aws-cdk-lib 2.186.0__py3-none-any.whl → 2.188.0__py3-none-any.whl

aws_cdk/aws_eks/__init__.py

@@ -2046,6 +2046,20 @@ cluster = eks.Cluster(self, "Cluster",
 )
 ```
 
+## NodeGroup Repair Config
+
+You can enable Managed Node Group [auto-repair config](https://docs.aws.amazon.com/eks/latest/userguide/node-health.html#node-auto-repair) using `enableNodeAutoRepair`
+property. For example:
+
+```python
+# cluster: eks.Cluster
+
+
+cluster.add_nodegroup_capacity("NodeGroup",
+    enable_node_auto_repair=True
+)
+```
+
 ## Known Issues and Limitations
 
 * [One cluster per stack](https://github.com/aws/aws-cdk/issues/10073)
@@ -5950,6 +5964,7 @@ class CfnCluster(
                 ),
                 resources=["resources"]
             )],
+            force=False,
             kubernetes_network_config=eks.CfnCluster.KubernetesNetworkConfigProperty(
                 elastic_load_balancing=eks.CfnCluster.ElasticLoadBalancingProperty(
                     enabled=False
@@ -6015,6 +6030,7 @@ class CfnCluster(
         bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         compute_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.ComputeConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.EncryptionConfigProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+        force: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.KubernetesNetworkConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         logging: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCluster.LoggingProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         name: typing.Optional[builtins.str] = None,
@@ -6035,11 +6051,12 @@ class CfnCluster(
         :param bootstrap_self_managed_addons: If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed. The default networking addons include vpc-cni, coredns, and kube-proxy. Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
         :param compute_config: Indicates the current configuration of the compute capability on your EKS Auto Mode cluster. For example, if the capability is enabled or disabled. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your AWS account. For more information, see EKS Auto Mode compute capability in the *Amazon EKS User Guide* .
         :param encryption_config: The encryption configuration for the cluster.
+        :param force: Set this value to ``true`` to override upgrade-blocking readiness checks when updating a cluster. Default: - false
         :param kubernetes_network_config: The Kubernetes network configuration for the cluster.
         :param logging: The logging configuration for your cluster.
         :param name: The unique name to give to your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the AWS Region and AWS account that you're creating the cluster in. Note that underscores can't be used in AWS CloudFormation .
         :param outpost_config: An object representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This object isn't available for clusters on the AWS cloud.
-        :param remote_network_config: The configuration in the cluster for EKS Hybrid Nodes. You can't change or update this configuration after the cluster is created.
+        :param remote_network_config: The configuration in the cluster for EKS Hybrid Nodes. You can add, change, or remove this configuration after the cluster is created.
         :param storage_config: Indicates the current configuration of the block storage capability on your EKS Auto Mode cluster. For example, if the capability is enabled or disabled. If the block storage capability is enabled, EKS Auto Mode will create and delete EBS volumes in your AWS account. For more information, see EKS Auto Mode block storage capability in the *Amazon EKS User Guide* .
         :param tags: The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Cluster tags don't propagate to any other resources associated with the cluster. .. epigraph:: You must have the ``eks:TagResource`` and ``eks:UntagResource`` permissions for your `IAM principal <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html>`_ to manage the AWS CloudFormation stack. If you don't have these permissions, there might be unexpected behavior with stack-level tags propagating to the resource during resource creation and update.
         :param upgrade_policy: This value indicates if extended support is enabled or disabled for the cluster. `Learn more about EKS Extended Support in the *Amazon EKS User Guide* . <https://docs.aws.amazon.com/eks/latest/userguide/extended-support-control.html>`_
@@ -6057,6 +6074,7 @@ class CfnCluster(
             bootstrap_self_managed_addons=bootstrap_self_managed_addons,
             compute_config=compute_config,
             encryption_config=encryption_config,
+            force=force,
             kubernetes_network_config=kubernetes_network_config,
             logging=logging,
             name=name,
@@ -6295,6 +6313,24 @@ class CfnCluster(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "encryptionConfig", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="force")
+    def force(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Set this value to ``true`` to override upgrade-blocking readiness checks when updating a cluster.'''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "force"))
+
+    @force.setter
+    def force(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ec11778764d939bb12cbec68a418a76be768d7a638339c5189ae6cfe44059ebd)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "force", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="kubernetesNetworkConfig")
     def kubernetes_network_config(
@@ -7378,7 +7414,7 @@ class CfnCluster(
         ) -> None:
             '''The configuration in the cluster for EKS Hybrid Nodes.
