aws-cdk-lib 2.180.0__py3-none-any.whl → 2.181.1__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -35,6 +35,7 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aw
       * [Multi-factor Authentication (MFA)](#multi-factor-authentication-mfa)
       * [Account Recovery Settings](#account-recovery-settings)
       * [Advanced Security Mode](#advanced-security-mode)
+      * [Threat Protection](#threat-protection)
     * [Emails](#emails)
     * [Device Tracking](#device-tracking)
     * [Lambda Triggers](#lambda-triggers)
@@ -472,7 +473,7 @@ A user will not be allowed to reset their password via phone if they are also us
 
 #### Advanced Security Mode
 
-⚠️ Advanced Security Mode is deprecated in favor of [user pool feature plans](#user-pool-feature-plans).
+⚠️ Advanced Security Mode is deprecated in favor of [Threat Protection](#threat-protection).
 
 User pools can be configured to use Advanced security. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See the [documentation on Advanced security](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) to learn more.
 
@@ -483,6 +484,15 @@ cognito.UserPool(self, "myuserpool",
 )
 ```
 
+### Threat Protection
+
+This feature is only available if your Feature Plan is set to PLUS.
+
+Threat Protection can be set to configure enforcement levels and automatic responses for users in password-based and custom-challenge authentication flows.
+For configuration, there are 2 options for standard authentication and custom authentication.
+These are represented with properties `standardThreatProtectionMode` and `customThreatProtectionMode`.
+See the [documentation on Threat Protection](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html)
+
 ### Emails
 
 Cognito sends emails to users in the user pool, when particular actions take place, such as welcome emails, invitation
@@ -1349,9 +1359,9 @@ class AccountRecovery(enum.Enum):
 class AdvancedSecurityMode(enum.Enum):
     '''(deprecated) The different ways in which a user pool's Advanced Security Mode can be configured.
 
-    :deprecated: Advanced Security Mode is deprecated in favor of user pool feature plans.
+    :deprecated: Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Thread Protection level.
 
-    :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode
+    :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
     :stability: deprecated
     :exampleMetadata: infused
 
@@ -14044,6 +14054,21 @@ class CustomDomainOptions:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.CustomThreatProtectionMode")
+class CustomThreatProtectionMode(enum.Enum):
+    '''The Type of Threat Protection Enabled for Custom Authentication.
+
+    This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS
+
+    :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
+    '''
+
+    FULL_FUNCTION = "FULL_FUNCTION"
+    '''Cognito automatically takes preventative actions in response to different levels of risk that you configure for your user pool.'''
+    AUDIT_ONLY = "AUDIT_ONLY"
+    '''Cognito gathers metrics on detected risks, but doesn't take automatic action.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cognito.DeviceTracking",
     jsii_struct_bases=[],
@@ -17381,6 +17406,23 @@ class StandardAttributesMask:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.StandardThreatProtectionMode")
+class StandardThreatProtectionMode(enum.Enum):
+    '''The Type of Threat Protection Enabled for Standard Authentication.
+
+    This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS
+
+    :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
+    '''
+
+    FULL_FUNCTION = "FULL_FUNCTION"
+    '''Cognito automatically takes preventative actions in response to different levels of risk that you configure for your user pool.'''
+    AUDIT_ONLY = "AUDIT_ONLY"
+    '''Cognito gathers metrics on detected risks, but doesn't take automatic action.'''
+    NO_ENFORCEMENT = "NO_ENFORCEMENT"
+    '''Cognito doesn't gather metrics on detected risks or automatically take preventative actions.'''
+
+
 @jsii.implements(ICustomAttribute)
 class StringAttribute(
     metaclass=jsii.JSIIMeta,
@@ -17727,6 +17769,7 @@ class UserPool(
         auto_verify: typing.Optional[typing.Union[AutoVerifiedAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_attributes: typing.Optional[typing.Mapping[builtins.str, ICustomAttribute]] = None,
         custom_sender_kms_key: typing.Optional[_IKey_5f11635f] = None,
+        custom_threat_protection_mode: typing.Optional[CustomThreatProtectionMode] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
         device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
         email: typing.Optional["UserPoolEmail"] = None,
@@ -17749,6 +17792,7 @@ class UserPool(
         sms_role_external_id: typing.Optional[builtins.str] = None,
         sns_region: typing.Optional[builtins.str] = None,
         standard_attributes: typing.Optional[typing.Union[StandardAttributes, typing.Dict[builtins.str, typing.Any]]] = None,
+        standard_threat_protection_mode: typing.Optional[StandardThreatProtectionMode] = None,
         user_invitation: typing.Optional[typing.Union[UserInvitationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
         user_pool_name: typing.Optional[builtins.str] = None,
         user_verification: typing.Optional[typing.Union["UserVerificationConfig", typing.Dict[builtins.str, typing.Any]]] = None,
@@ -17761,6 +17805,7 @@ class UserPool(
         :param auto_verify: Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If ``signInAlias`` includes email and/or phone, they will be included in ``autoVerifiedAttributes`` by default. If absent, no attributes will be auto-verified.
         :param custom_attributes: Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.
         :param custom_sender_kms_key: This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configured
+        :param custom_threat_protection_mode: The Type of Threat Protection Enabled for Custom Authentication. This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS Default: - no value
         :param deletion_protection: Indicates whether the user pool should have deletion protection enabled. Default: false
         :param device_tracking: Device tracking settings. Default: - see defaults on each property of DeviceTracking.
         :param email: Email settings for a user pool. Default: - cognito will use the default email configuration
@@ -17783,6 +17828,7 @@ class UserPool(
         :param sms_role_external_id: The 'ExternalId' that Cognito service must be using when assuming the ``smsRole``, if the role is restricted with an 'sts:ExternalId' conditional. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html This property will be ignored if ``smsRole`` is not specified. Default: - No external id will be configured.
         :param sns_region: The region to integrate with SNS to send SMS messages. This property will do nothing if SMS configuration is not configured. Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time
         :param standard_attributes: The set of attributes that are required for every user in the user pool. Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html Default: - All standard attributes are optional and mutable.
