aws-cdk-lib 2.200.1__py3-none-any.whl → 2.201.0__py3-none-any.whl

aws_cdk/aws_synthetics/__init__.py

@@ -302,6 +302,29 @@ cloudwatch.Alarm(self, "CanaryAlarm",
 )
 ```
 
+### Performing safe canary updates
+
+You can configure a canary to first perform a dry run before applying any updates. The `dryRunAndUpdate` property can be used to safely update canaries by validating the changes before they're applied.
+This feature is supported for canary runtime versions `syn-nodejs-puppeteer-10.0+`, `syn-nodejs-playwright-2.0+`, and `syn-python-selenium-5.1+`.
+
+When `dryRunAndUpdate` is set to `true`, CDK will execute a dry run to validate the changes before applying them to the canary.
+If the dry run succeeds, the canary will be updated with the changes.
+If the dry run fails, the CloudFormation deployment will fail with the dry run's failure reason.
+
+```python
+canary = synthetics.Canary(self, "MyCanary",
+    schedule=synthetics.Schedule.rate(Duration.minutes(5)),
+    test=synthetics.Test.custom(
+        code=synthetics.Code.from_asset(path.join(__dirname, "canary")),
+        handler="index.handler"
+    ),
+    runtime=synthetics.Runtime.SYNTHETICS_PYTHON_SELENIUM_5_1,
+    dry_run_and_update=True
+)
+```
+
+For more information, see [Performing safe canary updates](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/performing-safe-canary-upgrades.html).
+
 ### Artifacts
 
 You can pass an S3 bucket to store artifacts from canary runs. If you do not,
@@ -573,6 +596,7 @@ class Canary(
         artifacts_bucket_location: typing.Optional[typing.Union[ArtifactsBucketLocation, typing.Dict[builtins.str, typing.Any]]] = None,
         canary_name: typing.Optional[builtins.str] = None,
         cleanup: typing.Optional["Cleanup"] = None,
+        dry_run_and_update: typing.Optional[builtins.bool] = None,
         environment_variables: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         failure_retention_period: typing.Optional[_Duration_4839e8c3] = None,
         memory: typing.Optional[_Size_7b441c34] = None,
@@ -599,6 +623,7 @@ class Canary(
         :param artifacts_bucket_location: The s3 location that stores the data of the canary runs. Default: - A new s3 bucket will be created without a prefix.
         :param canary_name: The name of the canary. Be sure to give it a descriptive name that distinguishes it from other canaries in your account. Do not include secrets or proprietary information in your canary name. The canary name makes up part of the canary ARN, which is included in outbound calls over the internet. Default: - A unique name will be generated from the construct ID
         :param cleanup: (deprecated) Specify the underlying resources to be cleaned up when the canary is deleted. Using ``Cleanup.LAMBDA`` will create a Custom Resource to achieve this. Default: Cleanup.NOTHING
+        :param dry_run_and_update: Specifies whether to perform a dry run before updating the canary. If set to true, CDK will execute a dry run to validate the changes before applying them to the canary. If the dry run succeeds, the canary will be updated with the changes. If the dry run fails, the CloudFormation deployment will fail with the dry run’s failure reason. If set to false or omitted, the canary will be updated directly without first performing a dry run. Default: undefined - AWS CloudWatch default is false
         :param environment_variables: Key-value pairs that the Synthetics caches and makes available for your canary scripts. Use environment variables to apply configuration changes, such as test and production environment configurations, without changing your Canary script source code. Default: - No environment variables.
