aws-cdk-lib 2.218.0__py3-none-any.whl → 2.220.0__py3-none-any.whl

aws_cdk/aws_rds/__init__.py

@@ -3272,6 +3272,12 @@ class AuroraMysqlEngineVersion(
         '''Version "8.0.mysql_aurora.3.10.0".'''
         return typing.cast("AuroraMysqlEngineVersion", jsii.sget(cls, "VER_3_10_0"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_3_10_1")
+    def VER_3_10_1(cls) -> "AuroraMysqlEngineVersion":
+        '''Version "8.0.mysql_aurora.3.10.1".'''
+        return typing.cast("AuroraMysqlEngineVersion", jsii.sget(cls, "VER_3_10_1"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_5_7_12")
     def VER_5_7_12(cls) -> "AuroraMysqlEngineVersion":
@@ -5403,7 +5409,7 @@ class CfnDBClusterProps:
         :param iops: The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for each DB instance in the Multi-AZ DB cluster. For information about valid IOPS values, see `Provisioned IOPS storage <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#USER_PIOPS>`_ in the *Amazon RDS User Guide* . This setting is required to create a Multi-AZ DB cluster. Valid for Cluster Type: Multi-AZ DB clusters only Constraints: - Must be a multiple between .5 and 50 of the storage amount for the DB cluster.
         :param kms_key_id: The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as ``arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef`` . If you enable the ``StorageEncrypted`` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the ``StorageEncrypted`` property to ``true`` . If you specify the ``SnapshotIdentifier`` property, the ``StorageEncrypted`` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified ``KmsKeyId`` property is used. If you create a read replica of an encrypted DB cluster in another AWS Region, make sure to set ``KmsKeyId`` to a KMS key identifier that is valid in the destination AWS Region. This KMS key is used to encrypt the read replica in that AWS Region. Valid for: Aurora DB clusters and Multi-AZ DB clusters
         :param manage_master_user_password: Specifies whether to manage the master user password with AWS Secrets Manager. For more information, see `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html>`_ in the *Amazon RDS User Guide* and `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html>`_ in the *Amazon Aurora User Guide.* Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters Constraints: - Can't manage the master user password with AWS Secrets Manager if ``MasterUserPassword`` is specified.
-        :param master_user_authentication_type: Specifies the authentication type for the master user. With IAM master user authentication, you can configure the master DB user with IAM database authentication when you create a DB cluster. You can specify one of the following values: - ``password`` - Use standard database authentication with a password. - ``iam-db-auth`` - Use IAM database authentication for the master user. Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters This option is only valid for RDS for PostgreSQL and Aurora PostgreSQL engines.
+        :param master_user_authentication_type: Specifies the authentication type for the master user. With IAM master user authentication, you can configure the master DB user with IAM database authentication when you create a DB cluster. You can specify one of the following values: - ``password`` - Use standard database authentication with a password. - ``iam-db-auth`` - Use IAM database authentication for the master user. Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters This option is only valid for RDS for MySQL, RDS for MariaDB, RDS for PostgreSQL, Aurora MySQL, and Aurora PostgreSQL engines.
         :param master_username: The name of the master user for the DB cluster. .. epigraph:: If you specify the ``SourceDBClusterIdentifier`` , ``SnapshotIdentifier`` , or ``GlobalClusterIdentifier`` property, don't specify this property. The value is inherited from the source DB cluster, the snapshot, or the primary DB cluster for the global database cluster, respectively. Valid for: Aurora DB clusters and Multi-AZ DB clusters
         :param master_user_password: The master password for the DB instance. .. epigraph:: If you specify the ``SourceDBClusterIdentifier`` , ``SnapshotIdentifier`` , or ``GlobalClusterIdentifier`` property, don't specify this property. The value is inherited from the source DB cluster, the snapshot, or the primary DB cluster for the global database cluster, respectively. Valid for: Aurora DB clusters and Multi-AZ DB clusters
         :param master_user_secret: The secret managed by RDS in AWS Secrets Manager for the master user password. .. epigraph:: When you restore a DB cluster from a snapshot, Amazon RDS generates a new secret instead of reusing the secret specified in the ``SecretArn`` property. This ensures that the restored DB cluster is securely managed with a dedicated secret. To maintain consistent integration with your application, you might need to update resource configurations to reference the newly created secret. For more information, see `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html>`_ in the *Amazon RDS User Guide* and `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html>`_ in the *Amazon Aurora User Guide.*
@@ -6297,7 +6303,7 @@ class CfnDBClusterProps:
 
         Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters
 
-        This option is only valid for RDS for PostgreSQL and Aurora PostgreSQL engines.
+        This option is only valid for RDS for MySQL, RDS for MariaDB, RDS for PostgreSQL, Aurora MySQL, and Aurora PostgreSQL engines.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-masteruserauthenticationtype
         '''
@@ -7025,7 +7031,7 @@ class CfnDBInstanceProps:
         :param kms_key_id: The ARN of the AWS KMS key that's used to encrypt the DB instance, such as ``arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef`` . If you enable the StorageEncrypted property but don't specify this property, AWS CloudFormation uses the default KMS key. If you specify this property, you must set the StorageEncrypted property to true. If you specify the ``SourceDBInstanceIdentifier`` or ``SourceDbiResourceId`` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified ``KmsKeyId`` property is used. However, if the source DB instance is in a different AWS Region, you must specify a KMS key ID. If you specify the ``SourceDBInstanceAutomatedBackupsArn`` property, don't specify this property. The value is inherited from the source DB instance automated backup, and if the automated backup is encrypted, the specified ``KmsKeyId`` property is used. If you create an encrypted read replica in a different AWS Region, then you must specify a KMS key for the destination AWS Region. KMS encryption keys are specific to the region that they're created in, and you can't use encryption keys from one region in another region. If you specify the ``DBSnapshotIdentifier`` property, don't specify this property. The ``StorageEncrypted`` property value is inherited from the snapshot. If the DB instance is encrypted, the specified ``KmsKeyId`` property is also inherited from the snapshot. If you specify ``DBSecurityGroups`` , AWS CloudFormation ignores this property. To specify both a security group and this property, you must use a VPC security group. For more information about Amazon RDS and VPC, see `Using Amazon RDS with Amazon VPC <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html>`_ in the *Amazon RDS User Guide* . *Amazon Aurora* Not applicable. The KMS key identifier is managed by the DB cluster.
         :param license_model: License model information for this DB instance. Valid Values: - Aurora MySQL - ``general-public-license`` - Aurora PostgreSQL - ``postgresql-license`` - RDS for Db2 - ``bring-your-own-license`` . For more information about RDS for Db2 licensing, see ` <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-licensing.html>`_ in the *Amazon RDS User Guide.* - RDS for MariaDB - ``general-public-license`` - RDS for Microsoft SQL Server - ``license-included`` - RDS for MySQL - ``general-public-license`` - RDS for Oracle - ``bring-your-own-license`` or ``license-included`` - RDS for PostgreSQL - ``postgresql-license`` .. epigraph:: If you've specified ``DBSecurityGroups`` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability.
         :param manage_master_user_password: Specifies whether to manage the master user password with AWS Secrets Manager. For more information, see `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html>`_ in the *Amazon RDS User Guide.* Constraints: - Can't manage the master user password with AWS Secrets Manager if ``MasterUserPassword`` is specified.
-        :param master_user_authentication_type: Specifies the authentication type for the master user. With IAM master user authentication, you can configure the master DB user with IAM database authentication when you create a DB instance. You can specify one of the following values: - ``password`` - Use standard database authentication with a password. - ``iam-db-auth`` - Use IAM database authentication for the master user. This option is only valid for RDS for PostgreSQL and Aurora PostgreSQL engines.
+        :param master_user_authentication_type: Specifies the authentication type for the master user. With IAM master user authentication, you can configure the master DB user with IAM database authentication when you create a DB instance. You can specify one of the following values: - ``password`` - Use standard database authentication with a password. - ``iam-db-auth`` - Use IAM database authentication for the master user. This option is only valid for RDS for MySQL, RDS for MariaDB, RDS for PostgreSQL, Aurora MySQL, and Aurora PostgreSQL engines.
         :param master_username: The master user name for the DB instance. .. epigraph:: If you specify the ``SourceDBInstanceIdentifier`` or ``DBSnapshotIdentifier`` property, don't specify this property. The value is inherited from the source DB instance or snapshot. When migrating a self-managed Db2 database, we recommend that you use the same master username as your self-managed Db2 instance name. *Amazon Aurora* Not applicable. The name for the master user is managed by the DB cluster. *RDS for Db2* Constraints: - Must be 1 to 16 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine. *RDS for MariaDB* Constraints: - Must be 1 to 16 letters or numbers. - Can't be a reserved word for the chosen database engine. *RDS for Microsoft SQL Server* Constraints: - Must be 1 to 128 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine. *RDS for MySQL* Constraints: - Must be 1 to 16 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine. *RDS for Oracle* Constraints: - Must be 1 to 30 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine. *RDS for PostgreSQL* Constraints: - Must be 1 to 63 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine.
         :param master_user_password: The password for the master user. The password can include any printable ASCII character except "/", """, or "@". *Amazon Aurora* Not applicable. The password for the master user is managed by the DB cluster. *RDS for Db2* Must contain from 8 to 255 characters. *RDS for MariaDB* Constraints: Must contain from 8 to 41 characters. *RDS for Microsoft SQL Server* Constraints: Must contain from 8 to 128 characters. *RDS for MySQL* Constraints: Must contain from 8 to 41 characters. *RDS for Oracle* Constraints: Must contain from 8 to 30 characters. *RDS for PostgreSQL* Constraints: Must contain from 8 to 128 characters.
         :param master_user_secret: The secret managed by RDS in AWS Secrets Manager for the master user password. For more information, see `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html>`_ in the *Amazon RDS User Guide.*
@@ -8385,7 +8391,7 @@ class CfnDBInstanceProps:
         - ``password`` - Use standard database authentication with a password.
         - ``iam-db-auth`` - Use IAM database authentication for the master user.
 
-        This option is only valid for RDS for PostgreSQL and Aurora PostgreSQL engines.
+        This option is only valid for RDS for MySQL, RDS for MariaDB, RDS for PostgreSQL, Aurora MySQL, and Aurora PostgreSQL engines.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-masteruserauthenticationtype
         '''
@@ -9243,7 +9249,7 @@ class CfnDBProxyEndpointProps:
         :param db_proxy_endpoint_name: The name of the DB proxy endpoint to create.
         :param db_proxy_name: The name of the DB proxy associated with the DB proxy endpoint that you create.
         :param vpc_subnet_ids: The VPC subnet IDs for the DB proxy endpoint that you create. You can specify a different set of subnet IDs than for the original DB proxy.
-        :param endpoint_network_type: The network type of the DB proxy endpoint. The network type determines the IP version that the proxy endpoint supports.
+        :param endpoint_network_type: The network type of the DB proxy endpoint. The network type determines the IP version that the proxy endpoint supports. Valid values: - ``IPV4`` - The proxy endpoint supports IPv4 only. - ``IPV6`` - The proxy endpoint supports IPv6 only. - ``DUAL`` - The proxy endpoint supports both IPv4 and IPv6.
         :param tags: An optional set of key-value pairs to associate arbitrary data of your choosing with the proxy.
         :param target_role: A value that indicates whether the DB proxy endpoint can be used for read/write or read-only operations.
         :param vpc_security_group_ids: The VPC security group IDs for the DB proxy endpoint that you create. You can specify a different set of security group IDs than for the original DB proxy. The default is the default security group for the VPC.
@@ -9333,6 +9339,12 @@ class CfnDBProxyEndpointProps:
 
         The network type determines the IP version that the proxy endpoint supports.
 
