aws-cdk-lib 2.220.0__py3-none-any.whl → 2.221.0__py3-none-any.whl

aws_cdk/aws_stepfunctions/__init__.py

@@ -1747,6 +1747,7 @@ from ..aws_iam import (
     IGrantable as _IGrantable_71c4f5de,
     IPrincipal as _IPrincipal_539bb2fd,
     IRole as _IRole_235f5d8e,
+    IRoleRef as _IRoleRef_613dafc2,
     PolicyStatement as _PolicyStatement_0fe33853,
 )
 from ..aws_kms import IKey as _IKey_5f11635f, IKeyRef as _IKeyRef_1e82344b
@@ -6404,20 +6405,14 @@ class JsonPath(
 
     Example::
 
-        #
-        # JSON state input:
-        #  {
-        #    "bucketName": "my-bucket",
-        #    "prefix": "item"
-        #  }
-        #
-        distributed_map = sfn.DistributedMap(self, "DistributedMap",
-            item_reader=sfn.S3ObjectsItemReader(
-                bucket_name_path=sfn.JsonPath.string_at("$.bucketName"),
-                prefix=sfn.JsonPath.string_at("$.prefix")
+        tasks.SageMakerCreateModel(self, "Sagemaker",
+            model_name="MyModel",
+            primary_container=tasks.ContainerDefinition(
+                image=tasks.DockerImage.from_json_expression(sfn.JsonPath.string_at("$.Model.imageName")),
+                mode=tasks.Mode.SINGLE_MODEL,
+                model_s3_location=tasks.S3Location.from_json_expression("$.TrainingJob.ModelArtifacts.S3ModelArtifacts")
             )
         )
-        distributed_map.item_processor(sfn.Pass(self, "Pass"))
     '''
 
     @jsii.member(jsii_name="array")
@@ -10296,7 +10291,7 @@ class StateMachine(
         logs: typing.Optional[typing.Union[LogOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         query_language: typing.Optional[QueryLanguage] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
-        role: typing.Optional[_IRole_235f5d8e] = None,
+        role: typing.Optional['__IRoleRef_613dafc2__IGrantable_71c4f5de'] = None,
         state_machine_name: typing.Optional[builtins.str] = None,
         state_machine_type: typing.Optional["StateMachineType"] = None,
         timeout: typing.Optional[_Duration_4839e8c3] = None,
@@ -10917,7 +10912,10 @@ class StateMachine(
     @builtins.property
     @jsii.member(jsii_name="role")
     def role(self) -> _IRole_235f5d8e:
-        '''Execution role of this state machine.'''
+        '''Execution role of this state machine.
+
+        Will throw if the Role object that was given does not implement IRole
+        '''
         return typing.cast(_IRole_235f5d8e, jsii.get(self, "role"))
 
     @builtins.property
@@ -11211,7 +11209,7 @@ class StateMachineProps:
         logs: typing.Optional[typing.Union[LogOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         query_language: typing.Optional[QueryLanguage] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
-        role: typing.Optional[_IRole_235f5d8e] = None,
+        role: typing.Optional['__IRoleRef_613dafc2__IGrantable_71c4f5de'] = None,
         state_machine_name: typing.Optional[builtins.str] = None,
         state_machine_type: typing.Optional["StateMachineType"] = None,
         timeout: typing.Optional[_Duration_4839e8c3] = None,
@@ -11375,13 +11373,13 @@ class StateMachineProps:
         return typing.cast(typing.Optional[_RemovalPolicy_9f93c814], result)
 
     @builtins.property
-    def role(self) -> typing.Optional[_IRole_235f5d8e]:
+    def role(self) -> typing.Optional['__IRoleRef_613dafc2__IGrantable_71c4f5de']:
         '''The execution role for the state machine service.
 
         :default: A role is automatically created
         '''
         result = self._values.get("role")
-        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+        return typing.cast(typing.Optional['__IRoleRef_613dafc2__IGrantable_71c4f5de'], result)
 
     @builtins.property
     def state_machine_name(self) -> typing.Optional[builtins.str]:
@@ -27789,7 +27787,7 @@ def _typecheckingstub__efdfc02291401a50a1d945e5208e9becb9828352fec32bc109ccebafc
     logs: typing.Optional[typing.Union[LogOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     query_language: typing.Optional[QueryLanguage] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
-    role: typing.Optional[_IRole_235f5d8e] = None,
+    role: typing.Optional['__IRoleRef_613dafc2__IGrantable_71c4f5de'] = None,
     state_machine_name: typing.Optional[builtins.str] = None,
     state_machine_type: typing.Optional[StateMachineType] = None,
     timeout: typing.Optional[_Duration_4839e8c3] = None,
@@ -27919,7 +27917,7 @@ def _typecheckingstub__24d23b501c893898901860f31ff1a0a0fa81eb89f06a7acf3eef4f15e
     logs: typing.Optional[typing.Union[LogOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     query_language: typing.Optional[QueryLanguage] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
-    role: typing.Optional[_IRole_235f5d8e] = None,
+    role: typing.Optional['__IRoleRef_613dafc2__IGrantable_71c4f5de'] = None,
     state_machine_name: typing.Optional[builtins.str] = None,
     state_machine_type: typing.Optional[StateMachineType] = None,
     timeout: typing.Optional[_Duration_4839e8c3] = None,
@@ -29762,3 +29760,9 @@ def _typecheckingstub__0d5f089eaa441d0e3ee41bfd31bf52dcf81f27d026fe808208da7e964
 ) -> None:
     """Type checking stubs"""
     pass
+
+class __IRoleRef_613dafc2__IGrantable_71c4f5de(_IRoleRef_613dafc2, _IGrantable_71c4f5de, typing_extensions.Protocol):
+    pass
+
+for cls in [IActivity, IActivityRef, IChainable, IItemReader, INextable, IStateMachine, IStateMachineAliasRef, IStateMachineRef, IStateMachineVersionRef, __IRoleRef_613dafc2__IGrantable_71c4f5de]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_stepfunctions_tasks/__init__.py