         :param failure_retention_period: How many days should failed runs be retained. Default: Duration.days(31)
         :param memory: The maximum amount of memory that the canary can use while running. This value must be a multiple of 64 Mib. The range is 960 MiB to 3008 MiB. Default: Size.mebibytes(1024)
@@ -627,6 +652,7 @@ class Canary(
             artifacts_bucket_location=artifacts_bucket_location,
             canary_name=canary_name,
             cleanup=cleanup,
+            dry_run_and_update=dry_run_and_update,
             environment_variables=environment_variables,
             failure_retention_period=failure_retention_period,
             memory=memory,
@@ -849,6 +875,7 @@ class Canary(
         "artifacts_bucket_location": "artifactsBucketLocation",
         "canary_name": "canaryName",
         "cleanup": "cleanup",
+        "dry_run_and_update": "dryRunAndUpdate",
         "environment_variables": "environmentVariables",
         "failure_retention_period": "failureRetentionPeriod",
         "memory": "memory",
@@ -877,6 +904,7 @@ class CanaryProps:
         artifacts_bucket_location: typing.Optional[typing.Union[ArtifactsBucketLocation, typing.Dict[builtins.str, typing.Any]]] = None,
         canary_name: typing.Optional[builtins.str] = None,
         cleanup: typing.Optional["Cleanup"] = None,
+        dry_run_and_update: typing.Optional[builtins.bool] = None,
         environment_variables: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         failure_retention_period: typing.Optional[_Duration_4839e8c3] = None,
         memory: typing.Optional[_Size_7b441c34] = None,
@@ -902,6 +930,7 @@ class CanaryProps:
         :param artifacts_bucket_location: The s3 location that stores the data of the canary runs. Default: - A new s3 bucket will be created without a prefix.
         :param canary_name: The name of the canary. Be sure to give it a descriptive name that distinguishes it from other canaries in your account. Do not include secrets or proprietary information in your canary name. The canary name makes up part of the canary ARN, which is included in outbound calls over the internet. Default: - A unique name will be generated from the construct ID
         :param cleanup: (deprecated) Specify the underlying resources to be cleaned up when the canary is deleted. Using ``Cleanup.LAMBDA`` will create a Custom Resource to achieve this. Default: Cleanup.NOTHING
+        :param dry_run_and_update: Specifies whether to perform a dry run before updating the canary. If set to true, CDK will execute a dry run to validate the changes before applying them to the canary. If the dry run succeeds, the canary will be updated with the changes. If the dry run fails, the CloudFormation deployment will fail with the dry run’s failure reason. If set to false or omitted, the canary will be updated directly without first performing a dry run. Default: undefined - AWS CloudWatch default is false
         :param environment_variables: Key-value pairs that the Synthetics caches and makes available for your canary scripts. Use environment variables to apply configuration changes, such as test and production environment configurations, without changing your Canary script source code. Default: - No environment variables.
         :param failure_retention_period: How many days should failed runs be retained. Default: Duration.days(31)
         :param memory: The maximum amount of memory that the canary can use while running. This value must be a multiple of 64 Mib. The range is 960 MiB to 3008 MiB. Default: Size.mebibytes(1024)
@@ -948,6 +977,7 @@ class CanaryProps:
             check_type(argname="argument artifacts_bucket_location", value=artifacts_bucket_location, expected_type=type_hints["artifacts_bucket_location"])
             check_type(argname="argument canary_name", value=canary_name, expected_type=type_hints["canary_name"])
             check_type(argname="argument cleanup", value=cleanup, expected_type=type_hints["cleanup"])
+            check_type(argname="argument dry_run_and_update", value=dry_run_and_update, expected_type=type_hints["dry_run_and_update"])
             check_type(argname="argument environment_variables", value=environment_variables, expected_type=type_hints["environment_variables"])
             check_type(argname="argument failure_retention_period", value=failure_retention_period, expected_type=type_hints["failure_retention_period"])
             check_type(argname="argument memory", value=memory, expected_type=type_hints["memory"])
@@ -979,6 +1009,8 @@ class CanaryProps:
             self._values["canary_name"] = canary_name
         if cleanup is not None:
             self._values["cleanup"] = cleanup
+        if dry_run_and_update is not None:
+            self._values["dry_run_and_update"] = dry_run_and_update
         if environment_variables is not None:
             self._values["environment_variables"] = environment_variables
         if failure_retention_period is not None:
@@ -1122,6 +1154,23 @@ class CanaryProps:
         result = self._values.get("cleanup")
         return typing.cast(typing.Optional["Cleanup"], result)
 
+    @builtins.property
+    def dry_run_and_update(self) -> typing.Optional[builtins.bool]:
+        '''Specifies whether to perform a dry run before updating the canary.
+
+        If set to true, CDK will execute a dry run to validate the changes before applying them to the canary.
+        If the dry run succeeds, the canary will be updated with the changes.
+        If the dry run fails, the CloudFormation deployment will fail with the dry run’s failure reason.
+
+        If set to false or omitted, the canary will be updated directly without first performing a dry run.
