aws-cdk-lib 2.212.0__py3-none-any.whl → 2.214.0__py3-none-any.whl

aws_cdk/aws_lambda/__init__.py

@@ -4066,7 +4066,7 @@ class CfnCodeSigningConfig(
         def __init__(self, *, untrusted_artifact_on_deployment: builtins.str) -> None:
             '''Code signing configuration `policies <https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html#config-codesigning-policies>`_ specify the validation failure action for signature mismatch or expiry.
 
-            :param untrusted_artifact_on_deployment: Code signing configuration policy for deployment validation failure. If you set the policy to ``Enforce`` , Lambda blocks the deployment request if signature validation checks fail. If you set the policy to ``Warn`` , Lambda allows the deployment and creates a CloudWatch log. Default value: ``Warn`` Default: - "Warn"
+            :param untrusted_artifact_on_deployment: Code signing configuration policy for deployment validation failure. If you set the policy to ``Enforce`` , Lambda blocks the deployment request if signature validation checks fail. If you set the policy to ``Warn`` , Lambda allows the deployment and issues a new Amazon CloudWatch metric ( ``SignatureValidationErrors`` ) and also stores the warning in the CloudTrail log. Default value: ``Warn`` Default: - "Warn"
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-codesigningconfig-codesigningpolicies.html
             :exampleMetadata: fixture=_generated
@@ -4092,7 +4092,7 @@ class CfnCodeSigningConfig(
         def untrusted_artifact_on_deployment(self) -> builtins.str:
             '''Code signing configuration policy for deployment validation failure.
 
-            If you set the policy to ``Enforce`` , Lambda blocks the deployment request if signature validation checks fail. If you set the policy to ``Warn`` , Lambda allows the deployment and creates a CloudWatch log.
+            If you set the policy to ``Enforce`` , Lambda blocks the deployment request if signature validation checks fail. If you set the policy to ``Warn`` , Lambda allows the deployment and issues a new Amazon CloudWatch metric ( ``SignatureValidationErrors`` ) and also stores the warning in the CloudTrail log.
 
