aws-cdk-lib 2.96.2__py3-none-any.whl → 2.97.1__py3-none-any.whl

aws_cdk/aws_events/__init__.py

@@ -1409,8 +1409,6 @@ class CfnConnection(
         
         cfn_connection = events.CfnConnection(self, "MyCfnConnection",
             authorization_type="authorizationType",
-        
-            # the properties below are optional
             auth_parameters=events.CfnConnection.AuthParametersProperty(
                 api_key_auth_parameters=events.CfnConnection.ApiKeyAuthParametersProperty(
                     api_key_name="apiKeyName",
@@ -1487,7 +1485,7 @@ class CfnConnection(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
-        authorization_type: builtins.str,
+        authorization_type: typing.Optional[builtins.str] = None,
         auth_parameters: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConnection.AuthParametersProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         description: typing.Optional[builtins.str] = None,
         name: typing.Optional[builtins.str] = None,
@@ -1568,12 +1566,12 @@ class CfnConnection(
 
     @builtins.property
     @jsii.member(jsii_name="authorizationType")
-    def authorization_type(self) -> builtins.str:
+    def authorization_type(self) -> typing.Optional[builtins.str]:
         '''The type of authorization to use for the connection.'''
-        return typing.cast(builtins.str, jsii.get(self, "authorizationType"))
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "authorizationType"))
 
     @authorization_type.setter
-    def authorization_type(self, value: builtins.str) -> None:
+    def authorization_type(self, value: typing.Optional[builtins.str]) -> None:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__4f51f33cc16a16fcb52edb95bbc7ef5dd0bb5f97e31dd1f331adaf42e9cd3668)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
@@ -2365,7 +2363,7 @@ class CfnConnectionProps:
     def __init__(
         self,
         *,
-        authorization_type: builtins.str,
+        authorization_type: typing.Optional[builtins.str] = None,
         auth_parameters: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConnection.AuthParametersProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         description: typing.Optional[builtins.str] = None,
         name: typing.Optional[builtins.str] = None,
@@ -2388,8 +2386,6 @@ class CfnConnectionProps:
             
             cfn_connection_props = events.CfnConnectionProps(
                 authorization_type="authorizationType",
-            
-                # the properties below are optional
                 auth_parameters=events.CfnConnection.AuthParametersProperty(
                     api_key_auth_parameters=events.CfnConnection.ApiKeyAuthParametersProperty(
                         api_key_name="apiKeyName",
@@ -2466,9 +2462,9 @@ class CfnConnectionProps:
             check_type(argname="argument auth_parameters", value=auth_parameters, expected_type=type_hints["auth_parameters"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
             check_type(argname="argument name", value=name, expected_type=type_hints["name"])
-        self._values: typing.Dict[builtins.str, typing.Any] = {
-            "authorization_type": authorization_type,
-        }
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if authorization_type is not None:
+            self._values["authorization_type"] = authorization_type
         if auth_parameters is not None:
             self._values["auth_parameters"] = auth_parameters
         if description is not None:
@@ -2477,7 +2473,7 @@ class CfnConnectionProps:
             self._values["name"] = name
 
     @builtins.property
-    def authorization_type(self) -> builtins.str:
+    def authorization_type(self) -> typing.Optional[builtins.str]:
         '''The type of authorization to use for the connection.
 
         .. epigraph::
@@ -2487,8 +2483,7 @@ class CfnConnectionProps:
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.html#cfn-events-connection-authorizationtype
         '''
         result = self._values.get("authorization_type")
-        assert result is not None, "Required property 'authorization_type' is missing"
-        return typing.cast(builtins.str, result)
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
     def auth_parameters(
@@ -11402,7 +11397,7 @@ def _typecheckingstub__65bde9b35de094b905dd335652d04503af85c50ac027a006a1d7ec926
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
-    authorization_type: builtins.str,
+    authorization_type: typing.Optional[builtins.str] = None,
     auth_parameters: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConnection.AuthParametersProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     description: typing.Optional[builtins.str] = None,
     name: typing.Optional[builtins.str] = None,
@@ -11423,7 +11418,7 @@ def _typecheckingstub__9baa06fe2df5d5855b8fea8613ae753f8301c4cdb9f83ba3f45fd5407
     pass
 
