aws-cdk-lib 2.178.2__py3-none-any.whl → 2.180.0__py3-none-any.whl

aws_cdk/aws_apigateway/__init__.py

@@ -591,7 +591,7 @@ The following example shows how to use a rate limited api key :
 
 key = apigateway.RateLimitedApiKey(self, "rate-limited-api-key",
     customer_id="hello-customer",
-    stages=[api.deployment_stage],
+    api_stages=[apigateway.UsagePlanPerApiStage(stage=api.deployment_stage)],
     quota=apigateway.QuotaSettings(
         limit=10000,
         period=apigateway.Period.MONTH
@@ -1684,6 +1684,21 @@ By performing this association, we can invoke the API gateway using the followin
 https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}
 ```
 
+To restrict access to the API Gateway to only the VPC endpoint, you can use the `grantInvokeFromVpcEndpointsOnly` method to [add resource policies](https://docs.aws.amazon.com/apigateway/latest/developerguide/private-api-tutorial.html#private-api-tutorial-attach-resource-policy) to the API Gateway:
+
+```python
+# api_gw_vpc_endpoint: ec2.IVpcEndpoint
+
+
+api = apigateway.RestApi(self, "PrivateApi",
+    endpoint_configuration=apigateway.EndpointConfiguration(
+        types=[apigateway.EndpointType.PRIVATE],
+        vpc_endpoints=[api_gw_vpc_endpoint]
+    )
+)
+api.grant_invoke_from_vpc_endpoints_only([api_gw_vpc_endpoint])
+```
+
 ## Private Integrations
 
 A private integration makes it simple to expose HTTP/HTTPS resources behind an
@@ -1912,10 +1927,13 @@ from ..aws_elasticloadbalancingv2 import (
     INetworkLoadBalancer as _INetworkLoadBalancer_96e17101
 )
 from ..aws_iam import (
+    AddToResourcePolicyResult as _AddToResourcePolicyResult_1d0a53ad,
     Grant as _Grant_a7ae64f8,
     IGrantable as _IGrantable_71c4f5de,
+    IResourceWithPolicy as _IResourceWithPolicy_720d64fc,
     IRole as _IRole_235f5d8e,
     PolicyDocument as _PolicyDocument_3ac34393,
+    PolicyStatement as _PolicyStatement_0fe33853,
 )
 from ..aws_kinesisfirehose import CfnDeliveryStream as _CfnDeliveryStream_8f3b1735
 from ..aws_kms import IKey as _IKey_5f11635f
@@ -14829,7 +14847,7 @@ class CorsOptions:
         status_code: typing.Optional[jsii.Number] = None,
     ) -> None:
         '''
-        :param allow_origins: Specifies the list of origins that are allowed to make requests to this resource. If you wish to allow all origins, specify ``Cors.ALL_ORIGINS`` or ``[ * ]``. Responses will include the ``Access-Control-Allow-Origin`` response header. If ``Cors.ALL_ORIGINS`` is specified, the ``Vary: Origin`` response header will also be included.
+        :param allow_origins: Specifies the list of origins that are allowed to make requests to this resource. If you wish to allow all origins, specify ``Cors.ALL_ORIGINS`` or ``[ * ]``. Responses will include the ``Access-Control-Allow-Origin`` response header. If specific origins are specified (not ``Cors.ALL_ORIGINS``), the ``Vary: Origin`` response header will also be included.
         :param allow_credentials: The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is "include". When a request's credentials mode (Request.credentials) is "include", browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true. Credentials are cookies, authorization headers or TLS client certificates. Default: false
         :param allow_headers: The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. Default: Cors.DEFAULT_HEADERS
         :param allow_methods: The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request. If ``ANY`` is specified, it will be expanded to ``Cors.ALL_METHODS``. Default: Cors.ALL_METHODS
@@ -14885,8 +14903,8 @@ class CorsOptions:
         ``[ * ]``.