+
+        :default: undefined - AWS CloudWatch default is false
+
+        :see: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/performing-safe-canary-upgrades.html
+        '''
+        result = self._values.get("dry_run_and_update")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def environment_variables(
         self,
@@ -3935,6 +3984,20 @@ class Runtime(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_synthetics.Run
         '''
         return typing.cast("Runtime", jsii.sget(cls, "SYNTHETICS_NODEJS_PLAYWRIGHT_1_0"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SYNTHETICS_NODEJS_PLAYWRIGHT_2_0")
+    def SYNTHETICS_NODEJS_PLAYWRIGHT_2_0(cls) -> "Runtime":
+        '''``syn-nodejs-playwright-2.0`` includes the following: - Lambda runtime Node.js 20.x - Playwright version 1.49.1 - Chromium version 131.0.6778.264.
+
+        New Features:
+
+        - The mismatch between total duration and sum of timings for a given request in HAR file is fixed.
+        - Supports dry runs for the canary which allows for adhoc executions or performing a safe canary update.
+
+        :see: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_nodejs_playwright.html#Synthetics_runtimeversion-syn-nodejs-playwright-2.0
+        '''
+        return typing.cast("Runtime", jsii.sget(cls, "SYNTHETICS_NODEJS_PLAYWRIGHT_2_0"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SYNTHETICS_NODEJS_PUPPETEER_3_5")
     def SYNTHETICS_NODEJS_PUPPETEER_3_5(cls) -> "Runtime":
@@ -4345,6 +4408,15 @@ class Runtime(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_synthetics.Run
         '''
         return typing.cast("Runtime", jsii.sget(cls, "SYNTHETICS_PYTHON_SELENIUM_5_1"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SYNTHETICS_PYTHON_SELENIUM_6_0")
+    def SYNTHETICS_PYTHON_SELENIUM_6_0(cls) -> "Runtime":
+        '''``syn-python-selenium-6.0`` includes the following: - Lambda runtime Python 3.11 - Selenium version 4.21.0 - Chromium version 131.0.6778.264.
+
+        :see: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html#CloudWatch_Synthetics_runtimeversion-syn-python-selenium-6.0
+        '''
+        return typing.cast("Runtime", jsii.sget(cls, "SYNTHETICS_PYTHON_SELENIUM_6_0"))
+
     @builtins.property
     @jsii.member(jsii_name="family")
     def family(self) -> "RuntimeFamily":
@@ -4748,6 +4820,7 @@ def _typecheckingstub__b3b6d76e5f93e31884e16cc00a9b4fc93e6782ff7db09c74aa1ef9346
     artifacts_bucket_location: typing.Optional[typing.Union[ArtifactsBucketLocation, typing.Dict[builtins.str, typing.Any]]] = None,
     canary_name: typing.Optional[builtins.str] = None,
     cleanup: typing.Optional[Cleanup] = None,
+    dry_run_and_update: typing.Optional[builtins.bool] = None,
     environment_variables: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     failure_retention_period: typing.Optional[_Duration_4839e8c3] = None,
     memory: typing.Optional[_Size_7b441c34] = None,
@@ -4776,6 +4849,7 @@ def _typecheckingstub__44ec0b14d52b66927d4daebe6f97bb070f3629bb0eb86e21668ca7862
     artifacts_bucket_location: typing.Optional[typing.Union[ArtifactsBucketLocation, typing.Dict[builtins.str, typing.Any]]] = None,
     canary_name: typing.Optional[builtins.str] = None,
     cleanup: typing.Optional[Cleanup] = None,
+    dry_run_and_update: typing.Optional[builtins.bool] = None,
     environment_variables: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     failure_retention_period: typing.Optional[_Duration_4839e8c3] = None,
     memory: typing.Optional[_Size_7b441c34] = None,

aws_cdk/aws_transfer/__init__.py

@@ -3940,7 +3940,7 @@ class CfnUser(
         :param role: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
         :param server_id: A system-assigned unique identifier for a server instance. This is the specific server that you added your user to.
         :param user_name: A unique string that identifies a user and is associated with a ``ServerId`` . This user name must be a minimum of 3 and a maximum of 100 characters long. The following are valid characters: a-z, A-Z, 0-9, underscore '_', hyphen '-', period '.', and at sign '@'. The user name can't start with a hyphen, period, or at sign.
-        :param home_directory: The landing directory (folder) for a user when they log in to the server using the client. A ``HomeDirectory`` example is ``/bucket_name/home/mydirectory`` . .. epigraph:: The ``HomeDirectory`` parameter is only used if ``HomeDirectoryType`` is set to ``PATH`` .