 def _typecheckingstub__4f51f33cc16a16fcb52edb95bbc7ef5dd0bb5f97e31dd1f331adaf42e9cd3668(
-    value: builtins.str,
+    value: typing.Optional[builtins.str],
 ) -> None:
     """Type checking stubs"""
     pass
@@ -11510,7 +11505,7 @@ def _typecheckingstub__8ef124487a6c31dc58a802230e7bf50f962f08be9cde1fb39c45b429d
 
 def _typecheckingstub__2b32e6c6e8c1c2772bb604474216b07683c108c349058e240d272750b95ff394(
     *,
-    authorization_type: builtins.str,
+    authorization_type: typing.Optional[builtins.str] = None,
     auth_parameters: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConnection.AuthParametersProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     description: typing.Optional[builtins.str] = None,
     name: typing.Optional[builtins.str] = None,

aws_cdk/aws_fms/__init__.py

@@ -343,7 +343,7 @@ class CfnPolicy(
         :param exclude_map: Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. You can specify inclusions or exclusions, but not both. If you specify an ``IncludeMap`` , AWS Firewall Manager applies the policy to all accounts specified by the ``IncludeMap`` , and does not evaluate any ``ExcludeMap`` specifications. If you do not specify an ``IncludeMap`` , then Firewall Manager applies the policy to all accounts except for those specified by the ``ExcludeMap`` . You can specify account IDs, OUs, or a combination: - Specify account IDs by setting the key to ``ACCOUNT`` . For example, the following is a valid map: ``{“ACCOUNT” : [“accountID1”, “accountID2”]}`` . - Specify OUs by setting the key to ``ORGUNIT`` . For example, the following is a valid map: ``{“ORGUNIT” : [“ouid111”, “ouid112”]}`` . - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: ``{“ACCOUNT” : [“accountID1”, “accountID2”], “ORGUNIT” : [“ouid111”, “ouid112”]}`` .
         :param include_map: Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. You can specify inclusions or exclusions, but not both. If you specify an ``IncludeMap`` , AWS Firewall Manager applies the policy to all accounts specified by the ``IncludeMap`` , and does not evaluate any ``ExcludeMap`` specifications. If you do not specify an ``IncludeMap`` , then Firewall Manager applies the policy to all accounts except for those specified by the ``ExcludeMap`` . You can specify account IDs, OUs, or a combination: - Specify account IDs by setting the key to ``ACCOUNT`` . For example, the following is a valid map: ``{“ACCOUNT” : [“accountID1”, “accountID2”]}`` . - Specify OUs by setting the key to ``ORGUNIT`` . For example, the following is a valid map: ``{“ORGUNIT” : [“ouid111”, “ouid112”]}`` . - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: ``{“ACCOUNT” : [“accountID1”, “accountID2”], “ORGUNIT” : [“ouid111”, “ouid112”]}`` .
         :param policy_description: The definition of the AWS Network Firewall firewall policy.
-        :param resources_clean_up: Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope. By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources. This option is not available for Shield Advanced or AWS WAF Classic policies.
+        :param resources_clean_up: Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope. By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources. This option is not available for AWS WAF Classic policies.
         :param resource_set_ids: The unique identifiers of the resource sets used by the policy.
         :param resource_tags: An array of ``ResourceTag`` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also ``ExcludeResourceTags`` .
         :param resource_type: The type of resource protected by or in scope of the policy. This is in the format shown in the `AWS Resource Types Reference <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html>`_ . To apply this policy to multiple resource types, specify a resource type of ``ResourceTypeList`` and then specify the resource types in a ``ResourceTypeList`` . For AWS WAF and Shield Advanced, example resource types include ``AWS::ElasticLoadBalancingV2::LoadBalancer`` and ``AWS::CloudFront::Distribution`` . For a security group common policy, valid values are ``AWS::EC2::NetworkInterface`` and ``AWS::EC2::Instance`` . For a security group content audit policy, valid values are ``AWS::EC2::SecurityGroup`` , ``AWS::EC2::NetworkInterface`` , and ``AWS::EC2::Instance`` . For a security group usage audit policy, the value is ``AWS::EC2::SecurityGroup`` . For an AWS Network Firewall policy or DNS Firewall policy, the value is ``AWS::EC2::VPC`` .
