aws-cdk-lib 2.184.1__py3-none-any.whl → 2.186.0__py3-none-any.whl

aws_cdk/aws_iam/__init__.py

@@ -1342,7 +1342,8 @@ class CfnAccessKey(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The ID for this access key.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -2492,7 +2493,8 @@ class CfnManagedPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrAttachmentCount")
     def attr_attachment_count(self) -> jsii.Number:
-        '''
+        '''The number of principal entities (users, groups, and roles) that the policy is attached to.
+
         :cloudformationAttribute: AttachmentCount
         '''
         return typing.cast(jsii.Number, jsii.get(self, "attrAttachmentCount"))
@@ -2500,7 +2502,8 @@ class CfnManagedPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrCreateDate")
     def attr_create_date(self) -> builtins.str:
-        '''
+        '''The date and time, in `ISO 8601 date-time format <https://docs.aws.amazon.com/http://www.iso.org/iso/iso8601>`_ , when the policy was created.
+
         :cloudformationAttribute: CreateDate
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrCreateDate"))
@@ -2508,7 +2511,10 @@ class CfnManagedPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrDefaultVersionId")
     def attr_default_version_id(self) -> builtins.str:
-        '''
+        '''The identifier for the version of the policy that is set as the default (operative) version.
+
+        For more information about policy versions, see `Versioning for managed policies <https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-versions.html>`_ in the *IAM User Guide* .
+
         :cloudformationAttribute: DefaultVersionId
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrDefaultVersionId"))
@@ -2516,7 +2522,8 @@ class CfnManagedPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrIsAttachable")
     def attr_is_attachable(self) -> _IResolvable_da3f097b:
-        '''
+        '''Specifies whether the policy can be attached to an IAM user, group, or role.
+
         :cloudformationAttribute: IsAttachable
         '''
         return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrIsAttachable"))
@@ -2524,7 +2531,10 @@ class CfnManagedPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrPermissionsBoundaryUsageCount")
     def attr_permissions_boundary_usage_count(self) -> jsii.Number:
-        '''
+        '''The number of entities (users and roles) for which the policy is used as the permissions boundary.
+
+        For more information about permissions boundaries, see `Permissions boundaries for IAM identities <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html>`_ in the *IAM User Guide* .
+
         :cloudformationAttribute: PermissionsBoundaryUsageCount
         '''
         return typing.cast(jsii.Number, jsii.get(self, "attrPermissionsBoundaryUsageCount"))
@@ -2532,7 +2542,10 @@ class CfnManagedPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrPolicyArn")
     def attr_policy_arn(self) -> builtins.str:
-        '''
+        '''The Amazon Resource Name (ARN) of the managed policy that you want information about.
+
+        For more information about ARNs, see `Amazon Resource Names (ARNs) <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html>`_ in the *AWS General Reference* .
+
         :cloudformationAttribute: PolicyArn
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrPolicyArn"))
@@ -2540,7 +2553,10 @@ class CfnManagedPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrPolicyId")
     def attr_policy_id(self) -> builtins.str:
-        '''
+        '''The stable and unique string identifying the policy.
+
+        For more information about IDs, see `IAM identifiers <https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html>`_ in the *IAM User Guide* .
+
         :cloudformationAttribute: PolicyId
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrPolicyId"))
@@ -2548,7 +2564,10 @@ class CfnManagedPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrUpdateDate")
     def attr_update_date(self) -> builtins.str:
-        '''
+        '''The date and time, in `ISO 8601 date-time format <https://docs.aws.amazon.com/http://www.iso.org/iso/iso8601>`_ , when the policy was last updated.
+
+        When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.
+
         :cloudformationAttribute: UpdateDate
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrUpdateDate"))
@@ -3274,7 +3293,10 @@ class CfnPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The stable and unique string identifying the policy.
+
+        For more information about IDs, see `IAM identifiers <https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html>`_ in the *IAM User Guide* .
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -4405,10 +4427,10 @@ class CfnSAMLProvider(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param add_private_key: The private key from your external identity provider.
-        :param assertion_encryption_mode: The encryption setting for the SAML provider.
+        :param add_private_key: Specifies the new private key from your external identity provider. The private key must be a .pem file that uses AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.
+        :param assertion_encryption_mode: Specifies the encryption setting for the SAML provider.
         :param name: The name of the provider to create. This parameter allows (through its `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
-        :param private_key_list: 
+        :param private_key_list: The private key metadata for the SAML provider.
         :param remove_private_key: The Key ID of the private key to remove.
         :param saml_metadata_document: An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP. For more information, see `About SAML 2.0-based federation <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html>`_ in the *IAM User Guide*
         :param tags: A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see `Tagging IAM resources <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html>`_ in the *IAM User Guide* . .. epigraph:: If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
@@ -4491,7 +4513,7 @@ class CfnSAMLProvider(
     @builtins.property
     @jsii.member(jsii_name="addPrivateKey")
     def add_private_key(self) -> typing.Optional[builtins.str]:
-        '''The private key from your external identity provider.'''
+        '''Specifies the new private key from your external identity provider.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "addPrivateKey"))
 