@@ -1585,7 +1585,7 @@ connection = events.Connection(self, "Connection",
 
 tasks.HttpInvoke(self, "Invoke HTTP API",
     api_root="https://api.example.com",
-    api_endpoint=sfn.TaskInput.from_text("path/to/resource"),
+    api_endpoint=sfn.TaskInput.from_text(sfn.JsonPath.format("resource/{}/details", sfn.JsonPath.string_at("$.resourceId"))),
     body=sfn.TaskInput.from_object({"foo": "bar"}),
     connection=connection,
     headers=sfn.TaskInput.from_object({"Content-Type": "application/json"}),
@@ -63102,7 +63102,7 @@ class HttpInvokeProps(_TaskStateBaseProps_3a62b6d0):
             
             tasks.HttpInvoke(self, "Invoke HTTP API",
                 api_root="https://api.example.com",
-                api_endpoint=sfn.TaskInput.from_text("path/to/resource"),
+                api_endpoint=sfn.TaskInput.from_text(sfn.JsonPath.format("resource/{}/details", sfn.JsonPath.string_at("$.resourceId"))),
                 body=sfn.TaskInput.from_object({"foo": "bar"}),
                 connection=connection,
                 headers=sfn.TaskInput.from_object({"Content-Type": "application/json"}),
@@ -85254,7 +85254,7 @@ class URLEncodingFormat(enum.Enum):
         
         tasks.HttpInvoke(self, "Invoke HTTP API",
             api_root="https://api.example.com",
-            api_endpoint=sfn.TaskInput.from_text("path/to/resource"),
+            api_endpoint=sfn.TaskInput.from_text(sfn.JsonPath.format("resource/{}/details", sfn.JsonPath.string_at("$.resourceId"))),
             body=sfn.TaskInput.from_object({"foo": "bar"}),
             connection=connection,
             headers=sfn.TaskInput.from_object({"Content-Type": "application/json"}),
@@ -96562,3 +96562,6 @@ def _typecheckingstub__7c19025da4101b4b8d2482e0216270cc5e94fe58381fdba0b4cf99f04
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IBedrockCreateModelCustomizationJobVpcConfig, IContainerDefinition, IEcsLaunchTarget, ISageMakerTask]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_supportapp/__init__.py

@@ -1366,3 +1366,6 @@ def _typecheckingstub__1f10519eb1d45ed1305e842ac3665885bde5d1c65940455981356edc1
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IAccountAliasRef, ISlackChannelConfigurationRef, ISlackWorkspaceConfigurationRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_synthetics/__init__.py

@@ -1676,15 +1676,14 @@ class CfnCanaryProps:
             cfn_canary_props = synthetics.CfnCanaryProps(
                 artifact_s3_location="artifactS3Location",
                 code=synthetics.CfnCanary.CodeProperty(
-                    handler="handler",
-            
-                    # the properties below are optional
+                    blueprint_types=["blueprintTypes"],
                     dependencies=[synthetics.CfnCanary.DependencyProperty(
                         reference="reference",
             
                         # the properties below are optional
                         type="type"
                     )],
+                    handler="handler",
                     s3_bucket="s3Bucket",
                     s3_key="s3Key",
                     s3_object_version="s3ObjectVersion",
@@ -3390,6 +3389,15 @@ class Runtime(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_synthetics.Run
         '''
         return typing.cast("Runtime", jsii.sget(cls, "SYNTHETICS_PYTHON_SELENIUM_6_0"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SYNTHETICS_PYTHON_SELENIUM_7_0")
+    def SYNTHETICS_PYTHON_SELENIUM_7_0(cls) -> "Runtime":
+        '''``syn-python-selenium-7.0`` includes the following: - Lambda runtime Python 3.11 - Selenium version 4.32.0 - Chromium version 138.0.7204.168.
+
+        :see: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html#CloudWatch_Synthetics_runtimeversion-syn-python-selenium-7.0
+        '''
+        return typing.cast("Runtime", jsii.sget(cls, "SYNTHETICS_PYTHON_SELENIUM_7_0"))
+
     @builtins.property
     @jsii.member(jsii_name="family")
     def family(self) -> "RuntimeFamily":
@@ -3773,15 +3781,14 @@ class CfnCanary(
         cfn_canary = synthetics.CfnCanary(self, "MyCfnCanary",
             artifact_s3_location="artifactS3Location",
             code=synthetics.CfnCanary.CodeProperty(
-                handler="handler",
-        
-                # the properties below are optional
+                blueprint_types=["blueprintTypes"],
                 dependencies=[synthetics.CfnCanary.DependencyProperty(
                     reference="reference",
         
