aws-cdk-lib 2.219.0__py3-none-any.whl → 2.221.0__py3-none-any.whl

aws_cdk/aws_kinesisvideo/__init__.py

@@ -780,27 +780,6 @@ class CfnStream(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
-    @jsii.member(jsii_name="fromStreamArn")
-    @builtins.classmethod
-    def from_stream_arn(
-        cls,
-        scope: _constructs_77d1e7e8.Construct,
-        id: builtins.str,
-        arn: builtins.str,
-    ) -> IStreamRef:
-        '''Creates a new IStreamRef from an ARN.
-
-        :param scope: -
-        :param id: -
-        :param arn: -
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__fe0f44c811e2d2cc90117554fb9deac330b94d4acd5a32161f8a4592bdd478e7)
-            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
-            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-            check_type(argname="argument arn", value=arn, expected_type=type_hints["arn"])
-        return typing.cast(IStreamRef, jsii.sinvoke(cls, "fromStreamArn", [scope, id, arn]))
-
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -1049,14 +1028,6 @@ def _typecheckingstub__9ec46ef966c55301f1d7f90935a5a7340c3d7ee98963234b59d16d191
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__fe0f44c811e2d2cc90117554fb9deac330b94d4acd5a32161f8a4592bdd478e7(
-    scope: _constructs_77d1e7e8.Construct,
-    id: builtins.str,
-    arn: builtins.str,
-) -> None:
-    """Type checking stubs"""
-    pass
-
 def _typecheckingstub__9cce8d8f4e1ffc1f91558eea316dc5656b61eced6fd4e5ed8f9c5d2aedaeb00f(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -1104,3 +1075,6 @@ def _typecheckingstub__916b61187a1fea0754be9981eeeb345ba75e61b6417bbde10d8246657
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [ISignalingChannelRef, IStreamRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_kms/__init__.py

@@ -4532,3 +4532,6 @@ def _typecheckingstub__889887809ebfcb10b086b9443331082b607fe1c8b476e14ebc4925835
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IAlias, IAliasRef, IKey, IKeyRef, IReplicaKeyRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_lakeformation/__init__.py

@@ -7160,3 +7160,6 @@ def _typecheckingstub__dbfafd4ff73d1cb58139774825c816ddf21d5913087c696e01ca730ed
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IDataCellsFilterRef, IDataLakeSettingsRef, IPermissionsRef, IPrincipalPermissionsRef, IResourceRef, ITagAssociationRef, ITagRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_lambda/__init__.py

@@ -661,6 +661,17 @@ CfnOutput(self, "TheUrl",
 )
 ```
 
+### Important Function URL Permission Update - Oct 2025
+
+Starting Oct 2025, Function URL invocation will require two permissions
+
+* lambda:InvokeFunctionUrl
+* lambda:InvokeFunction (New)
+
+CDK has updated `grantInvokeUrl` and `addFunctionUrl` to add both permission above.
+
+If your existing CDK stack uses `grantInvokeUrl` or `addFunctionUrl`, your next deployment will automatically add the `lambda:InvokeFunction` permission without requiring any code changes. This ensures your Function URLs continue working seamlessly. No additional actions are needed.
+
 ### CORS configuration for Function URLs
 
 If you want your Function URLs to be invokable from a web page in browser, you
@@ -5343,8 +5354,8 @@ class CfnPermissionProps:
         :param function_name: The name or ARN of the Lambda function, version, or alias. **Name formats** - *Function name* – ``my-function`` (name-only), ``my-function:v1`` (with alias). - *Function ARN* – ``arn:aws:lambda:us-west-2:123456789012:function:my-function`` . - *Partial ARN* – ``123456789012:function:my-function`` . You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
         :param principal: The AWS service , AWS account , IAM user, or IAM role that invokes the function. If you specify a service, use ``SourceArn`` or ``SourceAccount`` to limit who can invoke the function through that service.
         :param event_source_token: For Alexa Smart Home functions, a token that the invoker must supply.
-        :param function_url_auth_type: The type of authentication that your function URL uses. Set to ``AWS_IAM`` if you want to restrict access to authenticated users only. Set to ``NONE`` if you want to bypass IAM authentication to create a public endpoint. For more information, see `Security and auth model for Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
-        :param invoked_via_function_url: 
+        :param function_url_auth_type: The type of authentication that your function URL uses. Set to ``AWS_IAM`` if you want to restrict access to authenticated users only. Set to ``NONE`` if you want to bypass IAM authentication to create a public endpoint. For more information, see `Control access to Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
+        :param invoked_via_function_url: Restricts the ``lambda:InvokeFunction`` action to function URL calls. When set to ``true`` , this prevents the principal from invoking the function by any means other than the function URL. For more information, see `Control access to Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
         :param principal_org_id: The identifier for your organization in AWS Organizations . Use this to grant permissions to all the AWS accounts under this organization.
