStrategy`` array.
         :param platform_version: The platform version that your tasks in the service are running on. A platform version is specified only for tasks using the Fargate launch type. If one isn't specified, the ``LATEST`` platform version is used. For more information, see `AWS Fargate platform versions <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html>`_ in the *Amazon Elastic Container Service Developer Guide* . Default: - "LATEST"
         :param propagate_tags: Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags aren't propagated. Tags can only be propagated to the task during task creation. To add tags to a task after task creation, use the `TagResource <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TagResource.html>`_ API action. You must set this to a value other than ``NONE`` when you use Cost Explorer. For more information, see `Amazon ECS usage reports <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/usage-reports.html>`_ in the *Amazon Elastic Container Service Developer Guide* . The default is ``NONE`` .
         :param role: The name or full Amazon Resource Name (ARN) of the IAM role that allows Amazon ECS to make calls to your load balancer on your behalf. This parameter is only permitted if you are using a load balancer with your service and your task definition doesn't use the ``awsvpc`` network mode. If you specify the ``role`` parameter, you must also specify a load balancer object with the ``loadBalancers`` parameter. .. epigraph:: If your account has already created the Amazon ECS service-linked role, that role is used for your service unless you specify a role here. The service-linked role is required if your task definition uses the ``awsvpc`` network mode or if the service is configured to use service discovery, an external deployment controller, multiple target groups, or Elastic Inference accelerators in which case you don't specify a role here. For more information, see `Using service-linked roles for Amazon ECS <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html>`_ in the *Amazon Elastic Container Service Developer Guide* . If your specified role has a path other than ``/`` , then you must either specify the full role ARN (this is recommended) or prefix the role name with the path. For example, if a role with the name ``bar`` has a path of ``/foo/`` then you would specify ``/foo/bar`` as the role name. For more information, see `Friendly names and paths <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names>`_ in the *IAM User Guide* .
         :param scheduling_strategy: The scheduling strategy to use for the service. For more information, see `Services <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html>`_ . There are two service scheduler strategies available: - ``REPLICA`` -The replica scheduling strategy places and maintains the desired number of tasks across your cluster. By default, the service scheduler spreads tasks across Availability Zones. You can use task placement strategies and constraints to customize task placement decisions. This scheduler strategy is required if the service uses the ``CODE_DEPLOY`` or ``EXTERNAL`` deployment controller types. - ``DAEMON`` -The daemon scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that you specify in your cluster. The service scheduler also evaluates the task placement constraints for running tasks and will stop tasks that don't meet the placement constraints. When you're using this strategy, you don't need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies. .. epigraph:: Tasks using the Fargate launch type or the ``CODE_DEPLOY`` or ``EXTERNAL`` deployment controller types don't support the ``DAEMON`` scheduling strategy.
         :param service_connect_configuration: The configuration for this service to discover and connect to services, and be discovered by, and connected from, other services within a namespace. Tasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see `Service Connect <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
         :param service_name: The name of your service. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. Service names must be unique within a cluster, but you can have similarly named services in multiple clusters within a Region or across multiple Regions. .. epigraph:: The stack update fails if you change any properties that require replacement and the ``ServiceName`` is configured. This is because AWS CloudFormation creates the replacement service first, but each ``ServiceName`` must be unique in the cluster.
-        :param service_registries: The details of the service discovery registry to associate with this service. For more information, see `Service discovery <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html>`_ . .. epigraph:: Each service may be associated with one service registry. Multiple service registries for each service isn't supported.
+        :param service_registries: The details of the service discovery registry to associate with this service. For more information, see `Service discovery <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html>`_ . .. epigraph:: Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty ``ServiceRegistry`` array.
         :param tags: The metadata that you apply to the service to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. When a service is deleted, the tags are deleted as well. The following basic restrictions apply to tags: - Maximum number of tags per resource - 50 - For each resource, each tag key must be unique, and each tag key can have only one value. - Maximum key length - 128 Unicode characters in UTF-8 - Maximum value length - 256 Unicode characters in UTF-8 - If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : /
         :param task_definition: The ``family`` and ``revision`` ( ``family:revision`` ) or full ARN of the task definition to run in your service. If a ``revision`` isn't specified, the latest ``ACTIVE`` revision is used. A task definition must be specified if the service uses either the ``ECS`` or ``CODE_DEPLOY`` deployment controllers. For more information about deployment types, see `Amazon ECS deployment types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html>`_ .
-        :param volume_configurations: The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.
+        :param volume_configurations: The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume. .. epigraph:: To remove this property from your service resource, specify an empty ``ServiceVolumeConfiguration`` array.
         :param vpc_lattice_configurations: The VPC Lattice configuration for the service being created.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html
@@ -11920,7 +12104,10 @@ class CfnServiceProps:
 
         If a ``capacityProviderStrategy`` is specified, the ``launchType`` parameter must be omitted. If no ``capacityProviderStrategy`` or ``launchType`` is specified, the ``defaultCapacityProviderStrategy`` for the cluster is used.
 
-        A capacity provider strategy can contain a maximum of 20 capacity providers.
+        A capacity provider strategy may contain a maximum of 6 capacity providers.
+        .. epigraph::
+
+           To remove this property from your service resource, specify an empty ``CapacityProviderStrategyItem`` array.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-capacityproviderstrategy
         '''
@@ -12034,6 +12221,9 @@ class CfnServiceProps:
         '''A list of load balancer objects to associate with the service.
 
         If you specify the ``Role`` property, ``LoadBalancers`` must be specified as well. For information about the number of load balancers that you can specify per service, see `Service Load Balancing <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
+        .. epigraph::
+
+           To remove this property from your service resource, specify an empty ``LoadBalancer`` array.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-loadbalancers
         '''
@@ -12060,6 +12250,9 @@ class CfnServiceProps:
         '''An array of placement constraint objects to use for tasks in your service.
 
         You can specify a maximum of 10 constraints for each task. This limit includes constraints in the task definition and those specified at runtime.
+        .. epigraph::
+
+           To remove this property from your service resource, specify an empty ``PlacementConstraint`` array.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-placementconstraints
         '''
@@ -12073,6 +12266,9 @@ class CfnServiceProps:
         '''The placement strategy objects to use for tasks in your service.
 
         You can specify a maximum of 5 strategy rules for each service.
+        .. epigraph::
+
+           To remove this property from your service resource, specify an empty ``PlacementStrategy`` array.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-placementstrategies
         '''
@@ -12176,7 +12372,7 @@ class CfnServiceProps:
 
         .. epigraph::
 
-           Each service may be associated with one service registry. Multiple service registries for each service isn't supported.
+           Each service may be associated with one service registry. Multiple service registries for each service isn't supported. > To remove this property from your service resource, specify an empty ``ServiceRegistry`` array.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-serviceregistries
         '''
@@ -12230,6 +12426,9 @@ class CfnServiceProps:
         '''The configuration for a volume specified in the task definition as a volume that is configured at launch time.
 
         Currently, the only supported volume type is an Amazon EBS volume.
+        .. epigraph::
+
+           To remove this property from your service resource, specify an empty ``ServiceVolumeConfiguration`` array.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-volumeconfigurations
         '''
@@ -13039,7 +13238,7 @@ class CfnTaskDefinition(
             disable_networking: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
             dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
             dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
-            docker_labels: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+            docker_labels: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
             docker_security_options: typing.Optional[typing.Sequence[builtins.str]] = None,
             entry_point: typing.Optional[typing.Sequence[builtins.str]] = None,
             environment: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTaskDefinition.KeyValuePairProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
@@ -13558,7 +13757,7 @@ class CfnTaskDefinition(
         @builtins.property
         def docker_labels(
             self,
-        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+        ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
             '''A key/value map of labels to add to the container.
 
             This parameter maps to ``Labels`` in the docker container create command and the ``--label`` option to docker run. This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: ``sudo docker version --format '{{.Server.APIVersion}}'``
@@ -13566,7 +13765,7 @@ class CfnTaskDefinition(
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-dockerlabels
             '''
             result = self._values.get("docker_labels")
-            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], result)
+            return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], result)
 
         @builtins.property
         def docker_security_options(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -14279,8 +14478,8 @@ class CfnTaskDefinition(
             *,
             autoprovision: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
             driver: typing.Optional[builtins.str] = None,
-            driver_opts: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
-            labels: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+            driver_opts: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
+            labels: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
             scope: typing.Optional[builtins.str] = None,
         ) -> None:
             '''The ``DockerVolumeConfiguration`` property specifies a Docker volume configuration and is used when you use Docker volumes.
@@ -14362,7 +14561,7 @@ class CfnTaskDefinition(
         @builtins.property
         def driver_opts(
             self,
-        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+        ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
             '''A map of Docker driver-specific options passed through.
 
             This parameter maps to ``DriverOpts`` in the docker create-volume command and the ``xxopt`` option to docker volume create.
@@ -14370,12 +14569,12 @@ class CfnTaskDefinition(
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-dockervolumeconfiguration.html#cfn-ecs-taskdefinition-dockervolumeconfiguration-driveropts
             '''
             result = self._values.get("driver_opts")
-            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], result)
+            return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], result)
 
         @builtins.property
         def labels(
             self,
-        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+        ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
             '''Custom metadata to add to your Docker volume.
 
             This parameter maps to ``Labels`` in the docker container create command and the ``xxlabel`` option to docker volume create.
@@ -14383,7 +14582,7 @@ class CfnTaskDefinition(
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-dockervolumeconfiguration.html#cfn-ecs-taskdefinition-dockervolumeconfiguration-labels
             '''
             result = self._values.get("labels")
-            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], result)
+            return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], result)
 
         @builtins.property
         def scope(self) -> typing.Optional[builtins.str]:
@@ -14885,7 +15084,7 @@ class CfnTaskDefinition(
         def __init__(
             self,
             *,
-            options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+            options: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
             type: typing.Optional[builtins.str] = None,
         ) -> None:
             '''The FireLens configuration for the container.
@@ -14924,7 +15123,7 @@ class CfnTaskDefinition(
         @builtins.property
         def options(
             self,
-        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+        ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
             '''The options to use when configuring the log router.
 
             This field is optional and can be used to add additional metadata, such as the task, task definition, cluster, and container instance details to the log event.
@@ -14938,7 +15137,7 @@ class CfnTaskDefinition(
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-firelensconfiguration.html#cfn-ecs-taskdefinition-firelensconfiguration-options
             '''
             result = self._values.get("options")
-            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], result)
+            return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], result)
 
         @builtins.property
         def type(self) -> typing.Optional[builtins.str]:
@@ -15338,6 +15537,14 @@ class CfnTaskDefinition(
 
             For more detailed information about these Linux capabilities, see the `capabilities(7) <https://docs.aws.amazon.com/http://man7.org/linux/man-pages/man7/capabilities.7.html>`_ Linux manual page.
 