                     # the properties below are optional
                     type="type"
                 )],
+                handler="handler",
                 s3_bucket="s3Bucket",
                 s3_key="s3Key",
                 s3_object_version="s3ObjectVersion",
@@ -4568,8 +4575,9 @@ class CfnCanary(
         jsii_type="aws-cdk-lib.aws_synthetics.CfnCanary.CodeProperty",
         jsii_struct_bases=[],
         name_mapping={
-            "handler": "handler",
+            "blueprint_types": "blueprintTypes",
             "dependencies": "dependencies",
+            "handler": "handler",
             "s3_bucket": "s3Bucket",
             "s3_key": "s3Key",
             "s3_object_version": "s3ObjectVersion",
@@ -4581,8 +4589,9 @@ class CfnCanary(
         def __init__(
             self,
             *,
-            handler: builtins.str,
+            blueprint_types: typing.Optional[typing.Sequence[builtins.str]] = None,
             dependencies: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCanary.DependencyProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            handler: typing.Optional[builtins.str] = None,
             s3_bucket: typing.Optional[builtins.str] = None,
             s3_key: typing.Optional[builtins.str] = None,
             s3_object_version: typing.Optional[builtins.str] = None,
@@ -4593,8 +4602,9 @@ class CfnCanary(
 
             This structure contains the Lambda handler with the location where the canary should start running the script. If the script is stored in an S3 bucket, the bucket name, key, and version are also included. If the script is passed into the canary directly, the script code is contained in the value of ``Script`` .
 
-            :param handler: The entry point to use for the source code when running the canary. For canaries that use the ``syn-python-selenium-1.0`` runtime or a ``syn-nodejs.puppeteer`` runtime earlier than ``syn-nodejs.puppeteer-3.4`` , the handler must be specified as ``*fileName* .handler`` . For ``syn-python-selenium-1.1`` , ``syn-nodejs.puppeteer-3.4`` , and later runtimes, the handler can be specified as ``*fileName* . *functionName*`` , or you can specify a folder where canary scripts reside as ``*folder* / *fileName* . *functionName*`` .
+            :param blueprint_types: ``BlueprintTypes`` are a list of templates that enable simplified canary creation. You can create canaries for common monitoring scenarios by providing only a JSON configuration file instead of writing custom scripts. ``multi-checks`` is the only supported value. When you specify ``BlueprintTypes`` , the ``Handler`` field cannot be specified since the blueprint provides a pre-defined entry point.
             :param dependencies: List of Lambda layers to attach to the canary.
+            :param handler: The entry point to use for the source code when running the canary. For canaries that use the ``syn-python-selenium-1.0`` runtime or a ``syn-nodejs.puppeteer`` runtime earlier than ``syn-nodejs.puppeteer-3.4`` , the handler must be specified as ``*fileName* .handler`` . For ``syn-python-selenium-1.1`` , ``syn-nodejs.puppeteer-3.4`` , and later runtimes, the handler can be specified as ``*fileName* . *functionName*`` , or you can specify a folder where canary scripts reside as ``*folder* / *fileName* . *functionName*`` . This field is required when you don't specify ``BlueprintTypes`` and is not allowed when you specify ``BlueprintTypes`` .
             :param s3_bucket: If your canary script is located in S3, specify the bucket name here. The bucket must already exist.
             :param s3_key: The Amazon S3 key of your script. For more information, see `Working with Amazon S3 Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html>`_ .
             :param s3_object_version: The Amazon S3 version ID of your script.
@@ -4611,15 +4621,14 @@ class CfnCanary(
                 from aws_cdk import aws_synthetics as synthetics
                 
                 code_property = synthetics.CfnCanary.CodeProperty(
-                    handler="handler",
-                
-                    # the properties below are optional
+                    blueprint_types=["blueprintTypes"],
                     dependencies=[synthetics.CfnCanary.DependencyProperty(
                         reference="reference",
                 
                         # the properties below are optional
                         type="type"
                     )],
+                    handler="handler",
                     s3_bucket="s3Bucket",
                     s3_key="s3Key",
                     s3_object_version="s3ObjectVersion",
@@ -4629,18 +4638,21 @@ class CfnCanary(
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__3d403372a613babc1ab10717d050ec9a7f4055961f3545f2d0600d89c7b3dcc3)
-                check_type(argname="argument handler", value=handler, expected_type=type_hints["handler"])
+                check_type(argname="argument blueprint_types", value=blueprint_types, expected_type=type_hints["blueprint_types"])
                 check_type(argname="argument dependencies", value=dependencies, expected_type=type_hints["dependencies"])
+                check_type(argname="argument handler", value=handler, expected_type=type_hints["handler"])
                 check_type(argname="argument s3_bucket", value=s3_bucket, expected_type=type_hints["s3_bucket"])
                 check_type(argname="argument s3_key", value=s3_key, expected_type=type_hints["s3_key"])
                 check_type(argname="argument s3_object_version", value=s3_object_version, expected_type=type_hints["s3_object_version"])
                 check_type(argname="argument script", value=script, expected_type=type_hints["script"])
                 check_type(argname="argument source_location_arn", value=source_location_arn, expected_type=type_hints["source_location_arn"])
-            self._values: typing.Dict[builtins.str, typing.Any] = {
-                "handler": handler,
-            }
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if blueprint_types is not None:
+                self._values["blueprint_types"] = blueprint_types
             if dependencies is not None:
                 self._values["dependencies"] = dependencies
+            if handler is not None:
+                self._values["handler"] = handler
             if s3_bucket is not None:
                 self._values["s3_bucket"] = s3_bucket
             if s3_key is not None:
@@ -4653,16 +4665,17 @@ class CfnCanary(
                 self._values["source_location_arn"] = source_location_arn
 
         @builtins.property
-        def handler(self) -> builtins.str:
-            '''The entry point to use for the source code when running the canary.
+        def blueprint_types(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''``BlueprintTypes`` are a list of templates that enable simplified canary creation.
 