     @add_private_key.setter
@@ -4504,7 +4526,7 @@ class CfnSAMLProvider(
     @builtins.property
     @jsii.member(jsii_name="assertionEncryptionMode")
     def assertion_encryption_mode(self) -> typing.Optional[builtins.str]:
-        '''The encryption setting for the SAML provider.'''
+        '''Specifies the encryption setting for the SAML provider.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "assertionEncryptionMode"))
 
     @assertion_encryption_mode.setter
@@ -4532,6 +4554,7 @@ class CfnSAMLProvider(
     def private_key_list(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnSAMLProvider.SAMLPrivateKeyProperty"]]]]:
+        '''The private key metadata for the SAML provider.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnSAMLProvider.SAMLPrivateKeyProperty"]]]], jsii.get(self, "privateKeyList"))
 
     @private_key_list.setter
@@ -4590,10 +4613,12 @@ class CfnSAMLProvider(
     )
     class SAMLPrivateKeyProperty:
         def __init__(self, *, key_id: builtins.str, timestamp: builtins.str) -> None:
-            '''The private key metadata for the SAML provider.
+            '''Contains the private keys for the SAML provider.
+
+            This data type is used as a response element in the `GetSAMLProvider <https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetSAMLProvider.html>`_ operation.
 
             :param key_id: The unique identifier for the SAML private key.
-            :param timestamp: The date and time, in <a href="http://www.iso.org/iso/iso8601">ISO 8601 date-time format, when the private key was uploaded.
+            :param timestamp: The date and time, in `ISO 8601 date-time <https://docs.aws.amazon.com/http://www.iso.org/iso/iso8601>`_ format, when the private key was uploaded.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-samlprovider-samlprivatekey.html
             :exampleMetadata: fixture=_generated
@@ -4630,7 +4655,7 @@ class CfnSAMLProvider(
 
         @builtins.property
         def timestamp(self) -> builtins.str:
-            '''The date and time, in <a href="http://www.iso.org/iso/iso8601">ISO 8601 date-time  format, when the private key was uploaded.
+            '''The date and time, in `ISO 8601 date-time <https://docs.aws.amazon.com/http://www.iso.org/iso/iso8601>`_ format, when the private key was uploaded.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-samlprovider-samlprivatekey.html#cfn-iam-samlprovider-samlprivatekey-timestamp
             '''
@@ -4677,10 +4702,10 @@ class CfnSAMLProviderProps:
     ) -> None:
         '''Properties for defining a ``CfnSAMLProvider``.
 