+        Valid values:
+
+        - ``IPV4`` - The proxy endpoint supports IPv4 only.
+        - ``IPV6`` - The proxy endpoint supports IPv6 only.
+        - ``DUAL`` - The proxy endpoint supports both IPv4 and IPv6.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxyendpoint.html#cfn-rds-dbproxyendpoint-endpointnetworktype
         '''
         result = self._values.get("endpoint_network_type")
@@ -9426,12 +9438,12 @@ class CfnDBProxyProps:
         :param vpc_subnet_ids: One or more VPC subnet IDs to associate with the new proxy.
         :param auth: The authorization mechanism that the proxy uses.
         :param debug_logging: Specifies whether the proxy logs detailed connection and query information. When you enable ``DebugLogging`` , the proxy captures connection details and connection pool behavior from your queries. Debug logging increases CloudWatch costs and can impact proxy performance. Enable this option only when you need to troubleshoot connection or performance issues.
-        :param default_auth_scheme: The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database.
-        :param endpoint_network_type: The network type of the DB proxy endpoint. The network type determines the IP version that the proxy endpoint supports.
+        :param default_auth_scheme: The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are ``NONE`` and ``IAM_AUTH`` . When set to ``IAM_AUTH`` , the proxy uses end-to-end IAM authentication to connect to the database.
+        :param endpoint_network_type: The network type of the DB proxy endpoint. The network type determines the IP version that the proxy endpoint supports. Valid values: - ``IPV4`` - The proxy endpoint supports IPv4 only. - ``IPV6`` - The proxy endpoint supports IPv6 only. - ``DUAL`` - The proxy endpoint supports both IPv4 and IPv6.
         :param idle_client_timeout: The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database.
         :param require_tls: Specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.
         :param tags: An optional set of key-value pairs to associate arbitrary data of your choosing with the proxy.
-        :param target_connection_network_type: The network type that the proxy uses to connect to the target database. The network type determines the IP version that the proxy uses for connections to the database.
+        :param target_connection_network_type: The network type that the proxy uses to connect to the target database. The network type determines the IP version that the proxy uses for connections to the database. Valid values: - ``IPV4`` - The proxy connects to the database using IPv4 only. - ``IPV6`` - The proxy connects to the database using IPv6 only.
         :param vpc_security_group_ids: One or more VPC security group IDs to associate with the new proxy. If you plan to update the resource, don't specify VPC security groups in a shared VPC.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxy.html
@@ -9582,6 +9594,8 @@ class CfnDBProxyProps:
     def default_auth_scheme(self) -> typing.Optional[builtins.str]:
         '''The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database.
 
+        Valid values are ``NONE`` and ``IAM_AUTH`` . When set to ``IAM_AUTH`` , the proxy uses end-to-end IAM authentication to connect to the database.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxy.html#cfn-rds-dbproxy-defaultauthscheme
         '''
         result = self._values.get("default_auth_scheme")
@@ -9593,6 +9607,12 @@ class CfnDBProxyProps:
 
         The network type determines the IP version that the proxy endpoint supports.
 
+        Valid values:
+
+        - ``IPV4`` - The proxy endpoint supports IPv4 only.
+        - ``IPV6`` - The proxy endpoint supports IPv6 only.
+        - ``DUAL`` - The proxy endpoint supports both IPv4 and IPv6.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxy.html#cfn-rds-dbproxy-endpointnetworktype
         '''
         result = self._values.get("endpoint_network_type")
@@ -9637,6 +9657,11 @@ class CfnDBProxyProps:
 
         The network type determines the IP version that the proxy uses for connections to the database.
 
+        Valid values:
+
+        - ``IPV4`` - The proxy connects to the database using IPv4 only.
+        - ``IPV6`` - The proxy connects to the database using IPv6 only.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxy.html#cfn-rds-dbproxy-targetconnectionnetworktype
         '''
         result = self._values.get("target_connection_network_type")
@@ -16990,7 +17015,7 @@ class DatabaseInstanceNewProps:
         :param s3_import_role: Role that will be associated with this DB instance to enable S3 import. This feature is only supported by the Microsoft SQL Server, Oracle, and PostgreSQL engines. This property must not be used if ``s3ImportBuckets`` is used. For Microsoft SQL Server: Default: - New role is created if ``s3ImportBuckets`` is set, no role is defined otherwise
         :param security_groups: The security groups to assign to the DB instance. Default: - a new security group is created
         :param storage_throughput: The storage throughput, specified in mebibytes per second (MiBps). Only applicable for GP3. Default: - 125 MiBps if allocated storage is less than 400 GiB for MariaDB, MySQL, and PostgreSQL, less than 200 GiB for Oracle and less than 20 GiB for SQL Server. 500 MiBps otherwise (except for SQL Server where the default is always 125 MiBps).
-        :param storage_type: The storage type. Storage types supported are gp2, io1, standard. Default: GP2
+        :param storage_type: The storage type to associate with the DB instance. Storage types supported are gp2, gp3, io1, io2, and standard. Default: StorageType.GP2
         :param subnet_group: Existing subnet group for the instance. Default: - a new subnet group will be created.
         :param vpc_subnets: The type of subnets to add to the created DB subnet group. Default: - private subnets
 
@@ -17698,11 +17723,11 @@ class DatabaseInstanceNewProps:
 
     @builtins.property
     def storage_type(self) -> typing.Optional["StorageType"]:
-        '''The storage type.
+        '''The storage type to associate with the DB instance.
 