+        :param standard_threat_protection_mode: The Type of Threat Protection Enabled for Standard Authentication. This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS Default: - StandardThreatProtectionMode.NO_ENFORCEMENT
         :param user_invitation: Configuration around admins signing up users into a user pool. Default: - see defaults in UserInvitationConfig.
         :param user_pool_name: Name of the user pool. Default: - automatically generated name by CloudFormation at deploy time.
         :param user_verification: Configuration around users signing themselves up to the user pool. Enable or disable self sign-up via the ``selfSignUpEnabled`` property. Default: - see defaults in UserVerificationConfig.
@@ -17797,6 +17843,7 @@ class UserPool(
             auto_verify=auto_verify,
             custom_attributes=custom_attributes,
             custom_sender_kms_key=custom_sender_kms_key,
+            custom_threat_protection_mode=custom_threat_protection_mode,
             deletion_protection=deletion_protection,
             device_tracking=device_tracking,
             email=email,
@@ -17819,6 +17866,7 @@ class UserPool(
             sms_role_external_id=sms_role_external_id,
             sns_region=sns_region,
             standard_attributes=standard_attributes,
+            standard_threat_protection_mode=standard_threat_protection_mode,
             user_invitation=user_invitation,
             user_pool_name=user_pool_name,
             user_verification=user_verification,
@@ -21145,6 +21193,7 @@ class UserPoolOperation(
         "auto_verify": "autoVerify",
         "custom_attributes": "customAttributes",
         "custom_sender_kms_key": "customSenderKmsKey",
+        "custom_threat_protection_mode": "customThreatProtectionMode",
         "deletion_protection": "deletionProtection",
         "device_tracking": "deviceTracking",
         "email": "email",
@@ -21167,6 +21216,7 @@ class UserPoolOperation(
         "sms_role_external_id": "smsRoleExternalId",
         "sns_region": "snsRegion",
         "standard_attributes": "standardAttributes",
+        "standard_threat_protection_mode": "standardThreatProtectionMode",
         "user_invitation": "userInvitation",
         "user_pool_name": "userPoolName",
         "user_verification": "userVerification",
@@ -21181,6 +21231,7 @@ class UserPoolProps:
         auto_verify: typing.Optional[typing.Union[AutoVerifiedAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_attributes: typing.Optional[typing.Mapping[builtins.str, ICustomAttribute]] = None,
         custom_sender_kms_key: typing.Optional[_IKey_5f11635f] = None,
+        custom_threat_protection_mode: typing.Optional[CustomThreatProtectionMode] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
         device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
         email: typing.Optional[UserPoolEmail] = None,
@@ -21203,6 +21254,7 @@ class UserPoolProps:
         sms_role_external_id: typing.Optional[builtins.str] = None,
         sns_region: typing.Optional[builtins.str] = None,
         standard_attributes: typing.Optional[typing.Union[StandardAttributes, typing.Dict[builtins.str, typing.Any]]] = None,
+        standard_threat_protection_mode: typing.Optional[StandardThreatProtectionMode] = None,
         user_invitation: typing.Optional[typing.Union[UserInvitationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
         user_pool_name: typing.Optional[builtins.str] = None,
         user_verification: typing.Optional[typing.Union["UserVerificationConfig", typing.Dict[builtins.str, typing.Any]]] = None,
@@ -21214,6 +21266,7 @@ class UserPoolProps:
         :param auto_verify: Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If ``signInAlias`` includes email and/or phone, they will be included in ``autoVerifiedAttributes`` by default. If absent, no attributes will be auto-verified.
         :param custom_attributes: Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.
         :param custom_sender_kms_key: This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configured
+        :param custom_threat_protection_mode: The Type of Threat Protection Enabled for Custom Authentication. This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS Default: - no value
         :param deletion_protection: Indicates whether the user pool should have deletion protection enabled. Default: false
         :param device_tracking: Device tracking settings. Default: - see defaults on each property of DeviceTracking.
         :param email: Email settings for a user pool. Default: - cognito will use the default email configuration
@@ -21236,6 +21289,7 @@ class UserPoolProps:
         :param sms_role_external_id: The 'ExternalId' that Cognito service must be using when assuming the ``smsRole``, if the role is restricted with an 'sts:ExternalId' conditional. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html This property will be ignored if ``smsRole`` is not specified. Default: - No external id will be configured.
         :param sns_region: The region to integrate with SNS to send SMS messages. This property will do nothing if SMS configuration is not configured. Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time
         :param standard_attributes: The set of attributes that are required for every user in the user pool. Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html Default: - All standard attributes are optional and mutable.
+        :param standard_threat_protection_mode: The Type of Threat Protection Enabled for Standard Authentication. This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS Default: - StandardThreatProtectionMode.NO_ENFORCEMENT
         :param user_invitation: Configuration around admins signing up users into a user pool. Default: - see defaults in UserInvitationConfig.
         :param user_pool_name: Name of the user pool. Default: - automatically generated name by CloudFormation at deploy time.
         :param user_verification: Configuration around users signing themselves up to the user pool. Enable or disable self sign-up via the ``selfSignUpEnabled`` property. Default: - see defaults in UserVerificationConfig.
