aws-cdk-lib 2.97.0__py3-none-any.whl → 2.98.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -1557,6 +1557,7 @@ class CfnIdentityPool(
     To avoid deleting the resource accidentally from AWS CloudFormation , use `DeletionPolicy Attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html>`_ and the `UpdateReplacePolicy Attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html>`_ to retain the resource on deletion or replacement.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
+    :cloudformationResource: AWS::Cognito::IdentityPool
     :exampleMetadata: infused
 
     Example::
@@ -2124,6 +2125,7 @@ class CfnIdentityPoolPrincipalTag(
     '''A list of the identity pool principal tag assignments for attributes for access control.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html
+    :cloudformationResource: AWS::Cognito::IdentityPoolPrincipalTag
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -2627,6 +2629,7 @@ class CfnIdentityPoolRoleAttachment(
     '''The ``AWS::Cognito::IdentityPoolRoleAttachment`` resource manages the role configuration for an Amazon Cognito identity pool.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
+    :cloudformationResource: AWS::Cognito::IdentityPoolRoleAttachment
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -3219,6 +3222,7 @@ class CfnUserPool(
        If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
+    :cloudformationResource: AWS::Cognito::UserPool
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -4905,7 +4909,7 @@ class CfnUserPool(
             :param require_numbers: In the password policy that you have set, refers to whether you have required users to use at least one number in their password.
             :param require_symbols: In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.
             :param require_uppercase: In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.
-            :param temporary_password_validity_days: The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. .. epigraph:: When you set ``TemporaryPasswordValidityDays`` for a user pool, you can no longer set a value for the legacy ``UnusedAccountValidityDays`` parameter in that user pool.
+            :param temporary_password_validity_days: The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. Defaults to ``7`` . If you submit a value of ``0`` , Amazon Cognito treats it as a null value and sets ``TemporaryPasswordValidityDays`` to its default value. .. epigraph:: When you set ``TemporaryPasswordValidityDays`` for a user pool, you can no longer set a value for the legacy ``UnusedAccountValidityDays`` parameter in that user pool.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html
             :exampleMetadata: fixture=_generated
@@ -5006,7 +5010,7 @@ class CfnUserPool(
         def temporary_password_validity_days(self) -> typing.Optional[jsii.Number]:
             '''The number of days a temporary password is valid in the password policy.
 
-            If the user doesn't sign in during this time, an administrator must reset their password.
+            If the user doesn't sign in during this time, an administrator must reset their password. Defaults to ``7`` . If you submit a value of ``0`` , Amazon Cognito treats it as a null value and sets ``TemporaryPasswordValidityDays`` to its default value.
             .. epigraph::
 
                When you set ``TemporaryPasswordValidityDays`` for a user pool, you can no longer set a value for the legacy ``UnusedAccountValidityDays`` parameter in that user pool.
@@ -5865,6 +5869,7 @@ class CfnUserPoolClient(
        If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
+    :cloudformationResource: AWS::Cognito::UserPoolClient
     :exampleMetadata: infused
 
     Example::
@@ -5976,11 +5981,11 @@ class CfnUserPoolClient(
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
         :param prevent_user_existence_errors: Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ``ENABLED`` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs will return a ``UserNotFoundException`` exception if the user does not exist in the user pool.
-        :param read_attributes: The read attributes.
+        :param read_attributes: The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
-        :param write_attributes: The user pool attributes that the app client can write to. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
+        :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__87712ca9ae8faf9f73a6c5d11987fcf280543ea093bcc4253c800c0151725828)
@@ -6339,7 +6344,7 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="readAttributes")
     def read_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The read attributes.'''
+        '''The list of user attributes that you want your app client to have read-only access to.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "readAttributes"))
 
     @read_attributes.setter
@@ -6404,7 +6409,7 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="writeAttributes")
     def write_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The user pool attributes that the app client can write to.'''
+        '''The list of user attributes that you want your app client to have write access to.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "writeAttributes"))
 
     @write_attributes.setter
@@ -6718,11 +6723,11 @@ class CfnUserPoolClientProps:
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
         :param prevent_user_existence_errors: Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ``ENABLED`` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs will return a ``UserNotFoundException`` exception if the user does not exist in the user pool.
-        :param read_attributes: The read attributes.
+        :param read_attributes: The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
-        :param write_attributes: The user pool attributes that the app client can write to. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
+        :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
         :exampleMetadata: fixture=_generated
@@ -7085,7 +7090,11 @@ class CfnUserPoolClientProps:
 
     @builtins.property
     def read_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The read attributes.
+        '''The list of user attributes that you want your app client to have read-only access to.
+
+        After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data.
+
+        When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-readattributes
         '''
@@ -7135,7 +7144,11 @@ class CfnUserPoolClientProps:
 
     @builtins.property
     def write_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The user pool attributes that the app client can write to.
+        '''The list of user attributes that you want your app client to have write access to.
+
+        After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value.
+
+        When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes.
 