             Default value: ``Warn``
 
@@ -12005,6 +12005,7 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
         cache_from: typing.Optional[typing.Sequence[typing.Union[_DockerCacheOption_63aeecf2, typing.Dict[builtins.str, typing.Any]]]] = None,
         cache_to: typing.Optional[typing.Union[_DockerCacheOption_63aeecf2, typing.Dict[builtins.str, typing.Any]]] = None,
         file: typing.Optional[builtins.str] = None,
+        network: typing.Optional[builtins.str] = None,
         platform: typing.Optional[builtins.str] = None,
         target_stage: typing.Optional[builtins.str] = None,
     ) -> "AssetCode":
@@ -12021,6 +12022,7 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
         :param cache_from: Cache from options to pass to the ``docker build`` command. Default: - no cache from args are passed
         :param cache_to: Cache to options to pass to the ``docker build`` command. Default: - no cache to args are passed
         :param file: Name of the Dockerfile, must relative to the docker build path. Default: ``Dockerfile``
+        :param network: Docker `Networking options <https://docs.docker.com/reference/cli/docker/buildx/build/#network>`_. Default: - no networking options
         :param platform: Set platform if server is multi-platform capable. *Requires Docker Engine API v1.38+*. Example value: ``linux/amd64`` Default: - no platform specified
         :param target_stage: Set build target for multi-stage container builds. Any stage defined afterwards will be ignored. Example value: ``build-env`` Default: - Build all stages defined in the Dockerfile
         '''
@@ -12035,6 +12037,7 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
             cache_from=cache_from,
             cache_to=cache_to,
             file=file,
+            network=network,
             platform=platform,
             target_stage=target_stage,
         )
@@ -12957,6 +12960,7 @@ class DlqDestinationConfig:
         "cache_from": "cacheFrom",
         "cache_to": "cacheTo",
         "file": "file",
+        "network": "network",
         "platform": "platform",
         "target_stage": "targetStage",
         "image_path": "imagePath",
@@ -12972,6 +12976,7 @@ class DockerBuildAssetOptions(_DockerBuildOptions_8e28be8a):
         cache_from: typing.Optional[typing.Sequence[typing.Union[_DockerCacheOption_63aeecf2, typing.Dict[builtins.str, typing.Any]]]] = None,
         cache_to: typing.Optional[typing.Union[_DockerCacheOption_63aeecf2, typing.Dict[builtins.str, typing.Any]]] = None,
         file: typing.Optional[builtins.str] = None,
+        network: typing.Optional[builtins.str] = None,
         platform: typing.Optional[builtins.str] = None,
         target_stage: typing.Optional[builtins.str] = None,
         image_path: typing.Optional[builtins.str] = None,
@@ -12984,6 +12989,7 @@ class DockerBuildAssetOptions(_DockerBuildOptions_8e28be8a):
         :param cache_from: Cache from options to pass to the ``docker build`` command. Default: - no cache from args are passed
         :param cache_to: Cache to options to pass to the ``docker build`` command. Default: - no cache to args are passed
         :param file: Name of the Dockerfile, must relative to the docker build path. Default: ``Dockerfile``
+        :param network: Docker `Networking options <https://docs.docker.com/reference/cli/docker/buildx/build/#network>`_. Default: - no networking options
         :param platform: Set platform if server is multi-platform capable. *Requires Docker Engine API v1.38+*. Example value: ``linux/amd64`` Default: - no platform specified
         :param target_stage: Set build target for multi-stage container builds. Any stage defined afterwards will be ignored. Example value: ``build-env`` Default: - Build all stages defined in the Dockerfile
         :param image_path: The path in the Docker image where the asset is located after the build operation. Default: /asset
@@ -13020,6 +13026,7 @@ class DockerBuildAssetOptions(_DockerBuildOptions_8e28be8a):
                 ),
                 file="file",
                 image_path="imagePath",
+                network="network",
                 output_path="outputPath",
                 platform="platform",
                 target_stage="targetStage"
@@ -13034,6 +13041,7 @@ class DockerBuildAssetOptions(_DockerBuildOptions_8e28be8a):
             check_type(argname="argument cache_from", value=cache_from, expected_type=type_hints["cache_from"])
             check_type(argname="argument cache_to", value=cache_to, expected_type=type_hints["cache_to"])
             check_type(argname="argument file", value=file, expected_type=type_hints["file"])
+            check_type(argname="argument network", value=network, expected_type=type_hints["network"])
             check_type(argname="argument platform", value=platform, expected_type=type_hints["platform"])
             check_type(argname="argument target_stage", value=target_stage, expected_type=type_hints["target_stage"])
             check_type(argname="argument image_path", value=image_path, expected_type=type_hints["image_path"])
@@ -13049,6 +13057,8 @@ class DockerBuildAssetOptions(_DockerBuildOptions_8e28be8a):
             self._values["cache_to"] = cache_to
         if file is not None:
             self._values["file"] = file
+        if network is not None:
+            self._values["network"] = network
         if platform is not None:
             self._values["platform"] = platform
         if target_stage is not None:
@@ -13103,6 +13113,15 @@ class DockerBuildAssetOptions(_DockerBuildOptions_8e28be8a):
         result = self._values.get("file")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def network(self) -> typing.Optional[builtins.str]:
+        '''Docker `Networking options <https://docs.docker.com/reference/cli/docker/buildx/build/#network>`_.
+
+        :default: - no networking options
+        '''
+        result = self._values.get("network")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def platform(self) -> typing.Optional[builtins.str]:
         '''Set platform if server is multi-platform capable. *Requires Docker Engine API v1.38+*.
@@ -32246,6 +32265,7 @@ def _typecheckingstub__5d398ddff6fb1e58c2dafd59b4cd46de157e95f7c1faf544bd0e4cee3
     cache_from: typing.Optional[typing.Sequence[typing.Union[_DockerCacheOption_63aeecf2, typing.Dict[builtins.str, typing.Any]]]] = None,
     cache_to: typing.Optional[typing.Union[_DockerCacheOption_63aeecf2, typing.Dict[builtins.str, typing.Any]]] = None,
     file: typing.Optional[builtins.str] = None,
+    network: typing.Optional[builtins.str] = None,
     platform: typing.Optional[builtins.str] = None,
     target_stage: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -32358,6 +32378,7 @@ def _typecheckingstub__cbc49d837c4da70ff80dadf559d6f8c32fce03c67b454d4d81e625f4f
     cache_from: typing.Optional[typing.Sequence[typing.Union[_DockerCacheOption_63aeecf2, typing.Dict[builtins.str, typing.Any]]]] = None,
     cache_to: typing.Optional[typing.Union[_DockerCacheOption_63aeecf2, typing.Dict[builtins.str, typing.Any]]] = None,
     file: typing.Optional[builtins.str] = None,
+    network: typing.Optional[builtins.str] = None,
     platform: typing.Optional[builtins.str] = None,
     target_stage: typing.Optional[builtins.str] = None,
     image_path: typing.Optional[builtins.str] = None,