+        :param home_directory: The landing directory (folder) for a user when they log in to the server using the client. A ``HomeDirectory`` example is ``/bucket_name/home/mydirectory`` . .. epigraph:: You can use the ``HomeDirectory`` parameter for ``HomeDirectoryType`` when it is set to either ``PATH`` or ``LOGICAL`` .
         :param home_directory_mappings: Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the ``Entry`` and ``Target`` pair, where ``Entry`` shows how the path is made visible and ``Target`` is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in ``Target`` . This value can be set only when ``HomeDirectoryType`` is set to *LOGICAL* . The following is an ``Entry`` and ``Target`` pair example. ``[ { "Entry": "/directory1", "Target": "/bucket_name/home/mydirectory" } ]`` In most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (" ``chroot`` "). To do this, you can set ``Entry`` to ``/`` and set ``Target`` to the value the user should see for their home directory when they log in. The following is an ``Entry`` and ``Target`` pair example for ``chroot`` . ``[ { "Entry": "/", "Target": "/bucket_name/home/mydirectory" } ]``
         :param home_directory_type: The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to ``PATH`` , the user will see the absolute Amazon S3 bucket or Amazon EFS path as is in their file transfer protocol clients. If you set it to ``LOGICAL`` , you need to provide mappings in the ``HomeDirectoryMappings`` for how you want to make Amazon S3 or Amazon EFS paths visible to your users. .. epigraph:: If ``HomeDirectoryType`` is ``LOGICAL`` , you must provide mappings, using the ``HomeDirectoryMappings`` parameter. If, on the other hand, ``HomeDirectoryType`` is ``PATH`` , you provide an absolute path using the ``HomeDirectory`` parameter. You cannot have both ``HomeDirectory`` and ``HomeDirectoryMappings`` in your template.
         :param policy: A session policy for your user so you can use the same IAM role across multiple users. This policy restricts user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ``${Transfer:UserName}`` , ``${Transfer:HomeDirectory}`` , and ``${Transfer:HomeBucket}`` . .. epigraph:: For session policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the ``Policy`` argument. For an example of a session policy, see `Example session policy <https://docs.aws.amazon.com/transfer/latest/userguide/session-policy.html>`_ . For more information, see `AssumeRole <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html>`_ in the *AWS Security Token Service API Reference* .
@@ -4406,7 +4406,7 @@ class CfnUserProps:
         :param role: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
         :param server_id: A system-assigned unique identifier for a server instance. This is the specific server that you added your user to.
         :param user_name: A unique string that identifies a user and is associated with a ``ServerId`` . This user name must be a minimum of 3 and a maximum of 100 characters long. The following are valid characters: a-z, A-Z, 0-9, underscore '_', hyphen '-', period '.', and at sign '@'. The user name can't start with a hyphen, period, or at sign.
-        :param home_directory: The landing directory (folder) for a user when they log in to the server using the client. A ``HomeDirectory`` example is ``/bucket_name/home/mydirectory`` . .. epigraph:: The ``HomeDirectory`` parameter is only used if ``HomeDirectoryType`` is set to ``PATH`` .
+        :param home_directory: The landing directory (folder) for a user when they log in to the server using the client. A ``HomeDirectory`` example is ``/bucket_name/home/mydirectory`` . .. epigraph:: You can use the ``HomeDirectory`` parameter for ``HomeDirectoryType`` when it is set to either ``PATH`` or ``LOGICAL`` .
         :param home_directory_mappings: Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the ``Entry`` and ``Target`` pair, where ``Entry`` shows how the path is made visible and ``Target`` is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in ``Target`` . This value can be set only when ``HomeDirectoryType`` is set to *LOGICAL* . The following is an ``Entry`` and ``Target`` pair example. ``[ { "Entry": "/directory1", "Target": "/bucket_name/home/mydirectory" } ]`` In most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (" ``chroot`` "). To do this, you can set ``Entry`` to ``/`` and set ``Target`` to the value the user should see for their home directory when they log in. The following is an ``Entry`` and ``Target`` pair example for ``chroot`` . ``[ { "Entry": "/", "Target": "/bucket_name/home/mydirectory" } ]``
         :param home_directory_type: The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to ``PATH`` , the user will see the absolute Amazon S3 bucket or Amazon EFS path as is in their file transfer protocol clients. If you set it to ``LOGICAL`` , you need to provide mappings in the ``HomeDirectoryMappings`` for how you want to make Amazon S3 or Amazon EFS paths visible to your users. .. epigraph:: If ``HomeDirectoryType`` is ``LOGICAL`` , you must provide mappings, using the ``HomeDirectoryMappings`` parameter. If, on the other hand, ``HomeDirectoryType`` is ``PATH`` , you provide an absolute path using the ``HomeDirectory`` parameter. You cannot have both ``HomeDirectory`` and ``HomeDirectoryMappings`` in your template.