 
-            You can't change or update this configuration after the cluster is created.
+            You can add, change, or remove this configuration after the cluster is created.
 
             :param remote_node_networks: The list of network CIDRs that can contain hybrid nodes. These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range. - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect . - Each host must allow outbound connection to the EKS cluster control plane on TCP ports ``443`` and ``10250`` . - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations. - Each host must allow TCP and UDP network connectivity to and from other hosts that are running ``CoreDNS`` on UDP port ``53`` for service and pod DNS names.
             :param remote_pod_networks: The list of network CIDRs that can contain pods that run Kubernetes webhooks on hybrid nodes. These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations. Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, ``10.2.0.0/16`` ). It must satisfy the following requirements: - Each block must be within an ``IPv4`` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported. - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
@@ -7955,6 +7991,7 @@ class CfnCluster(
         "bootstrap_self_managed_addons": "bootstrapSelfManagedAddons",
         "compute_config": "computeConfig",
         "encryption_config": "encryptionConfig",
+        "force": "force",
         "kubernetes_network_config": "kubernetesNetworkConfig",
         "logging": "logging",
         "name": "name",
@@ -7977,6 +8014,7 @@ class CfnClusterProps:
         bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         compute_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.ComputeConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.EncryptionConfigProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+        force: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.KubernetesNetworkConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         logging: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.LoggingProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         name: typing.Optional[builtins.str] = None,
@@ -7996,11 +8034,12 @@ class CfnClusterProps:
         :param bootstrap_self_managed_addons: If you set this value to ``False`` when creating a cluster, the default networking add-ons will not be installed. The default networking addons include vpc-cni, coredns, and kube-proxy. Use this option when you plan to install third-party alternative add-ons or self-manage the default networking add-ons.
         :param compute_config: Indicates the current configuration of the compute capability on your EKS Auto Mode cluster. For example, if the capability is enabled or disabled. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your AWS account. For more information, see EKS Auto Mode compute capability in the *Amazon EKS User Guide* .
         :param encryption_config: The encryption configuration for the cluster.
+        :param force: Set this value to ``true`` to override upgrade-blocking readiness checks when updating a cluster. Default: - false
         :param kubernetes_network_config: The Kubernetes network configuration for the cluster.
         :param logging: The logging configuration for your cluster.
         :param name: The unique name to give to your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the AWS Region and AWS account that you're creating the cluster in. Note that underscores can't be used in AWS CloudFormation .
         :param outpost_config: An object representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This object isn't available for clusters on the AWS cloud.
-        :param remote_network_config: The configuration in the cluster for EKS Hybrid Nodes. You can't change or update this configuration after the cluster is created.
+        :param remote_network_config: The configuration in the cluster for EKS Hybrid Nodes. You can add, change, or remove this configuration after the cluster is created.
         :param storage_config: Indicates the current configuration of the block storage capability on your EKS Auto Mode cluster. For example, if the capability is enabled or disabled. If the block storage capability is enabled, EKS Auto Mode will create and delete EBS volumes in your AWS account. For more information, see EKS Auto Mode block storage capability in the *Amazon EKS User Guide* .
         :param tags: The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Cluster tags don't propagate to any other resources associated with the cluster. .. epigraph:: You must have the ``eks:TagResource`` and ``eks:UntagResource`` permissions for your `IAM principal <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html>`_ to manage the AWS CloudFormation stack. If you don't have these permissions, there might be unexpected behavior with stack-level tags propagating to the resource during resource creation and update.