aws_cdk/aws_logs/__init__.py

@@ -1703,9 +1703,10 @@ class CfnDeliveryDestination(
             delivery_destination_name: typing.Optional[builtins.str] = None,
             delivery_destination_policy: typing.Any = None,
         ) -> None:
-            '''
-            :param delivery_destination_name: The name of the delivery destination to assign this policy to.
-            :param delivery_destination_policy: The contents of the policy attached to the delivery destination.
+            '''An IAM policy that grants permissions to CloudWatch Logs to deliver logs cross-account to a specified destination in this account.
+
+            :param delivery_destination_name: A name for an existing destination.
+            :param delivery_destination_policy: Creates or updates an access policy associated with an existing destination. An access policy is an `IAM policy document <https://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html>`_ that is used to authorize claims to register a subscription filter against a given destination.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-logs-deliverydestination-destinationpolicy.html
             :exampleMetadata: fixture=_generated
@@ -1735,7 +1736,7 @@ class CfnDeliveryDestination(
 
         @builtins.property
         def delivery_destination_name(self) -> typing.Optional[builtins.str]:
-            '''The name of the delivery destination to assign this policy to.
+            '''A name for an existing destination.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-logs-deliverydestination-destinationpolicy.html#cfn-logs-deliverydestination-destinationpolicy-deliverydestinationname
             '''
@@ -1744,7 +1745,9 @@ class CfnDeliveryDestination(
 