         :param policy: A session policy for your user so you can use the same IAM role across multiple users. This policy restricts user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ``${Transfer:UserName}`` , ``${Transfer:HomeDirectory}`` , and ``${Transfer:HomeBucket}`` . .. epigraph:: For session policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the ``Policy`` argument. For an example of a session policy, see `Example session policy <https://docs.aws.amazon.com/transfer/latest/userguide/session-policy.html>`_ . For more information, see `AssumeRole <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html>`_ in the *AWS Security Token Service API Reference* .
@@ -4528,7 +4528,7 @@ class CfnUserProps:
         A ``HomeDirectory`` example is ``/bucket_name/home/mydirectory`` .
         .. epigraph::
 
-           The ``HomeDirectory`` parameter is only used if ``HomeDirectoryType`` is set to ``PATH`` .
+           You can use the ``HomeDirectory`` parameter for ``HomeDirectoryType`` when it is set to either ``PATH`` or ``LOGICAL`` .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-user.html#cfn-transfer-user-homedirectory
         '''

aws_cdk/aws_verifiedpermissions/__init__.py

@@ -1953,7 +1953,7 @@ class CfnPolicyStore(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param validation_settings: Specifies the validation setting for this policy store. Currently, the only valid and required value is ``Mode`` . .. epigraph:: We recommend that you turn on ``STRICT`` mode only after you define a schema. If a schema doesn't exist, then ``STRICT`` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the `UpdatePolicyStore <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore>`_ . Then, when you have a schema defined, use `UpdatePolicyStore <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore>`_ again to turn validation back on.
-        :param deletion_protection: 
+        :param deletion_protection: Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted. The default state is ``DISABLED`` .
         :param description: Descriptive text that you can provide to help with identification of the current policy store.
         :param schema: Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
         :param tags: The list of key-value pairs to associate with the policy store.
@@ -2054,6 +2054,10 @@ class CfnPolicyStore(
     def deletion_protection(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnPolicyStore.DeletionProtectionProperty"]]:
+        '''Specifies whether the policy store can be deleted.
+
+        If enabled, the policy store can't be deleted.
+        '''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnPolicyStore.DeletionProtectionProperty"]], jsii.get(self, "deletionProtection"))
 
     @deletion_protection.setter
@@ -2117,8 +2121,9 @@ class CfnPolicyStore(
     )
     class DeletionProtectionProperty:
         def __init__(self, *, mode: builtins.str) -> None:
-            '''
-            :param mode: Default: - "DISABLED"
+            '''Specifies whether the policy store can be deleted.
+
+            :param mode: Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted. The default state is ``DISABLED`` . Default: - "DISABLED"
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-policystore-deletionprotection.html
             :exampleMetadata: fixture=_generated
@@ -2142,7 +2147,10 @@ class CfnPolicyStore(
 
         @builtins.property
         def mode(self) -> builtins.str:
-            '''
+            '''Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.
+
+            The default state is ``DISABLED`` .
+
             :default: - "DISABLED"
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-policystore-deletionprotection.html#cfn-verifiedpermissions-policystore-deletionprotection-mode
@@ -2305,7 +2313,7 @@ class CfnPolicyStoreProps:
         '''Properties for defining a ``CfnPolicyStore``.
 
         :param validation_settings: Specifies the validation setting for this policy store. Currently, the only valid and required value is ``Mode`` . .. epigraph:: We recommend that you turn on ``STRICT`` mode only after you define a schema. If a schema doesn't exist, then ``STRICT`` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the `UpdatePolicyStore <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore>`_ . Then, when you have a schema defined, use `UpdatePolicyStore <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore>`_ again to turn validation back on.
-        :param deletion_protection: 
+        :param deletion_protection: Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted. The default state is ``DISABLED`` .
