aws-cdk-lib 2.202.0__py3-none-any.whl → 2.203.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -1396,6 +1396,19 @@ endpoint.add_route("Route",
 
 Use the `connections` object of the endpoint to allow traffic to other security groups.
 
+To enable [client route enforcement](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html), configure the `clientRouteEnforcementOptions.enforced` prop to `true`:
+
+```python
+endpoint = vpc.add_client_vpn_endpoint("Endpoint",
+    cidr="10.100.0.0/16",
+    server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
+    client_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
+    client_route_enforcement_options=ec2.ClientRouteEnforcementOptions(
+        enforced=True
+    )
+)
+```
+
 ## Instances
 
 You can use the `Instance` class to start up a single EC2 instance. For production setups, we recommend
@@ -41004,9 +41017,7 @@ class CfnNetworkInterfacePermission(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_ec2.CfnNetworkInterfacePermission",
 ):
-    '''Specifies a permission for an Amazon EC2 network interface.
-
-    For example, you can grant an AWS authorized partner account permission to attach the specified network interface to an instance in their account.
+    '''Specifies a permission for the network interface, For example, you can grant an AWS -authorized account permission to attach the network interface to an instance in their account.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterfacepermission.html
     :cloudformationResource: AWS::EC2::NetworkInterfacePermission
@@ -53087,8 +53098,9 @@ class CfnSubnet(
             *,
             internet_gateway_block_mode: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''
-            :param internet_gateway_block_mode: The mode of VPC BPA. Options here are off, block-bidirectional, block-ingress
+            '''The state of VPC Block Public Access (BPA).
+
+            :param internet_gateway_block_mode: The mode of VPC BPA. - ``off`` : VPC BPA is not enabled and traffic is allowed to and from internet gateways and egress-only internet gateways in this Region. - ``block-bidirectional`` : Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets). - ``block-ingress`` : Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-subnet-blockpublicaccessstates.html
             :exampleMetadata: fixture=_generated
@@ -53114,7 +53126,9 @@ class CfnSubnet(
         def internet_gateway_block_mode(self) -> typing.Optional[builtins.str]:
             '''The mode of VPC BPA.
 
