aws-cdk-lib 2.73.0__py3-none-any.whl → 2.76.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -552,9 +552,8 @@ provider = cognito.UserPoolIdentityProviderAmazon(self, "Amazon",
 Using Google identity provider is possible to use clientSecretValue with SecretValue from secrets manager.
 
 ```python
-# Example automatically generated from non-compiling source. May contain errors.
 userpool = cognito.UserPool(self, "Pool")
-secret = secrets_manager.Secret.from_secret_attributes(self, "CognitoClientSecret",
+secret = secretsmanager.Secret.from_secret_attributes(self, "CognitoClientSecret",
     secret_complete_arn="arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx"
 ).secret_value
 
@@ -772,7 +771,9 @@ User Pool clients can generate a client ID as well as a client secret, to suppor
 To create a client with an autogenerated client secret, pass the `generateSecret: true` prop:
 
 ```python
-# Example automatically generated from non-compiling source. May contain errors.
+# imported_pool: cognito.UserPool
+
+
 user_pool_client = cognito.UserPoolClient(self, "UserPoolClient",
     user_pool=imported_pool,
     generate_secret=True
@@ -5746,49 +5747,66 @@ class CfnUserPoolClient(
 
     :cloudformationResource: AWS::Cognito::UserPoolClient
     :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
-    :exampleMetadata: fixture=_generated
+    :exampleMetadata: infused
 
     Example::
 
-        # The code below shows an example of how to instantiate this type.
-        # The values are placeholders you should change.
-        from aws_cdk import aws_cognito as cognito
+        from aws_cdk import aws_certificatemanager as acm
         
-        cfn_user_pool_client = cognito.CfnUserPoolClient(self, "MyCfnUserPoolClient",
-            user_pool_id="userPoolId",
+        # vpc: ec2.Vpc
+        # certificate: acm.Certificate
         
-            # the properties below are optional
-            access_token_validity=123,
-            allowed_oAuth_flows=["allowedOAuthFlows"],
-            allowed_oAuth_flows_user_pool_client=False,
-            allowed_oAuth_scopes=["allowedOAuthScopes"],
-            analytics_configuration=cognito.CfnUserPoolClient.AnalyticsConfigurationProperty(
-                application_arn="applicationArn",
-                application_id="applicationId",
-                external_id="externalId",
-                role_arn="roleArn",
-                user_data_shared=False
-            ),
-            auth_session_validity=123,
-            callback_ur_ls=["callbackUrLs"],
-            client_name="clientName",
-            default_redirect_uri="defaultRedirectUri",
-            enable_propagate_additional_user_context_data=False,
-            enable_token_revocation=False,
-            explicit_auth_flows=["explicitAuthFlows"],
-            generate_secret=False,
-            id_token_validity=123,
-            logout_ur_ls=["logoutUrLs"],
-            prevent_user_existence_errors="preventUserExistenceErrors",
-            read_attributes=["readAttributes"],
-            refresh_token_validity=123,
-            supported_identity_providers=["supportedIdentityProviders"],
-            token_validity_units=cognito.CfnUserPoolClient.TokenValidityUnitsProperty(
-                access_token="accessToken",
-                id_token="idToken",
-                refresh_token="refreshToken"
+        
+        lb = elbv2.ApplicationLoadBalancer(self, "LB",
+            vpc=vpc,
+            internet_facing=True
+        )
+        
+        user_pool = cognito.UserPool(self, "UserPool")
+        user_pool_client = cognito.UserPoolClient(self, "Client",
+            user_pool=user_pool,
+        
+            # Required minimal configuration for use with an ELB
+            generate_secret=True,
+            auth_flows=cognito.AuthFlow(
+                user_password=True
             ),
-            write_attributes=["writeAttributes"]
+            o_auth=cognito.OAuthSettings(
+                flows=cognito.OAuthFlows(
+                    authorization_code_grant=True
+                ),
+                scopes=[cognito.OAuthScope.EMAIL],
+                callback_urls=[f"https://{lb.loadBalancerDnsName}/oauth2/idpresponse"
+                ]
+            )
+        )
+        cfn_client = user_pool_client.node.default_child
+        cfn_client.add_property_override("RefreshTokenValidity", 1)
+        cfn_client.add_property_override("SupportedIdentityProviders", ["COGNITO"])
+        
+        user_pool_domain = cognito.UserPoolDomain(self, "Domain",
+            user_pool=user_pool,
+            cognito_domain=cognito.CognitoDomainOptions(
+                domain_prefix="test-cdk-prefix"
+            )
+        )
+        
+        lb.add_listener("Listener",
+            port=443,
+            certificates=[certificate],
+            default_action=actions.AuthenticateCognitoAction(
+                user_pool=user_pool,
+                user_pool_client=user_pool_client,
+                user_pool_domain=user_pool_domain,
+                next=elbv2.ListenerAction.fixed_response(200,
+                    content_type="text/plain",
+                    message_body="Authenticated"
+                )
+            )
+        )
+        
+        CfnOutput(self, "DNS",
+            value=lb.load_balancer_dns_name
         )
     '''
 