@@ -21281,6 +21335,7 @@ class UserPoolProps:
             check_type(argname="argument auto_verify", value=auto_verify, expected_type=type_hints["auto_verify"])
             check_type(argname="argument custom_attributes", value=custom_attributes, expected_type=type_hints["custom_attributes"])
             check_type(argname="argument custom_sender_kms_key", value=custom_sender_kms_key, expected_type=type_hints["custom_sender_kms_key"])
+            check_type(argname="argument custom_threat_protection_mode", value=custom_threat_protection_mode, expected_type=type_hints["custom_threat_protection_mode"])
             check_type(argname="argument deletion_protection", value=deletion_protection, expected_type=type_hints["deletion_protection"])
             check_type(argname="argument device_tracking", value=device_tracking, expected_type=type_hints["device_tracking"])
             check_type(argname="argument email", value=email, expected_type=type_hints["email"])
@@ -21303,6 +21358,7 @@ class UserPoolProps:
             check_type(argname="argument sms_role_external_id", value=sms_role_external_id, expected_type=type_hints["sms_role_external_id"])
             check_type(argname="argument sns_region", value=sns_region, expected_type=type_hints["sns_region"])
             check_type(argname="argument standard_attributes", value=standard_attributes, expected_type=type_hints["standard_attributes"])
+            check_type(argname="argument standard_threat_protection_mode", value=standard_threat_protection_mode, expected_type=type_hints["standard_threat_protection_mode"])
             check_type(argname="argument user_invitation", value=user_invitation, expected_type=type_hints["user_invitation"])
             check_type(argname="argument user_pool_name", value=user_pool_name, expected_type=type_hints["user_pool_name"])
             check_type(argname="argument user_verification", value=user_verification, expected_type=type_hints["user_verification"])
@@ -21317,6 +21373,8 @@ class UserPoolProps:
             self._values["custom_attributes"] = custom_attributes
         if custom_sender_kms_key is not None:
             self._values["custom_sender_kms_key"] = custom_sender_kms_key
+        if custom_threat_protection_mode is not None:
+            self._values["custom_threat_protection_mode"] = custom_threat_protection_mode
         if deletion_protection is not None:
             self._values["deletion_protection"] = deletion_protection
         if device_tracking is not None:
@@ -21361,6 +21419,8 @@ class UserPoolProps:
             self._values["sns_region"] = sns_region
         if standard_attributes is not None:
             self._values["standard_attributes"] = standard_attributes
+        if standard_threat_protection_mode is not None:
+            self._values["standard_threat_protection_mode"] = standard_threat_protection_mode
         if user_invitation is not None:
             self._values["user_invitation"] = user_invitation
         if user_pool_name is not None:
@@ -21383,7 +21443,7 @@ class UserPoolProps:
 
         :default: - no value
 
-        :deprecated: Advanced Security Mode is deprecated in favor of user pool feature plans.
+        :deprecated: Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Thread Protection level.
 
         :stability: deprecated
         '''
@@ -21426,6 +21486,21 @@ class UserPoolProps:
         result = self._values.get("custom_sender_kms_key")
         return typing.cast(typing.Optional[_IKey_5f11635f], result)
 
+    @builtins.property
+    def custom_threat_protection_mode(
+        self,
+    ) -> typing.Optional[CustomThreatProtectionMode]:
+        '''The Type of Threat Protection Enabled for Custom Authentication.
+
+        This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS
+
+        :default: - no value
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
+        '''
+        result = self._values.get("custom_threat_protection_mode")
+        return typing.cast(typing.Optional[CustomThreatProtectionMode], result)
+
     @builtins.property
     def deletion_protection(self) -> typing.Optional[builtins.bool]:
         '''Indicates whether the user pool should have deletion protection enabled.
@@ -21671,6 +21746,21 @@ class UserPoolProps:
         result = self._values.get("standard_attributes")
         return typing.cast(typing.Optional[StandardAttributes], result)
 
+    @builtins.property
+    def standard_threat_protection_mode(
+        self,
+    ) -> typing.Optional[StandardThreatProtectionMode]:
+        '''The Type of Threat Protection Enabled for Standard Authentication.
+
+        This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS
+
+        :default: - StandardThreatProtectionMode.NO_ENFORCEMENT
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
+        '''
+        result = self._values.get("standard_threat_protection_mode")
+        return typing.cast(typing.Optional[StandardThreatProtectionMode], result)
+
     @builtins.property
     def user_invitation(self) -> typing.Optional[UserInvitationConfig]:
         '''Configuration around admins signing up users into a user pool.
@@ -23564,6 +23654,7 @@ __all__ = [
     "CustomAttributeConfig",
     "CustomAttributeProps",
     "CustomDomainOptions",
+    "CustomThreatProtectionMode",
     "DateTimeAttribute",
     "DeviceTracking",
     "EmailSettings",
@@ -23600,6 +23691,7 @@ __all__ = [
     "StandardAttribute",
     "StandardAttributes",
     "StandardAttributesMask",
+    "StandardThreatProtectionMode",
     "StringAttribute",
     "StringAttributeConstraints",
     "StringAttributeProps",
@@ -25789,6 +25881,7 @@ def _typecheckingstub__677a8ec9a3f2a22d2dfde6fd6818121e4a071dc4e942f6bbe219e5a9b
     auto_verify: typing.Optional[typing.Union[AutoVerifiedAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
     custom_attributes: typing.Optional[typing.Mapping[builtins.str, ICustomAttribute]] = None,
     custom_sender_kms_key: typing.Optional[_IKey_5f11635f] = None,
+    custom_threat_protection_mode: typing.Optional[CustomThreatProtectionMode] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,
     device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
     email: typing.Optional[UserPoolEmail] = None,
@@ -25811,6 +25904,7 @@ def _typecheckingstub__677a8ec9a3f2a22d2dfde6fd6818121e4a071dc4e942f6bbe219e5a9b
     sms_role_external_id: typing.Optional[builtins.str] = None,
     sns_region: typing.Optional[builtins.str] = None,
     standard_attributes: typing.Optional[typing.Union[StandardAttributes, typing.Dict[builtins.str, typing.Any]]] = None,
+    standard_threat_protection_mode: typing.Optional[StandardThreatProtectionMode] = None,
     user_invitation: typing.Optional[typing.Union[UserInvitationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
     user_pool_name: typing.Optional[builtins.str] = None,
     user_verification: typing.Optional[typing.Union[UserVerificationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -26249,6 +26343,7 @@ def _typecheckingstub__754b1af40b4712720733e130c63a8ec0ca9a35d4cfb25450725d5aa02
     auto_verify: typing.Optional[typing.Union[AutoVerifiedAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
     custom_attributes: typing.Optional[typing.Mapping[builtins.str, ICustomAttribute]] = None,
     custom_sender_kms_key: typing.Optional[_IKey_5f11635f] = None,
+    custom_threat_protection_mode: typing.Optional[CustomThreatProtectionMode] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,
     device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
     email: typing.Optional[UserPoolEmail] = None,
@@ -26271,6 +26366,7 @@ def _typecheckingstub__754b1af40b4712720733e130c63a8ec0ca9a35d4cfb25450725d5aa02
     sms_role_external_id: typing.Optional[builtins.str] = None,
     sns_region: typing.Optional[builtins.str] = None,
     standard_attributes: typing.Optional[typing.Union[StandardAttributes, typing.Dict[builtins.str, typing.Any]]] = None,
+    standard_threat_protection_mode: typing.Optional[StandardThreatProtectionMode] = None,
     user_invitation: typing.Optional[typing.Union[UserInvitationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
     user_pool_name: typing.Optional[builtins.str] = None,
     user_verification: typing.Optional[typing.Union[UserVerificationConfig, typing.Dict[builtins.str, typing.Any]]] = None,

aws_cdk/aws_config/__init__.py

@@ -698,7 +698,7 @@ class CfnConfigRule(
         :param evaluation_modes: The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
         :param input_parameters: A string, in JSON format, that is passed to the AWS Config rule Lambda function.