 
         Responses will include the ``Access-Control-Allow-Origin`` response header.
-        If ``Cors.ALL_ORIGINS`` is specified, the ``Vary: Origin`` response header will
-        also be included.
+        If specific origins are specified (not ``Cors.ALL_ORIGINS``), the ``Vary: Origin``
+        response header will also be included.
 
         :see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
         '''
@@ -15664,9 +15682,13 @@ class EndpointConfiguration:
 
         Example::
 
+            # some_endpoint: ec2.IVpcEndpoint
+            
+            
             api = apigateway.RestApi(self, "api",
                 endpoint_configuration=apigateway.EndpointConfiguration(
-                    types=[apigateway.EndpointType.EDGE]
+                    types=[apigateway.EndpointType.PRIVATE],
+                    vpc_endpoints=[some_endpoint]
                 )
             )
         '''
@@ -15718,12 +15740,14 @@ class EndpointType(enum.Enum):
 
     Example::
 
-        # api_definition: apigateway.ApiDefinition
+        # some_endpoint: ec2.IVpcEndpoint
         
         
-        api = apigateway.SpecRestApi(self, "ExampleRestApi",
-            api_definition=api_definition,
-            endpoint_types=[apigateway.EndpointType.PRIVATE]
+        api = apigateway.RestApi(self, "api",
+            endpoint_configuration=apigateway.EndpointConfiguration(
+                types=[apigateway.EndpointType.PRIVATE],
+                vpc_endpoints=[some_endpoint]
+            )
         )
     '''
 
@@ -16437,7 +16461,7 @@ class IResource(_IResource_c80c4260, typing_extensions.Protocol):
         resource that has a different origin (domain, protocol, or port) from its
         own.
 
-        :param allow_origins: Specifies the list of origins that are allowed to make requests to this resource. If you wish to allow all origins, specify ``Cors.ALL_ORIGINS`` or ``[ * ]``. Responses will include the ``Access-Control-Allow-Origin`` response header. If ``Cors.ALL_ORIGINS`` is specified, the ``Vary: Origin`` response header will also be included.
+        :param allow_origins: Specifies the list of origins that are allowed to make requests to this resource. If you wish to allow all origins, specify ``Cors.ALL_ORIGINS`` or ``[ * ]``. Responses will include the ``Access-Control-Allow-Origin`` response header. If specific origins are specified (not ``Cors.ALL_ORIGINS``), the ``Vary: Origin`` response header will also be included.
         :param allow_credentials: The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is "include". When a request's credentials mode (Request.credentials) is "include", browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true. Credentials are cookies, authorization headers or TLS client certificates. Default: false
         :param allow_headers: The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. Default: Cors.DEFAULT_HEADERS
         :param allow_methods: The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request. If ``ANY`` is specified, it will be expanded to ``Cors.ALL_METHODS``. Default: Cors.ALL_METHODS
@@ -16628,7 +16652,7 @@ class _IResourceProxy(
         resource that has a different origin (domain, protocol, or port) from its
         own.
 
-        :param allow_origins: Specifies the list of origins that are allowed to make requests to this resource. If you wish to allow all origins, specify ``Cors.ALL_ORIGINS`` or ``[ * ]``. Responses will include the ``Access-Control-Allow-Origin`` response header. If ``Cors.ALL_ORIGINS`` is specified, the ``Vary: Origin`` response header will also be included.
+        :param allow_origins: Specifies the list of origins that are allowed to make requests to this resource. If you wish to allow all origins, specify ``Cors.ALL_ORIGINS`` or ``[ * ]``. Responses will include the ``Access-Control-Allow-Origin`` response header. If specific origins are specified (not ``Cors.ALL_ORIGINS``), the ``Vary: Origin`` response header will also be included.