         :param description: Descriptive text that you can provide to help with identification of the current policy store.
         :param schema: Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
         :param tags: The list of key-value pairs to associate with the policy store.
@@ -2378,7 +2386,10 @@ class CfnPolicyStoreProps:
     def deletion_protection(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnPolicyStore.DeletionProtectionProperty]]:
-        '''
+        '''Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.
+
+        The default state is ``DISABLED`` .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-verifiedpermissions-policystore.html#cfn-verifiedpermissions-policystore-deletionprotection
         '''
         result = self._values.get("deletion_protection")

aws_cdk/aws_wafv2/__init__.py

@@ -4377,7 +4377,7 @@ class CfnRuleGroup(
 
                If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all.
 
-            This configuration is used for ``GeoMatchStatement`` and ``RateBasedStatement`` . For ``IPSetReferenceStatement`` , use ``IPSetForwardedIPConfig`` instead.
+            This configuration is used for ``GeoMatchStatement`` , ``AsnMatchStatement`` , and ``RateBasedStatement`` . For ``IPSetReferenceStatement`` , use ``IPSetForwardedIPConfig`` instead.
 
             AWS WAF only evaluates the first IP address found in the specified HTTP header.
 
@@ -11173,6 +11173,7 @@ class CfnWebACL(
         data_protection_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.DataProtectionConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         description: typing.Optional[builtins.str] = None,
         name: typing.Optional[builtins.str] = None,
+        on_source_d_do_s_protection_config: typing.Any = None,
         rules: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.RuleProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         token_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11190,6 +11191,7 @@ class CfnWebACL(
         :param data_protection_config: Specifies data protection to apply to the web request data for the web ACL. This is a web ACL level data protection option. The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including your AWS WAF logging destinations, web ACL request sampling, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging.
         :param description: A description of the web ACL that helps with identification.
         :param name: The name of the web ACL. You cannot change the name of a web ACL after you create it.
+        :param on_source_d_do_s_protection_config: 
         :param rules: The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.
         :param tags: Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource. .. epigraph:: To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation.
         :param token_domains: Specifies the domains that AWS WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting. If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource. With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
@@ -11209,6 +11211,7 @@ class CfnWebACL(
             data_protection_config=data_protection_config,
             description=description,
             name=name,
+            on_source_d_do_s_protection_config=on_source_d_do_s_protection_config,
             rules=rules,
             tags=tags,
             token_domains=token_domains,
@@ -11466,6 +11469,18 @@ class CfnWebACL(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "name", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="onSourceDDoSProtectionConfig")
+    def on_source_d_do_s_protection_config(self) -> typing.Any:
+        return typing.cast(typing.Any, jsii.get(self, "onSourceDDoSProtectionConfig"))
+
+    @on_source_d_do_s_protection_config.setter
+    def on_source_d_do_s_protection_config(self, value: typing.Any) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1180464a1661a74085b880efee37841284ce892adac9d3cda8cb5c117c625ba2)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "onSourceDDoSProtectionConfig", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="rules")
     def rules(
@@ -14282,7 +14297,7 @@ class CfnWebACL(
 
                If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all.
 
-            This configuration is used for ``GeoMatchStatement`` and ``RateBasedStatement`` . For ``IPSetReferenceStatement`` , use ``IPSetForwardedIPConfig`` instead.
+            This configuration is used for ``GeoMatchStatement`` , ``AsnMatchStatement`` , and ``RateBasedStatement`` . For ``IPSetReferenceStatement`` , use ``IPSetForwardedIPConfig`` instead.
 
             AWS WAF only evaluates the first IP address found in the specified HTTP header.
 
@@ -20580,6 +20595,7 @@ class CfnWebACLAssociationProps:
         "data_protection_config": "dataProtectionConfig",
         "description": "description",
         "name": "name",
+        "on_source_d_do_s_protection_config": "onSourceDDoSProtectionConfig",
         "rules": "rules",
         "tags": "tags",
         "token_domains": "tokenDomains",
@@ -20599,6 +20615,7 @@ class CfnWebACLProps:
         data_protection_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.DataProtectionConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         description: typing.Optional[builtins.str] = None,
         name: typing.Optional[builtins.str] = None,
+        on_source_d_do_s_protection_config: typing.Any = None,
         rules: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.RuleProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         token_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -20615,6 +20632,7 @@ class CfnWebACLProps:
         :param data_protection_config: Specifies data protection to apply to the web request data for the web ACL. This is a web ACL level data protection option. The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including your AWS WAF logging destinations, web ACL request sampling, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging.