         :param upgrade_policy: This value indicates if extended support is enabled or disabled for the cluster. `Learn more about EKS Extended Support in the *Amazon EKS User Guide* . <https://docs.aws.amazon.com/eks/latest/userguide/extended-support-control.html>`_
@@ -8045,6 +8084,7 @@ class CfnClusterProps:
                     ),
                     resources=["resources"]
                 )],
+                force=False,
                 kubernetes_network_config=eks.CfnCluster.KubernetesNetworkConfigProperty(
                     elastic_load_balancing=eks.CfnCluster.ElasticLoadBalancingProperty(
                         enabled=False
@@ -8106,6 +8146,7 @@ class CfnClusterProps:
             check_type(argname="argument bootstrap_self_managed_addons", value=bootstrap_self_managed_addons, expected_type=type_hints["bootstrap_self_managed_addons"])
             check_type(argname="argument compute_config", value=compute_config, expected_type=type_hints["compute_config"])
             check_type(argname="argument encryption_config", value=encryption_config, expected_type=type_hints["encryption_config"])
+            check_type(argname="argument force", value=force, expected_type=type_hints["force"])
             check_type(argname="argument kubernetes_network_config", value=kubernetes_network_config, expected_type=type_hints["kubernetes_network_config"])
             check_type(argname="argument logging", value=logging, expected_type=type_hints["logging"])
             check_type(argname="argument name", value=name, expected_type=type_hints["name"])
@@ -8128,6 +8169,8 @@ class CfnClusterProps:
             self._values["compute_config"] = compute_config
         if encryption_config is not None:
             self._values["encryption_config"] = encryption_config
+        if force is not None:
+            self._values["force"] = force
         if kubernetes_network_config is not None:
             self._values["kubernetes_network_config"] = kubernetes_network_config
         if logging is not None:
@@ -8225,6 +8268,19 @@ class CfnClusterProps:
         result = self._values.get("encryption_config")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnCluster.EncryptionConfigProperty]]]], result)
 
+    @builtins.property
+    def force(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Set this value to ``true`` to override upgrade-blocking readiness checks when updating a cluster.
+
+        :default: - false
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-force
+        '''
+        result = self._values.get("force")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
     @builtins.property
     def kubernetes_network_config(
         self,
@@ -8277,7 +8333,7 @@ class CfnClusterProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnCluster.RemoteNetworkConfigProperty]]:
         '''The configuration in the cluster for EKS Hybrid Nodes.
 
-        You can't change or update this configuration after the cluster is created.
+        You can add, change, or remove this configuration after the cluster is created.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-remotenetworkconfig
         '''
@@ -10977,10 +11033,12 @@ class CfnPodIdentityAssociation(
             service_account="serviceAccount",
         
             # the properties below are optional
+            disable_session_tags=False,
             tags=[CfnTag(
                 key="key",
                 value="value"
-            )]
+            )],
+            target_role_arn="targetRoleArn"
         )
     '''
 
@@ -10993,7 +11051,9 @@ class CfnPodIdentityAssociation(
         namespace: builtins.str,
         role_arn: builtins.str,
         service_account: builtins.str,
+        disable_session_tags: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+        target_role_arn: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
@@ -11002,7 +11062,9 @@ class CfnPodIdentityAssociation(
         :param namespace: The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.
         :param role_arn: The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
         :param service_account: The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
+        :param disable_session_tags: The Disable Session Tags of the pod identity association.
         :param tags: Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources. The following basic restrictions apply to tags: - Maximum number of tags per resource – 50 - For each resource, each tag key must be unique, and each tag key can have only one value. - Maximum key length – 128 Unicode characters in UTF-8 - Maximum value length – 256 Unicode characters in UTF-8 - If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : /
+        :param target_role_arn: The Target Role Arn of the pod identity association.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__be8311b6089cea26f85c63a586f0c5b063230a1b4a96ffcd4c6c983a331d8652)
@@ -11013,7 +11075,9 @@ class CfnPodIdentityAssociation(
             namespace=namespace,
             role_arn=role_arn,
             service_account=service_account,
+            disable_session_tags=disable_session_tags,
             tags=tags,
+            target_role_arn=target_role_arn,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -11066,6 +11130,15 @@ class CfnPodIdentityAssociation(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrAssociationId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrExternalId")
+    def attr_external_id(self) -> builtins.str:
+        '''The External Id of the pod identity association.