         :param allow_credentials: The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is "include". When a request's credentials mode (Request.credentials) is "include", browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true. Credentials are cookies, authorization headers or TLS client certificates. Default: false
         :param allow_headers: The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. Default: Cors.DEFAULT_HEADERS
         :param allow_methods: The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request. If ``ANY`` is specified, it will be expanded to ``Cors.ALL_METHODS``. Default: Cors.ALL_METHODS
@@ -21470,7 +21494,7 @@ class Period(enum.Enum):
         
         key = apigateway.RateLimitedApiKey(self, "rate-limited-api-key",
             customer_id="hello-customer",
-            stages=[api.deployment_stage],
+            api_stages=[apigateway.UsagePlanPerApiStage(stage=api.deployment_stage)],
             quota=apigateway.QuotaSettings(
                 limit=10000,
                 period=apigateway.Period.MONTH
@@ -21511,7 +21535,7 @@ class QuotaSettings:
             
             key = apigateway.RateLimitedApiKey(self, "rate-limited-api-key",
                 customer_id="hello-customer",
-                stages=[api.deployment_stage],
+                api_stages=[apigateway.UsagePlanPerApiStage(stage=api.deployment_stage)],
                 quota=apigateway.QuotaSettings(
                     limit=10000,
                     period=apigateway.Period.MONTH
@@ -21588,7 +21612,7 @@ class RateLimitedApiKey(
         
         key = apigateway.RateLimitedApiKey(self, "rate-limited-api-key",
             customer_id="hello-customer",
-            stages=[api.deployment_stage],
+            api_stages=[apigateway.UsagePlanPerApiStage(stage=api.deployment_stage)],
             quota=apigateway.QuotaSettings(
                 limit=10000,
                 period=apigateway.Period.MONTH
@@ -21619,7 +21643,7 @@ class RateLimitedApiKey(
         '''
         :param scope: -
         :param id: -
-        :param api_stages: API Stages to be associated with the RateLimitedApiKey. Default: none
+        :param api_stages: API Stages to be associated with the RateLimitedApiKey. If you already prepared UsagePlan resource explicitly, you should use ``stages`` property. If you prefer to prepare UsagePlan resource implicitly via RateLimitedApiKey, or you should specify throttle settings at each stage individually, you should use ``apiStages`` property. Default: none
         :param quota: Number of requests clients can make in a given time period. Default: none
         :param throttle: Overall throttle settings for the API. Default: none
         :param customer_id: An AWS Marketplace customer identifier to use when integrating with the AWS SaaS Marketplace. Default: none
@@ -22652,7 +22676,7 @@ class ResourceBase(
         resource that has a different origin (domain, protocol, or port) from its
         own.
 
-        :param allow_origins: Specifies the list of origins that are allowed to make requests to this resource. If you wish to allow all origins, specify ``Cors.ALL_ORIGINS`` or ``[ * ]``. Responses will include the ``Access-Control-Allow-Origin`` response header. If ``Cors.ALL_ORIGINS`` is specified, the ``Vary: Origin`` response header will also be included.
+        :param allow_origins: Specifies the list of origins that are allowed to make requests to this resource. If you wish to allow all origins, specify ``Cors.ALL_ORIGINS`` or ``[ * ]``. Responses will include the ``Access-Control-Allow-Origin`` response header. If specific origins are specified (not ``Cors.ALL_ORIGINS``), the ``Vary: Origin`` response header will also be included.
         :param allow_credentials: The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is "include". When a request's credentials mode (Request.credentials) is "include", browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true. Credentials are cookies, authorization headers or TLS client certificates. Default: false
         :param allow_headers: The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. Default: Cors.DEFAULT_HEADERS
         :param allow_methods: The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request. If ``ANY`` is specified, it will be expanded to ``Cors.ALL_METHODS``. Default: Cors.ALL_METHODS
@@ -23534,7 +23558,7 @@ class RestApiAttributes:
         )
 
 
-@jsii.implements(IRestApi)
+@jsii.implements(IRestApi, _IResourceWithPolicy_720d64fc)
 class RestApiBase(
     _Resource_45bc6135,
     metaclass=jsii.JSIIAbstractClass,
@@ -23716,6 +23740,18 @@ class RestApiBase(
 
         return typing.cast("GatewayResponse", jsii.invoke(self, "addGatewayResponse", [id, options]))
 
+    @jsii.member(jsii_name="addToResourcePolicy")
+    @abc.abstractmethod
+    def add_to_resource_policy(
+        self,
+        statement: _PolicyStatement_0fe33853,
+    ) -> _AddToResourcePolicyResult_1d0a53ad:
+        '''Add a statement to the resource's resource policy.