+            The following describes how Docker processes the Linux capabilities specified in the ``add`` and ``drop`` request parameters. For information about the latest behavior, see `Docker Compose: order of cap_drop and cap_add <https://docs.aws.amazon.com/https://forums.docker.com/t/docker-compose-order-of-cap-drop-and-cap-add/97136/1>`_ in the Docker Community Forum.
+
+            - When the container is a privleged container, the container capabilities are all of the default Docker capabilities. The capabilities specified in the ``add`` request parameter, and the ``drop`` request parameter are ignored.
+            - When the ``add`` request parameter is set to ALL, the container capabilities are all of the default Docker capabilities, excluding those specified in the ``drop`` request parameter.
+            - When the ``drop`` request parameter is set to ALL, the container capabilities are the capabilities specified in the ``add`` request parameter.
+            - When the ``add`` request parameter and the ``drop`` request parameter are both empty, the capabilities the container capabilities are all of the default Docker capabilities.
+            - The default is to first drop the capabilities specified in the ``drop`` request parameter, and then add the capabilities specified in the ``add`` request parameter.
+
             :param add: The Linux capabilities for the container that have been added to the default configuration provided by Docker. This parameter maps to ``CapAdd`` in the docker container create command and the ``--cap-add`` option to docker run. .. epigraph:: Tasks launched on AWS Fargate only support adding the ``SYS_PTRACE`` kernel capability. Valid values: ``"ALL" | "AUDIT_CONTROL" | "AUDIT_WRITE" | "BLOCK_SUSPEND" | "CHOWN" | "DAC_OVERRIDE" | "DAC_READ_SEARCH" | "FOWNER" | "FSETID" | "IPC_LOCK" | "IPC_OWNER" | "KILL" | "LEASE" | "LINUX_IMMUTABLE" | "MAC_ADMIN" | "MAC_OVERRIDE" | "MKNOD" | "NET_ADMIN" | "NET_BIND_SERVICE" | "NET_BROADCAST" | "NET_RAW" | "SETFCAP" | "SETGID" | "SETPCAP" | "SETUID" | "SYS_ADMIN" | "SYS_BOOT" | "SYS_CHROOT" | "SYS_MODULE" | "SYS_NICE" | "SYS_PACCT" | "SYS_PTRACE" | "SYS_RAWIO" | "SYS_RESOURCE" | "SYS_TIME" | "SYS_TTY_CONFIG" | "SYSLOG" | "WAKE_ALARM"``
             :param drop: The Linux capabilities for the container that have been removed from the default configuration provided by Docker. This parameter maps to ``CapDrop`` in the docker container create command and the ``--cap-drop`` option to docker run. Valid values: ``"ALL" | "AUDIT_CONTROL" | "AUDIT_WRITE" | "BLOCK_SUSPEND" | "CHOWN" | "DAC_OVERRIDE" | "DAC_READ_SEARCH" | "FOWNER" | "FSETID" | "IPC_LOCK" | "IPC_OWNER" | "KILL" | "LEASE" | "LINUX_IMMUTABLE" | "MAC_ADMIN" | "MAC_OVERRIDE" | "MKNOD" | "NET_ADMIN" | "NET_BIND_SERVICE" | "NET_BROADCAST" | "NET_RAW" | "SETFCAP" | "SETGID" | "SETPCAP" | "SETUID" | "SYS_ADMIN" | "SYS_BOOT" | "SYS_CHROOT" | "SYS_MODULE" | "SYS_NICE" | "SYS_PACCT" | "SYS_PTRACE" | "SYS_RAWIO" | "SYS_RESOURCE" | "SYS_TIME" | "SYS_TTY_CONFIG" | "SYSLOG" | "WAKE_ALARM"``
 
@@ -15704,7 +15911,7 @@ class CfnTaskDefinition(
             self,
             *,
             log_driver: builtins.str,
-            options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+            options: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
             secret_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTaskDefinition.SecretProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         ) -> None:
             '''The ``LogConfiguration`` property specifies log configuration options to send to a custom log driver for the container.
@@ -15772,7 +15979,7 @@ class CfnTaskDefinition(
         @builtins.property
         def options(
             self,
-        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+        ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
             '''The configuration options to send to the log driver.
 
             The options you can specify depend on the log driver. Some of the options you can specify when you use the ``awslogs`` log driver to route logs to Amazon CloudWatch include the following:
@@ -15861,7 +16068,7 @@ class CfnTaskDefinition(
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-logconfiguration.html#cfn-ecs-taskdefinition-logconfiguration-options
             '''
             result = self._values.get("options")
-            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], result)
+            return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], result)
 
         @builtins.property
         def secret_options(
@@ -16430,7 +16637,7 @@ class CfnTaskDefinition(
             self,
             *,
             enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-            ignored_exit_codes: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[jsii.Number]]] = None,
+            ignored_exit_codes: typing.Optional[typing.Union[typing.Sequence[jsii.Number], _IResolvable_da3f097b]] = None,
             restart_attempt_period: typing.Optional[jsii.Number] = None,
         ) -> None:
             '''You can enable a restart policy for each container defined in your task definition, to overcome transient failures faster and maintain task availability.
@@ -16483,7 +16690,7 @@ class CfnTaskDefinition(
         @builtins.property
         def ignored_exit_codes(
             self,
-        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[jsii.Number]]]:
+        ) -> typing.Optional[typing.Union[typing.List[jsii.Number], _IResolvable_da3f097b]]:
             '''A list of exit codes that Amazon ECS will ignore and not attempt a restart on.
 
             You can specify a maximum of 50 container exit codes. By default, Amazon ECS does not ignore any exit codes.
@@ -16491,7 +16698,7 @@ class CfnTaskDefinition(
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-restartpolicy.html#cfn-ecs-taskdefinition-restartpolicy-ignoredexitcodes
             '''
             result = self._values.get("ignored_exit_codes")
-            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[jsii.Number]]], result)
+            return typing.cast(typing.Optional[typing.Union[typing.List[jsii.Number], _IResolvable_da3f097b]], result)
 
         @builtins.property
         def restart_attempt_period(self) -> typing.Optional[jsii.Number]:
@@ -20337,6 +20544,7 @@ class ContainerDefinition(
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
         ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
+        version_consistency: typing.Optional["VersionConsistency"] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Constructs a new instance of the ContainerDefinition class.
@@ -20381,6 +20589,7 @@ class ContainerDefinition(
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
         :param ulimits: An array of ulimits to set in the container.
         :param user: The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Default: root
+        :param version_consistency: Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest. If you set the value for a container as disabled, Amazon ECS will not resolve the provided container image tag to a digest and will use the original image URI specified in the container definition for deployment. Default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         '''
         if __debug__:
@@ -20426,6 +20635,7 @@ class ContainerDefinition(
             system_controls=system_controls,
             ulimits=ulimits,
             user=user,
+            version_consistency=version_consistency,
             working_directory=working_directory,
         )
 
@@ -20823,6 +21033,7 @@ class ContainerDefinition(
         "system_controls": "systemControls",
         "ulimits": "ulimits",
         "user": "user",
+        "version_consistency": "versionConsistency",
         "working_directory": "workingDirectory",
     },
 )
@@ -20867,6 +21078,7 @@ class ContainerDefinitionOptions:
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
         ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
+        version_consistency: typing.Optional["VersionConsistency"] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
@@ -20907,6 +21119,7 @@ class ContainerDefinitionOptions:
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
         :param ulimits: An array of ulimits to set in the container.
         :param user: The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Default: root
+        :param version_consistency: Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest. If you set the value for a container as disabled, Amazon ECS will not resolve the provided container image tag to a digest and will use the original image URI specified in the container definition for deployment. Default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
         :param working_directory: The working directory in which to run commands inside the container. Default: /
 
         :exampleMetadata: infused
@@ -20975,6 +21188,7 @@ class ContainerDefinitionOptions:
             check_type(argname="argument system_controls", value=system_controls, expected_type=type_hints["system_controls"])
             check_type(argname="argument ulimits", value=ulimits, expected_type=type_hints["ulimits"])
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
+            check_type(argname="argument version_consistency", value=version_consistency, expected_type=type_hints["version_consistency"])
             check_type(argname="argument working_directory", value=working_directory, expected_type=type_hints["working_directory"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "image": image,
@@ -21051,6 +21265,8 @@ class ContainerDefinitionOptions:
             self._values["ulimits"] = ulimits
         if user is not None:
             self._values["user"] = user
+        if version_consistency is not None:
+            self._values["version_consistency"] = version_consistency
         if working_directory is not None:
             self._values["working_directory"] = working_directory
 
@@ -21461,6 +21677,21 @@ class ContainerDefinitionOptions:
         result = self._values.get("user")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def version_consistency(self) -> typing.Optional["VersionConsistency"]:
+        '''Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest.
+
+        If you set the value for a container as disabled, Amazon ECS will
+        not resolve the provided container image tag to a digest and will use the
+        original image URI specified in the container definition for deployment.
+
+        :default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-versionconsistency
+        '''
+        result = self._values.get("version_consistency")
+        return typing.cast(typing.Optional["VersionConsistency"], result)
+
     @builtins.property
     def working_directory(self) -> typing.Optional[builtins.str]:
         '''The working directory in which to run commands inside the container.
@@ -21523,6 +21754,7 @@ class ContainerDefinitionOptions:
         "system_controls": "systemControls",
         "ulimits": "ulimits",
         "user": "user",
+        "version_consistency": "versionConsistency",
         "working_directory": "workingDirectory",
         "task_definition": "taskDefinition",
     },
@@ -21568,6 +21800,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
         ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
+        version_consistency: typing.Optional["VersionConsistency"] = None,
         working_directory: typing.Optional[builtins.str] = None,
         task_definition: "TaskDefinition",
     ) -> None:
@@ -21610,6 +21843,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
         :param ulimits: An array of ulimits to set in the container.
         :param user: The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Default: root
+        :param version_consistency: Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest. If you set the value for a container as disabled, Amazon ECS will not resolve the provided container image tag to a digest and will use the original image URI specified in the container definition for deployment. Default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         :param task_definition: The name of the task definition that includes this container definition. [disable-awslint:ref-via-interface]
 
@@ -21704,6 +21938,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
                     soft_limit=123
                 )],
                 user="user",
+                version_consistency=ecs.VersionConsistency.ENABLED,
                 working_directory="workingDirectory"
             )
         '''
@@ -21748,6 +21983,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
             check_type(argname="argument system_controls", value=system_controls, expected_type=type_hints["system_controls"])
             check_type(argname="argument ulimits", value=ulimits, expected_type=type_hints["ulimits"])
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
+            check_type(argname="argument version_consistency", value=version_consistency, expected_type=type_hints["version_consistency"])
             check_type(argname="argument working_directory", value=working_directory, expected_type=type_hints["working_directory"])
             check_type(argname="argument task_definition", value=task_definition, expected_type=type_hints["task_definition"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
@@ -21826,6 +22062,8 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
             self._values["ulimits"] = ulimits
         if user is not None:
             self._values["user"] = user
+        if version_consistency is not None:
+            self._values["version_consistency"] = version_consistency
         if working_directory is not None:
             self._values["working_directory"] = working_directory
 