         :param maximum_execution_frequency: The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for ``MaximumExecutionFrequency`` when: - You are using an AWS managed rule that is triggered at a periodic frequency. - Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see `ConfigSnapshotDeliveryProperties <https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html>`_ . .. epigraph:: By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the ``MaximumExecutionFrequency`` parameter.
-        :param scope: Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. .. epigraph:: The scope can be empty.
+        :param scope: Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. .. epigraph:: Scope is only supported for change-triggered rules. Scope is not supported for periodic or hybrid rules.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__deecc74e0a0f7e54fde16a159ece5d8f96f56f6b8aca025003adcc1d931d5d00)
@@ -1512,7 +1512,7 @@ class CfnConfigRuleProps:
         :param evaluation_modes: The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
         :param input_parameters: A string, in JSON format, that is passed to the AWS Config rule Lambda function.
         :param maximum_execution_frequency: The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for ``MaximumExecutionFrequency`` when: - You are using an AWS managed rule that is triggered at a periodic frequency. - Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see `ConfigSnapshotDeliveryProperties <https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html>`_ . .. epigraph:: By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the ``MaximumExecutionFrequency`` parameter.
-        :param scope: Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. .. epigraph:: The scope can be empty.
+        :param scope: Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. .. epigraph:: Scope is only supported for change-triggered rules. Scope is not supported for periodic or hybrid rules.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configrule.html
         :exampleMetadata: fixture=_generated
@@ -1684,7 +1684,7 @@ class CfnConfigRuleProps:
         The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
         .. epigraph::
 
-           The scope can be empty.
+           Scope is only supported for change-triggered rules. Scope is not supported for periodic or hybrid rules.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configrule.html#cfn-config-configrule-scope
         '''

aws_cdk/aws_dynamodb/__init__.py

@@ -4990,7 +4990,7 @@ class CfnTable(
         :param id: Construct identifier for this resource (unique in its scope).
         :param key_schema: Specifies the attributes that make up the primary key for the table. The attributes in the ``KeySchema`` property must also be defined in the ``AttributeDefinitions`` property.
         :param attribute_definitions: A list of attributes that describe the key schema for the table and indexes. This property is required to create a DynamoDB table. Update requires: `Some interruptions <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt>`_ . Replacement if you edit an existing AttributeDefinition.
-        :param billing_mode: Specify how you are charged for read and write throughput and how you manage capacity. Valid values include: - ``PROVISIONED`` - We recommend using ``PROVISIONED`` for predictable workloads. ``PROVISIONED`` sets the billing mode to `Provisioned Mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.ProvisionedThroughput.Manual>`_ . - ``PAY_PER_REQUEST`` - We recommend using ``PAY_PER_REQUEST`` for unpredictable workloads. ``PAY_PER_REQUEST`` sets the billing mode to `On-Demand Mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.OnDemand>`_ . If not specified, the default is ``PROVISIONED`` .
+        :param billing_mode: Specify how you are charged for read and write throughput and how you manage capacity. Valid values include: - ``PAY_PER_REQUEST`` - We recommend using ``PAY_PER_REQUEST`` for most DynamoDB workloads. ``PAY_PER_REQUEST`` sets the billing mode to `On-demand capacity mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/on-demand-capacity-mode.html>`_ . - ``PROVISIONED`` - We recommend using ``PROVISIONED`` for steady workloads with predictable growth where capacity requirements can be reliably forecasted. ``PROVISIONED`` sets the billing mode to `Provisioned capacity mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/provisioned-capacity-mode.html>`_ . If not specified, the default is ``PROVISIONED`` .
         :param contributor_insights_specification: The settings used to enable or disable CloudWatch Contributor Insights for the specified table.
         :param deletion_protection_enabled: Determines if a table is protected from deletion. When enabled, the table cannot be deleted by any user or process. This setting is disabled by default. For more information, see `Using deletion protection <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.DeletionProtection>`_ in the *Amazon DynamoDB Developer Guide* .
         :param global_secondary_indexes: Global secondary indexes to be created on the table. You can create up to 20 global secondary indexes. .. epigraph:: If you update a table to include a new global secondary index, AWS CloudFormation initiates the index creation and then proceeds with the stack update. AWS CloudFormation doesn't wait for the index to complete creation because the backfilling phase can take a long time, depending on the size of the table. You can't use the index or update the table until the index's status is ``ACTIVE`` . You can track its status by using the DynamoDB `DescribeTable <https://docs.aws.amazon.com/cli/latest/reference/dynamodb/describe-table.html>`_ command. If you add or delete an index during an update, we recommend that you don't update any other resources. If your stack fails to update and is rolled back while adding a new index, you must manually delete the index. Updates are not supported. The following are exceptions: - If you update either the contributor insights specification or the provisioned throughput values of global secondary indexes, you can update the table without interruption. - You can delete or add one global secondary index without interruption. If you do both in the same update (for example, by changing the index's logical ID), the update fails.