+
+        :cloudformationAttribute: ExternalId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrExternalId"))
+
     @builtins.property
     @jsii.member(jsii_name="cdkTagManager")
     def cdk_tag_manager(self) -> _TagManager_0a598cb3:
@@ -11129,6 +11202,24 @@ class CfnPodIdentityAssociation(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "serviceAccount", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="disableSessionTags")
+    def disable_session_tags(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''The Disable Session Tags of the pod identity association.'''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "disableSessionTags"))
+
+    @disable_session_tags.setter
+    def disable_session_tags(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__cb3dbe4cc3b44e9265bbfe13e41235db909b0c1dc0e052b3bdda07fd4b228e8b)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "disableSessionTags", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
@@ -11142,6 +11233,19 @@ class CfnPodIdentityAssociation(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "tags", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="targetRoleArn")
+    def target_role_arn(self) -> typing.Optional[builtins.str]:
+        '''The Target Role Arn of the pod identity association.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "targetRoleArn"))
+
+    @target_role_arn.setter
+    def target_role_arn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__cb6220c6db8cf93a8a307b1ba0630d6bc64b4a09325e7cfe5854228aa75ff833)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "targetRoleArn", value) # pyright: ignore[reportArgumentType]
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_eks.CfnPodIdentityAssociationProps",
@@ -11151,7 +11255,9 @@ class CfnPodIdentityAssociation(
         "namespace": "namespace",
         "role_arn": "roleArn",
         "service_account": "serviceAccount",
+        "disable_session_tags": "disableSessionTags",
         "tags": "tags",
+        "target_role_arn": "targetRoleArn",
     },
 )
 class CfnPodIdentityAssociationProps:
@@ -11162,7 +11268,9 @@ class CfnPodIdentityAssociationProps:
         namespace: builtins.str,
         role_arn: builtins.str,
         service_account: builtins.str,
+        disable_session_tags: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+        target_role_arn: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Properties for defining a ``CfnPodIdentityAssociation``.
 
@@ -11170,7 +11278,9 @@ class CfnPodIdentityAssociationProps:
         :param namespace: The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.
         :param role_arn: The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account.
         :param service_account: The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
+        :param disable_session_tags: The Disable Session Tags of the pod identity association.
         :param tags: Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources. The following basic restrictions apply to tags: - Maximum number of tags per resource – 50 - For each resource, each tag key must be unique, and each tag key can have only one value. - Maximum key length – 128 Unicode characters in UTF-8 - Maximum value length – 256 Unicode characters in UTF-8 - If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : /
+        :param target_role_arn: The Target Role Arn of the pod identity association.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-podidentityassociation.html
         :exampleMetadata: fixture=_generated
@@ -11188,10 +11298,12 @@ class CfnPodIdentityAssociationProps:
                 service_account="serviceAccount",
             
                 # the properties below are optional
+                disable_session_tags=False,
                 tags=[CfnTag(
                     key="key",
                     value="value"
-                )]
+                )],
+                target_role_arn="targetRoleArn"
             )
         '''
         if __debug__:
@@ -11200,15 +11312,21 @@ class CfnPodIdentityAssociationProps:
             check_type(argname="argument namespace", value=namespace, expected_type=type_hints["namespace"])
             check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
             check_type(argname="argument service_account", value=service_account, expected_type=type_hints["service_account"])
+            check_type(argname="argument disable_session_tags", value=disable_session_tags, expected_type=type_hints["disable_session_tags"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
+            check_type(argname="argument target_role_arn", value=target_role_arn, expected_type=type_hints["target_role_arn"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "cluster_name": cluster_name,
             "namespace": namespace,
             "role_arn": role_arn,
             "service_account": service_account,
         }
+        if disable_session_tags is not None:
+            self._values["disable_session_tags"] = disable_session_tags
         if tags is not None:
             self._values["tags"] = tags
+        if target_role_arn is not None:
+            self._values["target_role_arn"] = target_role_arn
 
     @builtins.property
     def cluster_name(self) -> builtins.str:
@@ -11254,6 +11372,17 @@ class CfnPodIdentityAssociationProps:
         assert result is not None, "Required property 'service_account' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def disable_session_tags(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''The Disable Session Tags of the pod identity association.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-podidentityassociation.html#cfn-eks-podidentityassociation-disablesessiontags
+        '''
+        result = self._values.get("disable_session_tags")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
         '''Metadata that assists with categorization and organization.