@@ -22236,6 +22474,21 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
         result = self._values.get("user")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def version_consistency(self) -> typing.Optional["VersionConsistency"]:
+        '''Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest.
+
+        If you set the value for a container as disabled, Amazon ECS will
+        not resolve the provided container image tag to a digest and will use the
+        original image URI specified in the container definition for deployment.
+
+        :default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-versionconsistency
+        '''
+        result = self._values.get("version_consistency")
+        return typing.cast(typing.Optional["VersionConsistency"], result)
+
     @builtins.property
     def working_directory(self) -> typing.Optional[builtins.str]:
         '''The working directory in which to run commands inside the container.
@@ -23999,6 +24252,7 @@ class Ec2ServiceAttributes:
         "volume_configurations": "volumeConfigurations",
         "task_definition": "taskDefinition",
         "assign_public_ip": "assignPublicIp",
+        "availability_zone_rebalancing": "availabilityZoneRebalancing",
         "daemon": "daemon",
         "placement_constraints": "placementConstraints",
         "placement_strategies": "placementStrategies",
@@ -24029,6 +24283,7 @@ class Ec2ServiceProps(BaseServiceOptions):
         volume_configurations: typing.Optional[typing.Sequence["ServiceManagedVolume"]] = None,
         task_definition: "TaskDefinition",
         assign_public_ip: typing.Optional[builtins.bool] = None,
+        availability_zone_rebalancing: typing.Optional[AvailabilityZoneRebalancing] = None,
         daemon: typing.Optional[builtins.bool] = None,
         placement_constraints: typing.Optional[typing.Sequence["PlacementConstraint"]] = None,
         placement_strategies: typing.Optional[typing.Sequence["PlacementStrategy"]] = None,
@@ -24056,6 +24311,7 @@ class Ec2ServiceProps(BaseServiceOptions):
         :param volume_configurations: Configuration details for a volume used by the service. This allows you to specify details about the EBS volume that can be attched to ECS tasks. Default: - undefined
         :param task_definition: The task definition to use for tasks in the service. [disable-awslint:ref-via-interface]
         :param assign_public_ip: Specifies whether the task's elastic network interface receives a public IP address. If true, each task will receive a public IP address. This property is only used for tasks that use the awsvpc network mode. Default: false
+        :param availability_zone_rebalancing: Whether to use Availability Zone rebalancing for the service. If enabled: ``maxHealthyPercent`` must be greater than 100; ``daemon`` must be false; if there are any ``placementStrategies``, the first must be "spread across Availability Zones"; there must be no ``placementConstraints`` using ``attribute:ecs.availability-zone``, and the service must not be a target of a Classic Load Balancer. Default: AvailabilityZoneRebalancing.DISABLED
         :param daemon: Specifies whether the service will use the daemon scheduling strategy. If true, the service scheduler deploys exactly one task on each container instance in your cluster. When you are using this strategy, do not specify a desired number of tasks or any task placement strategies. Default: false
         :param placement_constraints: The placement constraints to use for tasks in the service. For more information, see `Amazon ECS Task Placement Constraints <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-constraints.html>`_. Default: - No constraints.
         :param placement_strategies: The placement strategies to use for tasks in the service. For more information, see `Amazon ECS Task Placement Strategies <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-strategies.html>`_. Default: - No strategies.
@@ -24112,6 +24368,7 @@ class Ec2ServiceProps(BaseServiceOptions):
             check_type(argname="argument volume_configurations", value=volume_configurations, expected_type=type_hints["volume_configurations"])
             check_type(argname="argument task_definition", value=task_definition, expected_type=type_hints["task_definition"])
             check_type(argname="argument assign_public_ip", value=assign_public_ip, expected_type=type_hints["assign_public_ip"])
+            check_type(argname="argument availability_zone_rebalancing", value=availability_zone_rebalancing, expected_type=type_hints["availability_zone_rebalancing"])
             check_type(argname="argument daemon", value=daemon, expected_type=type_hints["daemon"])
             check_type(argname="argument placement_constraints", value=placement_constraints, expected_type=type_hints["placement_constraints"])
             check_type(argname="argument placement_strategies", value=placement_strategies, expected_type=type_hints["placement_strategies"])
@@ -24155,6 +24412,8 @@ class Ec2ServiceProps(BaseServiceOptions):
             self._values["volume_configurations"] = volume_configurations
         if assign_public_ip is not None:
             self._values["assign_public_ip"] = assign_public_ip
+        if availability_zone_rebalancing is not None:
+            self._values["availability_zone_rebalancing"] = availability_zone_rebalancing
         if daemon is not None:
             self._values["daemon"] = daemon
         if placement_constraints is not None:
@@ -24364,6 +24623,24 @@ class Ec2ServiceProps(BaseServiceOptions):
         result = self._values.get("assign_public_ip")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def availability_zone_rebalancing(
+        self,
+    ) -> typing.Optional[AvailabilityZoneRebalancing]:
+        '''Whether to use Availability Zone rebalancing for the service.
+
+        If enabled: ``maxHealthyPercent`` must be greater than 100; ``daemon`` must be false; if there
+        are any ``placementStrategies``, the first must be "spread across Availability Zones"; there
+        must be no ``placementConstraints`` using ``attribute:ecs.availability-zone``, and the
+        service must not be a target of a Classic Load Balancer.
+
+        :default: AvailabilityZoneRebalancing.DISABLED
+
+        :see: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html
+        '''
+        result = self._values.get("availability_zone_rebalancing")
+        return typing.cast(typing.Optional[AvailabilityZoneRebalancing], result)
+
     @builtins.property
     def daemon(self) -> typing.Optional[builtins.bool]:
         '''Specifies whether the service will use the daemon scheduling strategy.
@@ -25941,6 +26218,7 @@ class ExternalServiceAttributes:
         "task_definition_revision": "taskDefinitionRevision",
         "volume_configurations": "volumeConfigurations",
         "task_definition": "taskDefinition",
+        "daemon": "daemon",
         "security_groups": "securityGroups",
     },
 )
@@ -25966,6 +26244,7 @@ class ExternalServiceProps(BaseServiceOptions):
         task_definition_revision: typing.Optional["TaskDefinitionRevision"] = None,
         volume_configurations: typing.Optional[typing.Sequence["ServiceManagedVolume"]] = None,
         task_definition: "TaskDefinition",
+        daemon: typing.Optional[builtins.bool] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
     ) -> None:
         '''The properties for defining a service using the External launch type.
@@ -25988,6 +26267,7 @@ class ExternalServiceProps(BaseServiceOptions):
         :param task_definition_revision: Revision number for the task definition or ``latest`` to use the latest active task revision. Default: - Uses the revision of the passed task definition deployed by CloudFormation
         :param volume_configurations: Configuration details for a volume used by the service. This allows you to specify details about the EBS volume that can be attched to ECS tasks. Default: - undefined
         :param task_definition: The task definition to use for tasks in the service. [disable-awslint:ref-via-interface]
+        :param daemon: By default, service use REPLICA scheduling strategy, this parameter enable DAEMON scheduling strategy. If true, the service scheduler deploys exactly one task on each container instance in your cluster. When you are using this strategy, do not specify a desired number of tasks or any task placement strategies. Tasks using the Fargate launch type or the CODE_DEPLOY or EXTERNAL deployment controller types don't support the DAEMON scheduling strategy. Default: false
         :param security_groups: The security groups to associate with the service. If you do not specify a security group, a new security group is created. Default: - A new security group is created.
 
         :exampleMetadata: infused
@@ -25998,11 +26278,16 @@ class ExternalServiceProps(BaseServiceOptions):
             # task_definition: ecs.TaskDefinition
             
             
-            service = ecs.ExternalService(self, "Service",
+            ecs.Ec2Service(self, "Ec2Service",
                 cluster=cluster,
                 task_definition=task_definition,
-                desired_count=5,
-                min_healthy_percent=100
+                daemon=True
+            )
+            
+            ecs.ExternalService(self, "ExternalService",
+                cluster=cluster,
+                task_definition=task_definition,
+                daemon=True
             )
         '''
         if isinstance(circuit_breaker, dict):
@@ -26035,6 +26320,7 @@ class ExternalServiceProps(BaseServiceOptions):
             check_type(argname="argument task_definition_revision", value=task_definition_revision, expected_type=type_hints["task_definition_revision"])
             check_type(argname="argument volume_configurations", value=volume_configurations, expected_type=type_hints["volume_configurations"])
             check_type(argname="argument task_definition", value=task_definition, expected_type=type_hints["task_definition"])
+            check_type(argname="argument daemon", value=daemon, expected_type=type_hints["daemon"])
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "cluster": cluster,
@@ -26072,6 +26358,8 @@ class ExternalServiceProps(BaseServiceOptions):
             self._values["task_definition_revision"] = task_definition_revision
         if volume_configurations is not None:
             self._values["volume_configurations"] = volume_configurations
+        if daemon is not None:
+            self._values["daemon"] = daemon
         if security_groups is not None:
             self._values["security_groups"] = security_groups
 
@@ -26260,6 +26548,20 @@ class ExternalServiceProps(BaseServiceOptions):
         assert result is not None, "Required property 'task_definition' is missing"
         return typing.cast("TaskDefinition", result)
 