@@ -7207,7 +7207,7 @@ class CfnTableProps:
 
         :param key_schema: Specifies the attributes that make up the primary key for the table. The attributes in the ``KeySchema`` property must also be defined in the ``AttributeDefinitions`` property.
         :param attribute_definitions: A list of attributes that describe the key schema for the table and indexes. This property is required to create a DynamoDB table. Update requires: `Some interruptions <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt>`_ . Replacement if you edit an existing AttributeDefinition.
-        :param billing_mode: Specify how you are charged for read and write throughput and how you manage capacity. Valid values include: - ``PROVISIONED`` - We recommend using ``PROVISIONED`` for predictable workloads. ``PROVISIONED`` sets the billing mode to `Provisioned Mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.ProvisionedThroughput.Manual>`_ . - ``PAY_PER_REQUEST`` - We recommend using ``PAY_PER_REQUEST`` for unpredictable workloads. ``PAY_PER_REQUEST`` sets the billing mode to `On-Demand Mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.OnDemand>`_ . If not specified, the default is ``PROVISIONED`` .
+        :param billing_mode: Specify how you are charged for read and write throughput and how you manage capacity. Valid values include: - ``PAY_PER_REQUEST`` - We recommend using ``PAY_PER_REQUEST`` for most DynamoDB workloads. ``PAY_PER_REQUEST`` sets the billing mode to `On-demand capacity mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/on-demand-capacity-mode.html>`_ . - ``PROVISIONED`` - We recommend using ``PROVISIONED`` for steady workloads with predictable growth where capacity requirements can be reliably forecasted. ``PROVISIONED`` sets the billing mode to `Provisioned capacity mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/provisioned-capacity-mode.html>`_ . If not specified, the default is ``PROVISIONED`` .
         :param contributor_insights_specification: The settings used to enable or disable CloudWatch Contributor Insights for the specified table.
         :param deletion_protection_enabled: Determines if a table is protected from deletion. When enabled, the table cannot be deleted by any user or process. This setting is disabled by default. For more information, see `Using deletion protection <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.DeletionProtection>`_ in the *Amazon DynamoDB Developer Guide* .
         :param global_secondary_indexes: Global secondary indexes to be created on the table. You can create up to 20 global secondary indexes. .. epigraph:: If you update a table to include a new global secondary index, AWS CloudFormation initiates the index creation and then proceeds with the stack update. AWS CloudFormation doesn't wait for the index to complete creation because the backfilling phase can take a long time, depending on the size of the table. You can't use the index or update the table until the index's status is ``ACTIVE`` . You can track its status by using the DynamoDB `DescribeTable <https://docs.aws.amazon.com/cli/latest/reference/dynamodb/describe-table.html>`_ command. If you add or delete an index during an update, we recommend that you don't update any other resources. If your stack fails to update and is rolled back while adding a new index, you must manually delete the index. Updates are not supported. The following are exceptions: - If you update either the contributor insights specification or the provisioned throughput values of global secondary indexes, you can update the table without interruption. - You can delete or add one global secondary index without interruption. If you do both in the same update (for example, by changing the index's logical ID), the update fails.
@@ -7464,8 +7464,8 @@ class CfnTableProps:
 
         Valid values include:
 
-        - ``PROVISIONED`` - We recommend using ``PROVISIONED`` for predictable workloads. ``PROVISIONED`` sets the billing mode to `Provisioned Mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.ProvisionedThroughput.Manual>`_ .
-        - ``PAY_PER_REQUEST`` - We recommend using ``PAY_PER_REQUEST`` for unpredictable workloads. ``PAY_PER_REQUEST`` sets the billing mode to `On-Demand Mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.OnDemand>`_ .
+        - ``PAY_PER_REQUEST`` - We recommend using ``PAY_PER_REQUEST`` for most DynamoDB workloads. ``PAY_PER_REQUEST`` sets the billing mode to `On-demand capacity mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/on-demand-capacity-mode.html>`_ .
+        - ``PROVISIONED`` - We recommend using ``PROVISIONED`` for steady workloads with predictable growth where capacity requirements can be reliably forecasted. ``PROVISIONED`` sets the billing mode to `Provisioned capacity mode <https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/provisioned-capacity-mode.html>`_ .
 
         If not specified, the default is ``PROVISIONED`` .
 

aws_cdk/aws_ecs/__init__.py

@@ -7570,7 +7570,7 @@ class CfnCluster(
 
             Tasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see `Service Connect <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
 
-            :param namespace: The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/). If you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region. If you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the "API calls" method of instance discovery only. This instance discovery method is the "HTTP" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect. If you update the cluster with an empty string ``""`` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately. For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html>`_ in the *AWS Cloud Map Developer Guide* .
+            :param namespace: The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include greater than (>), less than (<), double quotation marks ("), or slash (/). If you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region. If you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the "API calls" method of instance discovery only. This instance discovery method is the "HTTP" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect. If you update the cluster with an empty string ``""`` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately. For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html>`_ in the *AWS Cloud Map Developer Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-cluster-serviceconnectdefaults.html
             :exampleMetadata: fixture=_generated
@@ -7596,7 +7596,7 @@ class CfnCluster(
         def namespace(self) -> typing.Optional[builtins.str]:
             '''The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration.
 
-            The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).
+            The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include greater than (>), less than (<), double quotation marks ("), or slash (/).
 
             If you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.
 
@@ -9156,7 +9156,7 @@ class CfnService(
 
             For example ``awsVpcConfiguration={subnets=["subnet-12344321"],securityGroups=["sg-12344321"]}`` .
 
-            :param assign_public_ip: Whether the task's elastic network interface receives a public IP address. The default value is ``ENABLED`` .
