aws-cdk-lib 2.90.0__py3-none-any.whl → 2.92.0__py3-none-any.whl

aws_cdk/aws_rolesanywhere/__init__.py

@@ -57,11 +57,7 @@ class CfnCRL(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_rolesanywhere.CfnCRL",
 ):
-    '''Imports the certificate revocation list (CRL).
-
-    A CRL is a list of certificates that have been revoked by the issuing certificate Authority (CA). IAM Roles Anywhere validates against the CRL before issuing credentials.
-
-    *Required permissions:* ``rolesanywhere:ImportCrl`` .
+    '''Creates a Crl.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-crl.html
     :exampleMetadata: fixture=_generated
@@ -100,10 +96,10 @@ class CfnCRL(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param crl_data: The x509 v3 specified certificate revocation list (CRL).
-        :param name: The name of the certificate revocation list (CRL).
-        :param enabled: Specifies whether the certificate revocation list (CRL) is enabled.
-        :param tags: A list of tags to attach to the certificate revocation list (CRL).
+        :param crl_data: x509 v3 Certificate Revocation List to revoke auth for corresponding certificates presented in CreateSession operations.
+        :param name: The customer specified name of the resource.
+        :param enabled: The enabled status of the resource.
+        :param tags: A list of Tags.
         :param trust_anchor_arn: The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.
         '''
         if __debug__:
@@ -173,7 +169,7 @@ class CfnCRL(
     @builtins.property
     @jsii.member(jsii_name="crlData")
     def crl_data(self) -> builtins.str:
-        '''The x509 v3 specified certificate revocation list (CRL).'''
+        '''x509 v3 Certificate Revocation List to revoke auth for corresponding certificates presented in CreateSession operations.'''
         return typing.cast(builtins.str, jsii.get(self, "crlData"))
 
     @crl_data.setter
@@ -186,7 +182,7 @@ class CfnCRL(
     @builtins.property
     @jsii.member(jsii_name="name")
     def name(self) -> builtins.str:
-        '''The name of the certificate revocation list (CRL).'''
+        '''The customer specified name of the resource.'''
         return typing.cast(builtins.str, jsii.get(self, "name"))
 
     @name.setter
@@ -201,7 +197,7 @@ class CfnCRL(
     def enabled(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Specifies whether the certificate revocation list (CRL) is enabled.'''
+        '''The enabled status of the resource.'''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "enabled"))
 
     @enabled.setter
@@ -217,7 +213,7 @@ class CfnCRL(
     @builtins.property
     @jsii.member(jsii_name="tagsRaw")
     def tags_raw(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''A list of tags to attach to the certificate revocation list (CRL).'''
+        '''A list of Tags.'''
         return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tagsRaw"))
 
     @tags_raw.setter
@@ -264,10 +260,10 @@ class CfnCRLProps:
     ) -> None:
         '''Properties for defining a ``CfnCRL``.
 
-        :param crl_data: The x509 v3 specified certificate revocation list (CRL).
-        :param name: The name of the certificate revocation list (CRL).
-        :param enabled: Specifies whether the certificate revocation list (CRL) is enabled.
-        :param tags: A list of tags to attach to the certificate revocation list (CRL).
+        :param crl_data: x509 v3 Certificate Revocation List to revoke auth for corresponding certificates presented in CreateSession operations.
+        :param name: The customer specified name of the resource.
+        :param enabled: The enabled status of the resource.
+        :param tags: A list of Tags.
         :param trust_anchor_arn: The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-crl.html
@@ -312,7 +308,7 @@ class CfnCRLProps:
 
     @builtins.property
     def crl_data(self) -> builtins.str:
-        '''The x509 v3 specified certificate revocation list (CRL).
+        '''x509 v3 Certificate Revocation List to revoke auth for corresponding certificates presented in CreateSession operations.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-crl.html#cfn-rolesanywhere-crl-crldata
         '''
@@ -322,7 +318,7 @@ class CfnCRLProps:
 