@@ -11279,6 +11408,15 @@ class CfnPodIdentityAssociationProps:
         result = self._values.get("tags")
         return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
 
+    @builtins.property
+    def target_role_arn(self) -> typing.Optional[builtins.str]:
+        '''The Target Role Arn of the pod identity association.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-podidentityassociation.html#cfn-eks-podidentityassociation-targetrolearn
+        '''
+        result = self._values.get("target_role_arn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -15871,6 +16009,7 @@ class Nodegroup(
             capacity_type=eks.CapacityType.SPOT,
             desired_size=123,
             disk_size=123,
+            enable_node_auto_repair=False,
             force_update=False,
             instance_types=[instance_type],
             labels={
@@ -15924,6 +16063,7 @@ class Nodegroup(
         capacity_type: typing.Optional[CapacityType] = None,
         desired_size: typing.Optional[jsii.Number] = None,
         disk_size: typing.Optional[jsii.Number] = None,
+        enable_node_auto_repair: typing.Optional[builtins.bool] = None,
         force_update: typing.Optional[builtins.bool] = None,
         instance_types: typing.Optional[typing.Sequence[_InstanceType_f64915b9]] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -15948,6 +16088,7 @@ class Nodegroup(
         :param capacity_type: The capacity type of the nodegroup. Default: - ON_DEMAND
         :param desired_size: The current number of worker nodes that the managed node group should maintain. If not specified, the nodewgroup will initially create ``minSize`` instances. Default: 2
         :param disk_size: The root device disk size (in GiB) for your node group instances. Default: 20
+        :param enable_node_auto_repair: Specifies whether to enable node auto repair for the node group. Node auto repair is disabled by default. Default: - disabled
         :param force_update: Force the update if the existing node group's pods are unable to be drained due to a pod disruption budget issue. If an update fails because pods could not be drained, you can force the update after it fails to terminate the old node whether or not any pods are running on the node. Default: true
         :param instance_types: The instance types to use for your node group. Default: t3.medium will be used according to the cloudformation document.
         :param labels: The Kubernetes labels to be applied to the nodes in the node group when they are created. Default: - None
@@ -15974,6 +16115,7 @@ class Nodegroup(
             capacity_type=capacity_type,
             desired_size=desired_size,
             disk_size=disk_size,
+            enable_node_auto_repair=enable_node_auto_repair,
             force_update=force_update,
             instance_types=instance_types,
             labels=labels,
@@ -16084,6 +16226,10 @@ class NodegroupAmiType(enum.Enum):
     '''Bottlerocket Linux with Nvidia-GPU support (ARM-64).'''
     BOTTLEROCKET_X86_64_NVIDIA = "BOTTLEROCKET_X86_64_NVIDIA"
     '''Bottlerocket with Nvidia-GPU support (x86-64).'''
+    BOTTLEROCKET_ARM_64_FIPS = "BOTTLEROCKET_ARM_64_FIPS"
+    '''Bottlerocket Linux (ARM-64) with FIPS enabled.'''
+    BOTTLEROCKET_X86_64_FIPS = "BOTTLEROCKET_X86_64_FIPS"
+    '''Bottlerocket (x86-64) with FIPS enabled.'''
     WINDOWS_CORE_2019_X86_64 = "WINDOWS_CORE_2019_X86_64"
     '''Windows Core 2019 (x86-64).'''
     WINDOWS_CORE_2022_X86_64 = "WINDOWS_CORE_2022_X86_64"
@@ -16110,6 +16256,7 @@ class NodegroupAmiType(enum.Enum):
         "capacity_type": "capacityType",
         "desired_size": "desiredSize",
         "disk_size": "diskSize",
+        "enable_node_auto_repair": "enableNodeAutoRepair",
         "force_update": "forceUpdate",
         "instance_types": "instanceTypes",
         "labels": "labels",
@@ -16135,6 +16282,7 @@ class NodegroupOptions:
         capacity_type: typing.Optional[CapacityType] = None,
         desired_size: typing.Optional[jsii.Number] = None,
         disk_size: typing.Optional[jsii.Number] = None,
+        enable_node_auto_repair: typing.Optional[builtins.bool] = None,
         force_update: typing.Optional[builtins.bool] = None,
         instance_types: typing.Optional[typing.Sequence[_InstanceType_f64915b9]] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -16157,6 +16305,7 @@ class NodegroupOptions:
         :param capacity_type: The capacity type of the nodegroup. Default: - ON_DEMAND
         :param desired_size: The current number of worker nodes that the managed node group should maintain. If not specified, the nodewgroup will initially create ``minSize`` instances. Default: 2
         :param disk_size: The root device disk size (in GiB) for your node group instances. Default: 20
+        :param enable_node_auto_repair: Specifies whether to enable node auto repair for the node group. Node auto repair is disabled by default. Default: - disabled
         :param force_update: Force the update if the existing node group's pods are unable to be drained due to a pod disruption budget issue. If an update fails because pods could not be drained, you can force the update after it fails to terminate the old node whether or not any pods are running on the node. Default: true
         :param instance_types: The instance types to use for your node group. Default: t3.medium will be used according to the cloudformation document.