-        :param add_private_key: The private key from your external identity provider.
-        :param assertion_encryption_mode: The encryption setting for the SAML provider.
+        :param add_private_key: Specifies the new private key from your external identity provider. The private key must be a .pem file that uses AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.
+        :param assertion_encryption_mode: Specifies the encryption setting for the SAML provider.
         :param name: The name of the provider to create. This parameter allows (through its `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
-        :param private_key_list: 
+        :param private_key_list: The private key metadata for the SAML provider.
         :param remove_private_key: The Key ID of the private key to remove.
         :param saml_metadata_document: An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP. For more information, see `About SAML 2.0-based federation <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html>`_ in the *IAM User Guide*
         :param tags: A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see `Tagging IAM resources <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html>`_ in the *IAM User Guide* . .. epigraph:: If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
@@ -4737,7 +4762,9 @@ class CfnSAMLProviderProps:
 
     @builtins.property
     def add_private_key(self) -> typing.Optional[builtins.str]:
-        '''The private key from your external identity provider.
+        '''Specifies the new private key from your external identity provider.
+
+        The private key must be a .pem file that uses AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-addprivatekey
         '''
@@ -4746,7 +4773,7 @@ class CfnSAMLProviderProps:
 
     @builtins.property
     def assertion_encryption_mode(self) -> typing.Optional[builtins.str]:
-        '''The encryption setting for the SAML provider.
+        '''Specifies the encryption setting for the SAML provider.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-assertionencryptionmode
         '''
@@ -4768,7 +4795,8 @@ class CfnSAMLProviderProps:
     def private_key_list(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnSAMLProvider.SAMLPrivateKeyProperty]]]]:
-        '''
+        '''The private key metadata for the SAML provider.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-privatekeylist
         '''
         result = self._values.get("private_key_list")
@@ -6388,7 +6416,10 @@ class CfnUserToGroupAddition(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The stable and unique string identifying the group.
+
+        For more information about IDs, see `IAM identifiers <https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html>`_ in the *IAM User Guide* .
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -7347,6 +7378,87 @@ class Grant(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_iam.Grant"):
         detach_grant = volume.grant_detach_volume_by_resource_tag(instance.grant_principal, [instance])
     '''
 