@@ -1322,7 +1322,7 @@ class CfnPolicyProps:
         :param exclude_map: Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. You can specify inclusions or exclusions, but not both. If you specify an ``IncludeMap`` , AWS Firewall Manager applies the policy to all accounts specified by the ``IncludeMap`` , and does not evaluate any ``ExcludeMap`` specifications. If you do not specify an ``IncludeMap`` , then Firewall Manager applies the policy to all accounts except for those specified by the ``ExcludeMap`` . You can specify account IDs, OUs, or a combination: - Specify account IDs by setting the key to ``ACCOUNT`` . For example, the following is a valid map: ``{“ACCOUNT” : [“accountID1”, “accountID2”]}`` . - Specify OUs by setting the key to ``ORGUNIT`` . For example, the following is a valid map: ``{“ORGUNIT” : [“ouid111”, “ouid112”]}`` . - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: ``{“ACCOUNT” : [“accountID1”, “accountID2”], “ORGUNIT” : [“ouid111”, “ouid112”]}`` .
         :param include_map: Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. You can specify inclusions or exclusions, but not both. If you specify an ``IncludeMap`` , AWS Firewall Manager applies the policy to all accounts specified by the ``IncludeMap`` , and does not evaluate any ``ExcludeMap`` specifications. If you do not specify an ``IncludeMap`` , then Firewall Manager applies the policy to all accounts except for those specified by the ``ExcludeMap`` . You can specify account IDs, OUs, or a combination: - Specify account IDs by setting the key to ``ACCOUNT`` . For example, the following is a valid map: ``{“ACCOUNT” : [“accountID1”, “accountID2”]}`` . - Specify OUs by setting the key to ``ORGUNIT`` . For example, the following is a valid map: ``{“ORGUNIT” : [“ouid111”, “ouid112”]}`` . - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: ``{“ACCOUNT” : [“accountID1”, “accountID2”], “ORGUNIT” : [“ouid111”, “ouid112”]}`` .
         :param policy_description: The definition of the AWS Network Firewall firewall policy.
-        :param resources_clean_up: Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope. By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources. This option is not available for Shield Advanced or AWS WAF Classic policies.
+        :param resources_clean_up: Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope. By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources. This option is not available for AWS WAF Classic policies.
         :param resource_set_ids: The unique identifiers of the resource sets used by the policy.
         :param resource_tags: An array of ``ResourceTag`` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also ``ExcludeResourceTags`` .
         :param resource_type: The type of resource protected by or in scope of the policy. This is in the format shown in the `AWS Resource Types Reference <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html>`_ . To apply this policy to multiple resource types, specify a resource type of ``ResourceTypeList`` and then specify the resource types in a ``ResourceTypeList`` . For AWS WAF and Shield Advanced, example resource types include ``AWS::ElasticLoadBalancingV2::LoadBalancer`` and ``AWS::CloudFront::Distribution`` . For a security group common policy, valid values are ``AWS::EC2::NetworkInterface`` and ``AWS::EC2::Instance`` . For a security group content audit policy, valid values are ``AWS::EC2::SecurityGroup`` , ``AWS::EC2::NetworkInterface`` , and ``AWS::EC2::Instance`` . For a security group usage audit policy, the value is ``AWS::EC2::SecurityGroup`` . For an AWS Network Firewall policy or DNS Firewall policy, the value is ``AWS::EC2::VPC`` .
@@ -1660,7 +1660,7 @@ class CfnPolicyProps:
 
         By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.
 
-        This option is not available for Shield Advanced or AWS WAF Classic policies.
+        This option is not available for AWS WAF Classic policies.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-fms-policy.html#cfn-fms-policy-resourcescleanup
         '''