         :param labels: The Kubernetes labels to be applied to the nodes in the node group when they are created. Default: - None
@@ -16201,6 +16350,7 @@ class NodegroupOptions:
             check_type(argname="argument capacity_type", value=capacity_type, expected_type=type_hints["capacity_type"])
             check_type(argname="argument desired_size", value=desired_size, expected_type=type_hints["desired_size"])
             check_type(argname="argument disk_size", value=disk_size, expected_type=type_hints["disk_size"])
+            check_type(argname="argument enable_node_auto_repair", value=enable_node_auto_repair, expected_type=type_hints["enable_node_auto_repair"])
             check_type(argname="argument force_update", value=force_update, expected_type=type_hints["force_update"])
             check_type(argname="argument instance_types", value=instance_types, expected_type=type_hints["instance_types"])
             check_type(argname="argument labels", value=labels, expected_type=type_hints["labels"])
@@ -16225,6 +16375,8 @@ class NodegroupOptions:
             self._values["desired_size"] = desired_size
         if disk_size is not None:
             self._values["disk_size"] = disk_size
+        if enable_node_auto_repair is not None:
+            self._values["enable_node_auto_repair"] = enable_node_auto_repair
         if force_update is not None:
             self._values["force_update"] = force_update
         if instance_types is not None:
@@ -16298,6 +16450,19 @@ class NodegroupOptions:
         result = self._values.get("disk_size")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def enable_node_auto_repair(self) -> typing.Optional[builtins.bool]:
+        '''Specifies whether to enable node auto repair for the node group.
+
+        Node auto repair is disabled by default.
+
+        :default: - disabled
+
+        :see: https://docs.aws.amazon.com/eks/latest/userguide/node-health.html#node-auto-repair
+        '''
+        result = self._values.get("enable_node_auto_repair")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def force_update(self) -> typing.Optional[builtins.bool]:
         '''Force the update if the existing node group's pods are unable to be drained due to a pod disruption budget issue.
@@ -16495,6 +16660,7 @@ class NodegroupOptions:
         "capacity_type": "capacityType",
         "desired_size": "desiredSize",
         "disk_size": "diskSize",
+        "enable_node_auto_repair": "enableNodeAutoRepair",
         "force_update": "forceUpdate",
         "instance_types": "instanceTypes",
         "labels": "labels",
@@ -16521,6 +16687,7 @@ class NodegroupProps(NodegroupOptions):
         capacity_type: typing.Optional[CapacityType] = None,
         desired_size: typing.Optional[jsii.Number] = None,
         disk_size: typing.Optional[jsii.Number] = None,
+        enable_node_auto_repair: typing.Optional[builtins.bool] = None,
         force_update: typing.Optional[builtins.bool] = None,
         instance_types: typing.Optional[typing.Sequence[_InstanceType_f64915b9]] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -16544,6 +16711,7 @@ class NodegroupProps(NodegroupOptions):
         :param capacity_type: The capacity type of the nodegroup. Default: - ON_DEMAND
         :param desired_size: The current number of worker nodes that the managed node group should maintain. If not specified, the nodewgroup will initially create ``minSize`` instances. Default: 2
         :param disk_size: The root device disk size (in GiB) for your node group instances. Default: 20
+        :param enable_node_auto_repair: Specifies whether to enable node auto repair for the node group. Node auto repair is disabled by default. Default: - disabled
         :param force_update: Force the update if the existing node group's pods are unable to be drained due to a pod disruption budget issue. If an update fails because pods could not be drained, you can force the update after it fails to terminate the old node whether or not any pods are running on the node. Default: true
         :param instance_types: The instance types to use for your node group. Default: t3.medium will be used according to the cloudformation document.