-        Storage types supported are gp2, io1, standard.
+        Storage types supported are gp2, gp3, io1, io2, and standard.
 
-        :default: GP2
+        :default: StorageType.GP2
 
         :see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#Concepts.Storage.GeneralSSD
         '''
@@ -17891,7 +17916,7 @@ class DatabaseInstanceReadReplicaProps(DatabaseInstanceNewProps):
         :param s3_import_role: Role that will be associated with this DB instance to enable S3 import. This feature is only supported by the Microsoft SQL Server, Oracle, and PostgreSQL engines. This property must not be used if ``s3ImportBuckets`` is used. For Microsoft SQL Server: Default: - New role is created if ``s3ImportBuckets`` is set, no role is defined otherwise
         :param security_groups: The security groups to assign to the DB instance. Default: - a new security group is created
         :param storage_throughput: The storage throughput, specified in mebibytes per second (MiBps). Only applicable for GP3. Default: - 125 MiBps if allocated storage is less than 400 GiB for MariaDB, MySQL, and PostgreSQL, less than 200 GiB for Oracle and less than 20 GiB for SQL Server. 500 MiBps otherwise (except for SQL Server where the default is always 125 MiBps).
-        :param storage_type: The storage type. Storage types supported are gp2, io1, standard. Default: GP2
+        :param storage_type: The storage type to associate with the DB instance. Storage types supported are gp2, gp3, io1, io2, and standard. Default: StorageType.GP2
         :param subnet_group: Existing subnet group for the instance. Default: - a new subnet group will be created.
         :param vpc_subnets: The type of subnets to add to the created DB subnet group. Default: - private subnets
         :param instance_type: The name of the compute and memory capacity classes.
@@ -18552,11 +18577,11 @@ class DatabaseInstanceReadReplicaProps(DatabaseInstanceNewProps):
 
     @builtins.property
     def storage_type(self) -> typing.Optional["StorageType"]:
-        '''The storage type.
+        '''The storage type to associate with the DB instance.
 
-        Storage types supported are gp2, io1, standard.
+        Storage types supported are gp2, gp3, io1, io2, and standard.
 
-        :default: GP2
+        :default: StorageType.GP2
 
         :see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#Concepts.Storage.GeneralSSD
         '''
@@ -18796,7 +18821,7 @@ class DatabaseInstanceSourceProps(DatabaseInstanceNewProps):
         :param s3_import_role: Role that will be associated with this DB instance to enable S3 import. This feature is only supported by the Microsoft SQL Server, Oracle, and PostgreSQL engines. This property must not be used if ``s3ImportBuckets`` is used. For Microsoft SQL Server: Default: - New role is created if ``s3ImportBuckets`` is set, no role is defined otherwise
         :param security_groups: The security groups to assign to the DB instance. Default: - a new security group is created
         :param storage_throughput: The storage throughput, specified in mebibytes per second (MiBps). Only applicable for GP3. Default: - 125 MiBps if allocated storage is less than 400 GiB for MariaDB, MySQL, and PostgreSQL, less than 200 GiB for Oracle and less than 20 GiB for SQL Server. 500 MiBps otherwise (except for SQL Server where the default is always 125 MiBps).
-        :param storage_type: The storage type. Storage types supported are gp2, io1, standard. Default: GP2
+        :param storage_type: The storage type to associate with the DB instance. Storage types supported are gp2, gp3, io1, io2, and standard. Default: StorageType.GP2
         :param subnet_group: Existing subnet group for the instance. Default: - a new subnet group will be created.
         :param vpc_subnets: The type of subnets to add to the created DB subnet group. Default: - private subnets
         :param engine: The database engine.
@@ -19547,11 +19572,11 @@ class DatabaseInstanceSourceProps(DatabaseInstanceNewProps):
 
     @builtins.property
     def storage_type(self) -> typing.Optional["StorageType"]:
-        '''The storage type.
+        '''The storage type to associate with the DB instance.
 
-        Storage types supported are gp2, io1, standard.
+        Storage types supported are gp2, gp3, io1, io2, and standard.
 