-            Options here are off, block-bidirectional, block-ingress
+            - ``off`` : VPC BPA is not enabled and traffic is allowed to and from internet gateways and egress-only internet gateways in this Region.
+            - ``block-bidirectional`` : Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets).
+            - ``block-ingress`` : Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-subnet-blockpublicaccessstates.html#cfn-ec2-subnet-blockpublicaccessstates-internetgatewayblockmode
             '''
@@ -54354,7 +54368,8 @@ class CfnTrafficMirrorFilter(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The ID of a traffic mirror filter.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -54646,6 +54661,15 @@ class CfnTrafficMirrorFilterRule(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrTrafficMirrorFilterRuleId")
+    def attr_traffic_mirror_filter_rule_id(self) -> builtins.str:
+        '''The ID of the Traffic Mirror Filter rule.
+
+        :cloudformationAttribute: TrafficMirrorFilterRuleId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrTrafficMirrorFilterRuleId"))
+
     @builtins.property
     @jsii.member(jsii_name="cdkTagManager")
     def cdk_tag_manager(self) -> _TagManager_0a598cb3:
@@ -71494,6 +71518,59 @@ class CfnVolumeProps:
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ec2.ClientRouteEnforcementOptions",
+    jsii_struct_bases=[],
+    name_mapping={"enforced": "enforced"},
+)
+class ClientRouteEnforcementOptions:
+    def __init__(self, *, enforced: builtins.bool) -> None:
+        '''Options for Client Route Enforcement.
+
+        :param enforced: Enable or disable Client Route Enforcement. The state can either be true (enabled) or false (disabled).
+
+        :exampleMetadata: fixture=client-vpn infused
+
+        Example::
+
+            endpoint = vpc.add_client_vpn_endpoint("Endpoint",
+                cidr="10.100.0.0/16",
+                server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
+                client_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
+                client_route_enforcement_options=ec2.ClientRouteEnforcementOptions(
+                    enforced=True
+                )
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ff75a2d8f5c6dd9dde18d6e1933265e0d20a4b21489fde8d4735778facaad902)
+            check_type(argname="argument enforced", value=enforced, expected_type=type_hints["enforced"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "enforced": enforced,
+        }
+
+    @builtins.property
+    def enforced(self) -> builtins.bool:
+        '''Enable or disable Client Route Enforcement.
+
+        The state can either be true (enabled) or false (disabled).
+        '''
+        result = self._values.get("enforced")
+        assert result is not None, "Required property 'enforced' is missing"
+        return typing.cast(builtins.bool, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "ClientRouteEnforcementOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 class ClientVpnAuthorizationRule(
     _Resource_45bc6135,
     metaclass=jsii.JSIIMeta,
@@ -71828,6 +71905,7 @@ class ClientVpnEndpointAttributes:
         "client_certificate_arn": "clientCertificateArn",
         "client_connection_handler": "clientConnectionHandler",
         "client_login_banner": "clientLoginBanner",
+        "client_route_enforcement_options": "clientRouteEnforcementOptions",
         "description": "description",
         "dns_servers": "dnsServers",
         "logging": "logging",
@@ -71853,6 +71931,7 @@ class ClientVpnEndpointOptions:
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional["IClientVpnConnectionHandler"] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -71875,6 +71954,7 @@ class ClientVpnEndpointOptions:
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -71905,6 +71985,8 @@ class ClientVpnEndpointOptions:
                 group_id="group-id"
             )
         '''
+        if isinstance(client_route_enforcement_options, dict):
+            client_route_enforcement_options = ClientRouteEnforcementOptions(**client_route_enforcement_options)
         if isinstance(vpc_subnets, dict):
             vpc_subnets = SubnetSelection(**vpc_subnets)
         if __debug__:
@@ -71915,6 +71997,7 @@ class ClientVpnEndpointOptions:
             check_type(argname="argument client_certificate_arn", value=client_certificate_arn, expected_type=type_hints["client_certificate_arn"])
             check_type(argname="argument client_connection_handler", value=client_connection_handler, expected_type=type_hints["client_connection_handler"])
             check_type(argname="argument client_login_banner", value=client_login_banner, expected_type=type_hints["client_login_banner"])
+            check_type(argname="argument client_route_enforcement_options", value=client_route_enforcement_options, expected_type=type_hints["client_route_enforcement_options"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
             check_type(argname="argument logging", value=logging, expected_type=type_hints["logging"])
@@ -71940,6 +72023,8 @@ class ClientVpnEndpointOptions:
             self._values["client_connection_handler"] = client_connection_handler
         if client_login_banner is not None:
             self._values["client_login_banner"] = client_login_banner
+        if client_route_enforcement_options is not None:
+            self._values["client_route_enforcement_options"] = client_route_enforcement_options
         if description is not None:
             self._values["description"] = description
         if dns_servers is not None:
@@ -72037,6 +72122,22 @@ class ClientVpnEndpointOptions:
         result = self._values.get("client_login_banner")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def client_route_enforcement_options(
+        self,
+    ) -> typing.Optional[ClientRouteEnforcementOptions]:
+        '''Options for Client Route Enforcement.
+
+        Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN.
+        This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.
+
+        :default: undefined - AWS Client VPN default setting is disable client route enforcement
+
+        :see: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html
+        '''
+        result = self._values.get("client_route_enforcement_options")
+        return typing.cast(typing.Optional[ClientRouteEnforcementOptions], result)
+
     @builtins.property
     def description(self) -> typing.Optional[builtins.str]:
         '''A brief description of the Client VPN endpoint.
@@ -72184,6 +72285,7 @@ class ClientVpnEndpointOptions:
         "client_certificate_arn": "clientCertificateArn",
         "client_connection_handler": "clientConnectionHandler",
         "client_login_banner": "clientLoginBanner",
+        "client_route_enforcement_options": "clientRouteEnforcementOptions",
         "description": "description",
         "dns_servers": "dnsServers",
         "logging": "logging",