+    @jsii.member(jsii_name="addStatementToResourcePolicy")
+    @builtins.classmethod
+    def add_statement_to_resource_policy(
+        cls,
+        *,
+        statement: "PolicyStatement",
+        resource: "IResourceWithPolicy",
+        resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
+        actions: typing.Sequence[builtins.str],
+        grantee: "IGrantable",
+        resource_arns: typing.Sequence[builtins.str],
+        conditions: typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]] = None,
+    ) -> "Grant":
+        '''Add a pre-constructed policy statement to the resource's policy.
+
+        This method provides direct, low-level control over the initial policy statement being added.
+        It is useful when you need to:
+
+        - Add complex policy statements that can't be expressed through other grant methods
+        - Specify the initial structure of the policy statement
+        - Add statements with custom conditions or other advanced IAM features
+
+        Important differences from other grant methods:
+
+        - Only modifies the resource policy, never modifies any principal's policy
+        - Takes a complete PolicyStatement rather than constructing one from parameters
+        - Always attempts to add the statement, regardless of principal type or account
+        - Does not attempt any automatic principal/resource policy selection logic
+
+        Note: The final form of the policy statement in the resource's policy may differ
+        from the provided statement, depending on the resource's implementation of
+        addToResourcePolicy.
+
+        :param statement: The policy statement to add to the resource's policy. This statement will be passed to the resource's addToResourcePolicy method. The actual handling of the statement depends on the specific IResourceWithPolicy implementation.
+        :param resource: The resource with a resource policy. The statement will be added to the resource policy if it couldn't be added to the principal policy.
+        :param resource_self_arns: When referring to the resource in a resource policy, use this as ARN. (Depending on the resource type, this needs to be '*' in a resource policy). Default: Same as regular resource ARNs
+        :param actions: The actions to grant.
+        :param grantee: The principal to grant to. Default: if principal is undefined, no work is done.
+        :param resource_arns: The resource ARNs to grant to.
+        :param conditions: Any conditions to attach to the grant. Default: - No conditions
+
+        :return: A Grant object representing the result of the operation
+
+        Example::
+
+            # grantee: iam.IGrantable
+            # actions: List[str]
+            # resource_arns: List[str]
+            # bucket: s3.Bucket
+            
+            
+            statement = iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=actions,
+                principals=[iam.ServicePrincipal("lambda.amazonaws.com")],
+                conditions={
+                    "StringEquals": {
+                        "aws:SourceAccount": Stack.of(self).account
+                    }
+                }
+            )
+            iam.Grant.add_statement_to_resource_policy(
+                grantee=grantee,
+                actions=actions,
+                resource_arns=resource_arns,
+                resource=bucket,
+                statement=statement
+            )
+        '''
+        options = GrantPolicyWithResourceOptions(
+            statement=statement,
+            resource=resource,
+            resource_self_arns=resource_self_arns,
+            actions=actions,
+            grantee=grantee,
+            resource_arns=resource_arns,
+            conditions=conditions,
+        )
+
+        return typing.cast("Grant", jsii.sinvoke(cls, "addStatementToResourcePolicy", [options]))
+
     @jsii.member(jsii_name="addToPrincipal")
     @builtins.classmethod
     def add_to_principal(
@@ -12012,6 +12124,175 @@ class AccessKey(
         return typing.cast(_SecretValue_3dd0ddae, jsii.get(self, "secretAccessKey"))
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_iam.GrantPolicyWithResourceOptions",
+    jsii_struct_bases=[GrantWithResourceOptions],
+    name_mapping={
+        "actions": "actions",
+        "grantee": "grantee",
+        "resource_arns": "resourceArns",
+        "conditions": "conditions",
+        "resource": "resource",
+        "resource_self_arns": "resourceSelfArns",
+        "statement": "statement",
+    },
+)
+class GrantPolicyWithResourceOptions(GrantWithResourceOptions):
+    def __init__(
+        self,
+        *,
+        actions: typing.Sequence[builtins.str],
+        grantee: IGrantable,
+        resource_arns: typing.Sequence[builtins.str],
+        conditions: typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]] = None,
+        resource: IResourceWithPolicy,
+        resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
+        statement: PolicyStatement,
+    ) -> None:
+        '''Options for a grant operation that directly adds a policy statement to a resource.
+
+        This differs from GrantWithResourceOptions in that it requires a pre-constructed
+        PolicyStatement rather than constructing one from individual permissions.
+        Use this when you need fine-grained control over the initial policy statement's contents.
+
+        :param actions: The actions to grant.
+        :param grantee: The principal to grant to. Default: if principal is undefined, no work is done.
+        :param resource_arns: The resource ARNs to grant to.
+        :param conditions: Any conditions to attach to the grant. Default: - No conditions
+        :param resource: The resource with a resource policy. The statement will be added to the resource policy if it couldn't be added to the principal policy.
+        :param resource_self_arns: When referring to the resource in a resource policy, use this as ARN. (Depending on the resource type, this needs to be '*' in a resource policy). Default: Same as regular resource ARNs
+        :param statement: The policy statement to add to the resource's policy. This statement will be passed to the resource's addToResourcePolicy method. The actual handling of the statement depends on the specific IResourceWithPolicy implementation.