-        :default: GP2
+        :default: StorageType.GP2
 
         :see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#Concepts.Storage.GeneralSSD
         '''
@@ -36962,7 +36987,7 @@ class CfnDBCluster(
         :param iops: The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for each DB instance in the Multi-AZ DB cluster. For information about valid IOPS values, see `Provisioned IOPS storage <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#USER_PIOPS>`_ in the *Amazon RDS User Guide* . This setting is required to create a Multi-AZ DB cluster. Valid for Cluster Type: Multi-AZ DB clusters only Constraints: - Must be a multiple between .5 and 50 of the storage amount for the DB cluster.
         :param kms_key_id: The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as ``arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef`` . If you enable the ``StorageEncrypted`` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the ``StorageEncrypted`` property to ``true`` . If you specify the ``SnapshotIdentifier`` property, the ``StorageEncrypted`` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified ``KmsKeyId`` property is used. If you create a read replica of an encrypted DB cluster in another AWS Region, make sure to set ``KmsKeyId`` to a KMS key identifier that is valid in the destination AWS Region. This KMS key is used to encrypt the read replica in that AWS Region. Valid for: Aurora DB clusters and Multi-AZ DB clusters
         :param manage_master_user_password: Specifies whether to manage the master user password with AWS Secrets Manager. For more information, see `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html>`_ in the *Amazon RDS User Guide* and `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html>`_ in the *Amazon Aurora User Guide.* Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters Constraints: - Can't manage the master user password with AWS Secrets Manager if ``MasterUserPassword`` is specified.
-        :param master_user_authentication_type: Specifies the authentication type for the master user. With IAM master user authentication, you can configure the master DB user with IAM database authentication when you create a DB cluster. You can specify one of the following values: - ``password`` - Use standard database authentication with a password. - ``iam-db-auth`` - Use IAM database authentication for the master user. Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters This option is only valid for RDS for PostgreSQL and Aurora PostgreSQL engines.
+        :param master_user_authentication_type: Specifies the authentication type for the master user. With IAM master user authentication, you can configure the master DB user with IAM database authentication when you create a DB cluster. You can specify one of the following values: - ``password`` - Use standard database authentication with a password. - ``iam-db-auth`` - Use IAM database authentication for the master user. Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters This option is only valid for RDS for MySQL, RDS for MariaDB, RDS for PostgreSQL, Aurora MySQL, and Aurora PostgreSQL engines.
         :param master_username: The name of the master user for the DB cluster. .. epigraph:: If you specify the ``SourceDBClusterIdentifier`` , ``SnapshotIdentifier`` , or ``GlobalClusterIdentifier`` property, don't specify this property. The value is inherited from the source DB cluster, the snapshot, or the primary DB cluster for the global database cluster, respectively. Valid for: Aurora DB clusters and Multi-AZ DB clusters
         :param master_user_password: The master password for the DB instance. .. epigraph:: If you specify the ``SourceDBClusterIdentifier`` , ``SnapshotIdentifier`` , or ``GlobalClusterIdentifier`` property, don't specify this property. The value is inherited from the source DB cluster, the snapshot, or the primary DB cluster for the global database cluster, respectively. Valid for: Aurora DB clusters and Multi-AZ DB clusters
         :param master_user_secret: The secret managed by RDS in AWS Secrets Manager for the master user password. .. epigraph:: When you restore a DB cluster from a snapshot, Amazon RDS generates a new secret instead of reusing the secret specified in the ``SecretArn`` property. This ensures that the restored DB cluster is securely managed with a dedicated secret. To maintain consistent integration with your application, you might need to update resource configurations to reference the newly created secret. For more information, see `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html>`_ in the *Amazon RDS User Guide* and `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html>`_ in the *Amazon Aurora User Guide.*
@@ -39105,7 +39130,7 @@ class CfnDBInstance(
         :param kms_key_id: The ARN of the AWS KMS key that's used to encrypt the DB instance, such as ``arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef`` . If you enable the StorageEncrypted property but don't specify this property, AWS CloudFormation uses the default KMS key. If you specify this property, you must set the StorageEncrypted property to true. If you specify the ``SourceDBInstanceIdentifier`` or ``SourceDbiResourceId`` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified ``KmsKeyId`` property is used. However, if the source DB instance is in a different AWS Region, you must specify a KMS key ID. If you specify the ``SourceDBInstanceAutomatedBackupsArn`` property, don't specify this property. The value is inherited from the source DB instance automated backup, and if the automated backup is encrypted, the specified ``KmsKeyId`` property is used. If you create an encrypted read replica in a different AWS Region, then you must specify a KMS key for the destination AWS Region. KMS encryption keys are specific to the region that they're created in, and you can't use encryption keys from one region in another region. If you specify the ``DBSnapshotIdentifier`` property, don't specify this property. The ``StorageEncrypted`` property value is inherited from the snapshot. If the DB instance is encrypted, the specified ``KmsKeyId`` property is also inherited from the snapshot. If you specify ``DBSecurityGroups`` , AWS CloudFormation ignores this property. To specify both a security group and this property, you must use a VPC security group. For more information about Amazon RDS and VPC, see `Using Amazon RDS with Amazon VPC <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html>`_ in the *Amazon RDS User Guide* . *Amazon Aurora* Not applicable. The KMS key identifier is managed by the DB cluster.
         :param license_model: License model information for this DB instance. Valid Values: - Aurora MySQL - ``general-public-license`` - Aurora PostgreSQL - ``postgresql-license`` - RDS for Db2 - ``bring-your-own-license`` . For more information about RDS for Db2 licensing, see ` <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-licensing.html>`_ in the *Amazon RDS User Guide.* - RDS for MariaDB - ``general-public-license`` - RDS for Microsoft SQL Server - ``license-included`` - RDS for MySQL - ``general-public-license`` - RDS for Oracle - ``bring-your-own-license`` or ``license-included`` - RDS for PostgreSQL - ``postgresql-license`` .. epigraph:: If you've specified ``DBSecurityGroups`` and then you update the license model, AWS CloudFormation replaces the underlying DB instance. This will incur some interruptions to database availability.
         :param manage_master_user_password: Specifies whether to manage the master user password with AWS Secrets Manager. For more information, see `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html>`_ in the *Amazon RDS User Guide.* Constraints: - Can't manage the master user password with AWS Secrets Manager if ``MasterUserPassword`` is specified.
-        :param master_user_authentication_type: Specifies the authentication type for the master user. With IAM master user authentication, you can configure the master DB user with IAM database authentication when you create a DB instance. You can specify one of the following values: - ``password`` - Use standard database authentication with a password. - ``iam-db-auth`` - Use IAM database authentication for the master user. This option is only valid for RDS for PostgreSQL and Aurora PostgreSQL engines.
+        :param master_user_authentication_type: Specifies the authentication type for the master user. With IAM master user authentication, you can configure the master DB user with IAM database authentication when you create a DB instance. You can specify one of the following values: - ``password`` - Use standard database authentication with a password. - ``iam-db-auth`` - Use IAM database authentication for the master user. This option is only valid for RDS for MySQL, RDS for MariaDB, RDS for PostgreSQL, Aurora MySQL, and Aurora PostgreSQL engines.