@@ -12976,17 +12994,21 @@ class OAuthFlows:
 
         Example::
 
-            pool = cognito.UserPool(self, "Pool")
-            pool.add_client("app-client",
+            userpool = cognito.UserPool(self, "UserPool")
+            client = userpool.add_client("Client",
+                # ...
                 o_auth=cognito.OAuthSettings(
                     flows=cognito.OAuthFlows(
-                        authorization_code_grant=True
+                        implicit_code_grant=True
                     ),
-                    scopes=[cognito.OAuthScope.OPENID],
-                    callback_urls=["https://my-app-domain.com/welcome"],
-                    logout_urls=["https://my-app-domain.com/signin"]
+                    callback_urls=["https://myapp.com/home", "https://myapp.com/users"
+                    ]
                 )
             )
+            domain = userpool.add_domain("Domain")
+            sign_in_url = domain.sign_in_url(client,
+                redirect_uri="https://myapp.com/home"
+            )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__9aa5ba53667700cdf4d217354a8b54484e7e7fa22880031485734768e7a3bf8b)
@@ -13052,14 +13074,28 @@ class OAuthScope(
     Example::
 
         pool = cognito.UserPool(self, "Pool")
-        pool.add_client("app-client",
+        
+        read_only_scope = cognito.ResourceServerScope(scope_name="read", scope_description="Read-only access")
+        full_access_scope = cognito.ResourceServerScope(scope_name="*", scope_description="Full access")
+        
+        user_server = pool.add_resource_server("ResourceServer",
+            identifier="users",
+            scopes=[read_only_scope, full_access_scope]
+        )
+        
+        read_only_client = pool.add_client("read-only-client",
+            # ...
             o_auth=cognito.OAuthSettings(
-                flows=cognito.OAuthFlows(
-                    authorization_code_grant=True
-                ),
-                scopes=[cognito.OAuthScope.OPENID],
-                callback_urls=["https://my-app-domain.com/welcome"],
-                logout_urls=["https://my-app-domain.com/signin"]
+                # ...
+                scopes=[cognito.OAuthScope.resource_server(user_server, read_only_scope)]
+            )
+        )
+        
+        full_access_client = pool.add_client("full-access-client",
+            # ...
+            o_auth=cognito.OAuthSettings(
+                # ...
+                scopes=[cognito.OAuthScope.resource_server(user_server, full_access_scope)]
             )
         )
     '''
@@ -13174,20 +13210,30 @@ class OAuthSettings:
 
         Example::
 
-            userpool = cognito.UserPool(self, "UserPool")
-            client = userpool.add_client("Client",
+            pool = cognito.UserPool(self, "Pool")
+            
+            read_only_scope = cognito.ResourceServerScope(scope_name="read", scope_description="Read-only access")
+            full_access_scope = cognito.ResourceServerScope(scope_name="*", scope_description="Full access")
+            
+            user_server = pool.add_resource_server("ResourceServer",
+                identifier="users",
+                scopes=[read_only_scope, full_access_scope]
+            )
+            
+            read_only_client = pool.add_client("read-only-client",
                 # ...
                 o_auth=cognito.OAuthSettings(
-                    flows=cognito.OAuthFlows(
-                        implicit_code_grant=True
-                    ),
-                    callback_urls=["https://myapp.com/home", "https://myapp.com/users"
-                    ]
+                    # ...
+                    scopes=[cognito.OAuthScope.resource_server(user_server, read_only_scope)]
                 )
             )
-            domain = userpool.add_domain("Domain")
-            sign_in_url = domain.sign_in_url(client,
-                redirect_uri="https://myapp.com/home"
+            
+            full_access_client = pool.add_client("full-access-client",
+                # ...
+                o_auth=cognito.OAuthSettings(
+                    # ...
+                    scopes=[cognito.OAuthScope.resource_server(user_server, full_access_scope)]
+                )
             )
         '''
         if isinstance(flows, dict):
@@ -15135,14 +15181,16 @@ class UserPool(
 