     @builtins.property
     def name(self) -> builtins.str:
-        '''The name of the certificate revocation list (CRL).
+        '''The customer specified name of the resource.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-crl.html#cfn-rolesanywhere-crl-name
         '''
@@ -334,7 +330,7 @@ class CfnCRLProps:
     def enabled(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Specifies whether the certificate revocation list (CRL) is enabled.
+        '''The enabled status of the resource.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-crl.html#cfn-rolesanywhere-crl-enabled
         '''
@@ -343,7 +339,7 @@ class CfnCRLProps:
 
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''A list of tags to attach to the certificate revocation list (CRL).
+        '''A list of Tags.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-crl.html#cfn-rolesanywhere-crl-tags
         '''
@@ -377,11 +373,7 @@ class CfnProfile(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_rolesanywhere.CfnProfile",
 ):
-    '''Creates a *profile* , a list of the roles that Roles Anywhere service is trusted to assume.
-
-    You use profiles to intersect permissions with IAM managed policies.
-
-    *Required permissions:* ``rolesanywhere:CreateProfile`` .
+    '''Creates a Profile.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html
     :exampleMetadata: fixture=_generated
@@ -426,14 +418,14 @@ class CfnProfile(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param name: The name of the profile.
-        :param role_arns: A list of IAM role ARNs. During ``CreateSession`` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.
-        :param duration_seconds: Sets the maximum number of seconds that vended temporary credentials through `CreateSession <https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html>`_ will be valid for, between 900 and 3600.
-        :param enabled: Indicates whether the profile is enabled.
-        :param managed_policy_arns: A list of managed policy ARNs that apply to the vended session credentials.
-        :param require_instance_properties: Specifies whether instance properties are required in temporary credential requests with this profile.
-        :param session_policy: A session policy that applies to the trust boundary of the vended session credentials.
-        :param tags: The tags to attach to the profile.
+        :param name: The customer specified name of the resource.
+        :param role_arns: A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.
+        :param duration_seconds: The number of seconds vended session credentials will be valid for.
+        :param enabled: The enabled status of the resource.
+        :param managed_policy_arns: A list of managed policy ARNs. Managed policies identified by this list will be applied to the vended session credentials.
+        :param require_instance_properties: Specifies whether instance properties are required in CreateSession requests with this profile.
+        :param session_policy: A session policy that will applied to the trust boundary of the vended session credentials.
+        :param tags: A list of Tags.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__15739ec913066dea67815f6297a7c4e3ed351b4df22323a7b46fa138af1a7af8)
@@ -514,7 +506,7 @@ class CfnProfile(
     @builtins.property
     @jsii.member(jsii_name="name")
     def name(self) -> builtins.str:
-        '''The name of the profile.'''
+        '''The customer specified name of the resource.'''
         return typing.cast(builtins.str, jsii.get(self, "name"))
 
     @name.setter
@@ -527,7 +519,7 @@ class CfnProfile(
     @builtins.property
     @jsii.member(jsii_name="roleArns")
     def role_arns(self) -> typing.List[builtins.str]:
-        '''A list of IAM role ARNs.'''
+        '''A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.'''
         return typing.cast(typing.List[builtins.str], jsii.get(self, "roleArns"))
 
     @role_arns.setter
@@ -540,7 +532,7 @@ class CfnProfile(
     @builtins.property
     @jsii.member(jsii_name="durationSeconds")
     def duration_seconds(self) -> typing.Optional[jsii.Number]:
-        '''Sets the maximum number of seconds that vended temporary credentials through `CreateSession <https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html>`_ will be valid for, between 900 and 3600.'''
+        '''The number of seconds vended session credentials will be valid for.'''
         return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "durationSeconds"))
 
     @duration_seconds.setter
@@ -555,7 +547,7 @@ class CfnProfile(
     def enabled(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Indicates whether the profile is enabled.'''
+        '''The enabled status of the resource.'''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "enabled"))
 