+            :param assign_public_ip: Whether the task's elastic network interface receives a public IP address. Consider the following when you set this value: - When you use ``create-service`` or ``update-service`` , the default is ``DISABLED`` . - When the service ``deploymentController`` is ``ECS`` , the value must be ``DISABLED`` . - When you use ``create-service`` or ``update-service`` , the default is ``ENABLED`` .
             :param security_groups: The IDs of the security groups associated with the task or service. If you don't specify a security group, the default security group for the VPC is used. There's a limit of 5 security groups that can be specified. .. epigraph:: All specified security groups must be from the same VPC.
             :param subnets: The IDs of the subnets associated with the task or service. There's a limit of 16 subnets that can be specified. .. epigraph:: All specified subnets must be from the same VPC.
 
@@ -9192,7 +9192,11 @@ class CfnService(
         def assign_public_ip(self) -> typing.Optional[builtins.str]:
             '''Whether the task's elastic network interface receives a public IP address.
 
-            The default value is ``ENABLED`` .
+            Consider the following when you set this value:
+
+            - When you use ``create-service`` or ``update-service`` , the default is ``DISABLED`` .
+            - When the service ``deploymentController`` is ``ECS`` , the value must be ``DISABLED`` .
+            - When you use ``create-service`` or ``update-service`` , the default is ``ENABLED`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-service-awsvpcconfiguration.html#cfn-ecs-service-awsvpcconfiguration-assignpublicip
             '''
@@ -12717,7 +12721,7 @@ class CfnTaskDefinition(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param container_definitions: A list of container definitions in JSON format that describe the different containers that make up your task. For more information about container definition parameters and defaults, see `Amazon ECS Task Definitions <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_defintions.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
-        :param cpu: The number of ``cpu`` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the ``memory`` parameter. If you use the EC2 launch type, this field is optional. Supported values are between ``128`` CPU units ( ``0.125`` vCPUs) and ``10240`` CPU units ( ``10`` vCPUs). The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate. - 256 (.25 vCPU) - Available ``memory`` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) - 512 (.5 vCPU) - Available ``memory`` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) - 1024 (1 vCPU) - Available ``memory`` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) - 2048 (2 vCPU) - Available ``memory`` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) - 4096 (4 vCPU) - Available ``memory`` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) - 8192 (8 vCPU) - Available ``memory`` values: 16 GB and 60 GB in 4 GB increments This option requires Linux platform ``1.4.0`` or later. - 16384 (16vCPU) - Available ``memory`` values: 32GB and 120 GB in 8 GB increments This option requires Linux platform ``1.4.0`` or later.
+        :param cpu: The number of ``cpu`` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the ``memory`` parameter. If you're using the EC2 launch type or the external launch type, this field is optional. Supported values are between ``128`` CPU units ( ``0.125`` vCPUs) and ``196608`` CPU units ( ``192`` vCPUs). The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate. - 256 (.25 vCPU) - Available ``memory`` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) - 512 (.5 vCPU) - Available ``memory`` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) - 1024 (1 vCPU) - Available ``memory`` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) - 2048 (2 vCPU) - Available ``memory`` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) - 4096 (4 vCPU) - Available ``memory`` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) - 8192 (8 vCPU) - Available ``memory`` values: 16 GB and 60 GB in 4 GB increments This option requires Linux platform ``1.4.0`` or later. - 16384 (16vCPU) - Available ``memory`` values: 32GB and 120 GB in 8 GB increments This option requires Linux platform ``1.4.0`` or later.
         :param enable_fault_injection: Enables fault injection and allows for fault injection requests to be accepted from the task's containers. The default value is ``false`` .
         :param ephemeral_storage: The ephemeral storage settings to use for tasks run with the task definition.
         :param execution_role_arn: The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf. For informationabout the required IAM roles for Amazon ECS, see `IAM roles for Amazon ECS <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-ecs-iam-role-overview.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
@@ -17556,7 +17560,7 @@ class CfnTaskDefinitionProps:
         '''Properties for defining a ``CfnTaskDefinition``.
 
         :param container_definitions: A list of container definitions in JSON format that describe the different containers that make up your task. For more information about container definition parameters and defaults, see `Amazon ECS Task Definitions <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_defintions.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
-        :param cpu: The number of ``cpu`` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the ``memory`` parameter. If you use the EC2 launch type, this field is optional. Supported values are between ``128`` CPU units ( ``0.125`` vCPUs) and ``10240`` CPU units ( ``10`` vCPUs). The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate. - 256 (.25 vCPU) - Available ``memory`` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) - 512 (.5 vCPU) - Available ``memory`` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) - 1024 (1 vCPU) - Available ``memory`` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) - 2048 (2 vCPU) - Available ``memory`` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) - 4096 (4 vCPU) - Available ``memory`` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) - 8192 (8 vCPU) - Available ``memory`` values: 16 GB and 60 GB in 4 GB increments This option requires Linux platform ``1.4.0`` or later. - 16384 (16vCPU) - Available ``memory`` values: 32GB and 120 GB in 8 GB increments This option requires Linux platform ``1.4.0`` or later.
+        :param cpu: The number of ``cpu`` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the ``memory`` parameter. If you're using the EC2 launch type or the external launch type, this field is optional. Supported values are between ``128`` CPU units ( ``0.125`` vCPUs) and ``196608`` CPU units ( ``192`` vCPUs). The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate. - 256 (.25 vCPU) - Available ``memory`` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) - 512 (.5 vCPU) - Available ``memory`` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) - 1024 (1 vCPU) - Available ``memory`` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) - 2048 (2 vCPU) - Available ``memory`` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) - 4096 (4 vCPU) - Available ``memory`` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) - 8192 (8 vCPU) - Available ``memory`` values: 16 GB and 60 GB in 4 GB increments This option requires Linux platform ``1.4.0`` or later. - 16384 (16vCPU) - Available ``memory`` values: 32GB and 120 GB in 8 GB increments This option requires Linux platform ``1.4.0`` or later.