         :param master_username: The master user name for the DB instance. .. epigraph:: If you specify the ``SourceDBInstanceIdentifier`` or ``DBSnapshotIdentifier`` property, don't specify this property. The value is inherited from the source DB instance or snapshot. When migrating a self-managed Db2 database, we recommend that you use the same master username as your self-managed Db2 instance name. *Amazon Aurora* Not applicable. The name for the master user is managed by the DB cluster. *RDS for Db2* Constraints: - Must be 1 to 16 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine. *RDS for MariaDB* Constraints: - Must be 1 to 16 letters or numbers. - Can't be a reserved word for the chosen database engine. *RDS for Microsoft SQL Server* Constraints: - Must be 1 to 128 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine. *RDS for MySQL* Constraints: - Must be 1 to 16 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine. *RDS for Oracle* Constraints: - Must be 1 to 30 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine. *RDS for PostgreSQL* Constraints: - Must be 1 to 63 letters or numbers. - First character must be a letter. - Can't be a reserved word for the chosen database engine.
         :param master_user_password: The password for the master user. The password can include any printable ASCII character except "/", """, or "@". *Amazon Aurora* Not applicable. The password for the master user is managed by the DB cluster. *RDS for Db2* Must contain from 8 to 255 characters. *RDS for MariaDB* Constraints: Must contain from 8 to 41 characters. *RDS for Microsoft SQL Server* Constraints: Must contain from 8 to 128 characters. *RDS for MySQL* Constraints: Must contain from 8 to 41 characters. *RDS for Oracle* Constraints: Must contain from 8 to 30 characters. *RDS for PostgreSQL* Constraints: Must contain from 8 to 128 characters.
         :param master_user_secret: The secret managed by RDS in AWS Secrets Manager for the master user password. For more information, see `Password management with AWS Secrets Manager <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html>`_ in the *Amazon RDS User Guide.*
@@ -41553,12 +41578,12 @@ class CfnDBProxy(
         :param vpc_subnet_ids: One or more VPC subnet IDs to associate with the new proxy.
         :param auth: The authorization mechanism that the proxy uses.
         :param debug_logging: Specifies whether the proxy logs detailed connection and query information. When you enable ``DebugLogging`` , the proxy captures connection details and connection pool behavior from your queries. Debug logging increases CloudWatch costs and can impact proxy performance. Enable this option only when you need to troubleshoot connection or performance issues.
-        :param default_auth_scheme: The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database.
-        :param endpoint_network_type: The network type of the DB proxy endpoint. The network type determines the IP version that the proxy endpoint supports.
+        :param default_auth_scheme: The default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are ``NONE`` and ``IAM_AUTH`` . When set to ``IAM_AUTH`` , the proxy uses end-to-end IAM authentication to connect to the database.
+        :param endpoint_network_type: The network type of the DB proxy endpoint. The network type determines the IP version that the proxy endpoint supports. Valid values: - ``IPV4`` - The proxy endpoint supports IPv4 only. - ``IPV6`` - The proxy endpoint supports IPv6 only. - ``DUAL`` - The proxy endpoint supports both IPv4 and IPv6.
         :param idle_client_timeout: The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database.
         :param require_tls: Specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.
         :param tags: An optional set of key-value pairs to associate arbitrary data of your choosing with the proxy.
-        :param target_connection_network_type: The network type that the proxy uses to connect to the target database. The network type determines the IP version that the proxy uses for connections to the database.
+        :param target_connection_network_type: The network type that the proxy uses to connect to the target database. The network type determines the IP version that the proxy uses for connections to the database. Valid values: - ``IPV4`` - The proxy connects to the database using IPv4 only. - ``IPV6`` - The proxy connects to the database using IPv6 only.
         :param vpc_security_group_ids: One or more VPC security group IDs to associate with the new proxy. If you plan to update the resource, don't specify VPC security groups in a shared VPC.
         '''
         if __debug__:
@@ -42111,7 +42136,7 @@ class CfnDBProxyEndpoint(
         :param db_proxy_endpoint_name: The name of the DB proxy endpoint to create.
         :param db_proxy_name: The name of the DB proxy associated with the DB proxy endpoint that you create.
         :param vpc_subnet_ids: The VPC subnet IDs for the DB proxy endpoint that you create. You can specify a different set of subnet IDs than for the original DB proxy.
-        :param endpoint_network_type: The network type of the DB proxy endpoint. The network type determines the IP version that the proxy endpoint supports.
+        :param endpoint_network_type: The network type of the DB proxy endpoint. The network type determines the IP version that the proxy endpoint supports. Valid values: - ``IPV4`` - The proxy endpoint supports IPv4 only. - ``IPV6`` - The proxy endpoint supports IPv6 only. - ``DUAL`` - The proxy endpoint supports both IPv4 and IPv6.
         :param tags: An optional set of key-value pairs to associate arbitrary data of your choosing with the proxy.
         :param target_role: A value that indicates whether the DB proxy endpoint can be used for read/write or read-only operations.
         :param vpc_security_group_ids: The VPC security group IDs for the DB proxy endpoint that you create. You can specify a different set of security group IDs than for the original DB proxy. The default is the default security group for the VPC.
@@ -47695,7 +47720,7 @@ class DatabaseInstanceFromSnapshot(
         :param s3_import_role: Role that will be associated with this DB instance to enable S3 import. This feature is only supported by the Microsoft SQL Server, Oracle, and PostgreSQL engines. This property must not be used if ``s3ImportBuckets`` is used. For Microsoft SQL Server: Default: - New role is created if ``s3ImportBuckets`` is set, no role is defined otherwise
         :param security_groups: The security groups to assign to the DB instance. Default: - a new security group is created
         :param storage_throughput: The storage throughput, specified in mebibytes per second (MiBps). Only applicable for GP3. Default: - 125 MiBps if allocated storage is less than 400 GiB for MariaDB, MySQL, and PostgreSQL, less than 200 GiB for Oracle and less than 20 GiB for SQL Server. 500 MiBps otherwise (except for SQL Server where the default is always 125 MiBps).
-        :param storage_type: The storage type. Storage types supported are gp2, io1, standard. Default: GP2
+        :param storage_type: The storage type to associate with the DB instance. Storage types supported are gp2, gp3, io1, io2, and standard. Default: StorageType.GP2
         :param subnet_group: Existing subnet group for the instance. Default: - a new subnet group will be created.
         :param vpc_subnets: The type of subnets to add to the created DB subnet group. Default: - private subnets
         '''
@@ -48129,7 +48154,7 @@ class DatabaseInstanceFromSnapshotProps(DatabaseInstanceSourceProps):
         :param s3_import_role: Role that will be associated with this DB instance to enable S3 import. This feature is only supported by the Microsoft SQL Server, Oracle, and PostgreSQL engines. This property must not be used if ``s3ImportBuckets`` is used. For Microsoft SQL Server: Default: - New role is created if ``s3ImportBuckets`` is set, no role is defined otherwise
         :param security_groups: The security groups to assign to the DB instance. Default: - a new security group is created
         :param storage_throughput: The storage throughput, specified in mebibytes per second (MiBps). Only applicable for GP3. Default: - 125 MiBps if allocated storage is less than 400 GiB for MariaDB, MySQL, and PostgreSQL, less than 200 GiB for Oracle and less than 20 GiB for SQL Server. 500 MiBps otherwise (except for SQL Server where the default is always 125 MiBps).
-        :param storage_type: The storage type. Storage types supported are gp2, io1, standard. Default: GP2
+        :param storage_type: The storage type to associate with the DB instance. Storage types supported are gp2, gp3, io1, io2, and standard. Default: StorageType.GP2
         :param subnet_group: Existing subnet group for the instance. Default: - a new subnet group will be created.
         :param vpc_subnets: The type of subnets to add to the created DB subnet group. Default: - private subnets
         :param engine: The database engine.
@@ -48814,11 +48839,11 @@ class DatabaseInstanceFromSnapshotProps(DatabaseInstanceSourceProps):
 