     @enabled.setter
@@ -571,7 +563,7 @@ class CfnProfile(
     @builtins.property
     @jsii.member(jsii_name="managedPolicyArns")
     def managed_policy_arns(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''A list of managed policy ARNs that apply to the vended session credentials.'''
+        '''A list of managed policy ARNs.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "managedPolicyArns"))
 
     @managed_policy_arns.setter
@@ -589,7 +581,7 @@ class CfnProfile(
     def require_instance_properties(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Specifies whether instance properties are required in temporary credential requests with this profile.'''
+        '''Specifies whether instance properties are required in CreateSession requests with this profile.'''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "requireInstanceProperties"))
 
     @require_instance_properties.setter
@@ -605,7 +597,7 @@ class CfnProfile(
     @builtins.property
     @jsii.member(jsii_name="sessionPolicy")
     def session_policy(self) -> typing.Optional[builtins.str]:
-        '''A session policy that applies to the trust boundary of the vended session credentials.'''
+        '''A session policy that will applied to the trust boundary of the vended session credentials.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "sessionPolicy"))
 
     @session_policy.setter
@@ -618,7 +610,7 @@ class CfnProfile(
     @builtins.property
     @jsii.member(jsii_name="tagsRaw")
     def tags_raw(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''The tags to attach to the profile.'''
+        '''A list of Tags.'''
         return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tagsRaw"))
 
     @tags_raw.setter
@@ -658,14 +650,14 @@ class CfnProfileProps:
     ) -> None:
         '''Properties for defining a ``CfnProfile``.
 
-        :param name: The name of the profile.
-        :param role_arns: A list of IAM role ARNs. During ``CreateSession`` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.
-        :param duration_seconds: Sets the maximum number of seconds that vended temporary credentials through `CreateSession <https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html>`_ will be valid for, between 900 and 3600.
-        :param enabled: Indicates whether the profile is enabled.
-        :param managed_policy_arns: A list of managed policy ARNs that apply to the vended session credentials.
-        :param require_instance_properties: Specifies whether instance properties are required in temporary credential requests with this profile.
-        :param session_policy: A session policy that applies to the trust boundary of the vended session credentials.
-        :param tags: The tags to attach to the profile.
+        :param name: The customer specified name of the resource.
+        :param role_arns: A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.
+        :param duration_seconds: The number of seconds vended session credentials will be valid for.
+        :param enabled: The enabled status of the resource.
+        :param managed_policy_arns: A list of managed policy ARNs. Managed policies identified by this list will be applied to the vended session credentials.
+        :param require_instance_properties: Specifies whether instance properties are required in CreateSession requests with this profile.
+        :param session_policy: A session policy that will applied to the trust boundary of the vended session credentials.
+        :param tags: A list of Tags.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html
         :exampleMetadata: fixture=_generated
@@ -721,7 +713,7 @@ class CfnProfileProps:
 
     @builtins.property
     def name(self) -> builtins.str:
-        '''The name of the profile.
+        '''The customer specified name of the resource.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html#cfn-rolesanywhere-profile-name
         '''
@@ -731,9 +723,7 @@ class CfnProfileProps:
 
     @builtins.property
     def role_arns(self) -> typing.List[builtins.str]:
-        '''A list of IAM role ARNs.
-
-        During ``CreateSession`` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.
+        '''A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html#cfn-rolesanywhere-profile-rolearns
         '''
@@ -743,7 +733,7 @@ class CfnProfileProps:
 
     @builtins.property
     def duration_seconds(self) -> typing.Optional[jsii.Number]:
-        '''Sets the maximum number of seconds that vended temporary credentials through `CreateSession <https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html>`_ will be valid for, between 900 and 3600.
+        '''The number of seconds vended session credentials will be valid for.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html#cfn-rolesanywhere-profile-durationseconds
         '''
@@ -754,7 +744,7 @@ class CfnProfileProps:
     def enabled(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Indicates whether the profile is enabled.
+        '''The enabled status of the resource.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html#cfn-rolesanywhere-profile-enabled
         '''
@@ -763,7 +753,9 @@ class CfnProfileProps:
 