     Example::
 
-        pool_sms_role = iam.Role(self, "userpoolsmsrole",
-            assumed_by=iam.ServicePrincipal("foo")
-        )
-        
-        cognito.UserPool(self, "myuserpool",
-            # ...
-            sms_role=pool_sms_role,
-            sms_role_external_id="c87467be-4f34-11ea-b77f-2e728ce88125"
+        pool = cognito.UserPool(self, "Pool")
+        pool.add_client("app-client",
+            o_auth=cognito.OAuthSettings(
+                flows=cognito.OAuthFlows(
+                    authorization_code_grant=True
+                ),
+                scopes=[cognito.OAuthScope.OPENID],
+                callback_urls=["https://my-app-domain.com/welcome"],
+                logout_urls=["https://my-app-domain.com/signin"]
+            )
         )
     '''
 
@@ -16057,10 +16105,16 @@ class UserPoolClientProps(UserPoolClientOptions):
 
         Example::
 
-            imported_pool = cognito.UserPool.from_user_pool_id(self, "imported-pool", "us-east-1_oiuR12Abd")
-            cognito.UserPoolClient(self, "customer-app-client",
-                user_pool=imported_pool
+            # imported_pool: cognito.UserPool
+            
+            
+            user_pool_client = cognito.UserPoolClient(self, "UserPoolClient",
+                user_pool=imported_pool,
+                generate_secret=True
             )
+            
+            # Allows you to pass the generated secret to other pieces of infrastructure
+            secret = user_pool_client.user_pool_client_secret
         '''
         if isinstance(auth_flows, dict):
             auth_flows = AuthFlow(**auth_flows)
@@ -16307,14 +16361,20 @@ class UserPoolDomain(
 
     Example::
 
-        import aws_cdk.aws_cognito as cognito
-        
-        # zone: route53.HostedZone
-        # domain: cognito.UserPoolDomain
-        
-        route53.ARecord(self, "AliasRecord",
-            zone=zone,
-            target=route53.RecordTarget.from_alias(targets.UserPoolDomainTarget(domain))
+        userpool = cognito.UserPool(self, "UserPool")
+        client = userpool.add_client("Client",
+            # ...
+            o_auth=cognito.OAuthSettings(
+                flows=cognito.OAuthFlows(
+                    implicit_code_grant=True
+                ),
+                callback_urls=["https://myapp.com/home", "https://myapp.com/users"
+                ]
+            )
+        )
+        domain = userpool.add_domain("Domain")
+        sign_in_url = domain.sign_in_url(client,
+            redirect_uri="https://myapp.com/home"
         )
     '''
 
@@ -16529,30 +16589,67 @@ class UserPoolDomainProps(UserPoolDomainOptions):
         :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
         :param user_pool: The user pool to which this domain should be associated.
 
-        :exampleMetadata: fixture=_generated
+        :exampleMetadata: infused
 
         Example::
 
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            from aws_cdk import aws_certificatemanager as certificatemanager
-            from aws_cdk import aws_cognito as cognito
+            from aws_cdk import aws_certificatemanager as acm
             
-            # certificate: certificatemanager.Certificate
-            # user_pool: cognito.UserPool
+            # vpc: ec2.Vpc
+            # certificate: acm.Certificate
+            
+            
+            lb = elbv2.ApplicationLoadBalancer(self, "LB",
+                vpc=vpc,
+                internet_facing=True
+            )
             
-            user_pool_domain_props = cognito.UserPoolDomainProps(
+            user_pool = cognito.UserPool(self, "UserPool")
+            user_pool_client = cognito.UserPoolClient(self, "Client",
                 user_pool=user_pool,
             