     @builtins.property
     def storage_type(self) -> typing.Optional[StorageType]:
-        '''The storage type.
+        '''The storage type to associate with the DB instance.
 
-        Storage types supported are gp2, io1, standard.
+        Storage types supported are gp2, gp3, io1, io2, and standard.
 
-        :default: GP2
+        :default: StorageType.GP2
 
         :see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#Concepts.Storage.GeneralSSD
         '''
@@ -49144,7 +49169,7 @@ class DatabaseInstanceProps(DatabaseInstanceSourceProps):
         :param s3_import_role: Role that will be associated with this DB instance to enable S3 import. This feature is only supported by the Microsoft SQL Server, Oracle, and PostgreSQL engines. This property must not be used if ``s3ImportBuckets`` is used. For Microsoft SQL Server: Default: - New role is created if ``s3ImportBuckets`` is set, no role is defined otherwise
         :param security_groups: The security groups to assign to the DB instance. Default: - a new security group is created
         :param storage_throughput: The storage throughput, specified in mebibytes per second (MiBps). Only applicable for GP3. Default: - 125 MiBps if allocated storage is less than 400 GiB for MariaDB, MySQL, and PostgreSQL, less than 200 GiB for Oracle and less than 20 GiB for SQL Server. 500 MiBps otherwise (except for SQL Server where the default is always 125 MiBps).
-        :param storage_type: The storage type. Storage types supported are gp2, io1, standard. Default: GP2
+        :param storage_type: The storage type to associate with the DB instance. Storage types supported are gp2, gp3, io1, io2, and standard. Default: StorageType.GP2
         :param subnet_group: Existing subnet group for the instance. Default: - a new subnet group will be created.
         :param vpc_subnets: The type of subnets to add to the created DB subnet group. Default: - private subnets
         :param engine: The database engine.
@@ -49835,11 +49860,11 @@ class DatabaseInstanceProps(DatabaseInstanceSourceProps):
 
     @builtins.property
     def storage_type(self) -> typing.Optional[StorageType]:
-        '''The storage type.
+        '''The storage type to associate with the DB instance.
 
-        Storage types supported are gp2, io1, standard.
+        Storage types supported are gp2, gp3, io1, io2, and standard.
 