         :param description: A description of the web ACL that helps with identification.
         :param name: The name of the web ACL. You cannot change the name of a web ACL after you create it.
+        :param on_source_d_do_s_protection_config: 
         :param rules: The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.
         :param tags: Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource. .. epigraph:: To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation.
         :param token_domains: Specifies the domains that AWS WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting. If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource. With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
@@ -20638,6 +20656,7 @@ class CfnWebACLProps:
             check_type(argname="argument data_protection_config", value=data_protection_config, expected_type=type_hints["data_protection_config"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
             check_type(argname="argument name", value=name, expected_type=type_hints["name"])
+            check_type(argname="argument on_source_d_do_s_protection_config", value=on_source_d_do_s_protection_config, expected_type=type_hints["on_source_d_do_s_protection_config"])
             check_type(argname="argument rules", value=rules, expected_type=type_hints["rules"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
             check_type(argname="argument token_domains", value=token_domains, expected_type=type_hints["token_domains"])
@@ -20660,6 +20679,8 @@ class CfnWebACLProps:
             self._values["description"] = description
         if name is not None:
             self._values["name"] = name
+        if on_source_d_do_s_protection_config is not None:
+            self._values["on_source_d_do_s_protection_config"] = on_source_d_do_s_protection_config
         if rules is not None:
             self._values["rules"] = rules
         if tags is not None:
@@ -20804,6 +20825,14 @@ class CfnWebACLProps:
         result = self._values.get("name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def on_source_d_do_s_protection_config(self) -> typing.Any:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html#cfn-wafv2-webacl-onsourceddosprotectionconfig
+        '''
+        result = self._values.get("on_source_d_do_s_protection_config")
+        return typing.cast(typing.Any, result)
+
     @builtins.property
     def rules(
         self,
@@ -21747,6 +21776,7 @@ def _typecheckingstub__03030a65c492e95a1d1ae5ddafd6acbb9efdfa7e18b6367ac7e03eb8f
     data_protection_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.DataProtectionConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     description: typing.Optional[builtins.str] = None,
     name: typing.Optional[builtins.str] = None,
+    on_source_d_do_s_protection_config: typing.Any = None,
     rules: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.RuleProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     token_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -21826,6 +21856,12 @@ def _typecheckingstub__191460374393c7b9829682ab4faa571596cd3c2090e46352a427930a2
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__1180464a1661a74085b880efee37841284ce892adac9d3cda8cb5c117c625ba2(
+    value: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__7e3abb4095a53abe30bca846b48411ffb15b0267398c52a824a8ffba45db4f4c(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnWebACL.RuleProperty]]]],
 ) -> None:
@@ -22584,6 +22620,7 @@ def _typecheckingstub__6e738df983d65d43590c0a02c03e6e0daa3a2097ae335371d22711838
     data_protection_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.DataProtectionConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     description: typing.Optional[builtins.str] = None,
     name: typing.Optional[builtins.str] = None,
+    on_source_d_do_s_protection_config: typing.Any = None,
     rules: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.RuleProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     token_domains: typing.Optional[typing.Sequence[builtins.str]] = None,

{aws_cdk_lib-2.200.1.dist-info → aws_cdk_lib-2.201.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: aws-cdk-lib
-Version: 2.200.1
+Version: 2.201.0
 Summary: Version 2 of the AWS Cloud Development Kit library
 Home-page: https://github.com/aws/aws-cdk
 Author: Amazon Web Services
@@ -22,7 +22,7 @@ License-File: LICENSE
 License-File: NOTICE
 Requires-Dist: aws-cdk.asset-awscli-v1==2.2.237
 Requires-Dist: aws-cdk.asset-node-proxy-agent-v6<3.0.0,>=2.1.0
-Requires-Dist: aws-cdk.cloud-assembly-schema<45.0.0,>=44.1.0
+Requires-Dist: aws-cdk.cloud-assembly-schema<45.0.0,>=44.2.0
 Requires-Dist: constructs<11.0.0,>=10.0.0
 Requires-Dist: jsii<2.0.0,>=1.112.0
 Requires-Dist: publication>=0.0.3