         :param labels: The Kubernetes labels to be applied to the nodes in the node group when they are created. Default: - None
@@ -16586,6 +16754,7 @@ class NodegroupProps(NodegroupOptions):
                 capacity_type=eks.CapacityType.SPOT,
                 desired_size=123,
                 disk_size=123,
+                enable_node_auto_repair=False,
                 force_update=False,
                 instance_types=[instance_type],
                 labels={
@@ -16640,6 +16809,7 @@ class NodegroupProps(NodegroupOptions):
             check_type(argname="argument capacity_type", value=capacity_type, expected_type=type_hints["capacity_type"])
             check_type(argname="argument desired_size", value=desired_size, expected_type=type_hints["desired_size"])
             check_type(argname="argument disk_size", value=disk_size, expected_type=type_hints["disk_size"])
+            check_type(argname="argument enable_node_auto_repair", value=enable_node_auto_repair, expected_type=type_hints["enable_node_auto_repair"])
             check_type(argname="argument force_update", value=force_update, expected_type=type_hints["force_update"])
             check_type(argname="argument instance_types", value=instance_types, expected_type=type_hints["instance_types"])
             check_type(argname="argument labels", value=labels, expected_type=type_hints["labels"])
@@ -16667,6 +16837,8 @@ class NodegroupProps(NodegroupOptions):
             self._values["desired_size"] = desired_size
         if disk_size is not None:
             self._values["disk_size"] = disk_size
+        if enable_node_auto_repair is not None:
+            self._values["enable_node_auto_repair"] = enable_node_auto_repair
         if force_update is not None:
             self._values["force_update"] = force_update
         if instance_types is not None:
@@ -16740,6 +16912,19 @@ class NodegroupProps(NodegroupOptions):
         result = self._values.get("disk_size")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def enable_node_auto_repair(self) -> typing.Optional[builtins.bool]:
+        '''Specifies whether to enable node auto repair for the node group.
+
+        Node auto repair is disabled by default.
+
+        :default: - disabled
+
+        :see: https://docs.aws.amazon.com/eks/latest/userguide/node-health.html#node-auto-repair
+        '''
+        result = self._values.get("enable_node_auto_repair")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def force_update(self) -> typing.Optional[builtins.bool]:
         '''Force the update if the existing node group's pods are unable to be drained due to a pod disruption budget issue.
@@ -18770,6 +18955,7 @@ class Cluster(
         capacity_type: typing.Optional[CapacityType] = None,
         desired_size: typing.Optional[jsii.Number] = None,
         disk_size: typing.Optional[jsii.Number] = None,
+        enable_node_auto_repair: typing.Optional[builtins.bool] = None,
         force_update: typing.Optional[builtins.bool] = None,
         instance_types: typing.Optional[typing.Sequence[_InstanceType_f64915b9]] = None,
         labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -18795,6 +18981,7 @@ class Cluster(
         :param capacity_type: The capacity type of the nodegroup. Default: - ON_DEMAND
         :param desired_size: The current number of worker nodes that the managed node group should maintain. If not specified, the nodewgroup will initially create ``minSize`` instances. Default: 2
         :param disk_size: The root device disk size (in GiB) for your node group instances. Default: 20
+        :param enable_node_auto_repair: Specifies whether to enable node auto repair for the node group. Node auto repair is disabled by default. Default: - disabled
         :param force_update: Force the update if the existing node group's pods are unable to be drained due to a pod disruption budget issue. If an update fails because pods could not be drained, you can force the update after it fails to terminate the old node whether or not any pods are running on the node. Default: true
         :param instance_types: The instance types to use for your node group. Default: t3.medium will be used according to the cloudformation document.