+    @builtins.property
+    def daemon(self) -> typing.Optional[builtins.bool]:
+        '''By default, service use REPLICA scheduling strategy, this parameter enable DAEMON scheduling strategy.
+
+        If true, the service scheduler deploys exactly one task on each container instance in your cluster.
+
+        When you are using this strategy, do not specify a desired number of tasks or any task placement strategies.
+        Tasks using the Fargate launch type or the CODE_DEPLOY or EXTERNAL deployment controller types don't support the DAEMON scheduling strategy.
+
+        :default: false
+        '''
+        result = self._values.get("daemon")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def security_groups(self) -> typing.Optional[typing.List[_ISecurityGroup_acf8a799]]:
         '''The security groups to associate with the service.
@@ -26761,6 +27063,7 @@ class FargateServiceAttributes:
         "volume_configurations": "volumeConfigurations",
         "task_definition": "taskDefinition",
         "assign_public_ip": "assignPublicIp",
+        "availability_zone_rebalancing": "availabilityZoneRebalancing",
         "platform_version": "platformVersion",
         "security_groups": "securityGroups",
         "vpc_subnets": "vpcSubnets",
@@ -26789,6 +27092,7 @@ class FargateServiceProps(BaseServiceOptions):
         volume_configurations: typing.Optional[typing.Sequence["ServiceManagedVolume"]] = None,
         task_definition: "TaskDefinition",
         assign_public_ip: typing.Optional[builtins.bool] = None,
+        availability_zone_rebalancing: typing.Optional[AvailabilityZoneRebalancing] = None,
         platform_version: typing.Optional[FargatePlatformVersion] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
         vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -26814,6 +27118,7 @@ class FargateServiceProps(BaseServiceOptions):
         :param volume_configurations: Configuration details for a volume used by the service. This allows you to specify details about the EBS volume that can be attched to ECS tasks. Default: - undefined
         :param task_definition: The task definition to use for tasks in the service. [disable-awslint:ref-via-interface]
         :param assign_public_ip: Specifies whether the task's elastic network interface receives a public IP address. If true, each task will receive a public IP address. Default: false
+        :param availability_zone_rebalancing: Whether to use Availability Zone rebalancing for the service. If enabled, ``maxHealthyPercent`` must be greater than 100, and the service must not be a target of a Classic Load Balancer. Default: AvailabilityZoneRebalancing.DISABLED
         :param platform_version: The platform version on which to run your service. If one is not specified, the LATEST platform version is used by default. For more information, see `AWS Fargate Platform Versions <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html>`_ in the Amazon Elastic Container Service Developer Guide. Default: Latest
         :param security_groups: The security groups to associate with the service. If you do not specify a security group, a new security group is created. Default: - A new security group is created.
         :param vpc_subnets: The subnets to associate with the service. Default: - Public subnets if ``assignPublicIp`` is set, otherwise the first available one of Private, Isolated, Public, in that order.
@@ -26822,34 +27127,22 @@ class FargateServiceProps(BaseServiceOptions):
 
         Example::
 
-            import aws_cdk.aws_cloudwatch as cw
-            
             # cluster: ecs.Cluster
             # task_definition: ecs.TaskDefinition
-            # elb_alarm: cw.Alarm
+            # vpc: ec2.Vpc
             
+            service = ecs.FargateService(self, "Service", cluster=cluster, task_definition=task_definition, min_healthy_percent=100)
             
-            service = ecs.FargateService(self, "Service",
-                cluster=cluster,
-                task_definition=task_definition,
-                min_healthy_percent=100,
-                deployment_alarms=ecs.DeploymentAlarmConfig(
-                    alarm_names=[elb_alarm.alarm_name],
-                    behavior=ecs.AlarmBehavior.ROLLBACK_ON_ALARM
+            lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc, internet_facing=True)
+            listener = lb.add_listener("Listener", port=80)
+            service.register_load_balancer_targets(
+                container_name="web",
+                container_port=80,
+                new_target_group_id="ECS",
+                listener=ecs.ListenerConfig.application_listener(listener,
+                    protocol=elbv2.ApplicationProtocol.HTTPS
                 )
             )
-            
-            # Defining a deployment alarm after the service has been created
-            cpu_alarm_name = "MyCpuMetricAlarm"
-            cw.Alarm(self, "CPUAlarm",
-                alarm_name=cpu_alarm_name,
-                metric=service.metric_cpu_utilization(),
-                evaluation_periods=2,
-                threshold=80
-            )
-            service.enable_deployment_alarms([cpu_alarm_name],
-                behavior=ecs.AlarmBehavior.FAIL_ON_ALARM
-            )
         '''
         if isinstance(circuit_breaker, dict):
             circuit_breaker = DeploymentCircuitBreaker(**circuit_breaker)
@@ -26884,6 +27177,7 @@ class FargateServiceProps(BaseServiceOptions):
             check_type(argname="argument volume_configurations", value=volume_configurations, expected_type=type_hints["volume_configurations"])
             check_type(argname="argument task_definition", value=task_definition, expected_type=type_hints["task_definition"])
             check_type(argname="argument assign_public_ip", value=assign_public_ip, expected_type=type_hints["assign_public_ip"])
+            check_type(argname="argument availability_zone_rebalancing", value=availability_zone_rebalancing, expected_type=type_hints["availability_zone_rebalancing"])
             check_type(argname="argument platform_version", value=platform_version, expected_type=type_hints["platform_version"])
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
@@ -26925,6 +27219,8 @@ class FargateServiceProps(BaseServiceOptions):
             self._values["volume_configurations"] = volume_configurations
         if assign_public_ip is not None:
             self._values["assign_public_ip"] = assign_public_ip
+        if availability_zone_rebalancing is not None:
+            self._values["availability_zone_rebalancing"] = availability_zone_rebalancing
         if platform_version is not None:
             self._values["platform_version"] = platform_version
         if security_groups is not None:
@@ -27128,6 +27424,22 @@ class FargateServiceProps(BaseServiceOptions):
         result = self._values.get("assign_public_ip")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def availability_zone_rebalancing(
+        self,
+    ) -> typing.Optional[AvailabilityZoneRebalancing]:
+        '''Whether to use Availability Zone rebalancing for the service.
+
+        If enabled, ``maxHealthyPercent`` must be greater than 100, and the service must not be a target
+        of a Classic Load Balancer.
+
+        :default: AvailabilityZoneRebalancing.DISABLED
+
+        :see: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html
+        '''
+        result = self._values.get("availability_zone_rebalancing")
+        return typing.cast(typing.Optional[AvailabilityZoneRebalancing], result)
+
     @builtins.property
     def platform_version(self) -> typing.Optional[FargatePlatformVersion]:
         '''The platform version on which to run your service.
@@ -27963,6 +28275,7 @@ class FirelensLogRouter(
                 soft_limit=123
             )],
             user="user",
+            version_consistency=ecs.VersionConsistency.ENABLED,
             working_directory="workingDirectory"
         )
     '''
@@ -28011,6 +28324,7 @@ class FirelensLogRouter(
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
         ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
+        version_consistency: typing.Optional["VersionConsistency"] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Constructs a new instance of the FirelensLogRouter class.
@@ -28056,6 +28370,7 @@ class FirelensLogRouter(
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
         :param ulimits: An array of ulimits to set in the container.
         :param user: The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Default: root
+        :param version_consistency: Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest. If you set the value for a container as disabled, Amazon ECS will not resolve the provided container image tag to a digest and will use the original image URI specified in the container definition for deployment. Default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         '''
         if __debug__:
@@ -28102,6 +28417,7 @@ class FirelensLogRouter(
             system_controls=system_controls,
             ulimits=ulimits,
             user=user,
+            version_consistency=version_consistency,
             working_directory=working_directory,
         )
 
@@ -28169,6 +28485,7 @@ class FirelensLogRouter(
         "system_controls": "systemControls",
         "ulimits": "ulimits",
         "user": "user",
+        "version_consistency": "versionConsistency",
         "working_directory": "workingDirectory",
         "firelens_config": "firelensConfig",
     },
@@ -28214,6 +28531,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
         ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
+        version_consistency: typing.Optional["VersionConsistency"] = None,
         working_directory: typing.Optional[builtins.str] = None,
         firelens_config: typing.Union[FirelensConfig, typing.Dict[builtins.str, typing.Any]],
     ) -> None:
@@ -28256,6 +28574,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
         :param ulimits: An array of ulimits to set in the container.
         :param user: The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Default: root
+        :param version_consistency: Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest. If you set the value for a container as disabled, Amazon ECS will not resolve the provided container image tag to a digest and will use the original image URI specified in the container definition for deployment. Default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         :param firelens_config: Firelens configuration.
 
@@ -28358,6 +28677,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
                     soft_limit=123
                 )],
                 user="user",
+                version_consistency=ecs.VersionConsistency.ENABLED,
                 working_directory="workingDirectory"
             )
         '''
@@ -28404,6 +28724,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
             check_type(argname="argument system_controls", value=system_controls, expected_type=type_hints["system_controls"])
             check_type(argname="argument ulimits", value=ulimits, expected_type=type_hints["ulimits"])
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
+            check_type(argname="argument version_consistency", value=version_consistency, expected_type=type_hints["version_consistency"])
             check_type(argname="argument working_directory", value=working_directory, expected_type=type_hints["working_directory"])
             check_type(argname="argument firelens_config", value=firelens_config, expected_type=type_hints["firelens_config"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
@@ -28482,6 +28803,8 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
             self._values["ulimits"] = ulimits
         if user is not None:
             self._values["user"] = user
+        if version_consistency is not None:
+            self._values["version_consistency"] = version_consistency
         if working_directory is not None:
             self._values["working_directory"] = working_directory
 
@@ -28892,6 +29215,21 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         result = self._values.get("user")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def version_consistency(self) -> typing.Optional["VersionConsistency"]:
+        '''Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest.
+
+        If you set the value for a container as disabled, Amazon ECS will
+        not resolve the provided container image tag to a digest and will use the
+        original image URI specified in the container definition for deployment.
+
+        :default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-versionconsistency
+        '''
+        result = self._values.get("version_consistency")
+        return typing.cast(typing.Optional["VersionConsistency"], result)
+
     @builtins.property
     def working_directory(self) -> typing.Optional[builtins.str]:
         '''The working directory in which to run commands inside the container.
@@ -28961,6 +29299,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         "system_controls": "systemControls",
         "ulimits": "ulimits",
         "user": "user",
+        "version_consistency": "versionConsistency",
         "working_directory": "workingDirectory",
         "task_definition": "taskDefinition",
         "firelens_config": "firelensConfig",
@@ -29007,6 +29346,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
         ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
+        version_consistency: typing.Optional["VersionConsistency"] = None,
         working_directory: typing.Optional[builtins.str] = None,
         task_definition: "TaskDefinition",
         firelens_config: typing.Union[FirelensConfig, typing.Dict[builtins.str, typing.Any]],
@@ -29050,6 +29390,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
         :param ulimits: An array of ulimits to set in the container.
         :param user: The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Default: root
+        :param version_consistency: Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest. If you set the value for a container as disabled, Amazon ECS will not resolve the provided container image tag to a digest and will use the original image URI specified in the container definition for deployment. Default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         :param task_definition: The name of the task definition that includes this container definition. [disable-awslint:ref-via-interface]
         :param firelens_config: Firelens configuration.
@@ -29155,6 +29496,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
                     soft_limit=123
                 )],
                 user="user",
+                version_consistency=ecs.VersionConsistency.ENABLED,
                 working_directory="workingDirectory"
             )
         '''
@@ -29201,6 +29543,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
             check_type(argname="argument system_controls", value=system_controls, expected_type=type_hints["system_controls"])
             check_type(argname="argument ulimits", value=ulimits, expected_type=type_hints["ulimits"])
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
+            check_type(argname="argument version_consistency", value=version_consistency, expected_type=type_hints["version_consistency"])
             check_type(argname="argument working_directory", value=working_directory, expected_type=type_hints["working_directory"])
             check_type(argname="argument task_definition", value=task_definition, expected_type=type_hints["task_definition"])
             check_type(argname="argument firelens_config", value=firelens_config, expected_type=type_hints["firelens_config"])
@@ -29281,6 +29624,8 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
             self._values["ulimits"] = ulimits
         if user is not None:
             self._values["user"] = user
+        if version_consistency is not None:
+            self._values["version_consistency"] = version_consistency
         if working_directory is not None:
             self._values["working_directory"] = working_directory
 