-            For canaries that use the ``syn-python-selenium-1.0`` runtime or a ``syn-nodejs.puppeteer`` runtime earlier than ``syn-nodejs.puppeteer-3.4`` , the handler must be specified as ``*fileName* .handler`` . For ``syn-python-selenium-1.1`` , ``syn-nodejs.puppeteer-3.4`` , and later runtimes, the handler can be specified as ``*fileName* . *functionName*`` , or you can specify a folder where canary scripts reside as ``*folder* / *fileName* . *functionName*`` .
+            You can create canaries for common monitoring scenarios by providing only a JSON configuration file instead of writing custom scripts. ``multi-checks`` is the only supported value.
 
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-synthetics-canary-code.html#cfn-synthetics-canary-code-handler
+            When you specify ``BlueprintTypes`` , the ``Handler`` field cannot be specified since the blueprint provides a pre-defined entry point.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-synthetics-canary-code.html#cfn-synthetics-canary-code-blueprinttypes
             '''
-            result = self._values.get("handler")
-            assert result is not None, "Required property 'handler' is missing"
-            return typing.cast(builtins.str, result)
+            result = self._values.get("blueprint_types")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
         @builtins.property
         def dependencies(
@@ -4675,6 +4688,19 @@ class CfnCanary(
             result = self._values.get("dependencies")
             return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnCanary.DependencyProperty"]]]], result)
 
+        @builtins.property
+        def handler(self) -> typing.Optional[builtins.str]:
+            '''The entry point to use for the source code when running the canary.
+
+            For canaries that use the ``syn-python-selenium-1.0`` runtime or a ``syn-nodejs.puppeteer`` runtime earlier than ``syn-nodejs.puppeteer-3.4`` , the handler must be specified as ``*fileName* .handler`` . For ``syn-python-selenium-1.1`` , ``syn-nodejs.puppeteer-3.4`` , and later runtimes, the handler can be specified as ``*fileName* . *functionName*`` , or you can specify a folder where canary scripts reside as ``*folder* / *fileName* . *functionName*`` .
+
+            This field is required when you don't specify ``BlueprintTypes`` and is not allowed when you specify ``BlueprintTypes`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-synthetics-canary-code.html#cfn-synthetics-canary-code-handler
+            '''
+            result = self._values.get("handler")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         @builtins.property
         def s3_bucket(self) -> typing.Optional[builtins.str]:
             '''If your canary script is located in S3, specify the bucket name here.
@@ -5336,7 +5362,7 @@ class CfnCanary(
 
             :param base_canary_run_id: Specifies which canary run to use the screenshots from as the baseline for future visual monitoring with this canary. Valid values are ``nextrun`` to use the screenshots from the next run after this update is made, ``lastrun`` to use the screenshots from the most recent run before this update was made, or the value of ``Id`` in the `CanaryRun <https://docs.aws.amazon.com/AmazonSynthetics/latest/APIReference/API_CanaryRun.html>`_ from any past run of this canary.
             :param base_screenshots: An array of screenshots that are used as the baseline for comparisons during visual monitoring.
-            :param browser_type: 
+            :param browser_type: The browser type associated with this visual reference configuration. Valid values are ``CHROME`` and ``FIREFOX`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-synthetics-canary-visualreference.html
             :exampleMetadata: fixture=_generated
@@ -5398,7 +5424,10 @@ class CfnCanary(
 
         @builtins.property
         def browser_type(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The browser type associated with this visual reference configuration.
+
+            Valid values are ``CHROME`` and ``FIREFOX`` .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-synthetics-canary-visualreference.html#cfn-synthetics-canary-visualreference-browsertype
             '''
             result = self._values.get("browser_type")
@@ -6065,8 +6094,9 @@ def _typecheckingstub__c91e35c3c240434fee052d7f899893609a9c027813412eb6312483e20
 
 def _typecheckingstub__3d403372a613babc1ab10717d050ec9a7f4055961f3545f2d0600d89c7b3dcc3(
     *,
-    handler: builtins.str,
+    blueprint_types: typing.Optional[typing.Sequence[builtins.str]] = None,
     dependencies: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCanary.DependencyProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    handler: typing.Optional[builtins.str] = None,
     s3_bucket: typing.Optional[builtins.str] = None,
     s3_key: typing.Optional[builtins.str] = None,
     s3_object_version: typing.Optional[builtins.str] = None,
@@ -6178,3 +6208,6 @@ def _typecheckingstub__0d85cd0ddf465884c3990e0492b92e22606ecfb33b8127bf42d0c344b
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [ICanaryRef, IGroupRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_systemsmanagersap/__init__.py