         :param enable_fault_injection: Enables fault injection and allows for fault injection requests to be accepted from the task's containers. The default value is ``false`` .
         :param ephemeral_storage: The ephemeral storage settings to use for tasks run with the task definition.
         :param execution_role_arn: The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf. For informationabout the required IAM roles for Amazon ECS, see `IAM roles for Amazon ECS <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-ecs-iam-role-overview.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
@@ -17880,9 +17884,7 @@ class CfnTaskDefinitionProps:
 
         If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the ``memory`` parameter.
 
-        If you use the EC2 launch type, this field is optional. Supported values are between ``128`` CPU units ( ``0.125`` vCPUs) and ``10240`` CPU units ( ``10`` vCPUs).
-
-        The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate.
+        If you're using the EC2 launch type or the external launch type, this field is optional. Supported values are between ``128`` CPU units ( ``0.125`` vCPUs) and ``196608`` CPU units ( ``192`` vCPUs). The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate.
 
         - 256 (.25 vCPU) - Available ``memory`` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB)
         - 512 (.5 vCPU) - Available ``memory`` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB)
@@ -18555,7 +18557,7 @@ class CfnTaskSet(
             For example ``awsVpcConfiguration={subnets=["subnet-12344321"],securityGroups=["sg-12344321"]}`` .
 
             :param subnets: The IDs of the subnets associated with the task or service. There's a limit of 16 subnets that can be specified. .. epigraph:: All specified subnets must be from the same VPC.
-            :param assign_public_ip: Whether the task's elastic network interface receives a public IP address. The default value is ``ENABLED`` .
+            :param assign_public_ip: Whether the task's elastic network interface receives a public IP address. Consider the following when you set this value: - When you use ``create-service`` or ``update-service`` , the default is ``DISABLED`` . - When the service ``deploymentController`` is ``ECS`` , the value must be ``DISABLED`` . - When you use ``create-service`` or ``update-service`` , the default is ``ENABLED`` .
             :param security_groups: The IDs of the security groups associated with the task or service. If you don't specify a security group, the default security group for the VPC is used. There's a limit of 5 security groups that can be specified. .. epigraph:: All specified security groups must be from the same VPC.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskset-awsvpcconfiguration.html
@@ -18607,7 +18609,11 @@ class CfnTaskSet(
         def assign_public_ip(self) -> typing.Optional[builtins.str]:
             '''Whether the task's elastic network interface receives a public IP address.
 
-            The default value is ``ENABLED`` .
+            Consider the following when you set this value:
+
+            - When you use ``create-service`` or ``update-service`` , the default is ``DISABLED`` .
+            - When the service ``deploymentController`` is ``ECS`` , the value must be ``DISABLED`` .
+            - When you use ``create-service`` or ``update-service`` , the default is ``ENABLED`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskset-awsvpcconfiguration.html#cfn-ecs-taskset-awsvpcconfiguration-assignpublicip
             '''

aws_cdk/aws_eks/__init__.py

@@ -9464,7 +9464,9 @@ class CfnNodegroup(
 ):
     '''Creates a managed node group for an Amazon EKS cluster.
 
-    You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template. For more information about using launch templates, see `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ .
+    You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template.
+
+    For later updates, you will only be able to update a node group using a launch template only if it was originally deployed with a launch template. Additionally, the launch template ID or name must match what was used when the node group was created. You can update the launch template version with necessary changes. For more information about using launch templates, see `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ .
 
     An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. For more information, see `Managed node groups <https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html>`_ in the *Amazon EKS User Guide* .
     .. epigraph::
@@ -9570,7 +9572,7 @@ class CfnNodegroup(
         :param force_update_enabled: Force the update if any ``Pod`` on the existing node group can't be drained due to a ``Pod`` disruption budget issue. If an update fails because all Pods can't be drained, you can force the update after it fails to terminate the old node whether or not any ``Pod`` is running on the node. Default: - false
         :param instance_types: Specify the instance types for a node group. If you specify a GPU instance type, make sure to also specify an applicable GPU AMI type with the ``amiType`` parameter. If you specify ``launchTemplate`` , then you can specify zero or one instance type in your launch template *or* you can specify 0-20 instance types for ``instanceTypes`` . If however, you specify an instance type in your launch template *and* specify any ``instanceTypes`` , the node group deployment will fail. If you don't specify an instance type in a launch template or for ``instanceTypes`` , then ``t3.medium`` is used, by default. If you specify ``Spot`` for ``capacityType`` , then we recommend specifying multiple values for ``instanceTypes`` . For more information, see `Managed node group capacity types <https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html#managed-node-group-capacity-types>`_ and `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ in the *Amazon EKS User Guide* .
         :param labels: The Kubernetes ``labels`` applied to the nodes in the node group. .. epigraph:: Only ``labels`` that are applied with the Amazon EKS API are shown here. There may be other Kubernetes ``labels`` applied to the nodes in this group.
-        :param launch_template: An object representing a node group's launch template specification. When using this object, don't directly specify ``instanceTypes`` , ``diskSize`` , or ``remoteAccess`` . Make sure that the launch template meets the requirements in ``launchTemplateSpecification`` . Also refer to `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ in the *Amazon EKS User Guide* .
+        :param launch_template: An object representing a node group's launch template specification. When using this object, don't directly specify ``instanceTypes`` , ``diskSize`` , or ``remoteAccess`` . You cannot later specify a different launch template ID or name than what was used to create the node group. Make sure that the launch template meets the requirements in ``launchTemplateSpecification`` . Also refer to `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ in the *Amazon EKS User Guide* .
         :param nodegroup_name: The unique name to give your node group.
         :param node_repair_config: The node auto repair configuration for the node group.
         :param release_version: The AMI version of the Amazon EKS optimized AMI to use with your node group (for example, ``1.14.7- *YYYYMMDD*`` ). By default, the latest available AMI version for the node group's current Kubernetes version is used. For more information, see `Amazon EKS optimized Linux AMI Versions <https://docs.aws.amazon.com/eks/latest/userguide/eks-linux-ami-versions.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: Changing this value triggers an update of the node group if one is available. You can't update other properties at the same time as updating ``Release Version`` .