         :param source_account: For AWS service , the ID of the AWS account that owns the resource. Use this together with ``SourceArn`` to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
         :param source_arn: For AWS services , the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic. Note that Lambda configures the comparison using the ``StringLike`` operator.
@@ -5455,7 +5466,7 @@ class CfnPermissionProps:
     def function_url_auth_type(self) -> typing.Optional[builtins.str]:
         '''The type of authentication that your function URL uses.
 
-        Set to ``AWS_IAM`` if you want to restrict access to authenticated users only. Set to ``NONE`` if you want to bypass IAM authentication to create a public endpoint. For more information, see `Security and auth model for Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
+        Set to ``AWS_IAM`` if you want to restrict access to authenticated users only. Set to ``NONE`` if you want to bypass IAM authentication to create a public endpoint. For more information, see `Control access to Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html#cfn-lambda-permission-functionurlauthtype
         '''
@@ -5466,7 +5477,10 @@ class CfnPermissionProps:
     def invoked_via_function_url(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''
+        '''Restricts the ``lambda:InvokeFunction`` action to function URL calls.
+
+        When set to ``true`` , this prevents the principal from invoking the function by any means other than the function URL. For more information, see `Control access to Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html#cfn-lambda-permission-invokedviafunctionurl
         '''
         result = self._values.get("invoked_via_function_url")
@@ -15337,6 +15351,7 @@ class ParamsAndSecretsVersions(enum.Enum):
         "action": "action",
         "event_source_token": "eventSourceToken",
         "function_url_auth_type": "functionUrlAuthType",
+        "invoked_via_function_url": "invokedViaFunctionUrl",
         "organization_id": "organizationId",
         "scope": "scope",
         "source_account": "sourceAccount",
@@ -15351,6 +15366,7 @@ class Permission:
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -15362,6 +15378,7 @@ class Permission:
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -15389,6 +15406,7 @@ class Permission:
             check_type(argname="argument action", value=action, expected_type=type_hints["action"])
             check_type(argname="argument event_source_token", value=event_source_token, expected_type=type_hints["event_source_token"])
             check_type(argname="argument function_url_auth_type", value=function_url_auth_type, expected_type=type_hints["function_url_auth_type"])
+            check_type(argname="argument invoked_via_function_url", value=invoked_via_function_url, expected_type=type_hints["invoked_via_function_url"])
             check_type(argname="argument organization_id", value=organization_id, expected_type=type_hints["organization_id"])
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument source_account", value=source_account, expected_type=type_hints["source_account"])
@@ -15402,6 +15420,8 @@ class Permission:
             self._values["event_source_token"] = event_source_token
         if function_url_auth_type is not None:
             self._values["function_url_auth_type"] = function_url_auth_type
+        if invoked_via_function_url is not None:
+            self._values["invoked_via_function_url"] = invoked_via_function_url
         if organization_id is not None:
             self._values["organization_id"] = organization_id
         if scope is not None:
@@ -15463,6 +15483,17 @@ class Permission:
         result = self._values.get("function_url_auth_type")
         return typing.cast(typing.Optional[FunctionUrlAuthType], result)
 
+    @builtins.property
+    def invoked_via_function_url(self) -> typing.Optional[builtins.bool]:
+        '''The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only.
+
+        When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs.
+
+        :default: - false
+        '''
+        result = self._values.get("invoked_via_function_url")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def organization_id(self) -> typing.Optional[builtins.str]:
         '''The organization you want to grant permissions to.
@@ -24700,7 +24731,7 @@ class CfnPermission(
 
     To grant permission to another account, specify the account ID as the ``Principal`` . To grant permission to an organization defined in AWS Organizations , specify the organization ID as the ``PrincipalOrgID`` . For AWS services, the principal is a domain-style identifier defined by the service, like ``s3.amazonaws.com`` or ``sns.amazonaws.com`` . For AWS services, you can also specify the ARN of the associated resource as the ``SourceArn`` . If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.