@@ -951,3 +951,6 @@ def _typecheckingstub__209aa7feaf1ed6ac2bf183538ccbb7555a21c47880975dd9f9b002d73
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IApplicationRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_timestream/__init__.py

@@ -3749,27 +3749,6 @@ class CfnTable(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
-    @jsii.member(jsii_name="fromTableArn")
-    @builtins.classmethod
-    def from_table_arn(
-        cls,
-        scope: _constructs_77d1e7e8.Construct,
-        id: builtins.str,
-        arn: builtins.str,
-    ) -> ITableRef:
-        '''Creates a new ITableRef from an ARN.
-
-        :param scope: -
-        :param id: -
-        :param arn: -
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__fa753463a41b4c926c9b5b8d188dff52c3157fe2316e6dfb94568d8660260ca2)
-            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
-            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-            check_type(argname="argument arn", value=arn, expected_type=type_hints["arn"])
-        return typing.cast(ITableRef, jsii.sinvoke(cls, "fromTableArn", [scope, id, arn]))
-
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -4946,14 +4925,6 @@ def _typecheckingstub__aad96eaee00841ee49968da22b6ed13b3777f265d71c1981b2f1b217c
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__fa753463a41b4c926c9b5b8d188dff52c3157fe2316e6dfb94568d8660260ca2(
-    scope: _constructs_77d1e7e8.Construct,
-    id: builtins.str,
-    arn: builtins.str,
-) -> None:
-    """Type checking stubs"""
-    pass
-
 def _typecheckingstub__5e1f672b6c3046841d69f96c6b256cf927db52e0b4f4cd165e7022a893b539b1(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -5050,3 +5021,6 @@ def _typecheckingstub__09067b1978c488643c66537ddae08f743cfe6b4aac79c820f90d9c083
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IDatabaseRef, IInfluxDBInstanceRef, IScheduledQueryRef, ITableRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_transfer/__init__.py

@@ -691,7 +691,7 @@ class CfnConnectorProps:
         '''Properties for defining a ``CfnConnector``.
 
         :param access_role: Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use. *For AS2 connectors* With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key. *For SFTP connectors* Make sure that the access role provides read and write access to the parent directory of the file location that's used in the ``StartFileTransfer`` request. Additionally, make sure that the role provides ``secretsmanager:GetSecretValue`` permission to AWS Secrets Manager .
-        :param url: The URL of the partner's AS2 or SFTP endpoint.
+        :param url: The URL of the partner's AS2 or SFTP endpoint. When creating AS2 connectors or service-managed SFTP connectors (connectors without egress configuration), you must provide a URL to specify the remote server endpoint. For VPC Lattice type connectors, the URL must be null.
         :param as2_config: A structure that contains the parameters for an AS2 connector object.
         :param logging_role: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.
         :param security_policy_name: The text name of the security policy for the specified connector.
@@ -778,6 +778,8 @@ class CfnConnectorProps:
     def url(self) -> builtins.str:
         '''The URL of the partner's AS2 or SFTP endpoint.
 
+        When creating AS2 connectors or service-managed SFTP connectors (connectors without egress configuration), you must provide a URL to specify the remote server endpoint. For VPC Lattice type connectors, the URL must be null.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-connector.html#cfn-transfer-connector-url
         '''
         result = self._values.get("url")
@@ -2794,27 +2796,6 @@ class CfnAgreement(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
-    @jsii.member(jsii_name="fromAgreementArn")
-    @builtins.classmethod
-    def from_agreement_arn(
-        cls,
-        scope: _constructs_77d1e7e8.Construct,
-        id: builtins.str,
-        arn: builtins.str,
-    ) -> IAgreementRef:
-        '''Creates a new IAgreementRef from an ARN.
-
-        :param scope: -
-        :param id: -
-        :param arn: -
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__49865972fac7cf97b37625ebb0dab09d88b56b9f2dd79d90fc649828bfc624ff)
-            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
-            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-            check_type(argname="argument arn", value=arn, expected_type=type_hints["arn"])
-        return typing.cast(IAgreementRef, jsii.sinvoke(cls, "fromAgreementArn", [scope, id, arn]))
-
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -3573,7 +3554,7 @@ class CfnConnector(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param access_role: Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use. *For AS2 connectors* With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key. *For SFTP connectors* Make sure that the access role provides read and write access to the parent directory of the file location that's used in the ``StartFileTransfer`` request. Additionally, make sure that the role provides ``secretsmanager:GetSecretValue`` permission to AWS Secrets Manager .
-        :param url: The URL of the partner's AS2 or SFTP endpoint.
+        :param url: The URL of the partner's AS2 or SFTP endpoint. When creating AS2 connectors or service-managed SFTP connectors (connectors without egress configuration), you must provide a URL to specify the remote server endpoint. For VPC Lattice type connectors, the URL must be null.
         :param as2_config: A structure that contains the parameters for an AS2 connector object.
         :param logging_role: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.
         :param security_policy_name: The text name of the security policy for the specified connector.
@@ -4064,7 +4045,7 @@ class CfnConnector(
             '''A structure that contains the parameters for an SFTP connector object.
 