-        :default: GP2
+        :default: StorageType.GP2
 
         :see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#Concepts.Storage.GeneralSSD
         '''
@@ -50122,7 +50147,7 @@ class DatabaseInstanceReadReplica(
         :param s3_import_role: Role that will be associated with this DB instance to enable S3 import. This feature is only supported by the Microsoft SQL Server, Oracle, and PostgreSQL engines. This property must not be used if ``s3ImportBuckets`` is used. For Microsoft SQL Server: Default: - New role is created if ``s3ImportBuckets`` is set, no role is defined otherwise
         :param security_groups: The security groups to assign to the DB instance. Default: - a new security group is created
         :param storage_throughput: The storage throughput, specified in mebibytes per second (MiBps). Only applicable for GP3. Default: - 125 MiBps if allocated storage is less than 400 GiB for MariaDB, MySQL, and PostgreSQL, less than 200 GiB for Oracle and less than 20 GiB for SQL Server. 500 MiBps otherwise (except for SQL Server where the default is always 125 MiBps).
-        :param storage_type: The storage type. Storage types supported are gp2, io1, standard. Default: GP2
+        :param storage_type: The storage type to associate with the DB instance. Storage types supported are gp2, gp3, io1, io2, and standard. Default: StorageType.GP2
         :param subnet_group: Existing subnet group for the instance. Default: - a new subnet group will be created.
         :param vpc_subnets: The type of subnets to add to the created DB subnet group. Default: - private subnets
         '''
@@ -51588,7 +51613,7 @@ class DatabaseInstance(
         :param s3_import_role: Role that will be associated with this DB instance to enable S3 import. This feature is only supported by the Microsoft SQL Server, Oracle, and PostgreSQL engines. This property must not be used if ``s3ImportBuckets`` is used. For Microsoft SQL Server: Default: - New role is created if ``s3ImportBuckets`` is set, no role is defined otherwise
         :param security_groups: The security groups to assign to the DB instance. Default: - a new security group is created
         :param storage_throughput: The storage throughput, specified in mebibytes per second (MiBps). Only applicable for GP3. Default: - 125 MiBps if allocated storage is less than 400 GiB for MariaDB, MySQL, and PostgreSQL, less than 200 GiB for Oracle and less than 20 GiB for SQL Server. 500 MiBps otherwise (except for SQL Server where the default is always 125 MiBps).
-        :param storage_type: The storage type. Storage types supported are gp2, io1, standard. Default: GP2
+        :param storage_type: The storage type to associate with the DB instance. Storage types supported are gp2, gp3, io1, io2, and standard. Default: StorageType.GP2
         :param subnet_group: Existing subnet group for the instance. Default: - a new subnet group will be created.
         :param vpc_subnets: The type of subnets to add to the created DB subnet group. Default: - private subnets
         '''

aws_cdk/aws_refactorspaces/__init__.py

@@ -1207,9 +1207,13 @@ class CfnApplication(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_refactorspaces.CfnApplication",
 ):
-    '''Creates an AWS Migration Hub Refactor Spaces application.
+    '''.. epigraph::
 
-    The account that owns the environment also owns the applications created inside the environment, regardless of the account that creates the application. Refactor Spaces provisions an Amazon API Gateway, API Gateway VPC link, and Network Load Balancer for the application proxy inside your account.
+   AWS Migration Hub will no longer be open to new customers starting November 7, 2025.
+
+    To continue using the service, sign up prior to November 7, 2025. For capabilities similar to AWS Migration Hub , explore `AWS Migration Hub <https://docs.aws.amazon.com/https://aws.amazon.com/transform>`_ .
+
+    Creates an AWS Migration Hub Refactor Spaces application. The account that owns the environment also owns the applications created inside the environment, regardless of the account that creates the application. Refactor Spaces provisions an Amazon API Gateway, API Gateway VPC link, and Network Load Balancer for the application proxy inside your account.
 
     In environments created with a `CreateEnvironment:NetworkFabricType <https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType>`_ of ``NONE`` you need to configure `VPC to VPC connectivity <https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html>`_ between your service VPC and the application proxy VPC to route traffic through the application proxy to a service with a private URL endpoint. For more information, see `Create an application <https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/getting-started-create-application.html>`_ in the *Refactor Spaces User Guide* .
 
@@ -1565,9 +1569,13 @@ class CfnEnvironment(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_refactorspaces.CfnEnvironment",
 ):
-    '''Creates an AWS Migration Hub Refactor Spaces environment.
+    '''.. epigraph::
+
+   AWS Migration Hub will no longer be open to new customers starting November 7, 2025.
 
-    The caller owns the environment resource, and all Refactor Spaces applications, services, and routes created within the environment. They are referred to as the *environment owner* . The environment owner has cross-account visibility and control of Refactor Spaces resources that are added to the environment by other accounts that the environment is shared with.
+    To continue using the service, sign up prior to November 7, 2025. For capabilities similar to AWS Migration Hub , explore `AWS Migration Hub <https://docs.aws.amazon.com/https://aws.amazon.com/transform>`_ .
+
+    Creates an AWS Migration Hub Refactor Spaces environment. The caller owns the environment resource, and all Refactor Spaces applications, services, and routes created within the environment. They are referred to as the *environment owner* . The environment owner has cross-account visibility and control of Refactor Spaces resources that are added to the environment by other accounts that the environment is shared with.
 
     When creating an environment with a `CreateEnvironment:NetworkFabricType <https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType>`_ of ``TRANSIT_GATEWAY`` , Refactor Spaces provisions a transit gateway to enable services in VPCs to communicate directly across accounts. If `CreateEnvironment:NetworkFabricType <https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType>`_ is ``NONE`` , Refactor Spaces does not create a transit gateway and you must use your network infrastructure to route traffic to services with private URL endpoints.
 
@@ -2235,9 +2243,13 @@ class CfnService(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_refactorspaces.CfnService",
 ):
-    '''Creates an AWS Migration Hub Refactor Spaces service.
+    '''.. epigraph::
+
+   AWS Migration Hub will no longer be open to new customers starting November 7, 2025.
+
+    To continue using the service, sign up prior to November 7, 2025. For capabilities similar to AWS Migration Hub , explore `AWS Migration Hub <https://docs.aws.amazon.com/https://aws.amazon.com/transform>`_ .
 
-    The account owner of the service is always the environment owner, regardless of which account in the environment creates the service. Services have either a URL endpoint in a virtual private cloud (VPC), or a Lambda function endpoint.
+    Creates an AWS Migration Hub Refactor Spaces service. The account owner of the service is always the environment owner, regardless of which account in the environment creates the service. Services have either a URL endpoint in a virtual private cloud (VPC), or a Lambda function endpoint.
     .. epigraph::
 
        If an AWS resource is launched in a service VPC, and you want it to be accessible to all of an environment’s services with VPCs and routes, apply the ``RefactorSpacesSecurityGroup`` to the resource. Alternatively, to add more cross-account constraints, apply your own security group.