@@ -9994,9 +9996,9 @@ class CfnNodegroup(
 
             You must specify either the launch template ID or the launch template name in the request, but not both.
 
-            :param id: The ID of the launch template. You must specify either the launch template ID or the launch template name in the request, but not both.
-            :param name: The name of the launch template. You must specify either the launch template name or the launch template ID in the request, but not both.
-            :param version: The version number of the launch template to use. If no version is specified, then the template's default version is used.
+            :param id: The ID of the launch template. You must specify either the launch template ID or the launch template name in the request, but not both. After node group creation, you cannot use a different ID.
+            :param name: The name of the launch template. You must specify either the launch template name or the launch template ID in the request, but not both. After node group creation, you cannot use a different name.
+            :param version: The version number of the launch template to use. If no version is specified, then the template's default version is used. You can use a different version for node group updates.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-launchtemplatespecification.html
             :exampleMetadata: fixture=_generated
@@ -10030,7 +10032,7 @@ class CfnNodegroup(
         def id(self) -> typing.Optional[builtins.str]:
             '''The ID of the launch template.
 
-            You must specify either the launch template ID or the launch template name in the request, but not both.
+            You must specify either the launch template ID or the launch template name in the request, but not both. After node group creation, you cannot use a different ID.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-launchtemplatespecification.html#cfn-eks-nodegroup-launchtemplatespecification-id
             '''
@@ -10041,7 +10043,7 @@ class CfnNodegroup(
         def name(self) -> typing.Optional[builtins.str]:
             '''The name of the launch template.
 
-            You must specify either the launch template name or the launch template ID in the request, but not both.
+            You must specify either the launch template name or the launch template ID in the request, but not both. After node group creation, you cannot use a different name.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-launchtemplatespecification.html#cfn-eks-nodegroup-launchtemplatespecification-name
             '''
@@ -10052,7 +10054,7 @@ class CfnNodegroup(
         def version(self) -> typing.Optional[builtins.str]:
             '''The version number of the launch template to use.
 
-            If no version is specified, then the template's default version is used.
+            If no version is specified, then the template's default version is used. You can use a different version for node group updates.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-launchtemplatespecification.html#cfn-eks-nodegroup-launchtemplatespecification-version
             '''
@@ -10555,7 +10557,7 @@ class CfnNodegroupProps:
         :param force_update_enabled: Force the update if any ``Pod`` on the existing node group can't be drained due to a ``Pod`` disruption budget issue. If an update fails because all Pods can't be drained, you can force the update after it fails to terminate the old node whether or not any ``Pod`` is running on the node. Default: - false
         :param instance_types: Specify the instance types for a node group. If you specify a GPU instance type, make sure to also specify an applicable GPU AMI type with the ``amiType`` parameter. If you specify ``launchTemplate`` , then you can specify zero or one instance type in your launch template *or* you can specify 0-20 instance types for ``instanceTypes`` . If however, you specify an instance type in your launch template *and* specify any ``instanceTypes`` , the node group deployment will fail. If you don't specify an instance type in a launch template or for ``instanceTypes`` , then ``t3.medium`` is used, by default. If you specify ``Spot`` for ``capacityType`` , then we recommend specifying multiple values for ``instanceTypes`` . For more information, see `Managed node group capacity types <https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html#managed-node-group-capacity-types>`_ and `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ in the *Amazon EKS User Guide* .
         :param labels: The Kubernetes ``labels`` applied to the nodes in the node group. .. epigraph:: Only ``labels`` that are applied with the Amazon EKS API are shown here. There may be other Kubernetes ``labels`` applied to the nodes in this group.
-        :param launch_template: An object representing a node group's launch template specification. When using this object, don't directly specify ``instanceTypes`` , ``diskSize`` , or ``remoteAccess`` . Make sure that the launch template meets the requirements in ``launchTemplateSpecification`` . Also refer to `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ in the *Amazon EKS User Guide* .
+        :param launch_template: An object representing a node group's launch template specification. When using this object, don't directly specify ``instanceTypes`` , ``diskSize`` , or ``remoteAccess`` . You cannot later specify a different launch template ID or name than what was used to create the node group. Make sure that the launch template meets the requirements in ``launchTemplateSpecification`` . Also refer to `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ in the *Amazon EKS User Guide* .
         :param nodegroup_name: The unique name to give your node group.
         :param node_repair_config: The node auto repair configuration for the node group.
         :param release_version: The AMI version of the Amazon EKS optimized AMI to use with your node group (for example, ``1.14.7- *YYYYMMDD*`` ). By default, the latest available AMI version for the node group's current Kubernetes version is used. For more information, see `Amazon EKS optimized Linux AMI Versions <https://docs.aws.amazon.com/eks/latest/userguide/eks-linux-ami-versions.html>`_ in the *Amazon EKS User Guide* . .. epigraph:: Changing this value triggers an update of the node group if one is available. You can't update other properties at the same time as updating ``Release Version`` .
@@ -10797,7 +10799,9 @@ class CfnNodegroupProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnNodegroup.LaunchTemplateSpecificationProperty]]:
         '''An object representing a node group's launch template specification.
 
-        When using this object, don't directly specify ``instanceTypes`` , ``diskSize`` , or ``remoteAccess`` . Make sure that the launch template meets the requirements in ``launchTemplateSpecification`` . Also refer to `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ in the *Amazon EKS User Guide* .
+        When using this object, don't directly specify ``instanceTypes`` , ``diskSize`` , or ``remoteAccess`` . You cannot later specify a different launch template ID or name than what was used to create the node group.
+
+        Make sure that the launch template meets the requirements in ``launchTemplateSpecification`` . Also refer to `Customizing managed nodes with launch templates <https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html>`_ in the *Amazon EKS User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html#cfn-eks-nodegroup-launchtemplate
         '''