@@ -29691,6 +30036,21 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
         result = self._values.get("user")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def version_consistency(self) -> typing.Optional["VersionConsistency"]:
+        '''Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest.
+
+        If you set the value for a container as disabled, Amazon ECS will
+        not resolve the provided container image tag to a digest and will use the
+        original image URI specified in the container definition for deployment.
+
+        :default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-versionconsistency
+        '''
+        result = self._values.get("version_consistency")
+        return typing.cast(typing.Optional["VersionConsistency"], result)
+
     @builtins.property
     def working_directory(self) -> typing.Optional[builtins.str]:
         '''The working directory in which to run commands inside the container.
@@ -34908,6 +35268,7 @@ class ServiceConnectProps:
         "ingress_port_override": "ingressPortOverride",
         "per_request_timeout": "perRequestTimeout",
         "port": "port",
+        "tls": "tls",
     },
 )
 class ServiceConnectService:
@@ -34921,6 +35282,7 @@ class ServiceConnectService:
         ingress_port_override: typing.Optional[jsii.Number] = None,
         per_request_timeout: typing.Optional[_Duration_4839e8c3] = None,
         port: typing.Optional[jsii.Number] = None,
+        tls: typing.Optional[typing.Union["ServiceConnectTlsConfiguration", typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''Interface for service connect Service props.
 
@@ -34931,6 +35293,7 @@ class ServiceConnectService:
         :param ingress_port_override: Optional. The port on the Service Connect agent container to use for traffic ingress to this service. Default: - none
         :param per_request_timeout: The amount of time waiting for the upstream to respond with a complete response per request for Service Connect. A value of 0 can be set to disable ``perRequestTimeout``. Can only be set when the ``appProtocol`` for the application container is HTTP/HTTP2/GRPC. If ``idleTimeout`` is set to a time that is less than ``perRequestTimeout``, the connection will close when the ``idleTimeout`` is reached and not the ``perRequestTimeout``. Default: - Duration.seconds(15)
         :param port: The port for clients to use to communicate with this service via Service Connect. Default: the container port specified by the port mapping in portMappingName.
+        :param tls: A reference to an object that represents a Transport Layer Security (TLS) configuration. Default: - none
 
         :exampleMetadata: fixture=_generated
 
@@ -34940,6 +35303,11 @@ class ServiceConnectService:
             # The values are placeholders you should change.
             import aws_cdk as cdk
             from aws_cdk import aws_ecs as ecs
+            from aws_cdk import aws_iam as iam
+            from aws_cdk import aws_kms as kms
+            
+            # key: kms.Key
+            # role: iam.Role
             
             service_connect_service = ecs.ServiceConnectService(
                 port_mapping_name="portMappingName",
@@ -34950,9 +35318,16 @@ class ServiceConnectService:
                 idle_timeout=cdk.Duration.minutes(30),
                 ingress_port_override=123,
                 per_request_timeout=cdk.Duration.minutes(30),
-                port=123
+                port=123,
+                tls=ecs.ServiceConnectTlsConfiguration(
+                    aws_pca_authority_arn="awsPcaAuthorityArn",
+                    kms_key=key,
+                    role=role
+                )
             )
         '''
+        if isinstance(tls, dict):
+            tls = ServiceConnectTlsConfiguration(**tls)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__5fc70dc513eac25b19e79ac6e7ba5dc61662a4299bbba170094fabb95b271fd0)
             check_type(argname="argument port_mapping_name", value=port_mapping_name, expected_type=type_hints["port_mapping_name"])
@@ -34962,6 +35337,7 @@ class ServiceConnectService:
             check_type(argname="argument ingress_port_override", value=ingress_port_override, expected_type=type_hints["ingress_port_override"])
             check_type(argname="argument per_request_timeout", value=per_request_timeout, expected_type=type_hints["per_request_timeout"])
             check_type(argname="argument port", value=port, expected_type=type_hints["port"])
+            check_type(argname="argument tls", value=tls, expected_type=type_hints["tls"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "port_mapping_name": port_mapping_name,
         }
@@ -34977,6 +35353,8 @@ class ServiceConnectService:
             self._values["per_request_timeout"] = per_request_timeout
         if port is not None:
             self._values["port"] = port
+        if tls is not None:
+            self._values["tls"] = tls
 
     @builtins.property
     def port_mapping_name(self) -> builtins.str:
@@ -35057,6 +35435,15 @@ class ServiceConnectService:
         result = self._values.get("port")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def tls(self) -> typing.Optional["ServiceConnectTlsConfiguration"]:
+        '''A reference to an object that represents a Transport Layer Security (TLS) configuration.
+
+        :default: - none
+        '''
+        result = self._values.get("tls")
+        return typing.cast(typing.Optional["ServiceConnectTlsConfiguration"], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -35069,6 +35456,108 @@ class ServiceConnectService:
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ecs.ServiceConnectTlsConfiguration",
+    jsii_struct_bases=[],
+    name_mapping={
+        "aws_pca_authority_arn": "awsPcaAuthorityArn",
+        "kms_key": "kmsKey",
+        "role": "role",
+    },
+)
+class ServiceConnectTlsConfiguration:
+    def __init__(
+        self,
+        *,
+        aws_pca_authority_arn: typing.Optional[builtins.str] = None,
+        kms_key: typing.Optional[_IKey_5f11635f] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+    ) -> None:
+        '''TLS configuration for Service Connect service.
+
+        :param aws_pca_authority_arn: The ARN of the certificate root authority that secures your service. Default: - none
+        :param kms_key: The KMS key used for encryption and decryption. Default: - none
+        :param role: The IAM role that's associated with the Service Connect TLS. Default: - none
+
+        :exampleMetadata: infused
+
+        Example::
+
+            # cluster: ecs.Cluster
+            # task_definition: ecs.TaskDefinition
+            # kms_key: kms.IKey
+            # role: iam.IRole
+            
+            
+            service = ecs.FargateService(self, "FargateService",
+                cluster=cluster,
+                task_definition=task_definition,
+                service_connect_configuration=ecs.ServiceConnectProps(
+                    services=[ecs.ServiceConnectService(
+                        tls=ecs.ServiceConnectTlsConfiguration(
+                            role=role,
+                            kms_key=kms_key,
+                            aws_pca_authority_arn="arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/123456789012"
+                        ),
+                        port_mapping_name="api"
+                    )
+                    ],
+                    namespace="sample namespace"
+                )
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__7266405779c519b75a2c1f8c4019cc54ff7bc528da44ee8ce4b42ec354e3b370)
+            check_type(argname="argument aws_pca_authority_arn", value=aws_pca_authority_arn, expected_type=type_hints["aws_pca_authority_arn"])
+            check_type(argname="argument kms_key", value=kms_key, expected_type=type_hints["kms_key"])
+            check_type(argname="argument role", value=role, expected_type=type_hints["role"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if aws_pca_authority_arn is not None:
+            self._values["aws_pca_authority_arn"] = aws_pca_authority_arn
+        if kms_key is not None:
+            self._values["kms_key"] = kms_key
+        if role is not None:
+            self._values["role"] = role
+
+    @builtins.property
+    def aws_pca_authority_arn(self) -> typing.Optional[builtins.str]:
+        '''The ARN of the certificate root authority that secures your service.
+
+        :default: - none
+        '''
+        result = self._values.get("aws_pca_authority_arn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def kms_key(self) -> typing.Optional[_IKey_5f11635f]:
+        '''The KMS key used for encryption and decryption.
+
+        :default: - none
+        '''
+        result = self._values.get("kms_key")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
+    @builtins.property
+    def role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The IAM role that's associated with the Service Connect TLS.
+
+        :default: - none
+        '''
+        result = self._values.get("role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "ServiceConnectTlsConfiguration(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_ecs.ServiceManagedEBSVolumeConfiguration",
     jsii_struct_bases=[],
@@ -36646,20 +37135,32 @@ class TaskDefinition(
 
     Example::
 
-        # cluster: ecs.Cluster
         # task_definition: ecs.TaskDefinition
-        # vpc: ec2.Vpc
+        # cluster: ecs.Cluster
         
-        service = ecs.FargateService(self, "Service", cluster=cluster, task_definition=task_definition, min_healthy_percent=100)
         
-        lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc, internet_facing=True)
-        listener = lb.add_listener("Listener", port=80)
-        service.register_load_balancer_targets(
-            container_name="web",
-            container_port=80,
-            new_target_group_id="ECS",
-            listener=ecs.ListenerConfig.application_listener(listener,
-                protocol=elbv2.ApplicationProtocol.HTTPS
+        # Add a container to the task definition
+        specific_container = task_definition.add_container("Container",
+            image=ecs.ContainerImage.from_registry("/aws/aws-example-app"),
+            memory_limit_mi_b=2048
+        )
+        
+        # Add a port mapping
+        specific_container.add_port_mappings(
+            container_port=7600,
+            protocol=ecs.Protocol.TCP
+        )
+        
+        ecs.Ec2Service(self, "Service",
+            cluster=cluster,
+            task_definition=task_definition,
+            min_healthy_percent=100,
+            cloud_map_options=ecs.CloudMapOptions(
+                # Create SRV records - useful for bridge networking
+                dns_record_type=cloudmap.DnsRecordType.SRV,
+                # Targets port TCP port 7600 `specificContainer`
+                container=specific_container,
+                container_port=7600
             )
         )
     '''
@@ -36690,10 +37191,10 @@ class TaskDefinition(
 