+
+        :exampleMetadata: infused
+
+        Example::
+
+            # grantee: iam.IGrantable
+            # actions: List[str]
+            # resource_arns: List[str]
+            # bucket: s3.Bucket
+            
+            
+            statement = iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=actions,
+                principals=[iam.ServicePrincipal("lambda.amazonaws.com")],
+                conditions={
+                    "StringEquals": {
+                        "aws:SourceAccount": Stack.of(self).account
+                    }
+                }
+            )
+            iam.Grant.add_statement_to_resource_policy(
+                grantee=grantee,
+                actions=actions,
+                resource_arns=resource_arns,
+                resource=bucket,
+                statement=statement
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0475ec23892b6dacf8e0426b204cca68a4091056bb08c20a72dbc06d2aedcf5e)
+            check_type(argname="argument actions", value=actions, expected_type=type_hints["actions"])
+            check_type(argname="argument grantee", value=grantee, expected_type=type_hints["grantee"])
+            check_type(argname="argument resource_arns", value=resource_arns, expected_type=type_hints["resource_arns"])
+            check_type(argname="argument conditions", value=conditions, expected_type=type_hints["conditions"])
+            check_type(argname="argument resource", value=resource, expected_type=type_hints["resource"])
+            check_type(argname="argument resource_self_arns", value=resource_self_arns, expected_type=type_hints["resource_self_arns"])
+            check_type(argname="argument statement", value=statement, expected_type=type_hints["statement"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "actions": actions,
+            "grantee": grantee,
+            "resource_arns": resource_arns,
+            "resource": resource,
+            "statement": statement,
+        }
+        if conditions is not None:
+            self._values["conditions"] = conditions
+        if resource_self_arns is not None:
+            self._values["resource_self_arns"] = resource_self_arns
+
+    @builtins.property
+    def actions(self) -> typing.List[builtins.str]:
+        '''The actions to grant.'''
+        result = self._values.get("actions")
+        assert result is not None, "Required property 'actions' is missing"
+        return typing.cast(typing.List[builtins.str], result)
+
+    @builtins.property
+    def grantee(self) -> IGrantable:
+        '''The principal to grant to.
+
+        :default: if principal is undefined, no work is done.
+        '''
+        result = self._values.get("grantee")
+        assert result is not None, "Required property 'grantee' is missing"
+        return typing.cast(IGrantable, result)
+
+    @builtins.property
+    def resource_arns(self) -> typing.List[builtins.str]:
+        '''The resource ARNs to grant to.'''
+        result = self._values.get("resource_arns")
+        assert result is not None, "Required property 'resource_arns' is missing"
+        return typing.cast(typing.List[builtins.str], result)
+
+    @builtins.property
+    def conditions(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]]:
+        '''Any conditions to attach to the grant.
+
+        :default: - No conditions
+        '''
+        result = self._values.get("conditions")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]], result)
+
+    @builtins.property
+    def resource(self) -> IResourceWithPolicy:
+        '''The resource with a resource policy.
+
+        The statement will be added to the resource policy if it couldn't be
+        added to the principal policy.
+        '''
+        result = self._values.get("resource")
+        assert result is not None, "Required property 'resource' is missing"
+        return typing.cast(IResourceWithPolicy, result)
+
+    @builtins.property
+    def resource_self_arns(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''When referring to the resource in a resource policy, use this as ARN.
+
+        (Depending on the resource type, this needs to be '*' in a resource policy).
+
+        :default: Same as regular resource ARNs
+        '''
+        result = self._values.get("resource_self_arns")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    @builtins.property
+    def statement(self) -> PolicyStatement:
+        '''The policy statement to add to the resource's policy.
+
+        This statement will be passed to the resource's addToResourcePolicy method.
+        The actual handling of the statement depends on the specific IResourceWithPolicy
+        implementation.
+        '''
+        result = self._values.get("statement")
+        assert result is not None, "Required property 'statement' is missing"
+        return typing.cast(PolicyStatement, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "GrantPolicyWithResourceOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IAssumeRolePrincipal")
 class IAssumeRolePrincipal(IPrincipal, typing_extensions.Protocol):
     '''A type of principal that has more control over its own representation in AssumeRolePolicyDocuments.
@@ -15075,6 +15356,7 @@ __all__ = [
     "Grant",
     "GrantOnPrincipalAndResourceOptions",
     "GrantOnPrincipalOptions",
+    "GrantPolicyWithResourceOptions",
     "GrantWithResourceOptions",
     "Group",
     "GroupProps",
@@ -16855,6 +17137,19 @@ def _typecheckingstub__604f514db426465dbc092293e7b2e46f5358ddb17770a96f51ef7e6a5
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__0475ec23892b6dacf8e0426b204cca68a4091056bb08c20a72dbc06d2aedcf5e(
+    *,
+    actions: typing.Sequence[builtins.str],
+    grantee: IGrantable,
+    resource_arns: typing.Sequence[builtins.str],
+    conditions: typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]] = None,
+    resource: IResourceWithPolicy,
+    resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
+    statement: PolicyStatement,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__2773dd1c98b9bb45b356173892f3248a430e55c5ab0a22cb6e5df0bcdaa898a5(
     document: PolicyDocument,
 ) -> None:

aws_cdk/aws_imagebuilder/__init__.py

@@ -63,6 +63,7 @@ from .. import (
     IInspectable as _IInspectable_c2943556,
     IResolvable as _IResolvable_da3f097b,
     ITaggable as _ITaggable_36806126,
+    ITaggableV2 as _ITaggableV2_4e6798f8,
     TagManager as _TagManager_0a598cb3,
     TreeInspector as _TreeInspector_488e0dd5,
 )
@@ -7626,7 +7627,7 @@ class CfnInfrastructureConfigurationProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
 class CfnLifecyclePolicy(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -7788,6 +7789,12 @@ class CfnLifecyclePolicy(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrArn"))
 
+    @builtins.property
+    @jsii.member(jsii_name="cdkTagManager")
+    def cdk_tag_manager(self) -> _TagManager_0a598cb3:
+        '''Tag Manager which manages the tags for this resource.'''
+        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "cdkTagManager"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -8996,7 +9003,7 @@ class CfnLifecyclePolicyProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
 class CfnWorkflow(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -9116,6 +9123,12 @@ class CfnWorkflow(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrArn"))
 
+    @builtins.property
+    @jsii.member(jsii_name="cdkTagManager")
+    def cdk_tag_manager(self) -> _TagManager_0a598cb3:
+        '''Tag Manager which manages the tags for this resource.'''
+        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "cdkTagManager"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:

aws_cdk/aws_iotfleetwise/__init__.py

@@ -3356,7 +3356,7 @@ class CfnDecoderManifest(
             :param offset: The offset used to calculate the signal value. Combined with factor, the calculation is ``value = raw_value * factor + offset`` .
             :param start_bit: Indicates the beginning of the CAN message.
             :param name: The name of the signal.
-            :param signal_value_type: 
+            :param signal_value_type: The value type of the signal. The default value is ``INTEGER`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iotfleetwise-decodermanifest-cansignal.html
             :exampleMetadata: fixture=_generated
@@ -3489,7 +3489,10 @@ class CfnDecoderManifest(
 
         @builtins.property
         def signal_value_type(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The value type of the signal.
+
+            The default value is ``INTEGER`` .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iotfleetwise-decodermanifest-cansignal.html#cfn-iotfleetwise-decodermanifest-cansignal-signalvaluetype
             '''
             result = self._values.get("signal_value_type")
@@ -4058,8 +4061,8 @@ class CfnDecoderManifest(
             :param start_byte: Indicates the beginning of the message.
             :param bit_mask_length: The number of bits to mask in a message.
             :param bit_right_shift: The number of positions to shift bits in the message.
-            :param is_signed: 
-            :param signal_value_type: 
+            :param is_signed: Determines whether the message is signed ( ``true`` ) or not ( ``false`` ). If it's signed, the message can represent both positive and negative numbers. The ``isSigned`` parameter only applies to the ``INTEGER`` raw signal type, and it doesn't affect the ``FLOATING_POINT`` raw signal type. The default value is ``false`` .
+            :param signal_value_type: The value type of the signal. The default value is ``INTEGER`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iotfleetwise-decodermanifest-obdsignal.html
             :exampleMetadata: fixture=_generated
@@ -4211,7 +4214,10 @@ class CfnDecoderManifest(
         def is_signed(
             self,
         ) -> typing.Optional[typing.Union[builtins.str, builtins.bool, _IResolvable_da3f097b]]:
-            '''
+            '''Determines whether the message is signed ( ``true`` ) or not ( ``false`` ).
+
+            If it's signed, the message can represent both positive and negative numbers. The ``isSigned`` parameter only applies to the ``INTEGER`` raw signal type, and it doesn't affect the ``FLOATING_POINT`` raw signal type. The default value is ``false`` .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iotfleetwise-decodermanifest-obdsignal.html#cfn-iotfleetwise-decodermanifest-obdsignal-issigned
             '''
             result = self._values.get("is_signed")
@@ -4219,7 +4225,10 @@ class CfnDecoderManifest(
 
         @builtins.property
         def signal_value_type(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The value type of the signal.
+
+            The default value is ``INTEGER`` .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iotfleetwise-decodermanifest-obdsignal.html#cfn-iotfleetwise-decodermanifest-obdsignal-signalvaluetype
             '''
             result = self._values.get("signal_value_type")