@@ -72210,6 +72312,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional["IClientVpnConnectionHandler"] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -72233,6 +72336,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -72276,6 +72380,9 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
                 client_certificate_arn="clientCertificateArn",
                 client_connection_handler=client_vpn_connection_handler,
                 client_login_banner="clientLoginBanner",
+                client_route_enforcement_options=ec2.ClientRouteEnforcementOptions(
+                    enforced=False
+                ),
                 description="description",
                 dns_servers=["dnsServers"],
                 logging=False,
@@ -72298,6 +72405,8 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
                 )
             )
         '''
+        if isinstance(client_route_enforcement_options, dict):
+            client_route_enforcement_options = ClientRouteEnforcementOptions(**client_route_enforcement_options)
         if isinstance(vpc_subnets, dict):
             vpc_subnets = SubnetSelection(**vpc_subnets)
         if __debug__:
@@ -72308,6 +72417,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
             check_type(argname="argument client_certificate_arn", value=client_certificate_arn, expected_type=type_hints["client_certificate_arn"])
             check_type(argname="argument client_connection_handler", value=client_connection_handler, expected_type=type_hints["client_connection_handler"])
             check_type(argname="argument client_login_banner", value=client_login_banner, expected_type=type_hints["client_login_banner"])
+            check_type(argname="argument client_route_enforcement_options", value=client_route_enforcement_options, expected_type=type_hints["client_route_enforcement_options"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
             check_type(argname="argument logging", value=logging, expected_type=type_hints["logging"])
@@ -72335,6 +72445,8 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
             self._values["client_connection_handler"] = client_connection_handler
         if client_login_banner is not None:
             self._values["client_login_banner"] = client_login_banner
+        if client_route_enforcement_options is not None:
+            self._values["client_route_enforcement_options"] = client_route_enforcement_options
         if description is not None:
             self._values["description"] = description
         if dns_servers is not None:
@@ -72432,6 +72544,22 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
         result = self._values.get("client_login_banner")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def client_route_enforcement_options(
+        self,
+    ) -> typing.Optional[ClientRouteEnforcementOptions]:
+        '''Options for Client Route Enforcement.
+
+        Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN.
+        This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.
+
+        :default: undefined - AWS Client VPN default setting is disable client route enforcement
+
+        :see: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html
+        '''
+        result = self._values.get("client_route_enforcement_options")
+        return typing.cast(typing.Optional[ClientRouteEnforcementOptions], result)
+
     @builtins.property
     def description(self) -> typing.Optional[builtins.str]:
         '''A brief description of the Client VPN endpoint.
@@ -77085,6 +77213,7 @@ class IVpc(_IResource_c80c4260, typing_extensions.Protocol):
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -77108,6 +77237,7 @@ class IVpc(_IResource_c80c4260, typing_extensions.Protocol):
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -77331,6 +77461,7 @@ class _IVpcProxy(
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -77354,6 +77485,7 @@ class _IVpcProxy(
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -77378,6 +77510,7 @@ class _IVpcProxy(
             client_certificate_arn=client_certificate_arn,
             client_connection_handler=client_connection_handler,
             client_login_banner=client_login_banner,
+            client_route_enforcement_options=client_route_enforcement_options,
             description=description,
             dns_servers=dns_servers,
             logging=logging,
@@ -95057,6 +95190,7 @@ class Vpc(
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -95080,6 +95214,7 @@ class Vpc(
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -95104,6 +95239,7 @@ class Vpc(
             client_certificate_arn=client_certificate_arn,
             client_connection_handler=client_connection_handler,
             client_login_banner=client_login_banner,
+            client_route_enforcement_options=client_route_enforcement_options,
             description=description,
             dns_servers=dns_servers,
             logging=logging,
@@ -103607,6 +103743,7 @@ class ClientVpnEndpoint(
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -103631,6 +103768,7 @@ class ClientVpnEndpoint(
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -103657,6 +103795,7 @@ class ClientVpnEndpoint(
             client_certificate_arn=client_certificate_arn,
             client_connection_handler=client_connection_handler,
             client_login_banner=client_login_banner,
+            client_route_enforcement_options=client_route_enforcement_options,
             description=description,
             dns_servers=dns_servers,
             logging=logging,
@@ -104142,6 +104281,7 @@ __all__ = [
     "CfnVolumeAttachment",
     "CfnVolumeAttachmentProps",
     "CfnVolumeProps",
+    "ClientRouteEnforcementOptions",
     "ClientVpnAuthorizationRule",
     "ClientVpnAuthorizationRuleOptions",
     "ClientVpnAuthorizationRuleProps",
@@ -114316,6 +114456,13 @@ def _typecheckingstub__df1f84bfc2d41a9f2d283d6a706150686c01c8f45a742c92af54cbee7
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__ff75a2d8f5c6dd9dde18d6e1933265e0d20a4b21489fde8d4735778facaad902(
+    *,
+    enforced: builtins.bool,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__6f8556471b9878ffc0a31155bd24890dd137dc2f25f5faa23ec8adbfb35154db(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -114363,6 +114510,7 @@ def _typecheckingstub__73f8593e2e6199f8ae542cff4cbe02f0be09fd9043b8072cbb652d5b0
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
@@ -114388,6 +114536,7 @@ def _typecheckingstub__8e89ba9082e1bc80500c526e8522c5a90e2a91bd17d985f5932611e0b
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
@@ -114821,6 +114970,7 @@ def _typecheckingstub__19cdaa7bec0f733a863944b2be6c76392b1e518714158a913370b8de7
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
@@ -116704,6 +116854,7 @@ def _typecheckingstub__04f8b7e933af74b695401b45c9c6b308e4684ecde3cb9a2a1e358a336
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
@@ -117575,6 +117726,7 @@ def _typecheckingstub__9a2422e1dfabadbd7f572317ed37670a87714b6f36fe9da2a01f1e26e
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,