 
-    If your function has a function URL, you can specify the ``FunctionUrlAuthType`` parameter. This adds a condition to your permission that only applies when your function URL's ``AuthType`` matches the specified ``FunctionUrlAuthType`` . For more information about the ``AuthType`` parameter, see `Security and auth model for Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
+    If your function has a function URL, you can specify the ``FunctionUrlAuthType`` parameter. This adds a condition to your permission that only applies when your function URL's ``AuthType`` matches the specified ``FunctionUrlAuthType`` . For more information about the ``AuthType`` parameter, see `Control access to Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
 
     This resource adds a statement to a resource-based permission policy for the function. For more information about function policies, see `Lambda Function Policies <https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html>`_ .
 
@@ -24751,8 +24782,8 @@ class CfnPermission(
         :param function_name: The name or ARN of the Lambda function, version, or alias. **Name formats** - *Function name* – ``my-function`` (name-only), ``my-function:v1`` (with alias). - *Function ARN* – ``arn:aws:lambda:us-west-2:123456789012:function:my-function`` . - *Partial ARN* – ``123456789012:function:my-function`` . You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
         :param principal: The AWS service , AWS account , IAM user, or IAM role that invokes the function. If you specify a service, use ``SourceArn`` or ``SourceAccount`` to limit who can invoke the function through that service.
         :param event_source_token: For Alexa Smart Home functions, a token that the invoker must supply.
-        :param function_url_auth_type: The type of authentication that your function URL uses. Set to ``AWS_IAM`` if you want to restrict access to authenticated users only. Set to ``NONE`` if you want to bypass IAM authentication to create a public endpoint. For more information, see `Security and auth model for Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
-        :param invoked_via_function_url: 
+        :param function_url_auth_type: The type of authentication that your function URL uses. Set to ``AWS_IAM`` if you want to restrict access to authenticated users only. Set to ``NONE`` if you want to bypass IAM authentication to create a public endpoint. For more information, see `Control access to Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
+        :param invoked_via_function_url: Restricts the ``lambda:InvokeFunction`` action to function URL calls. When set to ``true`` , this prevents the principal from invoking the function by any means other than the function URL. For more information, see `Control access to Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
         :param principal_org_id: The identifier for your organization in AWS Organizations . Use this to grant permissions to all the AWS accounts under this organization.
         :param source_account: For AWS service , the ID of the AWS account that owns the resource. Use this together with ``SourceArn`` to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
         :param source_arn: For AWS services , the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic. Note that Lambda configures the comparison using the ``StringLike`` operator.
@@ -24894,6 +24925,7 @@ class CfnPermission(
     def invoked_via_function_url(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Restricts the ``lambda:InvokeFunction`` action to function URL calls.'''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "invokedViaFunctionUrl"))
 
     @invoked_via_function_url.setter
@@ -27005,6 +27037,7 @@ class IFunction(
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -27017,6 +27050,7 @@ class IFunction(
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -27504,6 +27538,7 @@ class _IFunctionProxy(
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -27516,6 +27551,7 @@ class _IFunctionProxy(
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -27531,6 +27567,7 @@ class _IFunctionProxy(
             action=action,
             event_source_token=event_source_token,
             function_url_auth_type=function_url_auth_type,
+            invoked_via_function_url=invoked_via_function_url,
             organization_id=organization_id,
             scope=scope,
             source_account=source_account,
@@ -28806,6 +28843,7 @@ class FunctionBase(
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -28818,6 +28856,7 @@ class FunctionBase(
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -28833,6 +28872,7 @@ class FunctionBase(
             action=action,
             event_source_token=event_source_token,
             function_url_auth_type=function_url_auth_type,
+            invoked_via_function_url=invoked_via_function_url,
             organization_id=organization_id,
             scope=scope,
             source_account=source_account,
@@ -29892,6 +29932,7 @@ class SingletonFunction(
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -29904,6 +29945,7 @@ class SingletonFunction(
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -29917,6 +29959,7 @@ class SingletonFunction(
             action=action,
             event_source_token=event_source_token,
             function_url_auth_type=function_url_auth_type,