     @builtins.property
     def managed_policy_arns(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''A list of managed policy ARNs that apply to the vended session credentials.
+        '''A list of managed policy ARNs.
+
+        Managed policies identified by this list will be applied to the vended session credentials.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html#cfn-rolesanywhere-profile-managedpolicyarns
         '''
@@ -774,7 +766,7 @@ class CfnProfileProps:
     def require_instance_properties(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Specifies whether instance properties are required in temporary credential requests with this profile.
+        '''Specifies whether instance properties are required in CreateSession requests with this profile.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html#cfn-rolesanywhere-profile-requireinstanceproperties
         '''
@@ -783,7 +775,7 @@ class CfnProfileProps:
 
     @builtins.property
     def session_policy(self) -> typing.Optional[builtins.str]:
-        '''A session policy that applies to the trust boundary of the vended session credentials.
+        '''A session policy that will applied to the trust boundary of the vended session credentials.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html#cfn-rolesanywhere-profile-sessionpolicy
         '''
@@ -792,7 +784,7 @@ class CfnProfileProps:
 
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''The tags to attach to the profile.
+        '''A list of Tags.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-profile.html#cfn-rolesanywhere-profile-tags
         '''
@@ -817,11 +809,7 @@ class CfnTrustAnchor(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_rolesanywhere.CfnTrustAnchor",
 ):
-    '''Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA).
-
-    You can define a trust anchor as a reference to an AWS Private Certificate Authority ( AWS Private CA ) or by uploading a CA certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary AWS credentials.
-
-    *Required permissions:* ``rolesanywhere:CreateTrustAnchor`` .
+    '''Creates a TrustAnchor.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rolesanywhere-trustanchor.html
     :exampleMetadata: fixture=_generated
@@ -1015,7 +1003,7 @@ class CfnTrustAnchor(
             acm_pca_arn: typing.Optional[builtins.str] = None,
             x509_certificate_data: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The data field of the trust anchor depending on its type.
+            '''A union object representing the data field of the TrustAnchor depending on its type.
 
             :param acm_pca_arn: The root certificate of the AWS Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type ``AWS_ACM_PCA`` . .. epigraph:: This field is not supported in your region.
             :param x509_certificate_data: The PEM-encoded data for the certificate anchor. Included for trust anchors of type ``CERTIFICATE_BUNDLE`` .
@@ -1092,10 +1080,10 @@ class CfnTrustAnchor(
             source_data: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTrustAnchor.SourceDataProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             source_type: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The trust anchor type and its related certificate data.
+            '''Object representing the TrustAnchor type and its related certificate data.
 
-            :param source_data: The data field of the trust anchor depending on its type.
-            :param source_type: The type of the TrustAnchor. .. epigraph:: ``AWS_ACM_PCA`` is not an allowed value in your region.
+            :param source_data: A union object representing the data field of the TrustAnchor depending on its type.
+            :param source_type: The type of the TrustAnchor.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rolesanywhere-trustanchor-source.html
             :exampleMetadata: fixture=_generated
@@ -1128,7 +1116,7 @@ class CfnTrustAnchor(
         def source_data(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTrustAnchor.SourceDataProperty"]]:
-            '''The data field of the trust anchor depending on its type.
+            '''A union object representing the data field of the TrustAnchor depending on its type.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rolesanywhere-trustanchor-source.html#cfn-rolesanywhere-trustanchor-source-sourcedata
             '''
@@ -1139,10 +1127,6 @@ class CfnTrustAnchor(
         def source_type(self) -> typing.Optional[builtins.str]:
             '''The type of the TrustAnchor.
 