         @builtins.property
         def delivery_destination_policy(self) -> typing.Any:
-            '''The contents of the policy attached to the delivery destination.
+            '''Creates or updates an access policy associated with an existing destination.
+
+            An access policy is an `IAM policy document <https://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html>`_ that is used to authorize claims to register a subscription filter against a given destination.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-logs-deliverydestination-destinationpolicy.html#cfn-logs-deliverydestination-destinationpolicy-deliverydestinationpolicy
             '''
@@ -3629,13 +3632,13 @@ class CfnLogGroup(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param data_protection_policy: Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks. For more information, including a list of types of data that can be audited and masked, see `Protect sensitive log data with masking <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html>`_ .
+        :param data_protection_policy: Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.
         :param field_index_policies: Creates or updates a *field index policy* for the specified log group. Only log groups in the Standard log class support field index policies. For more information about log classes, see `Log classes <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch_Logs_Log_Classes.html>`_ . You can use field index policies to create *field indexes* on fields found in log events in the log group. Creating field indexes lowers the costs for CloudWatch Logs Insights queries that reference those field indexes, because these queries attempt to skip the processing of log events that are known to not match the indexed field. Good fields to index are fields that you often need to query for and fields that have high cardinality of values Common examples of indexes include request ID, session ID, userID, and instance IDs. For more information, see `Create field indexes to improve query performance and reduce costs <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs-Field-Indexing.html>`_ . Currently, this array supports only one field index policy object.
         :param kms_key_id: The Amazon Resource Name (ARN) of the AWS KMS key to use when encrypting log data. To associate an AWS KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs . This enables CloudWatch Logs to decrypt this data whenever it is requested. If you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an ``InvalidParameterException`` error. Log group data is always encrypted in CloudWatch Logs . If you omit this key, the encryption does not use AWS KMS . For more information, see `Encrypt log data in CloudWatch Logs using AWS Key Management Service <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html>`_
         :param log_group_class: Specifies the log group class for this log group. There are two classes:. - The ``Standard`` log class supports all CloudWatch Logs features. - The ``Infrequent Access`` log class supports a subset of CloudWatch Logs features and incurs lower costs. For details about the features supported by each class, see `Log classes <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch_Logs_Log_Classes.html>`_ Default: - "STANDARD"
         :param log_group_name: The name of the log group. If you don't specify a name, AWS CloudFormation generates a unique ID for the log group.
-        :param resource_policy_document: 
-        :param retention_in_days: The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653. To set a log group so that its log events do not expire, use `DeleteRetentionPolicy <https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html>`_ .
+        :param resource_policy_document: Creates or updates a resource policy for the specified log group that allows other services to put log events to this account. A LogGroup can have 1 resource policy.
+        :param retention_in_days: The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653. To set a log group so that its log events do not expire, do not specify this property.
         :param tags: An array of key-value pairs to apply to the log group. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
         '''
         if __debug__:
@@ -3781,6 +3784,7 @@ class CfnLogGroup(
     @builtins.property
     @jsii.member(jsii_name="resourcePolicyDocument")
     def resource_policy_document(self) -> typing.Any:
+        '''Creates or updates a resource policy for the specified log group that allows other services to put log events to this account.'''
         return typing.cast(typing.Any, jsii.get(self, "resourcePolicyDocument"))
 
     @resource_policy_document.setter
@@ -3846,13 +3850,13 @@ class CfnLogGroupProps:
     ) -> None:
         '''Properties for defining a ``CfnLogGroup``.
 
-        :param data_protection_policy: Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks. For more information, including a list of types of data that can be audited and masked, see `Protect sensitive log data with masking <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html>`_ .
+        :param data_protection_policy: Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.
         :param field_index_policies: Creates or updates a *field index policy* for the specified log group. Only log groups in the Standard log class support field index policies. For more information about log classes, see `Log classes <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch_Logs_Log_Classes.html>`_ . You can use field index policies to create *field indexes* on fields found in log events in the log group. Creating field indexes lowers the costs for CloudWatch Logs Insights queries that reference those field indexes, because these queries attempt to skip the processing of log events that are known to not match the indexed field. Good fields to index are fields that you often need to query for and fields that have high cardinality of values Common examples of indexes include request ID, session ID, userID, and instance IDs. For more information, see `Create field indexes to improve query performance and reduce costs <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs-Field-Indexing.html>`_ . Currently, this array supports only one field index policy object.
         :param kms_key_id: The Amazon Resource Name (ARN) of the AWS KMS key to use when encrypting log data. To associate an AWS KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CloudWatch Logs . This enables CloudWatch Logs to decrypt this data whenever it is requested. If you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an ``InvalidParameterException`` error. Log group data is always encrypted in CloudWatch Logs . If you omit this key, the encryption does not use AWS KMS . For more information, see `Encrypt log data in CloudWatch Logs using AWS Key Management Service <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html>`_
         :param log_group_class: Specifies the log group class for this log group. There are two classes:. - The ``Standard`` log class supports all CloudWatch Logs features. - The ``Infrequent Access`` log class supports a subset of CloudWatch Logs features and incurs lower costs. For details about the features supported by each class, see `Log classes <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch_Logs_Log_Classes.html>`_ Default: - "STANDARD"
         :param log_group_name: The name of the log group. If you don't specify a name, AWS CloudFormation generates a unique ID for the log group.
-        :param resource_policy_document: 
-        :param retention_in_days: The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653. To set a log group so that its log events do not expire, use `DeleteRetentionPolicy <https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html>`_ .
+        :param resource_policy_document: Creates or updates a resource policy for the specified log group that allows other services to put log events to this account. A LogGroup can have 1 resource policy.
+        :param retention_in_days: The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653. To set a log group so that its log events do not expire, do not specify this property.
         :param tags: An array of key-value pairs to apply to the log group. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html
@@ -3916,8 +3920,6 @@ class CfnLogGroupProps:
 