             :param max_concurrent_connections: Specify the number of concurrent connections that your connector creates to the remote server. The default value is ``1`` . The maximum values is ``5`` . .. epigraph:: If you are using the AWS Management Console , the default value is ``5`` . This parameter specifies the number of active connections that your connector can establish with the remote server at the same time. Increasing this value can enhance connector performance when transferring large file batches by enabling parallel operations. Default: - 1
-            :param trusted_host_keys: The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the ``ssh-keyscan`` command against the SFTP server to retrieve the necessary key. .. epigraph:: ``TrustedHostKeys`` is optional for ``CreateConnector`` . If not provided, you can use ``TestConnection`` to retrieve the server host key during the initial connection attempt, and subsequently update the connector with the observed host key. The three standard SSH public key format elements are ``<key type>`` , ``<body base64>`` , and an optional ``<comment>`` , with spaces between each element. Specify only the ``<key type>`` and ``<body base64>`` : do not enter the ``<comment>`` portion of the key. For the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys. - For RSA keys, the ``<key type>`` string is ``ssh-rsa`` . - For ECDSA keys, the ``<key type>`` string is either ``ecdsa-sha2-nistp256`` , ``ecdsa-sha2-nistp384`` , or ``ecdsa-sha2-nistp521`` , depending on the size of the key you generated. Run this command to retrieve the SFTP server host key, where your SFTP server name is ``ftp.host.com`` . ``ssh-keyscan ftp.host.com`` This prints the public host key to standard output. ``ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key`` Copy and paste this string into the ``TrustedHostKeys`` field for the ``create-connector`` command or into the *Trusted host keys* field in the console.
+            :param trusted_host_keys: The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the ``ssh-keyscan`` command against the SFTP server to retrieve the necessary key. .. epigraph:: ``TrustedHostKeys`` is optional for ``CreateConnector`` . If not provided, you can use ``TestConnection`` to retrieve the server host key during the initial connection attempt, and subsequently update the connector with the observed host key. When creating connectors with egress config (VPC_LATTICE type connectors), since host name is not something we can verify, the only accepted trusted host key format is ``key-type key-body`` without the host name. For example: ``ssh-rsa AAAAB3Nza...<long-string-for-public-key>`` The three standard SSH public key format elements are ``<key type>`` , ``<body base64>`` , and an optional ``<comment>`` , with spaces between each element. Specify only the ``<key type>`` and ``<body base64>`` : do not enter the ``<comment>`` portion of the key. For the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys. - For RSA keys, the ``<key type>`` string is ``ssh-rsa`` . - For ECDSA keys, the ``<key type>`` string is either ``ecdsa-sha2-nistp256`` , ``ecdsa-sha2-nistp384`` , or ``ecdsa-sha2-nistp521`` , depending on the size of the key you generated. Run this command to retrieve the SFTP server host key, where your SFTP server name is ``ftp.host.com`` . ``ssh-keyscan ftp.host.com`` This prints the public host key to standard output. ``ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key>`` Copy and paste this string into the ``TrustedHostKeys`` field for the ``create-connector`` command or into the *Trusted host keys* field in the console. For VPC Lattice type connectors (VPC_LATTICE), remove the hostname from the key and use only the ``key-type key-body`` format. In this example, it should be: ``ssh-rsa AAAAB3Nza...<long-string-for-public-key>``
             :param user_secret_id: The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret. .. epigraph:: - Required when creating an SFTP connector - Optional when updating an existing SFTP connector
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-sftpconfig.html
@@ -4122,6 +4103,8 @@ class CfnConnector(
 
                ``TrustedHostKeys`` is optional for ``CreateConnector`` . If not provided, you can use ``TestConnection`` to retrieve the server host key during the initial connection attempt, and subsequently update the connector with the observed host key.
 
+            When creating connectors with egress config (VPC_LATTICE type connectors), since host name is not something we can verify, the only accepted trusted host key format is ``key-type key-body`` without the host name. For example: ``ssh-rsa AAAAB3Nza...<long-string-for-public-key>``
+
             The three standard SSH public key format elements are ``<key type>`` , ``<body base64>`` , and an optional ``<comment>`` , with spaces between each element. Specify only the ``<key type>`` and ``<body base64>`` : do not enter the ``<comment>`` portion of the key.
 
             For the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys.
@@ -4135,10 +4118,12 @@ class CfnConnector(
 
             This prints the public host key to standard output.
 
-            ``ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key``
+            ``ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key>``
 
             Copy and paste this string into the ``TrustedHostKeys`` field for the ``create-connector`` command or into the *Trusted host keys* field in the console.
 
+            For VPC Lattice type connectors (VPC_LATTICE), remove the hostname from the key and use only the ``key-type key-body`` format. In this example, it should be: ``ssh-rsa AAAAB3Nza...<long-string-for-public-key>``
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-sftpconfig.html#cfn-transfer-connector-sftpconfig-trustedhostkeys
             '''
             result = self._values.get("trusted_host_keys")
@@ -5199,13 +5184,17 @@ class CfnServer(
         ) -> None:
             '''The protocol settings that are configured for your server.
 