+            invoked_via_function_url=invoked_via_function_url,
             organization_id=organization_id,
             scope=scope,
             source_account=source_account,
@@ -33115,6 +33158,7 @@ def _typecheckingstub__43f02634f6ed895ea88b35db6c7a6ba5a7da45fa4945d0f90bf36d079
     action: typing.Optional[builtins.str] = None,
     event_source_token: typing.Optional[builtins.str] = None,
     function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+    invoked_via_function_url: typing.Optional[builtins.bool] = None,
     organization_id: typing.Optional[builtins.str] = None,
     scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
     source_account: typing.Optional[builtins.str] = None,
@@ -34803,6 +34847,7 @@ def _typecheckingstub__012ac5126b1401118a0cd31e22b2fef5e1ab897a320c6edf7d16633af
     action: typing.Optional[builtins.str] = None,
     event_source_token: typing.Optional[builtins.str] = None,
     function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+    invoked_via_function_url: typing.Optional[builtins.bool] = None,
     organization_id: typing.Optional[builtins.str] = None,
     scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
     source_account: typing.Optional[builtins.str] = None,
@@ -35048,6 +35093,7 @@ def _typecheckingstub__213097e02686d5b4e582802e2e3e822fb2c79f2920c55d92f2f4f8f05
     action: typing.Optional[builtins.str] = None,
     event_source_token: typing.Optional[builtins.str] = None,
     function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+    invoked_via_function_url: typing.Optional[builtins.bool] = None,
     organization_id: typing.Optional[builtins.str] = None,
     scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
     source_account: typing.Optional[builtins.str] = None,
@@ -35245,6 +35291,7 @@ def _typecheckingstub__6d48a048e22819587505668ae6e1fbdfeedaaaf355ad52bd1196e683b
     action: typing.Optional[builtins.str] = None,
     event_source_token: typing.Optional[builtins.str] = None,
     function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+    invoked_via_function_url: typing.Optional[builtins.bool] = None,
     organization_id: typing.Optional[builtins.str] = None,
     scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
     source_account: typing.Optional[builtins.str] = None,
@@ -35583,3 +35630,6 @@ def _typecheckingstub__368a49fe1f866c7ea7986c57b6f8488d0fddea8f62bf05ec1ed7eb09b
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IAlias, IAliasRef, ICodeSigningConfig, ICodeSigningConfigRef, IDestination, IEventInvokeConfigRef, IEventSource, IEventSourceDlq, IEventSourceMapping, IEventSourceMappingRef, IFunction, IFunctionRef, IFunctionUrl, ILayerVersion, ILayerVersionPermissionRef, ILayerVersionRef, IPermissionRef, IScalableFunctionAttribute, ISchemaRegistry, IUrlRef, IVersion, IVersionRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_lambda_nodejs/__init__.py

@@ -3193,3 +3193,6 @@ def _typecheckingstub__2da45b394f0332be0f6d6b7468d9fb54961953d56265da69955d36ffa
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [ICommandHooks]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_launchwizard/__init__.py

@@ -625,3 +625,6 @@ def _typecheckingstub__057665c8ffa5f5cdaedcf0301e727d15ee8b0244807853f59c72aadbb
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IDeploymentRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_lex/__init__.py

@@ -13794,27 +13794,6 @@ class CfnBotAlias(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
-    @jsii.member(jsii_name="fromBotAliasArn")
-    @builtins.classmethod
-    def from_bot_alias_arn(
-        cls,
-        scope: _constructs_77d1e7e8.Construct,
-        id: builtins.str,
-        arn: builtins.str,
-    ) -> IBotAliasRef:
-        '''Creates a new IBotAliasRef from an ARN.
-
-        :param scope: -
-        :param id: -
-        :param arn: -
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__2ab747fa9eb7cb105192618f589a683ebd337733abaa1cc095d0ab0c0fa55d0d)
-            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
-            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-            check_type(argname="argument arn", value=arn, expected_type=type_hints["arn"])
-        return typing.cast(IBotAliasRef, jsii.sinvoke(cls, "fromBotAliasArn", [scope, id, arn]))
-
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -16545,14 +16524,6 @@ def _typecheckingstub__57cf179c443f74ff3b1c43c56eef686f369711792e444e53d5668f07a
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__2ab747fa9eb7cb105192618f589a683ebd337733abaa1cc095d0ab0c0fa55d0d(
-    scope: _constructs_77d1e7e8.Construct,
-    id: builtins.str,
-    arn: builtins.str,
-) -> None:
-    """Type checking stubs"""
-    pass
-
 def _typecheckingstub__69e306fef7aca1ecd05a385248f8253ae3fef56958f84e69c038125bb4b466d0(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -16795,3 +16766,6 @@ def _typecheckingstub__c2269eb87c059c5d27aab85364fde6b4ccb6e21ca5bc766b939d038b5
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IBotAliasRef, IBotRef, IBotVersionRef, IResourcePolicyRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_licensemanager/__init__.py

@@ -2058,3 +2058,6 @@ def _typecheckingstub__483b5b4e301dfddf60a6c6da8bdc4898ec615b5045a70ceeeefc10fe7
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IGrantRef, ILicenseRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])