+
+        :param statement: -
+        '''
+        ...
+
     @jsii.member(jsii_name="addUsagePlan")
     def add_usage_plan(
         self,
@@ -23769,6 +23805,22 @@ class RestApiBase(
             check_type(argname="argument stage", value=stage, expected_type=type_hints["stage"])
         return typing.cast(builtins.str, jsii.invoke(self, "arnForExecuteApi", [method, path, stage]))
 
+    @jsii.member(jsii_name="grantInvokeFromVpcEndpointsOnly")
+    def grant_invoke_from_vpc_endpoints_only(
+        self,
+        vpc_endpoints: typing.Sequence[_IVpcEndpoint_d8ea9bc3],
+    ) -> None:
+        '''Add a resource policy that only allows API execution from a VPC Endpoint to create a private API.
+
+        :param vpc_endpoints: the interface VPC endpoints to grant access to.
+
+        :see: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html#apigateway-resource-policies-source-vpc-example
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d9c72e763e6fd8bee0fdc38b4c6d9a51728ddb7d71c8f2cc4723eeecc90240d6)
+            check_type(argname="argument vpc_endpoints", value=vpc_endpoints, expected_type=type_hints["vpc_endpoints"])
+        return typing.cast(None, jsii.invoke(self, "grantInvokeFromVpcEndpointsOnly", [vpc_endpoints]))
+
     @jsii.member(jsii_name="metric")
     def metric(
         self,
@@ -24236,11 +24288,40 @@ class RestApiBase(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "cloudWatchAccount", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="resourcePolicy")
+    def _resource_policy(self) -> typing.Optional[_PolicyDocument_3ac34393]:
+        return typing.cast(typing.Optional[_PolicyDocument_3ac34393], jsii.get(self, "resourcePolicy"))
+
+    @_resource_policy.setter
+    def _resource_policy(
+        self,
+        value: typing.Optional[_PolicyDocument_3ac34393],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__055b7d6b7f5983f0cbe73bf5302adcab621abc6451932928f4fc669ed6ce3182)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "resourcePolicy", value) # pyright: ignore[reportArgumentType]
+
 
 class _RestApiBaseProxy(
     RestApiBase,
     jsii.proxy_for(_Resource_45bc6135), # type: ignore[misc]
 ):
+    @jsii.member(jsii_name="addToResourcePolicy")
+    def add_to_resource_policy(
+        self,
+        statement: _PolicyStatement_0fe33853,
+    ) -> _AddToResourcePolicyResult_1d0a53ad:
+        '''Add a statement to the resource's resource policy.