+            .. epigraph::
+
+               Avoid placing Network Load Balancers (NLBs) or NAT gateways in front of AWS Transfer Family servers, as this increases costs and can cause performance issues, including reduced connection limits for FTPS. For more details, see `Avoid placing NLBs and NATs in front of AWS Transfer Family <https://docs.aws.amazon.com/transfer/latest/userguide/infrastructure-security.html#nlb-considerations>`_ .
+
             - To indicate passive mode (for FTP and FTPS protocols), use the ``PassiveIp`` parameter. Enter a single dotted-quad IPv4 address, such as the external IP address of a firewall, router, or load balancer.
             - To ignore the error that is generated when the client attempts to use the ``SETSTAT`` command on a file that you are uploading to an Amazon S3 bucket, use the ``SetStatOption`` parameter. To have the AWS Transfer Family server ignore the ``SETSTAT`` command and upload files without needing to make any changes to your SFTP client, set the value to ``ENABLE_NO_OP`` . If you set the ``SetStatOption`` parameter to ``ENABLE_NO_OP`` , Transfer Family generates a log entry to Amazon CloudWatch Logs, so that you can determine when the client is making a ``SETSTAT`` call.
             - To determine whether your AWS Transfer Family server resumes recent, negotiated sessions through a unique session ID, use the ``TlsSessionResumptionMode`` parameter.
             - ``As2Transports`` indicates the transport method for the AS2 messages. Currently, only HTTP is supported.
 
             :param as2_transports: List of ``As2Transport`` objects.
-            :param passive_ip: Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For example: ``aws transfer update-server --protocol-details PassiveIp=0.0.0.0`` Replace ``0.0.0.0`` in the example above with the actual IP address you want to use. .. epigraph:: If you change the ``PassiveIp`` value, you must stop and then restart your Transfer Family server for the change to take effect. For details on using passive mode (PASV) in a NAT environment, see `Configuring your FTPS server behind a firewall or NAT with AWS Transfer Family <https://docs.aws.amazon.com/storage/configuring-your-ftps-server-behind-a-firewall-or-nat-with-aws-transfer-family/>`_ . *Special values* The ``AUTO`` and ``0.0.0.0`` are special values for the ``PassiveIp`` parameter. The value ``PassiveIp=AUTO`` is assigned by default to FTP and FTPS type servers. In this case, the server automatically responds with one of the endpoint IPs within the PASV response. ``PassiveIp=0.0.0.0`` has a more unique application for its usage. For example, if you have a High Availability (HA) Network Load Balancer (NLB) environment, where you have 3 subnets, you can only specify a single IP address using the ``PassiveIp`` parameter. This reduces the effectiveness of having High Availability. In this case, you can specify ``PassiveIp=0.0.0.0`` . This tells the client to use the same IP address as the Control connection and utilize all AZs for their connections. Note, however, that not all FTP clients support the ``PassiveIp=0.0.0.0`` response. FileZilla and WinSCP do support it. If you are using other clients, check to see if your client supports the ``PassiveIp=0.0.0.0`` response.
+            :param passive_ip: Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For example: ``aws transfer update-server --protocol-details PassiveIp=0.0.0.0`` Replace ``0.0.0.0`` in the example above with the actual IP address you want to use. .. epigraph:: If you change the ``PassiveIp`` value, you must stop and then restart your Transfer Family server for the change to take effect. For details on using passive mode (PASV) in a NAT environment, see `Configuring your FTPS server behind a firewall or NAT with AWS Transfer Family <https://docs.aws.amazon.com/storage/configuring-your-ftps-server-behind-a-firewall-or-nat-with-aws-transfer-family/>`_ . Additionally, avoid placing Network Load Balancers (NLBs) or NAT gateways in front of AWS Transfer Family servers. This configuration increases costs and can cause performance issues. When NLBs or NATs are in the communication path, Transfer Family cannot accurately recognize client IP addresses, which impacts connection sharding and limits FTPS servers to only 300 simultaneous connections instead of 10,000. If you must use an NLB, use port 21 for health checks and enable TLS session resumption by setting ``TlsSessionResumptionMode = ENFORCED`` . For optimal performance, migrate to VPC endpoints with Elastic IP addresses instead of using NLBs. For more details, see `Avoid placing NLBs and NATs in front of AWS Transfer Family <https://docs.aws.amazon.com/transfer/latest/userguide/infrastructure-security.html#nlb-considerations>`_ . *Special values* The ``AUTO`` and ``0.0.0.0`` are special values for the ``PassiveIp`` parameter. The value ``PassiveIp=AUTO`` is assigned by default to FTP and FTPS type servers. In this case, the server automatically responds with one of the endpoint IPs within the PASV response. ``PassiveIp=0.0.0.0`` has a more unique application for its usage. For example, if you have a High Availability (HA) Network Load Balancer (NLB) environment, where you have 3 subnets, you can only specify a single IP address using the ``PassiveIp`` parameter. This reduces the effectiveness of having High Availability. In this case, you can specify ``PassiveIp=0.0.0.0`` . This tells the client to use the same IP address as the Control connection and utilize all AZs for their connections. Note, however, that not all FTP clients support the ``PassiveIp=0.0.0.0`` response. FileZilla and WinSCP do support it. If you are using other clients, check to see if your client supports the ``PassiveIp=0.0.0.0`` response.
             :param set_stat_option: Use the ``SetStatOption`` to ignore the error that is generated when the client attempts to use ``SETSTAT`` on a file you are uploading to an S3 bucket. Some SFTP file transfer clients can attempt to change the attributes of remote files, including timestamp and permissions, using commands, such as ``SETSTAT`` when uploading the file. However, these commands are not compatible with object storage systems, such as Amazon S3. Due to this incompatibility, file uploads from these clients can result in errors even when the file is otherwise successfully uploaded. Set the value to ``ENABLE_NO_OP`` to have the Transfer Family server ignore the ``SETSTAT`` command, and upload files without needing to make any changes to your SFTP client. While the ``SetStatOption`` ``ENABLE_NO_OP`` setting ignores the error, it does generate a log entry in Amazon CloudWatch Logs, so you can determine when the client is making a ``SETSTAT`` call. .. epigraph:: If you want to preserve the original timestamp for your file, and modify other file attributes using ``SETSTAT`` , you can use Amazon EFS as backend storage with Transfer Family.
             :param tls_session_resumption_mode: A property used with Transfer Family servers that use the FTPS protocol. TLS Session Resumption provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. ``TlsSessionResumptionMode`` determines whether or not the server resumes recent, negotiated sessions through a unique session ID. This property is available during ``CreateServer`` and ``UpdateServer`` calls. If a ``TlsSessionResumptionMode`` value is not specified during ``CreateServer`` , it is set to ``ENFORCED`` by default. - ``DISABLED`` : the server does not process TLS session resumption client requests and creates a new TLS session for each request. - ``ENABLED`` : the server processes and accepts clients that are performing TLS session resumption. The server doesn't reject client data connections that do not perform the TLS session resumption client processing. - ``ENFORCED`` : the server processes and accepts clients that are performing TLS session resumption. The server rejects client data connections that do not perform the TLS session resumption client processing. Before you set the value to ``ENFORCED`` , test your clients. .. epigraph:: Not all FTPS clients perform TLS session resumption. So, if you choose to enforce TLS session resumption, you prevent any connections from FTPS clients that don't perform the protocol negotiation. To determine whether or not you can use the ``ENFORCED`` value, you need to test your clients.
 