aws_cdk/aws_gamelift/__init__.py

@@ -458,7 +458,7 @@ class CfnBuild(
         :param id: Construct identifier for this resource (unique in its scope).
         :param name: A descriptive label that is associated with a build. Build names do not need to be unique.
         :param operating_system: The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later. .. epigraph:: If you have active fleets using the Windows Server 2012 operating system, you can continue to create new builds using this OS until October 10, 2023, when Microsoft ends its support. All others must use Windows Server 2016 when creating new Windows-based builds.
-        :param server_sdk_version: A server SDK version you used when integrating your game server build with Amazon GameLift. For more information see `Integrate games with custom game servers <https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html>`_ . By default Amazon GameLift sets this value to ``4.0.2`` .
+        :param server_sdk_version: The Amazon GameLift Server SDK version used to develop your game server.
         :param storage_location: Information indicating where your game build files are stored. Use this parameter only when creating a build with files stored in an Amazon S3 bucket that you own. The storage location must specify an Amazon S3 bucket name and key. The location must also specify a role ARN that you set up to allow Amazon GameLift to access your Amazon S3 bucket. The S3 bucket and your new build must be in the same Region. If a ``StorageLocation`` is specified, the size of your file can be found in your Amazon S3 bucket. Amazon GameLift will report a ``SizeOnDisk`` of 0.
         :param version: Version information that is associated with this build. Version strings do not need to be unique.
         '''
@@ -551,7 +551,7 @@ class CfnBuild(
     @builtins.property
     @jsii.member(jsii_name="serverSdkVersion")
     def server_sdk_version(self) -> typing.Optional[builtins.str]:
-        '''A server SDK version you used when integrating your game server build with Amazon GameLift.'''
+        '''The Amazon GameLift Server SDK version used to develop your game server.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "serverSdkVersion"))
 
     @server_sdk_version.setter
@@ -611,11 +611,10 @@ class CfnBuild(
             role_arn: builtins.str,
             object_version: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The location in Amazon S3 where build or script files are stored for access by Amazon GameLift.
-
-            :param bucket: An Amazon S3 bucket identifier. Thename of the S3 bucket. .. epigraph:: Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).
+            '''
+            :param bucket: An Amazon S3 bucket identifier. This is the name of the S3 bucket.
             :param key: The name of the zip file that contains the build files or script files.
-            :param role_arn: The Amazon Resource Name ( `ARN <https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html>`_ ) for an IAM role that allows Amazon GameLift to access the S3 bucket.
+            :param role_arn: The Amazon Resource Name (ARN) for an IAM role that allows Amazon GameLift to access the S3 bucket.
             :param object_version: The version of the file, if object versioning is turned on for the bucket. Amazon GameLift uses this information when retrieving files from your S3 bucket. To retrieve a specific version of the file, provide an object version. To retrieve the latest version of the file, do not set this parameter.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-gamelift-build-storagelocation.html
@@ -652,11 +651,9 @@ class CfnBuild(
 
         @builtins.property
         def bucket(self) -> builtins.str:
-            '''An Amazon S3 bucket identifier. Thename of the S3 bucket.
+            '''An Amazon S3 bucket identifier.
 
-            .. epigraph::
-
-               Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).
+            This is the name of the S3 bucket.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-gamelift-build-storagelocation.html#cfn-gamelift-build-storagelocation-bucket
             '''
@@ -676,7 +673,7 @@ class CfnBuild(
 
         @builtins.property
         def role_arn(self) -> builtins.str:
-            '''The Amazon Resource Name ( `ARN <https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html>`_ ) for an IAM role that allows Amazon GameLift to access the S3 bucket.
+            '''The Amazon Resource Name (ARN) for an IAM role that allows Amazon GameLift to access the S3 bucket.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-gamelift-build-storagelocation.html#cfn-gamelift-build-storagelocation-rolearn
             '''
@@ -732,7 +729,7 @@ class CfnBuildProps:
 
         :param name: A descriptive label that is associated with a build. Build names do not need to be unique.
         :param operating_system: The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later. .. epigraph:: If you have active fleets using the Windows Server 2012 operating system, you can continue to create new builds using this OS until October 10, 2023, when Microsoft ends its support. All others must use Windows Server 2016 when creating new Windows-based builds.
-        :param server_sdk_version: A server SDK version you used when integrating your game server build with Amazon GameLift. For more information see `Integrate games with custom game servers <https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html>`_ . By default Amazon GameLift sets this value to ``4.0.2`` .
+        :param server_sdk_version: The Amazon GameLift Server SDK version used to develop your game server.
         :param storage_location: Information indicating where your game build files are stored. Use this parameter only when creating a build with files stored in an Amazon S3 bucket that you own. The storage location must specify an Amazon S3 bucket name and key. The location must also specify a role ARN that you set up to allow Amazon GameLift to access your Amazon S3 bucket. The S3 bucket and your new build must be in the same Region. If a ``StorageLocation`` is specified, the size of your file can be found in your Amazon S3 bucket. Amazon GameLift will report a ``SizeOnDisk`` of 0.
         :param version: Version information that is associated with this build. Version strings do not need to be unique.
 