-            .. epigraph::
-
-               ``AWS_ACM_PCA`` is not an allowed value in your region.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rolesanywhere-trustanchor-source.html#cfn-rolesanywhere-trustanchor-source-sourcetype
             '''
             result = self._values.get("source_type")

aws_cdk/aws_route53/__init__.py

@@ -4211,7 +4211,7 @@ class CfnRecordSetGroup(
             :param failover: *Failover resource record sets only:* To configure failover, you add the ``Failover`` element to two resource record sets. For one resource record set, you specify ``PRIMARY`` as the value for ``Failover`` ; for the other resource record set, you specify ``SECONDARY`` . In addition, you include the ``HealthCheckId`` element and specify the health check that you want Amazon Route 53 to perform for each resource record set. Except where noted, the following failover behaviors assume that you have included the ``HealthCheckId`` element in both resource record sets: - When the primary resource record set is healthy, Route 53 responds to DNS queries with the applicable value from the primary resource record set regardless of the health of the secondary resource record set. - When the primary resource record set is unhealthy and the secondary resource record set is healthy, Route 53 responds to DNS queries with the applicable value from the secondary resource record set. - When the secondary resource record set is unhealthy, Route 53 responds to DNS queries with the applicable value from the primary resource record set regardless of the health of the primary resource record set. - If you omit the ``HealthCheckId`` element for the secondary resource record set, and if the primary resource record set is unhealthy, Route 53 always responds to DNS queries with the applicable value from the secondary resource record set. This is true regardless of the health of the associated endpoint. You can't create non-failover resource record sets that have the same values for the ``Name`` and ``Type`` elements as failover resource record sets. For failover alias resource record sets, you must also include the ``EvaluateTargetHealth`` element and set the value to true. For more information about configuring failover for Route 53, see the following topics in the *Amazon Route 53 Developer Guide* : - `Route 53 Health Checks and DNS Failover <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html>`_ - `Configuring Failover in a Private Hosted Zone <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-private-hosted-zones.html>`_
             :param geo_location: *Geolocation resource record sets only:* A complex type that lets you control how Amazon Route 53 responds to DNS queries based on the geographic origin of the query. For example, if you want all queries from Africa to be routed to a web server with an IP address of ``192.0.2.111`` , create a resource record set with a ``Type`` of ``A`` and a ``ContinentCode`` of ``AF`` . .. epigraph:: Although creating geolocation and geolocation alias resource record sets in a private hosted zone is allowed, it's not supported. If you create separate resource record sets for overlapping geographic regions (for example, one resource record set for a continent and one for a country on the same continent), priority goes to the smallest geographic region. This allows you to route most queries for a continent to one resource and to route queries for a country on that continent to a different resource. You can't create two geolocation resource record sets that specify the same geographic location. The value ``*`` in the ``CountryCode`` element matches all geographic locations that aren't specified in other geolocation resource record sets that have the same values for the ``Name`` and ``Type`` elements. .. epigraph:: Geolocation works by mapping IP addresses to locations. However, some IP addresses aren't mapped to geographic locations, so even if you create geolocation resource record sets that cover all seven continents, Route 53 will receive some DNS queries from locations that it can't identify. We recommend that you create a resource record set for which the value of ``CountryCode`` is ``*`` . Two groups of queries are routed to the resource that you specify in this record: queries that come from locations for which you haven't created geolocation resource record sets and queries from IP addresses that aren't mapped to a location. If you don't create a ``*`` resource record set, Route 53 returns a "no answer" response for queries from those locations. You can't create non-geolocation resource record sets that have the same values for the ``Name`` and ``Type`` elements as geolocation resource record sets.
             :param health_check_id: If you want Amazon Route 53 to return this resource record set in response to a DNS query only when the status of a health check is healthy, include the ``HealthCheckId`` element and specify the ID of the applicable health check. Route 53 determines whether a resource record set is healthy based on one of the following: - By periodically sending a request to the endpoint that is specified in the health check - By aggregating the status of a specified group of health checks (calculated health checks) - By determining the current state of a CloudWatch alarm (CloudWatch metric health checks) .. epigraph:: Route 53 doesn't check the health of the endpoint that is specified in the resource record set, for example, the endpoint specified by the IP address in the ``Value`` element. When you add a ``HealthCheckId`` element to a resource record set, Route 53 checks the health of the endpoint that you specified in the health check. For more information, see the following topics in the *Amazon Route 53 Developer Guide* : - `How Amazon Route 53 Determines Whether an Endpoint Is Healthy <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-determining-health-of-endpoints.html>`_ - `Route 53 Health Checks and DNS Failover <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html>`_ - `Configuring Failover in a Private Hosted Zone <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-private-hosted-zones.html>`_ *When to Specify HealthCheckId* Specifying a value for ``HealthCheckId`` is useful only when Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Route 53 to base the choice in part on the status of a health check. Configuring health checks makes sense only in the following configurations: - *Non-alias resource record sets* : You're checking the health of a group of non-alias resource record sets that have the same routing policy, name, and type (such as multiple weighted records named www.example.com with a type of A) and you