         :param scope: -
         :param id: -
-        :param compatibility: The task launch type compatiblity requirement.
+        :param compatibility: The task launch type compatibility requirement.
         :param cpu: The number of cpu units used by the task. If you are using the EC2 launch type, this field is optional and any value can be used. If you are using the Fargate launch type, this field is required and you must use one of the following values, which determines your range of valid values for the memory parameter: 256 (.25 vCPU) - Available memory values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) 512 (.5 vCPU) - Available memory values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) 1024 (1 vCPU) - Available memory values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) 2048 (2 vCPU) - Available memory values: Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) 4096 (4 vCPU) - Available memory values: Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) 8192 (8 vCPU) - Available memory values: Between 16384 (16 GB) and 61440 (60 GB) in increments of 4096 (4 GB) 16384 (16 vCPU) - Available memory values: Between 32768 (32 GB) and 122880 (120 GB) in increments of 8192 (8 GB) Default: - CPU units are not specified.
         :param ephemeral_storage_gib: The amount (in GiB) of ephemeral storage to be allocated to the task. Only supported in Fargate platform version 1.4.0 or later. Default: - Undefined, in which case, the task will receive 20GiB ephemeral storage.
-        :param inference_accelerators: The inference accelerators to use for the containers in the task. Not supported in Fargate. Default: - No inference accelerators.
+        :param inference_accelerators: (deprecated) The inference accelerators to use for the containers in the task. Not supported in Fargate. Default: - No inference accelerators.
         :param ipc_mode: The IPC resource namespace to use for the containers in the task. Not supported in Fargate and Windows containers. Default: - IpcMode used by the task is not specified
         :param memory_mib: The amount (in MiB) of memory used by the task. If using the EC2 launch type, this field is optional and any value can be used. If using the Fargate launch type, this field is required and you must use one of the following values, which determines your range of valid values for the cpu parameter: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) - Available cpu values: 256 (.25 vCPU) 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) - Available cpu values: 512 (.5 vCPU) 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) - Available cpu values: 1024 (1 vCPU) Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) - Available cpu values: 2048 (2 vCPU) Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) - Available cpu values: 4096 (4 vCPU) Between 16384 (16 GB) and 61440 (60 GB) in increments of 4096 (4 GB) - Available cpu values: 8192 (8 vCPU) Between 32768 (32 GB) and 122880 (120 GB) in increments of 8192 (8 GB) - Available cpu values: 16384 (16 vCPU) Default: - Memory used by task is not specified.
         :param network_mode: The networking mode to use for the containers in the task. On Fargate, the only supported networking mode is AwsVpc. Default: - NetworkMode.Bridge for EC2 & External tasks, AwsVpc for Fargate tasks.
@@ -36834,6 +37335,7 @@ class TaskDefinition(
         system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
         ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
+        version_consistency: typing.Optional["VersionConsistency"] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> ContainerDefinition:
         '''Adds a new container to the task definition.
@@ -36876,6 +37378,7 @@ class TaskDefinition(
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
         :param ulimits: An array of ulimits to set in the container.
         :param user: The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Default: root
+        :param version_consistency: Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest. If you set the value for a container as disabled, Amazon ECS will not resolve the provided container image tag to a digest and will use the original image URI specified in the container definition for deployment. Default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         '''
         if __debug__:
@@ -36919,6 +37422,7 @@ class TaskDefinition(
             system_controls=system_controls,
             ulimits=ulimits,
             user=user,
+            version_consistency=version_consistency,
             working_directory=working_directory,
         )
 
@@ -36981,6 +37485,7 @@ class TaskDefinition(
         system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
         ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
+        version_consistency: typing.Optional["VersionConsistency"] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> FirelensLogRouter:
         '''Adds a firelens log router to the task definition.
@@ -37024,6 +37529,7 @@ class TaskDefinition(
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
         :param ulimits: An array of ulimits to set in the container.
         :param user: The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Default: root
+        :param version_consistency: Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest. If you set the value for a container as disabled, Amazon ECS will not resolve the provided container image tag to a digest and will use the original image URI specified in the container definition for deployment. Default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         '''
         if __debug__:
@@ -37068,6 +37574,7 @@ class TaskDefinition(
             system_controls=system_controls,
             ulimits=ulimits,
             user=user,
+            version_consistency=version_consistency,
             working_directory=working_directory,
         )
 
@@ -37080,10 +37587,14 @@ class TaskDefinition(
         device_name: typing.Optional[builtins.str] = None,
         device_type: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''Adds an inference accelerator to the task definition.
+        '''(deprecated) Adds an inference accelerator to the task definition.
 
         :param device_name: The Elastic Inference accelerator device name. Default: - empty
         :param device_type: The Elastic Inference accelerator type to use. The allowed values are: eia2.medium, eia2.large and eia2.xlarge. Default: - empty
+
+        :deprecated: ECS TaskDefinition's inferenceAccelerator is EOL since April 2024
+
+        :stability: deprecated
         '''
         inference_accelerator = InferenceAccelerator(
             device_name=device_name, device_type=device_type
@@ -37502,10 +38013,10 @@ class TaskDefinitionProps(CommonTaskDefinitionProps):
         :param proxy_configuration: The configuration details for the App Mesh proxy. Default: - No proxy configuration.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: - A task role is automatically created for you.
         :param volumes: The list of volume definitions for the task. For more information, see `Task Definition Parameter Volumes <https://docs.aws.amazon.com/AmazonECS/latest/developerguide//task_definition_parameters.html#volumes>`_. Default: - No volumes are passed to the Docker daemon on a container instance.
-        :param compatibility: The task launch type compatiblity requirement.
+        :param compatibility: The task launch type compatibility requirement.
         :param cpu: The number of cpu units used by the task. If you are using the EC2 launch type, this field is optional and any value can be used. If you are using the Fargate launch type, this field is required and you must use one of the following values, which determines your range of valid values for the memory parameter: 256 (.25 vCPU) - Available memory values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) 512 (.5 vCPU) - Available memory values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) 1024 (1 vCPU) - Available memory values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) 2048 (2 vCPU) - Available memory values: Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) 4096 (4 vCPU) - Available memory values: Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) 8192 (8 vCPU) - Available memory values: Between 16384 (16 GB) and 61440 (60 GB) in increments of 4096 (4 GB) 16384 (16 vCPU) - Available memory values: Between 32768 (32 GB) and 122880 (120 GB) in increments of 8192 (8 GB) Default: - CPU units are not specified.
         :param ephemeral_storage_gib: The amount (in GiB) of ephemeral storage to be allocated to the task. Only supported in Fargate platform version 1.4.0 or later. Default: - Undefined, in which case, the task will receive 20GiB ephemeral storage.
-        :param inference_accelerators: The inference accelerators to use for the containers in the task. Not supported in Fargate. Default: - No inference accelerators.
+        :param inference_accelerators: (deprecated) The inference accelerators to use for the containers in the task. Not supported in Fargate. Default: - No inference accelerators.
         :param ipc_mode: The IPC resource namespace to use for the containers in the task. Not supported in Fargate and Windows containers. Default: - IpcMode used by the task is not specified
         :param memory_mib: The amount (in MiB) of memory used by the task. If using the EC2 launch type, this field is optional and any value can be used. If using the Fargate launch type, this field is required and you must use one of the following values, which determines your range of valid values for the cpu parameter: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) - Available cpu values: 256 (.25 vCPU) 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) - Available cpu values: 512 (.5 vCPU) 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) - Available cpu values: 1024 (1 vCPU) Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) - Available cpu values: 2048 (2 vCPU) Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) - Available cpu values: 4096 (4 vCPU) Between 16384 (16 GB) and 61440 (60 GB) in increments of 4096 (4 GB) - Available cpu values: 8192 (8 vCPU) Between 32768 (32 GB) and 122880 (120 GB) in increments of 8192 (8 GB) - Available cpu values: 16384 (16 vCPU) Default: - Memory used by task is not specified.
         :param network_mode: The networking mode to use for the containers in the task. On Fargate, the only supported networking mode is AwsVpc. Default: - NetworkMode.Bridge for EC2 & External tasks, AwsVpc for Fargate tasks.
@@ -37666,7 +38177,7 @@ class TaskDefinitionProps(CommonTaskDefinitionProps):
 
     @builtins.property
     def compatibility(self) -> Compatibility:
-        '''The task launch type compatiblity requirement.'''
+        '''The task launch type compatibility requirement.'''
         result = self._values.get("compatibility")
         assert result is not None, "Required property 'compatibility' is missing"
         return typing.cast(Compatibility, result)
@@ -37713,11 +38224,15 @@ class TaskDefinitionProps(CommonTaskDefinitionProps):
     def inference_accelerators(
         self,
     ) -> typing.Optional[typing.List[InferenceAccelerator]]:
-        '''The inference accelerators to use for the containers in the task.
+        '''(deprecated) The inference accelerators to use for the containers in the task.
 
         Not supported in Fargate.
 
         :default: - No inference accelerators.
+
+        :deprecated: ECS TaskDefinition's inferenceAccelerator is EOL since April 2024
+
+        :stability: deprecated
         '''
         result = self._values.get("inference_accelerators")
         return typing.cast(typing.Optional[typing.List[InferenceAccelerator]], result)
@@ -38299,6 +38814,28 @@ class UlimitName(enum.Enum):
     STACK = "STACK"
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_ecs.VersionConsistency")
+class VersionConsistency(enum.Enum):
+    '''State of the container version consistency feature.
+
+    :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-versionconsistency
+    :exampleMetadata: infused
+
+    Example::
+
+        task_definition = ecs.Ec2TaskDefinition(self, "TaskDef")
+        task_definition.add_container("TheContainer",
+            image=ecs.ContainerImage.from_registry("example-image"),
+            version_consistency=ecs.VersionConsistency.DISABLED
+        )
+    '''
+
+    ENABLED = "ENABLED"
+    '''The version consistency feature is enabled for this container.'''
+    DISABLED = "DISABLED"
+    '''The version consistency feature is disabled for this container.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_ecs.Volume",
     jsii_struct_bases=[],
@@ -39407,7 +39944,7 @@ class Cluster(
         statistic: typing.Optional[builtins.str] = None,
         unit: typing.Optional[_Unit_61bc6f70] = None,
     ) -> _Metric_e396a4dc:
-        '''This method returns the specifed CloudWatch metric for this cluster.
+        '''This method returns the specified CloudWatch metric for this cluster.
 
         :param metric_name: -
         :param account: Account which this metric comes from. Default: - Deployment account.
@@ -40510,7 +41047,7 @@ class BaseService(
 
         Don't call this. Call ``loadBalancer.addTarget()`` instead.
 