         If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
 
@@ -7165,6 +7178,7 @@ class CfnUserPoolDomain(
     '''The AWS::Cognito::UserPoolDomain resource creates a new domain for a user pool.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html
+    :cloudformationResource: AWS::Cognito::UserPoolDomain
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -7483,6 +7497,7 @@ class CfnUserPoolGroup(
        If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html
+    :cloudformationResource: AWS::Cognito::UserPoolGroup
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -7787,6 +7802,7 @@ class CfnUserPoolIdentityProvider(
     '''The ``AWS::Cognito::UserPoolIdentityProvider`` resource creates an identity provider for a user pool.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html
+    :cloudformationResource: AWS::Cognito::UserPoolIdentityProvider
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -8764,6 +8780,7 @@ class CfnUserPoolResourceServer(
        If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolresourceserver.html
+    :cloudformationResource: AWS::Cognito::UserPoolResourceServer
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -9117,6 +9134,7 @@ class CfnUserPoolRiskConfigurationAttachment(
     You can specify risk configuration for a single client (with a specific ``clientId`` ) or for all clients (by setting the ``clientId`` to ``ALL`` ). If you specify ``ALL`` , the default configuration is used for every client that has had no risk configuration set previously. If you specify risk configuration for a particular client, it no longer falls back to the ``ALL`` configuration.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html
+    :cloudformationResource: AWS::Cognito::UserPoolRiskConfigurationAttachment
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -10321,6 +10339,7 @@ class CfnUserPoolUICustomizationAttachment(
     Setting a logo image isn't supported from AWS CloudFormation . Use the Amazon Cognito `SetUICustomization <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUICustomization.html#API_SetUICustomization_RequestSyntax>`_ API operation to set the image.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html
+    :cloudformationResource: AWS::Cognito::UserPoolUICustomizationAttachment
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -10547,6 +10566,7 @@ class CfnUserPoolUser(
     '''The ``AWS::Cognito::UserPoolUser`` resource creates an Amazon Cognito user pool user.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html
+    :cloudformationResource: AWS::Cognito::UserPoolUser
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -11096,6 +11116,7 @@ class CfnUserPoolUserToGroupAttachment(
     '''Adds the specified user to the specified group.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html
+    :cloudformationResource: AWS::Cognito::UserPoolUserToGroupAttachment
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -11123,8 +11144,8 @@ class CfnUserPoolUserToGroupAttachment(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param group_name: The group name.
-        :param username: The username for the user.
+        :param group_name: The name of the group that you want to add your user to.
+        :param username: The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If ``username`` isn't an alias attribute in your user pool, you can also use their ``sub`` in this request.
         :param user_pool_id: The user pool ID for the user pool.
         '''
         if __debug__:
@@ -11183,7 +11204,7 @@ class CfnUserPoolUserToGroupAttachment(
     @builtins.property
     @jsii.member(jsii_name="groupName")
     def group_name(self) -> builtins.str:
-        '''The group name.'''
+        '''The name of the group that you want to add your user to.'''
         return typing.cast(builtins.str, jsii.get(self, "groupName"))
 
     @group_name.setter
@@ -11196,7 +11217,7 @@ class CfnUserPoolUserToGroupAttachment(
     @builtins.property
     @jsii.member(jsii_name="username")
     def username(self) -> builtins.str:
-        '''The username for the user.'''
+        '''The username of the user that you want to query or modify.'''
         return typing.cast(builtins.str, jsii.get(self, "username"))
 
     @username.setter
@@ -11239,8 +11260,8 @@ class CfnUserPoolUserToGroupAttachmentProps:
     ) -> None:
         '''Properties for defining a ``CfnUserPoolUserToGroupAttachment``.
 