specify health check IDs for all the resource record sets. If the health check status for a resource record set is healthy, Route 53 includes the record among the records that it responds to DNS queries with. If the health check status for a resource record set is unhealthy, Route 53 stops responding to DNS queries using the value for that resource record set. If the health check status for all resource record sets in the group is unhealthy, Route 53 considers all resource record sets in the group healthy and responds to DNS queries accordingly. - *Alias resource record sets* : You specify the following settings: - You set ``EvaluateTargetHealth`` to true for an alias resource record set in a group of resource record sets that have the same routing policy, name, and type (such as multiple weighted records named www.example.com with a type of A). - You configure the alias resource record set to route traffic to a non-alias resource record set in the same hosted zone. - You specify a health check ID for the non-alias resource record set. If the health check status is healthy, Route 53 considers the alias resource record set to be healthy and includes the alias record among the records that it responds to DNS queries with. If the health check status is unhealthy, Route 53 stops responding to DNS queries using the alias resource record set. .. epigraph:: The alias resource record set can also route traffic to a *group* of non-alias resource record sets that have the same routing policy, name, and type. In that configuration, associate health checks with all of the resource record sets in the group of non-alias resource record sets. *Geolocation Routing* For geolocation resource record sets, if an endpoint is unhealthy, Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the entire United States, for North America, and a resource record set that has ``*`` for ``CountryCode`` is ``*`` , which applies to all locations. If the endpoint for the state resource record set is unhealthy, Route 53 checks for healthy resource record sets in the following order until it finds a resource record set for which the endpoint is healthy: - The United States - North America - The default resource record set *Specifying the Health Check Endpoint by Domain Name* If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each ``HTTP`` server that is serving content for ``www.example.com`` . For the value of ``FullyQualifiedDomainName`` , specify the domain name of the server (such as ``us-east-2-www.example.com`` ), not the name of the resource record sets ( ``www.example.com`` ). .. epigraph:: Health check results will be unpredictable if you do the following: - Create a health check that has the same value for ``FullyQualifiedDomainName`` as the name of a resource record set. - Associate that health check with the resource record set.
-            :param hosted_zone_id: The ID of the hosted zone that you want to create records in. Specify either ``HostedZoneName`` or ``HostedZoneId`` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using ``HostedZoneId`` .
+            :param hosted_zone_id: The ID of the hosted zone that you want to create records in. Specify either ``HostedZoneName`` or ``HostedZoneId`` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using ``HostedZoneId`` . Do not provide the ``HostedZoneId`` if it is already defined in ``AWS::Route53::RecordSetGroup`` . The creation fails if ``HostedZoneId`` is defined in both.
             :param hosted_zone_name: The name of the hosted zone that you want to create records in. You must include a trailing dot (for example, ``www.example.com.`` ) as part of the ``HostedZoneName`` . When you create a stack using an ``AWS::Route53::RecordSet`` that specifies ``HostedZoneName`` , AWS CloudFormation attempts to find a hosted zone whose name matches the ``HostedZoneName`` . If AWS CloudFormation can't find a hosted zone with a matching domain name, or if there is more than one hosted zone with the specified domain name, AWS CloudFormation will not create the stack. Specify either ``HostedZoneName`` or ``HostedZoneId`` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using ``HostedZoneId`` .
             :param multi_value_answer: *Multivalue answer resource record sets only* : To route traffic approximately randomly to multiple resources, such as web servers, create one multivalue answer record for each resource and specify ``true`` for ``MultiValueAnswer`` . Note the following: - If you associate a health check with a multivalue answer resource record set, Amazon Route 53 responds to DNS queries with the corresponding IP address only when the health check is healthy. - If you don't associate a health check with a multivalue answer record, Route 53 always considers the record to be healthy. - Route 53 responds to DNS queries with up to eight healthy records; if you have eight or fewer healthy records, Route 53 responds to all DNS queries with all the healthy records. - If you have more than eight healthy records, Route 53 responds to different DNS resolvers with different combinations of healthy records. - When all records are unhealthy, Route 53 responds to DNS queries with up to eight unhealthy records. - If a resource becomes unavailable after a resolver caches a response, client software typically tries another of the IP addresses in the response. You can't create multivalue answer alias records.
             :param region: *Latency-based resource record sets only:* The Amazon EC2 Region where you created the resource that this resource record set refers to. The resource typically is an AWS resource, such as an EC2 instance or an ELB load balancer, and is referred to by an IP address or a DNS domain name, depending on the record type. When Amazon Route 53 receives a DNS query for a domain name and type for which you have created latency resource record sets, Route 53 selects the latency resource record set that has the lowest latency between the end user and the associated Amazon EC2 Region. Route 53 then returns the value that is associated with the selected resource record set. Note the following: - You can only specify one ``ResourceRecord`` per latency resource record set. - You can only create one latency resource record set for each Amazon EC2 Region. - You aren't required to create latency resource record sets for all Amazon EC2 Regions. Route 53 will choose the region with the best latency from among the regions that you create latency resource record sets for. - You can't create non-latency resource record sets that have the same values for the ``Name`` and ``Type`` elements as latency resource record sets.
@@ -4531,6 +4531,8 @@ class CfnRecordSetGroup(
 