-        :param load_balancer: -
+        :param load_balancer: [disable-awslint:ref-via-interface].
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__56ff5a0e2823e80ea268c7defc428085c67b793cb31e88397d625cd6370439a1)
@@ -41038,6 +41575,7 @@ class Ec2Service(
         *,
         task_definition: TaskDefinition,
         assign_public_ip: typing.Optional[builtins.bool] = None,
+        availability_zone_rebalancing: typing.Optional[AvailabilityZoneRebalancing] = None,
         daemon: typing.Optional[builtins.bool] = None,
         placement_constraints: typing.Optional[typing.Sequence[PlacementConstraint]] = None,
         placement_strategies: typing.Optional[typing.Sequence[PlacementStrategy]] = None,
@@ -41067,6 +41605,7 @@ class Ec2Service(
         :param id: -
         :param task_definition: The task definition to use for tasks in the service. [disable-awslint:ref-via-interface]
         :param assign_public_ip: Specifies whether the task's elastic network interface receives a public IP address. If true, each task will receive a public IP address. This property is only used for tasks that use the awsvpc network mode. Default: false
+        :param availability_zone_rebalancing: Whether to use Availability Zone rebalancing for the service. If enabled: ``maxHealthyPercent`` must be greater than 100; ``daemon`` must be false; if there are any ``placementStrategies``, the first must be "spread across Availability Zones"; there must be no ``placementConstraints`` using ``attribute:ecs.availability-zone``, and the service must not be a target of a Classic Load Balancer. Default: AvailabilityZoneRebalancing.DISABLED
         :param daemon: Specifies whether the service will use the daemon scheduling strategy. If true, the service scheduler deploys exactly one task on each container instance in your cluster. When you are using this strategy, do not specify a desired number of tasks or any task placement strategies. Default: false
         :param placement_constraints: The placement constraints to use for tasks in the service. For more information, see `Amazon ECS Task Placement Constraints <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-constraints.html>`_. Default: - No constraints.
         :param placement_strategies: The placement strategies to use for tasks in the service. For more information, see `Amazon ECS Task Placement Strategies <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-strategies.html>`_. Default: - No strategies.
@@ -41097,6 +41636,7 @@ class Ec2Service(
         props = Ec2ServiceProps(
             task_definition=task_definition,
             assign_public_ip=assign_public_ip,
+            availability_zone_rebalancing=availability_zone_rebalancing,
             daemon=daemon,
             placement_constraints=placement_constraints,
             placement_strategies=placement_strategies,
@@ -41201,6 +41741,21 @@ class Ec2Service(
             check_type(argname="argument strategies", value=strategies, expected_type=typing.Tuple[type_hints["strategies"], ...]) # pyright: ignore [reportGeneralTypeIssues]
         return typing.cast(None, jsii.invoke(self, "addPlacementStrategies", [*strategies]))
 
+    @jsii.member(jsii_name="attachToClassicLB")
+    def attach_to_classic_lb(self, load_balancer: _LoadBalancer_a894d40e) -> None:
+        '''Registers the service as a target of a Classic Load Balancer (CLB).
+
+        Don't call this. Call ``loadBalancer.addTarget()`` instead.
+
+        :param load_balancer: -
+
+        :override: true
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__92dbc7c46013b6831215fcc3302fb341d8b788fd8a9ae3631b63127cde348e55)
+            check_type(argname="argument load_balancer", value=load_balancer, expected_type=type_hints["load_balancer"])
+        return typing.cast(None, jsii.invoke(self, "attachToClassicLB", [load_balancer]))
+
 
 @jsii.implements(IEc2TaskDefinition)
 class Ec2TaskDefinition(
@@ -41380,6 +41935,7 @@ class Ec2TaskDefinition(
         system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
         ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
+        version_consistency: typing.Optional[VersionConsistency] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> ContainerDefinition:
         '''Tasks running in AWSVPC networking mode requires an additional environment variable for the region to be sourced.
@@ -41424,6 +41980,7 @@ class Ec2TaskDefinition(
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
         :param ulimits: An array of ulimits to set in the container.
         :param user: The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Default: root
+        :param version_consistency: Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest. If you set the value for a container as disabled, Amazon ECS will not resolve the provided container image tag to a digest and will use the original image URI specified in the container definition for deployment. Default: VersionConsistency.DISABLED if ``image`` is a CDK asset, VersionConsistency.ENABLED otherwise
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         '''
         if __debug__:
@@ -41467,6 +42024,7 @@ class Ec2TaskDefinition(
             system_controls=system_controls,
             ulimits=ulimits,
             user=user,
+            version_consistency=version_consistency,
             working_directory=working_directory,
         )
 
@@ -41490,11 +42048,16 @@ class ExternalService(
         # task_definition: ecs.TaskDefinition
         
         
-        service = ecs.ExternalService(self, "Service",
+        ecs.Ec2Service(self, "Ec2Service",
             cluster=cluster,
             task_definition=task_definition,
-            desired_count=5,
-            min_healthy_percent=100
+            daemon=True
+        )
+        
+        ecs.ExternalService(self, "ExternalService",
+            cluster=cluster,
+            task_definition=task_definition,
+            daemon=True
         )
     '''
 
@@ -41504,6 +42067,7 @@ class ExternalService(
         id: builtins.str,
         *,
         task_definition: TaskDefinition,
+        daemon: typing.Optional[builtins.bool] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
         cluster: ICluster,
         capacity_provider_strategies: typing.Optional[typing.Sequence[typing.Union[CapacityProviderStrategy, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -41528,6 +42092,7 @@ class ExternalService(
         :param scope: -
         :param id: -
         :param task_definition: The task definition to use for tasks in the service. [disable-awslint:ref-via-interface]
+        :param daemon: By default, service use REPLICA scheduling strategy, this parameter enable DAEMON scheduling strategy. If true, the service scheduler deploys exactly one task on each container instance in your cluster. When you are using this strategy, do not specify a desired number of tasks or any task placement strategies. Tasks using the Fargate launch type or the CODE_DEPLOY or EXTERNAL deployment controller types don't support the DAEMON scheduling strategy. Default: false
         :param security_groups: The security groups to associate with the service. If you do not specify a security group, a new security group is created. Default: - A new security group is created.
         :param cluster: The name of the cluster that hosts the service.
         :param capacity_provider_strategies: A list of Capacity Provider strategies used to place a service. Default: - undefined
@@ -41553,6 +42118,7 @@ class ExternalService(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = ExternalServiceProps(
             task_definition=task_definition,
+            daemon=daemon,
             security_groups=security_groups,
             cluster=cluster,
             capacity_provider_strategies=capacity_provider_strategies,
@@ -41918,34 +42484,22 @@ class FargateService(
 
     Example::
 
-        import aws_cdk.aws_cloudwatch as cw
-        
         # cluster: ecs.Cluster
         # task_definition: ecs.TaskDefinition
-        # elb_alarm: cw.Alarm
+        # vpc: ec2.Vpc
         
+        service = ecs.FargateService(self, "Service", cluster=cluster, task_definition=task_definition, min_healthy_percent=100)
         
-        service = ecs.FargateService(self, "Service",
-            cluster=cluster,
-            task_definition=task_definition,
-            min_healthy_percent=100,
-            deployment_alarms=ecs.DeploymentAlarmConfig(
-                alarm_names=[elb_alarm.alarm_name],
-                behavior=ecs.AlarmBehavior.ROLLBACK_ON_ALARM
+        lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc, internet_facing=True)
+        listener = lb.add_listener("Listener", port=80)
+        service.register_load_balancer_targets(
+            container_name="web",
+            container_port=80,
+            new_target_group_id="ECS",
+            listener=ecs.ListenerConfig.application_listener(listener,
+                protocol=elbv2.ApplicationProtocol.HTTPS
             )
         )
-        
-        # Defining a deployment alarm after the service has been created
-        cpu_alarm_name = "MyCpuMetricAlarm"
-        cw.Alarm(self, "CPUAlarm",
-            alarm_name=cpu_alarm_name,
-            metric=service.metric_cpu_utilization(),
-            evaluation_periods=2,
-            threshold=80
-        )
-        service.enable_deployment_alarms([cpu_alarm_name],
-            behavior=ecs.AlarmBehavior.FAIL_ON_ALARM
-        )
     '''
 
     def __init__(
@@ -41955,6 +42509,7 @@ class FargateService(
         *,
         task_definition: TaskDefinition,
         assign_public_ip: typing.Optional[builtins.bool] = None,
+        availability_zone_rebalancing: typing.Optional[AvailabilityZoneRebalancing] = None,
         platform_version: typing.Optional[FargatePlatformVersion] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
         vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -41982,6 +42537,7 @@ class FargateService(
         :param id: -
         :param task_definition: The task definition to use for tasks in the service. [disable-awslint:ref-via-interface]
         :param assign_public_ip: Specifies whether the task's elastic network interface receives a public IP address. If true, each task will receive a public IP address. Default: false
+        :param availability_zone_rebalancing: Whether to use Availability Zone rebalancing for the service. If enabled, ``maxHealthyPercent`` must be greater than 100, and the service must not be a target of a Classic Load Balancer. Default: AvailabilityZoneRebalancing.DISABLED
         :param platform_version: The platform version on which to run your service. If one is not specified, the LATEST platform version is used by default. For more information, see `AWS Fargate Platform Versions <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html>`_ in the Amazon Elastic Container Service Developer Guide. Default: Latest
         :param security_groups: The security groups to associate with the service. If you do not specify a security group, a new security group is created. Default: - A new security group is created.
         :param vpc_subnets: The subnets to associate with the service. Default: - Public subnets if ``assignPublicIp`` is set, otherwise the first available one of Private, Isolated, Public, in that order.
@@ -42010,6 +42566,7 @@ class FargateService(
         props = FargateServiceProps(
             task_definition=task_definition,
             assign_public_ip=assign_public_ip,
+            availability_zone_rebalancing=availability_zone_rebalancing,
             platform_version=platform_version,
             security_groups=security_groups,
             vpc_subnets=vpc_subnets,
@@ -42084,6 +42641,21 @@ class FargateService(
 
         return typing.cast(IBaseService, jsii.sinvoke(cls, "fromFargateServiceAttributes", [scope, id, attrs]))
 
+    @jsii.member(jsii_name="attachToClassicLB")
+    def attach_to_classic_lb(self, load_balancer: _LoadBalancer_a894d40e) -> None:
+        '''Registers the service as a target of a Classic Load Balancer (CLB).
+
+        Don't call this. Call ``loadBalancer.addTarget()`` instead.
+
+        :param load_balancer: -
+
+        :override: true
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__41a65f2e7e6448580d3322dee4bc9635bee60d9fd0fb6a801d91c37859e117f4)
+            check_type(argname="argument load_balancer", value=load_balancer, expected_type=type_hints["load_balancer"])
+        return typing.cast(None, jsii.invoke(self, "attachToClassicLB", [load_balancer]))
+
 
 @jsii.implements(IFargateTaskDefinition)
 class FargateTaskDefinition(
@@ -42235,6 +42807,18 @@ class FargateTaskDefinition(
 
         return typing.cast(IFargateTaskDefinition, jsii.sinvoke(cls, "fromFargateTaskDefinitionAttributes", [scope, id, attrs]))
 