         :param labels: The Kubernetes labels to be applied to the nodes in the node group when they are created. Default: - None
@@ -18821,6 +19008,7 @@ class Cluster(
             capacity_type=capacity_type,
             desired_size=desired_size,
             disk_size=disk_size,
+            enable_node_auto_repair=enable_node_auto_repair,
             force_update=force_update,
             instance_types=instance_types,
             labels=labels,
@@ -21891,6 +22079,7 @@ def _typecheckingstub__d3e62a858014f3867f3039d1328d57223fb0d16e3fb6d1e2d79279938
     bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     compute_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.ComputeConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.EncryptionConfigProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    force: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.KubernetesNetworkConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     logging: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.LoggingProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     name: typing.Optional[builtins.str] = None,
@@ -21953,6 +22142,12 @@ def _typecheckingstub__b161fda542258d1cd8a20fecd3943cacecb658f19ab16b918baf49908
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__ec11778764d939bb12cbec68a418a76be768d7a638339c5189ae6cfe44059ebd(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__1a14e543582631e80cb6fc2093270dba17f568b8779b381e3bc7398bfafb6699(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnCluster.KubernetesNetworkConfigProperty]],
 ) -> None:
@@ -22168,6 +22363,7 @@ def _typecheckingstub__270f142a59c249328ab174c5b0484cfdae6e3110ab52578dbe783d6f8
     bootstrap_self_managed_addons: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     compute_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.ComputeConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     encryption_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.EncryptionConfigProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    force: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     kubernetes_network_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.KubernetesNetworkConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     logging: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCluster.LoggingProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     name: typing.Optional[builtins.str] = None,
@@ -22596,7 +22792,9 @@ def _typecheckingstub__be8311b6089cea26f85c63a586f0c5b063230a1b4a96ffcd4c6c983a3
     namespace: builtins.str,
     role_arn: builtins.str,
     service_account: builtins.str,
+    disable_session_tags: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    target_role_arn: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -22637,19 +22835,33 @@ def _typecheckingstub__ea3bb34348aff57e29a5352e7460510bda8dd51720dbf7d275297137f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__cb3dbe4cc3b44e9265bbfe13e41235db909b0c1dc0e052b3bdda07fd4b228e8b(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b0e0a0551adefc10761733af04b8c51e7dad6b483be9252882ecff10539c7dcc(
     value: typing.Optional[typing.List[_CfnTag_f6864754]],
 ) -> None:
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__cb6220c6db8cf93a8a307b1ba0630d6bc64b4a09325e7cfe5854228aa75ff833(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__40e8da56b529234cdbb596fa46af952a935adf744e907347861dfc232b89038b(
     *,
     cluster_name: builtins.str,
     namespace: builtins.str,
     role_arn: builtins.str,
     service_account: builtins.str,
+    disable_session_tags: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    target_role_arn: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -23029,6 +23241,7 @@ def _typecheckingstub__786fdb6d4c92794281e2a7ea4e6305e651a12884bcdc063cf6fe5a64c
     capacity_type: typing.Optional[CapacityType] = None,
     desired_size: typing.Optional[jsii.Number] = None,
     disk_size: typing.Optional[jsii.Number] = None,
+    enable_node_auto_repair: typing.Optional[builtins.bool] = None,
     force_update: typing.Optional[builtins.bool] = None,
     instance_types: typing.Optional[typing.Sequence[_InstanceType_f64915b9]] = None,
     labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -23062,6 +23275,7 @@ def _typecheckingstub__019154b49c40dcdcdd533db7688b958baf443f513473d96721969a0d5
     capacity_type: typing.Optional[CapacityType] = None,
     desired_size: typing.Optional[jsii.Number] = None,
     disk_size: typing.Optional[jsii.Number] = None,
+    enable_node_auto_repair: typing.Optional[builtins.bool] = None,
     force_update: typing.Optional[builtins.bool] = None,
     instance_types: typing.Optional[typing.Sequence[_InstanceType_f64915b9]] = None,
     labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -23087,6 +23301,7 @@ def _typecheckingstub__c522b5bc1207d683d19377a7c1fae066520518733e5dc4e1b4952f88c
     capacity_type: typing.Optional[CapacityType] = None,
     desired_size: typing.Optional[jsii.Number] = None,
     disk_size: typing.Optional[jsii.Number] = None,
+    enable_node_auto_repair: typing.Optional[builtins.bool] = None,
     force_update: typing.Optional[builtins.bool] = None,
     instance_types: typing.Optional[typing.Sequence[_InstanceType_f64915b9]] = None,
     labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
@@ -23451,6 +23666,7 @@ def _typecheckingstub__d3dbc0c0b7cb36fb532d2c452f5cac822b7564b4aa6f4490020610695
     capacity_type: typing.Optional[CapacityType] = None,
     desired_size: typing.Optional[jsii.Number] = None,
     disk_size: typing.Optional[jsii.Number] = None,
+    enable_node_auto_repair: typing.Optional[builtins.bool] = None,
     force_update: typing.Optional[builtins.bool] = None,
     instance_types: typing.Optional[typing.Sequence[_InstanceType_f64915b9]] = None,
     labels: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,