             Specify either ``HostedZoneName`` or ``HostedZoneId`` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using ``HostedZoneId`` .
 
+            Do not provide the ``HostedZoneId`` if it is already defined in ``AWS::Route53::RecordSetGroup`` . The creation fails if ``HostedZoneId`` is defined in both.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordsetgroup-recordset.html#cfn-route53-recordsetgroup-recordset-hostedzoneid
             '''
             result = self._values.get("hosted_zone_id")

aws_cdk/aws_s3/__init__.py

@@ -2803,7 +2803,7 @@ class CfnBucket(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param accelerate_configuration: Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see `Amazon S3 Transfer Acceleration <https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html>`_ in the *Amazon S3 User Guide* .
-        :param access_control: A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see `Canned ACL <https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl>`_ in the *Amazon S3 User Guide* . Be aware that the syntax for this property differs from the information provided in the *Amazon S3 User Guide* . The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.
+        :param access_control: .. epigraph:: This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see `Controlling object ownership <https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html>`_ in the *Amazon S3 User Guide* . A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see `Canned ACL <https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl>`_ in the *Amazon S3 User Guide* . S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the `AWS::S3::OwnershipControls <https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html>`_ property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon. The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see `AWS::S3::BucketPolicy <https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html>`_ . For examples of common policy configurations, including S3 Server Access Logs buckets and more, see `Bucket policy examples <https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html>`_ in the *Amazon S3 User Guide* .
         :param analytics_configurations: Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.
         :param bucket_encryption: Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see `Amazon S3 Default Encryption for S3 Buckets <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html>`_ in the *Amazon S3 User Guide* .
         :param bucket_name: A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow `Amazon S3 bucket restrictions and limitations <https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html>`_ . For more information, see `Rules for naming Amazon S3 buckets <https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules>`_ in the *Amazon S3 User Guide* . .. epigraph:: If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.
@@ -2973,7 +2973,9 @@ class CfnBucket(
     @builtins.property
     @jsii.member(jsii_name="accessControl")
     def access_control(self) -> typing.Optional[builtins.str]:
-        '''A canned access control list (ACL) that grants predefined permissions to the bucket.'''
+        '''.. epigraph::
+
+   This is a legacy property, and it is not recommended for most use cases.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "accessControl"))
 