+
+        :param statement: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e5b96ed4eaeba0605aea131fd9bd60ab19b56a3504a62607ee5eff63a4b41ae8)
+            check_type(argname="argument statement", value=statement, expected_type=type_hints["statement"])
+        return typing.cast(_AddToResourcePolicyResult_1d0a53ad, jsii.invoke(self, "addToResourcePolicy", [statement]))
+
     @builtins.property
     @jsii.member(jsii_name="restApiId")
     def rest_api_id(self) -> builtins.str:
@@ -24721,25 +24802,15 @@ class RestApiProps(ResourceOptions, RestApiBaseProps):
 
         Example::
 
-            destination_bucket = s3.Bucket(self, "Bucket")
-            delivery_stream_role = iam.Role(self, "Role",
-                assumed_by=iam.ServicePrincipal("firehose.amazonaws.com")
-            )
-            
-            stream = firehose.CfnDeliveryStream(self, "MyStream",
-                delivery_stream_name="amazon-apigateway-delivery-stream",
-                s3_destination_configuration=firehose.CfnDeliveryStream.S3DestinationConfigurationProperty(
-                    bucket_arn=destination_bucket.bucket_arn,
-                    role_arn=delivery_stream_role.role_arn
-                )
+            state_machine = stepfunctions.StateMachine(self, "MyStateMachine",
+                state_machine_type=stepfunctions.StateMachineType.EXPRESS,
+                definition=stepfunctions.Chain.start(stepfunctions.Pass(self, "Pass"))
             )
             
-            api = apigateway.RestApi(self, "books",
-                deploy_options=apigateway.StageOptions(
-                    access_log_destination=apigateway.FirehoseLogDestination(stream),
-                    access_log_format=apigateway.AccessLogFormat.json_with_standard_fields()
-                )
+            api = apigateway.RestApi(self, "Api",
+                rest_api_name="MyApi"
             )
+            api.root.add_method("GET", apigateway.StepFunctionsIntegration.start_execution(state_machine))
         '''
         if isinstance(default_cors_preflight_options, dict):
             default_cors_preflight_options = CorsOptions(**default_cors_preflight_options)
@@ -25565,6 +25636,24 @@ class SpecRestApi(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.member(jsii_name="addToResourcePolicy")
+    def add_to_resource_policy(
+        self,
+        statement: _PolicyStatement_0fe33853,
+    ) -> _AddToResourcePolicyResult_1d0a53ad:
+        '''Adds a statement to the resource policy associated with this rest api.
+
+        A resource policy will be automatically created upon the first call to ``addToResourcePolicy``.
+
+        Note that this does not work with imported rest api.
+
+        :param statement: The policy statement to add.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a598fa29dde7454edf374298a15d782fc9a7cfb24aea9c673988425532fdfaa8)
+            check_type(argname="argument statement", value=statement, expected_type=type_hints["statement"])
+        return typing.cast(_AddToResourcePolicyResult_1d0a53ad, jsii.invoke(self, "addToResourcePolicy", [statement]))
+
     @builtins.property
     @jsii.member(jsii_name="restApiId")
     def rest_api_id(self) -> builtins.str:
@@ -31391,7 +31480,7 @@ class RateLimitedApiKeyProps(ApiKeyProps):
         :param generate_distinct_id: Specifies whether the key identifier is distinct from the created API key value. Default: false
         :param resources: (deprecated) A list of resources this api key is associated with. Default: none
         :param stages: A list of Stages this api key is associated with. Default: - the api key is not associated with any stages
-        :param api_stages: API Stages to be associated with the RateLimitedApiKey. Default: none
+        :param api_stages: API Stages to be associated with the RateLimitedApiKey. If you already prepared UsagePlan resource explicitly, you should use ``stages`` property. If you prefer to prepare UsagePlan resource implicitly via RateLimitedApiKey, or you should specify throttle settings at each stage individually, you should use ``apiStages`` property. Default: none
         :param quota: Number of requests clients can make in a given time period. Default: none
         :param throttle: Overall throttle settings for the API. Default: none
 
@@ -31404,7 +31493,7 @@ class RateLimitedApiKeyProps(ApiKeyProps):
             
             key = apigateway.RateLimitedApiKey(self, "rate-limited-api-key",
                 customer_id="hello-customer",
-                stages=[api.deployment_stage],
+                api_stages=[apigateway.UsagePlanPerApiStage(stage=api.deployment_stage)],
                 quota=apigateway.QuotaSettings(
                     limit=10000,
                     period=apigateway.Period.MONTH
@@ -31590,6 +31679,10 @@ class RateLimitedApiKeyProps(ApiKeyProps):
     def api_stages(self) -> typing.Optional[typing.List[UsagePlanPerApiStage]]:
         '''API Stages to be associated with the RateLimitedApiKey.