         A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.
 
-        For more information, including a list of types of data that can be audited and masked, see `Protect sensitive log data with masking <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html>`_ .
-
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#cfn-logs-loggroup-dataprotectionpolicy
         '''
         result = self._values.get("data_protection_policy")
@@ -3984,7 +3986,10 @@ class CfnLogGroupProps:
 
     @builtins.property
     def resource_policy_document(self) -> typing.Any:
-        '''
+        '''Creates or updates a resource policy for the specified log group that allows other services to put log events to this account.
+
+        A LogGroup can have 1 resource policy.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#cfn-logs-loggroup-resourcepolicydocument
         '''
         result = self._values.get("resource_policy_document")
@@ -3996,7 +4001,7 @@ class CfnLogGroupProps:
 
         Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.
 
-        To set a log group so that its log events do not expire, use `DeleteRetentionPolicy <https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html>`_ .
+        To set a log group so that its log events do not expire, do not specify this property.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#cfn-logs-loggroup-retentionindays
         '''

aws_cdk/aws_mediapackagev2/__init__.py

@@ -433,7 +433,7 @@ class CfnChannel(
         ) -> None:
             '''The configuration for input switching based on the media quality confidence score (MQCS) as provided from AWS Elemental MediaLive.
 
-            :param mqcs_input_switching: When true, AWS Elemental MediaPackage performs input switching based on the MQCS. Default is true. This setting is valid only when ``InputType`` is ``CMAF`` .
+            :param mqcs_input_switching: When true, AWS Elemental MediaPackage performs input switching based on the MQCS. Default is false. This setting is valid only when ``InputType`` is ``CMAF`` .
             :param preferred_input: For CMAF inputs, indicates which input MediaPackage should prefer when both inputs have equal MQCS scores. Select ``1`` to prefer the first ingest endpoint, or ``2`` to prefer the second ingest endpoint. If you don't specify a preferred input, MediaPackage uses its default switching behavior when MQCS scores are equal.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-mediapackagev2-channel-inputswitchconfiguration.html
@@ -466,7 +466,7 @@ class CfnChannel(
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
             '''When true, AWS Elemental MediaPackage performs input switching based on the MQCS.
 
-            Default is true. This setting is valid only when ``InputType`` is ``CMAF`` .
+            Default is false. This setting is valid only when ``InputType`` is ``CMAF`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-mediapackagev2-channel-inputswitchconfiguration.html#cfn-mediapackagev2-channel-inputswitchconfiguration-mqcsinputswitching
             '''

aws_cdk/aws_networkfirewall/__init__.py

@@ -6048,7 +6048,7 @@ class CfnTLSInspectionConfiguration(
         ) -> None:
             '''When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status.
 
-            If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a ``CertificateAuthorityArn`` in `ServerCertificateConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-servercertificateconfiguration.html>`_ .
+            If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a ``CertificateAuthorityArn`` in `ServerCertificateConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-servercertificateconfiguration.html>`_ .
 