     @access_control.setter
@@ -4140,7 +4142,7 @@ class CfnBucket(
             '''Specifies information about where to publish analysis or configuration results for an Amazon S3 bucket.
 
             :param bucket_arn: The Amazon Resource Name (ARN) of the bucket to which data is exported.
-            :param format: Specifies the file format used when exporting data to Amazon S3.
+            :param format: Specifies the file format used when exporting data to Amazon S3. *Allowed values* : ``CSV`` | ``ORC`` | ``Parquet``
             :param bucket_account_id: The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data. .. epigraph:: Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes.
             :param prefix: The prefix to use when exporting data. The prefix is prepended to all results.
 
@@ -4191,6 +4193,8 @@ class CfnBucket(
         def format(self) -> builtins.str:
             '''Specifies the file format used when exporting data to Amazon S3.
 
+            *Allowed values* : ``CSV`` | ``ORC`` | ``Parquet``
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-destination.html#cfn-s3-bucket-destination-format
             '''
             result = self._values.get("format")
@@ -9100,7 +9104,7 @@ class CfnBucketProps:
         '''Properties for defining a ``CfnBucket``.
 
         :param accelerate_configuration: Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see `Amazon S3 Transfer Acceleration <https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html>`_ in the *Amazon S3 User Guide* .
-        :param access_control: A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see `Canned ACL <https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl>`_ in the *Amazon S3 User Guide* . Be aware that the syntax for this property differs from the information provided in the *Amazon S3 User Guide* . The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.
+        :param access_control: .. epigraph:: This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see `Controlling object ownership <https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html>`_ in the *Amazon S3 User Guide* . A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see `Canned ACL <https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl>`_ in the *Amazon S3 User Guide* . S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the `AWS::S3::OwnershipControls <https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html>`_ property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon. The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see `AWS::S3::BucketPolicy <https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html>`_ . For examples of common policy configurations, including S3 Server Access Logs buckets and more, see `Bucket policy examples <https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html>`_ in the *Amazon S3 User Guide* .
         :param analytics_configurations: Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.
         :param bucket_encryption: Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see `Amazon S3 Default Encryption for S3 Buckets <https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html>`_ in the *Amazon S3 User Guide* .
         :param bucket_name: A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow `Amazon S3 bucket restrictions and limitations <https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html>`_ . For more information, see `Rules for naming Amazon S3 buckets <https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules>`_ in the *Amazon S3 User Guide* . .. epigraph:: If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.
@@ -9214,11 +9218,17 @@ class CfnBucketProps:
 
     @builtins.property
     def access_control(self) -> typing.Optional[builtins.str]:
-        '''A canned access control list (ACL) that grants predefined permissions to the bucket.
+        '''.. epigraph::
+
+   This is a legacy property, and it is not recommended for most use cases.
+
+        A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see `Controlling object ownership <https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html>`_ in the *Amazon S3 User Guide* .
+
+        A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see `Canned ACL <https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl>`_ in the *Amazon S3 User Guide* .
 
-        For more information about canned ACLs, see `Canned ACL <https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl>`_ in the *Amazon S3 User Guide* .
+        S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the `AWS::S3::OwnershipControls <https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html>`_ property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon.
 
-        Be aware that the syntax for this property differs from the information provided in the *Amazon S3 User Guide* . The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.
+        The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see `AWS::S3::BucketPolicy <https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html>`_ . For examples of common policy configurations, including S3 Server Access Logs buckets and more, see `Bucket policy examples <https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html>`_ in the *Amazon S3 User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-accesscontrol
         '''