-        :param group_name: The group name.
-        :param username: The username for the user.
+        :param group_name: The name of the group that you want to add your user to.
+        :param username: The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If ``username`` isn't an alias attribute in your user pool, you can also use their ``sub`` in this request.
         :param user_pool_id: The user pool ID for the user pool.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html
@@ -11271,7 +11292,7 @@ class CfnUserPoolUserToGroupAttachmentProps:
 
     @builtins.property
     def group_name(self) -> builtins.str:
-        '''The group name.
+        '''The name of the group that you want to add your user to.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html#cfn-cognito-userpoolusertogroupattachment-groupname
         '''
@@ -11281,7 +11302,10 @@ class CfnUserPoolUserToGroupAttachmentProps:
 
     @builtins.property
     def username(self) -> builtins.str:
-        '''The username for the user.
+        '''The username of the user that you want to query or modify.
+
+        The value of this parameter is typically your user's
+        username, but it can be any of their alias attributes. If ``username`` isn't an alias attribute in your user pool, you can also use their ``sub`` in this request.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html#cfn-cognito-userpoolusertogroupattachment-username
         '''

aws_cdk/aws_comprehend/__init__.py

@@ -62,6 +62,7 @@ class CfnDocumentClassifier(
     You provide a set of training documents that are labeled with the categories that you want to identify. After the classifier is trained you can use it to categorize a set of labeled documents into the categories. For more information, see `Document Classification <https://docs.aws.amazon.com/comprehend/latest/dg/how-document-classification.html>`_ in the Comprehend Developer Guide.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-comprehend-documentclassifier.html
+    :cloudformationResource: AWS::Comprehend::DocumentClassifier
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -1397,6 +1398,7 @@ class CfnFlywheel(
     For more information about flywheels, see `Flywheel overview <https://docs.aws.amazon.com/comprehend/latest/dg/flywheels-about.html>`_ in the *Amazon Comprehend Developer Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-comprehend-flywheel.html
+    :cloudformationResource: AWS::Comprehend::Flywheel
     :exampleMetadata: fixture=_generated
 
     Example::

aws_cdk/aws_config/__init__.py

@@ -312,6 +312,7 @@ class CfnAggregationAuthorization(
     '''An object that represents the authorizations granted to aggregator accounts and regions.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-aggregationauthorization.html
+    :cloudformationResource: AWS::Config::AggregationAuthorization
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -575,6 +576,7 @@ class CfnConfigRule(
     For more information about developing and using AWS Config rules, see `Evaluating Resources with AWS Config Rules <https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html>`_ in the *AWS Config Developer Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configrule.html
+    :cloudformationResource: AWS::Config::ConfigRule
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -1663,6 +1665,7 @@ class CfnConfigurationAggregator(
     '''The details about the configuration aggregator, including information about source accounts, regions, and metadata of the aggregator.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.html
+    :cloudformationResource: AWS::Config::ConfigurationAggregator
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -2176,6 +2179,7 @@ class CfnConfigurationRecorder(
     For more information, see `Configuration Recorder <https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-recorder>`_ in the AWS Config Developer Guide.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationrecorder.html
+    :cloudformationResource: AWS::Config::ConfigurationRecorder
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -2841,6 +2845,7 @@ class CfnConformancePack(
     ConformancePack creates a service linked role in your account. The service linked role is created only when the role does not exist in your account.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-conformancepack.html
+    :cloudformationResource: AWS::Config::ConformancePack
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -3399,6 +3404,7 @@ class CfnDeliveryChannel(
     For more information, see `Managing the Delivery Channel <https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html>`_ in the AWS Config Developer Guide.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-deliverychannel.html
+    :cloudformationResource: AWS::Config::DeliveryChannel
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -3840,6 +3846,7 @@ class CfnOrganizationConfigRule(
     If you are adding a new AWS Config Custom Lambda rule, you first need to create an AWS Lambda function in the management account or a delegated administrator that the rule invokes to evaluate your resources. You also need to create an IAM role in the managed account that can be assumed by the Lambda function. When you use ``PutOrganizationConfigRule`` to add a Custom Lambda rule to AWS Config , you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconfigrule.html
+    :cloudformationResource: AWS::Config::OrganizationConfigRule
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -4869,6 +4876,7 @@ class CfnOrganizationConformancePack(
     OrganizationConformancePack enables organization service access for ``config-multiaccountsetup.amazonaws.com`` through the ``EnableAWSServiceAccess`` action and creates a service linked role in the master account of your organization. The service linked role is created only when the role does not exist in the master account.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-organizationconformancepack.html
+    :cloudformationResource: AWS::Config::OrganizationConformancePack
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -5327,6 +5335,7 @@ class CfnRemediationConfiguration(
     '''An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-remediationconfiguration.html
+    :cloudformationResource: AWS::Config::RemediationConfiguration
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -6184,6 +6193,7 @@ class CfnStoredQuery(
     '''Provides the details of a stored query.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-storedquery.html
+    :cloudformationResource: AWS::Config::StoredQuery
     :exampleMetadata: fixture=_generated
 
     Example::