             :param revoked_status_action: Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has a revoked status. - *PASS* - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection. - *DROP* - Network Firewall closes the connection and drops subsequent packets for that connection. - *REJECT* - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. ``REJECT`` is available only for TCP traffic.
             :param unknown_status_action: Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has an unknown status, or a status that cannot be determined for any other reason, including when the service is unable to connect to the OCSP and CRL endpoints for the certificate. - *PASS* - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection. - *DROP* - Network Firewall closes the connection and drops subsequent packets for that connection. - *REJECT* - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. ``REJECT`` is available only for TCP traffic.
@@ -6205,14 +6205,14 @@ class CfnTLSInspectionConfiguration(
             scopes: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTLSInspectionConfiguration.ServerCertificateScopeProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
             server_certificates: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTLSInspectionConfiguration.ServerCertificateProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         ) -> None:
-            '''Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a `TLSInspectionConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html>`_ . You can configure ``ServerCertificates`` for inbound SSL/TLS inspection, a ``CertificateAuthorityArn`` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see `Using SSL/TLS server certficiates with TLS inspection configurations <https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html>`_ in the *AWS Network Firewall Developer Guide* .
+            '''Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a `TLSInspectionConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html>`_ . You can configure ``ServerCertificates`` for inbound SSL/TLS inspection, a ``CertificateAuthorityArn`` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see `Using SSL/TLS server certficiates with TLS inspection configurations <https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html>`_ in the *AWS Network Firewall Developer Guide* .
 
             .. epigraph::
 
-               If a server certificate that's associated with your `TLSInspectionConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html>`_ is revoked, deleted, or expired it can result in client-side TLS errors.
+               If a server certificate that's associated with your `TLSInspectionConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html>`_ is revoked, deleted, or expired it can result in client-side TLS errors.
 
             :param certificate_authority_arn: The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate within AWS Certificate Manager (ACM) to use for outbound SSL/TLS inspection. The following limitations apply: - You can use CA certificates that you imported into ACM, but you can't generate CA certificates with ACM. - You can't use certificates issued by AWS Private Certificate Authority . For more information about configuring certificates for outbound inspection, see `Using SSL/TLS certificates with TLS inspection configurations <https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html>`_ in the *AWS Network Firewall Developer Guide* . For information about working with certificates in ACM, see `Importing certificates <https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html>`_ in the *AWS Certificate Manager User Guide* .
-            :param check_certificate_revocation_status: When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a ``CertificateAuthorityArn`` in `ServerCertificateConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-servercertificateconfiguration.html>`_ .
+            :param check_certificate_revocation_status: When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a ``CertificateAuthorityArn`` in `ServerCertificateConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-servercertificateconfiguration.html>`_ .
             :param scopes: A list of scopes.
             :param server_certificates: The list of server certificates to use for inbound SSL/TLS inspection.
 
@@ -6293,7 +6293,7 @@ class CfnTLSInspectionConfiguration(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTLSInspectionConfiguration.CheckCertificateRevocationStatusProperty"]]:
             '''When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status.
 
-            If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a ``CertificateAuthorityArn`` in `ServerCertificateConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-servercertificateconfiguration.html>`_ .
+            If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a ``CertificateAuthorityArn`` in `ServerCertificateConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-servercertificateconfiguration.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-checkcertificaterevocationstatus
             '''
@@ -6344,7 +6344,7 @@ class CfnTLSInspectionConfiguration(
             *,
             resource_arn: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a `ServerCertificateConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html>`_ . Used in a `TLSInspectionConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html>`_ for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see `Request a public certificate <https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html>`_ or `Importing certificates <https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html>`_ in the *AWS Certificate Manager User Guide* .
+            '''Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a `ServerCertificateConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html>`_ . Used in a `TLSInspectionConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html>`_ for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see `Request a public certificate <https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html>`_ or `Importing certificates <https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html>`_ in the *AWS Certificate Manager User Guide* .
 
             :param resource_arn: The Amazon Resource Name (ARN) of the AWS Certificate Manager SSL/TLS server certificate that's used for inbound SSL/TLS inspection.