 
+        If you already prepared UsagePlan resource explicitly, you should use ``stages`` property.
+        If you prefer to prepare UsagePlan resource implicitly via RateLimitedApiKey,
+        or you should specify throttle settings at each stage individually, you should use ``apiStages`` property.
+
         :default: none
         '''
         result = self._values.get("api_stages")
@@ -32115,6 +32208,24 @@ class RestApi(
 
         return typing.cast(RequestValidator, jsii.invoke(self, "addRequestValidator", [id, props]))
 
+    @jsii.member(jsii_name="addToResourcePolicy")
+    def add_to_resource_policy(
+        self,
+        statement: _PolicyStatement_0fe33853,
+    ) -> _AddToResourcePolicyResult_1d0a53ad:
+        '''Adds a statement to the resource policy associated with this rest api.
+
+        A resource policy will be automatically created upon the first call to ``addToResourcePolicy``.
+
+        Note that this does not work with imported rest api.
+
+        :param statement: The policy statement to add.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__52663697f28f1fd364df71313e30a1c7fde152016b3381ce552603f8a5dfc54f)
+            check_type(argname="argument statement", value=statement, expected_type=type_hints["statement"])
+        return typing.cast(_AddToResourcePolicyResult_1d0a53ad, jsii.invoke(self, "addToResourcePolicy", [statement]))
+
     @builtins.property
     @jsii.member(jsii_name="methods")
     def methods(self) -> typing.List[Method]:
@@ -36046,6 +36157,12 @@ def _typecheckingstub__8ee391044c8afeacec6635a772559caff651608cf2a1be322b25e001d
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__d9c72e763e6fd8bee0fdc38b4c6d9a51728ddb7d71c8f2cc4723eeecc90240d6(
+    vpc_endpoints: typing.Sequence[_IVpcEndpoint_d8ea9bc3],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__83e0007c5bc1aeac14243c8f05dab576ffb55853642cfe1f4a1352b59dda08cf(
     metric_name: builtins.str,
     *,
@@ -36081,6 +36198,18 @@ def _typecheckingstub__7f2c768d74b0b943c1a251d6140ff29b65485077acf73526ebf83da3d
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__055b7d6b7f5983f0cbe73bf5302adcab621abc6451932928f4fc669ed6ce3182(
+    value: typing.Optional[_PolicyDocument_3ac34393],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__e5b96ed4eaeba0605aea131fd9bd60ab19b56a3504a62607ee5eff63a4b41ae8(
+    statement: _PolicyStatement_0fe33853,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__f8db41d1cbb038cc89af89c87ca398274183966ac93d18298a50a87996e9aab5(
     *,
     cloud_watch_role: typing.Optional[builtins.bool] = None,
@@ -36186,6 +36315,12 @@ def _typecheckingstub__4722b635be09e87466169ef31b6610061f0fa16d1cff99382f0584fde
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__a598fa29dde7454edf374298a15d782fc9a7cfb24aea9c673988425532fdfaa8(
+    statement: _PolicyStatement_0fe33853,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__4506705cb637aa3098ad358d76fa29dd7a218f7542020d2e9dbfe8182f9cc797(
     *,
     cloud_watch_role: typing.Optional[builtins.bool] = None,
@@ -36921,6 +37056,12 @@ def _typecheckingstub__c7e66eb05224fabb309270e01184adec5effecc24f4bae236c407a527
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__52663697f28f1fd364df71313e30a1c7fde152016b3381ce552603f8a5dfc54f(
+    statement: _PolicyStatement_0fe33853,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__d2e28fbc4cf23b8af8415c85c3b3fef473c187c8b6a1d16ed48d739acfa4bbed(
     endpoint: _IEndpoint_58fe201a,
     *,