-                # the properties below are optional
-                cognito_domain=cognito.CognitoDomainOptions(
-                    domain_prefix="domainPrefix"
+                # Required minimal configuration for use with an ELB
+                generate_secret=True,
+                auth_flows=cognito.AuthFlow(
+                    user_password=True
                 ),
-                custom_domain=cognito.CustomDomainOptions(
-                    certificate=certificate,
-                    domain_name="domainName"
+                o_auth=cognito.OAuthSettings(
+                    flows=cognito.OAuthFlows(
+                        authorization_code_grant=True
+                    ),
+                    scopes=[cognito.OAuthScope.EMAIL],
+                    callback_urls=[f"https://{lb.loadBalancerDnsName}/oauth2/idpresponse"
+                    ]
+                )
+            )
+            cfn_client = user_pool_client.node.default_child
+            cfn_client.add_property_override("RefreshTokenValidity", 1)
+            cfn_client.add_property_override("SupportedIdentityProviders", ["COGNITO"])
+            
+            user_pool_domain = cognito.UserPoolDomain(self, "Domain",
+                user_pool=user_pool,
+                cognito_domain=cognito.CognitoDomainOptions(
+                    domain_prefix="test-cdk-prefix"
+                )
+            )
+            
+            lb.add_listener("Listener",
+                port=443,
+                certificates=[certificate],
+                default_action=actions.AuthenticateCognitoAction(
+                    user_pool=user_pool,
+                    user_pool_client=user_pool_client,
+                    user_pool_domain=user_pool_domain,
+                    next=elbv2.ListenerAction.fixed_response(200,
+                        content_type="text/plain",
+                        message_body="Authenticated"
+                    )
                 )
             )
+            
+            CfnOutput(self, "DNS",
+                value=lb.load_balancer_dns_name
+            )
         '''
         if isinstance(cognito_domain, dict):
             cognito_domain = CognitoDomainOptions(**cognito_domain)
@@ -17010,9 +17107,8 @@ class UserPoolIdentityProviderGoogle(
 
     Example::
 
-        # Example automatically generated from non-compiling source. May contain errors.
         userpool = cognito.UserPool(self, "Pool")
-        secret = secrets_manager.Secret.from_secret_attributes(self, "CognitoClientSecret",
+        secret = secretsmanager.Secret.from_secret_attributes(self, "CognitoClientSecret",
             secret_complete_arn="arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx"
         ).secret_value
         
@@ -19723,9 +19819,8 @@ class UserPoolIdentityProviderGoogleProps(UserPoolIdentityProviderProps):
 
         Example::
 
-            # Example automatically generated from non-compiling source. May contain errors.
             userpool = cognito.UserPool(self, "Pool")
-            secret = secrets_manager.Secret.from_secret_attributes(self, "CognitoClientSecret",
+            secret = secretsmanager.Secret.from_secret_attributes(self, "CognitoClientSecret",
                 secret_complete_arn="arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx"
             ).secret_value
             