@@ -5263,6 +5252,8 @@ class CfnServer(
 
                If you change the ``PassiveIp`` value, you must stop and then restart your Transfer Family server for the change to take effect. For details on using passive mode (PASV) in a NAT environment, see `Configuring your FTPS server behind a firewall or NAT with AWS Transfer Family <https://docs.aws.amazon.com/storage/configuring-your-ftps-server-behind-a-firewall-or-nat-with-aws-transfer-family/>`_ .
 
+               Additionally, avoid placing Network Load Balancers (NLBs) or NAT gateways in front of AWS Transfer Family servers. This configuration increases costs and can cause performance issues. When NLBs or NATs are in the communication path, Transfer Family cannot accurately recognize client IP addresses, which impacts connection sharding and limits FTPS servers to only 300 simultaneous connections instead of 10,000. If you must use an NLB, use port 21 for health checks and enable TLS session resumption by setting ``TlsSessionResumptionMode = ENFORCED`` . For optimal performance, migrate to VPC endpoints with Elastic IP addresses instead of using NLBs. For more details, see `Avoid placing NLBs and NATs in front of AWS Transfer Family <https://docs.aws.amazon.com/transfer/latest/userguide/infrastructure-security.html#nlb-considerations>`_ .
+
             *Special values*
 
             The ``AUTO`` and ``0.0.0.0`` are special values for the ``PassiveIp`` parameter. The value ``PassiveIp=AUTO`` is assigned by default to FTP and FTPS type servers. In this case, the server automatically responds with one of the endpoint IPs within the PASV response. ``PassiveIp=0.0.0.0`` has a more unique application for its usage. For example, if you have a High Availability (HA) Network Load Balancer (NLB) environment, where you have 3 subnets, you can only specify a single IP address using the ``PassiveIp`` parameter. This reduces the effectiveness of having High Availability. In this case, you can specify ``PassiveIp=0.0.0.0`` . This tells the client to use the same IP address as the Control connection and utilize all AZs for their connections. Note, however, that not all FTP clients support the ``PassiveIp=0.0.0.0`` response. FileZilla and WinSCP do support it. If you are using other clients, check to see if your client supports the ``PassiveIp=0.0.0.0`` response.
@@ -8179,14 +8170,6 @@ def _typecheckingstub__f95ec07e6c4ee624e4f9374f7db0e66b46af64fa8c86e2e41aa290c72
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__49865972fac7cf97b37625ebb0dab09d88b56b9f2dd79d90fc649828bfc624ff(
-    scope: _constructs_77d1e7e8.Construct,
-    id: builtins.str,
-    arn: builtins.str,
-) -> None:
-    """Type checking stubs"""
-    pass
-
 def _typecheckingstub__228db9cea00437d476e4860ef1214693d948e861477e0b0435205c3df9bf79f1(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -9093,3 +9076,6 @@ def _typecheckingstub__b548edb0a5fb9cfebb89a31ba69695395ed26d4793bbaa01e670bb558
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IAgreementRef, ICertificateRef, IConnectorRef, IProfileRef, IServerRef, IUserRef, IWebAppRef, IWorkflowRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_verifiedpermissions/__init__.py

@@ -3594,3 +3594,6 @@ def _typecheckingstub__c58edfa87a5f12d9679dc9e906de042ce6fb26dbf1811d4fbdfc9c7e8
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IIdentitySourceRef, IPolicyRef, IPolicyStoreRef, IPolicyTemplateRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])

aws_cdk/aws_voiceid/__init__.py

@@ -627,3 +627,6 @@ def _typecheckingstub__026258552a46cefb8caa670ab5034652c3e2c257df5858a178b076195
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IDomainRef]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])