aws_cdk/aws_ecr/__init__.py

@@ -2667,7 +2667,7 @@ class CfnRepositoryCreationTemplate(
         :param custom_role_arn: The ARN of the role to be assumed by Amazon ECR. Amazon ECR will assume your supplied role when the customRoleArn is specified. When this field isn't specified, Amazon ECR will use the service-linked role for the repository creation template.
         :param description: The description associated with the repository creation template.
         :param encryption_configuration: The encryption configuration associated with the repository creation template.
-        :param image_tag_mutability: The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.
+        :param image_tag_mutability: The tag mutability setting for the repository. If this parameter is omitted, the default setting of ``MUTABLE`` will be used which will allow image tags to be overwritten. If ``IMMUTABLE`` is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.
         :param lifecycle_policy: The lifecycle policy to use for repositories created using the template.
         :param repository_policy: The repository policy to apply to repositories created using the template. A repository policy is a permissions policy associated with a repository to control access permissions.
         :param resource_tags: The metadata to apply to the repository to help you categorize and organize. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.
@@ -2994,7 +2994,7 @@ class CfnRepositoryCreationTemplateProps:
         :param custom_role_arn: The ARN of the role to be assumed by Amazon ECR. Amazon ECR will assume your supplied role when the customRoleArn is specified. When this field isn't specified, Amazon ECR will use the service-linked role for the repository creation template.
         :param description: The description associated with the repository creation template.
         :param encryption_configuration: The encryption configuration associated with the repository creation template.
-        :param image_tag_mutability: The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.
+        :param image_tag_mutability: The tag mutability setting for the repository. If this parameter is omitted, the default setting of ``MUTABLE`` will be used which will allow image tags to be overwritten. If ``IMMUTABLE`` is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.
         :param lifecycle_policy: The lifecycle policy to use for repositories created using the template.
         :param repository_policy: The repository policy to apply to repositories created using the template. A repository policy is a permissions policy associated with a repository to control access permissions.
         :param resource_tags: The metadata to apply to the repository to help you categorize and organize. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.
@@ -3117,7 +3117,7 @@ class CfnRepositoryCreationTemplateProps:
     def image_tag_mutability(self) -> typing.Optional[builtins.str]:
         '''The tag mutability setting for the repository.
 
-        If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.
+        If this parameter is omitted, the default setting of ``MUTABLE`` will be used which will allow image tags to be overwritten. If ``IMMUTABLE`` is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repositorycreationtemplate.html#cfn-ecr-repositorycreationtemplate-imagetagmutability
         '''