aws_cdk/aws_config/__init__.py

@@ -121,7 +121,6 @@ custom_rule = config.CustomRule(self, "Custom",
 Guard which contains the logic that evaluates whether your AWS resources comply with the rule.
 
 ```python
-# Example automatically generated from non-compiling source. May contain errors.
 sample_policy_text = """
 # This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
 let status = ['ACTIVE']
@@ -139,7 +138,7 @@ rule checkcompliance when
 }
 """
 
-config.CustomPolicy(stack, "Custom",
+config.CustomPolicy(self, "Custom",
     policy_text=sample_policy_text,
     enable_debug_log=True,
     rule_scope=config.RuleScope.from_resources([config.ResourceType.DYNAMODB_TABLE
@@ -3535,7 +3534,7 @@ class CfnOrganizationConfigRule(
         :param id: - scoped id of the resource.
         :param organization_config_rule_name: The name that you assign to organization AWS Config rule.
         :param excluded_accounts: A comma-separated list of accounts excluded from organization AWS Config rule.
-        :param organization_custom_policy_rule_metadata: An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.
+        :param organization_custom_policy_rule_metadata: ``AWS::Config::OrganizationConfigRule.OrganizationCustomPolicyRuleMetadata``.
         :param organization_custom_rule_metadata: An ``OrganizationCustomRuleMetadata`` object.
         :param organization_managed_rule_metadata: An ``OrganizationManagedRuleMetadata`` object.
         '''
@@ -3628,9 +3627,7 @@ class CfnOrganizationConfigRule(
     def organization_custom_policy_rule_metadata(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty"]]:
-        '''An object that specifies metadata for your organization's AWS Config Custom Policy rule.
-
-        The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.
+        '''``AWS::Config::OrganizationConfigRule.OrganizationCustomPolicyRuleMetadata``.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconfigrule.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata
         '''
@@ -3721,21 +3718,18 @@ class CfnOrganizationConfigRule(
             tag_key_scope: typing.Optional[builtins.str] = None,
             tag_value_scope: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''An object that specifies metadata for your organization's AWS Config Custom Policy rule.
-
-            The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.
-
-            :param policy_text: The policy definition containing the logic for your organization AWS Config Custom Policy rule.
+            '''
+            :param policy_text: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.PolicyText``.
             :param runtime: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.Runtime``.
-            :param debug_log_delivery_accounts: A list of accounts that you can enable debug logging for your organization AWS Config Custom Policy rule. List is null when debug logging is enabled for all accounts.
-            :param description: The description that you provide for your organization AWS Config Custom Policy rule.
-            :param input_parameters: A string, in JSON format, that is passed to your organization AWS Config Custom Policy rule.
-            :param maximum_execution_frequency: The maximum frequency with which AWS Config runs evaluations for a rule. Your AWS Config Custom Policy rule is triggered when AWS Config delivers the configuration snapshot. For more information, see ``ConfigSnapshotDeliveryProperties`` .
-            :param organization_config_rule_trigger_types: The type of notification that initiates AWS Config to run an evaluation for a rule. For AWS Config Custom Policy rules, AWS Config supports change-initiated notification types: - ``ConfigurationItemChangeNotification`` - Initiates an evaluation when AWS Config delivers a configuration item as a result of a resource change. - ``OversizedConfigurationItemChangeNotification`` - Initiates an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
-            :param resource_id_scope: The ID of the AWS resource that was evaluated.
-            :param resource_types_scope: The type of the AWS resource that was evaluated.
-            :param tag_key_scope: One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
-            :param tag_value_scope: The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
+            :param debug_log_delivery_accounts: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.DebugLogDeliveryAccounts``.
+            :param description: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.Description``.
+            :param input_parameters: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.InputParameters``.
+            :param maximum_execution_frequency: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.MaximumExecutionFrequency``.
+            :param organization_config_rule_trigger_types: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.OrganizationConfigRuleTriggerTypes``.
+            :param resource_id_scope: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.ResourceIdScope``.
+            :param resource_types_scope: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.ResourceTypesScope``.
+            :param tag_key_scope: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.TagKeyScope``.
+            :param tag_value_scope: ``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.TagValueScope``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html
             :exampleMetadata: fixture=_generated
@@ -3800,7 +3794,7 @@ class CfnOrganizationConfigRule(
 
         @builtins.property
         def policy_text(self) -> builtins.str:
-            '''The policy definition containing the logic for your organization AWS Config Custom Policy rule.
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.PolicyText``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-policytext
             '''
@@ -3822,9 +3816,7 @@ class CfnOrganizationConfigRule(
         def debug_log_delivery_accounts(
             self,
         ) -> typing.Optional[typing.List[builtins.str]]:
-            '''A list of accounts that you can enable debug logging for your organization AWS Config Custom Policy rule.
-
-            List is null when debug logging is enabled for all accounts.
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.DebugLogDeliveryAccounts``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-debuglogdeliveryaccounts
             '''
@@ -3833,7 +3825,7 @@ class CfnOrganizationConfigRule(
 
         @builtins.property
         def description(self) -> typing.Optional[builtins.str]:
-            '''The description that you provide for your organization AWS Config Custom Policy rule.
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.Description``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-description
             '''
@@ -3842,7 +3834,7 @@ class CfnOrganizationConfigRule(
 
         @builtins.property
         def input_parameters(self) -> typing.Optional[builtins.str]:
-            '''A string, in JSON format, that is passed to your organization AWS Config Custom Policy rule.
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.InputParameters``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-inputparameters
             '''
@@ -3851,9 +3843,7 @@ class CfnOrganizationConfigRule(
 
         @builtins.property
         def maximum_execution_frequency(self) -> typing.Optional[builtins.str]:
-            '''The maximum frequency with which AWS Config runs evaluations for a rule.
-
-            Your AWS Config Custom Policy rule is triggered when AWS Config delivers the configuration snapshot. For more information, see ``ConfigSnapshotDeliveryProperties`` .
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.MaximumExecutionFrequency``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-maximumexecutionfrequency
             '''
@@ -3864,12 +3854,7 @@ class CfnOrganizationConfigRule(
         def organization_config_rule_trigger_types(
             self,
         ) -> typing.Optional[typing.List[builtins.str]]:
-            '''The type of notification that initiates AWS Config to run an evaluation for a rule.
-
-            For AWS Config Custom Policy rules, AWS Config supports change-initiated notification types:
-
-            - ``ConfigurationItemChangeNotification`` - Initiates an evaluation when AWS Config delivers a configuration item as a result of a resource change.
-            - ``OversizedConfigurationItemChangeNotification`` - Initiates an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.OrganizationConfigRuleTriggerTypes``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-organizationconfigruletriggertypes
             '''
@@ -3878,7 +3863,7 @@ class CfnOrganizationConfigRule(
 
         @builtins.property
         def resource_id_scope(self) -> typing.Optional[builtins.str]:
-            '''The ID of the AWS resource that was evaluated.
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.ResourceIdScope``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-resourceidscope
             '''
@@ -3887,7 +3872,7 @@ class CfnOrganizationConfigRule(
 
         @builtins.property
         def resource_types_scope(self) -> typing.Optional[typing.List[builtins.str]]:
-            '''The type of the AWS resource that was evaluated.
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.ResourceTypesScope``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-resourcetypesscope
             '''
@@ -3896,9 +3881,7 @@ class CfnOrganizationConfigRule(
 
         @builtins.property
         def tag_key_scope(self) -> typing.Optional[builtins.str]:
-            '''One part of a key-value pair that make up a tag.
-
-            A key is a general label that acts like a category for more specific tag values.
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.TagKeyScope``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-tagkeyscope
             '''
@@ -3907,9 +3890,7 @@ class CfnOrganizationConfigRule(
 
         @builtins.property
         def tag_value_scope(self) -> typing.Optional[builtins.str]:
-            '''The optional part of a key-value pair that make up a tag.
-
-            A value acts as a descriptor within a tag category (key).
+            '''``CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty.TagValueScope``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-organizationconfigrule-organizationcustompolicyrulemetadata.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata-tagvaluescope
             '''
@@ -4343,7 +4324,7 @@ class CfnOrganizationConfigRuleProps:
 
         :param organization_config_rule_name: The name that you assign to organization AWS Config rule.
         :param excluded_accounts: A comma-separated list of accounts excluded from organization AWS Config rule.
-        :param organization_custom_policy_rule_metadata: An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.
+        :param organization_custom_policy_rule_metadata: ``AWS::Config::OrganizationConfigRule.OrganizationCustomPolicyRuleMetadata``.
         :param organization_custom_rule_metadata: An ``OrganizationCustomRuleMetadata`` object.
         :param organization_managed_rule_metadata: An ``OrganizationManagedRuleMetadata`` object.
 
@@ -4445,9 +4426,7 @@ class CfnOrganizationConfigRuleProps:
     def organization_custom_policy_rule_metadata(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnOrganizationConfigRule.OrganizationCustomPolicyRuleMetadataProperty]]:
-        '''An object that specifies metadata for your organization's AWS Config Custom Policy rule.
-
-        The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.
+        '''``AWS::Config::OrganizationConfigRule.OrganizationCustomPolicyRuleMetadata``.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconfigrule.html#cfn-config-organizationconfigrule-organizationcustompolicyrulemetadata
         '''
@@ -11607,7 +11586,6 @@ class CustomPolicy(
 
     Example::
 
-        # Example automatically generated from non-compiling source. May contain errors.
         sample_policy_text = """
         # This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
         let status = ['ACTIVE']
@@ -11625,7 +11603,7 @@ class CustomPolicy(
         }
         """
         
-        config.CustomPolicy(stack, "Custom",
+        config.CustomPolicy(self, "Custom",
             policy_text=sample_policy_text,
             enable_debug_log=True,
             rule_scope=config.RuleScope.from_resources([config.ResourceType.DYNAMODB_TABLE
@@ -11908,7 +11886,6 @@ class CustomPolicyProps(RuleProps):
 
         Example::
 
-            # Example automatically generated from non-compiling source. May contain errors.
             sample_policy_text = """
             # This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
             let status = ['ACTIVE']
@@ -11926,7 +11903,7 @@ class CustomPolicyProps(RuleProps):
             }
             """
             
-            config.CustomPolicy(stack, "Custom",
+            config.CustomPolicy(self, "Custom",
                 policy_text=sample_policy_text,
                 enable_debug_log=True,
                 rule_scope=config.RuleScope.from_resources([config.ResourceType.DYNAMODB_TABLE