+    @builtins.property
+    @jsii.member(jsii_name="cpu")
+    def cpu(self) -> jsii.Number:
+        '''The number of cpu units used by the task.'''
+        return typing.cast(jsii.Number, jsii.get(self, "cpu"))
+
+    @builtins.property
+    @jsii.member(jsii_name="memoryMiB")
+    def memory_mib(self) -> jsii.Number:
+        '''The amount (in MiB) of memory used by the task.'''
+        return typing.cast(jsii.Number, jsii.get(self, "memoryMiB"))
+
     @builtins.property
     @jsii.member(jsii_name="networkMode")
     def network_mode(self) -> NetworkMode:
@@ -42267,6 +42851,7 @@ __all__ = [
     "AssetImageProps",
     "AssociateCloudMapServiceOptions",
     "AuthorizationConfig",
+    "AvailabilityZoneRebalancing",
     "AwsLogDriver",
     "AwsLogDriverMode",
     "AwsLogDriverProps",
@@ -42433,6 +43018,7 @@ __all__ = [
     "ServiceConnect",
     "ServiceConnectProps",
     "ServiceConnectService",
+    "ServiceConnectTlsConfiguration",
     "ServiceManagedEBSVolumeConfiguration",
     "ServiceManagedVolume",
     "ServiceManagedVolumeProps",
@@ -42452,6 +43038,7 @@ __all__ = [
     "TrackCustomMetricProps",
     "Ulimit",
     "UlimitName",
+    "VersionConsistency",
     "Volume",
     "VolumeFrom",
     "WindowsOptimizedVersion",
@@ -43332,7 +43919,7 @@ def _typecheckingstub__251c3999c1586967f7c9091782e6a113831e05b5f853b910cad8c8e75
 def _typecheckingstub__dc71ad10c4d7e167753ff81a7c450165b3118a6f5f0f8c2ad282bc4bc057a60b(
     *,
     log_driver: typing.Optional[builtins.str] = None,
-    options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+    options: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
     secret_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnService.SecretProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -43663,7 +44250,7 @@ def _typecheckingstub__d367f5be98d90056ca7f199c577c5744b20417ce5d1c8ad339824ec9d
     disable_networking: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
-    docker_labels: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+    docker_labels: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
     docker_security_options: typing.Optional[typing.Sequence[builtins.str]] = None,
     entry_point: typing.Optional[typing.Sequence[builtins.str]] = None,
     environment: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnTaskDefinition.KeyValuePairProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
@@ -43721,8 +44308,8 @@ def _typecheckingstub__fa8da109bc6888a0534920dcd1b365d2de33c75ccc0bbb15b5246ab75
     *,
     autoprovision: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     driver: typing.Optional[builtins.str] = None,
-    driver_opts: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
-    labels: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+    driver_opts: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
+    labels: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
     scope: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -43773,7 +44360,7 @@ def _typecheckingstub__ef74e299375c10c97a6bb4455d35f14ea7c21e10b612cd0fb3958fd12
 
 def _typecheckingstub__6a1cd84d62e34083a37bc4c25d849ac547dacc5fe8a4db04170cf83e3cd1e9d3(
     *,
-    options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+    options: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
     type: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -43845,7 +44432,7 @@ def _typecheckingstub__c0aaf73788be7f1d342c8a05599189d471843835d7b8d191218db6717
 def _typecheckingstub__21877ca71c2d5ead7d497c9d9a61ebef73ab6b2fcae2f5452db9d1dec56c00aa(
     *,
     log_driver: builtins.str,
-    options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+    options: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
     secret_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnTaskDefinition.SecretProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -43899,7 +44486,7 @@ def _typecheckingstub__9f0e59715edb889cdb53a1111c692d2fcadb558bf86158ff87dec568d
 def _typecheckingstub__8ff4a086a815b10fb977e9150a7c099378c03c3a8fe78638f9abfeeaa1b6dad0(
     *,
     enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-    ignored_exit_codes: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[jsii.Number]]] = None,
+    ignored_exit_codes: typing.Optional[typing.Union[typing.Sequence[jsii.Number], _IResolvable_da3f097b]] = None,
     restart_attempt_period: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""
@@ -44289,6 +44876,7 @@ def _typecheckingstub__d8756b492e023ad8d33a399196b15b610f709400ce213e179f17dd1f6
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
     ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
+    version_consistency: typing.Optional[VersionConsistency] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -44422,6 +45010,7 @@ def _typecheckingstub__f2e5f24c1574825a81dd77783d48886a430a675a0e04f03559eca98b5
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
     ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
+    version_consistency: typing.Optional[VersionConsistency] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -44466,6 +45055,7 @@ def _typecheckingstub__20c974a49c79829fac0811dffaf78c449f92ae136414b96232160d37c
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
     ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
+    version_consistency: typing.Optional[VersionConsistency] = None,
     working_directory: typing.Optional[builtins.str] = None,
     task_definition: TaskDefinition,
 ) -> None:
@@ -44717,6 +45307,7 @@ def _typecheckingstub__95634258086aa3448fbdfd9896017a2cbeb858f382deb61186bb9e22b
     volume_configurations: typing.Optional[typing.Sequence[ServiceManagedVolume]] = None,
     task_definition: TaskDefinition,
     assign_public_ip: typing.Optional[builtins.bool] = None,
+    availability_zone_rebalancing: typing.Optional[AvailabilityZoneRebalancing] = None,
     daemon: typing.Optional[builtins.bool] = None,
     placement_constraints: typing.Optional[typing.Sequence[PlacementConstraint]] = None,
     placement_strategies: typing.Optional[typing.Sequence[PlacementStrategy]] = None,
@@ -44913,6 +45504,7 @@ def _typecheckingstub__3cc413964caae89bfcfbcabff8356ffe5c054f46824be99731a77b64e
     task_definition_revision: typing.Optional[TaskDefinitionRevision] = None,
     volume_configurations: typing.Optional[typing.Sequence[ServiceManagedVolume]] = None,
     task_definition: TaskDefinition,
+    daemon: typing.Optional[builtins.bool] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -44971,6 +45563,7 @@ def _typecheckingstub__8290283f61f3e2d289b7e7f81cad1a5d1e9ed9dbc07ccce2b57604682
     volume_configurations: typing.Optional[typing.Sequence[ServiceManagedVolume]] = None,
     task_definition: TaskDefinition,
     assign_public_ip: typing.Optional[builtins.bool] = None,
+    availability_zone_rebalancing: typing.Optional[AvailabilityZoneRebalancing] = None,
     platform_version: typing.Optional[FargatePlatformVersion] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
     vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -45068,6 +45661,7 @@ def _typecheckingstub__aa1e4969dd0e00a5737510c273aa9546ad4ce7bc5a8a146f2a37666b0
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
     ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
+    version_consistency: typing.Optional[VersionConsistency] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -45118,6 +45712,7 @@ def _typecheckingstub__2bb9382e9a7b1b34a020902905c4bf83e2d4970135e7592e5b5a1da62
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
     ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
+    version_consistency: typing.Optional[VersionConsistency] = None,
     working_directory: typing.Optional[builtins.str] = None,
     firelens_config: typing.Union[FirelensConfig, typing.Dict[builtins.str, typing.Any]],
 ) -> None:
@@ -45163,6 +45758,7 @@ def _typecheckingstub__498b2375cb2035a958edbdd10ad5f4352caa5773be14b63a07c337871
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
     ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
+    version_consistency: typing.Optional[VersionConsistency] = None,
     working_directory: typing.Optional[builtins.str] = None,
     task_definition: TaskDefinition,
     firelens_config: typing.Union[FirelensConfig, typing.Dict[builtins.str, typing.Any]],
@@ -45708,6 +46304,16 @@ def _typecheckingstub__5fc70dc513eac25b19e79ac6e7ba5dc61662a4299bbba170094fabb95
     ingress_port_override: typing.Optional[jsii.Number] = None,
     per_request_timeout: typing.Optional[_Duration_4839e8c3] = None,
     port: typing.Optional[jsii.Number] = None,
+    tls: typing.Optional[typing.Union[ServiceConnectTlsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__7266405779c519b75a2c1f8c4019cc54ff7bc528da44ee8ce4b42ec354e3b370(
+    *,
+    aws_pca_authority_arn: typing.Optional[builtins.str] = None,
+    kms_key: typing.Optional[_IKey_5f11635f] = None,
+    role: typing.Optional[_IRole_235f5d8e] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -45914,6 +46520,7 @@ def _typecheckingstub__8fe416001b357a118b80b0f9e3432c5bffbeffe29c2f7e67a02e5589c
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
     ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
+    version_consistency: typing.Optional[VersionConsistency] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -45966,6 +46573,7 @@ def _typecheckingstub__a448c235107c9543bb055362134e3500d0a20b6f51e433675f952a773
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
     ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
+    version_consistency: typing.Optional[VersionConsistency] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -46475,6 +47083,7 @@ def _typecheckingstub__1e578461670bd6cdf856f914534e1feff8905e31d33cd7aea2b9f5151
     *,
     task_definition: TaskDefinition,
     assign_public_ip: typing.Optional[builtins.bool] = None,
+    availability_zone_rebalancing: typing.Optional[AvailabilityZoneRebalancing] = None,
     daemon: typing.Optional[builtins.bool] = None,
     placement_constraints: typing.Optional[typing.Sequence[PlacementConstraint]] = None,
     placement_strategies: typing.Optional[typing.Sequence[PlacementStrategy]] = None,
@@ -46532,6 +47141,12 @@ def _typecheckingstub__102b3ccc22a55022584267b95a6aad5f4562322f31caae888256cf6e5
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__92dbc7c46013b6831215fcc3302fb341d8b788fd8a9ae3631b63127cde348e55(
+    load_balancer: _LoadBalancer_a894d40e,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__3a26b01aaf87e4ece20469628f4af696fcfbad789e85b4622bd3e2092663b3b4(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -46611,6 +47226,7 @@ def _typecheckingstub__e16f7a8ab558d24dc81cd83e043fb5a8b37369f32cee89bd310588535
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
     ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
+    version_consistency: typing.Optional[VersionConsistency] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -46621,6 +47237,7 @@ def _typecheckingstub__6ceef4de126cbb6bd6f379ba0b53be2fb61c35761f50685b5d228c682
     id: builtins.str,
     *,
     task_definition: TaskDefinition,
+    daemon: typing.Optional[builtins.bool] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
     cluster: ICluster,
     capacity_provider_strategies: typing.Optional[typing.Sequence[typing.Union[CapacityProviderStrategy, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -46724,6 +47341,7 @@ def _typecheckingstub__0ddac6b19472d00f74c1777e699ce5b239dc49e62ff4ab4674c917bbe
     *,
     task_definition: TaskDefinition,
     assign_public_ip: typing.Optional[builtins.bool] = None,
+    availability_zone_rebalancing: typing.Optional[AvailabilityZoneRebalancing] = None,
     platform_version: typing.Optional[FargatePlatformVersion] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
     vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -46767,6 +47385,12 @@ def _typecheckingstub__37b5dcb0db8589a95c60e0ecf7798026d77e370bf80dfe7d964a48907
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__41a65f2e7e6448580d3322dee4bc9635bee60d9fd0fb6a801d91c37859e117f4(
+    load_balancer: _LoadBalancer_a894d40e,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__d6eac52d828f2df0ab5e16014f889cf23534875319ae4b479cd554d5399de072(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,