@@ -806,9 +803,7 @@ class CfnBuildProps:
 
     @builtins.property
     def server_sdk_version(self) -> typing.Optional[builtins.str]:
-        '''A server SDK version you used when integrating your game server build with Amazon GameLift.
-
-        For more information see `Integrate games with custom game servers <https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html>`_ . By default Amazon GameLift sets this value to ``4.0.2`` .
+        '''The Amazon GameLift Server SDK version used to develop your game server.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-gamelift-build.html#cfn-gamelift-build-serversdkversion
         '''

aws_cdk/aws_grafana/__init__.py

@@ -147,7 +147,7 @@ class CfnWorkspace(
         :param client_token: A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request.
         :param data_sources: Specifies the AWS data sources that have been configured to have IAM roles and permissions created to allow Amazon Managed Grafana to read data from these sources. This list is only used when the workspace was created through the AWS console, and the ``permissionType`` is ``SERVICE_MANAGED`` .
         :param description: The user-defined description of the workspace.
-        :param grafana_version: Specifies the version of Grafana to support in the new workspace. To get a list of supported version, use the ``ListVersions`` operation.
+        :param grafana_version: Specifies the version of Grafana to support in the workspace. Defaults to the latest version on create (for example, 9.4), or the current version of the workspace on update. Can only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4). To know what versions are available to upgrade to for a specific workspace, see the `ListVersions <https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html>`_ operation.
         :param name: The name of the workspace.
         :param network_access_control: The configuration settings for network access to your workspace.
         :param notification_destinations: The AWS notification channels that Amazon Managed Grafana can automatically create IAM roles and permissions for, to allow Amazon Managed Grafana to use these channels.
@@ -391,7 +391,7 @@ class CfnWorkspace(
     @builtins.property
     @jsii.member(jsii_name="grafanaVersion")
     def grafana_version(self) -> typing.Optional[builtins.str]:
-        '''Specifies the version of Grafana to support in the new workspace.'''
+        '''Specifies the version of Grafana to support in the workspace.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "grafanaVersion"))
 
     @grafana_version.setter
@@ -1205,7 +1205,7 @@ class CfnWorkspaceProps:
         :param client_token: A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request.
         :param data_sources: Specifies the AWS data sources that have been configured to have IAM roles and permissions created to allow Amazon Managed Grafana to read data from these sources. This list is only used when the workspace was created through the AWS console, and the ``permissionType`` is ``SERVICE_MANAGED`` .
         :param description: The user-defined description of the workspace.
-        :param grafana_version: Specifies the version of Grafana to support in the new workspace. To get a list of supported version, use the ``ListVersions`` operation.
+        :param grafana_version: Specifies the version of Grafana to support in the workspace. Defaults to the latest version on create (for example, 9.4), or the current version of the workspace on update. Can only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4). To know what versions are available to upgrade to for a specific workspace, see the `ListVersions <https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html>`_ operation.
         :param name: The name of the workspace.
         :param network_access_control: The configuration settings for network access to your workspace.
         :param notification_destinations: The AWS notification channels that Amazon Managed Grafana can automatically create IAM roles and permissions for, to allow Amazon Managed Grafana to use these channels.
@@ -1392,9 +1392,13 @@ class CfnWorkspaceProps:
 
     @builtins.property
     def grafana_version(self) -> typing.Optional[builtins.str]:
-        '''Specifies the version of Grafana to support in the new workspace.
+        '''Specifies the version of Grafana to support in the workspace.
 
-        To get a list of supported version, use the ``ListVersions`` operation.
+        Defaults to the latest version on create (for example, 9.4), or the current version of the workspace on update.
+
+        Can only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4).
+
+        To know what versions are available to upgrade to for a specific workspace, see the `ListVersions <https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html>`_ operation.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-grafana-workspace.html#cfn-grafana-workspace-grafanaversion
         '''